Article 4 Assessment and classification of the residual risk profile of credit institutions and financial institutions


This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 4 of the RTS on assessment of inherent and residual risk of obliged entities say?

This article brings together the outputs of Articles 2 and 3 to produce the final residual risk classification for each supervised credit or financial institution.

It describes how supervisors must combine the inherent risk score (derived from Article 2) and the controls quality score (derived from Article 3) into a single residual risk score, and then convert that score into one of four risk categories: low, medium, substantial, or high.

The combination logic is notable in that good controls can never push the residual risk below the inherent risk level — the best outcome for an institution with strong controls is that its residual risk equals its inherent risk score.

Important points:

  • Supervisors are required to combine the inherent risk score and the controls quality score using a specific formula to produce the residual risk score.
  • Where an institution's controls quality score is worse than or equal to its inherent risk score, the residual risk score is set as the arithmetic average of the two; where controls are better, the residual risk score simply equals the inherent risk score.
  • The final residual risk score is then classified into one of four levels — low, medium, substantial, or high — using fixed numerical thresholds.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Supervisors shall assess and classify the residual risk profile of each credit institution or financial institution under their supervision that has commenced its activities no later than during the year prior to the year that the assessment and classification takes place.

    1. For the purposes of the assessment and classification mentioned in paragraph 1, supervisors shall apply the following sequential steps:

      1. determine the residual risk score of the credit institution or financial institution, based on the inherent risk score and the controls quality score attributed to the credit institution or financial institution, in accordance with Article 2 and Article 3;

      2. supervisors shall apply the following rules to combine the inherent risk score and the controls quality score, in accordance with paragraph 1:

        1. where the controls quality score is greater than the inherent risk score, the residual risk score shall be equal to the inherent risk score;

        2. where the controls quality score is lower than or equal to the inherent risk score, the residual risk score shall be equal to the arithmetic average of the inherent risk score and the controls quality score;

      3. based on the residual risk score determined in accordance with paragraphs 1 and 2, classify the residual risk profile of the credit institution or financial institution, in accordance with the following conversion rules:

        1. Score<1.75: Low risk (1)
        2. 1.75Score<2.5: Medium risk (2)
        3. 2.5Score<3.25: Substantial risk (3)
        4. Score3.25: High risk (4)

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod