Source: AMLA final report draft
- Anti-money laundering
AML 6 directive supplemental acts
- RTS on assessment of inherent and residual risk of obliged entities
Article 5 Timelines for and updates to the assessment and classification of the inherent and residual risk profile of credit institutions and financial institutions
This is a draft act
This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.
Summary What does Article 5 of the RTS on assessment of inherent and residual risk of obliged entities say?
This article governs the timing and frequency of the risk assessments and classifications that supervisors are required to carry out under Articles 2, 3 and 4.
It sets the schedule for the initial assessment, the cadence of subsequent annual assessments, and carves out a reduced frequency of at least once every three years for certain lower-risk or smaller entities.
Importantly, the article also establishes an ad hoc review mechanism, requiring supervisors to conduct an out-of-cycle assessment within four months of becoming aware of major events or developments that could materially alter an institution's inherent or residual risk profile.
Important points:
- Supervisors are required to complete the first assessment and classification of inherent and residual risk profiles no later than nine months after the date of application of this Regulation.
- Supervisors are required to conduct subsequent assessments by 30 September each year, with a derogation allowing a reduced frequency of at least once every three years for qualifying smaller or lower-activity institutions, as well as those previously classified as low-risk.
- Supervisors are required to carry out an ad hoc review within four months of becoming aware of major events or developments in an institution's management or operations that may materially change its risk profile.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Supervisors shall carry out the first assessment and classification of the inherent risk and residual risk profiles of credit institutions and financial institutions pursuant to Articles 2, 3 and 4 no later than nine months after the date of application of this Regulation.
Supervisors shall carry out any subsequent assessment and classification of the inherent risk and residual risk profile of credit institutions and financial institutions pursuant to Article 2, 3 and 4 by 30 September of the year during which the assessment takes place.
By way of derogation from paragraph 2, supervisors shall carry out the assessment and classification of the inherent risk and residual risk profile of a credit institution or financial institution pursuant to Article 2, 3 and 4, at least once every three years, where the credit institution or financial institution meets any of the following criteria:
the total number of full-time equivalent employees employed by the credit institution or financial institution in the relevant Member State is less than or equal to five;
the credit institution or financial institution carries out only the following activities:
the activity of an insurance intermediary as referred to in Article 2, paragraph 1, point (6)(c), of Regulation (EU) 2024/1624;
the activity of credit intermediary as referred to in Article 2, paragraph 1, point (6)(h), or Article 3, paragraph 3, point (k), of Regulation (EU) 2024/1624;
the activity of an insurance undertaking as referred to in Article 2, paragraph 1, point (6)(b), of Regulation (EU) 2024/1624, provided that the financial institution does not distribute life insurance contracts or products other than: (i) contracts or products that cannot be redeemed; (ii) contracts or products that insure a lender against the death of a borrower; and (iii) contracts or products the annual premium of which does not exceed EUR 1 000 or the corresponding value in the national currency or the unique premium of which does not exceed EUR 2 500 or the corresponding value in the national currency;
the activity of an investment firm as referred to in Article 2, paragraph 1, point (6)(d), of Regulation (EU) 2024/1624, provided that the credit institution or financial institution does not provide (i) any of the investment services listed in points (1), (2), (4), (8) and (9), in Section A of Annex I of Directive (EU) 2014/65, or (ii) any of the ancillary services listed in points (1) and (2), of Section B of Annex I of Directive (EU) 2014/65;
the activity of a creditor as referred to in Article 2, paragraph 1, point (6)(g), of Regulation (EU) 2024/1624;
the activities listed in points (2), (3) and (6), of Annex I of Directive (EU) 2013/36, with the exception of offering credit agreements relating to immovable property;
the credit institution or financial institution is a branch set up by a collective investment undertaking within the meaning of Article 2, paragraph 1, point (6)(e), of Regulation (EU) 2024/1624 in a different Member State; or
the residual risk profile of the credit institution or financial institution has already been assessed and classified in accordance with Article 5 at least once, and such residual risk profile was last classified as the low-risk.
Where major events or developments in the management and operations of a credit institution or financial institution occur, the supervisor shall carry out an ad hoc review of the inherent risk and residual risk profile of the relevant credit institution or financial institution. Such assessment and classification shall take place no later than four months after the supervisor become aware of the major event or development.
When conducting an ad-hoc assessment pursuant to paragraph 4, the supervisor may decide not to review the scores attributed to indicators that are not affected by the occurrence of the relevant major event or development. The supervisor may also decide not to review the scores of controls categories that are not affected by the occurrence of the relevant major event or development, based on an available supervisory assessment and/or external auditor’s assessment.
For the purposes of paragraphs 4 and 5, major events or developments in management and operations shall mean any event or development in the management and operations of a credit institution or financial institution that may lead to a material change in the credit institution or financial institution’s inherent risk or residual risk profile. This includes, but is not limited to:
significant changes in the business model of the credit institution or financial institution to the extent that these changes may lead to a material change in the credit institution or financial institution’s inherent risk or residual risk profile;
the identification by the supervisor of significant weaknesses in the entity's AML/CFT procedures, systems and/or controls, to the extent that these weaknesses may lead to a material change in the credit institution or financial institution’s inherent risk or residual risk profile;
a credit institution or financial institution becomes a significant supervised entity within the meaning of Article 2, point (16), of Regulation (EU) 468/2014 or becomes part of a significant supervised group within the meaning of Article 2, point (22), of Regulation (EU) 468/2014, to the extent that this event may lead to a material change in the credit institution or financial institution’s inherent or residual risk profile.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
crypto-asset services
Definition
supervisor
Definition
residual risk
Definition
financial mixed activity holding company
Definition
inherent risk
Definition
crypto-asset service provider
Definition
credit institution
- a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013;
- a branch of a credit institution, as defined in Article 4(1), point (17), of Regulation (EU) No 575/2013, when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
parent undertaking
- for groups whose head office is located in the Union, an obliged entity that is a parent undertaking as defined in Article 2, point (9), of Directive 2013/34/EU that is not itself a subsidiary of another undertaking in the Union, provided that at least one subsidiary undertaking is an obliged entity;
- for groups whose head office is located outside of the Union, where at least two subsidiary undertakings are obliged entities established in the Union, an undertaking within that group established in the Union that:
- is an obliged entity;
- is an undertaking that is not a subsidiary of another undertaking that is an obliged entity established in the Union;
- has a sufficient prominence within the group and a sufficient understanding of the operations of the group that are subject to the requirements of this Regulation; and
- is given the responsibility of implementing group-wide requirements under Chapter II, Section 2 of this Regulation;
Definition
crypto-asset
Definition
property
Definition
terrorist financing
Definition
group
Definition
money laundering
Definition
financial institution
- an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council(32), including the activities of currency exchange offices (bureaux de change), but excluding the activities referred to in point (8) of Annex I to Directive (EU) 2015/2366, or an undertaking the principal activity of which is to acquire holdings, including a financial holding company, a mixed financial holding company and a financial mixed activity holding company;
- an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council(33), insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g), of Directive 2009/138/EC;
- an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 where it acts with respect to life insurance and other investment-related insurance services, with the exception of an insurance intermediary that does not collect premiums or amounts intended for the customer and which acts under the responsibility of one or more insurance undertakings or intermediaries for the products which concern them respectively;
- an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council(34);
- a collective investment undertaking, in particular:
- an undertaking for collective investment in transferable securities (UCITS) as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1), point (b), of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
- an alternative investment fund as defined in Article 4(1), point (a), of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1), point (b), of that Directive that fall within the scope set out in Article 2 of that Directive;
- a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 of the European Parliament and of the Council(35);
- a creditor as defined in Article 4, point (2), of Directive 2014/17/EU of the European Parliament and of the Council(36) and in Article 3, point (b), of Directive 2008/48/EC of the European Parliament and of the Council(37);
- a credit intermediary as defined in Article 4, point (5), of Directive 2014/17/EU and in Article 3, point (f), of Directive 2008/48/EC, when holding the funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 in connection with the credit agreement, with the exception of the credit intermediary carrying out activities under the responsibility of one or more creditors or credit intermediaries;
- a crypto-asset service provider;
- a branch of a financial institution referred to in points (a) to (i), when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
third country
Definition
funds