Preamble Recitals


This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Recital 1

Directive (EU) 2024/1640 sets out the obligation for Member States to ensure that competent authorities apply a risk-based approach to supervision. As part of this, competent authorities should identify and assess the ML/TF risks to which obliged entities are exposed, as a result of the characteristics of their customers, the types of products, services or transactions they offer, the jurisdictions in which they operate and the distribution channels that they use.

Recital 2

Pursuant to Article 40(2) of Directive (EU) 2024/1640, AMLA is mandated to develop benchmarks and a methodology to ensure that the inherent and residual risk profiles of individual obliged entities can be assessed and classified in a consistent manner by all competent authorities.

Recital 3

This Regulation sets out benchmarks and a methodology for assessing and classifying the inherent and residual risk profile of credit institutions and financial institutions, as well as the frequency at which such risk profile shall be reviewed.

Recital 4

To ensure that the risk profile of credit institutions and financial institutions is assessed and classified in a consistent manner across the Union, the assessment and classification of the inherent and residual risk profile of credit institutions and financial institutions should be conducted on the basis of the same information in all Member States.

Recital 5

This Regulation does not specify how competent authorities should obtain the information on which the assessment should be based. Supervisors may collect relevant data from different sources, either from the credit institutions and financial institutions themselves, from external auditors, or from AML/CFT authorities, prudential supervisors, FIUs or other public bodies in the context of cooperation or ongoing exchanges. Supervisors should use these data to establish a set of harmonised indicators. These indicators should be scored using the same methodology and combined using the same weighting system to determine the inherent and residual risk profile of credit institutions and financial institutions.

Recital 6

Article 40, paragraph 2, of Directive (EU) 2024/1640 requires supervisors to assess and classify both the inherent and residual risk profiles of credit institutions and financial institutions. Consequently, supervisors should adopt a three-step approach. Firstly, supervisors should assess and classify the inherent risk profile of credit institutions and financial institutions based on a set of indicators aimed at reflecting the level of ML/TF risks to which they are exposed. Secondly, supervisors should assess the quality of the AML/CFT controls put in place by credit institutions and financial institutions to mitigate the inherent ML/TF risks to which they are exposed. Lastly, supervisors should assess and classify the residual risk profile of credit institutions and financial institutions which should reflect the level of ML/TF risk to which credit institutions and financial institutions remain exposed after their controls have been applied.

Recital 7

Inherent ML/TF risks can stem from different types of risk factors, namely factors relating to the nature of customers, factors relating to the nature of the services, products or types of transactions offered, factors relating to the distribution channels used, and factors relating to the geographical areas in which credit institutions and financial institutions are operating. To structure the assessment of inherent risks, the inherent risk indicators should therefore each be divided into four categories reflecting the different types of risk factors and controls mentioned above. Moreover, within certain categories, some indicators relate to the same topic and should therefore be grouped into sub-categories. Similarly, different types of AML/CFT controls can be identified. To structure the assessment of the quality of controls, these different indicators should also be classified into different categories corresponding to these different types of controls.

Recital 8

Indicators comprising a sub-category or category will generally not have the same level of significance. Consequently, indicators should be given different weights in the determination of the combined score attributed to this sub-category or category. Equally, the sub-categories comprising a category may have different levels of significance and should also be given different weights in the determination of the combined score per category.

Recital 9

Some sectors have specificities that affect the level of ML/TF risks to which the credit institutions and financial institutions operating in these sectors are exposed. These specificities should be reflected in the methodology by adjusting the list of applicable indicators and the weights given to these indicators, depending on the sector(s) to which the assessed credit institutions and financial institutions belong. The assessment of the risks of money laundering and terrorist financing and of non-implementation and evasion of targeted financial sanctions affecting the internal market and relating to cross-border activities conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640 should be used as a source of information to determine the extent to which adjustments are needed for the different sectors.

Recital 10

Similarly, supervisors may possess relevant information suggesting that the credit institution or financial institution’s inherent risk score does not reflect the level of inherent ML/TF risks to which it is exposed, for instance due to national specificities of their Member States. This information should be reflected in the methodology by introducing a mechanism whereby supervisors can adjust the inherent risk score of the relevant credit institutions and financial institutions, based on duly justified considerations.

Recital 11

ML/TF risks affecting the internal market are constantly evolving. It is therefore important that the methodology can be adjusted on an ongoing and timely basis to capture these evolutions. To ensure that this is possible, the precise values and thresholds to be applied to score each indicator and the precise weights to be given to each indicator, sub-category and category in the determination of the inherent and residual risk profile of credit institutions and financial institutions should not be specified in this Regulation. It will be the role of AMLA to develop and keep up to date the necessary guidance to ensure that each competent authority applies the same thresholds and weights.

Recital 12

To ensure that supervisors’ understanding of the ML/TF risks to which credit institutions and financial institutions are exposed, the inherent and residual risk profile of credit institutions and financial institutions should be reviewed at least once per year. Where the size of the business of a credit institution or financial institution is very small, or where the nature of the business exposes the entity to a low level of risk or does not justify reviewing the inherent and residual risk profile of the credit institution or financial institution every year, supervisors should be able to review such profile only once every three years, provided that no major event or development in the management and operations of the relevant credit institution or financial institution occurs during the three years preceding the assessment.

Recital 13

Major events or developments in the management and operations of credit institutions and financial institutions can significantly affect the ML/TF risks to which the relevant credit institutions and financial institutions are exposed, in a way that justifies a rapid supervisory reaction. Where such events or developments occur, supervisors should conduct an ad hoc assessment of the impact of those events or developments on the inherent and residual risk profile of the relevant credit institutions and financial institutions in a timely fashion.

Recital 14

This Regulation is based on the draft regulatory technical standards submitted by AMLA to the Commission.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod