Article 2 Assessment and classification of the inherent risk at entity level


This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 2 of the RTS on risk assessment to select institutions for direct supervision say?

This is a core methodological article that lays out the step-by-step scoring process used to assess and classify the inherent risk profile of credit and financial institutions.

It feeds directly into the broader risk classification framework established under Regulation (EU) 2024/1640, and its output — the inherent risk score — also serves as one of the two inputs used in Article 4 to derive the residual risk score.

The article works through a sequential process: identifying applicable risk indicators, scoring them, rolling those scores up through sub-categories and categories using weighted averages, and ultimately arriving at a single numerical score that maps to one of four risk classifications.

Important points:

  • The scoring scale for inherent risk runs from 1 (lowest risk) to 4 (highest risk), with the final classification falling into one of four bands: low, medium, substantial, or high.
  • Weighted arithmetic averages are used at every level of aggregation, with higher-scoring categories carrying greater weight in the final inherent risk score calculation.
  • The resulting inherent risk classification directly feeds into the residual risk assessment under Article 4, making this article a foundational step in the overall supervisory risk profiling process.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The methodology for assessing and classifying the inherent and residual risk profile of a credit institution or financial institution as referred to in Article 12, paragraphs (5) and (6), of Regulation (EU) 2024/1640 as low, medium, substantial or high, shall consist of the following sequential steps:

      1. identify all the inherent risk indicators that apply to the credit institution or financial institution and allocate a score to each of these indicators, in accordance with paragraph 2;

      2. identify all the sub-categories of indicators listed in Section A of Annex I, within the ‘products and services’ category, that apply to the credit institution or financial institution, and calculate a combined score for each of those sub- categories, in accordance with paragraph 3;

      3. calculate combined scores for all categories of indicators listed in Section A of Annex I, in accordance with paragraph 4;

      4. calculate the inherent risk score of the credit institution or financial institution, in accordance with paragraph 5;

      5. classify the inherent risk profile of the credit institution or financial institution, in accordance with paragraph 6.

    1. Each score allocated to an inherent risk indicator shall be a numerical value without decimal places ranging from 1, that corresponds to the lowest level of risk, to 4, that corresponds to the highest level of risk. The inherent risk indicators shall be established based on the data points listed in Section A of Annex I. The scores shall be calculated based on pre-determined thresholds.

    1. A sub-category shall apply only if at least one of its indicators applies to the credit institution or financial institution. Each combined score per sub-category shall be a numerical value with two decimal places ranging from 1, that corresponds to the lowest level of risk, to 4, that corresponds to the highest level of risk. Each combined score per sub-category shall be calculated from the scores allocated to its inherent risk indicators, in accordance with paragraph 2. For this purpose, a weighted arithmetic average method shall be used. The weight applied to each indicator shall be based on its risk significance. The weights shall be expressed as a numerical value without decimal places ranging from 1, that corresponds to the lowest level of risk significance, to 5 that corresponds to the highest level of risk significance.

    1. Each combined score per category shall be a numerical value with two decimal places ranging from 1, that corresponds to the lowest level of risk, to 4 that corresponds to the highest level of risk. Each combined score per category shall be calculated from the scores allocated to its inherent risk indicators, in accordance with paragraph 2. By way of derogation, the combined score of the ‘products and services’ category shall be calculated from the combined scores attributed to its sub-categories, in accordance with paragraph 3. For this purpose, a weighted arithmetic average method shall be used. The weight applied to each indicator or sub-category shall be based on its risk significance. The weights shall be expressed as a numerical value without decimal places ranging from 1, that corresponds to the lowest level of risk significance, to 5, that corresponds to the highest level of risk significance.

    1. The inherent risk score shall be a numerical value with two decimal places ranging from 1, that corresponds to the lowest level of risk, to 4, that corresponds to the highest level of risk. The inherent risk score shall be calculated from the combined scores per category determined in accordance with paragraph 4. For this purpose, a weighted arithmetic average method shall be used. The weight applied to each category shall be dependent on the score it received. Categories that received a higher risk score shall have a greater weight than categories that received a lower risk score.

    1. The classification shall be based on the inherent risk score attributed to the credit institution or financial institution in accordance with paragraph 5. The classification shall be made in accordance with the following conversion rules:

      1. Score<1.75: Low risk (1)
      2. 1.75Score<2.5: Medium risk (2)
      3. 2.5Score<3.25: Substantial risk (3)
      4. Score3.25: High risk (4)

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod