Article 3 Assessment and classification of the quality of AML/CFT controls


This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 3 of the RTS on risk assessment to select institutions for direct supervision say?

This article is the counterpart to Article 2, which deals with inherent risk.

Where Article 2 assesses the risks a credit or financial institution is exposed to, Article 3 focuses on the other side of the equation: how well the institution's AML/CFT controls actually work.

It lays out a sequential, scored methodology for supervisors to assess and qualify the quality of those controls, moving from scoring individual indicators through to a final classification of the institution on a four-tier scale from very good (A) to poor (D).

Notably, the methodology includes a supervisory override mechanism, allowing scores to be adjusted where the calculated result does not adequately reflect reality, provided any such adjustment is duly justified and recorded.

Important points:

  • Supervisors are required to apply a structured, step-by-step scoring methodology to assess the quality of AML/CFT controls in place at credit and financial institutions, drawing on data points in Section B of Annex I.
  • Supervisors are permitted to adjust a category score where a supervisory or external auditor's assessment indicates the calculated score does not adequately reflect the actual level of control quality, but every adjustment must be justified and recorded.
  • The final controls quality score translates into one of four classifications — very good (A), good (B), moderate (C), or poor (D) — which feeds directly into the residual risk calculation set out in Article 4.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The methodology for assessing and qualifying the quality of the AML/CFT controls put in place by a credit institution or financial institution to mitigate the inherent risks to which it is exposed shall consist of the following sequential steps:

      1. identify all the controls quality indicators that apply to the credit institution or financial institution and allocate a score to each of these indicators, in accordance with paragraph 2;

      2. calculate combined scores for all applicable categories of indicators listed in Section B of Annex I, in accordance with paragraph 3;

      3. where supervisors have assessed that a combined score per category does not adequately reflect the level of quality of the controls falling within the relevant category, adjust the score accordingly, in accordance with paragraph 4;

      4. calculate the controls quality score of the credit institution or financial institution, in accordance with paragraph 5;

      5. classify the credit institution or financial institution in accordance with paragraph 6.

    1. Each score allocated to a controls quality indicator shall be a numerical value without decimal places ranging from 1, that corresponds to the highest level of quality, to 4, that corresponds to the lowest level of quality. The controls quality indicators shall be established based on the data points listed in Section B of Annex I. The scores shall be calculated based on pre-determined thresholds.

    1. Each combined score per category shall be a numerical value with two decimal places ranging from 1, that corresponds to the lowest level of risk, to 4, that corresponds to the highest level of risk. Each combined score per category shall be calculated from the scores allocated to its controls quality indicators, in accordance with paragraph 2. For this purpose, a weighted arithmetic average method shall be used. The weight applied to each indicator shall be based on its significance. The weights shall be expressed as a numerical value without decimal places ranging from 1, that corresponds to the lowest level of significance, to 5, that corresponds to the highest level of significance.

    1. Each adjustment of a score per category shall be based on a supervisory assessment or an external auditors’ assessment available to the relevant supervisor. Each adjustment shall be duly justified and recorded. For the purposes of this paragraph:

      1. a supervisory assessment shall mean any assessment of the effectiveness, or compliance with AML/CFT legal requirements, of all or part of a credit institution or financial institution’s AML/CFT governance, procedures, systems and controls carried out by a supervisor within the course of its supervisory activities. This includes, but is not limited, to full scope or targeted on-site inspections, thematic off-site reviews and other off-site analyses;

      2. an external auditor’s assessment shall mean any assessment of the effectiveness, or compliance with AML/CFT requirements, of all or part of a credit institution or financial institution’s AML/CFT governance, procedures, systems and controls carried out by external auditors.

    1. The controls quality score shall be a numerical value with two decimal places ranging from 1, that corresponds to the lowest level of risk), to 4, that corresponds to the highest level of risk. The controls quality score shall be calculated from the combined scores per category determined in accordance with paragraphs 3 and 4. For this purpose, a weighted arithmetic average method shall be used. The weight applied to each category shall be dependent on the score it received. Categories that received a higher score that corresponds to a lower level of quality shall have a greater weight than categories that received a lower score that corresponds to a higher level of quality.

    1. The classification shall be based on the controls quality score attributed to the credit institution or financial institution in accordance with paragraph 5. The classification shall be made in accordance with the following conversion rules:

      1. Score<1.75: Very good quality of controls (A)
      2. 1.75Score<2.5: Good quality of controls (B)
      3. 2.5Score<3.25: Moderate quality of controls (C)
      4. Score3.25: Poor quality of controls (D)

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod