Article 4 Assessment and classification of the residual risk at entity level


This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 4 of the RTS on risk assessment to select institutions for direct supervision say?

Article 4 is the culminating step in a sequential risk assessment process, bringing together the outputs of Articles 2 and 3 to produce a final residual risk classification for credit and financial institutions.

While Articles 2 and 3 establish how to score inherent risk and controls quality respectively, this article explains how those two scores are combined into a single residual risk score, and how that score is then converted into one of four classifications: low, medium, substantial, or high.

The key mechanic is that good controls can reduce but never worsen an institution's residual risk — if controls quality is better than the inherent risk score, the residual risk simply equals the inherent risk; if controls quality is worse, the residual risk is the average of the two scores.

Important points:

  • The residual risk score for credit and financial institutions is derived by combining the inherent risk score from Article 2 and the controls quality score from Article 3 using a specific two-rule formula.
  • Strong AML/CFT controls can cap but not reduce the residual risk below the inherent risk score — meaning inherent risk always sets the floor.
  • The final residual risk classification falls into one of four categories — low, medium, substantial, or high — determined by fixed numerical score thresholds.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. The methodology for assessing and classifying the residual risk profile of a credit institution or financial institution, as referred to in Article 12, paragraph (5) and (6), of Regulation (EU) 2024/1640 as low, medium, substantial or high, shall consist of the following sequential steps:

    1. based on the inherent risk score and the controls quality score attributed to the credit or financial institution, in accordance with Article 2 and Article 3, determining the residual risk score of the credit and financial institutions by applying the following rules:

      1. where the controls quality score is greater than the inherent risk score, the residual risk score shall be equal to the inherent risk score;

      2. where the controls quality score is lower than or equal to the inherent risk score, the residual risk score shall be equal to the average of the inherent risk score and the controls quality score;

    2. depending on the residual risk score of the credit institution or financial institution, determined in accordance with point (a), classifying the residual risk profile of the credit institution or financial institution as low, medium, substantial or high, in accordance with the following conversion rules:

      1. Score<1.75: Low risk (1)
      2. 1.75Score<2.5: Medium risk (2)
      3. 2.5Score<3.25: Substantial risk (3)
      4. Score3.25: High risk (4)

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod