On 16 April 2026, the EU’s new Anti-Money Laundering Authority (“AMLA”) opened a public consultation process in respect of its draft Guidelines on business-wide risk assessment (“BWRA”) under Article 10(4) of Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation (“AMLR”) (the “Draft Guidelines”).
The Draft Guidelines aim to develop a harmonised approach to BWRAs that is applied consistently across Member States and set out the core principles, methodology, sources of information and minimum requirements that must be considered by in-scope entities (“Obliged Entities”) when conducting the BWRA. The deadline for submission of responses to the consultation process is 15 July 2026.
The requirement to carry out a BWRA is already a feature of Irish law, as section 30A of the Criminal Justice Act 2010 (as amended) currently establishes the requirement for ‘designated persons’ to conduct a business risk assessment to identify and assess the risks of money laundering (“ML”) and terrorist financing (“TF”) involved in the carrying on of the firm’s business activities. However, AMLR and the Draft Guidelines go further to expand on these requirements, in particular, extending the scope of the BWRA to: (i) the risks of non-implementation and evasion of Targeted Financial Sanctions (“TFS”) and (ii) non-financial sector entities.
AMLR
The AMLR, which forms part of the EU’s AML package and has a general transposition deadline of 10 July 2027, requires Obliged Entities:
- to take appropriate measures, proportionate to the nature, size, risks and complexity of their business, to identify and assess the ML / TF risks to which they are exposed, as well as the risks of non-implementation and evasion of TFS, taking into account at least the information outlined below (Article 10(1) of the AMLR refers):
  - the risk factors and variables set out in Annexes I, II and III of AMLR;
  - the findings of the risk assessment completed at Member State and EU level, as well as any relevant sector specific risk assessment carried out by the Member States;
  - relevant information on ML/TF risks published by international standard setters, the Commission, and national competent authorities; and
  - information on the customer base.
- to ensure that the BWRA is documented, kept up to date and regularly reviewed, including where any internal or external events significantly affect the ML / TF risks associated with the obliged entity, and make it available to supervisors upon request.
AMLR also provides that, with the exception of credit institutions, financial institutions, crowdfunding service providers and crowdfunding intermediaries, supervisors may decide that individual documented BWRAs are not required where the specific risks in the sector are clear and understood (Article 10(3) of the AMLR refers).
The draft guidelines
In order to support the harmonised application of the requirements above, Article 10(4) mandates AMLA to develop guidelines specifying:
- The minimum requirements for the content of the BWRA drawn up by Obliged Entities pursuant to Article 10(1) of the AMLR; and
- The additional sources of information to be taken into account when carrying out the BWRA.
The key elements of the Draft Guidelines are as follows:
1. Focus on proportionality and simplification: The Draft Guidelines clarify that the level of detail in the BWRA should be aligned with the complexity of the obliged entity’s structure and provide options for less complex Obliged Entities, such as applying a less elaborate BWRA methodology or leveraging a sectoral BWRA developed by the relevant supervisor. Overall, the Draft Guidelines focus on providing targeted clarifications in respect of the AMLR.
2. Interactions between BWRA and individual customer level risk assessments: Regulatory Technical Standards (“RTS”) on Article 40(2) of the Sixth Anti-Money Laundering Directive (Directive EU 2024/1620) (“AMLD6”) regarding methodology and frequency of review to be applied by supervisors when assessing and classifying the inherent and residual risk profile of Obliged Entities. Whilst the RTS and the BWRA have different objectives (supervisory assessment and self-assessment of ML / TF risks in relation to the obliged entity respectively), the mandates refer to common concepts related to the performance of a risk assessment.
3. Interactions with other mandates: The Draft Guidelines have direct interconnections with other mandates forming part of the EU’s AML / CTF framework, in particular:
- Regulatory Technical Standards on Article 40(2) of the Sixth Anti-Money Laundering Directive (Directive EU 2024/1620) regarding methodology and frequency of review to be applied by supervisors when assessing and classifying the inherent and residual risk profile of Obliged Entities. Whilst the RTS and the BWRA have different objectives (supervisory assessment and self-assessment of ML / TF risks in relation to the obliged entity respectively), the mandates refer to common concepts related to the performance of a risk assessment.
- Guidelines on Article 9(4) of the AMLR on Policies, Procedures and Controls addressing review of the BWRA and completion of any updates to policies, procedures and controls which are triggered by review of the BWRA;
- Guidelines on risk variables and risk factors to be taken into account by Obliged Entities when entering into business relationships or carrying out occasional transactions under Article 20(3) AMLR; and
- where appropriate, the Draft Guidelines have been aligned with existing guidelines from the European Banking Authority (“EBA”) whilst ensuring that they are adjusted appropriately for Obliged Entities from the non-financial sector.
The Draft Guidelines are structured as follows:
1. Introduction, outlining the overall scope and purpose, which focusses on the following themes:
- Proportionality: Obliged Entities will be required to adopt and calibrate their own BWRA to ensure it is proportionate to the entity’s own characteristics, including risks, complexity and size, and consider the options provided in the Draft Guidelines for application of same.
- Identifying and assessing the risks associated with non-implementation and evasion of TFS: Obliged Entities will be required to have a clear understanding of their exposure to non-implementation and evasion of TFS and should consider whether to extend their ML / TF risk assessment to include a formal assessment of this risk, or alternatively, whether they should conduct a separate risk assessment that complements the overall BWRA on ML / TF risk.
- Implementation within an overall group: Obliged Entities who are parent undertakings should carry out a group-wide risk assessment, leveraging and consolidating the BWRAs completed by each branch and subsidiary (Article 16(1) of the AMLR). The parent undertaking should also ensure that all branches and subsidiaries of the group conduct their own BWRA using a coordinated approach and a common methodology, whilst reflecting the risks and characteristics associated with each entity’s respective operations.
2. Methodology and sources of information
- Obliged Entities will be expected to design a BWRA methodology which includes risk rating levels appropriate to them, ensuring that no single risk factor disproportionately drives the overall outcome. In particular, where an obliged entity’s risk rating levels diverge from those expected in the EU or Member State risk assessments, the rationale for these ratings should be clear.
- Obliged Entities should refer to information from a variety of sources and take into account at least those listed in Article 10(1) of the AMLR, together with any other relevant and credible sources that apply to their activity, sector and jurisdiction, taking into account the nature, scale and complexity of the business.
3. Minimum requirements for completion of a BWRA:
- Business and operational overview: The BWRA shall provide an overview describing key elements of the obliged entity’s business and operations, and use this overview as a basis for ensuring that the approach to the assessment is effective and proportionate in the context of the nature, scale and complexity of the obliged entity.
- Identification, assessment and classification of the obliged entity’s inherent risks: Obliged Entities should take a holistic view of all relevant risk factors when analysing how ML / TF risks / non-implementation and evasion of TFS risks could materialise within the business. This analysis should at least refer to the data points listed in the RTS on Article 40(2) of the AMLD6.
- Assessment of the quality of AML/CFT | Non-Implementation and evasion of TFS controls: Once the inherent risks are identified, Obliged Entities should assess how effectively the entity’s policies, procedures and controls mitigate those risks, from both a design and implementation perspective.
- Assessment and classification of the residual risks: Obliged Entities should determine the residual risks that they remain exposed to, having considered the inherent risk level in the light of the quality of the controls. Parent undertakings should take into account the overall residual risk scores resulting from the BWRAs performed by their branches and subsidiaries.
Contact us
The consultation responses will be made available on the AMLA’s website and a final report will be published. We will continue to monitor developments and in the meantime, if you have any queries about this update, please contact partners Ian O’Mara, Joe Beashel or Niamh Mulholland, or your usual contact in the Financial Institutions Group at Matheson.
