AMLA launches consultations on risk and AML/CFT guidelines

On April 16, 2026, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism ("AMLA") launched two public consultations on draft instruments that establish how obliged entities should identify, assess, and manage money laundering and terrorist financing risks. These consultations concern (i) draft Guidelines on business-wide risk assessment under Article 10(4) of Regulation (EU) 2024/1624 (the "AMLR"), and (ii) draft Regulatory Technical Standards ("RTS") on group-wide requirements under Articles 16(4) and 17(3) of the AMLR.

This briefing summarizes the key proposals under each consultation, highlights their practical implications, and sets out the relevant deadlines for stakeholder engagement.

Consultation 1: draft Guidelines on business-wide risk assessment ("BWRA")

• Purpose and legal basis

  Article 10(1) of the AMLR requires obliged entities ("OEs") to take appropriate and proportionate measures to identify and assess the risks of money laundering, terrorist financing, and non-implementation and evasion of targeted financial sanctions ("TFS") to which they are exposed. Article 10(4) mandates AMLA to issue guidelines specifying the minimum requirements for the content of the BWRA and additional sources of information to be taken into account when carrying out the assessment. The BWRA obligation is not new; it builds on the existing Article 8 of Directive (EU) 2015/849, but the AMLR extends its scope to include TFS evasion risks and newly covered OEs.

• Key principles

  The draft Guidelines emphasize that the BWRA is a central element of the risk-based approach, enabling OEs to understand the risks arising from their business model, customers, products, services, transactions, delivery channels, and geographical exposure. OEs must ensure the BWRA is documented, kept up-to-date, and reviewed regularly. The BWRA must be drawn up by the Compliance Officer, approved by the management body, and, where applicable, communicated to the supervisory function. OEs are also expected to take steps, including ongoing training, to ensure relevant employees understand the BWRA and how it affects their daily work.

• Proportionality

  The draft Guidelines place a strong emphasis on proportionality. Each OE should adapt and calibrate its BWRA to ensure it is proportionate to its own characteristics, including its risks, complexity, and size. Non-complex OEs - those that cumulatively meet the criteria for reduced supervisory risk assessment frequency under the RTS on Article 40(2) of the AMLD - may apply a less elaborate, more qualitative and descriptive BWRA. OEs operating in sectors where the supervisor has developed a sectoral BWRA may use it as a starting point, though they retain full responsibility for ensuring their own BWRA is appropriate. OEs may also rely on third parties to assist with the BWRA, provided that its proposal and approval remain within the OE.

• Four minimum requirements

  The draft Guidelines are structured around four minimum requirements for the content of the BWRA:
  • business and operational overview;
  • identification, assessment, and classification of inherent risks;
  • assessment of the quality of AML/CFT/TFS controls; and
  • assessment and classification of residual risks.

Consultation 2: draft RTS on group-wide requirements

• Purpose and legal basis

  The draft RTS address the design and implementation of group-wide AML/CFT frameworks under Articles 16 and 17 of the AMLR. AMLA has proposed a single set of RTS to address both mandates in a consistent manner, ensuring regulatory coherence and avoiding duplication. The RTS set out minimum requirements for group-wide policies, procedures, and controls; minimum standards for information sharing within a group; criteria for identifying the parent undertaking in certain cross-border situations; and additional measures for branches and subsidiaries in third countries. Here are some of the key features of the draft RTS on group-wide requirements:

• Minimum group-wide policies, procedures, and controls

  The draft RTS notably require parent undertakings to establish an organization and coordination structure at group level with sufficient decision-making powers for the group compliance manager and compliance officer. Group-wide policies must ensure that the management body and control functions have the necessary information to carry out their functions, that conflicts of interest between risk management and commercial functions are identified and mitigated, and that the business-wide risk assessment at group level is carried out and kept up to date. Group-wide policies must be formally documented, approved by the management body of the parent undertaking, recorded in writing, and made available to supervisors upon request. The parent undertaking must take into account the nature, size, complexity, and risks of the group's business when fulfilling these requirements.
  
  The draft RTS also provide specific provisions about third-country branches and subsidiaries.

• Information sharing within groups

  The draft RTS establish detailed and extensive information-sharing requirements within groups, encompassing customer due diligence data (including customer identity, beneficial ownership, etc.), information on transactions, services, and activities; risk assessments including the BWRA, individual risk assessments, and information on PEPs, suspicious transaction and activity reporting data; and other relevant information.
  
  Information sharing must cover at least common customers, customers having the same beneficial owners, and customers that belong to the same group or structure. Importantly, information sharing does not relieve individual OEs of their responsibility for their own risk assessments and AML/CFT compliance obligations.

• Identifying the parent undertaking in the EU

  The draft RTS introduce quantitative and qualitative criteria for identifying the parent undertaking in the EU in cases where two or more OEs belong to a head office in a third country. The determination focuses on "sufficient prominence" (based on the highest average number of customers or the highest average amount of transactions over the preceding three years) and "sufficient understanding of operations" (based on decision-making authority over strategy, important transactions, management coordination, or critical outsourcing arrangements).

• Extension to non-group structures

  A notable feature of the draft RTS is the extension of group-wide equivalent requirements to structures that are not formally organized as groups but share common ownership, management, or compliance control—including networks, partnerships, and franchises. The RTS define these structures and set out detailed conditions for determining when common ownership, common management, or common compliance control exists.

Key dates and next steps