New Business-Wide Risk Assessment (BWRA) under Article 10 AMLR
The European Union is fundamentally reshaping anti-money laundering governance. One of the most important changes under Regulation (EU) 2024/1624 (AMLR) is the new Business-Wide Risk Assessment (BWRA) framework under Article 10 AMLR.
For many obliged entities, the BWRA was historically treated as:
- a static compliance document,
- a periodic risk report,
- or a regulatory formality.
That era is ending.
With the publication of AMLA’s “Consultation on the draft Guidelines on business-wide risk assessment”, the future supervisory direction is now becoming visible. The new BWRA is evolving into a fully operational AML risk governance framework that will become one of the central examination objects of future AML supervision in the EU.
The implications for banks, payment institutions, crypto firms, insurers, investment firms and other obliged entities are enormous.
What Is the Business-Wide Risk Assessment (BWRA)?
The Business-Wide Risk Assessment is the institution-wide assessment of money laundering, terrorist financing and targeted financial sanctions risks arising from:
- customers,
- products,
- services,
- transactions,
- delivery channels,
- and geographic exposure.
Under Article 10 AMLR, obliged entities must identify, assess, understand and document their risks and implement appropriate mitigating controls.
The BWRA forms the foundation of the entire AML/CFT framework because it determines:
- customer risk models,
- monitoring intensity,
- due diligence requirements,
- control priorities,
- resource allocation,
- and governance measures.
AMLA explicitly describes the BWRA as a “central element of the risk-based approach.”
Why the New BWRA under Article 10 AMLR Is So Important
The new AMLR framework significantly expands supervisory expectations.
AMLA’s consultation paper makes clear that the BWRA is no longer expected to be:
- a generic narrative,
- a template-based document,
- or a “box-ticking exercise.”
Instead, the BWRA must become:
- evidence-based,
- methodology-driven,
- operationally embedded,
- auditable,
- and proportionate to the institution’s actual risk exposure.
This represents a major shift from document-centric AML compliance toward operational AML risk governance.
The Four Core Requirements of the New BWRA
AMLA’s draft Guidelines establish four minimum requirements for all obliged entities.
1. Institutional Context
The institution must understand and document:
- its business model,
- products and services,
- customer types,
- transaction flows,
- delivery channels,
- and geographical footprint.
This creates the structural foundation for the risk assessment.
2. Identification of Inherent Risk
Institutions must identify their raw or “inherent” ML/TF exposure before considering controls.
This includes risks arising from:
- high-risk customers,
- complex legal structures,
- cross-border activity,
- cash-intensive sectors,
- crypto-assets,
- correspondent relationships,
- and high-risk jurisdictions.
This step is critical because AMLA now formally separates:
- inherent risk,
- control effectiveness,
- and residual risk.
3. Assessment of Control Effectiveness
One of the most important developments in the AMLA consultation is the requirement to assess controls from both:
- a design perspective,
- and an effectiveness perspective.
This means institutions must evaluate whether controls:
- are appropriately designed,
- operate effectively in practice,
- are proportionate,
- and adequately mitigate identified risks.
This introduces a governance logic very similar to:
- internal control systems,
- operational risk management,
- DORA governance,
- and internal audit methodologies.
4. Determination of Residual Risk
After assessing controls, institutions must determine the remaining or “residual” risk.
This is the risk that still exists after mitigation measures are applied.
The residual-risk assessment becomes a key supervisory focus because it demonstrates whether:
- controls are sufficient,
- governance is effective,
- and AML risks remain within acceptable levels.
AMLA Is Turning the BWRA into a Supervisory Risk Engine
One of the most important messages from the consultation paper is that the BWRA is becoming a supervisory-grade risk framework.
Supervisors will increasingly examine:
- methodologies,
- scoring logic,
- weighting models,
- aggregation mechanisms,
- override processes,
- evidence quality,
- and governance documentation.
The methodology itself is becoming examinable.
This is a fundamental shift in EU AML supervision.
Institutions will need to explain:
- why risks are weighted in a certain way,
- how residual risks are calculated,
- how controls are validated,
- and how management decisions are documented.
Formalistic AML Compliance Is No Longer Sufficient
AMLA repeatedly criticises:
- “formalistic exercises,”
- “purely procedural compliance,”
- and ineffective template-driven approaches.
This signals a clear supervisory direction:
future AML supervision will focus on substance rather than appearance.
Institutions relying on:
- static PDF documents,
- undocumented scoring systems,
- copied industry templates,
- or generic risk narratives
may face increasing regulatory scrutiny.
The expectation is now:
- demonstrable risk understanding,
- evidence-based governance,
- and operationally effective controls.
Internal Audit and Testing Become Central
The new BWRA framework strongly elevates the importance of:
- internal audit,
- compliance testing,
- remediation tracking,
- and governance validation.
AMLA explicitly references:
- audit findings,
- supervisory findings,
- lessons learned,
- and control testing results
as important information sources for the BWRA.
This means future AML governance frameworks will likely require:
- recurring validation cycles,
- formal control testing,
- structured remediation processes,
- and documented evidence repositories.
Proportionality under Article 10 AMLR
One important aspect of AMLA’s approach is proportionality.
AMLA recognises that:
- small entities,
- non-complex firms,
- and DNFBPs
cannot implement the same sophisticated frameworks as large cross-border financial institutions.
Therefore, the Guidelines explicitly allow:
- qualitative approaches,
- simplified methodologies,
- and sectoral BWRAs.
However, proportionality does not remove accountability.
Even smaller obliged entities must still:
- understand their risks,
- document their methodology,
- justify their conclusions,
- and maintain effective controls.
Integration of Sanctions and Targeted Financial Sanctions (TFS)
Another major development is the integration of:
- AML,
- counter-terrorist financing,
- and targeted financial sanctions (TFS).
AMLA makes clear that sanctions risks and sanctions-evasion risks must be integrated into the BWRA.
This is highly significant because sanctions governance has historically been separated from AML governance in many institutions.
The future EU framework increasingly merges:
- AML risk management,
- sanctions compliance,
- and financial-crime governance.
Group-Wide Risk Governance under AMLR
Cross-border groups face particularly significant changes.
AMLA expects:
- coordinated methodologies,
- consolidated group-wide risk views,
- branch-level assessments,
- and consistent governance standards.
This resembles prudential consolidation and enterprise-risk-management frameworks.
International groups will likely need:
- harmonised taxonomies,
- common scoring methodologies,
- group-wide governance committees,
- and centralised oversight mechanisms.
Practical Challenges for Obliged Entities
The new BWRA framework will create major implementation projects across the financial sector.
Key challenges include:
Methodology Governance
Institutions must document:
- scoring logic,
- weighting rationale,
- aggregation methods,
- and override processes.
Data Quality
Reliable and traceable data becomes critical.
Control Validation
Controls must be tested for:
- design adequacy,
- operational effectiveness,
- and proportionality.
Documentation
Institutions will need:
- evidence repositories,
- governance documentation,
- audit trails,
- and version-controlled methodologies.
Dynamic Updates
The BWRA must evolve with:
- business changes,
- new products,
- sanctions developments,
- emerging typologies,
- and supervisory expectations.
What Supervisors Will Likely Focus On
Future supervisory reviews will likely focus on:
- methodological robustness,
- evidence quality,
- governance effectiveness,
- residual-risk logic,
- control testing,
- management involvement,
- and remediation capability.
Supervisors may increasingly challenge:
- undocumented assumptions,
- simplistic scoring,
- disproportionate weightings,
- and ineffective controls.
The BWRA is becoming one of the most important governance documents in the AMLR era.
Key Takeaways
The new Business-Wide Risk Assessment under Article 10 AMLR represents one of the most significant transformations of AML governance in Europe.
AMLA is clearly moving the market away from:
- static compliance documentation
toward:
- operational risk governance,
- evidence-based methodologies,
- control effectiveness testing,
- and auditable AML frameworks.
The BWRA is no longer simply a compliance exercise.
It is becoming:
- the central governance engine of the AML/CFT framework,
- a core supervisory examination object,
- and a key indicator of institutional AML maturity.
Institutions that start preparing early will be significantly better positioned for the new AMLA supervisory environment.