
AMLA Draft RTS on the assessment of the inherent and residual risk profile of obliged entities in the non-financial sector
The European Anti-Money Laundering Authority, AMLA, has published draft Regulatory Technical Standards establishing a harmonised methodology for assessing the money laundering and terrorist financing risk profiles of obliged entities in the EU’s non-financial sector.
The draft RTS will determine how national supervisory authorities assess and classify:
- the inherent money laundering and terrorist financing risk of an obliged entity;
- the quality of its AML/CFT controls; and
- the residual risk remaining after those controls have been taken into account.
The methodology is intended to ensure that comparable businesses are assessed according to a common supervisory framework throughout the European Union. It also gives supervisors a structured basis for allocating resources, determining supervisory intensity and prioritising higher-risk obliged entities.
Although the draft RTS are formally addressed to supervisory authorities, they will have significant practical consequences for businesses and professionals in the non-financial sector. Supervisors will need extensive information at entity level, meaning that obliged entities will have to be able to identify, aggregate, validate and provide the relevant data.
Legal basis of the AMLA Draft RTS
The legal basis is Article 40(2) of Directive (EU) 2024/1640, the Sixth Anti-Money Laundering Directive, or AMLD6.
Article 40(2) requires AMLA to develop technical standards specifying:
- the benchmarks for assessing risk;
- the methodology for assessing and classifying inherent risk;
- the methodology for assessing AML/CFT controls;
- the calculation and classification of residual risk; and
- the frequency with which the risk profiles must be reviewed.
The standards apply to non-financial obliged entities falling within Article 3(3) of Regulation (EU) 2024/1624, the EU Anti-Money Laundering Regulation.
AMLA is implementing the mandate in two phases. The corresponding methodology for credit institutions and financial institutions was submitted to the European Commission in December 2025. The new consultation addresses the diverse population of non-financial obliged entities.
Which obliged entities are covered?
The non-financial sector includes more than two million natural and legal persons across the EU. It ranges from sole practitioners and micro-enterprises to large international groups.
The draft RTS contain 16 sector-specific sets of inherent risk data points. Relevant categories include, among others:
- auditors, external accountants and tax advisers;
- notaries, lawyers and other independent legal professionals;
- trust and company service providers;
- estate agents and other real estate professionals;
- traders in precious metals and stones;
- traders in high-value goods;
- land-based and online gambling providers;
- crowdfunding service providers and intermediaries;
- investment migration operators;
- non-financial mixed-activity holding companies;
- professional football clubs; and
- football agents.
The use of sector-specific datasets reflects AMLA’s recognition that the risk drivers of a law firm, estate agency, gambling operator and football club cannot be meaningfully assessed through an identical questionnaire.
The methodology nevertheless retains a common architecture so that the resulting supervisory assessments remain comparable across sectors and Member States.
Entity-level assessment replaces purely sectoral analysis
A central feature of the draft RTS is the requirement for an entity-level risk assessment.
A broad sectoral assessment may help supervisors identify common vulnerabilities and establish supervisory priorities. However, AMLA considers sector-level analysis insufficient on its own. Supervisors must assess the individual risk profile of every obliged entity registered or licensed under Article 4 AMLD.
This is a major change for Member States in which supervisory authorities have previously relied mainly on sector-wide information or have not systematically classified every individual supervised entity.
The outcome of the assessment is expected to influence:
- the frequency and scope of supervisory engagement;
- the selection of entities for inspections;
- the intensity of off-site monitoring;
- thematic reviews;
- requests for additional information; and
- the prioritisation of supervisory resources.
AMLA’s three-step risk assessment methodology
The draft RTS introduce a three-step model:
Step 1: Assessment of inherent risk
The supervisor first assesses the level of ML/TF risk to which the obliged entity is exposed before taking its mitigating controls into account.
Step 2: Assessment of AML/CFT controls
The supervisor then assesses the quality of the entity’s governance, policies, procedures, systems and controls.
Step 3: Determination of residual risk
Finally, the inherent risk score and the controls quality score are combined to determine the residual risk remaining after mitigation.
Step 1: Assessment of inherent risk
The inherent risk assessment is based on the data points listed in Annex I. These are tailored to the respective sector but generally cover five overarching risk categories.
Structure of the obliged entity
The methodology considers structural characteristics such as:
- complex ownership or organisational structures;
- politically exposed persons as beneficial owners;
- beneficial owners resident in high-risk third countries;
- parent undertakings in high-risk third countries; and
- branches or subsidiaries in high-risk third countries.
This is a notable addition compared with the financial-sector methodology. AMLA considers the structure of a non-financial obliged entity to be a separate source of inherent risk.
Customers
Customer-related indicators include:
- total and new customers;
- legal entities and legal arrangements;
- politically exposed persons;
- complex ownership structures;
- unidentified or unverified beneficial owners;
- non-resident customers;
- customers from high-risk third countries; and
- customers represented or introduced by third parties.
Products and services
The products and services category is the most extensively tailored part of the methodology.
Depending on the sector, it may cover:
- company and trust formation;
- management of client assets;
- real estate transactions;
- tax planning;
- escrow accounts;
- gambling deposits and withdrawals;
- anonymous play;
- prepaid vouchers;
- crypto-asset transactions;
- high-value goods;
- investment migration services;
- crowdfunding projects; or
- nominee shareholder and director services.
Geographical risk
Geographical indicators focus particularly on:
- customers from outside the obliged entity’s Member State;
- high-risk third countries;
- foreign beneficial owners;
- transactions involving funds from high-risk jurisdictions; and
- business operations conducted in higher-risk countries.
Distribution channels
Relevant distribution-channel risks include:
- non-face-to-face identification;
- reliance on customer due diligence performed by another obliged entity;
- customers introduced by third parties;
- intermediaries outside the EU or EEA;
- distribution networks not subject to AML/CFT supervision; and
- outsourced or indirect delivery models.
The Annex demonstrates the level of granularity expected. Real estate professionals, for example, may have to provide data on transactions significantly above or below local market values, repeated transactions involving the same customer or property, third-party financing, crypto-asset payments and residence-by-investment programmes.
Scoring the inherent risk profile
Each applicable inherent risk indicator receives a score from 1 to 4:
| Score | Meaning |
|---|---|
| 1 | Lowest risk |
| 2 | Medium risk |
| 3 | Substantial risk |
| 4 | Highest risk |
The supervisor assigns each indicator a risk-significance weighting from 1 to 5.
Weighted arithmetic averages are used to calculate:
- sub-category scores, where applicable;
- category scores; and
- the overall inherent risk score.
Higher-risk categories receive greater weight in the calculation of the overall score. The resulting inherent risk profile is classified as follows:
| Overall score | Inherent risk classification |
|---|---|
| Below 1.75 | Low |
| 1.75 to below 2.50 | Medium |
| 2.50 to below 3.25 | Substantial |
| 3.25 or above | High |
The use of common numerical thresholds is intended to increase consistency between Member States, even where the specific data points differ by sector.
Step 2: Assessment of the quality of AML/CFT controls
Annex II establishes a common set of control-related data points for the non-financial sector.
The assessment covers five principal areas.
Governance, culture and compliance function
Supervisors will consider whether the obliged entity has written policies and procedures covering the entire AML/CFT framework.
The data points also address:
- the frequency with which procedures are reviewed;
- the date of the most recent update;
- overall staff numbers;
- employees assigned AML/CFT responsibilities;
- AML/CFT training for relevant employees;
- senior management training; and
- successful completion of training.
Internal controls and outsourcing
The assessment covers:
- internal or external audits of AML/CFT controls;
- the frequency of those audits;
- outstanding audit findings;
- the outsourcing of AML/CFT obligations; and
- written agreements defining the roles and responsibilities of the parties.
Risk assessment
The supervisor will examine whether the obliged entity:
- conducts a business-wide risk assessment;
- reviews and updates that assessment;
- determines its overall risk exposure; and
- maintains policies and procedures for customer risk assessments.
Customer due diligence
Relevant indicators include:
- the number of customers by risk category;
- legal entities or legal arrangements whose beneficial owners have not been identified or verified; and
- customers subject to enhanced due diligence.
Ongoing and transaction monitoring
The draft data points examine:
- whether ongoing or transaction monitoring is performed;
- whether monitoring is manual, partially automated or automated;
- whether reviews are periodic or triggered by events;
- the number of customer reviews due; and
- the number of reviews actually completed.
Annex II therefore looks beyond the formal existence of policies. It includes quantitative indicators capable of showing whether important AML/CFT processes are operating in practice.
Classification of AML/CFT controls
The quality of the controls is scored from 1 to 4, but the direction of the scale is reversed compared with inherent risk:
| Score | Controls classification |
|---|---|
| Below 1.75 | Very good – A |
| 1.75 to below 2.50 | Good – B |
| 2.50 to below 3.25 | Moderate – C |
| 3.25 or above | Poor – D |
A score of 1 therefore represents the highest control quality, while a score of 4 represents the lowest.
The control indicators and categories are again weighted from 1 to 5. Categories receiving a higher score, and therefore indicating poorer control quality, receive greater weight in the overall calculation.
Step 3: Calculation of residual risk
The residual risk profile reflects the risk remaining after the quality of the entity’s AML/CFT controls has been taken into account.
The draft RTS apply two rules:
- Where the controls quality score is greater than or equal to the inherent risk score, the residual risk score is equal to the inherent risk score.
- Where the controls quality score is lower than the inherent risk score, the residual score is calculated as a weighted average of the two scores, with greater weight given to inherent risk.
The formula is therefore asymmetric. Strong controls may reduce the resulting residual risk score, but a controls score at or above the inherent risk score does not increase the residual score beyond the inherent risk score.
Residual risk is classified using the same thresholds as inherent risk:
- low;
- medium;
- substantial; or
- high.
This final classification is likely to become the primary reference point for determining supervisory intensity.
Simplified regime for small obliged entities
AMLA proposes a separate regime for small obliged entities.
An entity qualifies only where it meets both conditions:
- fewer than five full-time equivalent employees; and
- annual turnover or corresponding income below EUR 600,000.
Small obliged entities will generally provide a reduced set of inherent risk data points. Depending on the sector, the reduced dataset typically concentrates on the indicators considered most important for identifying potentially higher-risk entities.
Small entities will not normally be required to report the Annex II data points concerning the quality of their AML/CFT controls. Where the supervisor has no other relevant control information, the controls quality score will be set equal to the inherent risk score.
However, the simplified regime is not unconditional.
A supervisor may:
- adjust the controls score where it already holds relevant information;
- require additional information following supervisory engagement; or
- apply the full dataset to all entities in a sector assessed as presenting medium-high or high ML/TF risk.
The simplified regime is therefore intended to reduce routine reporting burdens rather than exempt small entities from substantive AML/CFT supervision.
Supervisory adjustments remain possible
The calculated score will not automatically determine the final classification in every case.
Supervisors may adjust the inherent risk score where national circumstances or other supervisory information show that the mathematical result does not accurately reflect the entity’s actual exposure.
An adjustment of inherent risk may move the entity’s classification up or down by no more than one level. The adjustment must be justified and documented.
The controls quality score may also be adjusted on the basis of:
- full-scope or targeted on-site inspections;
- thematic off-site reviews;
- other supervisory analyses; or
- assessments performed by external auditors.
This discretion is designed to prevent the model from producing outcomes that conflict with credible supervisory evidence.
Frequency of the risk assessment
The first assessments are to be based on at least one complete reporting year.
Under the draft RTS:
- the first assessments for most non-financial obliged entities must be completed by 31 December 2029;
- the first assessments for professional football clubs and football agents must be completed by 31 December 2030;
- subsequent assessments are generally annual;
- entities already classified as low residual risk may be reassessed at least once every three years; and
- major events or developments must be reflected in the risk profile within six months after the supervisor becomes aware of them.
Major developments may include:
- significant changes to the business model;
- material changes in size, structure or activities; and
- serious weaknesses in AML/CFT procedures, systems or controls.
The draft delegated regulation is expected to apply from 31 December 2028, with the later date of 31 December 2029 applying to professional football clubs and football agents.
What the AMLA Draft RTS mean for obliged entities
The draft RTS are not simply an internal calculation tool for supervisory authorities. They effectively establish a future EU-wide AML/CFT supervisory data model for the non-financial sector.
Obliged entities should expect increased focus on:
- data completeness;
- consistent customer categorisation;
- beneficial ownership information;
- transaction volumes and values;
- geographical segmentation;
- PEP and high-risk third-country exposure;
- evidence of completed customer reviews;
- enhanced due diligence;
- monitoring arrangements;
- training completion;
- audit findings and remediation; and
- documented AML/CFT governance.
The most significant implementation challenge may not be the scoring methodology itself. It will be the ability to produce reliable, reproducible and reconcilable data for every relevant indicator.
How obliged entities should prepare
Businesses and professionals in scope should begin preparing before the formal application date.
1. Identify the applicable sector-specific dataset
Entities performing more than one regulated activity may need to consider more than one set of Annex I data points.
2. Perform a data availability assessment
Each data point should be mapped to:
- its source system;
- the responsible data owner;
- the calculation method;
- the reporting period; and
- the relevant quality controls.
3. Review customer risk classifications
Customer records should support consistent aggregation by:
- risk level;
- legal form;
- beneficial ownership;
- PEP status;
- country of residence or incorporation; and
- enhanced due diligence status.
4. Prepare transaction-level reporting capabilities
Entities should determine whether they can calculate sector-specific values such as:
- annual transaction volumes;
- cash and crypto-asset activity;
- largest transactions;
- transactions involving high-risk jurisdictions; and
- repeated or unusual transaction patterns.
5. Strengthen evidence of control effectiveness
Written policies alone will not be sufficient. Businesses should be able to evidence:
- completed training;
- updated risk assessments;
- customer reviews performed on time;
- resolved audit findings;
- effective outsourcing oversight; and
- functioning ongoing or transaction monitoring.
6. Establish an auditable reporting process
The data submitted to supervisors should be traceable to source records and subject to documented validation, approval and retention procedures.
AMLA consultation and next steps
The consultation runs for eleven weeks. AMLA is also conducting sector-specific surveys to test the clarity, availability and operational feasibility of the proposed data points.
In 2027, AMLA intends to collect information from a sample of obliged entities to calibrate the risk assessment model. The final RTS may therefore differ from the current draft, particularly in relation to individual data points, proportionality measures and transitional arrangements for small entities.
Key Takeaways
The AMLA Draft RTS under Article 40(2) AMLD mark a fundamental shift in the supervision of the EU non-financial sector.
For the first time, supervisors throughout the Union would apply a common methodology to assess:
- the inherent ML/TF exposure of each obliged entity;
- the quality of its AML/CFT controls; and
- the resulting residual risk profile.
The methodology combines EU-wide scoring rules with sector-specific data requirements and a simplified regime for small entities. Once implemented, the resulting classification will enable supervisors to compare obliged entities more consistently and direct supervisory attention towards the areas of greatest risk.
For obliged entities, the decisive issue will be data readiness. Businesses that cannot reliably produce the required customer, transaction, geographical and control information may face difficulties demonstrating the adequacy and effectiveness of their AML/CFT framework—even where formal policies already exist.