Article 10 AMLR – Business-wide risk assessment
1. Obliged entities shall take appropriate measures, proportionate to the nature of their business, including its risks and complexity, and their size, to identify and assess the risks of money laundering and terrorist financing to which they are exposed, as well as the risks of non-implementation and evasion of targeted financial sanctions, taking into account at least:
| (a) | the risk variables set out in Annex I and the risk factors set out in Annexes II and III; |
| (b) | the findings of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640; |
| (c) | the findings of the national risk assessments carried out by the Member States pursuant to Article 8 of Directive (EU) 2024/1640, as well as of any relevant sector-specific risk assessment carried out by the Member States; |
| (d) | relevant information published by international standard setters in the AML/CFT area or, at the level of the Union, relevant publications by the Commission or by AMLA; |
| (e) | information on money laundering and terrorist financing risks provided by competent authorities; |
| (f) | information on the customer base. |
Prior to the launch of new products, services or business practices, including the use of new delivery channels and new or developing technologies, in conjunction with new or pre-existing products and services or before starting to provide an existing service or product to a new customer segment or in a new geographical area, obliged entities shall identify and assess, in particular, the related money laundering and terrorist financing risks and take appropriate measures to manage and mitigate those risks.
2. The business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1 shall be documented, kept up-to-date and regularly reviewed, including where any internal or external events significantly affect the money laundering and terrorist financing risks associated with the activities, products, transactions, delivery channels, customers or geographical zones of activities of the obliged entity. It shall be made available to supervisors upon request.
The business-wide risk assessment shall be drawn up by the compliance officer and approved by the management body in its management function and, where such body exists, communicated to the management body in its supervisory function.
3. With the exception of credit institutions, financial institutions, crowdfunding service providers and crowdfunding intermediaries, supervisors may decide that individual documented business-wide risk assessments are not required where the specific risks inherent in the sector are clear and understood.
4. By 10 July 2026, AMLA shall issue guidelines on the minimum requirements for the content of the business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1, and on the additional sources of information to be taken into account when carrying out the business-wide risk assessment.