New AML/CFT Controls under Art. 12 (7) AMLAR and Art. 40 (2) AMLD
Sectors, Categories, and the 70 Data Points
EU AML supervision now assesses not only what risks exist, but how effectively those risks are controlled. This second dimension is operationalised through a mandatory set of 70 AML/CFT control data points.
These control data points must be collected by obliged entities and submitted to the relevant National Competent Authority (NCA), such as BaFin (Germany), FMA (Austria) or CSSF (Luxembourg). They allow supervisors to assess control effectiveness in a standardised, comparable, and data-driven manner.
Sectors
The AML/CFT control reporting framework applies to all obliged entities, structured into the following supervisory sectors:
- CI – Credit Institutions
- CP – Credit Providers
- LI – Life Insurance Undertakings
- EMI – Electronic Money Institutions
- PI – Payment Institutions
- BC – Bureau de Change
- IF – Investment Firms
- AMC – Asset Management Companies
- CASP – Crypto-Asset Service Providers
- O – Other obliged entities (e.g. TCSPs, lawyers, real-estate professionals, gambling providers, crowdfunding platforms)
While the 70 control data points are uniform in structure, supervisory expectations regarding depth, maturity, and evidence vary by sector. A CASP or PI, for example, will be assessed differently from a life insurer or asset manager.
Purpose of the AML/CFT Control Data Set
The AML/CFT control data points are designed to answer one supervisory question:
Are the AML/CFT controls of the institution adequate and effective in light of its objectively measured inherent risk?
They are:
- not policy descriptions,
- not narrative self-assessments,
- not best-practice statements.
Instead, they require verifiable, operationally grounded information on how AML/CFT controls are governed, implemented, monitored, and enforced.
Categories
The 70 control data points are organised into seven mandatory control categories, each reflecting a distinct supervisory control objective.
Governance, Culture & Compliance Function
(Role and responsibilities of the management body, AML/CFT risk culture, AML/CFT compliance function and resources, AML/CFT training)
This category assesses tone from the top and organisational accountability.
AML/CFT Controls include:
- management-body responsibility and oversight for AML/CFT,
- establishment and promotion of AML/CFT risk culture,
- independence, authority, and resourcing of the AML/CFT compliance function,
- appointment and continuity of key AML roles,
- AML/CFT training for staff and senior management.
Supervisors use these data points to determine whether AML/CFT is actively governed or merely formally assigned.
Internal Controls & Outsourcing
(Internal controls and reporting systems, outsourcing and reliance on third parties, internal audit function / external expert, record keeping)
This category ensures the structural soundness and auditability of the AML/CFT framework.
AML/CFT Controls include:
- internal AML/CFT control and reporting systems,
- outsourcing arrangements and reliance on third parties,
- oversight of outsourced AML/CFT activities,
- independent testing by internal audit or external experts,
- record-keeping and retention mechanisms.
The supervisory focus is on retained responsibility: outsourcing does not transfer accountability.
Risk Assessment
(Business-Wide Risk Assessment (BWRA) and Customer ML/TF risk assessment and classification (CRA))
This category forms the analytical foundation of AML/CFT.
AML/CFT Controls include:
- existence and methodology of the BWRA,
- coverage of products, services, geographies, and distribution channels,
- periodic and event-driven updates of the BWRA,
- customer-level ML/TF risk assessment and classification,
- alignment between inherent-risk data and internal risk logic.
Supervisors assess whether risk assessments are data-driven, current, and decision-relevant.
Customer Due Diligence & Monitoring
(Customer Due Diligence and ongoing monitoring of business relationships)
This category governs how customer risk is managed over the lifecycle of the relationship.
AML/CFT Controls include:
- customer identification and verification,
- identification and verification of beneficial owners,
- understanding of the purpose and nature of the relationship,
- application of enhanced due diligence (EDD),
- ongoing and periodic review of customer information.
The supervisory emphasis is on dynamic customer risk management, not onboarding-only compliance.
Transaction Monitoring and Suspicious Activity Reporting
This category focuses on detection, assessment, and reporting of suspicious activity.
AML/CFT Controls include:
- transaction monitoring across all relevant products and services,
- detection of unusual or suspicious patterns,
- internal escalation and case handling,
- submission of suspicious transaction reports (STRs),
- documentation of reporting and non-reporting decisions.
Supervisors compare these controls directly with transaction volumes and values reported in the inherent-risk dataset.
Targeted Financial Sanctions and Compliance with the Funds Transfer Regulation
This category covers sanctions compliance and payment transparency obligations.
AML/CFT Controls include:
- sanctions screening of customers, UBOs, and counterparties,
- ongoing and transaction-based screening,
- handling and escalation of sanctions hits,
- compliance with the Funds Transfer Regulation, including required payer and payee information.
Supervisory expectations focus on continuous, automated, and well-governed screening.
Group-wide AML/CFT Framework
(AML/CFT governance structures, group-wide ML/TF risk assessment, group policies and procedures, including sharing of information, group-wide AML/CFT function)
This category applies to groups and cross-border institutions.
AML/CFT Controls include:
- group-wide AML/CFT governance structures,
- group-wide ML/TF risk assessment,
- harmonised group policies and procedures,
- information sharing within the group,
- group-level AML/CFT oversight and coordination.
Supervisors use this category to assess consolidated control effectiveness and consistency.
70 Data Points
Across the seven categories, obliged entities must submit 70 AML/CFT control data points.
Key characteristics:
- They are objective and verifiable.
- They focus on existence, operation, and effectiveness of controls.
- They are assessed in conjunction with the 151 inherent-risk data points.
- Missing or inconsistent control data is treated as a control weakness.
Applicability depends on:
- sector,
- business model,
- group structure,
- and services provided.
Supervisory Use by NCAs
Authorities such as BaFin, FMA, and CSSF use the AML/CFT control data to:
- assess control effectiveness relative to inherent risk,
- prioritise supervisory actions,
- support risk-based supervision and inspections,
- identify systemic weaknesses across sectors.
The future of AML/CFT
The AML/CFT control reporting framework completes the EU’s transition to fully data-driven AML supervision.
Together with inherent-risk reporting, the 70 AML/CFT control data points allow supervisors to assess:
- whether risks are properly governed,
- whether controls work in practice,
- and whether institutions can demonstrate this consistently and on demand.
For obliged entities, the challenge is no longer documenting controls, but ensuring that governance, processes, systems, and evidence are aligned, operational, and inspection-proof.