
Contents
- New Individual Analysis under Article 20(2) AMLR
- Why the Risk-Based Approach Has Fundamentally Changed
- The mandate of Article 20(2) AMLR
- Strict sequence
- Knock-out Criteria
- Statutory high-risk classifications fixed by law
- The Portable Customer-invariant Layer
- The Internal Layer
- Product, service and transaction risk variables
- Delivery channel risk variables
- Product-specific modifiers
- The new logic in one sentence
- Download
New Individual Analysis under Article 20(2) AMLR
Why the Risk-Based Approach Has Fundamentally Changed
With the adoption of Regulation (EU) 2024/1624 (AMLR), the EU has fundamentally re-engineered the concept of individual customer risk analysis.
While the wording of Article 20(2) AMLR still refers to an “individual analysis of the risks of money laundering and terrorist financing”, its legal function, scope, and hierarchy have changed decisively compared to the former AMLD framework.
The mandate of Article 20(2) AMLR
Article 20(2) AMLR requires obliged entities to determine the extent of customer due diligence measures based on:
- an individual analysis of ML/TF risks,
- having regard to:
  - the specific characteristics of the client, and
  - the specific characteristics of the business relationship or occasional transaction,
- taking into account:
  - the business-wide risk assessment (Article 10 AMLR),
  - the risk variables listed in Annex I AMLR, and
  - the risk factors listed in Annexes II and III AMLR.
Crucially, Article 20(2) AMLR no longer operates in isolation. Its application is subordinate to other AMLR provisions that either prohibit a relationship outright or predetermine the risk level by law.
Strict sequence
A correct AMLR implementation must follow a strict sequence:
1. Legal admissibility of the relationship
2. Statutory risk classification by the EU
3. Individual risk analysis
This hierarchy is not optional. It follows directly from the structure of the Regulation.
Knock-out Criteria
UN financial sanctions
Where a customer, a controlling person, or a majority owner is subject to UN financial sanctions, Article 27 AMLR applies.
Prohibition of correspondent relationships with shell institutions
Article 39 AMLR establishes an absolute prohibition on correspondent relationships with shell institutions.
Statutory high-risk classifications fixed by law
Even where a relationship is legally admissible, AMLR removes discretion in a wide range of cases.
Mandatory enhanced due diligence
Article 34(1) AMLR explicitly provides that enhanced due diligence is mandatory in the cases referred to in:
- Articles 29–31 AMLR (High-Risk Third Countries), and
- Articles 36–46 AMLR (Correspondent relationships, self-hosted addresses, residence-by-investment, PEPs, etc.).
Where one of these applies, the risk is “High” by default. No balancing against Annex II lower-risk factors is permitted.
This includes, in particular:
- links to High-Risk Third Countries (Arts. 29-31 AMLR),
- cross-border correspondent relationships (Arts. 36-38 AMLR),
- transactions involving self-hosted crypto-asset addresses (Art. 40 AMLR),
- applicants for residence-by-investment schemes (Art. 41 AMLR),
- Politically Exposed Persons, their family members and close associates (Arts. 42-46 AMLR).
In all these cases, the legislator has already decided the risk outcome.
The Portable Customer-invariant Layer
A key structural insight of the AMLR is that a large part of customer risk is portable.
Identity, structure and jurisdiction
Based on Article 22(1) AMLR and Article 2(1)(33) AMLR, the following elements attach to the customer itself, not to the obliged entity:
- identity and legal form,
- country of birth or creation,
- registered office or residence,
- ownership and beneficial ownership structure,
- jurisdictional anchoring of the customer and its beneficial owners (BOs).
If the same customer starts three business relationships on the same day with three obliged entities, these elements are identical in all three cases.
They may change over time, but not across obliged entities.
External legal statuses
External legal statuses – such as sanctions, PEP status, or High-Risk Third Country (HRTC) links – are universal classifications.
They are:
- time-dependent,
- but obliged entity-independent.
Obliged entities do not “assess” these statuses. They recognise and apply them.
The Internal Layer
Only after:
- knock-out criteria are excluded, and
- statutory high-risk classifications are applied,
does Article 20(2) AMLR open a residual analytical space.
This space concerns risk created by the obliged entity’s own business model.
Product, service and transaction risk variables
Annex I(b) AMLR lists product- and transaction-related risk variables that are inherently entity-specific.
Purpose of the account or relationship
The economic rationale of the relationship depends on:
- the product offered,
- contractual design,
- permitted use cases.
Different obliged entities may legitimately assign different purposes to relationships with the same customer.
Regularity or duration of the relationship
Risk differs materially between:
- one-off transactions,
- short-term accounts,
- long-term contractual relationships.
This is determined by the business model, not the customer.
Level of assets or size of transactions
Risk exposure depends on:
- account limits,
- transaction thresholds,
- aggregation rules.
These limits are internal design choices.
Transparency or opaqueness
Some products provide:
- full traceability,
- clear audit trails,
- granular transaction data.
Others are structurally more opaque.
This is a product architecture issue, not a customer trait.
Complexity of products or transactions
Layered structures, structuring options, or multi-step flows increase ML/TF risk. Such complexity arises from how services are engineered.
Value or size of products or transactions
High-value products amplify potential harm and supervisory concern. Again, this depends on what the obliged entity offers.
Delivery channel risk variables
Annex I(c) AMLR addresses how the relationship is established and maintained.
Non-face-to-face relationships
Digital onboarding, remote identification, and fully online servicing affect:
- impersonation risk,
- fraud exposure,
- identity assurance.
Different obliged entities may use fundamentally different onboarding channels.
Introducers and intermediaries
Risk depends on:
- whether third parties are involved,
- the degree of reliance on them,
- the transparency of their relationship to the customer.
This is a distribution-model risk, not a customer risk.
Product-specific modifiers
This is the core refinement layer of Article 20(2) AMLR.
Lower-risk product and channel factors
Annex II(2) AMLR identifies design-based risk mitigants, such as:
- low-premium life insurance products,
- pension products without early surrender or collateralisation,
- employee retirement schemes with payroll deductions,
- financial-inclusion products with narrowly defined functionality,
- electronic money with strict purse limits and transparent ownership.
These factors reduce risk because of structural constraints, not because the customer is “low risk”.
They may therefore differ across obliged entities for the same customer.
Higher-risk product and channel factors
Annex III(2) AMLR identifies risk-amplifying business features, including:
- private banking services,
- products or transactions favouring anonymity,
- payments from unknown or unassociated third parties,
- new products, new business practices, and new technologies,
- transactions linked to high-risk goods and sectors (oil, arms, precious metals, art, cultural artefacts, etc.).
These factors arise solely from strategic and operational choices of the obliged entity.
They expand ML/TF risk even where the customer itself presents no additional inherent risk.
The new logic in one sentence
Under AMLR, customer risk is largely pre-classified, while Article 20(2) AMLR governs only the additional risk created by the obliged entity’s own business model.
Download
| Portable (customer-invariant) layer | Internal (business-model-dependent) layer |
|---|---|
| Customer type (natural person, legal entity, legal arrangement, other organisation with legal capacity) acc. to Art. 22(1) AMLR | Product / service type (account, loan, insurance, e-money, crypto service, investment service, correspondent account) acc. to Annex I(b) AMLR |
| Identity data (name, legal form, date/place of birth or country of creation, registered office / residence) acc. to Art. 22(1), Art. 2(1)(33) AMLR | Purpose of the account or relationship (intended use, economic rationale) acc. to Annex I(b)(i) AMLR |
| Constitutional basis (instrument of constitution, statutes, trust deed, governing powers) acc. to Art. 2(1)(33) AMLR | Regularity and duration of the relationship (one-off vs ongoing, short- vs long-term) acc. to Annex I(b)(ii) AMLR |
| Ownership and control structure (shareholders, members, control chains) acc. to Art. 2(1)(33), Annex I(a) AMLR | Expected asset levels / transaction size (limits, thresholds, volume expectations) acc. to Annex I(b)(iii), (vi) AMLR |
| Beneficial owners (identity, control, majority ownership) acc. to Art. 22(1), Annex I(a) AMLR | Transparency or opaqueness of the product or transaction (traceability, audit trail) acc. to Annex I(b)(iv) AMLR |
| Jurisdictional anchoring (country of birth/creation, residence, registered office, place of administration, main place of business) acc. to Annex I(a)(iv)-(vi) AMLR | Complexity of product or transaction structure (layering, structuring options) acc. to Annex I(b)(v) AMLR |
| UN financial sanctions (incl. control or >50 % ownership by sanctioned persons) acc. to Art. 27 AMLR → Knock-out | Delivery channel (face-to-face vs non-face-to-face onboarding, digital vs physical) acc. to Annex I(c)(i) AMLR |
| Prohibition of correspondent relationships with shell institutions acc. to Art. 39 AMLR → Knock-out | Use of introducers or intermediaries (agents, distributors, referrers) acc. to Annex I(c)(ii) AMLR |
| High-Risk Third Countries (HRTC) acc. to Arts. 29-31 AMLR → Higher risk by default | Lower-risk product design factors (low-premium insurance, non-redeemable pensions, financial-inclusion products, e-money with purse limits) acc. to Annex II(2) AMLR |
| Politically Exposed Person (PEP), family member, close associate acc. to Arts. 42-46 AMLR → Higher risk by default | Higher-risk product or channel factors (private banking, anonymity-favouring products, new technologies, payments from unknown third parties) acc. to Annex III(2) AMLR |
| Residence-by-investment applicant acc. to Art. 41 AMLR → Higher risk by default | Sector exposure via product offering (oil, arms, precious metals, art, cultural artefacts, protected species, etc.) acc. to Annex III(2)(e) AMLR |
| Self-hosted address involvement acc. to Art. 40 AMLR → Higher risk by default | Technology and operational setup (new delivery mechanisms, innovative products, platform architecture) acc. to Annex III(2)(d) AMLR |
| Cross-border correspondent relationship (as a legal category) acc. to Arts. 36-38, 34(1) AMLR → Higher risk by default | Risk mitigants embedded in the business model (limits, controls, transparency features specific to the institution) acc. to Annex II(2) AMLR |