New Inherent Risk Data Points under Art. 12 (7) AMLAR and Art. 40 (2) AMLD

New Inherent Risk Data Points under Art. 12 (7) AMLAR and Art. 40 (2) AMLD

Sectors, Risk Categories, and the 151 Data Points

EU AML supervision is undergoing a fundamental shift. Supervision is moving away from narrative, policy-based assessments towards a quantitative, data-driven risk model.

At the centre of this change is a fixed catalogue of 151 substantive AML/CFT data points that obliged entities must collect and submit to their National Competent Authority (NCA), such as BaFin (Germany), FMA (Austria) or CSSF (Luxembourg). These data points form the exclusive factual basis for supervisory risk scoring.

Sectors

The RTS apply to all obliged entities under Article 3 AMLR, structured into a harmonised supervisory sector taxonomy:

  • CI – Credit Institutions
  • CP – Credit Providers
  • LI – Life Insurance Undertakings
  • EMI – Electronic Money Institutions
  • PI – Payment Institutions
  • BC – Bureau de Change
  • IF – Investment Firms
  • AMC – Asset Management Companies
  • CASP – Crypto-Asset Service Providers
  • O – Other obliged entities (e.g. TCSPs, lawyers, real estate professionals, gambling providers, crowdfunding platforms)

This sector classification is not descriptive. It determines:

  • which data points are applicable,
  • which inherent risks are presumed,
  • and how institutions are benchmarked across the EU.

Obliged entities must report all data points applicable to the sectors, products, and services they actually provide, irrespective of how they describe their business model internally.

Risk Categories

Supervisors organise inherent AML/CFT risk along five mandatory risk categories. Each of the 151 data points is assigned to exactly one of these categories.

Customers

This category captures who the institution does business with.

Inherent risk data points include:

  • total number of customers,
  • number of natural persons and legal entities,
  • PEP exposure (customers and UBOs),
  • customers with complex ownership structures,
  • customers with high-risk activities,
  • new customers onboarded during the previous year.

These metrics allow supervisors to assess scale, complexity, and integrity risk within the customer base.

Products

The products category reflects what financial instruments or value-storage mechanisms are offered.

It is subdivided into granular product-specific sub-categories, including:

  • Payment accounts
  • Virtual IBANs
  • Prepaid cards
  • Lending (consumer, real estate, asset-backed)
  • Factoring
  • Life insurance contracts
  • Currency exchange involving cash
  • E-money
  • Money remittance
  • Wealth management
  • Correspondent services
  • Trade finance
  • Custody of crypto-assets
  • Crypto cash cards
  • Exchange crypto ↔ funds
  • Exchange crypto ↔ crypto
  • Transfer of crypto-assets
  • Investment services (reception and transmission of orders, custody account keeping, portfolio management)
  • Management of UCITS
  • Management of AIFs
  • Safe custody services
  • Crowdfunding
  • Cash transactions

For each applicable product or service, the RTS require quantitative indicators, typically:

  • number of transactions,
  • total value (EUR),
  • number of customers using the product,
  • specific risk amplifiers (e.g. unhosted wallets, third-party payments).

If a product or service is not offered, the corresponding data points must be reported as not applicable, not omitted.

Services

Services describe how products are used in practice.

Inherent risk data points include:

  • incoming and outgoing transactions,
  • transaction frequency and value,
  • transactions above defined thresholds,
  • cash activity,
  • trade finance operations,
  • crypto-asset transaction flows.

Services form the core quantitative risk engine of the RTS framework. Transactional activity, velocity, and cross-border use are central drivers of supervisory risk scoring.

Geographies

Geography acts as a horizontal risk multiplier.

Inherent risk data points include:

  • customers by country,
  • transactions by country (incoming and outgoing),
  • exposure to non-EEA jurisdictions,
  • branches, subsidiaries, agents, and distributors by country,
  • correspondent relationships by respondent country.

Supervisors automatically overlay this data with EU high-risk third-country lists and geopolitical risk indicators. Institutions report facts; supervisors determine the risk.

Distribution Channels

This category captures how customers and transactions enter the institution.

Inherent risk data points include:

  • remote onboarding,
  • third-party onboarding,
  • reliance on agents, distributors, or brokers,
  • white-labelling arrangements,
  • walk-in and occasional transaction channels.

Distribution channels are critical because they measure loss of direct control, which directly affects residual risk.

151 Data Points

Across all risk categories and sub-categories, the RTS define 151 substantive AML/CFT data points. Together with the LEI, they form a complete supervisory submission package.

Key characteristics:

  • All 151 data points are quantitative or objectively countable.
  • Narrative explanations are not part of the dataset.
  • Data must be consistent, reproducible, and system-derived.
  • Missing or inconsistent data is treated as a control weakness.

The dataset is modular:

  • A payment institution will not report insurance-specific data.
  • A CASP will report extensive crypto-specific metrics.
  • An asset manager will focus on fund structures, AUM, and investor profiles.

Nevertheless, the catalogue itself is fixed. Applicability depends solely on the services and products actually provided.

Use by National Competent Authorities

NCAs such as BaFin, FMA, and CSSF use the reported data to:

  1. Calculate inherent AML/CFT risk independently of the institution.
  2. Assess control effectiveness against measurable outcomes.
  3. Assign a binding supervisory risk score.
  4. Benchmark institutions across sectors and Member States.

From 2028 onwards, this data-driven approach will replace qualitative supervisory dialogue as the primary assessment mechanism.

The future of AML/CFT

The RTS data reporting regime marks a decisive change in EU AML supervision. Obliged entities are no longer assessed on how convincingly they describe their risks, but on what their data objectively demonstrates.

The combination of:

  • sector-based applicability,
  • harmonised risk categories,
  • granular product and service sub-categories,
  • and 151 mandatory inherent risk data points, supplemented by the LEI,

creates a single, enforceable supervisory language across the EU.

For obliged entities, the central challenge is no longer drafting better policies. It is ensuring that core banking systems, KYC platforms, transaction engines, and data governance frameworks can reliably produce the required data—completely, consistently, and on demand.

Download

Inherent Risk Data Points under Art. 12 (7) AMLAR and Art. 40 (2) AMLDHerunterladen

Sources:

https://eur-lex.europa.eu/eli/dir/2024/1640/oj/eng

https://eur-lex.europa.eu/eli/reg/2024/1620/oj/eng

1.1_20251216_FINAL REPORT RTS 40(2) AMLD financial only_FinalHerunterladen
2.1_20251216_Final report – RTS under art. 12(7) AMLARHerunterladen

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert