
New Residual Risk Score under Art. 12 (7) AMLAR and Art. 40 (2) AMLD
The new EU AML framework fundamentally reshapes how money laundering and terrorist financing risks are assessed, classified, and supervised.
At the centre of this change lies a single, harmonised residual risk score, applied consistently under:
- Article 40(2) of Directive (EU) 2024/1640 (AMLD) for risk-based supervision, and
- Article 12(7) of Regulation (EU) 2024/1620 (AMLAR) for the selection of institutions for direct AMLA supervision.
This article explains the new residual risk score end-to-end, strictly following the Draft Regulatory Technical Standards (RTS).
Definition of inherent risk and residual risk under the Draft RTS (Art. 40(2) AMLD)
The Draft RTS on the assessment of the inherent and residual risk profile of obliged entities begins with two core definitions in Article 1.
Inherent risk
Inherent risk means the risk of money laundering and terrorist financing to which an obliged entity is exposed:
- because of the products and services it offers,
- the type of transactions it executes,
- the customers it serves,
- the jurisdictions in which it operates, and
- the distribution channels it uses,
before any mitigating measures have been applied.
Inherent risk therefore reflects the pure exposure profile of the business model, independent of controls.
Residual risk
Residual risk means the risk of money laundering and terrorist financing to which an obliged entity remains exposed after it has put in place:
- policies,
- procedures,
- systems, and
- controls
to mitigate inherent risk.
Residual risk is therefore derived, not autonomous. By definition, it can never exceed inherent risk.
Assessment and classification of the residual risk profile under Art. 40(2) AMLD RTS
Sequential assessment logic
Under Article 4 of the Draft RTS, supervisors must apply a strict sequential methodology:
- Determine:
  - the inherent risk score (Article 2), and
  - the controls quality score (Article 3),
  both on a 1.00–4.00 scale.
- Calculate the residual risk score using mandatory rules.
Residual risk calculation rules
The Draft RTS establishes only two mathematically binding rules:
- If the controls quality score is greater than the inherent risk score
  → the residual risk score equals the inherent risk score.
- If the controls quality score is lower than or equal to the inherent risk score
  → the residual risk score equals the arithmetic average of:
  - inherent risk score, and
  - controls quality score.
No weighting, no discretion, and no narrative overrides are permitted.
Residual risk classification
Once the numeric residual risk score is determined, it is classified mechanically:
- Score < 1.75 → Low risk (1)
- 1.75 ≤ Score < 2.5 → Medium risk (2)
- 2.5 ≤ Score < 3.25 → Substantial risk (3)
- Score ≥ 3.25 → High risk (4)
This classification step is automatic and non-discretionary.
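The two calculation rules and the four classification bands can be checked against a firm's own figures with a short script. The following is an added example, not text from the Draft RTS or code from this article; the function names are illustrative, and it assumes scores are compared as exact decimals with no rounding before classification, so that boundary values such as 1.75 land in the band the thresholds above assign them.

```python
from decimal import Decimal

# Scale and band thresholds as listed in the article.
SCALE_MIN, SCALE_MAX = Decimal("1.00"), Decimal("4.00")
BANDS = [  # (exclusive upper bound, class number, label)
    (Decimal("1.75"), 1, "Low"),
    (Decimal("2.5"), 2, "Medium"),
    (Decimal("3.25"), 3, "Substantial"),
]


def _score(value):
    """Parse a score as an exact decimal and enforce the 1.00-4.00 scale."""
    d = Decimal(str(value))
    if not d.is_finite() or not (SCALE_MIN <= d <= SCALE_MAX):
        raise ValueError(f"score {value!r} is outside the 1.00-4.00 scale")
    return d


def residual_score(inherent, controls):
    """Apply the two binding rules to an inherent and a controls quality score."""
    inherent, controls = _score(inherent), _score(controls)
    if controls > inherent:
        # Rule 1: the residual score equals the inherent score.
        return inherent
    # Rule 2: unweighted arithmetic average of the two scores.
    return (inherent + controls) / 2


def classify(score):
    """Map a residual score to (class number, label) using the four bands."""
    for upper, level, label in BANDS:
        if score < upper:
            return level, label
    return 4, "High"  # score >= 3.25


def assess(inherent, controls):
    """Return (residual score, class number, label) for one obliged entity."""
    score = residual_score(inherent, controls)
    return (score, *classify(score))


if __name__ == "__main__":
    # Constructed sample inputs: (inherent, controls)
    for pair in [("3.00", "4.00"), ("2.50", "1.00"), ("4.00", "2.50")]:
        print(pair, "->", assess(*pair))
```

Binary floating point can place an averaged score a hair below or above a threshold, which is why the inputs are parsed as `Decimal` from their string form.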
Timelines and updates for inherent and residual risk assessments
The Draft RTS introduces binding supervisory timelines in Article 5.
Initial assessment
Supervisors must complete the first assessment and classification of inherent and residual risk no later than nine months after the RTS becomes applicable.
Regular reassessment
Subsequent assessments must be carried out by 30 September of each assessment year.
This creates a fixed, EU-wide supervisory calendar.
Proportionality: three-year cycle
By derogation, assessments must be performed at least once every three years where, for example:
- the obliged entity has five or fewer FTEs,
- only narrowly defined low-risk activities are performed, or
- the last residual risk classification was low risk.
Ad-hoc reassessments
Where major events or developments occur, supervisors must perform an ad-hoc review within four months of becoming aware of the event.
Major events include, in particular:
- significant business model changes,
- material AML/CFT control weaknesses, or
- changes in supervisory significance.
Residual risk assessment for AMLA selection under Art. 12(7) AMLAR
The same residual risk logic is reused under the Draft RTS adopted pursuant to Article 12(7) AMLAR, which governs the selection of institutions for direct AMLA supervision.
Identical methodology
Article 4 of the AMLAR Draft RTS mirrors the AMLD RTS word for word:
- identical inherent risk score,
- identical controls quality score,
- identical residual risk calculation rules,
- identical classification thresholds.
There is one single EU residual risk engine, applied both for:
- national supervisory risk-based supervision, and
- AMLA’s selection for direct supervision.
Supervisory consequence
Institutions are not selected for AMLA supervision based on qualitative judgement, but on mechanically determined residual risk scores, combined with cross-border activity thresholds defined elsewhere in the RTS.
If the score crosses the RTS benchmarks, escalation follows automatically.
One Residual Risk Score to rule them all, One Residual Risk Score to find them, One Residual Risk Score to bring them all and in the Supervision bind them
The new residual risk score under Art. 40(2) AMLD and Art. 12(7) AMLAR represents a decisive shift:
- from narrative to data-driven supervision,
- from national discretion to EU-wide harmonisation,
- from qualitative assessments to algorithmic classification.