Contents
RTS Inherent Risk Readiness
RTS Inherent Risk Data Points, Supervisory-Proof and Audit-Ready
Under the new EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) and the accompanying Regulatory Technical Standards (RTS), inherent AML/CFT risk is no longer defined by internal assessments or qualitative explanations.
Supervisors now calculate inherent risk themselves – based exclusively on standardised data points provided by the obliged entity.
From 2028 onwards, institutions must be able to collect, structure and submit 151 inherent-risk data points to their National Competent Authority, such as BaFin (Germany), FMA (Austria), CSSF (Luxembourg), etc.
Failure to do so leads directly to:
- elevated supervisory risk scores,
- increased inspection intensity,
- remediation measures,
- and personal exposure for management and MLROs.
The Problem with Traditional Inherent Risk Assessments
Most obliged entities still rely on:
- Risk Assessments (RAs),
- qualitative scoring models,
- internally defined risk factors.
These approaches no longer determine supervisory outcomes.
Under the RTS:
- risk is data-driven, not narrative-driven,
- risk is calculated by supervisors, not justified by institutions,
- only objective, reproducible data counts.
The key challenge is therefore not understanding AMLR —
it is operationalising inherent risk data at RTS level.
Our Inherent Risk Readiness Service
RTS Inherent Risk Data Readiness & Supervisory Alignment
Our consulting service ensures that obliged entities can produce, explain and defend all 151 RTS inherent-risk data points, aligned with their actual business model, products and services.
What the service delivers
- Full mapping of the institution to the RTS sector taxonomy (CI, PI, EMI, CASP, IF, AMC, etc.)
- Identification of applicable inherent-risk data points
- System-level mapping of data sources (core banking, KYC, transaction systems)
- Gap analysis against RTS expectations
- Supervisory-style inherent-risk profile preview
- Board-ready remediation and steering recommendations
The result
- No surprises in supervisory risk scoring
- Predictable inherent-risk positioning
- Reduced supervisory escalation risk
- Defensible management decisions
The Inherent Risk Product: RTS Inherent Risk Control Layer
What the product is
A lightweight governance and control platform that allows institutions to manage and evidence the 151 RTS inherent-risk data points on a continuous basis.
It is not a transaction monitoring system and not a KYC tool.
It is a supervisory control layer.
Key features
- Pre-configured catalogue of all RTS inherent-risk data points
- Structuring by:
- customers,
- products,
- services,
- geographies,
- distribution channels
- Clear applicability logic (what must be reported, what is not applicable)
- Data ownership and evidence tracking
- Supervisory-ready exports for BaFin, FMA, CSSF
- Historical traceability and audit readiness
Why institutions choose this product
- RTS inherent-risk reporting is recurring, not one-off
- Supervisory scrutiny will increase, not decrease
- Risk inputs must be stable, reproducible and explainable
Who This Is For
This service and product are designed for:
- Credit Institutions (CI)
- Payment Institutions (PI)
- Electronic Money Institutions (EMI)
- Investment Firms (IF)
- Asset Management Companies (AMC)
- Crypto-Asset Service Providers (CASP)
- Other obliged entities under Article 3 AMLR
Typical users:
- AML Compliance Officers / MLROs
- Heads of Financial Crime
- CROs and COOs
- Responsible members of management
- Internal Audit and Regulatory Affairs
Why This Creates a Real Advantage
Obliged entities using this service and product:
- understand their inherent risk exactly as supervisors do,
- can steer business growth before risk escalates,
- reduce findings, remediation costs and inspection stress,
- protect management and MLROs from personal exposure.
Inherent risk becomes manageable, predictable and defensible.
The future of AML/CTF
Inherent risk is no longer a matter of judgement.
It is a data obligation.
Obliged entities that can control their inherent-risk data:
- control their supervisory risk score,
- control inspection outcomes,
- and control their strategic freedom.
Those that cannot will permanently operate in a reactive, high-risk supervisory mode.