Blogpost

AMLR Redefines Risk Assessment: Five Challenges in Practical Implementation

Despite the clear direction set by AMLR, the new requirements for AFC risk assessments are causing headaches in everyday practice. Data silos, system discontinuities (Excel), missing audit trails, annual project cycles, and unclear responsibilities are complicating implementation.

Part 2 of our blog series looks at the practical hurdles.

AFC Risk Assessment & AMLR


In the first part of our blog series on AFC risk assessment, we outlined the direction supervisors are taking: they do not want a better document – they want an operational, auditable system. This becomes especially clear in the requirement that enterprise-wide risk evaluations must be documented, kept up to date, reviewed regularly, and made available to supervisors upon request (see Regulation (EU) 2024/1624, Article 10(2)).

This is exactly where many institutions run into challenges: the objective is understood, but implementing it in day-to-day operations creates concerns. The issue is not the regulation itself – it’s the operational translation of the requirements into data structures, operating models, processes, and (in some cases) methodology.

But why is this the case? Why does risk assessment, of all things, face such frequent and severe challenges?

1. Data: The Greatest Lever – and the Greatest Obstacle

An AFC risk assessment is only as good as the data behind it. In practice, however, relevant information is often fragmented: customer data, product and channel information, country-specific aspects, monitoring and screening outputs, case volumes, and typologies are scattered across multiple systems and teams. It is precisely these patterns – fragmented data sources, inconsistent definitions, poor data quality, and the absence of a central risk database – that are among the most common reasons risk assessments remain difficult to operationalize and implement.

The consequence is subtle: evaluations appear plausible at first glance but are not reproducible. It becomes difficult to reliably explain which data, in which version, and with which assumptions were incorporated into the assessment. This conflicts with the regulatory objective: risk assessments should not only be “defensible” but also comparable, traceable, and auditable – built on a consistent data framework.

2. System: Excel Becomes the De Facto System – Without System Capabilities

Many institutions effectively manage risk assessments through files, spreadsheets, and manual consolidation. That works as long as the scope is manageable and changes remain limited. However, as soon as multiple stakeholders work simultaneously on scales, weightings, source data, and text modules, typical system limitations arise: gaps between analysis, evaluation, and reporting; missing version control; missing audit trails; and ultimately limited ability to explain and validate outcomes.

The problem is not “Excel itself,” but the lack of traceability: Without historical tracking and audit logging, it becomes difficult over time to demonstrate what changed, when it changed, and why. Yet it is precisely this capability that becomes central to the vision of a continuous, auditable risk assessment.

In addition, Excel-based environments often lack the controls needed for ongoing operations: parallel collaboration, clear approvals and reviews, role-based access, validation mechanisms, and consistent data governance all need to be managed outside the process itself. That makes solutions more error-prone, less transparent, and more difficult to maintain – while also complicating audit compliance.

3. Process: Risk Management Turns Into an Annual Project (with Significant Manual Effort)

When the data infrastructure and system support are not in place, many institutions fall into the same pattern: risk assessment becomes an annual large-scale project requiring significant coordination and maintenance effort. Updates are no longer made as part of normal operations but instead become special initiatives – for example after launching new products, changing customer segments, entering new geographies, or responding to external events.

As a result, the actual value gets lost: Instead of enabling management decisions, the process often turns into reporting pressure – and risk assessment becomes little more than a periodic snapshot. This contradicts the expectation that risk understanding should be maintained continuously: AMLR explicitly requires documentation, ongoing updates, regular review, and the ability to provide results to supervisors on request. International standards reinforce the same principle: effective risk understanding is dynamic, must continuously incorporate new information, and should operate as an ongoing process – not as an occasional mandatory exercise.

4. Methodology: The Concepts Are Clear – Operationalization Falls Short

Many institutions already have reasonable conceptual assessment frameworks. The challenge often appears in execution: evaluation logic is not consistently operationalized through standardized data points, clear scoring scales, and transparent calculation methods.

This is precisely why European regulators are pushing for greater harmonization: As part of Article 40(2) AMLD6, AMLA has proposed draft Regulatory Technical Standards (RTS) intended to establish a common risk-based methodology for supervisors – including classification of inherent and residual risk profiles and requirements for review frequency. The objective is clear: reduce today’s fragmentation and inconsistent evaluation outcomes while enabling more comparable and efficient supervision.

For institutions, the direction is equally clear: Assessment frameworks need to be structured so that they clearly separate risk drivers (inherent risk = gross risk) from the quality/effectiveness of controls – and derive from this a residual risk (net risk) that can be explained consistently. Where separation, weighting, and aggregation are not embedded into the process, scoring models quickly become a “black box,” reducing explainability, comparability, and auditability – especially when methodologies evolve or new data points are introduced.
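To make that separation concrete, here is an added example in Python; it is not code from the original post, and it does not implement any AMLA or AMLR standard. It scores weighted risk drivers into an inherent (gross) risk, reduces that by control effectiveness into a residual (net) risk, and records every assessment version in an append-only, hash-chained log, so the data, methodology version and assumptions behind each number can be reproduced, compared and checked for after-the-fact edits, which is also the traceability gap described in sections 1 and 2 and the change history called for in section 5. The 1-to-4 driver scale, the 0-to-1 control scale, the multiplicative mitigation formula, the band thresholds, the `METHODOLOGY_VERSION` label and all sample values are assumptions constructed for illustration.

```python
# Added example (not from the original post): inherent/residual risk scoring
# with a hash-chained audit log. Scales, weights, formula, bands and sample
# data are illustrative assumptions, not any regulator's methodology.
from dataclasses import dataclass, asdict
import hashlib
import json

METHODOLOGY_VERSION = "illustrative-v1"  # hypothetical label, pinned so results are reproducible
BANDS = ((1.0, "low"), (2.0, "medium"), (3.0, "high"))  # assumed thresholds on the 0..4 range


@dataclass(frozen=True)
class Driver:
    name: str
    score: int     # assumed scale: 1 (low) .. 4 (high)
    weight: float  # relative weight within the driver set


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # assumed scale: 0.0 (ineffective) .. 1.0 (fully effective)


def inherent_risk(drivers):
    """Gross risk: weighted average of driver scores, still on the 1..4 scale."""
    total = sum(d.weight for d in drivers)
    if total <= 0:
        raise ValueError("driver weights must sum to a positive number")
    return round(sum(d.score * d.weight for d in drivers) / total, 4)


def control_effectiveness(controls):
    """Mean effectiveness of the control set; an empty set mitigates nothing."""
    if not controls:
        return 0.0
    return round(sum(c.effectiveness for c in controls) / len(controls), 4)


def residual_risk(drivers, controls):
    """Net risk = gross risk * (1 - control effectiveness); assumed formula."""
    return round(inherent_risk(drivers) * (1.0 - control_effectiveness(controls)), 4)


def classify(score):
    """Map a score to a band using the assumed thresholds above."""
    return next((band for limit, band in BANDS if score < limit), "very high")


class AssessmentLog:
    """Append-only log: each version stores inputs, results, author and reason,
    plus a SHA-256 chained to the previous entry so later edits are detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, unit, drivers, controls, author, reason, timestamp):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        residual = residual_risk(drivers, controls)
        entry = {
            "version": len(self.entries) + 1, "timestamp": timestamp,
            "author": author, "reason": reason, "previous_hash": prev,
            "inputs": {"unit": unit, "methodology": METHODOLOGY_VERSION,
                       "drivers": [asdict(d) for d in drivers],
                       "controls": [asdict(c) for c in controls]},
            "results": {"inherent": inherent_risk(drivers),
                        "control_effectiveness": control_effectiveness(controls),
                        "residual": residual, "residual_band": classify(residual)},
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and link; False means an entry was altered after the fact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["previous_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def diff(self, v_from, v_to):
        """Which driver scores, control ratings and results changed between two versions."""
        a, b = self.entries[v_from - 1], self.entries[v_to - 1]
        changes = {"drivers": {}, "controls": {}, "results": {}}
        for section, key in (("drivers", "score"), ("controls", "effectiveness")):
            old = {i["name"]: i[key] for i in a["inputs"][section]}
            new = {i["name"]: i[key] for i in b["inputs"][section]}
            for name in sorted(set(old) | set(new)):
                if old.get(name) != new.get(name):
                    changes[section][name] = (old.get(name), new.get(name))
        for k in a["results"]:
            if a["results"][k] != b["results"][k]:
                changes["results"][k] = (a["results"][k], b["results"][k])
        return changes


# Constructed sample data for one business unit; every value is illustrative.
DRIVERS_V1 = (Driver("customers", 3, 0.4), Driver("products", 2, 0.3), Driver("geography", 2, 0.3))
DRIVERS_V2 = (Driver("customers", 3, 0.4), Driver("products", 2, 0.3), Driver("geography", 4, 0.3))
CONTROLS = (Control("screening", 0.7), Control("monitoring", 0.5))


def demo_log():
    """Annual baseline, then a trigger-driven update after entering a new geography."""
    log = AssessmentLog()
    log.record("retail-onboarding", DRIVERS_V1, CONTROLS, "aml-officer", "annual baseline", "2025-01-15T09:00:00Z")
    log.record("retail-onboarding", DRIVERS_V2, CONTROLS, "aml-officer", "new geography entered", "2025-04-02T14:30:00Z")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(json.dumps(log.diff(1, 2), indent=2), "\nchain intact:", log.verify())
```

Running it shows that raising only the geography driver moves the unit's residual band from "low" to "medium" while the control rating is unchanged, and `diff` names exactly that driver and the results it moved, which is the kind of answer to "what changed, when, and why" that a spreadsheet cannot give without version control. The hash chain is deliberately simple: it detects tampering with stored versions but does not replace access control or an independent review step.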

5. Governance & Ownership: Without Clear Responsibilities, It Stays a Project – Not a System

Even a strong methodology will not hold up in day-to-day operations if responsibilities, approvals, and change management are not clearly defined. As mentioned in various sections, the AMLR sets out very specific governance expectations in this regard: Enterprise-wide risk evaluations must be documented, kept up to date, reviewed regularly, and made available to supervisors upon request. In addition, the AML Officer is responsible for preparing the risk evaluations, and the management body must approve them (see Regulation (EU) 2024/1624, Article 10(2)).

International standards emphasize the same principle: risk understanding is not a static snapshot, but an ongoing, dynamic process that must adapt to changing conditions and systematically incorporate new information.

In practice, this means: Without clear roles (who provides data, who evaluates, who reviews, who approves?), without defined triggers for reevaluation, and without a traceable history of changes, a sustainable operating model cannot be established – the result is recurring project work that delivers updates and reporting capability inconsistently rather than reliably.

Figure: Quick Diagnosis AFC Risk Assessment – Common Symptoms and Why They Matter