AMLR Redefines Risk Analysis: Moving Beyond a Checkbox Exercise – Why Regulators Are Rethinking Their Approach
Stricter expectations around preventing money laundering and terrorist financing are putting AFC risk analysis front and center: it is evolving from a mandatory document into an ongoing, auditable system. The AMLA draft on regulatory technical standards (RTS) for assessing inherent and residual risk profiles requires an automated calculation logic rather than relying purely on expert-based assessment.
Kick-off blog series on AMLR/AMLA realignment: Part 1 explains the reasons, rationale and vision behind the realignment.
- The current situation is no longer sustainable: “documentation exercise” instead of management tool
- What Regulators Actually Want: Comparability, Manageability, Effectiveness
- AMLR in Practice: First Assess Risk – Then Justify Measures (and Keep Both Up to Date)
- AMLA Draft Guidelines on the Assessment of Inherent and Residual Risk Profiles
- How supervisors will structure risk analysis in the future (RTS under AMLD6)
- Why this makes sense business-wise (and not just in a regulatory sense)
- Outlook: AMLA, Guidelines, and the Bridge from Existing EBA Standards
Preventing money laundering and terrorist financing is no longer a side topic. BaFin explicitly highlights “risks arising from inadequate prevention of money laundering and terrorist financing” as a key risk for 2026. At the same time, BaFin describes a dynamic, increasingly complex risk landscape, driven by factors like geopolitical tensions, increasing fragmentation in payments, and the growth of crypto-related business.
This fits into a broader EU trend: With the EU AML Package (including the AMLR as a directly applicable regulatory framework and the AMLA as a new EU authority), expectations are shifting noticeably—including risk analysis. This marks a shift away from annual reporting toward continuous, transparent risk management.
This blog series follows a clear thread: Understand the problem → Recognize the reality → Identify the solution. We’ll start with the basics: why supervisors are fundamentally rethinking risk analysis.
The current situation is no longer sustainable: “documentation exercise” instead of management tool
Historically, many risk analyses were point-in-time exercises, done periodically (often once a year) and heavily shaped by national perspectives. That left a lot of room for interpretation and resulted in limited comparability. The issue is straightforward: if risk analysis is treated mainly as a report, it doesn’t provide supervisors or management with reliable, consistent input for decision-making.
This is precisely where the system logic of the AMLR comes into play: It’s not about adding more regulation for its own sake – it’s a response to structural inefficiencies in existing risk analyses.
What Regulators Actually Want: Comparability, Manageability, Effectiveness
The core objectives can be summarized as follows:
- EU-wide comparability (“Single Rulebook”): uniform standards, less case-by-case interpretation.
- More efficient supervision: focus on real risk drivers.
- Effectiveness over paperwork: risk, controls/measures, and results need to be clearly linked.
This leads to a fundamental shift: from “producing a report” to “running a system”, from “point-in-time snapshots” to “continuous updates”, and from “descriptive assessments” to “measurable, transparent assessments”. The bottom line from a supervisory perspective is pretty direct: risk analysis is no longer a document—it’s an ongoing, auditable system.
Online Seminar on Risk Analysis: “AMLR Decoded – What Really Changes for Risk Analysis”
In our session on May 28 at 11:00 a.m., we’ll show how banks can turn regulatory requirements into a practical, software-supported risk analysis setup. The webinar will be held in German!
AMLR in Practice: First Assess Risk – Then Justify Measures (and Keep Both Up to Date)
Before establishing risk-appropriate measures (strategies, procedures, controls), you need a company-wide risk assessment. This sequence is fundamental: it is what later allows each control to be justified against an identified risk.
The AMLR incorporates this principle in a company-wide risk assessment: Article 10 requires obligated entities to identify and assess the risks of money laundering and terrorist financing, as well as the risks of non-implementation or circumvention of targeted financial sanctions. Additionally, the risk assessment must be documented, kept up to date, regularly reviewed, and provided to supervisors upon request.
Interesting (and often underestimated): Article 10 explicitly states that at least
- risk variables (Annex I) and risk factors (Annexes II and III) must be taken into account,
- and that, among other things, findings from EU/national risk analyses as well as relevant publications (including those at the EU level) must be incorporated.
This is a key lever for standardization and comparability: not through “nicer PDFs,” but through consistent risk drivers, data sources, and assessment logic.
AMLA Draft Guidelines on the Assessment of Inherent and Residual Risk Profiles
In its draft guidelines on the assessment and evaluation of risks, the AMLA notes in section 2.2.2 that inherent risk values are expected to be calculated automatically. The previous approach of assessing gross risks through expert estimates is no longer sufficient.
How supervisors will structure risk analysis in the future (RTS under AMLD6)
Comparability won’t just come “through more data,” but through a harmonized assessment framework that supervisors across the EU will apply – starting with the financial sector (phased approach). The draft RTS under Art. 40(2) AMLD6 provide a three-step approach: Inherent risk → Quality of controls → Residual risk.
- Inherent risk (gross risk) is structured according to risk factors, particularly in relation to customers, products/services/transactions, distribution channels, and geographies.
- The quality of AML/CFT controls is assessed separately.
- Residual risk (net risk) is what remains after factoring in control effectiveness – and is intended to support risk-based supervisory planning.
There’s also more clarity on frequency: Risk profiles should be reviewed at least annually. For very small or low-risk entities, a three-year cycle may be sufficient, but this must be complemented by ad hoc assessments in case of major changes (e.g., business model, ownership), new information, or control failures.
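To make the three-step logic concrete, here is an added example of what an automated inherent → controls → residual calculation with a versioned, reproducible record can look like. It is not code from this post, from AMLA or from BaFin: the draft RTS name the three steps and the risk factor categories, but the 1..4 scoring scale, the category weights, the residual formula, the rating bands and the sample scores below are all assumptions chosen for illustration.

```python
"""Illustrative automated inherent -> controls -> residual risk calculation.

Added example; not code from the original post, from AMLA or from BaFin.
The scoring scale, category weights, residual formula and rating bands are
assumptions for illustration only and are not prescribed by the draft RTS.
"""
from datetime import date, timedelta
import hashlib
import json

# Risk factor categories named in the draft RTS; the weights are assumed.
CATEGORY_WEIGHTS = {"customers": 0.35, "products": 0.25, "channels": 0.15, "geographies": 0.25}
SCALE_MIN, SCALE_MAX = 1.0, 4.0  # assumed driver scale: 1 = low ... 4 = high
REVIEW_INTERVAL = timedelta(days=365)  # "at least annually"; the three-year cycle is not modelled


def inherent_risk(factor_scores):
    """Gross risk: mean of the driver scores per category, weighted across categories."""
    if set(factor_scores) != set(CATEGORY_WEIGHTS):
        raise ValueError("every risk factor category needs scores")
    total = 0.0
    for category, weight in CATEGORY_WEIGHTS.items():
        drivers = factor_scores[category]
        if not drivers:
            raise ValueError(f"no drivers scored for {category}")
        for name, score in drivers.items():
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{category}/{name} is outside the assumed 1..4 scale")
        total += weight * (sum(drivers.values()) / len(drivers))
    return total


def control_effectiveness(control_scores):
    """Quality of AML/CFT controls, assessed separately: mean of 0.0 (ineffective) .. 1.0 (fully effective)."""
    if not control_scores:
        raise ValueError("no controls assessed")
    for name, score in control_scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"control {name} outside 0..1")
    return sum(control_scores.values()) / len(control_scores)


def residual_risk(inherent, effectiveness):
    """Net risk (assumed formula): the inherent risk above the floor that the controls do not mitigate."""
    return SCALE_MIN + (inherent - SCALE_MIN) * (1.0 - effectiveness)


def rating(score):
    """Assumed rating bands on the 1..4 scale."""
    if score < 2.0:
        return "low"
    if score < 3.0:
        return "medium"
    return "high"


def build_assessment(factor_scores, control_scores, as_of, version):
    """Versioned record whose input hash lets a reviewer check that a stored result matches the stored inputs."""
    inputs = json.dumps({"factors": factor_scores, "controls": control_scores}, sort_keys=True)
    inherent = inherent_risk(factor_scores)
    effectiveness = control_effectiveness(control_scores)
    residual = residual_risk(inherent, effectiveness)
    as_of_date = date.fromisoformat(as_of)
    return {
        "version": version,
        "as_of": as_of,
        "input_hash": hashlib.sha256(inputs.encode()).hexdigest(),
        "inherent": round(inherent, 4),
        "inherent_rating": rating(inherent),
        "control_effectiveness": round(effectiveness, 4),
        "residual": round(residual, 4),
        "residual_rating": rating(residual),
        "next_review": (as_of_date + REVIEW_INTERVAL).isoformat(),
    }


def review_due(record, today, trigger_events=()):
    """True when the annual cycle has elapsed or an ad hoc trigger (e.g. ownership change, control failure) occurred."""
    overdue = date.fromisoformat(today) >= date.fromisoformat(record["next_review"])
    return overdue or bool(trigger_events)


# Constructed sample scores, not data from any real institution.
SAMPLE_FACTORS = {
    "customers": {"pep_share": 3, "high_risk_industries": 2},
    "products": {"cash_intensive": 4, "correspondent_banking": 2},
    "channels": {"non_face_to_face_onboarding": 3},
    "geographies": {"high_risk_third_countries": 2, "sanctions_exposure": 1},
}
SAMPLE_CONTROLS = {"kyc": 0.8, "transaction_monitoring": 0.6, "sanctions_screening": 0.7}

if __name__ == "__main__":
    record = build_assessment(SAMPLE_FACTORS, SAMPLE_CONTROLS, "2026-01-15", version=1)
    print(json.dumps(record, indent=2))
    print("review due:", review_due(record, "2026-06-01", trigger_events=["ownership change"]))
```

Two design points carry over to a real implementation regardless of the scoring model: the controls are scored separately from the gross risk, so a reviewer can see which of the two moved when the residual changes, and the record stores a hash of its inputs together with a version and a next-review date, which is what turns a yearly report into something that can be audited and re-run.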
Why this makes sense business-wise (and not just in a regulatory sense)
The logic behind this isn’t just regulatory—it’s economic. If risks, controls, and outcomes are clearly linked, supervisors can allocate resources more effectively. And institutions can finally use risk analysis as a real management tool—for prioritization, budgeting, and measuring control effectiveness—instead of treating it as an annual exercise.
At the same time, external pressure is increasing. In its recent opinion on ML/TF risks, the EBA highlights growing risks related to innovation (FinTech), limited use of RegTech capabilities, and increasing pressure from sanctions-related issues. All of this reinforces the need for more dynamic and operational risk analysis.
Outlook: AMLA, Guidelines, and the Bridge from Existing EBA Standards
As of January 1, 2026, responsibility for the EU AML/CFT rulebook has shifted to AMLA. Existing EBA guidelines remain in place for now until they are replaced by AMLA instruments.
At the same time, the AMLA overview of “Regulatory Instruments” shows that various RTS/ITS packages are currently being developed (including those for assessing inherent/residual risk profiles).
Furthermore, additional EU-wide Level 3 specifications (guidelines) on risk assessment and governance elements are scheduled for July 10, 2026. This aligns with the expectation that existing EBA guidelines could serve as the basis for new standards.
Key takeaways
- Regulators don’t want a better document—they want a workable system.
- A risk-based approach starts with a solid, documented, and continuously updated risk analysis (Article 10, including the Annex requirements).
- In 2026, this topic is also “high on the agenda” at the national level—in part due to BaFin’s focus on it.
In the next post, we’ll address the real pain points: Why do many risk analyses fail in practice—despite clear objectives? We’ll cover common issues like fragmented data, Excel-based “systems,” lack of versioning and audit trails, weak process integration, and unclear ownership.
Sources
1. Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) (2026). Risiken im Fokus 2026.
2. Europäisches Parlament und Rat (2024). Verordnung (EU) 2024/1624. Amtsblatt der Europäischen Union.
3. Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) (2025). Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of Directive (EU) 2024/1640.