AMLA Sets Four-Pillar Template for Business-Wide Risk Assessment in the EU

The EU anti-money laundering authority aired draft guidelines at a 28 May 2026 hearing that define the minimum framework every obliged entity must use to assess its own ML and TF risk.

Source AMLA
Review Regulatory Enforcement AML KYC Governance EU

What happened

The EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) held a public hearing on 28 May 2026 to present and gather feedback on its draft Guidelines on business-wide risk assessment (BWRA). The guidelines are developed under Article 10(4) of the EU AML Regulation (Regulation (EU) 2024/1624, known as the AMLR). They specify four minimum requirements that any obliged entity must satisfy to produce a BWRA that regulators will consider adequate.

A BWRA is the foundational document of the risk-based approach to anti-money laundering (AML) and countering the financing of terrorism (CFT). It requires a firm to understand the money laundering and terrorist financing risk generated by its business model, its customers, its products and services, its delivery channels, and its geographic exposure. The guidelines apply across all categories of obliged entities, meaning banks, payment institutions, crypto-asset service providers, accountants, lawyers, and others fall within scope.

The public hearing formed part of a broader consultation process. AMLA is building what it describes as the single EU AML rulebook in preparation for its direct supervisory mandate over a selected group of high-risk financial institutions, which takes effect from 2028.

Why it matters

The BWRA guidelines will become the measuring stick regulators use when they assess whether a firm genuinely understands its risk profile. Firms that cannot map their own exposure across business model, customers, products and services, delivery channels, and geographic exposure will face scrutiny not just on individual control failures but on whether their entire risk-based approach is credible. That is a qualitative escalation from transaction-level findings.

AMLA’s supervisory mandate starting in 2028 will apply directly to roughly 40 high-risk financial institutions. The guidelines will also inform how national competent authorities supervise the much larger population of obliged entities under the same rulebook. The standard set at the top effectively becomes the floor for everyone. Firms that treat BWRA as a periodic checkbox exercise rather than a living analytical document will struggle to defend that posture in examination.

The consultation period is the one window practitioners have to shape the final text before it locks. Draft guidelines frequently harden at finalisation with less flexibility than the consultation draft suggested. Firms that engage now gain both influence and early knowledge of the exact framing supervisors will use.

Practitioner angle

Start by pulling your current enterprise-wide risk assessment and testing it against the dimensions AMLA named: business model, customers, products and services, delivery channels, and geographic exposure. Identify which dimensions have documented, evidenced analysis and which rely on inherited assumptions or legacy narrative. Gaps are the items to close before the guidelines finalise.

Map the four minimum requirements to your existing BWRA methodology. The draft is available through the AMLA consultation page. Where your methodology does not clearly address a requirement, treat that as a finding for the compliance programme, not simply a drafting task.

Respond to the consultation if your institution is an obliged entity operating in the EU. Submission deadlines for AMLA consultations are firm. Even a short, focused response on the requirements most relevant to your sector creates a record of engagement and ensures your operational reality is visible to the drafters.

Brief your board or senior management committee now on the direction of travel. The convergence of the AMLR, AMLA’s direct supervision model, and the BWRA guidelines means the board will soon be asked to approve a risk assessment methodology that supervisors can inspect directly. The earlier governance understands the standard, the less rushed that approval process will be. That briefing is the single most important step to take this quarter.
