AMLA’s BWRA Consultation: Setting EU‑Wide Standards for Risk Assessment

The Anti Money Laundering Authority (AMLA), the EU’s new central AML supervisory body based in Frankfurt, launched a public consultation on 16 April 2026 on its draft Guidelines for the Business Wide Risk Assessment (BWRA). The consultation runs until 15 July 2026, with final guidelines expected in Q4 2026.

The BWRA is the cornerstone of every organisation’s risk-based approach to AML/CFT compliance. It determines how exposure to money laundering, terrorist financing, proliferation and sanctions evasion risks is understood. It also informs how AML/CFT controls are calibrated. AMLA is now setting minimum EU wide standards for how this assessment must be done.

The draft Guidelines establish four minimum requirements applicable to all obliged entities, financial and non financial.

A Business and Operational Overview require a documented picture of structure, customer base, products, delivery channels, geographic exposure, and governance setup. This baseline determines the depth of the remaining assessment.

Inherent Risk Identification and Classification require a risk weighted analysis across customers, products, delivery channels, and geographies, identifying where ML/TF and sanctions evasion risks may materialise, with weighting decisions documented and evidence based.

An Assessment of Control Quality evaluates whether existing AML/CFT controls are well designed and operating effectively, supported by audit findings, testing outcomes, and supervisory feedback.

Finally, Residual Risk Assessment requires determining the level of risk remaining after controls are applied, recognising that high inherent risks cannot always be fully eliminated, and ensuring results drive remediation actions.

"AMLA isexplicit that the BWRA must not be a formalistic exercise but a tool thatdrives genuine improvements in risk management."
— AMLA, draft Guidelines on Business‑Wide Risk Assessment

AMLA allows methodological flexibility, requiring the approach to reflect size and complexity while meeting minimum requirements and documenting the rationale. Less complex entities may rely on a more qualitative assessment.

The Guidelines also broaden the information sources to be considered, including FATF reports, sanctions watchlists, FIU feedback, internal audit findings, and other credible external risk intelligence beyond Article 10(1) AMLR.

Despite the BWRA obligation existing since the Fourth AML Directive, challenges across the industry remain common:

• Risk assessments reviewed annually but not used to improve controls
• Generic methodologies failing to distinguish between key risk dimensions
• Control assessments based on self certification rather than testing and audit
• Weak documentation of weighting and judgement
• Management approval without effective engagement

These Guidelines align with EBA risk factor guidelines, restrictive measures guidance, and FATF standards. If your organisations is already aligned with these benchmarks, then you are well placed, if not, you have an opportunity to strengthen your frameworks ahead of finalisation.

If your organisation will come into scope or is an expanded category due to the new Anti-Money Laundering Regulation (AMLR), which is part of the EU’s new AML/CFT legislative package, you need to prepare to align with this expectation.    

With AMLA coordinating supervision across Member States, a robust and well documented BWRA is becoming a baseline expectation for all Subject Persons for AML/CFT Purposes (to be known as Obliged Entities under the AMLR.

The BWRA methodology that we develop draws on multiple external and internal sources, including:

• FATF typologies and mutual evaluations
• EU and Member State national risk assessments
• EBA guidelines and AMLA’s AML Single Rulebook
• FIAU feedback and STR/SAR analysis
• Sanctions intelligence and corruption indices

Now is the time to assess whether your BWRA truly reflects risk exposure, is evidence based, and actively informs AML/CFT controls. Early alignment with AMLA expectations will reduce supervisory risk and strengthen long term resilience. With the Guidelines expected to be finalised in Q4 2026, organisations have a limited window to assess alignment and address gaps before supervisory expectations crystallise.

If your organisation is reviewing its BWRA methodology in light of AMLA’s draft Guidelines, Chetcuti Cauchi can assist with alignment assessments, strengthening risk assessment methodologies, enhancing governance and documentation, and supporting preparedness for supervisory engagement. Engagement at this stage allows organisations to assess alignment ahead of the finalisation of the Guidelines and evolving supervisory expectations.