The Architecture of Risk: AMLA Rewrites the Risk Assessment
- Elizabeth Travis
- 25 minutes ago
- 7 min read

When the European Union created the Anti-Money Laundering Authority (AMLA) in mid-2024, the ambition was framed in institutional terms: a single supervisor to end two decades of fragmented, directive-led enforcement. Yet the most consequential development of 2026 is not about who AMLA will supervise. It is about how risk itself must now be measured, evidenced and defended across the entire Union. The reforms unveiled this spring do not adjust the procedural furniture of compliance. They redefine what a risk assessment is for, who owns it, and what it must be able to withstand.
The risk assessment has become a legal instrument
For most of the past decade, the business-wide risk assessment occupied an uncomfortable position in compliance practice. It was expected, frequently demanded by supervisors, and yet anchored in guidance rather than hard obligation. That ambiguity is now closing. The Anti-Money Laundering Regulation (AMLR), Regulation (EU) 2024/1624, places the business-wide risk assessment on a statutory footing through Article 10, and on 16 April 2026 AMLA opened a public consultation on draft Guidelines under Article 10(4) that specify what obliged entities must actually do.
The continuity with the past is real but should not be overstated. As Ashurst's analysis of the consultation notes, the obligation builds on Article 8 of the Fourth Anti-Money Laundering Directive, Directive (EU) 2015/849, yet the AMLR extends its scope in two material respects: it now expressly captures the risk of evasion of targeted financial sanctions, and it brings newly covered obliged entities within its reach. The shift in register matters more than the lineage. The assessment is no longer something a supervisor expects. It is something the law requires, and the space between those two things was where firms used to live.
Four requirements turn principle into structure
The draft Guidelines do not leave the content of a risk assessment to interpretation. AMLA proposes four minimum requirements applicable across all obliged entities, financial and non-financial alike.
The CPDs.Academy analysis of the draft sets out their shape. The assessment must begin with a clear overview of the business and its operations, covering legal and operational structure, group arrangements, customer base, products and services within scope, delivery channels, geographical exposure, the organisation of the compliance function, outsourcing and any use of emerging technologies. From there it must work through inherent risk, the quality of controls, and the residual risk that remains.
The third requirement is where many firms will feel the strain. AMLA's draft is explicit that controls must be assessed on both design and implementation. A policy on the page is not the same as a control in practice. The assessment must demonstrate, with evidence drawn from compliance testing and internal audit, that the control actually mitigates the risk it is meant to address. This is the distinction between control existence and control effectiveness, and AMLA has placed itself firmly on the side of the latter. The fourth requirement concerns the governance trail. The AMLR requires the assessment to be drawn up by the compliance officer and approved by the management body in its management function, with that approval documented, dated and based on a current assessment. The architecture is no longer optional. Neither is the paper trail that proves it.
Proportionality is the promise, evidencing is the price
AMLA has been consistent in its messaging. Opening the public hearing on 28 May 2026, Executive Board Member Rikke-Louise Ørum Petersen reminded the audience that obliged entities are best placed to understand the risks they face. The remark was generous in tone, but its implication is demanding. If firms know their risks best, they carry the burden of demonstrating that knowledge, not merely asserting it.
Proportionality runs through the draft as a genuine concession rather than a slogan. As Ashurst observes, non-complex entities that meet the criteria for reduced supervisory assessment frequency may apply a lighter, more qualitative and descriptive assessment, and entities in sectors where the supervisor has produced a sectoral assessment may use it as a starting point, though they retain full responsibility for their own. Firms may also draw on third parties to assist, provided the proposal and approval of the assessment remain within the entity. The relief is real, but it is bounded. Responsibility cannot be outsourced, and proportionality is something a firm must justify rather than simply claim.
This is the recurring theme of the 2026 reforms. The analysis published by Moody's observes that AMLA is raising expectations on how risk assessments are evidenced, reviewed and documented, moving towards an environment in which institutions must show that their risk assessments and controls are justified, traceable and operationally sound across every jurisdiction in which they operate. The risk-based approach is not being diluted. It is being made auditable. Proportionality remains the principle, but the price of invoking it is a documented, defensible methodology that a supervisor can interrogate.
Selection is becoming a calculation, not a judgement
The second strand of AMLA's work is quieter but in some respects more decisive. From January 2028, AMLA will directly supervise around forty of the most complex high-risk institutions or groups in the Union, and the December 2025 regulatory technical standards finalised under Article 12(7) of the AMLA Regulation set out exactly how those entities will be chosen. The criteria are objective and quantitative. As set out in the European Banking Authority's draft regulatory technical standards under Article 12(7), and confirmed in the December 2025 final report, eligibility requires activity in at least six Member States, with activity counted as material only where an institution has more than 20,000 resident customers or more than fifty million euro in transaction value in a given Member State. AMLA must begin the first selection process on 1 July 2027 and conclude it within six months.
The significance lies not in the threshold figures, but in what they replace. Selection for direct supervision is now data-driven and reproducible rather than discretionary; if a firm's residual risk score crosses the benchmark, escalation follows automatically. The patchwork that allowed firms to arbitrage between lenient and stringent national supervisors is being dismantled. Consistency is becoming the baseline, and inconsistency is becoming visible.
The methodology firms should fear is the one that judges everyone
It would be a mistake to read the selection standard as a concern only for the largest cross-border institutions. The Article 12(7) selection methodology is mirrored by a parallel standard, the regulatory technical standards under Article 40(2) of the Anti-Money Laundering Directive, Directive (EU) 2024/1640, which establishes the common methodology national supervisors must use to assess every obliged entity in the financial sector. As the AMLYZE analysis explains, the same data points that feed AMLA's selection model will be reported to national supervisors from 10 July 2027, so the methodology quietly becomes the lens through which every obliged entity is judged, not merely the forty under direct supervision.
There is an unusual transparency to this. AMLYZE notes that the framework abandons the familiar probability-versus-impact axis in favour of the inherent, controls and residual model, the same structural logic that underpins COSO ERM, ISO 31000 and the Wolfsberg Group's financial crime frameworks. The methodology a supranational supervisor will use to grade institutions is, in effect, open source. A firm that builds its own risk assessment in deliberate ignorance of how its supervisor reasons is choosing to be surprised. The more defensible posture is alignment: constructing an assessment whose logic of inherent risk, control quality and residual risk maps onto the framework the supervisor will apply. The published methodology is not merely a disclosure. It is an invitation to converge, and the firms that decline it will find their assessments measured against a yardstick they chose not to read.
Group-wide risk is no longer a domestic question
The third element of AMLA's April consultation addressed group-wide requirements through draft regulatory technical standards under Articles 16(4) and 17(3) of the AMLR. AMLA has chosen, as A&O Shearman notes, to address both mandates through a single set of standards to ensure coherence and avoid duplication. These standards set minimum requirements for group-wide frameworks, expressly including cross-border situations and circumstances where obliged entities operate in third countries. AMLA's stated aim is that groups obtain a consolidated view of money laundering and terrorist financing risk across their entire organisation.
For multinational institutions this closes a familiar gap. Risk has too often been assessed entity by entity, jurisdiction by jurisdiction, with no obligation to consolidate the picture at group level. A subsidiary in a higher-risk third country could be managed as a local problem rather than a group exposure. AMLA's draft standards reject that compartmentalisation. The consolidated view is becoming mandatory, and the third-country branch is becoming the parent's concern.
Preparation is no longer optional, and the window is closing
The practical consequences are substantial and they arrive on a fixed timetable. The AMLR applies from 10 July 2027, the parallel supervisory methodology under Article 40(2) takes effect on the same date, AMLA expects to finalise the business-wide risk assessment Guidelines in the fourth quarter of 2026, and written responses to the consultation close on 15 July 2026. The first selection process begins on 1 July 2027. Firms therefore have a narrowing window in which to shape the standards and a shorter one still in which to prepare for them. The public hearing on 28 May drew over a thousand stakeholders, which suggests the sector understands the stakes even if its preparations lag its attention.
Three priorities follow. First, methodology must become explicit and reproducible; a risk assessment that cannot be reconstructed by a supervisor is not defensible, however sound its underlying judgements. Second, evidencing must be designed in rather than retrofitted, because traceability is now part of the obligation and the controls assessment turns on demonstrated effectiveness, not documented intention. Third, group structures must produce a genuinely consolidated risk picture, with third-country operations integrated rather than quarantined. The firms that treat the consultation period as a spectator exercise will inherit standards they had no hand in shaping.
Conclusion: from existence to architecture
For years, compliance maturity was measured by whether a risk assessment existed. AMLA is rebuilding the question. The reforms of 2026 ask not whether a firm has assessed its risk, but whether that assessment is consistent, consolidated, evidenced and able to withstand a methodology the supervisor has already published. A risk assessment can be filed. An architecture has to hold.
Are your firm's risk assessments built to be defended, or merely to exist?
If that question gives you pause, contact us.
At OpusDatum, we help firms move from risk assessments that satisfy a checklist to risk assessments that withstand scrutiny. We work with compliance functions to build methodologies that are explicit, evidenced and aligned with the supervisory frameworks now emerging across the EU and UK.
%20-%20C.png)