The New AMLA Logic: Is Your Data Ready for the EU’s "Black Box" Supervision?

The Draft Regulatory Technical Standards (RTS) published by AMLA on December 18, 2025, represent more than just a technical update—they mark a fundamental shift in European supervision. For financial institutions, this means the end of national "discretionary" leeway. Under the new EU-wide scoring methodology, those who cannot precisely quantify their Inherent Risks or demonstrably prove the Effectiveness of their Controls will inevitably face a higher residual risk score. This leads to immediate consequences: intensified supervisory scrutiny, higher reporting burdens, and increased reputational pressure.

Key Facts at a Glance:

• The Objective:A data-driven, harmonized EU AML/CFT supervisory system that shines a spotlight on high-risk institutions.
• The Deadline:Expected entry into force on December 31, 2027, with full application starting January 1, 2028. The window to upgrade IT and data infrastructure is closing.
• The Target Audience:While the RTS is addressed to supervisors (including AMLA), the operational burden lies with the institutions. You must provide the data that fuels the scoring engine.
• The Pain Points:Unprecedented requirements for data granularity (over 150 data points), the mandate for "audit-proof" evidence of control effectiveness, and the urgent need to simulate and manage your own "AMLA Score" internally.

We bridge the gap: The RegCore team at S+P Compliance Services continuously monitors these regulatory shifts. We translate AMLA logic into practical solutions—from impact analysis and governance design to data management systems that withstand the scrutiny of European supervisors.

A. Goal    

Both RTS address the goal of establishing a unified, risk-based AML/CFT supervisory system focused on high-risk institutions in the EU and implementing the requirements of the European Commission from the Call for Advice.  

B. Implementation deadlines  

No legally binding implementation date. Expected to enter into force on December 31, 2027, and therefore to be practically applied by national supervisory authorities from January 1, 2028.  

C. Target group   

I. Personally, to be directed at the supervisory authorities, including AMLA itself. II. Materially, to all financial obliged entities that fall under ML/TF risk according to this methodology and are selected for direct supervision.  

  D. Essential duties

The RTS establish in particular obligations for a uniform, data-based risk and supervisory methodology for AML/CFT supervisors and effectively lead to an obligation for institutions to maintain structured risk data and robust AML controls, i.e. to keep them organized and functional and, as a result, to withstand the new scoring logic.

  E. Action plan for implementation

Supervisory authorities: Development of a uniform scoring framework for inherent, control, and residual risk; establishment of a standardized data collection process; implementation of a regular review cycle (initial assessment, periodic, and ad-hoc reviews); and clear documentation and governance rules for manual score adjustments. AMLA (direct supervision): Specific materiality thresholds and data processes for cross-border activities; a two-stage selection methodology for institutions under direct supervision; development of a group-wide risk scoring logic; and transitional rules for the first selection cycle. Institutions: Development/adaptation of data management and reporting; strengthening and fine-tuning of AML/CFT governance, systems, and controls; and creation of internal risk analytics capabilities to understand and manage their own risk scoring according to AMLA logic. 2.1.1.        

Area

Key Message / Main Change

Practical Impact

Next Steps (Action Items)

A. Objective

EU-wide harmonised scoring methodology for inherent risks and control quality.

Supervision becomes more comparable and fully data-driven across the EU.

Align internal controls and risk management with the EU scoring logic.

B. Timeline

Expected application date: 01 Jan 2028.

Significant lead time required for data, governance and process adjustments.

Start project in 2026: perform a gap analysis of data landscape and reporting capabilities.

C. Scope / Target Group

Focus on credit institutions and financial institutions (incl. certain MiFID investment firms).

Indirect obligation to provide “scoring-ready” structured risk data.

Perform impact assessment: cross-border footprint? size? risk class?

D. Core Requirements

Introduction of a three-step methodology (Inherent Risk / Control Score / Residual Risk).

Stronger evidence requirements for AML control effectiveness and governance.

Build a control inventory and digitise evidence of effectiveness (testing, KPIs, audit trail).

E. Implementation Measures

Standardised data collection (Annex I) and regular review cycles.

Higher supervisory pressure to justify score deviations and manual adjustments.

Establish governance structures and audit trails for scoring-relevant data and decisions.

1. Goal

The objective of the two regulatory instruments published by AMLA on December 18, 2025, can be summarized – from a legal and supervisory perspective – as follows:

1.1. RTS according to Art. 40 para. 2 AMLD (inherent/residual risk):

• Introduction of a fully harmonized methodology for assessing the inherent and residual risk profile of obliged entities in the financial sector in all Member States.
• Creating a common dataset and a uniform scoring logic to make ML/TF risk assessments comparable, reducing fragmentation of supervisory approaches and focusing supervision on the highest risks in a resource-oriented manner.
• Support for an effective, risk-based and proportionate supervisory approach, including requirements for the frequency of risk profile reviews.

1.2. RTS according to Art. 12 para. 7 AMLAR (selection for direct supervision):

• Establishing material thresholds (number of customers/transaction volume) from which activities within the framework of the free movement of services are considered "relevant" for geographical suitability for direct AMLA supervision.
• Development of a risk assessment methodology for the selection of those credit and financial institutions (or groups) that should be directly supervised by AMLA due to high residual risks and significant EU presence.
• Ensuring that AMLA identifies the most complex and high-risk cross-border institutions for direct supervision, thereby guaranteeing coordinated, EU-wide consistent AML/CFT supervision.

2. Implementation deadlines

The AMLA RTS of December 18, 2025 do not yet contain a fixed, calendar-based implementation date, but only the mechanism:

Both RTS come into force on the 20th day after publication in the Official Journal.

They only apply from a separately defined "Date of application", which is still included as a placeholder in the current draft.

Secondary literature suggests that the RTS are expected to enter into force on December 31, 2027, and will be practically applied by national supervisory authorities from January 1, 2028.

As long as the Commission has not formally adopted the RTS and published it in the Official Journal, there is therefore no legally binding implementation date, but only this planning perspective.

3. Target group 3.1. Immediate addressees (primary target group):

• Supervisory authorities or “supervisors” responsible for the AML/CFT supervision of financial sector obliged entities (credit institutions, financial institutions, etc.).
• The RTS pursuant to Article 40(2) AMLD “applies to supervisors that are responsible for the AML/CFT supervision of financial sector obliged entities”; the RTS pursuant to Article 12(7) AMLAR lays down the methodology that AMLA itself uses for the selection of institutions for direct supervision.
• The RTS pursuant to Article 40(2) AMLD applies to the assessment of the inherent and residual risk of “credit institutions and financial institutions”.
• “Financial institutions” explicitly includes certain investment firms under MiFID II; the Delegated Act lists, among other things, investment firms as covered financial institutions, with special rules for certain (small/low-risk) types of investment firms.
• Credit institutions and banksfall fully within the scope of application ; for them, all steps of risk assessment (inherent risk score, control score, residual risk score, review frequency) are mandatory.
• For German securities institutions, this means: Insofar as they fall under the definition of covered investment firms/financial institutions, they will be included in the harmonized AMLA risk assessment methodology and assessed according to the same benchmarks as banks.

3.2. Indirect addressees (secondary target group):

Financial sector obliged entities, i.e. credit institutions, financial institutions and groups, whose inherent and residual risk is assessed using this methodology and which may be selected for direct AMLA supervision.

4. Obligations4.1. Obligations of the supervisory authorities (RTS Art. 40 para. 2 AMLD)

• Use of a harmonized methodologyfor assessing the inherent and residual risk of all credit and financial institutions on the basis of a uniform data set (Annex I, data points).
• Conducting a three-stage risk assessmentfor each institution: identifying inherent risks, assessing the quality of AML/CFT controls, deriving a residual risk including classification into the levels "low, medium, substantial, high".
• Regular updatesof risk profiles: first assessment within nine months of the application date, then generally annually (or every three years for very small/low-risk institutions), plus ad-hoc assessments in the event of significant events.
• Possibility to calibrate scores accordingly(within narrow limits, max. one risk level) in the case of national specifics or based on supervisory or auditor findings, with documentation and justification requirements.

4.2. AMLA’s obligations for direct supervision (RTS Art. 12 para. 7 AMLA)

• Application of materiality thresholdsfor cross-border activities (e.g. ≥ 20,000 customers per Member State or transaction volume > EUR 50 million) to determine whether an activity is ‘material’ within the framework of the freedom to provide services.
• Conducting a standardized risk analysisto select the institutions/groups for direct AMLA supervision, focusing on the most complex, high-risk institutions with a significant EU presence.
• Calculation of a group-wide risk score based on weighted residual risks of the group companies, including special weighting of high-risk and significant units.

4.3. Indirect obligations of institutions

• Provision of the extensive data pointsdefined in Annex I (customer structure, transaction volumes, products, geographies, quality of controls, etc.) in a form that enables the supervisory scoring methodology.
• Ensuringthat AML/CFT governance, systems and controls are designed in such a way that they receive an appropriate quality assessment (control score) under the new methodology and thus limit the residual risk.

5. Measures for the implementation of the AMLA-RTS of 18 December 2025 5.1. Measures by the supervisory authorities (RTS pursuant to Art. 40 para. 2 AMLD)

• Development and operation of a harmonized scoring framework for assessing inherent risk, control quality and residual risk (including thresholds, weightings, risk levels “low–high”).
• Establishment of a standardized data collection process along the data set defined in Annex I (100–150 data points per institution, supplemented sector-specifically), including data source control (institutions, FIU, auditors, other supervisors).
• Introduction of a regular review cycle: first full risk assessment within nine months of the application date, then annually (or every three years for very small/low-risk institutions) plus ad hoc reviews in the event of significant incidents.
• Implementation of documentation and governance processes for manual adjustments of scores (max. one risk level, only in the case of national specifics or confirmed supervisory findings, with justification and logging).

5.2. Measures by AMLA for direct supervision (RTS pursuant to Art. 12 para. 7 AMLAR)

• Operationalization of materiality thresholds for cross-border activities (≥ 20,000 customers per Member State or transaction volume > EUR 50 million per year) and development of corresponding data collection and evaluation processes.
• Introduction of a two-stage selection methodology:
• Stage 1: Identification of all institutions/groups operating in at least six Member States (including FOS activities) based on the thresholds.
• Stage 2: Application of the residual risk methodology (from Art. 40 RTS) to this population to select institutions with high ML/TF risk for direct supervision.
• Development of a group risk scoring logic (weighted average of residual risks with greater weighting of large/high-risk units) and the associated IT tools.
• Establishment and application of transitional rules for the first selection cycle (e.g., temporary exclusion of certain data points, limited possibility of adjusting the control score based on on-site results).

5.3. Expected implementation measures by the institutions (indirectly from both RTS)

• Development and/or adaptation of data management and reporting processes to ensure that all AMLA data points (customer structure, products, transactions, geographies, controls) are delivered completely, consistently and periodically.
• Review and, if necessary, further development of AML/CFT governance, systems and controls so that they achieve an appropriate quality rating (A/B instead of C/D) in the new methodology and reduce the residual risk.
• Establishment of internal risk analytics capabilities to understand one’s own classification according to the AMLA logic (Inherent /Controls /Residual Risk Score) and to be able to anticipate the supervisory strategy (national vs. direct supervision AMLA).
• If you wish, I can derive a short implementation roadmap or checklist for a specific institution (e.g., bank/FinTech) from these specifications.

Those:

AMLA (Primary source)

Final Report – Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) AMLD (AMLA, 16.12.2025).

​ https://www.amla.europa.eu/document/download/c8782141-45bf-4ef9-9d66-33e2f90e607e_en?filename=1.1_20251216_FINAL+REPORT+RTS+40%282%29+AMLD+financial+only_Final.pdf

EBA

EBA response to EC Call for Advice on six AMLA mandates – Background to the derivation of the RTS methodology (transition EBA → AMLA).

​https://www.eba.europa.eu/sites/default/files/2025-10/b5a9a9aa-ce4f-4130-89a7-a19f2e791750/EBA%20response%20to%20EC%20CfA%20on%20six%20AMLA%20mandates%202025%2010%2030.pdf

National / Secondary sources (including BaFin references)

Technical article “Inherent risks pursuant to Art. 12 para. 7 AMLA Regulation and Art. 40 para. 2 AML Directive” – with presentation of the 151 data points, the sectors concerned and the role of national supervisory authorities such as BaFin, FMA, CSSF.

​https://geldwaesche-beauftragte.de/inhaerente-risiken-gemaess-art-12-abs-7-amla-vo-und-art-40-abs-2-aml-rl/

ESMA does not play a central role here, as it primarily concerns AMLA and EBA mandates in the AML/CFT area; for investment institutions, ESMA remains relevant more in the MiFID/market supervision context, not as the standard-setter for these two RTS.

​https://anti-money-laundering.eu/draft-rts-risk-assessment-for-amla-supervision/