
AMLA's New BWRA Guidelines: Why Your Self-Assessment Should Mirror the Supervisor's Scorecard

Analysis of AMLA's 16 April 2026 consultation on draft BWRA Guidelines under Article 10(4) AMLR, and how the cross-reference to the supervisor RTS under Article 40(2) AMLD reshapes how management companies, TCSPs, and fund administrators should structure their business-wide risk assessment.

Fredrik Gröndahl

On 16 April 2026, AMLA opened a public consultation on draft Guidelines on business-wide risk assessment under Article 10(4) of the AMLR. The headline reading is straightforward. AMLA wants every obliged entity to do a structured business-wide risk assessment, with four minimum requirements and a documented methodology. The consultation closes 15 July 2026, with a public hearing on 28 May and final guidelines expected in Q4 2026.

Most coverage stops there. The deeper reading is that AMLA has, in a single document, told obliged entities to build their own risk self-assessment around the same data points supervisors will use to score them under direct supervision from 2028. The supervisor's scorecard is now public. The BWRA Guidelines are the instructions for how to use it.

What the Guidelines Actually Require

The draft Guidelines structure the BWRA around four minimum requirements. The first is a business and operational overview covering legal setup, group structure, customer base, products and services within the AMLR scope, delivery channels, geographical exposure, the AML/CFT function, outsourcing arrangements, and use of new or emerging technologies (paragraph 21 of the draft Guidelines). The second, third, and fourth are a documented three-phase methodology: identification, assessment and classification of inherent risks (MR2), assessment of the quality of AML/CFT and TFS controls (MR3), and assessment and classification of residual risks (MR4).

Two things stand out compared to the existing EBA/GL/2021/02 framework that has governed the financial sector since 2021. First, the BWRA scope now expressly includes the risks of non-implementation and evasion of targeted financial sanctions, not only ML and TF (paragraph 3 of the draft). Second, the requirement now covers obliged entities across both the financial and non-financial sectors, including those newly designated under the AMLR.

The Guidelines also prescribe what the BWRA must look like as an artefact. It has to be drawn up by the Compliance Officer, approved by the management body in its management function under Article 10(2) AMLR, communicated to the supervisory function where one exists, and made available to supervisors on request (paragraph 5). It must be supported by a documented methodology with risk-based weighting and clear rationale (paragraphs 14 and 15).

Proportionality is preserved. Non-complex obliged entities can apply a less elaborate, more qualitative BWRA, with the threshold for non-complex defined cumulatively by size and activity criteria from the supervisory RTS under Article 40(2) AMLD (paragraph 8 of the draft Guidelines). That cross-reference is not incidental. It is the first hint at the structural move the Guidelines actually make.

The Supervisor Has Already Published the Scorecard

On 16 December 2025, AMLA published its Final Report on the draft RTS supplementing Directive (EU) 2024/1640 with regard to the methodology supervisors will use to assess the inherent and residual risk profile of credit and financial institutions. The methodology applies from 31 December 2027 and governs how every supervisor in the EU will score the regulated entities they oversee.

The supervisor methodology is a three-step process. Inherent risk is assessed first, on the basis of indicators reflecting the level of ML/TF risk to which an entity is exposed. The quality of AML/CFT controls is assessed second. The residual risk score is derived from the combination of the two. Annex I of the RTS sets out the data points. Section A lists the inherent risk indicators organised by customer, products and services, geographies, and distribution channels, broken down further by sector. Section B lists the controls quality indicators, organised into seven categories.

This is the supervisor's scorecard. It is harmonised, structured, and now public. Importantly, the supervisor methodology does not rely on obliged entities' self-assessments. Supervisors will compute the score independently, using existing information, with assessments at least annual for most institutions and every three years for the smallest and lowest-risk firms.

Where the Two Methodologies Meet

Now look at paragraph 23 of the BWRA Guidelines. When identifying inherent risks for the BWRA, obliged entities should at least refer to the data points listed in the RTS on Article 40(2) AMLD, supplemented by additional quantitative and qualitative indicators relevant to the entity. The Guidelines' background section makes the connection explicit: the BWRA concerns the obliged entity's self-assessment, while Article 40(2) relates to the supervisory assessment, and both mandates refer to common concepts.

The methodologies mirror each other deliberately. Inherent risk, then controls quality, then residual risk. The same three-phase shape, the same taxonomy of risk drivers (customer, product and service, geography, delivery channel), and a strong overlap on the data points used to populate each step. The supervisor's RTS was written for regulators. Read in combination with the BWRA Guidelines, it functions as the reference dataset for the regulated.

This matters in two ways. The first is intellectual. An obliged entity whose BWRA is structured around the same taxonomy and data points as the supervisor's score will be making risk decisions in the same conceptual frame as the authority that will eventually inspect those decisions. The second is operational. When the supervisor opens an inspection in 2028 and asks for the BWRA, the firm whose BWRA references the same data points the supervisor used to score it can demonstrate alignment by construction. The firm whose BWRA was structured around a different taxonomy is going to spend the inspection translating between two frameworks.

What the Mirror Does Not Cover

The cross-reference is real, but the BWRA is not a copy of the supervisor's RTS. The Guidelines deliberately go further in three places.

Sources of information are wider. Paragraphs 18 to 20 list public authorities, sanctions and watchlists, mutual evaluation reports, industry sources, civil society indices, commercial intelligence, and internal sources including STRs and audit findings.

The TFS scope is wider. The Guidelines explicitly cover non-implementation and evasion of targeted financial sanctions in addition to ML/TF, while the supervisor RTS focuses on ML/TF risk profiles.

The BWRA must produce more than a score. It must drive the firm's policies, procedures, and controls (paragraph 5b of the draft Guidelines), feed individual customer-level risk assessments under Article 20(2) AMLR, and trigger remediation when residual risks remain elevated (paragraph 32).

The point is not that the BWRA equals the supervisor's score. The point is that AMLA has structured the BWRA so that the supervisor's data points are the natural starting set for the inherent risk identification step. Firms that ignore that signal will produce a BWRA the supervisor cannot easily map to its own score. Firms that take it seriously will spend less time defending methodological choices and more time defending substantive risk decisions.

What This Means for Management Companies, TCSPs, and Fund Administrators

For Luxembourg management companies, Mauritius-based fund administrators, and TCSPs operating across both jurisdictions, three things are practical now, ahead of the 28 May public hearing and the 15 July deadline.

Structure the BWRA methodology around the supervisor's taxonomy. Customer, product and service, geography, delivery channel for inherent risk. The seven controls quality categories from Annex I Section B for the controls assessment. If the firm's existing BWRA is organised around a different framework (a custom risk register, a legacy spreadsheet, an inherited consultancy template), the gap is structural and worth surfacing now rather than during the next supervisory engagement.

Treat the BWRA as queryable structured data, not a document. The Guidelines require the BWRA to be reviewed regularly (paragraph 5a), to drive controls updates (paragraph 5b), and to inform individual customer-level risk assessments. A BWRA that exists only as a Word document, refreshed annually, cannot serve any of those functions effectively. The methodology has to live in a system where data points can be updated, queried, and traced through to the policies and individual assessments they support.

Plan for the group-wide consolidation that Article 16(1) of the AMLR now requires. The Guidelines make explicit that parent undertakings must consolidate the BWRAs of their branches and subsidiaries into a group-wide assessment that takes into account the residual risk scores of each (paragraphs 11 and 31). For groups that span Luxembourg and Mauritius, or Luxembourg and other EU jurisdictions, the consolidation step is only as good as the consistency of the underlying methodology. A common BWRA structure across the group, anchored in the supervisor's taxonomy, makes the consolidation tractable. Diverging local methodologies make it nearly impossible.

The Real Signal

The signal in AMLA's package is not that obliged entities now have to do a BWRA. They already had to. The signal is that the supervisor's methodology has been published in advance of the supervisory cycle that will use it, and the BWRA Guidelines are pointing every obliged entity towards that methodology as the reference for their own self-assessment.

The firms that read the package as a description of how their regulator will think about them in 2028 are going to spend the next 18 months bringing their BWRAs into structural alignment with the supervisor's taxonomy. The firms that read it as another consultation to comment on, file, and forget will find that compliance defensibility now requires explaining methodological mismatches that did not need to exist.

It is not a policy problem. It is a data structure problem with a deadline.
