AMLA's BWRA Guidelines: What Practitioners Need to Know

AMLA has published draft guidelines on how every obliged entity should conduct its Business-Wide Risk Assessment under the AMLR. The scope now includes sanctions evasion risk, but the methodology is yours to choose. Here's what matters.

On 16 April 2026, AMLA published its first draft guidelines on the Business-Wide Risk Assessment under Article 10(4) of the AMLR. If you're responsible for your entity's annual AML risk assessment, this document will shape how that process looks from July 2027 onwards.

The consultation runs until 15 July 2026, with final guidelines expected in Q4 2026.

The BWRA isn't new — but the scope is

Obliged entities have been required to conduct a BWRA since the Fourth AML Directive. What's changing is the scope, the structure, and who it applies to.

The most significant change is that the BWRA must now explicitly cover the risk of non-implementation and evasion of targeted financial sanctions. Previously, you assessed ML/TF risk. Now you need to assess whether your sanctions controls could fail or be circumvented, and document that assessment. For institutions with complex cross-border operations or exposure to high-risk jurisdictions, this is a meaningful addition to the annual risk assessment cycle.

The guidelines also extend to all obliged entities — including the non-financial sector — replacing the existing EBA guidance that only covered financial institutions.

Four minimum requirements

AMLA structures the BWRA around four components.

First, a business and operational overview — a concise description of what your entity does, who it serves, where it operates, and how its AML function is organised. This isn't new territory for most compliance teams, but AMLA intends it to serve as the calibration point: the complexity of your BWRA should be proportionate to what this overview reveals.

Second, identification and classification of inherent risks across customers, products, delivery channels, and geography. Entities must take a holistic view of how ML/TF and TFS evasion risks could materialise within their specific business.

Third, an assessment of how effectively your controls mitigate those inherent risks — not just in design, but in practice. AMLA explicitly expects you to reference compliance testing results, audit findings, and supervisory feedback here.

And fourth, an assessment of residual risk, with the important acknowledgment that inherently high-risk factors cannot be fully eliminated by controls. Upon completion, entities must determine priority areas for action and implement remediation.

No prescribed methodology — and that's deliberate

One of the most notable decisions is what AMLA chose not to do. They considered prescribing a standardised methodology — a single scoring model or matrix that every obliged entity would use. They rejected it.

Instead, entities can choose their own methodology — qualitative, quantitative, or a combination — provided it produces clear, accurate outcomes and is properly documented. AMLA's reasoning is pragmatic: the BWRA is a self-assessment tool designed to help the entity understand its own risks. It's not a supervisory comparability exercise. Comparability is handled separately through the supervisory risk assessment under Article 40(2) of the AMLD.

This is a good outcome. A prescribed methodology would have led to box-ticking. AMLA is saying: we care about your understanding of your risks, not about whether your matrix has the right number of columns.

Proportionality provisions

For smaller, non-complex entities, the guidelines offer welcome relief. If you meet the criteria for reduced supervisory assessment frequency (to be defined in a forthcoming RTS), you can apply a simpler, more qualitative approach. If your supervisor has developed a sectoral BWRA, you can use it as a starting point — though you remain responsible for tailoring it.

Third parties can help draft the BWRA, but the proposal and approval must stay in-house. The Compliance Officer drafts it, the management body approves it, and it must be available to supervisors on request.

On TFS risk: flexibility wins

AMLA considered requiring every entity to conduct two separate risk assessments — one for ML/TF and one for sanctions evasion risk. They opted instead for a flexible approach: entities can integrate their TFS risk assessment into the existing BWRA, or conduct it separately, depending on their risk profile.

This makes sense. For many entities, sanctions evasion risk is closely linked to their broader ML/TF risk profile and the same risk factors drive both. Requiring a standalone assessment for every entity — including those with minimal cross-border exposure — would have created compliance overhead without a proportionate improvement in risk understanding.

Sources of information

Beyond the minimum sources listed in the AMLR itself, entities should consult fraud observatories, FATF mutual evaluation reports, industry bodies, investigative journalism, corruption indices, and commercial intelligence providers. They should also draw on their own STR/SAR filing experience and internal audit findings.

What to do now

The consultation closes on 15 July 2026. If you're responsible for your entity's risk assessment framework, read the draft guidelines and consider responding — particularly on the proportionality provisions and the approach to TFS risk assessment. AMLA has explicitly invited feedback on whether the proposals work across all types of obliged entities.

The good news is that AMLA has chosen substance over form. The expectation, though, is clear: you need to own your risk assessment, and you need to be able to explain it.

The consultation paper is available on the AMLA website.