AMLA’s draft BWRA Guidelines: Why firms should reassess their AML and sanctions risk framework now

26th May 2026

AMLA’s draft Guidelines on Business-Wide Risk Assessments (“BWRA”) are likely to reshape how firms evidence AML, counter-terrorist financing and sanctions risk management across the EU.

Firms will now be expected to demonstrate not only that they have a BWRA, but that it actively informs controls, governance, remediation and decision-making across the business.

The Anti-Money Laundering Authority (“AMLA”) has published draft Guidelines under Article 10(4) of Regulation (EU) 2024/1624 (the “AMLR”) on Business-Wide Risk Assessments (“BWRA”). The consultation opened on 16 April 2026 and remains open until 15 July 2026, with final Guidelines expected in Q4 2026.

AMLA’s draft Guidelines expand expectations around structure, governance, methodology and evidencing. Although the BWRA obligation already exists under Article 8 of Directive (EU) 2015/849, the AMLR broadens the framework beyond money laundering (“ML”) and terrorist financing (“TF”) risks by expressly requiring firms to assess risks associated with the non-implementation and evasion of targeted financial sanctions (“TFS”).

A shift from compliance document to operational risk-management tool

A recurring theme throughout the draft Guidelines is that the BWRA should function as a live and practical risk-management tool rather than an annual compliance exercise.

AMLA expects firms to use the BWRA to drive:

  • AML/CFT and sanctions controls;
  • customer risk assessment frameworks;
  • customer due diligence measures;
  • transaction monitoring;
  • sanctions screening;
  • governance and escalation processes;
  • resource allocation;
  • employee awareness and training; and
  • remediation activities.

Firms should therefore be prepared to demonstrate:

  • what risks the business is exposed to;
  • why those risks arise;
  • which controls mitigate those risks;
  • whether those controls operate effectively;
  • what residual risk remains; and
  • what remediation action is required.

What the draft Guidelines require

AMLA structures the BWRA around four minimum requirements:

  1. Business and operational overview
  2. Assessment of inherent risk
  3. Assessment of AML/CFT/TFS control effectiveness
  4. Assessment of residual risk

To reflect the diversity of obliged entities captured within the AMLR framework, AMLA deliberately avoids imposing a single mandatory methodology. Instead, firms are expected to adopt an approach proportionate to their:

  • size;
  • complexity;
  • business model;
  • geographic exposure; and
  • overall risk profile.

The Guidelines also recognise that less complex obliged entities may adopt a more qualitative and descriptive methodology.

Sources of information and use of internal resources

The Guidelines place particular emphasis on firms relying on a broad range of credible and up-to-date internal and external information sources when preparing their BWRA.

AMLA states that firms should refer to information from a variety of sources and appropriately document both:

  • the sources consulted; and
  • how those sources were used within the BWRA methodology.

The draft Guidelines reference the following additional sources of information:

  • information from public authorities and official authorities such as fraud observatories, central banks, statistical organisations and academia;
  • sanctions and watchlists maintained by competent authorities;
  • publications and assessments from international standard setters in the AML/CFT field, including mutual evaluation reports, detailed assessment reports and follow-up reports;
  • industry-level and professional sources shared by industry bodies, professional associations or self-regulatory bodies;
  • public-private partnerships and inter-agency cooperation forums;
  • credible external sources such as typology reports, intelligence reports, objective press reporting and independent investigative journalism;
  • information from civil society, including corruption indices and country reports; and
  • information from credible commercial organisations, including risk and intelligence providers.

AMLA further expects firms to make appropriate use of internal knowledge, operational data and professional expertise.

This includes:

  • suspicious transaction reports (“STRs”) and suspicious activity reports (“SARs”);
  • FIU requests and feedback;
  • law enforcement or judicial authority requests;
  • compliance monitoring findings;
  • internal audit outcomes;
  • external audit findings;
  • supervisory actions;
  • remediation activity;
  • transaction monitoring trends;
  • customer risk trends; and
  • sanctions screening alerts and escalation outcomes.

In practice, firms should be able to demonstrate that the BWRA reflects the firm’s actual operational exposure and risk environment.

The inclusion of targeted financial sanctions risks

The draft Guidelines also extend the BWRA to cover risks relating to targeted financial sanctions (“TFS”).

Under the draft Guidelines, firms must assess risks relating to:

  • non-implementation of TFS obligations; and
  • evasion of TFS measures.

AMLA makes clear that this risk assessment does not remove firms’ underlying rule-based obligations relating to TFS.

Firms should therefore assess how TFS-related risks may arise within their business model and operations. This may include exposure linked to:

  • cross-border transactions;
  • geographic exposure;
  • complex ownership structures;
  • intermediated business models;
  • digital onboarding channels; and
  • correspondent relationships.

The Guidelines also require firms to consider TFS evasion risk. In practice, this means considering whether particular customers, products, jurisdictions, delivery channels or transaction patterns could increase the risk of sanctions restrictions being circumvented or links to designated persons or entities being obscured.

For some firms, integrating TFS risks into the existing BWRA may be sufficient. For others, particularly those with higher cross-border or jurisdictional exposure, a separate but complementary TFS risk assessment may be more appropriate.

Assessing control effectiveness

The Guidelines require firms to assess not only whether controls exist, but whether those controls operate effectively in practice.

AMLA distinguishes between:

  • design effectiveness; and
  • implementation effectiveness.

This means firms should be able to evidence whether controls are:

  • appropriately designed;
  • operating consistently;
  • properly governed;
  • adequately resourced; and
  • capable of mitigating identified risks in practice.

The BWRA should therefore demonstrate a clear and evidence-based relationship between identified risks and the controls intended to mitigate them, including:

  • sanctions screening;
  • transaction monitoring;
  • onboarding verification;
  • beneficial ownership checks;
  • governance and escalation arrangements;
  • quality assurance processes; and
  • controls testing frameworks.

What firms should do now

Although the Guidelines remain in draft form, firms should use the consultation period to assess whether existing BWRAs align with the expectations reflected in the draft Guidelines.

Key questions include:

  • Does the BWRA accurately reflect the business model and operational reality?
  • Have TFS non-implementation and evasion risks been properly assessed?
  • Is the methodology clearly documented and evidence-based?
  • Are risk weightings and classifications properly explained?
  • Are identified risks appropriately mitigated by corresponding controls?
  • Is control effectiveness appropriately tested?
  • Does the residual risk assessment reflect reality?
  • Does the BWRA drive remediation and governance outcomes?

BWRA gap analysis: a practical next step for firms

For many firms, the most effective immediate response will be conducting a structured BWRA gap analysis against AMLA’s draft expectations.

A structured gap analysis can help firms assess whether their existing BWRA framework:

  • appropriately identifies and assesses inherent ML/TF and TFS-related risks across customers, products, services, delivery channels and geographical exposure;
  • applies a clear, documented and evidence-based methodology proportionate to the firm’s size, complexity and risk profile;
  • demonstrates a clear relationship between identified risks and the controls intended to mitigate them in practice;
  • adequately assesses both the design and implementation effectiveness of AML/CFT and TFS-related controls;
  • appropriately identifies residual risks remaining after mitigating measures have been applied;
  • incorporates relevant internal and external information sources, including operational insights, audit findings, supervisory feedback and transaction monitoring trends; and
  • effectively supports governance, remediation, resource allocation and broader risk-management decision-making across the business.

About Flawless Money

Flawless Money advises UK and EU fintech firms on AML/CFT compliance, sanctions risk management and governance arrangements.

We support payment institutions, e-money institutions, cryptoasset firms and other regulated businesses with BWRA reviews and AML/CFT framework gap analyses against evolving UK and EU regulatory expectations.

Our team assists firms in assessing risk assessment methodologies, governance arrangements, control effectiveness, internal controls and remediation frameworks to ensure AML/CFT and sanctions programmes remain proportionate, operationally effective and aligned with regulatory expectations.

Please contact Flawless Money if you require support with a BWRA review or broader financial crime compliance programme.