The Authority for Anti‑Money Laundering and Countering the Financing of Terrorism (hereinafter referred to as AMLA) has launched a public consultation on a common methodology for assessing money‑laundering and terrorist‑financing risks in the non‑financial sector. The initiative will affect a broad range of obliged entities, including legal professionals, notaries, real estate agents, auditors, company service providers, gambling operators and professional football clubs.
At present, national supervisors apply their own frameworks when assessing the money laundering and terrorist financing risks presented by non-financial businesses and when determining the frequency and intensity of supervision. Against this background, AMLA’s draft Regulatory Technical Standards, issued under Article 40(2) of Directive (EU) 2024/1640, commonly referred to as the Sixth Anti-Money Laundering Directive, seek to replace these differing national approaches with a harmonised methodology applicable across the European Union. The central objective is to ensure that comparable businesses are assessed in a comparable manner, regardless of the Member State in which they operate.
More specifically, the proposed methodology identifies the information that supervisors will require in order to assess both the inherent and residual risk profile of each obliged entity. Inherent risk refers to the level of risk arising from the nature of the entity’s activities before safeguards are taken into account, while residual risk refers to the risk remaining after the entity’s internal controls and mitigating measures have been considered.
Although supervisors will remain able to rely on information already available to them, the draft standards envisage periodic reporting by obliged entities through standardised data points. Importantly, these data points are not identical for every sector. Instead, they are tailored to reflect the characteristics and risks of each activity. In this way, the methodology aims to ensure that supervisors focus on information that is genuinely relevant to the particular business model and risk exposure of each category of obliged entity.
In addition, a central feature of the draft standards is proportionality, particularly in relation to smaller businesses. Many non‑financial firms operating in the European Union are micro‑enterprises with limited administrative resources, and AMLA expressly recognises this. The methodology therefore introduces a lighter reporting regime for “small entities”, defined as those with fewer than five full‑time equivalent employees and annual turnover below €600,000.
Under this simplified approach, small entities would be required to provide a reduced set of information focused on the most relevant indicators of risk. They would also generally not be required to report on the quality of their own anti-money laundering and counter-terrorist financing controls. Nevertheless, supervisors would remain entitled to take account of any information already available to them concerning the effectiveness of the measures implemented by the entity and to adjust the risk assessment where appropriate.
The draft standards also provide a substantial implementation period. For most non-financial sectors, the common methodology would apply from 31 December 2028, with the first assessments taking place in 2029 using data from the previous year. By contrast, the application date for professional football clubs and football agents would be deferred until 31 December 2029, reflecting the more recent extension of European Union anti-money laundering obligations to that sector.
In the meantime, national supervisors will continue to apply their existing approaches, with the intervening period intended to allow supervisory authorities to adapt their systems and to give obliged entities sufficient time to prepare for the new reporting framework.
To support the finalisation of the standards, AMLA has launched a public consultation consisting of general and sector-specific surveys hosted on the European Commission’s EUSurvey platform. The consultation is organised by sector so that respondents may focus on the questions and data points relevant to their particular activities, rather than completing a single questionnaire covering matters that may have little relevance to their business model.
The design and weighting of the proposed data points may, in turn, have important practical consequences. They could influence how frequently an entity is reviewed, how it is compared with similar businesses and what internal records may be required to demonstrate that its risks are being managed appropriately. Participation in the consultation therefore gives businesses and professionals an opportunity to identify areas in which the proposed methodology may not fully reflect local market conditions, may affect particular business models disproportionately or may create reporting burdens that could be reduced without weakening supervision.
Finally, although the new framework will not apply until the end of 2028, obliged entities may benefit from reviewing their internal data systems at an early stage. In particular, they should consider whether they can readily obtain reliable information concerning their customers, transactions, geographical exposure and products or services. Entities that begin mapping their data and comparing their internal risk assessments with the emerging European Union methodology are likely to be better prepared once the Regulatory Technical Standards become binding.
For any additional information or assistance, please contact us at info@gtg.com.mt
Author: Alesea Azzopardi Spiteri