
New EU AML/CFT Supervisory Framework: What Obliged Entities Need to Know

June 16, 2026

Two regulatory developments, one at a supranational level and one at a national one, are set to reshape how financial sector obliged entities are assessed for AML/CFT compliance purposes. Together, they signal a material increase in the granularity and standardisation of data that supervisors across the EU will expect entities to be able to produce.

The first development is the AMLA draft Regulatory Technical Standards (RTS), published pursuant to Article 40(2) of Directive (EU) 2024/1640 and applying from 31 December 2027. The draft RTS establishes a harmonised three-step methodology for supervisors across all EU Member States:

  • Inherent risk score: assessed across customers, products/services, geographies, and distribution channels. Scored 1–4 and classified as Low, Medium, Substantial, or High.
  • Controls quality score: assessed across seven categories, including governance, CDD, transaction monitoring, TFS compliance, and group-wide frameworks. Classified A (very good) to D (poor).
  • Residual risk score: the combination of the two. Critically, strong controls cannot reduce residual risk below the inherent risk floor, and where controls are better than inherent risk, residual risk equals inherent risk.

Weights and thresholds will be set by AMLA per review cycle. Scores are based on objective, quantitative data, not on entity self-assessments.

The second development comes from the FIAU and is what sets the scene locally. In a recently issued Information Notice, the Unit confirmed that Malta’s 2027 annual REQ cycle will feature a revised list of questions, aimed at achieving harmonisation with other Member States and alignment with AMLA’s new supervisory data points. No action is required at this stage, but the direction is clear: the REQ will be recalibrated to a significantly more detailed, quantitative standard.

Entities should therefore act on four fronts:

  • Data infrastructure. Data points reflected in Annex I of the Draft RTS require structured, extractable metrics on customer composition, transaction flows, PEP exposure, unhosted wallet volumes, and CDD gap rates. Many entities will need to review whether their systems can produce these as reliable outputs.
  • Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) current state. The approval date of the BWRA and the last update date of the CRA are direct controls quality data points. Outdated risk assessments will adversely affect scoring.
  • Transaction Monitoring (TM) and Suspicious Transaction Report (STR) metrics. Alert backlogs, average alert closure times, and STR-to-alert ratios are all measured. Entities with manual or under-resourced TM functions are most exposed.
  • Targeted Financial Sanctions (TFS) screening. The maximum lag between TFS list publication and implementation in screening tools is a specific data point. Entities should document and, where necessary, tighten this process.

For ease of reference, the draft RTS may be accessed here.

At Shoulder Compliance we can assist obliged entities with two core workstreams in preparation for the 2027 REQ cycle and AMLA supervisory methodology:

  • REQ and data point readiness: gap analysis of current data extraction capabilities against the data point requirements in Annex I of the Draft RTS, and reconfiguration of annual reporting processes.
  • BWRA and CRA recalibration: review and update of business-wide and customer risk assessments to ensure alignment with the AMLR framework and AMLA’s supervisory methodology.

Early preparation is the most effective mitigation. Contact us at info@shoulder.mt for support.