The EU’s Anti-Money Laundering Authority has opened a consultation on draft supervision standards that would apply to gambling operators and other non-financial businesses across the bloc. The exercise is meant to shape how national supervisors profile risk and apply a risk-based approach.
According to the authority’s press release and consultation paper, feedback is open until September 27. The standards are designed to give supervisors a common method for assessing money-laundering and terrorist-financing risk, so similar businesses are judged on the same terms wherever they operate.
The draft rules sit under Directive (EU) 2024/1640, which the paper says created a harmonised framework for risk-based supervision across the Union. Article 40(2) of that directive requires AMLA to develop benchmarks and a methodology for classifying the inherent and residual risk profile of obliged entities, as well as the frequency with which those profiles are reviewed.
The consultation covers the non-financial sector, which the paper says includes more than two million natural and legal persons and many very small firms. It also says supervision remains uneven across member states, with some authorities carrying out detailed entity-level assessments using around 200 data points while others have not yet done those assessments.
AMLA’s draft sets out a three-step process. Supervisors would first assess inherent risk, then the quality of AML and CFT controls, and then determine the residual risk profile after mitigating measures.
Both inherent risk and residual risk would be classified into four bands: low, medium, substantial and high. Control quality would also be split into four categories, from very good to poor, and the residual score would be calculated using a weighted average that gives greater weight to inherent risk rather than a simple arithmetic mean.
The paper says supervisors could adjust scores when their own information shows that calculated results do not reflect actual risk or control effectiveness. Changes to inherent risk would be limited to one level up or down and would have to be justified and documented.
Smaller entities would receive a lighter regime. The paper defines them as firms with fewer than five full-time equivalent employees and annual turnover below EUR 600,000, and says supervisors would use a reduced set of inherent-risk indicators and would not require control reporting from them.
Where supervisors have no relevant information on a small entity’s controls, the control score would be set equal to the inherent-risk score and would not alter the final classification. Even so, supervisors could require all entities in a sector to be assessed on the full set of indicators if that sector is seen as exposed to elevated money-laundering or terrorist-financing risk.
The consultation paper says the draft methodology is due to apply from 31 December 2028, with some entities covered by the regulation only from 31 December 2029. Until then, supervisors are expected to use existing national methods while systems and processes are adjusted, and AMLA plans to collect sample data in 2027 to calibrate the model.
Sweden’s gambling regulator, Spelinspektionen, urged licensed operators to take part and said the draft standards will form the basis for supervisory work on risk classification and supervision. The authority will also hold a public hearing on 10 September from 10:00 to 12:00 CEST.



