REQ Alignment with AML Supervisory Data Points
The Financial Intelligence Analysis Unit (FIAU) has, on 11 June 2026, issued an important Information Notice signalling a significant development in the regulatory reporting landscape. While the changes will only formally apply from the 2027 Risk Evaluation Questionnaire (REQ) cycle, the direction of travel is already clear: greater harmonisation, deeper data granularity, and a more standardised, data-driven and risk-sensitive supervisory approach driven at EU level by the Anti-Money Laundering Authority (AMLA).
At the core of this development lies the planned alignment of Malta’s REQ data points with the harmonised supervisory data points introduced by AMLA. These stem from the draft Regulatory Technical Standards issued under Article 40(2) of Directive (EU) 2024/1640. The draft RTS remains subject to adoption by the European Commission, and the final FIAU requirements may therefore differ from the present framework. While the FIAU has clarified that no immediate action is required, the implications are significant. The REQ has long been a cornerstone of the FIAU’s supervisory toolkit, and its alignment with the EU framework is likely to change the structure, definitions and granularity of information expected from firms.
The draft RTS introduces a structured and standardised data framework aimed at enabling consistent supervision across Member States. Annex I sets out supervisory data points covering areas such as business-wide risk assessments, customer risk profiling, delivery channels, geographic exposure, transaction monitoring, suspicious activity reporting and governance arrangements. The objective is to ensure that information is comparable, analysable and capable of supporting risk-based supervisory assessments.
One of the most notable themes is the shift towards increased granularity. Firms may be expected to move beyond high-level qualitative responses and provide more detailed quantitative information, including breakdowns of customer types, risk classifications, product exposure, and transactional activity. Firms that rely on manual processes, fragmented data sources, or limited data governance frameworks may find these expectations difficult to meet. The extent of any additional reporting burden will, however, depend on the final FIAU requirements and how these compare with the existing REQ.
Another key aspect is consistency and standardisation. By aligning REQ data points with AMLA requirements, the FIAU is embedding EU-wide supervisory logic into its national processes. This should facilitate benchmarking and supervisory convergence, while making inconsistencies in data quality more visible through comparable assessments. This does not mean that every REQ response will automatically be reviewed directly by AMLA. It does, however, increase the importance of data accuracy, traceability, ownership and governance.
The draft RTS also reflects a stronger emphasis on risk sensitivity. Supervisory authorities are interested not only in whether controls exist, but also in how they operate and respond to different levels of risk. This creates a closer connection between inherent risk, mitigating controls and residual risk. Firms will therefore need to ensure that their AML/CFT frameworks can be clearly articulated and evidenced through reliable data.
Although the FIAU has stated that no action is required at this stage, firms should consider conducting a proportionate readiness assessment. This could include mapping current REQ responses against the applicable Annex I data points, identifying source systems and data owners, documenting calculation methodologies, and testing whether reported figures can be reconciled with underlying customer, transaction-monitoring, CDD, sanctions and suspicious reporting records.
Particular attention should be given to definitions that may differ across systems or business units, including active customers, country attribution, PEP classifications, complex ownership structures, customer risk categories and outstanding monitoring alerts. Firms should also assess whether they can reproduce historical or point-in-time data rather than relying only on current system information.
A controlled trial extraction using a previous reporting period may help identify gaps without requiring firms to commit to major system changes before the FIAU publishes the revised data points, guidance and implementation timelines.
This development forms part of the broader transformation of AML/CFT supervision within the EU. Firms should approach the 2027 REQ as an opportunity to strengthen data governance, risk assessment and the evidencing of control effectiveness, while ensuring that any preparatory work remains proportionate to the final requirements issued by the FIAU.
How BDO can help
At BDO Malta, we support subject persons in navigating complex regulatory change with confidence. Our AML and compliance specialists can assist with gap analyses against the forthcoming RTS requirements, enhancement of REQ data frameworks, optimisation of data governance practices, and end-to-end preparation for AMLR adoption.