Does Your Business Risk Assessment Meet Regulatory Expectations for 2026?


With the 2026 REQ submission deadlines published and the REQ templates made available in the first week of February, subject persons are entering a critical stage of their regulatory cycle. As supervisory expectations continue to increase, particularly regarding the quality and depth of Business Risk Assessments (BRAs), regulatory reviews consistently show that weaknesses in the BRA translate into broader AML/CFT deficiencies, leading to remediation requirements, enhanced monitoring, or follow-up supervisory engagement.

The FIAU has underlined that the BRA is not a procedural obligation, but the cornerstone of the risk-based approach. It determines how ML/FT risks are identified, measured, mitigated, and prioritised across the organisation. Where the BRA lacks structure, evidencing, or internal coherence, the effectiveness of the wider AML/CFT framework is inherently compromised. 

A comprehensive BRA should demonstrate a clear understanding of how ML/FT risks arise within the specific business model. This requires a structured methodology covering customer profiles, geographical exposure, products and services, delivery channels, and other sector-specific risk factors, supported by objective data and documented rationale. 
 

Understanding the purpose of the BRA 

The BRA enables an organisation to form a holistic view of its risk exposure, from inherent risk through to residual risk. It provides management with a clear picture of where threats are most likely to materialise, how severe their potential impact may be, and whether existing controls sufficiently mitigate those risks. 

Regulatory expectations increasingly require the methodology to be quantitative, applying defined scoring criteria and a structured assessment of control effectiveness. This assessment must be proportionate to the size, complexity, and risk profile of the subject person, and capable of being clearly explained and defended during supervisory review. 

Supervisors now expect subject persons to demonstrate not only an understanding of the ML/FT threats they face, but also how those threats translate into residual risk after controls are applied. This distinction is central to the credibility of the BRA. 
 

Core components of an effective BRA 

An inherent risk assessment should apply quantitative scoring that measures both likelihood and impact. Likelihood assesses the probability of a threat exploiting a vulnerability, while impact considers regulatory, financial, operational, and reputational consequences. These criteria must be clearly defined and applied consistently. 

Control effectiveness must be assessed against each identified risk. This includes governance arrangements, customer due diligence measures, monitoring systems, reporting processes, and escalation frameworks. Controls should be assigned defined effectiveness ratings, supported by evidence. Subjective or undocumented assessments significantly weaken the reliability of the BRA. 

Residual risk should be clearly derived from the interaction between inherent risk and control effectiveness. The rationale for each residual risk rating should be transparent, particularly in higher-risk areas, and clearly linked to management decisions and oversight. 

Evidence-based analysis remains essential. The FIAU expects BRAs to be supported by verifiable data, such as customer and jurisdictional breakdowns, transaction volumes, delivery channel usage, and product risk indicators, as well as appropriate reference to supervisory guidance and typology reports. 
 

The central importance of residual risk 

Residual risk represents the level of ML/FT risk that remains after the application of mitigating controls. Understanding residual risk is critical because it reflects the organisation’s true exposure and directly informs risk appetite, control enhancements, and strategic decisions. 

A well-articulated residual risk assessment allows management to identify areas where controls are effective, as well as areas where risk remains elevated despite existing measures. This is particularly relevant for higher-risk products, services, customers, or jurisdictions, where residual risk may exceed the organisation's stated risk appetite and require further action.

From a regulatory perspective, residual risk is often a key focus during inspections. Subject persons are expected to clearly demonstrate how residual risk ratings were derived, why they are considered acceptable or otherwise, and what governance decisions have been taken in response. Where residual risk assessments are unclear, inconsistent, or unsupported by evidence, supervisory authorities may conclude that risks are not adequately understood or managed. 
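To make the methodology described in the two sections above concrete (quantitative likelihood and impact scoring, evidenced control effectiveness ratings, residual risk derived from their interaction, and comparison against a stated risk appetite), the following is an added worked example; it is neither BDO's nor the FIAU's methodology. The scoring scale, band thresholds, the rule that a control rating without an evidence reference contributes no mitigation, the multiplicative combination of independent controls, and the sample risk register are all assumptions constructed for the illustration.

```python
"""Illustrative BRA scoring model (added example; not BDO's or the FIAU's method).

Every convention below is an assumption chosen for the example, not a
regulatory requirement quoted from the article:
  - likelihood and impact are each scored 1..5 against written criteria
  - inherent score = likelihood x impact (1..25), banded Low / Medium / High
  - each control carries an effectiveness rating 0.0..1.0 plus an evidence
    reference; a rating with no evidence contributes nothing
  - residual score = inherent score x product of (1 - rating) over controls
  - risk appetite = highest acceptable residual band per risk area
"""
from dataclasses import dataclass, field

LIKELIHOOD_CRITERIA = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_CRITERIA = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
BANDS = ["Low", "Medium", "High"]


def band(score: float) -> str:
    """Map a 1..25 score to a band (thresholds are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    rating: float        # 0.0 = ineffective .. 1.0 = fully effective
    evidence: str = ""   # reference to testing or documentation supporting the rating

    def effective_rating(self) -> float:
        if not 0.0 <= self.rating <= 1.0:
            raise ValueError(f"{self.name}: rating must be within 0..1")
        # An undocumented rating is treated as providing no mitigation at all.
        return self.rating if self.evidence else 0.0


@dataclass
class Risk:
    area: str                  # e.g. Customers, Geography, Products, Delivery channels
    description: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)
    rationale: str = ""        # why the residual rating is considered acceptable (or not)

    def inherent_score(self) -> int:
        if self.likelihood not in LIKELIHOOD_CRITERIA or self.impact not in IMPACT_CRITERIA:
            raise ValueError(f"{self.description}: scores must use the defined 1..5 criteria")
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Controls are assumed independent: each leaves (1 - rating) of the risk.
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effective_rating()
        return round(self.inherent_score() * remaining, 2)


def assess(risks: list[Risk], appetite: dict[str, str]) -> list[dict]:
    """Return one row per risk with scores, bands and the issues a reviewer would raise."""
    rows = []
    for risk in risks:
        inherent, residual = risk.inherent_score(), risk.residual_score()
        residual_band = band(residual)
        issues = []
        if BANDS.index(residual_band) > BANDS.index(appetite[risk.area]):
            issues.append("residual risk exceeds stated appetite; management action required")
        undocumented = [c.name for c in risk.controls if not c.evidence]
        if undocumented:
            issues.append("controls rated without evidence: " + ", ".join(undocumented))
        if not risk.rationale:
            issues.append("residual rating has no documented rationale")
        rows.append({
            "area": risk.area, "description": risk.description,
            "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": residual_band,
            "issues": issues,
        })
    return rows


# Constructed sample register (fictitious figures, for the example only).
SAMPLE_RISKS = [
    Risk("Geography", "Customers resident in higher-risk jurisdictions", 4, 5,
         [Control("Enhanced due diligence", 0.6, "EDD file review, Q4"),
          Control("Sanctions and PEP screening", 0.5, "Screening tool test report")],
         rationale="Residual exposure within appetite after EDD and screening; reviewed by MLRO"),
    Risk("Products", "High-value products settled in cash", 3, 4,
         [Control("Transaction monitoring", 0.7)],   # rating given, no evidence referenced
         rationale="Monitoring rules cover cash thresholds"),
    Risk("Delivery channels", "Non-face-to-face onboarding", 4, 4,
         [Control("Remote identity verification", 0.3, "Vendor assurance report")]),
]
SAMPLE_APPETITE = {"Geography": "Medium", "Products": "Low", "Delivery channels": "Medium"}


def sample_assessment() -> list[dict]:
    return assess(SAMPLE_RISKS, SAMPLE_APPETITE)


if __name__ == "__main__":
    for row in sample_assessment():
        print(f"{row['area']:<18} inherent {row['inherent']:>4} ({row['inherent_band']})"
              f"  residual {row['residual']:>5} ({row['residual_band']})")
        for issue in row["issues"]:
            print("   - " + issue)
```

Running the sample register shows the three situations the article warns about: the geography risk is High inherently but Low residually because both controls are evidenced; the product risk stays at its inherent Medium, exceeding a Low appetite, because the only control is rated without evidence and therefore cannot be relied on; and the delivery-channel risk lands within appetite but is flagged for lacking the documented rationale a supervisor would ask for.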
 

Alignment with the National Risk Assessment 

An effective BRA must also demonstrate alignment with the findings of the National Risk Assessment. The sectoral risks, threats, and vulnerabilities identified at national level should be clearly reflected in the business’s own risk assessment, where relevant. 

This does not require a generic restatement of national findings. Rather, subject persons are expected to show how sector-specific risks highlighted in the National Risk Assessment have been considered, assessed, and, where applicable, incorporated into the BRA. Where certain national risks are deemed not applicable, this should be clearly justified. 

Referencing the National Risk Assessment in this way strengthens the credibility of the BRA and demonstrates that the organisation’s understanding of risk is informed by both internal data and external risk intelligence. 
 

Supporting regulatory readiness 

A well-constructed BRA strengthens regulatory resilience, supports informed decision-making, and enables compliance resources to be allocated where residual risk is highest. As submission deadlines approach and supervisory expectations continue to rise, many subject persons are reassessing whether their existing BRA accurately reflects their true residual risk exposure and aligns with current regulatory standards. Proactive engagement at this stage can significantly reduce regulatory risk and avoid the need for corrective action under supervisory pressure. 


How BDO Can Help 

BDO Malta is equipped to support subject persons in preparing clear, defensible, and regulator-aligned Business Risk Assessments. Our services include methodology development, drafting, validation, and end-to-end support to ensure your BRA accurately reflects your risk profile and aligns with FIAU expectations.

Get in touch with BDO Malta to discuss how we can strengthen your BRA and support your AML compliance objectives. 
