Risk-based approach: key updates
Under the AMLR, the fundamental principle remains unchanged: the Risk-Based Approach (RBA) continues to sit at the core of the AML-CTF framework.
The objective is clear. AML-CTF measures must be proportionate and tailored to the specific risks of money laundering and terrorist financing identified in each situation.
Risk assessment under the AMLR: what must be considered
The AMLR introduces a more structured framework for risk assessment, while maintaining continuity in substance.
Harmonised risk factors
Risk factors are now formally harmonised and listed in:
- Annex II (lower risk), and
- Annex III (higher risk) of the AMLR.
No change in substance
Despite this formalisation, there is no substantive change in how risks are assessed. Risk factors continue to relate to:
- customer risk factors,
- types of products, services, transactions, or delivery channels provided by the obliged entity, and
- geographical risk factors.
Upcoming regulatory developments
Further guidance is expected to complement the framework:
- AMLA Guidelines on Article 10(4) AMLR – Business-wide risk assessment (currently under consultation), expected by 10 July 2026;
- RTS on Article 28(1) AMLR – Requirements and information to be collected for standard CDD, SDD and EDD purposes, also expected by 10 July 2026.
Simplified Due Diligence (SDD): still possible, but stricter
The AMLR preserves the possibility to apply Simplified Due Diligence, but introduces stricter conditions.
Conditions for applying SDD
- SDD is limited to situations where low risk is clearly demonstrated and documented.
- Obliged entities must be able to show, based on documented criteria, that the relationship presents low money laundering and terrorist financing risks.
No exemption from identification
Importantly, the AMLR explicitly confirms that:
- applying SDD does not exempt obliged entities from identifying customers and their beneficial owner(s).
Examples of SDD measures
The AMLR provides a non-exhaustive list of simplified measures, including:
- Verification of identity after onboarding, provided it is completed within 60 days;
- Less frequent updates of identification data;
- Reduced information requirements, where the purpose and nature of the relationship may be inferred;
- Reduced monitoring;
- Reliance on additional simplified measures identified by the AMLA.
It should be noted that SDD is not permitted in certain situations, in particular where there are doubts regarding the accuracy or consistency of customer or beneficial owner information.
Enhanced Due Diligence (EDD): broader mandatory scope
The AMLR significantly expands the situations in which Enhanced Due Diligence is required.
EDD must be applied in the following cases:
- High-risk customers, identified through the risk assessment as presenting a high risk of money laundering or terrorist financing;
- High-net-worth individuals, in the context of business relationships involving the handling of assets with a value of at least EUR 5 million through personalised services for a customer holding total assets of at least EUR 50 million;
- High-risk third countries, when the business relationship involves such jurisdictions;
- Residence-by-investment schemes, where the customer is an applicant under such schemes.
Examples of EDD measures
The AMLR also introduces a non-exhaustive list of enhanced measures, including:
- Deeper transaction analysis, requiring obliged entities to gather more detailed information on:
  - the reasons for intended or executed transactions, and
  - their consistency with the overall business relationship;
- Stronger payment safeguards, including:
  - requiring the initial payment to be made through an account in the customer’s name held with a CDD-compliant institution.
Guidance on the definition and treatment of PEPs
The AMLR provides further clarity on politically exposed persons (PEPs), reinforcing their importance within the EDD framework.
EU-wide definition
An EU-wide definition of PEPs is introduced, covering:
- domestic, foreign, and international organisation PEPs;
- family members (including civil partners and spouses);
- known close associates.
PEPs as a key EDD trigger
The presence of a PEP remains a key trigger for enhanced due diligence. In such cases:
- enhanced scrutiny must be applied to the business relationship;
- in addition to standard CDD measures, obliged entities must:
  - obtain senior management approval;
  - take appropriate measures to establish the source of wealth and source of funds involved.
Declassification rules
PEP status is not lifted automatically:
- it must be maintained for at least 12 months after the end of the public function;
- beyond this period, enhanced measures may only be lifted following a documented risk-based assessment demonstrating that the individual no longer presents a higher risk.
Operational takeaway
From an operational perspective, obliged entities should:
- review screening frameworks,
- reassess escalation mechanisms, and
- strengthen documentation requirements.
Conclusion
The AMLR reinforces the centrality of the risk-based approach while introducing greater harmonisation, stricter conditions for simplification, and a broader scope for enhanced due diligence.
Organisations should take proactive steps to align their frameworks with these requirements, particularly in relation to:
- risk assessment methodology,
- documentation standards, and
- the treatment of high-risk categories such as PEPs and high-net-worth individuals.