Two Risk-Based Regimes Divided by a Common Language? Supervisory vs Institutional Risk Assessments
There is a familiar phrase often used to describe differences in dialect across the Atlantic: “two nations divided by a common language.” It is a phrase that feels oddly apt when reading the EBA’s recent consultation on the proposed Regulatory Technical Standards (RTS) for AML supervision. We appear to be looking at two risk-based regimes, both speaking the language of “inherent risk” and “control effectiveness”, but applying it in fundamentally different ways.
Same Terms, Different Tools
The EBA’s draft RTS sets out how supervisors should assess the ML/TF risk profiles of regulated institutions. It introduces a harmonised three-step process: assess inherent risk, evaluate the quality of controls, and calculate residual risk. It proposes automated scoring, supervisory adjustment rules, and a defined frequency for reassessment, all tools designed to enable consistency and comparability across Member States.
This approach makes sense in the context of supervision. Supervisors typically operate with limited access to internal control data and rely on aggregate indicators. The objective is not to micromanage individual risks, but to triage supervision, identify outliers, and allocate inspection resources.
But what works for prioritising supervision doesn't necessarily translate into effective risk management within firms.
The Institutional Reality: Risk Lives in the Details
For financial institutions, risk is not an abstract score. It materialises through specific risk events, instances where the institution might be exploited for money laundering, terrorist financing, or sanctions evasion. Managing that risk requires more than an aggregate rating. It demands a granular understanding of:
What specific events could occur based on the firm’s customers, products, and delivery channels?
Which controls are designed to mitigate those events?
Whether those controls actually work, not in general, but in the context of the specific risk they are meant to address.
In this context, assigning a firm-wide “residual risk score” may obscure more than it reveals. It flattens the profile. It may indicate where to look, but not what to fix.
Why This Matters
The EBA’s consultation rightly identifies the value of a common framework for supervision. But it is important to resist the temptation to transpose that framework directly into firm-level risk assessments. Doing so risks shifting the focus of internal AML programmes back toward compliance theatre, where firms optimise for the output the supervisor wants to see, rather than what is operationally effective.
Instead, institutions should embrace a more forensic and event-driven model of risk assessment, one that isolates specific threats and evaluates control effectiveness in context. That is the difference between managing risk and simply measuring it.
A Call for Clarity
As the Regulatory Technical Standards crystallise, we should be careful to distinguish the purpose of these tools. Supervisory harmonisation is not the same as risk management. The language may be shared (“risk-based,” “controls,” “inherent risk”), but the grammar is different. We need to preserve that distinction.
After all, effective risk management is not just about ticking the box. It is about preventing harm. And that starts with understanding the difference between what the regulator needs to know, and what the business needs to manage.