FATF Recommendations: What you need to know

The Financial Action Task Force (FATF) is an international, intergovernmental body dedicated to combating money laundering and the financing of terrorism. Established in 1989, the FATF works to align international anti-money laundering and countering the financing of terrorism (AML/CFT) standards across its 37 current member states by issuing regular guidance to national financial authorities. The FATF sets out its AML/CFT approach in its 40 Recommendations. Before introducing new AML/CFT measures, member-state authorities and financial institutions (FIs) seeking to understand and comply with FATF policy should consult the recommendations.

FATF recommendations range from implementing international conventions to reporting and customer due diligence (CDD) measures. Some of the most important recommendations are summarized below:

FATF Recommendation 1: Risk-based approach

The FATF recommends that countries implement a risk-based approach to AML/CFT. This means that each country should instruct reporting entities to identify the level of risk from money laundering and terrorism financing they face and take appropriate compliance action in response. Governments are directed to establish national supervisory authorities and regulatory mechanisms to monitor and mitigate those criminal threats. 

The risk-based approach is considered the foundation of an effective AML/CFT regime and essential for implementing additional FATF recommendations. It’s also scalable: higher levels of risk mandate more robust compliance measures, while lower levels may be met with simpler measures.

FATF Recommendations 6/7/35: Sanctions

To comply with United Nations Security Council (UNSC) resolutions, the FATF recommends that member states implement targeted financial sanctions against persons or entities that pose terrorism financing risks, or that engage in the proliferation and financing of weapons of mass destruction. The UNSC resolutions require countries to immediately freeze the funds and assets of those persons and entities and to ensure that no further funds or assets are made available. FATF member-states produce and issue sanctions lists that FIs can consult before establishing business relationships with clients, such as politically exposed persons, that might pose a risk. 

FATF Recommendation 10: Customer due diligence

Countries should ensure their FIs implement appropriate due diligence procedures to prevent customers from opening accounts anonymously or under fictitious names. These CDD measures should be observed when an FI begins a new business relationship, when certain transactions occur, and when there is suspicion of money laundering or terrorist financing, or when there is any doubt about a customer’s identity. The CDD measures should be ongoing and allow FIs to reliably verify customer identities, identify beneficial owners, and clarify the nature of business relationships.

FATF Recommendation 12: Politically exposed persons (PEPs)

The FATF recommends that FIs implement AML/CFT measures to address foreign politically exposed persons (PEPs) and the risks they present. Those measures include taking a risk-based approach to individual clients, identifying the source of wealth and funds, conducting ongoing monitoring, and introducing a senior management approval process for the commencement of business relationships that involve PEPs. Organizations must be able to establish which PEPs present a higher risk and subject those customers to a more robust level of screening. PEP AML/CFT measures should also apply to family members and close associates of the relevant customers.

FATF Recommendation 15: Virtual assets

FATF Recommendation 15 concerns new technologies and is informed by an Interpretive Note on virtual assets (VAs), which essentially refers to cryptocurrencies. The note sets out provisions for the treatment of VAs by both financial authorities and obliged entities. This includes a recommendation that countries apply a risk-based approach to cryptocurrency AML/CFT compliance, that national authorities regulate, monitor, and supervise virtual asset service providers (VASPs), and that national authorities facilitate information sharing. The FATF also recommends that VASPs be licensed and fulfill standard AML/CFT obligations, including CDD, PEP screening, and reporting and record-keeping.

In 2021, the FATF published its Guidance for a Risk-Based Approach to Virtual Assets and VASPs, which set out a range of critical focus areas for AML/CFT compliance teams. Those areas included clarifications on the definition of virtual assets, guidance on the treatment of stablecoins, VASP licensing, and the implementation of the Travel Rule (Recommendation 16). The guidance also sets out principles of information sharing and cooperation between VASP supervisory bodies. 

FATF Recommendation 16: Wire transfers

Also known as the Travel Rule, FATF Recommendation 16 requires countries to collect identifying information from the originators and beneficiaries of domestic and cross-border wire transfers to establish a suitable AML/CFT audit trail. In practice, this involves exchanging information between parties whenever a transfer occurs, including the submission of names, physical addresses, and account numbers. In 2019, the FATF updated the Travel Rule to account for the increasing global use of cryptocurrency. The rule now applies to VASPs, such as cryptocurrency exchanges and wallets, and subjects them to the same information exchange requirements as conventional FIs during digital funds transfers. 

Following a 2021 review, the FATF expanded the Travel Rule to apply to a range of new cryptocurrency products and services, including private wallets, non-fungible tokens (NFTs), and decentralized finance (DeFi). 

FATF Recommendation 19: Higher-risk countries

Certain countries represent a higher risk of money laundering and terrorist financing activity – and these countries may be included on the FATF’s black list or grey list. When doing business with persons and entities in these countries, the FATF recommends that financial organizations apply enhanced due diligence measures. In practice, those measures include enhanced reporting and audit mechanisms, prohibitions on new branch and office openings or any reliance on third parties, and limitations on business relationships within those countries. The FATF also suggests that member states should implement measures to advise their FIs on the AML/CFT weaknesses of high-risk countries.

A guide to the FATF grey list

The FATF grey list is among the best-known indices of higher-risk countries in the compliance industry. But how should firms respond to a grey listing in practice?

Download your copy

FATF Recommendation 20: Reporting of suspicious transactions

This FATF recommendation requires FIs to promptly report suspicious transactions to the relevant financial intelligence unit (FIU). Those transactions specifically involve funds suspected to be the proceeds of criminal activities or to have been used to finance terrorism. In this context, ‘criminal activities’ primarily refers to money laundering offenses – the criteria for which are set out in FATF Recommendation 3. Suspicious transactions should carry a direct, mandatory reporting obligation and be reported regardless of the amount involved – even if they are not completed successfully.

FATF Recommendation 24: Beneficial ownership

Under Recommendation 24, FIs must establish the legal beneficial ownership of companies and other corporate structures to ensure that such entities are not used for money laundering or the financing of terrorism. In March 2022, the FATF confirmed changes to Recommendation 24, introducing new requirements that countries maintain adequate, accurate, and up-to-date information on the beneficial ownership of legal entities. The updated standards mean that FIs must collect beneficial ownership information through multiple means, and that member states must ensure they implement a public beneficial ownership register (or a similar mechanism) to facilitate access to that information. 

Designated non-financial businesses and professions (DNFBPs) should also be subject to Recommendation 24. In its guidance, the FATF singles out casinos as significant targets for beneficial ownership compliance, suggesting that they should be ‘subject to a comprehensive regulatory and supervisory regime’ to prevent criminals from becoming their owners.

This focus on beneficial ownership extends beyond customers to the casinos’ business relationships. Regulators are increasingly concerned about risks from third parties, such as white-label partners and external investors. The UK’s Gambling Commission, for example, considers these relationships high-risk and mandates that operators conduct thorough due diligence. This includes assessing the beneficial ownership and source of funds of any business associates, payment processors, or entities that provide loans, to ensure the relationships are legitimate and to prevent the casino from being used to support crime. 

FATF Recommendation 28: DNFBPs

FATF Recommendation 28 addresses the AML/CFT regulation and supervision of DNFBPs, and specifically outlines the oversight required for the gambling sector. 

Recommendation 28 mandates that casinos be subject to a comprehensive regulatory and supervisory regime to ensure the effective implementation of AML/CFT measures. Central to these provisions is the requirement that:

• All casinos should be licensed.
• That the relevant authorities take proactive regulatory steps to prevent criminals or their associates from holding:
  • Significant interests
  • Beneficial ownership
  • Management functions 
  • Controlling interest
• National authorities effectively supervise casinos to ensure ongoing compliance.

Countries should ensure that the other categories of DNFBPs are subject to effective monitoring systems that ensure compliance with AML/CFT requirements. Other DNFBP professions include:

• Legal professionals
• Financial professionals
• Trust and company service providers
• Real estate
• High-value dealers

Effective monitoring systems of these DNFBPs should be performed on a risk-sensitive basis by either:

• A supervisor
• An appropriate self-regulatory body (SRB), provided that it can ensure its members comply with their obligations to combat money laundering and terrorist financing.