OBLIGATIONS AND DECISIONS FOR COUNTRIES

Risk assessment

1. 1.1Countries6 Where appropriate, ML/TF risk assessments at a supra-national level should be taken into account when considering whether this obligation is satisfied. should identify and assess the ML/TF risks for the country,
2. 1.2Countries should designate an authority or mechanism to co-ordinate actions to assess risks.
3. 1.3Countries should keep the risk assessments up-to-date.
4. 1.4Countries should have mechanisms to provide information on the results of the risk assessment(s) to all relevant competent authorities and self-regulatory bodies (SRBs), financial institutions and DNFBPs.

Risk mitigation

5. 1.5Based on their understanding of their risks, countries should apply a risk-based approach to allocating resources and implementing measures to prevent or mitigate ML/TF.
6. 1.6Countries which decide not to apply some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, should demonstrate that:
   1. there is a proven low risk of ML/TF; the exemption occurs in strictly limited and justified circumstances; and it relates to a particular type of financial institution or activity, or DNFBP; or
   2. a financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis (having regard to quantitative and absolute criteria), such that there is a low risk of ML/TF.
7. 1.7Where countries identify higher risks, they should ensure that their AML/CFT regime addresses such risks, including through: (a) requiring financial institutions and DNFBPs to take enhanced measures to manage and mitigate the risks; or (b) requiring financial institutions and DNFBPs to ensure that this information is incorporated into their risk assessments.
8. 1.8Countries may allow simplified measures for some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, provided that a lower risk has been identified, and this is consistent with the country’s assessment of its ML/TF risks.7Where the FATF Recommendations identify higher risk activities for which enhanced or specific measures are required, countries should ensure that all such measures are applied, although the extent of such measures may vary according to the specific level of risk.
9. 1.9Supervisors and SRBs should ensure that financial institutions and DNFBPs are implementing their obligations under Recommendation 18The requirements in this criterion should be assessed taking into account the findings in relation to Recommendations 26 and 28..

OBLIGATIONS AND DECISIONS FOR FINANCIAL INSTITUTIONS AND DNFBPS

Risk assessment

10. 1.10Financial institutions and DNFBPs should be required to take appropriate steps to identify, assess, and understand their ML/TF risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels)9 The nature and extent of any assessment of ML/TF risks should be appropriate to the nature and size of the business. Competent authorities or SRBs may determine that individual documented risk assessments are not required, provided that the specific risks inherent to the sector are clearly identified and understood, and that individual financial institutions and DNFBPs understand their ML/TF risks.. This includes being required to:
    1. document their risk assessments;
    2. consider all the relevant risk factors before determining what is the level of overall risk and the appropriate level and type of mitigation to be applied;
    3. keep these assessments up to date; and
    4. have appropriate mechanisms to provide risk assessment information to competent authorities and SRBs.

Risk mitigation

11. 1.11Financial institutions and DNFBPs should be required to:
    1. have policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified (either by the country or by the financial institution or DNFBP);
    2. monitor the implementation of those controls and to enhance them if necessary; and
    3. take enhanced measures to manage and mitigate the risks where higher risks are identified.
12. 1.12Countries may only permit financial institutions and DNFBPs to take simplified measures to manage and mitigate risks, if lower risks have been identified, and criteria 9 to 11 are met. Simplified measures should not be permitted whenever there is a suspicion of ML/TF.

OBLIGATIONS AND DECISIONS FOR COUNTRIES

1. 2.1Countries should have national AML/CFT policies which are informed by the risks identified, and are regularly reviewed.
2. 2.2Countries should designate an authority or have a co-ordination or other mechanism that is responsible for national AML/CFT policies.
3. 2.3Mechanisms should be in place to enable policy makers, the Financial Intelligence Unit (FIU), law enforcement authorities, supervisors and other relevant competent authorities to co-operate, and where appropriate, co-ordinate and exchange information domestically with each other concerning the development and implementation of AML/CFT policies and activities. Such mechanisms should apply at both policymaking and operational levels.
4. 2.4Competent authorities should have similar co-operation and, where appropriate, coordination mechanisms to combat the financing of proliferation of weapons of mass destruction.
5. 2.5Countries should have cooperation and coordination between relevant authorities to ensure the compatibility of AML/CFT requirements with Data Protection and Privacy rules and other similar provisions (e.g. data security / localisation).10For the purposes of technical compliance, the assessment should be limited to whether there are mechanisms in place enabling co-operation and co-ordination between the relevant authorities.

1. 3.1ML should be criminalised on the basis of the Vienna Convention and the Palermo Convention (see Article 3(1)(b)&(c) Vienna Convention and Article 6(1) Palermo Convention11Note in particular the physical and material elements of the offence.)
2. 3.2The predicate offences for ML should cover all serious offences, with a view to including the widest range of predicate offences. At a minimum, predicate offences should include a range of offences in each of the designated categories of offences12Recommendation 3 does not require countries to create a separate offence of “participation in an organised criminal group and racketeering”. In order to cover this category of “designated offence”, it is sufficient if a country meets either of the two options set out in the Palermo Convention, i.e. either a separate offence or an offence based on conspiracy..
3. 3.3Where countries apply a threshold approach or a combined approach that includes a threshold approach13Countries determine the underlying predicate offences for ML by reference to (a) all offences; or (b) to a threshold linked either to a category of serious offences or to the penalty of imprisonment applicable to the predicate offence (threshold approach); or (c) to a list of predicate offences; or (d) a combination of these approaches., predicate offences should, at a minimum, comprise all offences that:
   1. fall within the category of serious offences under their national law; or
   2. are punishable by a maximum penalty of more than one year’s imprisonment; or
   3. are punished by a minimum penalty of more than six months’ imprisonment (for countries that have a minimum threshold for offences in their legal system).
4. 3.4The ML offence should extend to any type of property, regardless of its value, that directly or indirectly represents the proceeds of crime.
5. 3.5When proving that property is the proceeds of crime, it should not be necessary that a person be convicted of a predicate offence.
6. 3.6Predicate offences for money laundering should extend to conduct that occurred in another country, which constitutes an offence in that country, and which would have constituted a predicate offence had it occurred domestically.
7. 3.7The ML offence should apply to persons who commit the predicate offence, unless this is contrary to fundamental principles of domestic law.
8. 3.8It should be possible for the intent and knowledge required to prove the ML offence to be inferred from objective factual circumstances.
9. 3.9Proportionate and dissuasive criminal sanctions should apply to natural persons convicted of ML.
10. 3.10Criminal liability and sanctions, and, where that is not possible (due to fundamental principles of domestic law), civil or administrative liability and sanctions, should apply to legal persons. This should not preclude parallel criminal, civil or administrative proceedings with respect to legal persons in countries in which more than one form of liability is available. Such measures are without prejudice to the criminal liability of natural persons. All sanctions should be proportionate and dissuasive.
11. 3.11Unless it is not permitted by fundamental principles of domestic law, there should be appropriate ancillary offences to the ML offence, including: participation in; association with or conspiracy to commit; attempt; aiding and abetting; facilitating; and counselling the commission.

1. 4.1Countries should have measures, including legislative measures, that enable the confiscation of the following, whether held by criminal defendants or by third parties:
   1. property laundered;
   2. proceeds of (including income or other benefits derived from such proceeds), or instrumentalities used or intended for use in, ML or predicate offences;
   3. property that is the proceeds of, or used in, or intended or allocated for use in the financing of terrorism, terrorist acts or terrorist organisations; or
   4. property of corresponding value.
2. 4.2Countries should have measures, including legislative measures, that enable their competent authorities to:
   1. identify, trace and evaluate property that is subject to confiscation;
   2. carry out provisional measures, such as freezing or seizing, to prevent any dealing, transfer or disposal of property subject to confiscation14Measures should allow the initial application to freeze or seize property subject to confiscation to be made ex-parte or without prior notice, unless this is inconsistent with fundamental principles of domestic law. ;
   3. take steps that will prevent or void actions that prejudice the country’s ability to freeze or seize or recover property that is subject to confiscation; and
   4. take any appropriate investigative measures.
3. 4.3Laws and other measures should provide protection for the rights of bona fide third parties.
4. 4.4Countries should have mechanisms for managing and, when necessary, disposing of property frozen, seized or confiscated.

1. 5.1Countries should criminalise TF on the basis of the Terrorist Financing Convention15Criminalisation should be consistent with Article 2 of the International Convention for the Suppression of the Financing of Terrorism..
2. 5.2TF offences should extend to any person who willfully provides or collects funds or other assets by any means, directly or indirectly, with the unlawful intention that they should be used, or in the knowledge that they are to be used, in full or in part: (a) to carry out a terrorist act(s); or (b) by a terrorist organization or by an individual terrorist (even in the absence of a link to a specific terrorist act or acts).16Criminalising TF solely on the basis of aiding and abetting, attempt, or conspiracy is not sufficient to comply with the Recommendation.
3. 5.2^bis TF offences should include financing the travel of individuals who travel to a State other than their States of residence or nationality for the purpose of the perpetration, planning, or preparation of, or participation in, terrorist acts or the providing or receiving of terrorist training.
4. 5.3TF offences should extend to any funds or other assets whether from a legitimate or illegitimate source.
5. 5.4TF offences should not require that the funds or other assets: (a) were actually used to carry out or attempt a terrorist act(s); or (b) be linked to a specific terrorist act(s).
6. 5.5It should be possible for the intent and knowledge required to prove the offence to be inferred from objective factual circumstances.
7. 5.6Proportionate and dissuasive criminal sanctions should apply to natural persons convicted of TF.
8. 5.7Criminal liability and sanctions, and, where that is not possible (due to fundamental principles of domestic law), civil or administrative liability and sanctions, should apply to legal persons. This should not preclude parallel criminal, civil or administrative proceedings with respect to legal persons in countries in which more than one form of liability is available. Such measures should be without prejudice to the criminal liability of natural persons. All sanctions should be proportionate and dissuasive.
9. 5.8It should also be an offence to:
   1. attempt to commit the TF offence;
   2. participate as an accomplice in a TF offence or attempted offence;
   3. organise or direct others to commit a TF offence or attempted offence; and
   4. contribute to the commission of one or more TF offence(s) or attempted offence(s), by a group of persons acting with a common purpose17 Such contribution shall be intentional and shall either: (i) be made with the aim of furthering the criminal activity or criminal purpose of the group, where such activity or purpose involves the commission of a TF offence; or (ii) be made in the knowledge of the intention of the group to commit a TF offence. .
10. 5.9TF offences should be designated as ML predicate offences.
11. 5.10TF offences should apply, regardless of whether the person alleged to have committed the offence(s) is in the same country or a different country from the one in which the terrorist(s)/terrorist organisation(s) is located or the terrorist act(s) occurred/will occur.

Identifying and designating

1. 6.1In relation to designations pursuant to United Nations Security Council 1267/1989 (Al Qaida) and 1988 sanctions regimes (Referred to below as “UN Sanctions Regimes”), countries should:
   1. identify a competent authority or a court as having responsibility for proposing persons or entities to the 1267/1989 Committee for designation; and for proposing persons or entities to the 1988 Committee for designation;
   2. have a mechanism(s) for identifying targets for designation, based on the designation criteria set out in the relevant United Nations Security Council resolutions (UNSCRs);
   3. apply an evidentiary standard of proof of “reasonable grounds” or “reasonable basis” when deciding whether or not to make a proposal for designation. Such proposals for designations should not be conditional upon the existence of a criminal proceeding;
   4. follow the procedures and (in the case of UN Sanctions Regimes) standard forms for listing, as adopted by the relevant committee (the 1267/1989 Committee or 1988 Committee); and
   5. provide as much relevant information as possible on the proposed name18 In particular, sufficient identifying information to allow for the accurate and positive identification of individuals, groups, undertakings, and entities, and to the extent possible, the information required by Interpol to issue a Special Notice ; a statement of case19 This statement of case should be releasable, upon request, except for the parts a Member State identifies as being confidential to the relevant committee (the 1267/1989 Committee or 1988 Committee). which contains as much detail as possible on the basis for the listing20 Including: specific information supporting a determination that the person or entity meets the relevant designation; the nature of the information; supporting information or documents that can be provided; and details of any connection between the proposed designee and any currently designated person or entity ; and (in the case of proposing names to the 1267/1989 Committee), specify whether their status as a designating state may be made known.
2. 6.2In relation to designations pursuant to UNSCR 1373, countries should:
   1. identify a competent authority or a court as having responsibility for designating persons or entities that meet the specific criteria for designation, as set forth in UNSCR 1373; as put forward either on the country’s own motion or, after examining and giving effect to, if appropriate, the request of another country.
   2. have a mechanism(s) for identifying targets for designation, based on the designation criteria set out in UNSCR 137321 This includes having authority and effective procedures or mechanisms to examine and give effect to, if appropriate, the actions initiated under the freezing mechanisms of other countries pursuant to UNSCR 1373 (2001) ;
   3. when receiving a request, make a prompt determination of whether they are satisfied, according to applicable (supra-) national principles that the request is supported by reasonable grounds, or a reasonable basis, to suspect or believe that the proposed designee meets the criteria for designation in UNSCR 1373;
   4. apply an evidentiary standard of proof of “reasonable grounds” or “reasonable basis” when deciding whether or not to make a designation22 A country should apply the legal standard of its own legal system regarding the kind and quantum of evidence for the determination that “reasonable grounds” or “reasonable basis” exist for a decision to designate a person or entity, and thus initiate an action under a freezing mechanism. This is the case irrespective of whether the proposed designation is being put forward on the relevant country’s own motion or at the request of another country. . Such (proposals for) designations should not be conditional upon the existence of a criminal proceeding; and
   5. when requesting another country to give effect to the actions initiated under the freezing mechanisms, provide as much identifying information, and specific information supporting the designation, as possible.
3. 6.3The competent authority(ies) should have legal authorities and procedures or mechanisms to:
   1. collect or solicit information to identify persons and entities that, based on reasonable grounds, or a reasonable basis to suspect or believe, meet the criteria for designation; and
   2. operate ex parte against a person or entity who has been identified and whose (proposal for) designation is being considered.

Freezing

4. 6.4Countries should implement targeted financial sanctions without delay23 For UNSCR 1373, the obligation to take action without delay is triggered by a designation at the (supra-) national level, as put forward either on the country’s own motion or at the request of another country, if the country receiving the request is satisfied, according to applicable legal principles, that a requested designation is supported by reasonable grounds, or a reasonable basis, to suspect or believe that the proposed designee meets the criteria for designation in UNSCR 1373. .
5. 6.5Countries should have the legal authority and identify domestic competent authorities responsible for implementing and enforcing targeted financial sanctions, in accordance with the following standards and procedures:
   1. Countries should require all natural and legal persons within the country to freeze, without delay and without prior notice, the funds or other assets of designated persons and entities.
   2. The obligation to freeze should extend to: (i) all funds or other assets that are owned or controlled by the designated person or entity, and not just those that can be tied to a particular terrorist act, plot or threat; (ii) those funds or other assets that are wholly or jointly owned or controlled, directly or indirectly, by designated persons or entities; and (iii) the funds or other assets derived or generated from funds or other assets owned or controlled directly or indirectly by designated persons or entities, as well as (iv) funds or other assets of persons and entities acting on behalf of, or at the direction of, designated persons or entities.
   3. Countries should prohibit their nationals, or24 “or”, in this particular case means that countries must both prohibit their own nationals and prohibit any persons/entities in their jurisdiction. any persons and entities within their jurisdiction, from making any funds or other assets, economic resources, or financial or other related services, available, directly or indirectly, wholly or jointly, for the benefit of designated persons and entities; entities owned or controlled, directly or indirectly, by designated persons or entities; and persons and entities acting on behalf of, or at the direction of, designated persons or entities, unless licensed, authorised or otherwise notified in accordance with the relevant UNSCRs.
   4. Countries should have mechanisms for communicating designations to the financial sector and the DNFBPs immediately upon taking such action, and providing clear guidance to financial institutions and other persons or entities, including DNFBPs, that may be holding targeted funds or other assets, on their obligations in taking action under freezing mechanisms.
   5. Countries should require financial institutions and DNFBPs to report to competent authorities any assets frozen or actions taken in compliance with the prohibition requirements of the relevant UNSCRs, including attempted transactions.
   6. Countries should adopt measures which protect the rights of bona fidethird parties acting in good faith when implementing the obligations under Recommendation 6.

De-listing, unfreezing and providing access to frozen funds or other assets

6. 6.6Countries should have publicly known procedures to de-list and unfreeze the funds or other assets of persons and entities which do not, or no longer, meet the criteria for designation. These should include:
   1. procedures to submit de-listing requests to the relevant UN sanctions Committee in the case of persons and entities designated pursuant to the UN Sanctions Regimes , in the view of the country, do not or no longer meet the criteria for designation. Such procedures and criteria should be in accordance with procedures adopted by the 1267/1989 Committee or the 1988 Committee, as appropriate25 The procedures of the 1267/1989 Committee are set out in UNSCRs 1730; 1735; 1822; 1904; 1989; 2083 and any successor resolutions. The procedures of the 1988 Committee are set out in UNSCRs 1730; 1735; 1822; 1904; 1988; 2082; and any successor resolutions. ;
   2. legal authorities and procedures or mechanisms to de-list and unfreeze the funds or other assets of persons and entities designated pursuant to UNSCR 1373, that no longer meet the criteria for designation;
   3. with regard to designations pursuant to UNSCR 1373, procedures to allow, upon request, review of the designation decision before a court or other independent competent authority;
   4. with regard to designations pursuant to UNSCR 1988, procedures to facilitate review by the1988 Committee in accordance with any applicable guidelines or procedures adopted by the 1988 Committee, including those of the Focal Point mechanism established under UNSCR 1730;
   5. with respect to designations on the Al-Qaida Sanctions List, procedures for informing designated persons and entities of the availability of the United Nations Office of the Ombudsperson, pursuant to UNSCRs 1904, 1989, and 2083 to accept delisting petitions;
   6. publicly known procedures to unfreeze the funds or other assets of persons or entities with the same or similar name as designated persons or entities, who are inadvertently affected by a freezing mechanism (i.e. a false positive), upon verification that the person or entity involved is not a designated person or entity; and
   7. mechanisms for communicating de-listings and unfreezings to the financial sector and the DNFBPs immediately upon taking such action, and providing guidance to financial institutions and other persons or entities, including DNFBPs, that may by holding targeted funds or other assets, on their obligations to respect a de-listing or unfreezing action.
7. 6.7Countries should authorise access to frozen funds or other assets which have been determined to be necessary for basic expenses, for the payment of certain types of fees, expenses and service charges, or for extraordinary expenses, in accordance with the procedures set out in UNSCR 1452 and any successor resolutions. On the same grounds, countries should authorise access to funds or other assets, if freezing measures are applied to persons and entities designated by a (supra-)national country pursuant to UNSCR 1373.

1. 7.1Countries should implement targeted financial sanctions without delay to comply with United Nations Security Council Resolutions, adopted under Chapter VII of the Charter of the United Nations, relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing26 Recommendation 7 is applicable to all current UNSCRs applying targeted financial sanctions relating to the financing of proliferation of weapons of mass destruction, any future successor resolutions, and any future UNSCRs which impose targeted financial sanctions in the context of the financing of proliferation of weapons of mass destruction. At the time of issuance of the FATF Standards to which this Methodology corresponds (June 2017), the UNSCRs applying targeted financial sanctions relating to the financing of proliferation of weapons of mass destruction are: UNSCR 1718(2006) on DPRK and its successor resolutions 1874(2009), 2087(2013), 2094(2013), 2270(2016), 2321(2016) and 2356(2017). UNSCR 2231(2015), endorsing the Joint Comprehensive Plan of Action (JCPOA), terminated all provisions of UNSCRs relating to Iran and proliferation financing, including 1737(2006), 1747(2007), 1803(2008) and 1929(2010), but established specific restrictions including targeted financial sanctions. This lifts sanctions as part of a step by step approach with reciprocal commitments endorsed by the Security Council. Implementation day of the JCPOA was on 16 January 2016. .
2. 7.2Countries should establish the necessary legal authority and identify competent authorities responsible for implementing and enforcing targeted financial sanctions, and should do so in accordance with the following standards and procedures.
   1. Countries should require all natural and legal persons within the country to freeze, without delay and without prior notice, the funds or other assets of designated persons and entities.
   2. The freezing obligation should extend to: (i) all funds or other assets that are owned or controlled by the designated person or entity, and not just those that can be tied to a particular act, plot or threat of proliferation; (ii) those funds or other assets that are wholly or jointly owned or controlled, directly or indirectly, by designated persons or entities; and (iii) the funds or other assets derived or generated from funds or other assets owned or controlled directly or indirectly by designated persons or entities, as well as (iv) funds or other assets of persons and entities acting on behalf of, or at the direction of designated persons or entities.
   3. Countries should ensure that any funds or other assets are prevented from being made available by their nationals or by any persons or entities within their territories, to or for the benefit of designated persons or entities unless licensed, authorised or otherwise notified in accordance with the relevant United Nations Security Council Resolutions.
   4. Countries should have mechanisms for communicating designations to financial institutions and DNFBPs immediately upon taking such action, and providing clear guidance to financial institutions and other persons or entities, including DNFBPs, that may be holding targeted funds or other assets, on their obligations in taking action under freezing mechanisms.
   5. Countries should require financial institutions and DNFBPs to report to competent authorities any assets frozen or actions taken in compliance with the prohibition requirements of the relevant UNSCRs, including attempted transactions.
   6. Countries should adopt measures which protect the rights of bona fide third parties acting in good faith when implementing the obligations under Recommendation 7.
3. 7.3Countries should adopt measures for monitoring and ensuring compliance by financial institutions and DNFBPs with the relevant laws or enforceable means governing the obligations under Recommendation 7. Failure to comply with such laws or enforceable means should be subject to civil, administrative or criminal sanctions.
4. 7.4 Countries should develop and implement publicly known procedures to submit de-listing requests to the Security Council in the case of designated persons and entities that, in the view of the country, do not or no longer meet the criteria for designation27 Such procedures and criteria should be in accordance with any applicable guidelines or procedures adopted by the United Nations Security Council pursuant to UNSCR 1730 (2006) and any successor resolutions, including those of the Focal Point mechanism established under that resolution. . These should include:
   1. enabling listed persons and entities to petition a request for de-listing at the Focal Point for de-listing established pursuant to UNSCR 1730, or informing designated persons or entities to petition the Focal Point directly;
   2. publicly known procedures to unfreeze the funds or other assets of persons or entities with the same or similar name as designated persons or entities, who are inadvertently affected by a freezing mechanism (i.e. a false positive), upon verification that the person or entity involved is not a designated person or entity;
   3. authorising access to funds or other assets, where countries have determined that the exemption conditions set out in UNSCRs 1718 and 1737 are met, in accordance with the procedures set out in those resolutions; and
   4. mechanisms for communicating de-listings and unfreezings to the financial sector and the DNFBPs immediately upon taking such action, and providing guidance to financial institutions and other persons or entities, including DNFBPs, that may be holding targeted funds or other assets, on their obligations to respect a de-listing or unfreezing action.
5. 7.5With regard to contracts, agreements or obligations that arose prior to the date on which accounts became subject to targeted financial sanctions:
   1. countries should permit the addition to the accounts frozen pursuant to UNSCRs 1718 or 1737 of interests or other earnings due on those accounts or payments due under contracts, agreements or obligations that arose prior to the date on which those accounts became subject to the provisions of this resolution, provided that any such interest, other earnings and payments continue to be subject to these provisions and are frozen; and
   2. freezing action taken pursuant to UNSCR 1737 should not prevent a designated person or entity from making any payment due under a contract entered into prior to the listing of such person or entity, provided that: (i) the relevant countries have determined that the contract is not related to any of the prohibited items, materials, equipment, goods, technologies, assistance, training, financial assistance, investment, brokering or services referred to in the relevant Security Council resolution; (ii) the relevant countries have determined that the payment is not directly or indirectly received by a person or entity designated pursuant to UNSCR 1737; and (iii) the relevant countries have submitted prior notification to the 1737 Sanctions Committee of the intention to make or receive such payments or to authorise, where appropriate, the unfreezing of funds, other financial assets or economic resources for this purpose, ten working days prior to such authorisation.

Taking a risk-based approach

1. 8.1Countries should:
   1. without prejudice to the requirements of Recommendation 1, since not all NPOs are inherently high risk (and some may represent little or no risk at all), identify which subset of organizations fall within the FATF definition28For the purposes of this Recommendation, NPO refers to a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of “good works”. of NPO, and use all relevant sources of information, in order to identify the features and types of NPOs which by virtue of their activities or characteristics, are likely to be at risk of terrorist financing abuse29For example, such information could be provided by regulators, tax authorities, FIUs, donor organisations or law enforcement and intelligence authorities.;
   2. identify the nature of threats posed by terrorist entities to the NPOs which are at risk as well as how terrorist actors abuse those NPOs;
   3. review the adequacy of measures, including laws and regulations, that relate to the subset of the NPO sector that may be abused for terrorism financing support in order to be able to take proportionate and effective actions to address the risks identified; and
   4. periodically reassess the sector by reviewing new information on the sector’s potential vulnerabilities to terrorist activities to ensure effective implementation of measures.

Sustained outreach concerning terrorist financing issues

2. 8.2 Countries should:
   1. have clear policies to promote accountability, integrity, and public confidence in the administration and management of NPOs;
   2. encourage and undertake outreach and educational programmes to raise and deepen awareness among NPOs as well as the donor community about the potential vulnerabilities of NPOs to terrorist financing abuse and terrorist financing risks, and the measures that NPOs can take to protect themselves against such abuse;
   3. work with NPOs to develop and refine best practices to address terrorist financing risk and vulnerabilities and thus protect them from terrorist financing abuse; and
   4. encourage NPOs to conduct transactions via regulated financial channels, wherever feasible, keeping in mind the varying capacities of financial sectors in different countries and in different areas of urgent charitable and humanitarian concerns.

Targeted risk-based supervision or monitoring of NPOs

3. 8.3 Countries should take steps to promote effective supervision or monitoring such that they are able to demonstrate that risk based measures apply to NPOs at risk of terrorist financing abuse30Some examples of measures that could be applied to NPOs, in whole or in part, depending on the risks identified are detailed in sub-paragraph 6(b) of INR.8. It is also possible that existing regulatory or other measures may already sufficiently address the current terrorist financing risk to the NPOs in a jurisdiction, although terrorist financing risks to the sector should be periodically re-assessed..
4. 8.4Appropriate authorities should:
   1. monitor the compliance of NPOs with the requirements of this Recommendation, including the risk-based measures being applied to them under criterion 8.331In this context, rules and regulations may include rules and standards applied by self-regulatory organisations and accrediting institutions.; and
   2. be able to apply effective, proportionate and dissuasive sanctions for violations by NPOs or persons acting on behalf of these NPOs32The range of such sanctions might include freezing of accounts, removal of trustees, fines, de-certification, delicensing and de-registration. This should not preclude parallel civil, administrative or criminal proceedings with respect to NPOs or persons acting on their behalf where appropriate..

Effective information gathering and investigation

5. 8.5 Countries should:
   1. ensure effective co-operation, co-ordination and information-sharing to the extent possible among all levels of appropriate authorities or organisations that hold relevant information on NPOs;
   2. have investigative expertise and capability to examine those NPOs suspected or either being exploited by, or actively supporting, terrorist activity or terrorist organisations;
   3. ensure that full access to information on the administration and management of particular NPOs (including financial and programmatic information) may be obtained during the course of an investigation; and
   4. establish appropriate mechanisms to ensure that, when there is suspicion or reasonable grounds to suspect that a particular NPO: (1) is involved in terrorist financing abuse and/or is a front for fundraising by a terrorist organisation; (2) is being exploited as a conduit for TF, including for the purpose of escaping asset freezing measures, or other forms of terrorist support; or (3) is concealing or obscuring the clandestine diversion of funds intended for legitimate purposes, but redirected for the benefit of terrorists or terrorist organisations, that this information is promptly shared with competent authorities, in order to take preventive or investigative action.

Effective capacity to respond to international requests for information about an NPO of concern

6. 8.6 Countries should identify appropriate points of contact and procedures to respond to international requests for information regarding particular NPOs suspected of TF or other forms of terrorist support.

1. 9.1Financial institution secrecy laws should not inhibit implementation of the FATF Recommendations33 Areas where this may be of particular concern are the ability of competent authorities to access information they require to properly perform their functions in combating ML or FT; the sharing of information between competent authorities, either domestically or internationally; and the sharing of information between financial institutions where this is required by Recommendations 13, 16 or 17. .

1. 10.1Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names.

When CDD is required

2. 10.2Financial institutions should be required to undertake CDD measures when:
   1. establishing business relations;
   2. carrying out occasional transactions above the applicable designated threshold (USD/EUR 15 000), including situations where the transaction is carried out in a single operation or in several operations that appear to be linked;;
   3. carrying out occasional transactions that are wire transfers in the circumstances covered by Recommendation 16 and its Interpretive Note;
   4. there is a suspicion of ML/TF, regardless of any exemptions or thresholds that are referred to elsewhere under the FATF Recommendations; or
   5. the financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.

Required CDD measures for all customers

3. 10.3 Financial institutions should be required to identify the customer (whether permanent or occasional, and whether natural or legal person or legal arrangement) and verify that customer’s identity using reliable, independent source documents, data or information (identification data).
4. 10.4 Financial institutions should be required to verify that any person purporting to act on behalf of the customer is so authorised, and identify and verify the identity of that person.
5. 10.5 Financial institutions should be required to identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, using the relevant information or data obtained from a reliable source, such that the financial institution is satisfied that it knows who the beneficial owner is.
6. 10.6Financial institutions should be required to understand and, as appropriate, obtain information on, the purpose and intended nature of the business relationship.
7. 10.7Financial institutions should be required to conduct ongoing due diligence on the business relationship, including:
   1. scrutinising transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the financial institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds; and
   2. ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.

Specific CDD measures required for legal persons and legal arrangements

8. 10.8 For customers that are legal persons or legal arrangements, the financial institution should be required to understand the nature of the customer’s business and its ownership and control structure.
9. 10.9 For customers that are legal persons or legal arrangements, the financial institution should be required to identify the customer and verify its identity through the following information:
   1. name, legal form and proof of existence;
   2. the powers that regulate and bind the legal person or arrangement, as well as the names of the relevant persons having a senior management position in the legal person or arrangement; and
   3. the address of the registered office and, if different, a principal place of business.
10. 10.10For customers that are legal persons35 Where the customer or the owner of the controlling interest is a company listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means) which impose requirements to ensure adequate transparency of beneficial ownership, or is a majority-owned subsidiary of such a company, it is not necessary to identify and verify the identity of any shareholder or beneficial owner of such companies. The relevant identification data may be obtained from a public register, from the customer or from other reliable sources. the financial institution should be required to identify and take reasonable measures to verify the identity of beneficial owners through the following information:
    1. the identity of the natural person(s) (if any36 Ownership interests can be so diversified that there are no natural persons (whether acting alone or together) exercising control of the legal person or arrangement through ownership. ) who ultimately has a controlling ownership interest37 A controlling ownership interest depends on the ownership structure of the company. It may be based on a threshold, e.g. any person owning more than a certain percentage of the company (e.g. 25%). in a legal person; and
    2. to the extent that there is doubt under (a) as to whether the person(s) with the controlling ownership interest is the beneficial owner(s) or where no natural person exerts control through ownership interests, the identity of the natural person(s) (if any) exercising control of the legal person or arrangement through other means; and
    3. where no natural person is identified under (a) or (b) above, the identity of the relevant natural person who holds the position of senior managing official.
11. 10.11 For customers that are legal arrangements, the financial institution should be required to identify and take reasonable measures to verify the identity of beneficial owners through the following information:
    1. for trusts, the identity of the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries38 For beneficiaries of trusts that are designated by characteristics or by class, financial institutions should obtain sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout or when the beneficiary intends to exercise vested rights. , and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership);
    2. for other types of legal arrangements, the identity of persons in equivalent or similar positions.

CDD for Beneficiaries of Life Insurance Policies

12. 10.12 In addition to the CDD measures required for the customer and the beneficial owner, financial institutions should be required to conduct the following CDD measures on the beneficiary of life insurance and other investment related insurance policies, as soon as the beneficiary is identified or designated:
    1. for a beneficiary that is identified as specifically named natural or legal persons or legal arrangements – taking the name of the person;
    2. for a beneficiary that is designated by characteristics or by class or by other means – obtaining sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout;
    3. for both the above cases – the verification of the identity of the beneficiary should occur at the time of the payout.
13. 10.13 Financial institutions should be required to include the beneficiary of a life insurance policy as a relevant risk factor in determining whether enhanced CDD measures are applicable. If the financial institution determines that a beneficiary who is a legal person or a legal arrangement presents a higher risk, it should be required to take enhanced measures which should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.

Timing of verification

14. 10.14 Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers; or (if permitted) may complete verification after the establishment of the business relationship, provided that:
    1. this occurs as soon as reasonably practicable;
    2. this is essential not to interrupt the normal conduct of business; and
    3. the ML/TF risks are effectively managed.
15. 10.15 Financial institutions should be required to adopt risk management procedures concerning the conditions under which a customer may utilise the business relationship prior to verification.

Existing customers

16. 10.16 Financial institutions should be required to apply CDD requirements to existing customers39 Existing customers as at the date that the new national requirements are brought into force. on the basis of materiality and risk, and to conduct due diligence on such existing relationships at appropriate times, taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained.

Risk-Based Approach

17. 10.17 Financial institutions should be required to perform enhanced due diligence where the ML/TF risks are higher.
18. 10.18 Financial institutions may only be permitted to apply simplified CDD measures where lower risks have been identified, through an adequate analysis of risks by the country or the financial institution. The simplified measures should be commensurate with the lower risk factors, but are not acceptable whenever there is suspicion of ML/TF, or specific higher risk scenarios apply.

Failure to satisfactorily complete CDD

19. 10.19Where a financial institution is unable to comply with relevant CDD measures:
    1. it should be required not to open the account, commence business relations or perform the transaction; or should be required to terminate the business relationship; and
    2. it should be required to consider making a suspicious transaction report (STR) in relation to the customer.

CDD and tipping-off

20. 10.20 In cases where financial institutions form a suspicion of money laundering or terrorist financing, and they reasonably believe that performing the CDD process will tip-off the customer, they should be permitted not to pursue the CDD process, and instead should be required to file an STR.

1. 11.1 Financial institutions should be required to maintain all necessary records on transactions, both domestic and international, for at least five years following completion of the transaction.
2. 11.2 Financial institutions should be required to keep all records obtained through CDD measures, account files and business correspondence, and results of any analysis undertaken, for at least five years following the termination of the business relationship or after the date of the occasional transaction.
3. 11.3 Transaction records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity.
4. 11.4 Financial institutions should be required to ensure that all CDD information and transaction records are available swiftly to domestic competent authorities upon appropriate authority.

1. 12.1 In relation to foreign PEPs, in addition to performing the CDD measures required under Recommendation 10, financial institutions should be required to:
   1. put in place risk management systems to determine whether a customer or the beneficial owner is a PEP;
   2. obtain senior management approval before establishing (or continuing, for existing customers) such business relationships;
   3. take reasonable measures to establish the source of wealth and the source of funds of customers and beneficial owners identified as PEPs; and
   4. conduct enhanced ongoing monitoring on that relationship.
2. 12.2 In relation to domestic PEPs or persons who have been entrusted with a prominent function by an international organisation, in addition to performing the CDD measures required under Recommendation10, financial institutions should be required to:
   1. take reasonable measures to determine whether a customer or the beneficial owner is such a person; and
   2. in cases when there is higher risk business relationship with such a person, adopt the measures in criterion 12.1 (b) to (d).
3. 12.3 Financial institutions should be required to apply the relevant requirements of criteria 12.1 and 12.2 to family members or close associates of all types of PEP.
4. 12.4 In relation to life insurance policies, financial institutions should be required to take reasonable measures to determine whether the beneficiaries and/or, where required, the beneficial owner of the beneficiary, are PEPs. This should occur, at the latest, at the time of the payout. Where higher risks are identified, financial institutions should be required to inform senior management before the payout of the policy proceeds, to conduct enhanced scrutiny on the whole business relationship with the policyholder, and to consider making a suspicious transaction report.

1. 13.1In relation to cross-border correspondent banking and other similar relationships, financial institutions should be required to:
   1. gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business, and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to a ML/TF investigation or regulatory action;
   2. assess the respondent institution’s AML/CFT controls;
   3. obtain approval from senior management before establishing new correspondent relationships; and
   4. clearly understand the respective AML/CFT responsibilities of each institution.
2. 13.2With respect to “payable-through accounts”, financial institutions should be required to satisfy themselves that the respondent bank:
   1. has performed CDD obligations on its customers that have direct access to the accounts of the correspondent bank; and
   2. is able to provide relevant CDD information upon request to the correspondent bank.
3. 13.3 Financial institutions should be prohibited from entering into, or continuing, correspondent banking relationships with shell banks. They should be required to satisfy themselves that respondent financial institutions do not permit their accounts to be used by shell banks.

1. 14.1 Natural or legal persons that provide MVTS (MVTS providers) should be required to be licensed or registered41 Countries need not impose a separate licensing or registration system with respect to licensed or registered financial institutions which are authorised to perform MVTS. .
2. 14.2 Countries should take action, with a view to identifying natural or legal persons that carry out MVTS without a licence or registration, and applying proportionate and dissuasive sanctions to them.
3. 14.3MVTS providers should be subject to monitoring for AML/CFT compliance.
4. 14.4 Agents for MVTS providers should be required to be licensed or registered by a competent authority, or the MVTS provider should be required to maintain a current list of its agents accessible by competent authorities in the countries in which the MVTS provider and its agents operate.
5. 14.5 MVTS providers that use agents should be required to include them in their AML/CFT programmes and monitor them for compliance with these programmes.

Note to Assessors:

For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property”, “proceeds”, “funds”, “funds or other assets”, or other “corresponding value”. When assessing any Recommendation(s) using these terms42The terms property, proceeds, funds, funds or other assets and/or corresponding value are used in R.3 (criteria 3.4 and 3.5), R.4 (criteria 4.1, 4.2 and 4.4), R.5 (criteria 5.2, 5.3 and 5.4), R.6 (criteria 6.5, 6.6 and 6.7), R.7 (criteria 7.2, 7.4 and 7.5), R.8 (criteria 8.1 and 8.5), R.10 (criteria 10.7), R.12 (criterion 12.1), R.20 (criterion 20.1), R.29 (criterion 29.4), R.30 (criteria 30.2, 30.3 and 30.5), R.33 (criterion 33.1), R.38 (criteria 38.1, 38.3 and 38.4) and R.40 (criterion 40.17). See additional guidance in paragraph 15 of the Introduction to the Methodology., the words virtual assets do not have to appear or be explicitly included in legislation referring to or defining those terms. Assessors should satisfy themselves that the country has demonstrated that nothing in the text of the legislation or in case law precludes virtual assets from falling within the definition of these terms. Where these terms do not cover virtual assets, the deficiency should be noted in the relevant Recommendation(s) that use the term. Assessors should also satisfy themselves that VASPs may be considered as existing sources of information on beneficial ownership for the purposes of c.24.6(c)(i) and 25.5; and are empowered to obtain relevant information from trustees for the purposes of c.25.3 and 25.4.43Consideration of VASPs in the context of these criteria is meant to ensure availability of beneficial ownership information. Assessors should not consider these criteria to impose obligations on VASPs. Paragraph 1 of INR.15 also requires countries to apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs): Where these are preventive measures under Recommendations 10 to 21 and implementation of TFS in R.6 (sub-criteria 6.5(d) and (e), and 6.6(g)) and R.7 (sub-criteria 7.2(d) and (e), criterion 7.3, and sub-criterion 7.4(d)), their application to VASPs should be assessed under Recommendation 15, as should compliance with relevant aspects of R.1, 26, 27, 34, 35 and 37 to 40. Where these are other relevant measures relating to virtual assets and VASPs under Recommendations 2 to 5, R.6 (sub-criteria 6.5(a) to (c), 6.6(a) to (f), and criterion 6.7), R.7 (sub-criteria 7.2(a) to (c), 7.4(b) and 7.4(c), and criterion 7.5)), R.8 to 9, and R.29 to 33, their application to virtual assets and VASPs should be assessed in those Recommendations (not in R.15). Assessors should refer to paragraph 15 of the Introduction section of the Methodology for more guidance on how to assess the FATF Standards relating to virtual assets and VASPs.

New technologies

1. 15.1 Countries and financial institutions should identify and assess the ML/TF risks that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
2. 15.2Financial institutions should be required to:
   1. undertake the risk assessments prior to the launch or use of such products, practices and technologies; and
   2. take appropriate measures to manage and mitigate the risks.

Virtual assets and virtual asset service providers44Note to assessors: Countries that have decided to prohibit virtual assets should only be assessed under criteria 15.1, 15.2, 15.3(a) and 15.3(b), 15.5 and 15.9, as the remaining criteria are not applicable in such cases.

3. 15.3In accordance with Recommendation 1, countries should:
   1. identify, assess, and understand the money laundering and terrorist financing risks emerging from virtual asset activities and the activities or operations of VASPs;
   2. based on that assessment, apply a risk-based approach to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified; and
   3. require VASPs to identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks, as set out in criteria 1.10 and 1.11
4. 15.4Countries should ensure that:
   1. VASPs are required to be licensed or registered45A country need not impose a separate licensing or registration system with respect to natural or legal persons already licensed or registered as financial institutions (as defined by the FATF Recommendations) within that country, which, under such license or registration, are permitted to perform VASP activities and which are already subject to the full range of applicable obligations under the FATF Recommendations. at a minimum46Jurisdictions may also require VASPs that offer products and/or services to customers in, or conduct operations from, their jurisdiction to be licensed or registered in this jurisdiction.:
      • when the VASP is a legal person, in the jurisdiction(s) where it is created47References to creating a legal person include incorporation of companies or any other mechanism that is used. To clarify, the requirement in criterion 15.4(a)(i) is that a country must ensure that a VASP created within the country is licenced or registered, but not that any VASP licenced or registered in the country is also registered in any third country where it was created.; and
      • when the VASP is a natural person, in the jurisdiction where its place of business is located48To clarify, criterion 15.4(a)(ii) requires that a country ensure that a VASP that is a natural person located in their country is licensed or registered in their country; not that any VASP that is a natural person with a place of business located in the country is registered in any third country where it also has a place of business.; and
   2. competent authorities take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a VASP.
5. 15.5Countries should take action to identify natural or legal persons that carry out VASP activities without the requisite license or registration, and apply appropriate sanctions to them.49Note to assessors: Criterion 15.5 applies to all countries, regardless of whether they have chosen to license, register or prohibit virtual assets or VASPs.
6. 15.6Consistent with the applicable provisions of Recommendations 26 and 27, countries should ensure that:
   1. VASPs are subject to adequate regulation and risk-based supervision or monitoring by a competent authority50In this context, a “competent authority” cannot include a SRB. , including systems for ensuring their compliance with national AML/CFT requirements;
   2. supervisors have adequate powers to supervise or monitor and ensure compliance by VASPs with requirements to combat money laundering and terrorist financing, including the authority to conduct inspections, compel the production of information and impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the VASP’s license or registration, where applicable.
7. 15.7In line with Recommendation 34, competent authorities and supervisors should establish guidelines, and provide feedback, which will assist VASPs in applying national measures to combat money laundering and terrorist financing, and, in particular, in detecting and reporting suspicious transactions.
8. 15.8In line with Recommendation 35, countries should ensure that:
   1. there is a range of proportionate and dissuasive sanctions, whether criminal, civil or administrative, available to deal with VASPs that fail to comply with AML/CFT requirements; and
   2. sanctions should be applicable not only to VASPs, but also to their directors and senior management.
9. 15.9With respect to the preventive measures, VASPs should be required to comply with the requirements set out in Recommendations 10 to 21, subject to the following qualifications:
   1. R.10 – The occasional transactions designated threshold above which VASPs are required to conduct CDD is USD/EUR 1 000.
   2. R.16 – For all virtual asset transfers51For the purposes of applying R.16 to VASPs, all virtual asset transfers should be treated as cross-border transfers., countries should ensure that:
      • originating VASPs obtain and hold required and accurate originator information and required beneficiary information52As defined in INR.16, paragraph 6, or the equivalent information in a virtual asset context. on virtual asset transfers, submit53The information can be submitted either directly or indirectly. It is not necessary for this information to be attached directly to virtual asset transfers. the above information to the beneficiary VASP or financial institution (if any) immediately and securely, and make it available on request to appropriate authorities;
      • beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities54Appropriate authorities means appropriate competent authorities, as referred to in paragraph 10 of INR.16 ;
      • other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16; and
      • the same obligations apply to financial institutions when sending or receiving virtual asset transfers on behalf of a customer
10. 15.10With respect to targeted financial sanctions, countries should ensure that the communication mechanisms, reporting obligations and monitoring referred to in criteria 6.5(d), 6.5(e), 6.6(g), 7.2(d), 7.2(e), 7.3 and 7.4(d) apply to VASPs.
11. 15.11Countries should rapidly provide the widest possible range of international cooperation in relation to money laundering, predicate offences, and terrorist financing relating to virtual assets, on the basis set out in Recommendations 37 to 40. In particular, supervisors of VASPs should have a legal basis for exchanging information with their foreign counterparts, regardless of the supervisors’ nature or status and differences in the nomenclature or status of VASPs.55Countries that have prohibited VASPs should fulfil this requirement by having in place a legal basis for permitting their relevant competent authorities (e.g. law enforcement agencies) to exchange information on issues related to VAs and VASPs with non-counterparts, as set out in paragraph 17 of INR.40.

Ordering financial institutions

1. 16.1 Financial institutions should be required to ensure that all cross-border wire transfers of USD/EUR 1 000 or more are always accompanied by the following:
   1. Required and accurate56 Accurate” is used to describe information that has been verified for accuracy; i.e. financial institutions should be required to verify the accuracy of the required originator information. originator information:
      1. the name of the originator;
      2. the originator account number where such an account is used to process the transaction or, in the absence of an account, a unique transaction reference number which permits traceability of the transaction; and
      3. the originator’s address, or national identity number, or customer identification number, or date and place of birth.
   2. Required beneficiary information:
      1. the name of the beneficiary; and
      2. the beneficiary account number where such an account is used to process the transaction or, in the absence of an account, a unique transaction reference number which permits traceability of the transaction.
2. 16.2 the beneficiary account number where such an account is used to process the transaction or, in the absence of an account, a unique transaction reference number which permits traceability of the transaction.
3. 16.3 If countries apply a de minimis threshold for the requirements of criterion 16.1, financial institutions should be required to ensure that all cross-border wire transfers below any applicable de minimis threshold (no higher than USD/EUR 1 000) are always accompanied by the following:
   1. Required originator information:
      1. the name of the originator; and
      2. the originator account number where such an account is used to process the transaction or, in the absence of an account, a unique transaction reference number which permits traceability of the transaction.
   2. Required beneficiary information:
      1. the name of the beneficiary; and
      2. the beneficiary account number where such an account is used to process the transaction or, in the absence of an account, a unique transaction reference number which permits traceability of the transaction
4. 16.4 The information mentioned in criterion 16.3 need not be verified for accuracy. However, the financial institution should be required to verify the information pertaining to its customer where there is a suspicion of ML/TF.
5. 16.5 For domestic wire transfers57 This term also refers to any chain of wire transfers that takes place entirely within the borders of the European Union. It is further noted that the European internal market and corresponding legal framework is extended to the members of the European Economic Area. , the ordering financial institution should be required to ensure that the information accompanying the wire transfer includes originator information as indicated for cross-border wire transfers, unless this information can be made available to the beneficiary financial institution and appropriate authorities by other means.
6. 16.6 Where the information accompanying the domestic wire transfer can be made available to the beneficiary financial institution and appropriate authorities by other means, the ordering financial institution need only be required to include the account number or a unique transaction reference number, provided that this number or identifier will permit the transaction to be traced back to the originator or the beneficiary. The ordering financial institution should be required to make the information available within three business days of receiving the request either from the beneficiary financial institution or from appropriate competent authorities. Law enforcement authorities should be able to compel immediate production of such information.
7. 16.7 The ordering financial institution should be required to maintain all originator and beneficiary information collected, in accordance with Recommendation 11.
8. 16.8 The ordering financial institution should not be allowed to execute the wire transfer if it does not comply with the requirements specified above at criteria 16.1-16.7.

Intermediary financial institutions

9. 16.9 For cross-border wire transfers, an intermediary financial institution should be required to ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it.
10. 16.10 Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the intermediary financial institution should be required to keep a record, for at least five years, of all the information received from the ordering financial institution or another intermediary financial institution.
11. 16.11 Intermediary financial institutions should be required to take reasonable measures, which are consistent with straight-through processing, to identify cross-border wire transfers that lack required originator information or required beneficiary information.
12. 16.12 Intermediary financial institutions should be required to have risk-based policies and procedures for determining: (a) when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and (b) the appropriate follow-up action.

Beneficiary financial institutions

13. 16.13 Beneficiary financial institutions should be required to take reasonable measures, which may include post-event monitoring or real-time monitoring where feasible, to identify cross-border wire transfers that lack required originator information or required beneficiary information.
14. 16.14For cross-border wire transfers of USD/EUR 1 000 or more58 Countries may adopt a de minimis threshold for cross-border wire transfers (no higher than USD/EUR 1 000). Countries may, nevertheless, require that incoming cross-border wire transfers below the threshold contain required and accurate originator information. , a beneficiary financial institution should be required to verify the identity of the beneficiary, if the identity has not been previously verified, and maintain this information in accordance with Recommendation 11.
15. 16.15 Beneficiary financial institutions should be required to have risk-based policies and procedures for determining: (a) when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and (b) the appropriate follow-up action.

Money or value transfer service operators

16. 16.16 MVTS providers should be required to comply with all of the relevant requirements of Recommendation 16 in the countries in which they operate, directly or through their agents.
17. 16.17In the case of a MVTS provider that controls both the ordering and the beneficiary side of a wire transfer, the MVTS provider should be required to:
    1. take into account all the information from both the ordering and beneficiary sides in order to determine whether an STR has to be filed; and
    2. file an STR in any country affected by the suspicious wire transfer, and make relevant transaction information available to the Financial Intelligence Unit.

Implementation of Targeted Financial Sanctions

18. 16.18 Countries should ensure that, in the context of processing wire transfers, financial institutions take freezing action and comply with prohibitions from conducting transactions with designated persons and entities, as per obligations set out in the relevant UNSCRs relating to the prevention and suppression of terrorism and terrorist financing, such as UNSCRs 1267 and 1373, and their successor resolutions.

1. 17.1 If financial institutions are permitted to rely on third-party financial institutions and DNFBPs to perform elements (a)-(c) of the CDD measures set out in Recommendation 10 (identification of the customer; identification of the beneficial owner; and understanding the nature of the business) or to introduce business, the ultimate responsibility for CDD measures should remain with the financial institution relying on the third party, which should be required to:
   1. obtain immediately the necessary information concerning elements (a)-(c) of the CDD measures set out in Recommendation 10;
   2. take steps to satisfy itself that copies of identification data and other relevant documentation relating to CDD requirements will be made available from the third party upon request without delay;
   3. satisfy itself that the third party is regulated, and supervised or monitored for, and has measures in place for compliance with, CDD and record-keeping requirements in line with Recommendations 10 and 11.
2. 17.2 When determining in which countries the third party that meets the conditions can be based, countries should have regard to information available on the level of country risk.
3. 17.3 For financial institutions that rely on a third party that is part of the same financial group, relevant competent authorities60 The term relevant competent authorities in Recommendation 17 means (i) the home authority, that should be involved for the understanding of group policies and controls at group-wide level, and (ii) the host authorities, that should be involved for the branches/subsidiaries. may also consider that the requirements of the criteria above are met in the following circumstances:
   1. the group applies CDD and record-keeping requirements, in line with Recommendations 10 to 12, and programmes against money laundering and terrorist financing, in accordance with Recommendation 18;
   2. the implementation of those CDD and record-keeping requirements and AML/CFT programmes is supervised at a group level by a competent authority; and
   3. any higher country risk is adequately mitigated by the group’s AML/CFT policies.

1. 18.1 Financial institutions should be required to implement programmes against ML/TF, which have regard to the ML/TF risks and the size of the business, and which include the following internal policies, procedures and controls:
   1. compliance management arrangements (including the appointment of a compliance officer at the management level);
   2. screening procedures to ensure high standards when hiring employees;
   3. an ongoing employee training programme; and
   4. an independent audit function to test the system.
2. 18.2 Financial groups should be required to implement group-wide programmes against ML/TF, which should be applicable, and appropriate to, all branches and majority-owned subsidiaries of the financial group. These should include the measures set out in criterion 18.1 and also:
   1. policies and procedures for sharing information required for the purposes of CDD and ML/TF risk management;
   2. the provision, at group-level compliance, audit, and/or AML/CFT functions, of customer, account, and transaction information from branches and subsidiaries when necessary for AML/CFT purposes. This should include information and analysis of transactions or activities which appear unusual (if such analysis was done)61This could include an STR, its underlying information, or the fact that an STR has been submitted.. Similarly, branches and subsidiaries should receive such information from these group-level functions when relevant and appropriate to risk management62The scope and extent of the information to be shared in accordance with this criterion may be determined by countries, based on the sensitivity of the information, and its relevance to AML/CFT risk management.; and
   3. adequate safeguards on the confidentiality and use of information exchanged, including safeguards to prevent tipping-off.
3. 18.3

   Financial institutions should be required to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements, where the minimum AML/CFT requirements of the host country are less strict than those of the home country, to the extent that host country laws and regulations permit.

   If the host country does not permit the proper implementation of AML/CFT measures consistent with the home country requirements, financial groups should be required to apply appropriate additional measures to manage the ML/TF risks, and inform their home supervisors.

1. 19.1 Financial institutions should be required to apply enhanced due diligence, proportionate to the risks, to business relationships and transactions with natural and legal persons (including financial institutions) from countries for which this is called for by the FATF.
2. 19.2 Countries should be able to apply countermeasures proportionate to the risks: (a) when called upon to do so by the FATF; and (b) independently of any call by the FATF to do so.
3. 19.3 Countries should have measures in place to ensure that financial institutions are advised of concerns about weaknesses in the AML/CFT systems of other countries.

1. 20.1 If a financial institution suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity64“Criminal activity” refers to: (a) all criminal acts that would constitute a predicate offence for ML in the country; or (b) at a minimum, to those offences that would constitute a predicate offence, as required by Recommendation 3., or are related to TF, it should be required to report promptly its suspicions to the Financial Intelligence Unit.
2. 20.2Financial institutions should be required to report all suspicious transactions, including attempted transactions, regardless of the amount of the transaction.

1. 21.1 Financial institutions and their directors, officers and employees should be protected by law from both criminal and civil liability for breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, if they report their suspicions in good faith to the FIU. This protection should be available even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred.
2. 21.2 Financial institutions and their directors, officers and employees should be prohibited by law from disclosing the fact that an STR or related information is being filed with the Financial Intelligence Unit. These provisions are not intended to inhibit information sharing under Recommendation 18.

1. 22.1DNFBPs should be required to comply with the CDD requirements set out in Recommendation 10 in the following situations:
   1. Casinos – when customers engage in financial transactions65Conducting customer identification at the entry to a casino could be, but is not necessarily, sufficient. Countries must require casinos to ensure that they are able to link CDD information for a particular customer to the transactions that the customer conducts in the casino. “Financial transactions” does not refer to gambling transactions that involve only casino chips or tokens. equal to or above USD/EUR 3 000.
   2. Real estate agents – when they are involved in transactions for a client concerning the buying and selling of real estate66This means that real estate agents should comply with the requirements set out in Recommendation 10 with respect to both the purchasers and the vendors of the property..
   3. Dealers in precious metals and dealers in precious stones – when they engage in any cash transaction with a customer equal to or above USD/EUR 15,000.
   4. Lawyers, notaries, other independent legal professionals and accountants when they prepare for, or carry out, transactions for their client concerning the following activities:
      • buying and selling of real estate;
      • managing of client money, securities or other assets;
      • management of bank, savings or securities accounts;
      • organisation of contributions for the creation, operation or management of companies;
      • creating, operating or management of legal persons or arrangements, and buying and selling of business entities.
   5. Trust and company service providers when they prepare for or carry out transactions for a client concerning the following activities:
      • acting as a formation agent of legal persons;
      • acting as (or arranging for another person to act as) a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;
      • providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or any other legal person or arrangement;
      • acting as (or arranging for another person to act as) a trustee of an express trust or performing the equivalent function for another form of legal arrangement;
      • acting as (or arranging for another person to act as) a nominee shareholder for another person.
2. 22.2 In the situations set out in Criterion 22.1, DNFBPs should be required to comply with the record-keeping requirements set out in Recommendation 11.
3. 22.3 In the situations set out in Criterion 22.1, DNFBPs should be required to comply with the PEPs requirements set out in Recommendation 12.
4. 22.4 In the situations set out in Criterion 22.1, DNFBPs should be required to comply with the new technologies requirements set out in Recommendation 15.
5. 22.5 In the situations set out in Criterion 22.1, DNFBPs should be required to comply with the reliance on third-parties requirements set out in Recommendation 17.

1. 23.1 The requirements to report suspicious transactions set out in Recommendation 20 should apply to all DNFBPs subject to the following qualifications:
   1. Lawyers, notaries, other independent legal professionals and accountants67 Lawyers, notaries, other independent legal professionals, and accountants acting as independent legal professionals, are not required to report suspicious transactions if the relevant information was obtained in circumstances where they are subject to professional secrecy or legal professional privilege. It is for each country to determine the matters that would fall under legal professional privilege or professional secrecy. This would normally cover information lawyers, notaries or other independent legal professionals receive from or obtain through one of their clients: (a) in the course of ascertaining the legal position of their client, or (b) in performing their task of defending or representing that client in, or concerning judicial, administrative, arbitration or mediation proceedings. – when, on behalf of, or for, a client, they engage in a financial transaction in relation to the activities described in criterion 22.1(d)68 Where countries allow lawyers, notaries, other independent legal professionals and accountants to send their STRs to their appropriate self-regulatory bodies (SRBs), there should be forms of co-operation between these bodies and the FIU. .
   2. Dealers in precious metals or stones – when they engage in a cash transaction with a customer equal to or above USD/EUR 15,000.
   3. Trust and company service providers – when, on behalf or for a client, they engage in a transaction in relation to the activities described in criterion 22.1(e).
2. 23.2 In the situations set out in criterion 23.1, DNFBPs should be required to comply with the internal controls requirements set out in Recommendation 18.
3. 23.3 In the situations set out in criterion 23.1, DNFBPs should be required to comply with the higher-risk countries requirements set out in Recommendation 19.
4. 23.4In the situations set out in criterion 23.1, DNFBPs should be required to comply with the tipping-off and confidentiality requirements set out in Recommendation 2169 Where lawyers, notaries, other independent legal professionals and accountants acting as independent legal professionals seek to dissuade a client from engaging in illegal activity, this does not amount to tipping-off. .

1. 24.1 Countries should have mechanisms that identify and describe: (a) the different types, forms and basic features of legal persons in the country; and (b) the processes for the creation of those legal persons, and for obtaining and recording of basic and beneficial ownership information. This information should be publicly available.
2. 24.2 Countries should assess the ML/TF risks associated with all types of legal person created in the country.

Basic Information

3. 24.3 Countries should require that all companies created in a country are registered in a company registry, which should record the company name, proof of incorporation, legal form and status, the address of the registered office, basic regulating powers, and a list of directors. This information should be publicly available.
4. 24.4 Companies should be required to maintain the information set out in criterion 24.3, and also to maintain a register of their shareholders or members71 The register of shareholders and members can be recorded by the company itself or by a third person under the company’s responsibility. , containing the number of shares held by each shareholder and categories of shares (including the nature of the associated voting rights). This information should be maintained within the country at a location notified to the company registry.72 In cases in which the company or company registry holds beneficial ownership information within the country, the register of shareholders and members need not be in the country, if the company can provide this information promptly on request.
5. 24.5 Countries should have mechanisms that ensure that the information referred to in criteria 24.3 and 24.4 is accurate and updated on a timely basis.

Beneficial Ownership Information

6. 24.6 Countries should use one or more of the following mechanisms to ensure that information on the beneficial ownership of a company is obtained by that company and available at a specified location in their country; or can be otherwise determined in a timely manner by a competent authority:
   1. requiring companies or company registries to obtain and hold up-to-date information on the companies’ beneficial ownership;
   2. requiring companies to take reasonable measures to obtain and hold up-to-date information on the companies’ beneficial ownership;
   3. using existing information, including: (i) information obtained by financial institutions and/or DNFBPs, in accordance with Recommendations 10 and 22; (ii) information held by other competent authorities on the legal and beneficial ownership of companies; (iii) information held by the company as required in criterion 24.3 above; and (iv) available information on companies listed on a stock exchange, where disclosure requirements ensure adequate transparency of beneficial ownership.
7. 24.7 Countries should require that the beneficial ownership information is accurate and as upto- date as possible.
8. 24.8 Countries should ensure that companies co-operate with competent authorities to the fullest extent possible in determining the beneficial owner, by:
   1. requiring that one or more natural persons resident in the country is authorised by the company73 Members of the company’s board or senior management may not require specific authorisation by the company. , and accountable to competent authorities, for providing all basic information and available beneficial ownership information, and giving further assistance to the authorities; and/or
   2. requiring that a DNFBP in the country is authorised by the company, and accountable to competent authorities, for providing all basic information and available beneficial ownership information, and giving further assistance to the authorities; and/or
   3. taking other comparable measures, specifically identified by the country.
9. 24.9 All the persons, authorities and entities mentioned above, and the company itself (or its administrators, liquidators or other persons involved in the dissolution of the company), should be required to maintain the information and records referred to for at least five years after the date on which the company is dissolved or otherwise ceases to exist, or five years after the date on which the company ceases to be a customer of the professional intermediary or the financial institution.

Other Requirements

10. 24.10 Competent authorities, and in particular law enforcement authorities, should have all the powers necessary to obtain timely access to the basic and beneficial ownership information held by the relevant parties.
11. 24.11 Countries that have legal persons able to issue bearer shares or bearer share warrants should apply one or more of the following mechanisms to ensure that they are not misused for money laundering or terrorist financing:
    1. prohibiting bearer shares and share warrants; or
    2. converting bearer shares and share warrants into registered shares or share warrants (for example through dematerialisation); or
    3. immobilising bearer shares and share warrants by requiring them to be held with a regulated financial institution or professional intermediary; or
    4. requiring shareholders with a controlling interest to notify the company, and the company to record their identity; or
    5. using other mechanisms identified by the country.
12. 24.12 Countries that have legal persons able to have nominee shares and nominee directors should apply one or more of the following mechanisms to ensure they are not misused:
    1. requiring nominee shareholders and directors to disclose the identity of their nominator to the company and to any relevant registry, and for this information to be included in the relevant register;
    2. requiring nominee shareholders and directors to be licensed, for their nominee status to be recorded in company registries, and for them to maintain information identifying their nominator, and make this information available to the competent authorities upon request; or
    3. using other mechanisms identified by the country.
13. 24.13 There should be liability and proportionate and dissuasive sanctions, as appropriate for any legal or natural person that fails to comply with the requirements.
14. 24.14 Countries should rapidly provide international co-operation in relation to basic and beneficial ownership information, on the basis set out in Recommendations 37 and 40. This should include:
    1. facilitating access by foreign competent authorities to basic information held by company registries;
    2. exchanging information on shareholders; and
    3. using their competent authorities’ investigative powers, in accordance with their domestic law, to obtain beneficial ownership information on behalf of foreign counterparts.
15. 24.15 Countries should monitor the quality of assistance they receive from other countries in response to requests for basic and beneficial ownership information or requests for assistance in locating beneficial owners residing abroad.

1. 25.1Countries should require:
   1. trustees of any express trust governed under their law75 Countries are not required to give legal recognition to trusts. Countries need not include the requirements of Criteria 25.1; 25.2; 25.3; and 25.4 in legislation, provided that appropriate obligations to such effect exist for trustees (e.g. through common law or case law). to obtain and hold adequate, accurate, and current information on the identity of the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control over the trust;
   2. trustees of any trust governed under their law to hold basic information on other regulated agents of, and service providers to, the trust, including investment advisors or managers, accountants, and tax advisors; and
   3. professional trustees to maintain this information for at least five years after their involvement with the trust ceases.
2. 25.2 Countries should require that any information held pursuant to this Recommendation is kept accurate and as up to date as possible, and is updated on a timely basis.
3. 25.3 All countries should take measures to ensure that trustees disclose their status to financial institutions and DNFBPs when forming a business relationship or carrying out an occasional transaction above the threshold.
4. 25.4 Trustees should not be prevented by law or enforceable means from providing competent authorities with any information relating to the trust76 Domestic competent authorities or the relevant competent authorities of another country pursuant to an appropriate international cooperation request. ; or from providing financial institutions and DNFBPs, upon request, with information on the beneficial ownership and the assets of the trust to be held or managed under the terms of the business relationship.
5. 25.5 Competent authorities, and in particular law enforcement authorities, should have all the powers necessary to be able to obtain timely access to information held by trustees, and other parties (in particular information held by financial institutions and DNFBPs), on the beneficial ownership and control of the trust, including: (a) the beneficial ownership; (b) the residence of the trustee; and (c) any assets held or managed by the financial institution or DNFBP, in relation to any trustees with which they have a business relationship, or for which they undertake an occasional transaction.
6. 25.6 Countries should rapidly provide international co-operation in relation to information, including beneficial ownership information, on trusts and other legal arrangements, on the basis set out in Recommendations 37 and 40. This should include:
   1. facilitating access by foreign competent authorities to basic information held by registries or other domestic authorities;
   2. exchanging domestically available information on the trusts or other legal arrangement; and
   3. using their competent authorities’ investigative powers, in accordance with domestic law, in order to obtain beneficial ownership information on behalf of foreign counterparts.
7. 25.7 Countries should ensure that trustees are either (a) legally liable for any failure to perform the duties relevant to meeting their obligations; or (b) that there are proportionate and dissuasive sanctions, whether criminal, civil or administrative, for failing to comply77 This does not affect the requirements for proportionate and dissuasive sanctions for failure to comply with requirements elsewhere in the Recommendations. .
8. 25.8 Countries should ensure that there are proportionate and dissuasive sanctions, whether criminal, civil or administrative, for failing to grant to competent authorities timely access to information regarding the trust referred to in criterion 25.1.

1. 26.1 Countries should designate one or more supervisors that have responsibility for regulating and supervising (or monitoring) financial institutions’ compliance with the AML/CFT requirements.

Market Entry

2. 26.2 Core Principles financial institutions should be required to be licensed. Other financial institutions, including those providing a money or value transfer service or a money or currency changing service, should be licensed or registered. Countries should not approve the establishment, or continued operation, of shell banks.
3. 26.3 Competent authorities or financial supervisors should take the necessary legal or regulatory measures to prevent criminals or their associates from holding (or being the beneficial owner of) a significant or controlling interest, or holding a management function, in a financial institution.

Risk-based approach to supervision and monitoring

4. 26.4 Financial institutions should be subject to:
   1. for core principles institutions — regulation and supervision in line with the core principles78 The Core Principles which are relevant to AML/CFT include: Basel Committee on Banking Supervision (BCBS) Principles 1-3, 5-9, 11-15, 26, and 29; International Association of Insurance Supervisors (IAIS) Principles 1, 3-11, 18, 21-23, and 25; and International Organization of Securities Commission (IOSCO) Principles 24, 28, 29 and 31; and Responsibilities A, B, C and D. Assessors may refer to existing assessments of the country’s compliance with these Core Principles, where available. , where relevant for AML/CFT, including the application of consolidated group supervision for AML/CFT purposes.
   2. for all other financial institutions — regulation and supervision or monitoring, having regard to the ML/TF risks in that sector. At a minimum, for financial institutions providing a money or value transfer service, or a money or currency changing service — systems for monitoring and ensuring compliance with national AML/CFT requirements.
5. 26.5 The frequency and intensity of on-site and off-site AML/CFT supervision of financial institutions or groups should be determined on the basis of:
   1. the ML/TF risks and the policies, internal controls and procedures associated with the institution or group, as identified by the supervisor’s assessment of the institution’s or group’s risk profile;
   2. the ML/TF risks present in the country; and
   3. the characteristics of the financial institutions or groups, in particular the diversity and number of financial institutions and the degree of discretion allowed to them under the risk-based approach.
6. 26.6 The supervisor should review the assessment of the ML/TF risk profile of a financial institution or group (including the risks of non-compliance) periodically, and when there are major events or developments in the management and operations of the financial institution or group.

1. 27.1 Supervisors should have powers to supervise or monitor and ensure compliance by financial institutions with AML/CFT requirements.
2. 27.2Supervisors should have the authority to conduct inspections of financial institutions.
3. 27.3Supervisors should be authorised to compel79 The supervisor’s power to compel production of or to obtain access for supervisory purposes should not be predicated on the need to require a court order. production of any information relevant to monitoring compliance with the AML/CFT requirements.
4. 27.4Supervisors should be authorised to impose sanctions in line with Recommendation 35 for failure to comply with the AML/CFT requirements. This should include powers to impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the financial institution’s licence.

Casinos

1. 28.1Countries should ensure that casinos are subject to AML/CFT regulation and supervision. At a minimum:
   1. Countries should require casinos to be licensed.
   2. Competent authorities should take the necessary legal or regulatory measures to prevent criminals or their associates from holding (or being the beneficial owner of) a significant or controlling interest, or holding a management function, or being an operator of a casino.
   3. Casinos should be supervised for compliance with AML/CFT requirements.

DNFBPs other than casinos

2. 28.2There should be a designated competent authority or SRB responsible for monitoring and ensuring compliance of DNFBPs with AML/CFT requirements.
3. 28.3Countries should ensure that the other categories of DNFBPs are subject to systems for monitoring compliance with AML/CFT requirements.
4. 28.4The designated competent authority or self-regulatory body (SRB) should:
   1. have adequate powers to perform its functions, including powers to monitor compliance;
   2. take the necessary measures to prevent criminals or their associates from being professionally accredited, or holding (or being the beneficial owner of) a significant or controlling interest, or holding a management function in a DNFBP; and
   3. have sanctions available in line with Recommendation 35 to deal with failure to comply with AML/CFT requirements.

All DNFBPs

5. 28.5Supervision of DNFBPs should be performed on a risk-sensitive basis, including:
   1. determining the frequency and intensity of AML/CFT supervision of DNFBPs on the basis of their understanding of the ML/TF risks, taking into consideration the characteristics of the DNFBPs, in particular their diversity and number; and
   2. taking into account the ML/TF risk profile of those DNFBPs, and the degree of discretion allowed to them under the risk-based approach, when assessing the adequacy of the AML/CFT internal controls, policies and procedures of DNFBPs.

1. 29.1Countries should establish an FIU with responsibility for acting as a national centre for receipt and analysis of suspicious transaction reports and other information relevant to money laundering, associated predicate offences and terrorist financing; and for the dissemination of the results of that analysis.80 Considering that there are different FIU models, Recommendation 29 does not prejudge a country’s choice for a particular model, and applies equally to all of them.
2. 29.2The FIU should serve as the central agency for the receipt of disclosures filed by reporting entities, including:
   1. Suspicious transaction reports filed by reporting entities as required by Recommendation 20 and 23; and
   2. any other information as required by national legislation (such as cash transaction reports, wire transfers reports and other threshold-based declarations/disclosures).
3. 29.3The FIU should81 In the context of its analysis function, an FIU should be able to obtain from any reporting entity additional information relating to a suspicion of ML/TF. This does not include indiscriminate requests for information to reporting entities in the context of the FIU's analysis (e.g., "finishing expeditions").:
   1. in addition to the information that entities report to the FIU, be able to obtain and use additional information from reporting entities, as needed to perform its analysis properly; and
   2. have access to the widest possible range82 This should include information from open or public sources, as well as relevant information collected and/or maintained by, or on behalf of, other authorities and, where appropriate commercially held data. of financial, administrative and law enforcement information that it requires to properly undertake its functions.
4. 29.4The FIU should conduct:
   1. operational analysis, which uses available and obtainable information to identify specific targets, to follow the trail of particular activities or transactions, and to determine links between those targets and possible proceeds of crime, money laundering, predicate offences and terrorist financing; and
   2. strategic analysis, which uses available and obtainable information, including data that may be provided by other competent authorities, to identify money laundering and terrorist financing related trends and patterns.
5. 29.5The FIU should be able to disseminate, spontaneously and upon request, information and the results of its analysis to relevant competent authorities, and should use dedicated, secure and protected channels for the dissemination.
6. 29.6The FIU should protect information by:
   1. having rules in place governing the security and confidentiality of information, including procedures for handling, storage, dissemination, and protection of, and access to, information;
   2. ensuring that FIU staff members have the necessary security clearance levels and understanding of their responsibilities in handling and disseminating sensitive and confidential information; and
   3. ensuring that there is limited access to its facilities and information, including information technology systems.
7. 29.7The FIU should be operationally independent and autonomous, by:
   1. having the authority and capacity to carry out its functions freely, including the autonomous decision to analyse, request and/or forward or disseminate specific information;
   2. being able to make arrangements or engage independently with other domestic competent authorities or foreign counterparts on the exchange of information;
   3. when it is located within the existing structure of another authority, having distinct core functions from those of the other authority; and
   4. being able to obtain and deploy the resources needed to carry out its functions, on an individual or routine basis, free from any undue political, government or industry influence or interference, which might compromise its operational independence.
8. 29.8Where a country has created an FIU and is not an Egmont Group member, the FIU should apply for membership in the Egmont Group. The FIU should submit an unconditional application for membership to the Egmont Group and fully engage itself in the application process.

1. 30.1There should be designated law enforcement authorities that have responsibility for ensuring that money laundering, associated predicate offences and terrorist financing offences are properly investigated, within the framework of national AML/CFT policies.
2. 30.2Law enforcement investigators of predicate offences should either be authorised to pursue the investigation of any related ML/TF offences during a parallel financial investigation83 A ‘parallel financial investigation’ refers to conducting a financial investigation alongside, or in the context of, a (traditional) criminal investigation into money laundering, terrorist financing and/or predicate offence(s).
   A ‘financial investigation’ means an enquiry into the financial affairs related to a criminal activity, with a view to: (i) identifying the extent of criminal networks and/or the scale of criminality; (ii) identifying and tracing the proceeds of crime, terrorist funds or any other assets that are, or may become, subject to confiscation; and (iii) developing evidence which can be used in criminal proceedings. , or be able to refer the case to another agency to follow up with such investigations, regardless of where the predicate offence occurred.
3. 30.3There should be one or more designated competent authorities to expeditiously identify, trace, and initiate freezing and seizing of property that is, or may become, subject to confiscation, or is suspected of being proceeds of crime.
4. 30.4Countries should ensure that Recommendation 30 also applies to those competent authorities, which are not law enforcement authorities, per se, but which have the responsibility for pursuing financial investigations of predicate offences, to the extent that these competent authorities are exercising functions covered under Recommendation 30.
5. 30.5If anti-corruption enforcement authorities are designated to investigate ML/TF offences arising from, or related to, corruption offences under Recommendation 30, they should also have sufficient powers to identify, trace, and initiate freezing and seizing of assets.

1. 31.1Competent authorities conducting investigations of money laundering, associated predicate offences and terrorist financing should be able to obtain access to all necessary documents and information for use in those investigations, and in prosecutions and related actions. This should include powers to use compulsory measures for:
   1. the production of records held by financial institutions, DNFBPs and other natural or legal persons;
   2. the search of persons and premises;
   3. taking witness statements; and
   4. seizing and obtaining evidence.
2. 31.2Competent authorities conducting investigations should be able to use a wide range of investigative techniques for the investigation of money laundering, associated predicate offences and terrorist financing, including:
   1. undercover operations;
   2. intercepting communications;
   3. accessing computer systems; and
   4. controlled delivery.
3. 31.3Countries should have mechanisms in place:
   1. to identify, in a timely manner, whether natural or legal persons hold or control accounts; and
   2. to ensure that competent authorities have a process to identify assets without prior notification to the owner.
4. 31.4Competent authorities conducting investigations of money laundering, associated predicate offences and terrorist financing should be able to ask for all relevant information held by the FIU.

1. 32.1Countries should implement a declaration system or a disclosure system for incoming and outgoing cross-border transportation of currency and bearer negotiable instruments (BNIs). Countries should ensure that a declaration or disclosure is required for all physical cross-border transportation, whether by travellers or through mail and cargo, but may use different systems for different modes of transportation.
2. 32.2In a declaration system, all persons making a physical cross-border transportation of currency or BNIs, which are of a value exceeding a pre-set, maximum threshold of USD/EUR 15 000, should be required to submit a truthful declaration to the designated competent authorities. Countries may opt from among the following three different types of declaration system:
   1. A written declaration system for all travellers;
   2. A written declaration system for all travellers carrying amounts above a threshold; and/or
   3. An oral declaration system for all travellers.
3. 32.3In a disclosure system, travellers should be required to give a truthful answer and provide the authorities with appropriate information upon request, but are not required to make an upfront written or oral declaration.
4. 32.4Upon discovery of a false declaration or disclosure of currency or BNIs or a failure to declare or disclose them, designated competent authorities should have the authority to request and obtain further information from the carrier with regard to the origin of the currency or BNIs, and their intended use.
5. 32.5Persons who make a false declaration or disclosure should be subject to proportionate and dissuasive sanctions, whether criminal, civil or administrative.
6. 32.6Information obtained through the declaration/disclosure process should be available to the FIU either through: (a) a system whereby the FIU is notified about suspicious crossborder transportation incidents; or (b) by making the declaration/disclosure information directly available to the FIU in some other way.
7. 32.7At the domestic level, countries should ensure that there is adequate co-ordination among customs, immigration and other related authorities on issues related to the implementation of Recommendation 32.
8. 32.8Competent authorities should be able to stop or restrain currency or BNIs for a reasonable time in order to ascertain whether evidence of ML/TF may be found in cases:
   1. where there is a suspicion of ML/TF or predicate offences; or
   2. where there is a false declaration or false disclosure.
9. 32.9Countries should ensure that the declaration/disclosure system allows for international co-operation and assistance, in accordance with Recommendations 36 to 40. To facilitate such co-operation, information84 At a minimum, the information should set out (i) the amount of currency or BNIs declared, disclosed or otherwise detected, and (ii) the identification data of the bearer(s). shall be retained when:
   1. a declaration or disclosure which exceeds the prescribed threshold is made; or
   2. there is a false declaration or false disclosure; or
   3. there is a suspicion of ML/TF.
10. 32.10Countries should ensure that strict safeguards exist to ensure proper use of information collected through the declaration/disclosure systems, without restricting either: (i) trade payments between countries for goods and services; or (ii) the freedom of capital movements, in any way.
11. 32.11Persons who are carrying out a physical cross-border transportation of currency or BNIs that are related to ML/TF or predicate offences should be subject to: (a) proportionate and dissuasive sanctions, whether criminal, civil or administrative; and (b) measures consistent with Recommendation 4 which would enable the confiscation of such currency or BNIs.

1. 33.1Countries should maintain comprehensive statistics on matters relevant to the effectiveness and efficiency of their AML/CFT systems.85For purposes of technical compliance, the assessment should be limited to the four areas listed below. This should include keeping statistics on:
   1. STRs, received and disseminated;
   2. ML/TF investigations, prosecutions and convictions;
   3. Property frozen; seized and confiscated; and
   4. Mutual legal assistance or other international requests for co-operation made and received.

1. 34.1Competent authorities, supervisors, and SRBs should establish guidelines and provide feedback, which will assist financial institutions and DNFBPs in applying national AML/CFT measures, and in particular, in detecting and reporting suspicious transactions.

1. 35.1Countries should ensure that there is a range of proportionate and dissuasive sanctions whether criminal, civil or administrative, available to deal with natural or legal persons that fail to comply with the AML/CFT requirements of Recommendations 6, and 8 to 23.86 The sanctions should be directly or indirectly applicable for a failure to comply. They need not be in the same document that imposes or underpins the requirement, and can be in another document, provided there are clear links between the requirement and the available sanctions.
2. 35.2Sanctions should be applicable not only to financial institutions and DNFBPs but also to their directors and senior management.

1. 36.1Countries should become a party to the Vienna Convention, the Palermo Convention, the United Nations Convention against Corruption (the Merida Convention) and the Terrorist Financing Convention.
2. 36.2Countries should fully implement87 The relevant articles are: the Vienna Convention (Articles 3-11, 15, 17 and 19), the Palermo Convention (Articles 5-7, 10-16, 18-20, 24-27, 29-31, & 34), the Merida Convention (Articles 14-17, 23-24, 26-31, 38, 40, 43-44, 46, 48, 50-55, 57-58), and the Terrorist Financing Convention (Articles 2-18). the Vienna Convention, the Palermo Convention, the Merida Convention and the Terrorist Financing Convention.

1. 37.1Countries should have a legal basis that allows them to rapidly provide the widest possible range of mutual legal assistance in relation to money laundering, associated predicate offences and terrorist financing investigations, prosecutions and related proceedings.
2. 37.2Countries should use a central authority, or another established official mechanism, for the transmission and execution of requests. There should be clear processes for the timely prioritisation and execution of mutual legal assistance requests. To monitor progress on requests, a case management system should be maintained.
3. 37.3Mutual legal assistance should not be prohibited or made subject to unreasonable or unduly restrictive conditions.
4. 37.4Countries should not refuse a request for mutual legal assistance:
   1. on the sole ground that the offence is also considered to involve fiscal matters; or
   2. on the grounds of secrecy or confidentiality requirements on financial institutions or DNFBPs, except where the relevant information that is sought is held in circumstances where legal professional privilege or legal professional secrecy applies.
5. 37.5Countries should maintain the confidentiality of mutual legal assistance requests that they receive and the information contained in them, subject to fundamental principles of domestic law, in order to protect the integrity of the investigation or inquiry.
6. 37.6Where mutual legal assistance requests do not involve coercive actions, countries should not make dual criminality a condition for rendering assistance.
7. 37.7Where dual criminality is required for mutual legal assistance, that requirement should be deemed to be satisfied regardless of whether both countries place the offence within the same category of offence, or denominate the offence by the same terminology, provided that both countries criminalise the conduct underlying the offence.
8. 37.8Powers and investigative techniques that are required under Recommendation 31 or otherwise available to domestic competent authorities should also be available for use in response to requests for mutual legal assistance, and, if consistent with the domestic framework, in response to a direct request from foreign judicial or law enforcement authorities to domestic counterparts. These should include:
   1. all of the specific powers required under Recommendation31 relating to the production, search and seizure of information, documents, or evidence (including financial records) from financial institutions, or other natural or legal persons, and the taking of witness statements; and
   2. a broad range of other powers and investigative techniques.

1. 38.1Countries should have the authority to take expeditious action in response to requests by foreign countries to identify, freeze, seize, or confiscate:
   1. laundered property from,
   2. proceeds from,
   3. instrumentalities used in, or
   4. instrumentalities intended for use in, money laundering, predicate offences, or terrorist financing; or
   5. property of corresponding value.
2. 38.2Countries should have the authority to provide assistance to requests for co-operation made on the basis of non-conviction based confiscation proceedings and related provisional measures, at a minimum in circumstances when a perpetrator is unavailable by reason of death, flight, absence, or the perpetrator is unknown, unless this is inconsistent with fundamental principles of domestic law.
3. 38.3Countries should have: (a) arrangements for co-ordinating seizure and confiscation actions with other countries; and (b) mechanisms for managing, and when necessary disposing of, property frozen, seized or confiscated.
4. 38.4Countries should be able to share confiscated property with other countries, in particular when confiscation is directly or indirectly a result of co-ordinated law enforcement actions.

1. 39.1Countries should be able to execute extradition requests in relation to ML/TF without undue delay. In particular, countries should:
   1. ensure ML and TF are extraditable offences;
   2. ensure that they have a case management system, and clear processes for the timely execution of extradition requests including prioritisation where appropriate; and
   3. not place unreasonable or unduly restrictive conditions on the execution of requests.
2. 39.2Countries should either:
   1. extradite their own nationals; or
   2. where they do not do so solely on the grounds of nationality, should, at the request of the country seeking extradition, submit the case without undue delay to its competent authorities for the purpose of prosecution of the offences set forth in the request.
3. 39.3Where dual criminality is required for extradition, that requirement should be deemed to be satisfied regardless of whether both countries place the offence within the same category of offence, or denominate the offence by the same terminology, provided that both countries criminalise the conduct underlying the offence.
4. 39.4Consistent with fundamental principles of domestic law, countries should have simplified extradition mechanisms88 Such as allowing direct transmission of requests for provisional arrests between appropriate authorities, extraditing persons based only on warrants of arrests or judgments, or introducing a simplified extradition of consenting persons who waive formal extradition proceedings. in place.

General Principles

1. 40.1Countries should ensure that their competent authorities can rapidly provide the widest range of international co-operation in relation to money laundering, associated predicate offences and terrorist financing. Such exchanges of information should be possible both spontaneously and upon request.
2. 40.2Competent authorities should:
   1. have a lawful basis for providing co-operation;
   2. be authorised to use the most efficient means to co-operate;
   3. have clear and secure gateways, mechanisms or channels that will facilitate and allow for the transmission and execution of requests;
   4. have clear processes for the prioritisation and timely execution of requests; and
   5. have clear processes for safeguarding the information received.
3. 40.3Where competent authorities need bilateral or multilateral agreements or arrangements to co-operate, these should be negotiated and signed in a timely way, and with the widest range of foreign counterparts.
4. 40.4Upon request, requesting competent authorities should provide feedback in a timely manner to competent authorities from which they have received assistance, on the use and usefulness of the information obtained.
5. 40.5Countries should not prohibit, or place unreasonable or unduly restrictive conditions on, the provision of exchange of information or assistance. In particular, competent authorities should not refuse a request for assistance on the grounds that:
   1. the request is also considered to involve fiscal matters; and/or
   2. laws require financial institutions or DNFBPs to maintain secrecy or confidentiality (except where the relevant information that is sought is held in circumstances where legal professional privilege or legal professional secrecy applies); and/or
   3. there is an inquiry, investigation or proceeding underway in the requested country, unless the assistance would impede that inquiry, investigation or proceeding; and/or
   4. the nature or status (civil, administrative, law enforcement, etc.) of the requesting counterpart authority is different from that of its foreign counterpart.
6. 40.6Countries should establish controls and safeguards to ensure that information exchanged by competent authorities is used only for the purpose for, and by the authorities, for which the information was sought or provided, unless prior authorisation has been given by the requested competent authority.
7. 40.7Competent authorities should maintain appropriate confidentiality for any request for cooperation and the information exchanged, consistent with both parties’ obligations concerning privacy and data protection. At a minimum, competent authorities should protect exchanged information in the same manner as they would protect similar information received from domestic sources. Competent authorities should be able to refuse to provide information if the requesting competent authority cannot protect the information effectively.
8. 40.8Competent authorities should be able to conduct inquiries on behalf of foreign counterparts, and exchange with their foreign counterparts all information that would be obtainable by them if such inquiries were being carried out domestically.

Exchange of Information between FIUs

9. 40.9FIUs should have an adequate legal basis for providing co-operation on money laundering associated predicate offences and terrorist financing89 FIUs should be able to provide cooperation regardless of whether their counterpart FIU is administrative, law enforcement, judicial or other in nature. .
10. 40.10FIUs should provide feedback to their foreign counterparts, upon request and whenever possible, on the use of the information provided, as well as on the outcome of the analysis conducted, based on the information provided.
11. 40.11FIUs should have the power to exchange:
    1. all information required to be accessible or obtainable directly or indirectly by the FIU, in particular under Recommendation 29; and
    2. any other information which they have the power to obtain or access, directly or indirectly, at the domestic level, subject to the principle of reciprocity.

Exchange of information between financial supervisors90 This refers to financial supervisors which are competent authorities and does not include financial supervisors which are SRBs.

12. 40.12Financial supervisors should have a legal basis for providing co-operation with their foreign counterparts (regardless of their respective nature or status), consistent with the applicable international standards for supervision, in particular with respect to the exchange of supervisory information related to or relevant for AML/CFT purposes.
13. 40.13Financial supervisors should be able to exchange with foreign counterparts information domestically available to them, including information held by financial institutions, in a manner proportionate to their respective needs.
14. 40.14Financial supervisors should be able to exchange the following types of information when relevant for AML/CFT purposes, in particular with other supervisors that have a shared responsibility for financial institutions operating in the same group:
    1. regulatory information, such as information on the domestic regulatory system, and general information on the financial sectors;
    2. prudential information, in particular for Core Principles supervisors, such as information on the financial institution’s business activities, beneficial ownership, management, and fit and properness; and
    3. AML/CFT information, such as internal AML/CFT procedures and policies of financial institutions, customer due diligence information, customer files, samples of accounts and transaction information.
15. 40.15Financial supervisors should be able to conduct inquiries on behalf of foreign counterparts, and, as appropriate, to authorise or facilitate the ability of foreign counterparts to conduct inquiries themselves in the country, in order to facilitate effective group supervision.
16. 40.16Financial supervisors should ensure that they have the prior authorisation of the requested financial supervisor for any dissemination of information exchanged, or use of that information for supervisory and non-supervisory purposes, unless the requesting financial supervisor is under a legal obligation to disclose or report the information. In such cases, at a minimum, the requesting financial supervisor should promptly inform the requested authority of this obligation.

Exchange of information between law enforcement authorities

17. 40.17Law enforcement authorities should be able to exchange domestically available information with foreign counterparts for intelligence or investigative purposes relating to money laundering, associated predicate offences or terrorist financing, including the identification and tracing of the proceeds and instrumentalities of crime.
18. 40.18Law enforcement authorities should also be able to use their powers, including any investigative techniques available in accordance with their domestic law, to conduct inquiries and obtain information on behalf of foreign counterparts. The regimes or practices in place governing such law enforcement co-operation, such as the agreements between Interpol, Europol or Eurojust and individual countries, should govern any restrictions on use imposed by the requested law enforcement authority.
19. 40.19Law enforcement authorities should be able to form joint investigative teams to conduct cooperative investigations, and, when necessary, establish bilateral or multilateral arrangements to enable such joint investigations.

Exchange of information between non-counterparts

20. 40.20Countries should permit their competent authorities to exchange information indirectly91 Indirect exchange of information refers to the requested information passing from the requested authority through one or more domestic or foreign authorities before being received by the requesting authority. Such an exchange of information and its use may be subject to the authorisation of one or more competent authorities of the requested country. with non-counterparts, applying the relevant principles above. Countries should ensure that the competent authority that requests information indirectly always makes it clear for what purpose and on whose behalf the request is made.