RECOMMENDATION 1

ASSESSING RISKS AND APPLYING A RISK-BASED APPROACH [5]

Under Recommendation 1, assessors should come to an overall view of risk assessment and risk mitigation by countries and financial institutions/DNFBPs as required in other Recommendations, but should not duplicate the detailed assessments of risk-based measures required under other Recommendations. Assessors are not expected to conduct an in-depth review of the country’s assessment(s) of risks. Assessors should focus on the process, mechanism and information sources adopted by the country, as well as the contextual factors, and should consider the reasonableness of the conclusions of the country’s assessment(s) of risks.

    [5] The requirements in this Recommendation should be assessed taking into account the more specific risk-based requirements in other Recommendations.

OBLIGATIONS AND DECISIONS FOR COUNTRIES

Risk assessment

1.1 Countries [6] should identify and assess the ML/TF risks for the country.
    [6] Where appropriate, ML/TF risk assessments at a supra-national level should be taken into account when considering whether this obligation is satisfied.
1.2 Countries should designate an authority or mechanism to co-ordinate actions to assess risks.
1.3 Countries should keep the risk assessments up-to-date.
1.4 Countries should have mechanisms to provide information on the results of the risk assessment(s) to all relevant competent authorities and self-regulatory bodies (SRBs), financial institutions and DNFBPs.

Risk mitigation

1.5 Based on their understanding of their risks, countries should apply a risk-based approach to allocating resources and implementing measures to prevent or mitigate ML/TF.
1.6 Countries which decide not to apply some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions should demonstrate that:
    (a) there is a proven low risk of ML/TF; the exemption occurs in strictly limited and justified circumstances; and it relates to a particular type of financial institution or activity, or DNFBP; or
    (b) a financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis (having regard to quantitative and absolute criteria), such that there is a low risk of ML/TF.
1.7 Where countries identify higher risks, they should ensure that their AML/CFT regime addresses such risks, including through: (a) requiring financial institutions and DNFBPs to take enhanced measures to manage and mitigate the risks; or (b) requiring financial institutions and DNFBPs to ensure that this information is incorporated into their risk assessments.
1.8 Countries may allow simplified measures for some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, provided that a lower risk has been identified, and this is consistent with the country’s assessment of its ML/TF risks. [7]
    [7] Where the FATF Recommendations identify higher risk activities for which enhanced or specific measures are required, countries should ensure that all such measures are applied, although the extent of such measures may vary according to the specific level of risk.
1.9 Supervisors and SRBs should ensure that financial institutions and DNFBPs are implementing their obligations under Recommendation 1. [8]
    [8] The requirements in this criterion should be assessed taking into account the findings in relation to Recommendations 26 and 28.
OBLIGATIONS AND DECISIONS FOR FINANCIAL INSTITUTIONS AND DNFBPS

Risk assessment

1.10 Financial institutions and DNFBPs should be required to take appropriate steps to identify, assess, and understand their ML/TF risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels). [9] This includes being required to:
    (a) document their risk assessments;
    (b) consider all the relevant risk factors before determining what is the level of overall risk and the appropriate level and type of mitigation to be applied;
    (c) keep these assessments up to date; and
    (d) have appropriate mechanisms to provide risk assessment information to competent authorities and SRBs.
    [9] The nature and extent of any assessment of ML/TF risks should be appropriate to the nature and size of the business. Competent authorities or SRBs may determine that individual documented risk assessments are not required, provided that the specific risks inherent to the sector are clearly identified and understood, and that individual financial institutions and DNFBPs understand their ML/TF risks.

Risk mitigation

1.11 Financial institutions and DNFBPs should be required to:
    (a) have policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified (either by the country or by the financial institution or DNFBP);
    (b) monitor the implementation of those controls and to enhance them if necessary; and
    (c) take enhanced measures to manage and mitigate the risks where higher risks are identified.
1.12 Countries may only permit financial institutions and DNFBPs to take simplified measures to manage and mitigate risks, if lower risks have been identified, and criteria 1.9 to 1.11 are met. Simplified measures should not be permitted whenever there is a suspicion of ML/TF.

RECOMMENDATION 10

CUSTOMER DUE DILIGENCE (CDD) [34]

    [34] The principle that financial institutions conduct CDD should be set out in law, though specific requirements may be set out in enforceable means.

10.1 Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names.

When CDD is required

10.2 Financial institutions should be required to undertake CDD measures when:
    (a) establishing business relations;
    (b) carrying out occasional transactions above the applicable designated threshold (USD/EUR 15 000), including situations where the transaction is carried out in a single operation or in several operations that appear to be linked;
    (c) carrying out occasional transactions that are wire transfers in the circumstances covered by Recommendation 16 and its Interpretive Note;
    (d) there is a suspicion of ML/TF, regardless of any exemptions or thresholds that are referred to elsewhere under the FATF Recommendations; or
    (e) the financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.
Required CDD measures for all customers

10.3 Financial institutions should be required to identify the customer (whether permanent or occasional, and whether natural or legal person or legal arrangement) and verify that customer’s identity using reliable, independent source documents, data or information (identification data).
10.4 Financial institutions should be required to verify that any person purporting to act on behalf of the customer is so authorised, and identify and verify the identity of that person.
10.5 Financial institutions should be required to identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, using the relevant information or data obtained from a reliable source, such that the financial institution is satisfied that it knows who the beneficial owner is.
10.6 Financial institutions should be required to understand and, as appropriate, obtain information on, the purpose and intended nature of the business relationship.
10.7 Financial institutions should be required to conduct ongoing due diligence on the business relationship, including:
    (a) scrutinising transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the financial institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds; and
    (b) ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
Specific CDD measures required for legal persons and legal arrangements

10.8 For customers that are legal persons or legal arrangements, the financial institution should be required to understand the nature of the customer’s business and its ownership and control structure.
10.9 For customers that are legal persons or legal arrangements, the financial institution should be required to identify the customer and verify its identity through the following information:
    (a) name, legal form and proof of existence;
    (b) the powers that regulate and bind the legal person or arrangement, as well as the names of the relevant persons having a senior management position in the legal person or arrangement; and
    (c) the address of the registered office and, if different, a principal place of business.
10.10 For customers that are legal persons, [35] the financial institution should be required to identify and take reasonable measures to verify the identity of beneficial owners through the following information:
    (a) the identity of the natural person(s) (if any) [36] who ultimately has a controlling ownership interest [37] in a legal person; and
    (b) to the extent that there is doubt under (a) as to whether the person(s) with the controlling ownership interest is the beneficial owner(s) or where no natural person exerts control through ownership interests, the identity of the natural person(s) (if any) exercising control of the legal person or arrangement through other means; and
    (c) where no natural person is identified under (a) or (b) above, the identity of the relevant natural person who holds the position of senior managing official.
    [35] Where the customer or the owner of the controlling interest is a company listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means) which impose requirements to ensure adequate transparency of beneficial ownership, or is a majority-owned subsidiary of such a company, it is not necessary to identify and verify the identity of any shareholder or beneficial owner of such companies. The relevant identification data may be obtained from a public register, from the customer or from other reliable sources.
    [36] Ownership interests can be so diversified that there are no natural persons (whether acting alone or together) exercising control of the legal person or arrangement through ownership.
    [37] A controlling ownership interest depends on the ownership structure of the company. It may be based on a threshold, e.g. any person owning more than a certain percentage of the company (e.g. 25%).
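The three-step cascade in 10.10, run over an ownership graph, as an added example; this is not FATF text and not part of the Methodology. The criterion does not say how indirect interests are computed, so the code assumes that an interest held through an intermediate legal person is multiplied along the chain and summed per holder, and that "controlling" means strictly more than 25%, a figure footnote 37 gives only as an example. The Entity and Registry types, the entity names and the sample registry are constructed for the example, and the `doubt` flag stands in for the CDD officer's judgement that opens step (b). Two edge cases the criterion implies are exercised: a circular cross-holding that never reaches a natural person (the cascade falls to (c)), and a listed parent company that, per footnote 35, is reported by name rather than looked through.

```python
# Added example (not FATF text): the criterion 10.10 cascade applied to an
# ownership graph.  Assumptions not stated by the criterion are marked.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entity:
    name: str
    natural_person: bool = False
    listed: bool = False                   # footnote 35 exemption applies
    # (holder, fraction of ownership interest); only for legal persons
    owners: List[Tuple[str, float]] = field(default_factory=list)
    # natural persons controlling the entity by other means (step (b));
    # this comes from CDD information, it cannot be derived from ownership
    other_control: List[str] = field(default_factory=list)
    senior_managing_official: Optional[str] = None   # step (c)


Registry = Dict[str, Entity]


def ultimate_ownership(registry: Registry, customer: str) -> Dict[str, float]:
    """Fraction of `customer` ultimately held by each terminal holder.

    ASSUMPTION: interests held through intermediate legal persons are
    multiplied along the chain and summed per holder.  Natural persons and
    listed companies (footnote 35) are terminal.  Circular holdings are cut
    rather than followed, so a circular structure allocates less than 100%,
    which pushes the cascade on to steps (b) and (c).
    """
    totals: Dict[str, float] = {}

    def walk(name: str, weight: float, path: Tuple[str, ...]) -> None:
        for holder, frac in registry[name].owners:
            h = registry.get(holder)
            if h is None:
                continue  # unknown holder: interest stays unallocated
            w = weight * frac
            if h.natural_person or h.listed:
                totals[holder] = totals.get(holder, 0.0) + w
            elif holder not in path:
                walk(holder, w, path + (holder,))
            # else: circular holding, stop here

    walk(customer, 1.0, (customer,))
    return totals


def beneficial_owners(registry: Registry, customer: str,
                      threshold: float = 0.25, doubt: bool = False) -> Tuple[str, List[str]]:
    """Apply 10.10 (a) -> (b) -> (c).  Returns (step reached, names).

    ASSUMPTION: "controlling ownership interest" means strictly more than
    `threshold` (footnote 37 gives 25% only as an example).  `doubt` is the
    CDD officer's judgement that the step (a) result may not be the real
    beneficial owner; it is an input, not something this code decides.
    """
    cust = registry[customer]
    if cust.listed:
        return ("exempt", [customer])   # footnote 35: no look-through needed
    totals = ultimate_ownership(registry, customer)
    controlling = sorted(n for n, f in totals.items() if f > threshold)
    if controlling and not doubt:
        return ("a", controlling)
    if cust.other_control:
        return ("b", sorted(set(cust.other_control)))
    if controlling:
        # doubt under (a) but nothing found under (b): the persons from
        # (a) remain the identified owners, with the doubt to be documented
        return ("a", controlling)
    if cust.senior_managing_official:
        return ("c", [cust.senior_managing_official])
    return ("none", [])


def sample_registry() -> Registry:
    """Constructed data for the example; not real entities."""
    persons = ["Ben", "Carla", "Dana", "Evan", "Fay", "Gus", "Hal", "Ivy", "Jo"]
    ents = [Entity(p, natural_person=True) for p in persons]
    ents += [
        # Acme: Holdco's two owners each end up with 30% indirectly
        Entity("Holdco BV", owners=[("Ben", 0.5), ("Carla", 0.5)]),
        Entity("Acme Ltd", owners=[("Holdco BV", 0.6), ("Dana", 0.3), ("Evan", 0.1)]),
        # Diffuse: five 20% holders, so nobody passes (a); Fay controls by agreement
        Entity("Diffuse SA", owners=[(p, 0.2) for p in persons[:5]], other_control=["Fay"]),
        # Orphan: same spread, no other control, falls to the senior managing official
        Entity("Orphan GmbH", owners=[(p, 0.2) for p in persons[:5]],
               senior_managing_official="Gus"),
        # Cross-holding loop: no natural person is ever reached
        Entity("Loop A", owners=[("Loop B", 1.0)], senior_managing_official="Hal"),
        Entity("Loop B", owners=[("Loop A", 1.0)]),
        # Listed parent: reported by name, its shareholders are not looked through
        Entity("BigCorp plc", listed=True, owners=[("Jo", 0.9)]),
        Entity("Sub Inc", owners=[("BigCorp plc", 0.7), ("Ivy", 0.3)]),
    ]
    return {e.name: e for e in ents}


if __name__ == "__main__":
    reg = sample_registry()
    for c in ["Acme Ltd", "Diffuse SA", "Orphan GmbH", "Loop A", "Sub Inc", "BigCorp plc"]:
        print(c, "->", beneficial_owners(reg, c))
```

The point of keeping `doubt` and `other_control` as inputs is that 10.10(b) turns on information the ownership register cannot supply; a system that only walks shareholdings will never reach step (b) and will silently report the wrong person for a nominee structure. The loop guard matters for the same reason: a cross-holding ring is a known way to make the register yield no natural person at all.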
10.11 For customers that are legal arrangements, the financial institution should be required to identify and take reasonable measures to verify the identity of beneficial owners through the following information:
    (a) for trusts, the identity of the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries, [38] and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership);
    (b) for other types of legal arrangements, the identity of persons in equivalent or similar positions.
    [38] For beneficiaries of trusts that are designated by characteristics or by class, financial institutions should obtain sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout or when the beneficiary intends to exercise vested rights.
CDD for Beneficiaries of Life Insurance Policies

10.12 In addition to the CDD measures required for the customer and the beneficial owner, financial institutions should be required to conduct the following CDD measures on the beneficiary of life insurance and other investment related insurance policies, as soon as the beneficiary is identified or designated:
    (a) for a beneficiary that is identified as specifically named natural or legal persons or legal arrangements – taking the name of the person;
    (b) for a beneficiary that is designated by characteristics or by class or by other means – obtaining sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout;
    (c) for both the above cases – the verification of the identity of the beneficiary should occur at the time of the payout.
10.13 Financial institutions should be required to include the beneficiary of a life insurance policy as a relevant risk factor in determining whether enhanced CDD measures are applicable. If the financial institution determines that a beneficiary who is a legal person or a legal arrangement presents a higher risk, it should be required to take enhanced measures which should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.
Timing of verification

10.14 Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers; or (if permitted) may complete verification after the establishment of the business relationship, provided that:
    (a) this occurs as soon as reasonably practicable;
    (b) this is essential not to interrupt the normal conduct of business; and
    (c) the ML/TF risks are effectively managed.
10.15 Financial institutions should be required to adopt risk management procedures concerning the conditions under which a customer may utilise the business relationship prior to verification.
Existing customers

10.16 Financial institutions should be required to apply CDD requirements to existing customers [39] on the basis of materiality and risk, and to conduct due diligence on such existing relationships at appropriate times, taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained.
    [39] Existing customers as at the date that the new national requirements are brought into force.
Risk-Based Approach

10.17 Financial institutions should be required to perform enhanced due diligence where the ML/TF risks are higher.
10.18 Financial institutions may only be permitted to apply simplified CDD measures where lower risks have been identified, through an adequate analysis of risks by the country or the financial institution. The simplified measures should be commensurate with the lower risk factors, but are not acceptable whenever there is suspicion of ML/TF, or specific higher risk scenarios apply.

Failure to satisfactorily complete CDD

10.19 Where a financial institution is unable to comply with relevant CDD measures:
    (a) it should be required not to open the account, commence business relations or perform the transaction; or should be required to terminate the business relationship; and
    (b) it should be required to consider making a suspicious transaction report (STR) in relation to the customer.

CDD and tipping-off

10.20 In cases where financial institutions form a suspicion of money laundering or terrorist financing, and they reasonably believe that performing the CDD process will tip-off the customer, they should be permitted not to pursue the CDD process, and instead should be required to file an STR.