FATF Methodology

About

Contents

List of recommendations

Technical compliance assessment

Recommendation

Interpretive Note

list of
results

Glossary

RECOMMENDATION 1

ASSESSING RISKS AND APPLYING A RISK-BASED APPROACH5 The requirements in this recommendation should be assessed taking into account the more specific risk based requirements in other Recommendations. Under Recommendation 1 assessors should come to an overall view of risk assessment and risk mitigation by countries and financial institutions/DNFBPs as required in other Recommendations, but should not duplicate the detailed assessments of risk-based measures required under other Recommendations. Assessors are not expected to conduct an in-depth review of the country’s assessment(s) of risks. Assessors should focus on the process, mechanism, and information sources adopted by the country, as well as the contextual factors, and should consider the reasonableness of the conclusions of the country’s assessment(s) of risks.

OBLIGATIONS AND DECISIONS FOR COUNTRIES

Risk assessment

1.1Countries6 Where appropriate, ML/TF risk assessments at a supra-national level should be taken into account when considering whether this obligation is satisfied. should identify and assess the ML/TF risks for the country,
1.2Countries should designate an authority or mechanism to co-ordinate actions to assess risks.
1.3Countries should keep the risk assessments up-to-date.
1.4Countries should have mechanisms to provide information on the results of the risk assessment(s) to all relevant competent authorities and self-regulatory bodies (SRBs), financial institutions and DNFBPs.

Risk mitigation

1.5Based on their understanding of their risks, countries should apply a risk-based approach to allocating resources and implementing measures to prevent or mitigate ML/TF.
1.6Countries which decide not to apply some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, should demonstrate that:
1. there is a proven low risk of ML/TF; the exemption occurs in strictly limited and justified circumstances; and it relates to a particular type of financial institution or activity, or DNFBP; or
2. a financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis (having regard to quantitative and absolute criteria), such that there is a low risk of ML/TF.
1.7Where countries identify higher risks, they should ensure that their AML/CFT regime addresses such risks, including through: (a) requiring financial institutions and DNFBPs to take enhanced measures to manage and mitigate the risks; or (b) requiring financial institutions and DNFBPs to ensure that this information is incorporated into their risk assessments.
1.8Countries may allow simplified measures for some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, provided that a lower risk has been identified, and this is consistent with the country’s assessment of its ML/TF risks.7Where the FATF Recommendations identify higher risk activities for which enhanced or specific measures are required, countries should ensure that all such measures are applied, although the extent of such measures may vary according to the specific level of risk.
1.9Supervisors and SRBs should ensure that financial institutions and DNFBPs are implementing their obligations under Recommendation 18The requirements in this criterion should be assessed taking into account the findings in relation to Recommendations 26 and 28..

OBLIGATIONS AND DECISIONS FOR FINANCIAL INSTITUTIONS AND DNFBPS

Risk assessment

1.10Financial institutions and DNFBPs should be required to take appropriate steps to identify, assess, and understand their ML/TF risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels)9 The nature and extent of any assessment of ML/TF risks should be appropriate to the nature and size of the business. Competent authorities or SRBs may determine that individual documented risk assessments are not required, provided that the specific risks inherent to the sector are clearly identified and understood, and that individual financial institutions and DNFBPs understand their ML/TF risks.. This includes being required to:
1. document their risk assessments;
2. consider all the relevant risk factors before determining what is the level of overall risk and the appropriate level and type of mitigation to be applied;
3. keep these assessments up to date; and
4. have appropriate mechanisms to provide risk assessment information to competent authorities and SRBs.

Risk mitigation

1.11Financial institutions and DNFBPs should be required to:
1. have policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified (either by the country or by the financial institution or DNFBP);
2. monitor the implementation of those controls and to enhance them if necessary; and
3. take enhanced measures to manage and mitigate the risks where higher risks are identified.
1.12Countries may only permit financial institutions and DNFBPs to take simplified measures to manage and mitigate risks, if lower risks have been identified, and criteria 9 to 11 are met. Simplified measures should not be permitted whenever there is a suspicion of ML/TF.

RECOMMENDATION 2

NATIONAL CO-OPERATION AND CO-ORDINATION

OBLIGATIONS AND DECISIONS FOR COUNTRIES

2.1Countries should have national AML/CFT policies which are informed by the risks identified, and are regularly reviewed.
2.2Countries should designate an authority or have a co-ordination or other mechanism that is responsible for national AML/CFT policies.
2.3Mechanisms should be in place to enable policy makers, the Financial Intelligence Unit (FIU), law enforcement authorities, supervisors and other relevant competent authorities to co-operate, and where appropriate, co-ordinate and exchange information domestically with each other concerning the development and implementation of AML/CFT policies and activities. Such mechanisms should apply at both policymaking and operational levels.
2.4Competent authorities should have similar co-operation and, where appropriate, coordination mechanisms to combat the financing of proliferation of weapons of mass destruction.
2.5Countries should have cooperation and coordination between relevant authorities to ensure the compatibility of AML/CFT requirements with Data Protection and Privacy rules and other similar provisions (e.g. data security / localisation).10For the purposes of technical compliance, the assessment should be limited to whether there are mechanisms in place enabling co-operation and co-ordination between the relevant authorities.

RECOMMENDATION 3

MONEY LAUNDERING OFFENCE

3.1ML should be criminalised on the basis of the Vienna Convention and the Palermo Convention (see Article 3(1)(b)&(c) Vienna Convention and Article 6(1) Palermo Convention11Note in particular the physical and material elements of the offence.)
3.2The predicate offences for ML should cover all serious offences, with a view to including the widest range of predicate offences. At a minimum, predicate offences should include a range of offences in each of the designated categories of offences12Recommendation 3 does not require countries to create a separate offence of “participation in an organised criminal group and racketeering”. In order to cover this category of “designated offence”, it is sufficient if a country meets either of the two options set out in the Palermo Convention, i.e. either a separate offence or an offence based on conspiracy..
3.3Where countries apply a threshold approach or a combined approach that includes a threshold approach13Countries determine the underlying predicate offences for ML by reference to (a) all offences; or (b) to a threshold linked either to a category of serious offences or to the penalty of imprisonment applicable to the predicate offence (threshold approach); or (c) to a list of predicate offences; or (d) a combination of these approaches., predicate offences should, at a minimum, comprise all offences that:
1. fall within the category of serious offences under their national law; or
2. are punishable by a maximum penalty of more than one year’s imprisonment; or
3. are punished by a minimum penalty of more than six months’ imprisonment (for countries that have a minimum threshold for offences in their legal system).
3.4The ML offence should extend to any type of property, regardless of its value, that directly or indirectly represents the proceeds of crime.
3.5When proving that property is the proceeds of crime, it should not be necessary that a person be convicted of a predicate offence.
3.6Predicate offences for money laundering should extend to conduct that occurred in another country, which constitutes an offence in that country, and which would have constituted a predicate offence had it occurred domestically.
3.7The ML offence should apply to persons who commit the predicate offence, unless this is contrary to fundamental principles of domestic law.
3.8It should be possible for the intent and knowledge required to prove the ML offence to be inferred from objective factual circumstances.
3.9Proportionate and dissuasive criminal sanctions should apply to natural persons convicted of ML.
3.10Criminal liability and sanctions, and, where that is not possible (due to fundamental principles of domestic law), civil or administrative liability and sanctions, should apply to legal persons. This should not preclude parallel criminal, civil or administrative proceedings with respect to legal persons in countries in which more than one form of liability is available. Such measures are without prejudice to the criminal liability of natural persons. All sanctions should be proportionate and dissuasive.
3.11Unless it is not permitted by fundamental principles of domestic law, there should be appropriate ancillary offences to the ML offence, including: participation in; association with or conspiracy to commit; attempt; aiding and abetting; facilitating; and counselling the commission.

RECOMMENDATION 29

FINANCIAL INTELLIGENCE UNITS (FIU)

29.1Countries should establish an FIU with responsibility for acting as a national centre for receipt and analysis of suspicious transaction reports and other information relevant to money laundering, associated predicate offences and terrorist financing; and for the dissemination of the results of that analysis.80 Considering that there are different FIU models, Recommendation 29 does not prejudge a country’s choice for a particular model, and applies equally to all of them.
29.2The FIU should serve as the central agency for the receipt of disclosures filed by reporting entities, including:
1. Suspicious transaction reports filed by reporting entities as required by Recommendation 20 and 23; and
2. any other information as required by national legislation (such as cash transaction reports, wire transfers reports and other threshold-based declarations/disclosures).
29.3The FIU should81 In the context of its analysis function, an FIU should be able to obtain from any reporting entity additional information relating to a suspicion of ML/TF. This does not include indiscriminate requests for information to reporting entities in the context of the FIU's analysis (e.g., "finishing expeditions").:
1. in addition to the information that entities report to the FIU, be able to obtain and use additional information from reporting entities, as needed to perform its analysis properly; and
2. have access to the widest possible range82 This should include information from open or public sources, as well as relevant information collected and/or maintained by, or on behalf of, other authorities and, where appropriate commercially held data. of financial, administrative and law enforcement information that it requires to properly undertake its functions.
29.4The FIU should conduct:
1. operational analysis, which uses available and obtainable information to identify specific targets, to follow the trail of particular activities or transactions, and to determine links between those targets and possible proceeds of crime, money laundering, predicate offences and terrorist financing; and
2. strategic analysis, which uses available and obtainable information, including data that may be provided by other competent authorities, to identify money laundering and terrorist financing related trends and patterns.
29.5The FIU should be able to disseminate, spontaneously and upon request, information and the results of its analysis to relevant competent authorities, and should use dedicated, secure and protected channels for the dissemination.
29.6The FIU should protect information by:
1. having rules in place governing the security and confidentiality of information, including procedures for handling, storage, dissemination, and protection of, and access to, information;
2. ensuring that FIU staff members have the necessary security clearance levels and understanding of their responsibilities in handling and disseminating sensitive and confidential information; and
3. ensuring that there is limited access to its facilities and information, including information technology systems.
29.7The FIU should be operationally independent and autonomous, by:
1. having the authority and capacity to carry out its functions freely, including the autonomous decision to analyse, request and/or forward or disseminate specific information;
2. being able to make arrangements or engage independently with other domestic competent authorities or foreign counterparts on the exchange of information;
3. when it is located within the existing structure of another authority, having distinct core functions from those of the other authority; and
4. being able to obtain and deploy the resources needed to carry out its functions, on an individual or routine basis, free from any undue political, government or industry influence or interference, which might compromise its operational independence.
29.8Where a country has created an FIU and is not an Egmont Group member, the FIU should apply for membership in the Egmont Group. The FIU should submit an unconditional application for membership to the Egmont Group and fully engage itself in the application process.

RECOMMENDATION 30

RESPONSIBILITIES OF LAW ENFORCEMENT AND INVESTIGATIVE AUTHORITIES

30.1There should be designated law enforcement authorities that have responsibility for ensuring that money laundering, associated predicate offences and terrorist financing offences are properly investigated, within the framework of national AML/CFT policies.
30.2Law enforcement investigators of predicate offences should either be authorised to pursue the investigation of any related ML/TF offences during a parallel financial investigation83 A ‘parallel financial investigation’ refers to conducting a financial investigation alongside, or in the context of, a (traditional) criminal investigation into money laundering, terrorist financing and/or predicate offence(s).
A ‘financial investigation’ means an enquiry into the financial affairs related to a criminal activity, with a view to: (i) identifying the extent of criminal networks and/or the scale of criminality; (ii) identifying and tracing the proceeds of crime, terrorist funds or any other assets that are, or may become, subject to confiscation; and (iii) developing evidence which can be used in criminal proceedings. , or be able to refer the case to another agency to follow up with such investigations, regardless of where the predicate offence occurred.
30.3There should be one or more designated competent authorities to expeditiously identify, trace, and initiate freezing and seizing of property that is, or may become, subject to confiscation, or is suspected of being proceeds of crime.
30.4Countries should ensure that Recommendation 30 also applies to those competent authorities, which are not law enforcement authorities, per se, but which have the responsibility for pursuing financial investigations of predicate offences, to the extent that these competent authorities are exercising functions covered under Recommendation 30.
30.5If anti-corruption enforcement authorities are designated to investigate ML/TF offences arising from, or related to, corruption offences under Recommendation 30, they should also have sufficient powers to identify, trace, and initiate freezing and seizing of assets.

RECOMMENDATION 31

POWERS OF LAW ENFORCEMENT AND INVESTIGATIVE AUTHORITIES

31.1Competent authorities conducting investigations of money laundering, associated predicate offences and terrorist financing should be able to obtain access to all necessary documents and information for use in those investigations, and in prosecutions and related actions. This should include powers to use compulsory measures for:
1. the production of records held by financial institutions, DNFBPs and other natural or legal persons;
2. the search of persons and premises;
3. taking witness statements; and
4. seizing and obtaining evidence.
31.2Competent authorities conducting investigations should be able to use a wide range of investigative techniques for the investigation of money laundering, associated predicate offences and terrorist financing, including:
1. undercover operations;
2. intercepting communications;
3. accessing computer systems; and
4. controlled delivery.
31.3Countries should have mechanisms in place:
1. to identify, in a timely manner, whether natural or legal persons hold or control accounts; and
2. to ensure that competent authorities have a process to identify assets without prior notification to the owner.
31.4Competent authorities conducting investigations of money laundering, associated predicate offences and terrorist financing should be able to ask for all relevant information held by the FIU.