FATF 40 AML/CFT Recommendations

What are the FATF 40 Recommendations?

The FATF 40 Recommendations are the global standard for combating money laundering, terrorist financing, and the financing of weapons of mass destruction proliferation. Issued by the Financial Action Task Force (FATF) — the inter-governmental body established by the G7 in 1989 — the Recommendations set out the legal, regulatory, and operational measures that countries should adopt to build effective AML/CFT/CPF regimes. They are not law in themselves; instead, they form the framework that national legislatures, supervisors, and Financial Intelligence Units use to design their own rules.

Although called the "40 Recommendations," the framework also includes a set of Interpretive Notes that elaborate each Recommendation, plus 11 Immediate Outcomes used in mutual evaluations to assess effectiveness in practice. Compliance is measured along two dimensions: technical compliance with the legal standards (Recommendation by Recommendation) and effectiveness (Immediate Outcome by Immediate Outcome).

How many FATF Recommendations are there?

The headline number is 40 — but it has not always been so. The original 1990 Recommendations focused on money laundering. The 2003 revision added counter-terrorism content. In 2012, FATF integrated the original 40 plus the Special Recommendations on Terrorist Financing into a single set of 40 Recommendations covering ML, TF, and proliferation financing — the architecture that remains in force today. References to "40+9 Recommendations" reflect the pre-2012 version and are no longer current. Within the modern 40, individual Recommendations have been refined regularly — most notably Recommendation 15 on virtual asset service providers (VASPs), updated in 2018–2019 to extend the framework to crypto.

Structure of the FATF 40 Recommendations

The Recommendations are grouped into seven sections that together cover the full AML/CFT/CPF lifecycle. The first section addresses AML/CFT policies and coordination — including the requirement for every country to conduct a national risk assessment and apply a risk-based approach. The second covers money laundering and confiscation, defining the offence and the powers needed to seize criminal proceeds. The third handles terrorist financing and proliferation financing, including targeted financial sanctions implementing UN Security Council Resolutions. The fourth — and the most operationally consequential for financial institutions — sets out preventive measures: customer due diligence, recordkeeping, PEP rules, correspondent banking, wire transfers, and reliance on third parties. The fifth establishes rules on transparency and beneficial ownership of legal persons and arrangements. The sixth defines the powers and responsibilities of competent authorities, including FIUs and supervisors. The seventh sets out international cooperation standards — mutual legal assistance, extradition, and information sharing.

Key Recommendations for financial institutions

Several Recommendations sit at the heart of every AML/CFT compliance programme. Recommendation 1 mandates the risk-based approach across every country, supervisor, and obliged entity. Recommendation 10 sets the global CDD standard — verifying customer identity, identifying beneficial owners, understanding the nature of the relationship, and conducting ongoing monitoring. Recommendations 11 and 12 cover recordkeeping and politically exposed persons. Recommendation 13 addresses correspondent banking. Recommendation 16 is the Travel Rule, requiring originator and beneficiary information to accompany wire transfers and (since 2019) virtual asset transfers. Recommendation 20 mandates suspicious-transaction reporting to FIUs. Recommendation 22 extends the preventive framework to DNFBPs. Recommendations 24 and 25 require transparent and accurate beneficial-ownership information for legal persons and arrangements. Many of these are operationalised through ongoing customer KYC, transaction monitoring, and AML screening controls — see our explainer on the 5 pillars of an AML program for the broader programme architecture.

FATF and KYC

The 40 Recommendations are the upstream source of nearly every national CDD and KYC rule in force today — from FinCEN's CIP/CDD framework to the EU AMLR, the UAE Federal Decree-Law 20 of 2018, the FCA Handbook, and dozens of others. FATF Recommendation 10 specifies that obliged entities must identify and verify the customer using reliable, independent source documents or data; identify the beneficial owner and take reasonable measures to verify their identity; understand the purpose and intended nature of the business relationship; and conduct ongoing due diligence, ensuring transactions are consistent with the institution's knowledge of the customer. The principles set out in the Wolfsberg Principles and the Basel Committee AML guidelines translate these standards into bank-specific operating practice — and see our AML compliance complete guide and explainer on finding the UBO of a company for the operational details.

Risk-based approach

Recommendation 1 is the foundation of the modern AML framework — the risk-based approach. Countries must identify, assess, and understand the ML/TF/PF risks they face and apply mitigating measures proportionate to those risks. Supervisors and obliged entities must do the same at their own level. The risk-based approach replaces the older "rules-based" model in which the same controls were applied to every customer regardless of risk; instead, resources are concentrated where exposure is highest. In practice, this means simplified due diligence may be appropriate for very low-risk relationships and EDD must be applied to higher-risk ones — including PEPs, customers from high-risk jurisdictions, and complex or unusual structures.

VASPs and the Travel Rule

In 2019 FATF extended the Recommendations explicitly to virtual asset service providers (VASPs) — see our KYC guide for crypto for the practitioner view. Recommendation 15 now requires countries to license or register VASPs and apply the same preventive obligations as those applied to financial institutions. Recommendation 16 — the Travel Rule — was extended to virtual asset transfers, requiring VASPs to obtain and transmit originator and beneficiary information for transfers above defined thresholds. Implementation across jurisdictions is uneven, and FATF has continued to publish guidance and follow-up reports on the so-called "Travel Rule gap" in the crypto sector.

Mutual evaluations and compliance

FATF assesses each member jurisdiction through mutual evaluations conducted on a multi-year cycle. The evaluation covers both technical compliance with the 40 Recommendations and effectiveness against the 11 Immediate Outcomes. Outcomes are graded — Compliant, Largely Compliant, Partially Compliant, Non-Compliant for technical compliance; High, Substantial, Moderate, Low for effectiveness. Countries with significant deficiencies may be placed on FATF's "grey list" (jurisdictions under increased monitoring) or "black list" (high-risk jurisdictions subject to a call for countermeasures). Listing has serious consequences for cross-border banking, investment, and trade flows.

Are FATF Recommendations legally binding?

Strictly speaking, no. The 40 Recommendations are international standards, not international law. They become enforceable only when implemented through national legislation and regulation. In practice, however, the framework is treated as effectively binding: FATF mutual evaluations, peer pressure, and reputational consequences (grey/black listing) create powerful incentives for jurisdictions to align. As a result, virtually every major economy has now embedded the 40 Recommendations into domestic law.