FATF — The 40 Recommendations, Mutual Evaluations & Lists
- Explain what the FATF is and why it sits at the center of the global AML/CFT system.
- Describe the 40 Recommendations and the risk-based approach they anchor.
- Explain how mutual evaluations assess a country's compliance.
- Distinguish the FATF grey list from the black list and what each means.
- Identify FATF-style regional bodies and their role.
Cold open / hook
No single country can stop money laundering. Dirty money does not respect borders — it flows to wherever the rules are weakest. So in 1989, the world's major economies asked a simple question: what if we agreed on *one* global standard, and then graded every country against it? The body they created to do that is the FATF. Understand the FATF, and you hold the key to all of Domain 2 — because almost every law we will study traces back to it.
Who the FATF is and why it exists
Let us start with the name. FATF stands for the Financial Action Task Force. It was established in 1989 by the G7 group of nations, originally to fight money laundering tied to drug trafficking. After the attacks of September 11th, 2001, its mandate expanded to include combating the financing of terrorism, and later the financing of weapons proliferation.
The crucial distinction to understand — and the exam tests it — is what the FATF *is*. The FATF is an intergovernmental *standard-setting* body. It is not a law. It is not a police force. It cannot arrest anyone or freeze an account. What it does is set the *global standards* that countries then write into their own national laws. The US Bank Secrecy Act, the EU's AML Directives, rules across Asia and Africa — they are all, in large part, countries implementing FATF standards domestically.
So think of the FATF as the architect, and national governments as the builders. The FATF draws the blueprint; each country constructs the building in its own legal style. That blueprint has a name: the 40 Recommendations.
The 40 Recommendations
The 40 Recommendations are the FATF's core output — a comprehensive set of measures that countries should put in place to combat money laundering, terrorist financing, and proliferation financing. They are recognized as the international standard, and they are publicly available on the FATF's website.
You do not need to memorize all forty for the exam, and I would not want you to. What you need is the *shape* of them — what areas they cover. Broadly, the Recommendations address: criminalizing money laundering and terrorist financing; customer due diligence and recordkeeping by financial institutions; transparency of beneficial ownership for companies and trusts; suspicious-transaction reporting; the powers of financial intelligence units and law enforcement; and international cooperation, like extradition and mutual legal assistance.
A few specific Recommendations come up often enough to know by name. Recommendation 1 establishes the *risk-based approach*, which we will unpack in a moment — it is foundational. Recommendation 10 covers customer due diligence. Recommendation 16 is the *Travel Rule*, requiring that originator and beneficiary information travel along with wire transfers — and, importantly, the FATF later extended that rule to virtual assets, which we will see in Domain 6. If you remember just those three numbers — 1, 10, and 16 — you will recognize most FATF-Recommendation references you encounter.
The risk-based approach
Recommendation 1 deserves a closer look. The risk-based approach is the philosophical heart of modern AML and a favorite exam concept.
The older way of thinking was *rules-based*: apply the same fixed checks to everyone, every time. The FATF's risk-based approach replaces that with something smarter. It says: identify and assess your risks, then *allocate your resources where the risk is highest*. Apply enhanced scrutiny to high-risk customers, products, and geographies — and simplified measures where risk is genuinely low.
Why does this matter? Because resources are finite. If you treat a retired local pensioner exactly like a foreign politically exposed person moving millions through offshore shells, you waste effort on the first and under-protect against the second. The risk-based approach lets institutions and countries focus their firepower. On the exam, when an answer choice talks about *tailoring* the intensity of controls to the level of risk, that is the risk-based approach speaking.
Mutual evaluations
Now, a standard is only as good as its enforcement. So how does the FATF make sure countries actually *follow* the Recommendations? Through a process called mutual evaluation.
A mutual evaluation is a peer review. Teams of experts from *other* member countries — fellow governments — assess a nation's AML/CFT system in depth. They examine two things. First, *technical compliance*: are the right laws and regulations actually on the books? Second, and just as important, *effectiveness*: do those laws produce real results in practice? A country can have beautiful laws on paper and still fail if no one is filing reports, prosecuting cases, or freezing assets.
The result is a detailed public report, the Mutual Evaluation Report, rating the country across the Recommendations and the effectiveness measures. These reports drive real reform, because no government wants a poor grade in front of its peers — and a poor grade can lead to the lists we are about to discuss. Remember the key word: mutual evaluations are *peer* reviews, country assessing country, not the FATF acting as a court.
The grey list and the black list
This is where the FATF's soft power gets sharp teeth. Based on its findings, the FATF maintains two public lists of jurisdictions with serious deficiencies. The exam wants you to tell them apart cleanly.
The first is officially called *Jurisdictions under Increased Monitoring* — universally known as the **grey list**. A grey-listed country has strategic deficiencies but has *committed* to fixing them on an agreed timeline, and is actively working with the FATF. Being grey-listed is a warning. It signals elevated risk, and banks worldwide will often apply enhanced due diligence to transactions touching that country, which raises the cost of doing business there.
The second is officially called *High-Risk Jurisdictions subject to a Call for Action* — known as the **black list**. This is the severe category. These jurisdictions have serious, persistent deficiencies and are *not* making sufficient progress. For the most extreme cases, the FATF calls on its members to apply *countermeasures* — heightened, sometimes near-prohibitive scrutiny. In practice only a very small number of jurisdictions sit on the black list at any time.
So the simple mental model: grey means "under increased monitoring, committed to reform, treat with caution"; black means "call for action, countermeasures, the most serious risk." Both lists are public and updated by the FATF, typically a few times a year.
FATF-style regional bodies
One last piece, and it explains how a global standard reaches every corner of the world: FATF-style regional bodies, or FSRBs.
The FATF itself has a limited membership of major economies. But money laundering is everywhere, so the FATF works through a network of regional partners that share its standards and run their *own* mutual evaluations of their members. There are FSRBs covering regions such as the Asia-Pacific, the Caribbean, eastern and southern Africa, the Americas, the Middle East and North Africa, and Europe. They apply the same 40 Recommendations within their regions.
The takeaway for the exam is simply this: the FATF plus its FSRBs together form a *global* network, so that essentially every jurisdiction is assessed against the same standard by someone. When a question mentions a regional body conducting evaluations on the FATF model, that is an FSRB.
Recap & next
So today we put the keystone of Domain 2 in place. The FATF is an intergovernmental *standard-setter*, not a law or police force. Its 40 Recommendations are the global AML/CFT standard, anchored by the risk-based approach of Recommendation 1. It enforces through *mutual evaluations* — peer reviews of both technical compliance and real effectiveness. It publishes the grey list — increased monitoring, committed to reform — and the black list — a call for action with countermeasures. And its FSRBs extend that standard worldwide.
Next, we meet the other key bodies that fill out the global framework: Egmont, Wolfsberg, Basel, and the IMF and World Bank — who does what, and why it matters. See you there.