FATF Rec 1: What It Requires and Who It Applies To
FATF Recommendation 1, issued by the Financial Action Task Force, requires countries and their financial institutions to identify, assess, and understand their money laundering and terrorist financing risks, then apply controls proportionate to those risks. It applies to banks, fintechs, VASPs, and designated non-financial businesses and professions (DNFBPs) in every jurisdiction that implements the FATF Standards, which, counting FATF members and the members of FATF-style regional bodies, is more than 200 jurisdictions. The risk-based framework took its current form in the 2012 revision of the FATF Standards, last updated in October 2023.
What is FATF Rec 1?
FATF Recommendation 1 is the foundational standard of the Financial Action Task Force's 40 Recommendations, requiring countries and their financial institutions to identify, assess, and understand money laundering (ML) and terrorist financing (TF) risks, then apply anti-money laundering controls proportionate to those risks. The FATF, an intergovernmental body established in 1989, published the original 40 Recommendations in 1990. The risk-based approach (RBA) at the heart of Recommendation 1 took current form in the 2012 revision of the FATF Standards, with the most recent update published in October 2023.
Before 2012, most jurisdictions operated under a compliance-based, rule-driven model: apply the same controls to every customer and file the same reports regardless of actual threat exposure. The 2012 revision made proportionality an explicit requirement. A bank that serves high-risk cryptocurrency businesses alongside retail depositors and applies identical controls to both is wasting analyst capacity and, more importantly, failing the standard.
The Interpretive Note to Recommendation 1 makes the obligations concrete. Countries must conduct national risk assessments (NRAs) and make results available to financial institutions. In turn, banks, fintechs, and all other covered entities must conduct their own institutional risk assessments, document the methodology, keep it current, and use the results to calibrate every element of their AML/CFT program. This is a live document, not a one-time filing. Regulators expect annual reviews at minimum, with event-triggered updates when a new product launches, a new geography is entered, or typologies shift.
Recommendation 1 also permits simplified measures where risks are demonstrably low. That flexibility is the mechanism behind tiered Customer Due Diligence (CDD) programs. The permission comes with conditions: institutions must record exactly why the risk is low before reducing the depth of scrutiny.
Who does FATF Rec 1 apply to?
FATF Recommendation 1 applies to every entity that falls within the FATF's definition of a financial institution or designated non-financial business and profession. The Recommendations aren't self-executing international law. Their force comes through national implementation: the FATF's member jurisdictions, together with the more than 200 jurisdictions reached through the FATF-style regional bodies (FSRBs), transpose the standards into domestic statute.
Covered entity types:
- Banks and credit institutions: Commercial banks, savings banks, credit unions, and private banking divisions. Any entity accepting deposits or extending credit is in scope.
- Fintechs and payment service providers: Digital wallets, payment processors, buy-now-pay-later providers, and money remittance firms. In the United States, FinCEN's MSB registration requirements under the BSA implement this for the domestic market.
- Virtual asset service providers (VASPs): Crypto exchanges, custodial wallet providers, and DeFi platforms meeting the FATF definition. The FATF added VASPs explicitly in 2018. They're now subject to the same NRA-driven risk calibration as traditional banks.
- Securities firms and broker-dealers: Investment firms, mutual fund administrators, and stockbrokers.
- Insurance companies: Life insurers and those offering investment-linked products.
- DNFBPs: Real estate agents handling high-value transactions, dealers in precious metals and stones, accountants, lawyers acting in certain transaction types, trust and company service providers, and casinos. FATF Rec 22 sets the specific CDD requirements for this group.
There's no size threshold in the FATF text itself. A two-person fintech and a global systemically important bank are both in scope. Proportionality governs the calibration of controls, not the applicability of the framework. A small institution with a simple, low-risk business model can have a shorter, simpler risk assessment. It still needs one.
What does FATF Rec 1 require?
The Interpretive Note to Recommendation 1 breaks the obligation into discrete requirements. Here's what institutions must actually deliver:
Conduct an institutional risk assessment. Identify the ML/TF risks inherent in your customer base, products, delivery channels, and geographic exposure. Document the methodology. The FATF's National Risk Assessment Guidance provides the reference framework; each institution must apply it to its own context, not copy a template.
Incorporate the national risk assessment. Where a national competent authority has published an NRA, institutions must consider it. Ignoring a documented national-level threat typology in your own assessment is a finding examiners will write up.
Apply enhanced measures to higher-risk situations. Enhanced Due Diligence (EDD) is mandatory for customers and products flagged as high-risk in your assessment. For politically exposed persons, the linkage to FATF Rec 12 is direct.
Apply simplified measures only where risks are demonstrably low. Simplified due diligence is a conditional permission. Documented evidence that the risk is low must exist before lighter controls are applied.
Calibrate your AML/CFT program to your risk profile. Customer risk scoring, transaction monitoring alert thresholds, and suspicious activity report (SAR) filing triggers should all reflect your institution-specific risk assessment. A threshold lifted from a peer's playbook without documented justification doesn't satisfy the standard.
Maintain records of your risk assessment. FATF Recommendation 11 sets a five-year minimum for AML/CFT records, and implementing jurisdictions follow it: the EU's AML Directives and the UK's MLR 2017 both require five-year retention for AML documentation, including the risk assessment and its revision history.
Review and update the assessment regularly. At minimum annually. Immediately following a material change to the business model, product mix, customer base, or published typologies. The risk assessment is a live document, and examiners will check version history.
Demonstrate the link between assessment and controls. This is the test institutions fail most often. Your alert thresholds, CDD tiers, and monitoring rules must be traceable back to your risk assessment. The logic must be explicit.
The risk-based approach doesn't allow institutions to lower standards broadly. It demands more analytical work: every calibration decision must be justified and documented.
What evidence do regulators expect?
Examiners don't want a policy that says "we follow a risk-based approach." They want evidence the approach is operating. Here's what they look for in practice:
- Written risk assessment: A dated, version-controlled document covering customer risk, product risk, channel risk, and geographic risk. The analysis must reflect the actual business. A generic template with the institution's name swapped in will be noted.
- Risk methodology documentation: How were factors weighted? What data sources were used? If weighting changed since the last review, what triggered it?
- Board or senior management sign-off: Risk assessments must be approved at the appropriate governance level. The UK FCA expects formal MLRO sign-off; many US regulators expect board-level ratification.
- Training records: Staff applying the risk-based approach need documented training on what it means in practice. Annual sign-offs on a policy document don't substitute.
- Transaction monitoring configuration logs: Examiners want to see that alert thresholds are calibrated to the risk assessment and that rule changes are documented with a rationale.
- Customer risk rating distribution: A breakdown of the portfolio by risk tier. If 99% of customers are rated low risk, expect detailed questions on the methodology.
- EDD evidence files: For high-risk customers, documented evidence of enhanced scrutiny: source of wealth, source of funds, and ongoing monitoring records. The AML Risk Assessment Step-by-Step Guide covers documentation requirements in practical detail.
- NRA cross-reference: Evidence that the institution has considered the relevant national risk assessment findings, including any sector-specific guidance from the competent authority.
Common failure modes
Most Recommendation 1 enforcement actions don't cite the standard by name. They show up as domestic AML statute violations, but the root cause is almost always a broken or absent risk assessment. Common patterns:
Generic, untailored risk assessments. Banks that copy a peer's assessment or use an unmodified industry template. The FCA cited this as a systemic problem in its 2021 review of 89 financial institutions' AML frameworks, finding that many had failed to reflect their specific business models in their ML/TF risk assessments (FCA Dear CEO Letter, March 2021).
Static assessments that go stale. TD Bank's 2024 consent order with FinCEN and the OCC, resulting in over $3 billion in combined penalties, identified failures to update risk programs when the bank expanded into new business lines. The bank knew about risk gaps and didn't act.
Monitoring thresholds not linked to the risk assessment. Setting the same transaction alert threshold for a retail branch serving low-income depositors and a private banking desk serving high-net-worth clients is a documented failure pattern examiners flag directly.
Risk ratings that don't change behavior. If customers rated high-risk receive identical CDD treatment to low-risk customers in practice, the risk-based approach is a paper exercise. Examiners compare risk tiers to actual due diligence file contents.
No documented rationale for simplified measures. Applying lighter CDD without recording the specific reason the risk is low.
Ignoring the national risk assessment. Where a published NRA identifies specific product or sector vulnerabilities, institutions that can't show they considered those findings in their own assessment have an obvious gap.
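Three of the failure modes above (controls not traceable to the assessment, risk ratings that don't change behaviour, and simplified measures with no recorded rationale) can be caught before an examiner does by reconciling the documented control matrix against what was actually applied to each customer file. The following is an added illustration, not FATF text and not any vendor's product: the tier names, required measures, field names, and sample customer files are all constructed here, and a real institution would substitute its own assessment and CDD records.

```python
"""Reconcile an institutional risk assessment's control matrix against the
CDD measures actually applied to customer files.

Constructed example: tier names, measures and sample data are illustrative
assumptions, not FATF text or any regulator's checklist.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Control matrix as documented in the (constructed) institutional risk
# assessment: each risk tier maps to the minimum CDD measures it must trigger.
# High-risk files need EDD (source of funds/wealth, enhanced monitoring).
REQUIRED_MEASURES: dict[str, set[str]] = {
    "low": {"identity_verified"},
    "standard": {"identity_verified", "sanctions_screened"},
    "high": {
        "identity_verified", "sanctions_screened",
        "source_of_funds", "source_of_wealth", "enhanced_monitoring",
    },
}

# Portfolio-level sanity threshold (assumption): if more than this share of
# customers is rated low risk, flag the methodology for review.
MAX_LOW_RISK_SHARE = 0.90


@dataclass
class CustomerFile:
    customer_id: str
    risk_tier: str
    measures_applied: set[str] = field(default_factory=set)
    # Rec 1 permits simplified measures only with a documented low-risk reason.
    simplified_rationale: str = ""


def check_file(cust: CustomerFile) -> list[str]:
    """Return findings for one customer file; an empty list means consistent."""
    findings: list[str] = []
    required = REQUIRED_MEASURES.get(cust.risk_tier)
    if required is None:
        return [f"{cust.customer_id}: unknown risk tier '{cust.risk_tier}'"]

    # Rating must change behaviour: every measure the tier demands must exist.
    missing = required - cust.measures_applied
    if missing:
        findings.append(
            f"{cust.customer_id}: tier '{cust.risk_tier}' but missing "
            + ", ".join(sorted(missing))
        )

    # Simplified due diligence is conditional on a recorded rationale.
    if cust.risk_tier == "low" and not cust.simplified_rationale.strip():
        findings.append(
            f"{cust.customer_id}: simplified measures applied with no documented rationale"
        )
    return findings


def check_portfolio(files: list[CustomerFile]) -> tuple[list[str], dict[str, int]]:
    """Run check_file over a portfolio and add a tier-distribution finding."""
    findings = [f for c in files for f in check_file(c)]
    distribution: dict[str, int] = {}
    for c in files:
        distribution[c.risk_tier] = distribution.get(c.risk_tier, 0) + 1
    if files and distribution.get("low", 0) / len(files) > MAX_LOW_RISK_SHARE:
        findings.append(
            f"portfolio: {distribution['low']}/{len(files)} customers rated low risk; "
            "methodology needs documented justification"
        )
    return findings, distribution


# Constructed sample portfolio (not real customer data).
SAMPLE_FILES = [
    CustomerFile("C001", "high", {"identity_verified", "sanctions_screened",
                                  "source_of_funds", "source_of_wealth",
                                  "enhanced_monitoring"}),
    CustomerFile("C002", "high", {"identity_verified", "sanctions_screened"}),
    CustomerFile("C003", "low", {"identity_verified"}),
    CustomerFile("C004", "low", {"identity_verified"},
                 simplified_rationale="Domestic salary account, low-value, NRA low-risk product"),
    CustomerFile("C005", "standard", {"identity_verified", "sanctions_screened"}),
]

if __name__ == "__main__":
    results, dist = check_portfolio(SAMPLE_FILES)
    print("Tier distribution:", dist)
    for line in results:
        print("FINDING:", line)
```

Run against the constructed sample, the check reports two findings: C002 is rated high but has no EDD measures on file, and C003 received simplified treatment with no rationale recorded. Those are exactly the gaps examiners find by comparing risk tiers to due diligence file contents; extending the matrix with monitoring-threshold identifiers per tier turns the same reconciliation into the "assessment to controls" traceability test described earlier.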
Penalties for non-compliance
Recommendation 1 failures rarely appear in isolation. They surface as part of broader AML program breakdowns, and penalties reflect the scale of systemic failure.
TD Bank, United States (2024): FinCEN, the OCC, and the DOJ assessed over $3 billion in combined penalties against TD Bank for, among other failures, maintaining an AML program that didn't reflect the bank's actual ML/TF risk profile. Internal reviews had flagged gaps, and the bank didn't address them. This is the largest bank criminal penalty in US AML history.
HSBC, United States (2012): The DOJ and FinCEN assessed $1.9 billion following findings that included a near-complete absence of country-level and product-level risk assessments for HSBC's Mexico and US correspondent banking operations. Billions in drug cartel proceeds moved through accounts that had no meaningful risk-based controls applied (DOJ press release, December 2012).
Westpac, Australia (2020): AUSTRAC assessed AUD 1.3 billion against Westpac for 23 million breaches of the AML/CTF Act. Failures included not assessing the ML/TF risks of a specific correspondent banking product that was later traced to child exploitation payments.
In the EU, the EU AMLR and the EU AMLA (operational from 2027) will give a supranational authority direct sanctioning power over high-risk obliged entities. Penalties under the EU framework reach EUR 10 million or 10% of annual turnover, whichever is higher, for serious breaches.
Related regulations and frameworks
Recommendation 1 is the risk-based umbrella. The other FATF Recommendations set out specific obligations, and the risk assessment required by Recommendation 1 determines how intensively each of them is applied.
FATF Rec 10 governs CDD requirements. Your risk assessment determines which customers receive standard CDD, which get Enhanced Due Diligence (EDD), and which qualify for simplified treatment. The two recommendations operate as a linked system.
FATF Rec 20 on suspicious transaction reporting is the exception to the risk-based approach: the Interpretive Note to Recommendation 1 states that countries may not apply the RBA to the reporting obligation itself, so once suspicion exists a Suspicious Transaction Report (STR) must be filed whatever the customer's risk tier. What the risk assessment does calibrate is the monitoring that surfaces suspicion. A transaction pattern that generates an alert for a high-risk customer may not trigger one for a low-risk customer, so the risk assessment still determines which activity reaches an analyst in the first place.
At national level, Recommendation 1 is implemented through the BSA in the United States, the MLR 2017 in the UK, and India's PMLA. Each national law adds specificity on record retention periods and reporting timelines, but all sit on the Recommendation 1 RBA foundation.
For VASPs, the 2018 FATF update brought crypto exchanges and custodial wallet providers into the RBA framework. The FATF Virtual Assets Guidance and FATF Rec 15 on new technologies both reference Recommendation 1 as the framework for assessing ML/TF risks posed by new products and channels.
The EU's AML Directives and the forthcoming EU AMLR implement Recommendation 1 directly, requiring all obliged entities to conduct and document ML/TF risk assessments at both the business-wide and the individual customer level, with assessments subject to supervisory review.
How FluxForce supports FATF Rec 1 compliance
FluxForce's AI agents automate the most labor-intensive parts of a risk-based AML program. Nova Sentinel runs continuous customer risk scoring, updating ratings in real time as transaction behavior, adverse media, and sanctions data change. Aiden Flux maps institutional risk across customer segments, products, and geographies, producing an audit-ready risk assessment that updates automatically when the business changes. Every risk calibration decision comes with a full explanation, so compliance teams can show examiners the documented rationale behind every threshold. See how FluxForce supports Regulatory Compliance Automation, or book a demo to see it working on your data.