
FATF Rec 1: What It Requires and Who It Applies To

Applies to: banks, fintechs, VASPs, DNFBPs
Jurisdictions: Global

FATF Recommendation 1, codified by the Financial Action Task Force in February 2012, requires countries and financial institutions to identify, assess, and understand their money laundering and terrorist financing risks. Banks, fintechs, virtual asset service providers, and designated non-financial businesses and professions must apply controls proportionate to their specific risk exposure, using stricter measures where risk is higher.

What is FATF Rec 1?

FATF Recommendation 1 is the foundational rule of the Financial Action Task Force's Forty Recommendations on anti-money laundering and counter-terrorist financing. The FATF, an intergovernmental body established by the G7 in 1989, published the current version of its 40 Recommendations in February 2012. Recommendation 1 mandates a risk-based approach (RBA) to AML/CFT rather than applying uniform, rule-based controls to every customer, transaction, or product category.

The reasoning is direct. A salaried employee opening a basic checking account poses a different risk profile than a politically exposed person routing funds through a layered corporate structure. Earlier versions of the Recommendations permitted risk-sensitive measures in places but did not make the risk-based approach a standalone obligation, so many national regimes prescribed identical documentation requirements for both, drained compliance budgets on low-risk activity, and left high-risk channels under-monitored.

Rec 1 changed the global baseline. Countries must now conduct national risk assessments to identify which sectors, products, and customer types carry the highest money laundering and terrorist financing exposure. Obligated entities translate those national findings into firm-level business risk assessments, which in turn drive tiered customer controls. Where risk is demonstrably lower, firms may apply simplified measures. Where risk is higher, they must apply Enhanced Due Diligence (EDD), including enhanced transaction monitoring and ongoing review.

The FATF revises the Recommendations and their interpretive notes periodically. The 2022 and 2023 revisions on beneficial ownership (Recs 24 and 25) and the earlier extension of the standards to virtual assets (Rec 15) both carry Rec 1's risk-based framework into newer structures and products. The consolidated text is available from the FATF directly. That page is the authoritative source; anything else, this page included, is a summary.

Who does FATF Rec 1 apply to?

Rec 1 applies to every financial institution and designated non-financial business and profession (DNFBP) within the FATF's definitions; EU law calls the same population "obliged entities". The FATF's roughly 40 members (jurisdictions plus two regional organisations) cover the bulk of the global financial system by volume, and the standards reach non-members through the FATF-style regional bodies that evaluate them. Non-members still feel the pressure: grey-listing ("increased monitoring") restricts access to correspondent banking relationships and triggers enhanced scrutiny from counterparties.

Covered entity types include:

  • Banks and credit institutions: retail banks, commercial banks, savings institutions, credit unions, and any deposit-taking entity regulated by a prudential authority
  • Fintechs and payment service providers: neobanks, e-money institutions, payment aggregators, buy-now-pay-later providers, and any firm holding a payment institution license
  • Virtual asset service providers (VASPs): centralized crypto exchanges, custodial wallet providers, and, per the FATF's October 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, DeFi arrangements where an owner or operator retains control or sufficient influence over the service; the underlying software on its own is not a VASP
  • Securities and investment firms: broker-dealers, investment managers, collective investment scheme operators, and trading platforms
  • Insurance companies: life insurers and intermediaries writing life policies or investment-linked products
  • Money service businesses: currency exchange operators, remittance providers, and informal value transfer operators including hawala networks
  • DNFBPs: casinos (including internet casinos), real estate agents, lawyers and notaries when they handle client funds or carry out transactions for clients, accountants, trust and company service providers, and dealers in precious metals and stones

FATF sets no size threshold. A ten-person fintech with a payment institution license faces the same RBA obligation as a global bank. Proportionality governs how the firm documents and implements its controls, not whether the obligation exists.

What does FATF Rec 1 require?

Rec 1 breaks into obligations at two levels: country and institution.

Country-level obligations:

  1. Conduct a national risk assessment (NRA) that identifies the money laundering and terrorist financing threats, vulnerabilities, and consequences specific to that jurisdiction. The FATF's 2013 guidance on national ML/TF risk assessment walks countries through sector-level exposure analysis.
  2. Make NRA findings available to obligated entities, so firms can calibrate their own assessments against the national baseline and understand which sectors regulators consider highest priority.
  3. Allow risk-based regulatory relief: where an NRA identifies a specific sector as demonstrably low risk, regulators may permit simplified measures. Where a sector carries elevated risk, they must require enhanced measures.

Firm-level obligations:

  1. Conduct a documented business risk assessment (BRA) covering at minimum: customer types, geographic exposure, products and services, delivery channels, and transaction volumes and patterns.
  2. Set a written risk appetite statement that defines what risk levels the firm accepts, with thresholds that trigger escalation.
  3. Apply tiered Customer Due Diligence (CDD) proportionate to identified risk: standard CDD as the default, simplified due diligence for demonstrably lower-risk relationships, and EDD for high-risk customers including politically exposed persons covered under FATF Rec 12.
  4. Update customer risk ratings dynamically. A rating assigned at onboarding must respond to new information: behavioral signals, ownership structure changes, geographic footprint shifts. Ratings that never move are a red flag on exam day.
  5. Document the risk methodology in enough detail that an examiner can reconstruct how any individual rating was assigned from the file alone.
  6. Train staff to recognize elevated risk indicators and escalate appropriately (FATF Rec 18). Examiners expect training records with completion dates and assessment results by role.
  7. Obtain board or senior management approval for the BRA and risk appetite, with written evidence retained on file.

Most national implementing regulations expect BRA review at minimum annually, with unscheduled updates after any material change to the firm's business model, product set, or customer base. The FATF doesn't set a single global timeframe, but examiners across jurisdictions treat an un-updated BRA as a control failure.
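As an added illustration (not FATF text and not FluxForce's product code), the Python below sketches a customer risk-scoring model with the properties firm-level obligations 1, 3, 4 and 5 call for: a written factor table, a derivation trail attached to every rating, immediate re-rating when new information arrives, and a check that surfaces ratings overdue for review. All factor names, weights, score bands, review intervals and customer records are constructed for the example and carry no regulatory standing.

```python
from dataclasses import dataclass, field
from datetime import date

# Documented scoring methodology (constructed illustration, not FATF values).
# Every factor, every admissible value and its points are written down, so a
# rating is reproducible from this table plus the customer file alone.
FACTOR_SCORES = {
    "customer_type": {"retail": 0, "sme": 1, "complex_structure": 3},
    "pep": {False: 0, True: 4},
    "geography": {"low": 0, "medium": 2, "high": 4},  # riskiest jurisdiction in footprint
    "products": {"basic": 0, "international_payments": 2, "private_banking": 3},
    "channel": {"face_to_face": 0, "non_face_to_face": 1},
}
TIER_BANDS = [(0, 2, "low"), (3, 6, "standard"), (7, 999, "high")]  # inclusive score bands
REVIEW_INTERVAL_DAYS = {"low": 1095, "standard": 365, "high": 180}  # constructed review cycle
AS_OF = date(2026, 3, 1)  # "exam day" used by the demo


@dataclass
class Rating:
    tier: str
    score: int
    breakdown: dict        # factor -> (value, points)
    rationale: list        # human-readable derivation, one entry per factor
    assessed_on: date
    trigger: str           # what caused this (re)assessment


def rate_customer(attrs: dict, assessed_on: date, trigger: str) -> Rating:
    """Score a customer file against FACTOR_SCORES and return the full derivation.

    A missing or unknown attribute raises KeyError: an incomplete file is
    refused rather than silently rated low.
    """
    breakdown, score, rationale = {}, 0, []
    for factor, table in FACTOR_SCORES.items():
        value = attrs[factor]
        points = table[value]
        breakdown[factor] = (value, points)
        score += points
        rationale.append(f"{factor}={value!r}: +{points}")
    tier = next(t for lo, hi, t in TIER_BANDS if lo <= score <= hi)
    rationale.append(f"total {score} -> band {tier}")
    if attrs["pep"] and tier != "high":  # Rec 12: a PEP always gets EDD, whatever the arithmetic says
        rationale.append("override: PEP forces tier high (Rec 12 EDD)")
        tier = "high"
    return Rating(tier, score, breakdown, rationale, assessed_on, trigger)


@dataclass
class CustomerFile:
    customer_id: str
    attrs: dict
    history: list = field(default_factory=list)  # every Rating ever assigned, oldest first

    def assess(self, on: date, trigger: str) -> Rating:
        rating = rate_customer(self.attrs, on, trigger)
        self.history.append(rating)
        return rating

    def apply_event(self, on: date, trigger: str, **changes) -> Rating:
        """New information about the customer: update the file and re-rate at once."""
        self.attrs.update(changes)
        return self.assess(on, trigger)

    @property
    def current(self) -> Rating:
        return self.history[-1]


def stale_ratings(files, today: date) -> list:
    """Customer ids whose latest rating is older than its tier's review interval.

    A rating that has never moved since onboarding surfaces here first.
    """
    return [f.customer_id for f in files
            if (today - f.current.assessed_on).days > REVIEW_INTERVAL_DAYS[f.current.tier]]


def demo():
    """Three constructed customers (not real data) walked through the model."""
    base = {"customer_type": "retail", "pep": False, "geography": "low",
            "products": "basic", "channel": "face_to_face"}
    alice = CustomerFile("C-001", dict(base))
    alice.assess(date(2023, 1, 1), "onboarding")
    # Years later: funds routed via a high-risk jurisdiction through a layered structure.
    alice.apply_event(date(2026, 2, 1), "counterparty review",
                      geography="high", customer_type="complex_structure")
    bob = CustomerFile("C-002", dict(base, pep=True))
    bob.assess(date(2025, 9, 1), "onboarding")
    carol = CustomerFile("C-003", dict(base))  # rated low at launch, never looked at again
    carol.assess(date(2022, 6, 1), "onboarding")
    return alice, bob, carol


if __name__ == "__main__":
    files = demo()
    for f in files:
        for r in f.history:
            print(f.customer_id, r.assessed_on, f"[{r.trigger}]", r.tier, "|", "; ".join(r.rationale))
    print("overdue for review on", AS_OF, ":", stale_ratings(files, AS_OF))
```

Two design points matter more than the arithmetic. First, the model refuses to rate an incomplete file instead of defaulting to low risk, which is the failure mode behind most "uniform CDD" findings. Second, the rationale list is stored with the rating rather than regenerated on demand, so the file shows what the methodology was at the time the rating was assigned, even after the factor table changes.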

What evidence do regulators expect?

Examiners don't read policy documents in isolation. They pull files and test whether the documented framework matches what's actually happening on the floor. On exam day, expect to produce:

  • A current business risk assessment: board-approved, dated within the last 12 months, with version history showing it's been actively updated rather than recycled from the prior year
  • Risk methodology documentation: the scoring model or decision matrix used to assign customer risk ratings, with written rationale for each factor and its weighting. Examiners will pick 10 to 20 customer files and verify that assigned ratings match the methodology
  • Customer due diligence files: CDD documentation collected at onboarding with evidence of scheduled periodic reviews. For elevated-risk customers, EDD files including source of funds, source of wealth, and rationale for any exceptions
  • Transaction monitoring configuration logs: the rules or model settings in use, threshold history, and any calibration decisions. If thresholds were adjusted downward to reduce alert volume, that decision must be documented and approved. See AML transaction monitoring rules tuning for what a defensible calibration process looks like
  • SAR filing records: volume by period, escalation patterns, and evidence that filings were made within required timeframes (30 days under US BSA rules for standard SARs; 60 days where no suspect is identified)
  • Training records: completion by role, by date, with assessment results. Examiners look for training that covers current typologies, not generic modules updated every three years
  • Board and risk committee minutes: demonstrating that senior leadership reviewed BRA results and that risk appetite has ongoing board-level attention rather than annual rubber-stamping

Common failure modes

Institutions get cited for Rec 1 violations in recognizable patterns. These aren't abstract compliance gaps. They show up in enforcement orders.

  • Static risk assessments: a BRA done at launch and never updated, or a known risk the assessment records but the program never acts on. FinCEN's January 2021 penalty against Capital One ($390 million) concerned willful AML program failures around a check-cashing customer segment the bank itself had identified as high risk, including unfiled SARs and CTRs. (FinCEN, 2021)
  • Uniform CDD regardless of risk: applying identical verification procedures to a salaried retail customer and a PEP with beneficial ownership of three offshore entities. It's the clearest signal to examiners that the risk-based approach exists on paper only.
  • Risk ratings that don't move: customers assigned low risk at onboarding who retain that rating despite years of unusual transactions, new counterparties, or geographic changes. A rating that doesn't respond to behavior isn't a rating.
  • Undocumented methodology: a scoring matrix that exists informally but isn't written down. If an examiner can't reconstruct how a risk rating was assigned from the file alone, it didn't exist from a compliance standpoint.
  • Incomplete VASP risk coverage: crypto firms that collected basic KYC at account opening but didn't apply transaction-level risk scoring to wallet interactions or counterparty chains.
  • Training that predates the current threat environment: AML training from 2021 or earlier that doesn't cover AI-generated synthetic identities, instant payment fraud vectors, or VASP-specific red flags.

NatWest was fined £264.8 million in December 2021 after pleading guilty, in a criminal prosecution brought by the FCA under the Money Laundering Regulations 2007, to failures that included a risk framework missing obvious and sustained escalation: a single corporate client deposited around £365 million over roughly five years, much of it in cash and far beyond the turnover anticipated at onboarding, with no adequate risk reassessment. It was the first UK bank to face criminal prosecution by the regulator. (FCA, December 2021)

Penalties for non-compliance

Non-compliance with Rec 1 is enforced through national implementing legislation, and the trajectory in every major market is upward.

In the United States, the Bank Secrecy Act is the primary vehicle. FinCEN assesses civil money penalties under 31 U.S.C. § 5321 per violation, and for AML program failures each day a violation continues can be counted as a separate violation; the inflation-adjusted statutory maximums for willful violations run to tens of thousands of dollars per violation, with higher caps for certain correspondent-account violations, which is how aggregate penalties reach the hundreds of millions. Criminal referrals to the Department of Justice are possible in the most serious cases.

Real benchmark penalties:

  • Capital One (2021): $390 million civil money penalty from FinCEN for willful BSA violations, centred on a high-risk check-cashing customer segment the bank had identified but failed to control. (FinCEN enforcement action, January 2021)
  • NatWest (2021): £264.8 million criminal fine imposed by the court after the bank pleaded guilty in a prosecution brought by the FCA. (FCA, December 2021)
  • Westpac (2020): A$1.3 billion penalty from AUSTRAC for 23 million breaches of Australia's AML/CTF Act, with root causes including a risk assessment that didn't cover specific correspondent banking products and payment channels. (AUSTRAC, 2020)

Beyond fines, regulators can require independent compliance monitors at the firm's expense, restrict business activities or new market entry, mandate board-level personnel changes, and refer individual executives for criminal prosecution. In the EU, AMLD6 (Directive (EU) 2018/1673) harmonised the criminal offence of money laundering across member states, including aiding and abetting, and extended liability to legal persons. Individual liability of that kind changes the risk calculus for compliance officers significantly.

Related regulations and frameworks

Rec 1 is the architecture. The other 39 Recommendations are what gets built on it, and national AML laws are the local codes that make it enforceable.

Within the FATF 40 Recommendations:

  • FATF Rec 10 (Customer Due Diligence): Rec 1's risk tiers determine which CDD tier applies to each customer relationship. Rec 10 specifies what each tier requires in practice: identity verification, beneficial ownership documentation, business purpose, and ongoing monitoring. They work together as risk classification and operational execution.
  • FATF Rec 15 (New Technologies): Rec 15 requires that new products, business practices, and delivery mechanisms be subject to a risk assessment before launch. It's Rec 1's logic applied specifically to innovation, and it's especially relevant for fintechs and VASPs introducing new financial products to market.
  • FATF Rec 12 (PEPs): The high-risk customer classification under Rec 1 directly triggers the EDD requirements for politically exposed persons under Rec 12. The two recommendations work in sequence: Rec 1 identifies the risk tier; Rec 12 defines what EDD must include for that specific customer type.

National implementing legislation:

  • US Bank Secrecy Act (BSA): FinCEN's implementing regulations (31 CFR Chapter X) are the primary domestic translation of FATF's RBA. The 2016 Customer Due Diligence Rule added customer due diligence, including beneficial ownership identification, as a fifth pillar alongside the four existing AML program pillars (internal controls, independent testing, a designated compliance officer, and training), all grounded in Rec 1's risk-based logic.
  • EU Anti-Money Laundering Directives: AMLD4 (Directive (EU) 2015/849) and AMLD5 (Directive (EU) 2018/843) carry the FATF RBA into EU law, AMLD6 (Directive (EU) 2018/1673) harmonises the criminal offence, and the EU AML Regulation (Regulation (EU) 2024/1624), which applies directly in member states from mid-2027, consolidates the framework. The European Commission's supranational risk assessment and the European Banking Authority's ML/TF risk opinions feed into national supervisory expectations.
  • UK Money Laundering Regulations 2017: The MLRs 2017 implement the FATF RBA in UK law with specific provisions for business risk assessments, customer risk scoring, and senior management accountability. Post-Brexit, the UK maintains FATF alignment while retaining independent regulatory discretion.

How FluxForce supports FATF Rec 1 compliance

FluxForce's AI agents automate the most labor-intensive parts of Rec 1 compliance: continuous customer risk scoring, dynamic risk tier reassignment, and audit-ready documentation of every rating decision. Aiden Flux and Nova Sentinel monitor behavioral signals in real time and trigger automatic risk upgrades when transaction patterns, counterparty exposure, or geographic footprint changes. Every decision includes a full explanation, giving compliance teams the evidence regulators expect on exam day. The platform is configurable for banks, fintechs, and VASPs. Book a demo to see how FluxForce maps to your regulatory framework.
