FATF Rec 10: What It Requires and Who It Applies To
FATF Recommendation 10 is the global standard for Customer Due Diligence (CDD), issued by the Financial Action Task Force and substantially revised in 2012. It requires banks, electronic money institutions, virtual asset service providers, and designated non-financial businesses and professions to identify and verify customers, identify beneficial owners, understand the business relationship's purpose, and conduct ongoing transaction monitoring.
What is FATF Rec 10?
FATF Recommendation 10 is the global standard for Customer Due Diligence (CDD), issued by the Financial Action Task Force, the intergovernmental body responsible for setting global anti-money laundering and counter-terrorism financing standards. The recommendation was first established in 1990 as part of FATF's original 40 Recommendations, and was substantially overhauled in 2012 when FATF revised its entire framework to embed the risk-based approach as a foundational principle.
The 2012 revision changed the logic. Before it, CDD was largely rules-based: the same checks for every customer. The revised Rec 10 made risk calibration central to the obligation itself. Institutions must now apply enhanced due diligence (EDD) for higher-risk customers and relationships, and may apply simplified measures for demonstrably lower-risk ones, provided they document their risk reasoning. FATF updated its guidance again in October 2023, clarifying expectations around digital identity verification and the CDD obligations of virtual asset service providers.
The core purpose is to prevent financial institutions from becoming conduits for money laundering or terrorist financing, knowingly or otherwise. Knowing who your customer is, who actually owns or controls a legal entity, and what a business relationship is for sounds basic. Getting this right across millions of customers, multiple jurisdictions, and varied entity types is operationally demanding, and regulators know it.
FATF Rec 10 is the foundation that most national CDD regimes build on. The FinCEN CDD Final Rule in the US, the UK Money Laundering Regulations 2017, and the EU's successive AML directives all trace their CDD obligations directly back to this recommendation. The full text is available at fatf-gafi.org.
Who does FATF Rec 10 apply to?
Rec 10 covers two broad categories: financial institutions and designated non-financial businesses and professions (DNFBPs).
Financial institutions:
- Banks and credit institutions: retail banks, commercial banks, private banks, credit unions, savings institutions
- Electronic money institutions (EMIs): digital wallets, prepaid card issuers, mobile payment providers
- Securities firms: broker-dealers, investment advisors, portfolio managers, fund administrators
- Insurance companies: specifically life insurance and investment-linked products; general insurance is typically out of scope
- Virtual asset service providers (VASPs): crypto exchanges, custodian wallet providers, and platforms meeting FATF's VASP definition; the FATF Virtual Assets Guidance covers the evolving scope here
- Money services businesses: foreign exchange dealers, money transfer operators, check cashers
DNFBPs:
- Casinos, including online casinos in most jurisdictions
- Real estate agents handling property transactions
- Dealers in precious metals and stones for transactions above threshold
- Lawyers, notaries, and accountants acting in financial or corporate capacities
- Trust and company service providers (TCSPs)
CDD requirements specific to DNFBPs are addressed separately in FATF Rec 22.
There's no asset or revenue threshold that exempts smaller institutions. A community bank with $200 million in assets and a $50 billion multinational face the same CDD obligation in principle. Proportionality comes through the risk-based approach, not size exemptions. FATF standards apply across all 200+ jurisdictions that have committed to the FATF framework through membership or association with FATF-Style Regional Bodies (FSRBs). Individual countries may, and often do, set requirements that go beyond FATF minimums.
What does FATF Rec 10 require?
The recommendation establishes four core CDD measures, plus rules on when to apply them and what to do when full CDD can't be completed.
Core CDD measures:
Identify the customer and verify their identity. For natural persons: full name, date of birth, nationality, and official identification such as a passport or national ID card. For legal entities: legal name, registered address, registration number, legal form, and the identity of the person acting on the entity's behalf.
Identify the beneficial owner and take reasonable measures to verify their identity. The FATF standard uses a 25% ownership or control threshold for legal entities, though several jurisdictions set the bar at 10%. The ultimate beneficial owner (UBO) must be identified even when ownership runs through multiple layers of holding companies. This obligation connects directly to FATF Rec 24 on beneficial ownership registers.
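As an added illustration (not code from FATF or from this page), the following Python walks a constructed layered ownership structure and reports which natural persons clear the threshold. It assumes indirect ownership is computed as the product of percentages along each chain, summed across chains (one common method; jurisdictions differ), and that the threshold is a parameter so the 25% and 10% variants can be compared.

```python
from collections import defaultdict

# Constructed sample structure (not real entities): entity -> [(owner, fraction)].
# Keys are legal entities; anything that is not a key is treated as a natural person.
OWNERSHIP = {
    "CustomerCo": [("HoldCoA", 0.60), ("HoldCoB", 0.30), ("P3", 0.10)],
    "HoldCoA":    [("P1", 0.50), ("HoldCoB", 0.50)],
    "HoldCoB":    [("P2", 0.80), ("P4", 0.20)],
}


def effective_ownership(entity, structure, _visited=frozenset()):
    """Return {natural person: effective fraction of `entity`}.

    Indirect holdings are the product of fractions along each chain, summed
    across all chains (assumption: one common method). Circular ownership
    is rejected rather than looped over.
    """
    if entity in _visited:
        raise ValueError(f"circular ownership involving {entity}")
    totals = defaultdict(float)
    for owner, frac in structure.get(entity, []):
        if owner in structure:  # another legal entity: keep walking the chain
            sub = effective_ownership(owner, structure, _visited | {entity})
            for person, share in sub.items():
                totals[person] += frac * share
        else:                   # natural person: end of the chain
            totals[owner] += frac
    return dict(totals)


def direct_owners(entity, structure):
    """Owners recorded on the first layer only, the check that 'stops there'."""
    return sorted(owner for owner, _ in structure.get(entity, []))


def ubos(entity, structure, threshold=0.25):
    """Natural persons whose effective ownership meets the threshold."""
    eff = effective_ownership(entity, structure)
    return sorted((p, round(f, 4)) for p, f in eff.items() if f >= threshold)


if __name__ == "__main__":
    print("first layer only:", direct_owners("CustomerCo", OWNERSHIP))
    print("UBOs at 25%:", ubos("CustomerCo", OWNERSHIP))
    print("UBOs at 10%:", ubos("CustomerCo", OWNERSHIP, threshold=0.10))
```

In the sample, P2 holds nothing in CustomerCo directly yet is its largest owner (48%) once HoldCoA and HoldCoB are unwound, which is exactly what a first-layer-only check misses.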
Understand and, where appropriate, obtain information on the purpose and intended nature of the business relationship. A legitimate import-export business with regular cross-border payments looks very different from a newly formed shell entity conducting the same transactions. Understanding why a customer is opening an account, and what they expect to do with it, is part of the basic CDD obligation.
Conduct ongoing monitoring of the business relationship. This includes scrutinizing transactions for consistency with the institution's knowledge of the customer and their risk profile, and keeping CDD records current. Periodic reviews are expected, with frequency calibrated to risk level.
When CDD is triggered:
- Establishing a new business relationship
- Occasional transactions at or above USD/EUR 15,000 (or equivalent), including linked transactions that together reach the threshold
- Wire transfers covered by FATF Rec 16
- Any suspicion of money laundering or terrorist financing, regardless of amount
- Doubts about the veracity or adequacy of previously collected customer data
Enhanced due diligence applies to higher-risk situations: correspondent banking relationships (see FATF Rec 13), politically exposed persons (addressed in FATF Rec 12), customers in high-risk jurisdictions, and complex or unusual transaction patterns.
Record retention: All CDD records must be kept for at least five years from the end of the business relationship or the date of an occasional transaction. FATF Rec 11 covers the detailed record-keeping requirements.
What evidence do regulators expect?
Examiners don't come in asking whether you have a CDD policy. They want to see it working. Here's what they look for:
Policies and procedures:
- Written CDD program covering natural persons, legal entities, trusts, and VASPs
- Risk appetite statement with documented risk tiers
- Procedures for EDD triggers, PEP screening, and adverse media checks
- Exception handling: what happens when a customer can't provide full documentation
Customer records:
- Identity verification documents for each customer (type of ID, issuing authority, expiry date, verification method)
- Beneficial ownership declarations signed by the customer or entity representative
- Business purpose questionnaires or onboarding notes explaining the expected relationship
- Source of funds and source of wealth evidence for high-risk customers
Ongoing monitoring evidence:
- Transaction monitoring system configuration, alert thresholds, tuning records, and validation results
- Records of periodic CDD reviews: who triggered them, what was checked, what was updated
- Evidence that dormant account reviews actually happen
Training:
- Staff training records showing frequency, content covered, and completion rates
- Training materials that address beneficial ownership identification, PEP detection, and EDD procedures
Independent testing:
- Internal audit reports on CDD program effectiveness, including sample testing results
- Remediation tracking for identified gaps
Examiners will pull a sample of customer files, targeting high-risk accounts, and trace the chain from initial onboarding through to current CDD status. Stale records, undocumented EDD decisions, and gaps in beneficial ownership files are the most common findings.
Common failure modes
FATF mutual evaluation reports and national enforcement actions point to the same failures appearing across institutions of all sizes.
Beneficial ownership opacity. Institutions verify the legal entity but stop there. The actual human owner behind a chain of holding companies isn't identified. FinCEN's 2016 CDD Final Rule (81 FR 29398) was introduced specifically because US examiners kept finding this gap in examination after examination.
Stale CDD on existing customers. Institutions do thorough onboarding but never update records. A customer onboarded ten years ago may now be a PEP, subject to sanctions, or operating a completely different business. Ongoing monitoring means updating records, not just watching transactions flow through.
Threshold structuring ignored. Institutions focus on the USD/EUR 15,000 threshold and miss customers or agents structuring transactions to stay below it. Rec 10's obligation extends to suspicious activity regardless of amount.
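The two points above, that linked occasional transactions count toward the 15,000 trigger and that suspicion is not bounded by the threshold, can be expressed as a single review routine. The Python below is an added example rather than anything from the page or from a vendor; the 30-day linking window, the "just below" band and the repeat count are assumptions an institution would set from its own risk assessment, and the transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 15_000                 # FATF occasional-transaction trigger (USD/EUR equivalent)
LINK_WINDOW = timedelta(days=30)   # assumption: how far apart "linked" transactions may sit
NEAR_BAND = 0.80                   # assumption: amounts in [80%, 100%) of threshold are "just below"
NEAR_COUNT = 3                     # assumption: this many just-below amounts in a window is an indicator

# Constructed sample occasional transactions (not real data): (customer, timestamp, amount)
TXNS = [
    ("C1", "2024-03-01T09:00", 9_000), ("C1", "2024-03-05T14:30", 6_500),
    ("C2", "2024-03-02T10:00", 14_500), ("C2", "2024-03-03T10:05", 14_200),
    ("C2", "2024-03-04T11:00", 14_900),
    ("C3", "2024-01-01T08:00", 10_000), ("C3", "2024-03-20T08:00", 10_000),
]


def review_occasional(txns, threshold=THRESHOLD, window=LINK_WINDOW):
    """Return {customer: sorted findings}.

    CDD_TRIGGER           a single transaction, or linked ones within `window`, reaches the threshold
    STRUCTURING_INDICATOR repeated just-below-threshold amounts within `window`, flagged regardless
                          of whether the aggregate reaches the threshold
    """
    by_cust = defaultdict(list)
    for cust, ts, amt in txns:
        by_cust[cust].append((datetime.fromisoformat(ts), amt))

    findings = defaultdict(set)
    for cust, rows in by_cust.items():
        rows.sort()
        for i, (t_start, _) in enumerate(rows):
            # every transaction starting a window, plus those within `window` after it
            linked = [amt for t, amt in rows[i:] if t - t_start <= window]
            if sum(linked) >= threshold:
                findings[cust].add("CDD_TRIGGER")
            near = [amt for amt in linked if threshold * NEAR_BAND <= amt < threshold]
            if len(near) >= NEAR_COUNT:
                findings[cust].add("STRUCTURING_INDICATOR")
    return {cust: sorted(f) for cust, f in findings.items()}


if __name__ == "__main__":
    for cust, flags in review_occasional(TXNS).items():
        print(cust, flags)
```

C1 never crosses 15,000 in one payment but does over four days; C2 stays under it every time and is the case the threshold-only view misses; C3's two payments fall outside the linking window and produce no finding.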
EDD without substance. Institutions check the EDD box by collecting more documents from high-risk customers without asking harder questions about source of wealth or business rationale. Volume of paper isn't EDD.
Deutsche Bank (FCA, 2017): The FCA fined Deutsche Bank £163 million for AML control failures that included inadequate CDD on a $10 billion mirror trading scheme. The bank processed transactions despite clear red flags about beneficial ownership and business purpose. The FCA Final Notice documents the specific control gaps in detail.
Westpac (AUSTRAC, 2020): AUSTRAC found Westpac had failed to complete CDD on approximately 23 million transactions and had missed indicators linked to child exploitation financing. The AUD 1.3 billion penalty remains the largest in Australian corporate history. See the AUSTRAC settlement announcement.
Penalties for non-compliance
Penalties are set by national regulators implementing FATF standards. FATF itself has no direct enforcement power, but its mutual evaluation process creates strong reputational and market-access pressure for jurisdictions that don't comply.
United States: FinCEN imposes civil money penalties under the Bank Secrecy Act, which incorporates Rec 10 obligations through the CDD Rule. Capital One received a $290 million penalty in 2021 for AML program failures that included deficient KYC procedures and inadequate customer monitoring. The full FinCEN enforcement action is publicly available. OCC consent orders can additionally restrict asset growth, require board-level oversight changes, and mandate multi-year remediation programs.
European Union: EU directives require member states to set maximum administrative penalties of at least EUR 5 million or 10% of total annual turnover for legal entities, and EUR 5 million for natural persons. Several member states go significantly higher. ABLV Bank in Latvia was forced into liquidation in 2018 following FATF-related concerns identified by the ECB and Latvian regulators.
United Kingdom: The FCA has imposed penalties ranging from under £1 million for smaller firms to over £100 million for large banks. The UK Money Laundering Regulations 2017 give the FCA authority to impose unlimited fines, restrict business activities, and pursue individual accountability under the Senior Managers and Certification Regime.
Australia: AUSTRAC can impose civil penalties up to AUD 222 million per contravention. The Westpac figure of AUD 1.3 billion illustrates how quickly individual contraventions aggregate.
Criminal liability is possible in most jurisdictions for willful CDD failures. Individual compliance officers, senior managers, and board members have faced prosecution in the UK, US, and several EU jurisdictions.
Related regulations and frameworks
FATF Rec 10 doesn't operate in isolation. It sits within a network of related obligations that compliance teams need to map together.
Within the FATF 40 Recommendations:
- FATF Rec 1 establishes the risk-based approach that determines how deeply Rec 10 measures apply. Without it, Rec 10 is just a checklist.
- FATF Rec 11 sets the five-year retention requirement for all CDD documentation.
- FATF Rec 12 requires EDD for PEPs, which directly layers onto Rec 10's standard CDD obligations.
- FATF Rec 20 connects here: CDD that reveals red flags typically triggers a suspicious transaction reporting obligation.
- FATF Rec 24 is complementary in the clearest way. Rec 10 requires institutions to identify UBOs; Rec 24 requires countries to maintain registers that make that identification feasible.
National implementations:
- US: The FinCEN CDD Final Rule (effective 2018) is the direct national implementation, adding beneficial ownership as a fifth pillar to the existing BSA/AML program requirements. The AMLA 2020 strengthened these further.
- EU: The EU AMLR 2024 will consolidate and raise CDD standards across member states from 2027, with direct applicability replacing the directive model.
- UK: The Money Laundering Regulations 2017 remain the domestic implementing instrument.
- Singapore: MAS Notice 626 sets out CDD requirements for banks in Singapore, closely tracking the FATF standard.
- India: The RBI KYC Master Direction 2016 implements equivalent CDD obligations for RBI-supervised entities.
For VASPs, FATF Rec 15 and the Virtual Assets Guidance clarify how Rec 10 applies in the crypto context, where customer identification raises distinct technical and jurisdictional questions.
How FluxForce supports FATF Rec 10 compliance
FluxForce's AI agents automate customer risk-scoring, identity verification checks, and beneficial ownership tracing at the scale Rec 10 demands. Nova Sentinel monitors ongoing transaction behavior against each customer's expected profile and flags deviations that warrant a CDD review. Aiden Flux handles automated EDD workflows for high-risk customers and generates documented risk rationales that hold up on examination day. Every decision produces an auditable evidence trail. For institutions managing millions of customer relationships, this is where identity verification and KYC/AML automation moves from optional to operational. Request a demo to see how it works in practice.