FATF Rec 10: What It Requires and Who It Applies To
FATF Recommendation 10 is the Financial Action Task Force's international standard for customer due diligence (CDD), adopted in 1990 and last revised in 2012. It requires banks, electronic money institutions, virtual asset service providers, and designated non-financial businesses to identify and verify customers and their beneficial owners, understand the purpose of business relationships, and conduct ongoing transaction monitoring.
What is FATF Rec 10?
FATF Recommendation 10 is the international standard for customer due diligence (CDD), issued by the Financial Action Task Force. It defines what covered institutions must do before, during, and after onboarding a customer: verify who they are, identify who ultimately controls them, understand why the relationship exists, and keep reviewing that picture over time.
The Financial Action Task Force was established by the G7 in Paris in 1989 to coordinate the global response to money laundering. Its original 40 Recommendations came out in 1990. Recommendation 10 in its current form dates from the 2012 revision, adopted in February 2012, which restructured CDD obligations around a risk-based approach and extended them across all covered sectors. A 2019 update brought virtual asset service providers explicitly within scope. The 2023 consolidated version made further refinements to address emerging risks.
The reasoning is direct. You can't detect suspicious activity if you don't know who you're dealing with. The BCCI collapse in 1991 exposed how opaque ownership structures could hide criminal control of a global bank for decades. More recently, Danske Bank's Estonian branch processed an estimated €200 billion in suspicious funds between 2007 and 2015, partly because CDD on high-risk non-resident customers was not functioning.
The FATF Recommendations aren't international law in themselves, but 200 jurisdictions have committed to implementing them. National regulators (FinCEN in the US, the FCA in the UK, MAS in Singapore) enforce them through domestic statute. According to the FATF's published Recommendations, non-compliant jurisdictions risk public listings that damage sovereign credit ratings and correspondent banking access.
Who does FATF Rec 10 apply to?
The FATF divides covered entities into two categories.
Financial institutions:
- Commercial banks, savings banks, and credit unions
- Insurance companies and intermediaries writing life or investment-linked products
- Securities dealers, investment managers, and asset management firms
- Electronic money institutions (EMIs): Monzo, Wise, Revolut, and Stripe's licensed European entities
- Virtual asset service providers (VASPs): crypto exchanges, custodians, and brokers in digital assets. FATF added VASPs in 2019; most major jurisdictions have since enacted VASP licensing regimes
- Money services businesses: remittance providers, foreign exchange offices, and mobile money operators
- Consumer finance firms and leasing companies in jurisdictions that include them
Designated Non-Financial Businesses and Professions (DNFBPs):
- Casinos, and online gambling operators where jurisdictions extend the requirement
- Real estate agents when facilitating the purchase or sale of property
- Dealers in precious metals or stones, typically above EUR 10,000 for cash transactions
- Lawyers, notaries, and accountants when handling client funds, company formation, or trust arrangements
- Trust and company service providers
There's no size exemption. A 200-person credit union and a G-SIB operate under the same Rec 10 framework. The jurisdictional scope covers all 39 FATF members plus the European Commission, meaning any firm holding a regulated financial license in a member jurisdiction faces Rec 10-derived obligations in domestic law. In practice, Rec 10 reaches everywhere a regulated financial activity touches.
What does FATF Rec 10 require?
Rec 10 establishes five core CDD measures. Institutions must apply all five when establishing a new business relationship, when conducting occasional transactions above USD/EUR 15,000 (USD 3,000 for wire transfers in many jurisdictions), when there's suspicion of money laundering or terrorist financing regardless of transaction size, and when they have doubts about previously collected identification data.
Customer identification and verification. Collect legal name, date of birth, and residential address for natural persons. For legal entities: company name, registration number, registered address, and jurisdiction of incorporation. Verify that information against reliable, independent sources, including government-issued ID, official corporate registries, or accredited electronic verification services.
Beneficial ownership identification and verification. Identify the ultimate beneficial owner (UBO) of every legal entity customer. FATF defines this as any natural person who ultimately owns or controls the customer, or on whose behalf a transaction is conducted. Most national implementations use 25% as an ownership threshold indicator, though FATF itself requires only "reasonable measures." Institutions must also capture control relationships that fall below the ownership threshold. Verification must go beyond collecting self-certifications.
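The UBO measure above is easiest to see on a layered structure. The following is an added illustration, not FATF text and not any vendor's product code. It assumes two things the page does not spell out: indirect ownership is aggregated multiplicatively along each chain (a 60% owner of a 50% shareholder holds 30% indirectly), and a jurisdiction-style 25% indicator is used as the ownership threshold. Control relationships are carried as a separate flag so that a person below the threshold still surfaces, as the text requires. The registry and names are constructed.

```python
"""Resolve ultimate beneficial owners across a layered ownership structure.

Added example (not from the page). Assumptions: multiplicative indirect
ownership, a 25% ownership indicator, and a separate control flag.
"""
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 0.25  # assumed national indicator; FATF itself says "reasonable measures"


@dataclass
class Entity:
    name: str
    is_natural_person: bool
    # shareholder name -> fraction of this entity's equity (0..1)
    shareholders: dict = field(default_factory=dict)
    # natural persons exercising control other than through ownership (e.g. veto rights)
    controllers: set = field(default_factory=set)


def build_sample_registry():
    """Constructed corporate-registry extract for the customer 'Acme Trading Ltd'."""
    reg = {}
    for p in ("Alice", "Bob", "Carol", "Dave", "Erin"):
        reg[p] = Entity(p, True)
    reg["HoldCo A"] = Entity("HoldCo A", False, {"Alice": 0.6, "Bob": 0.4})
    reg["HoldCo B"] = Entity("HoldCo B", False, {"Dave": 0.9, "Bob": 0.1})
    reg["Acme Trading Ltd"] = Entity(
        "Acme Trading Ltd", False,
        {"HoldCo A": 0.5, "HoldCo B": 0.3, "Carol": 0.2},
        controllers={"Erin"},  # director with veto rights, holds no equity
    )
    return reg


def resolve_ubos(customer, registry, threshold=OWNERSHIP_THRESHOLD):
    """Return {person: {"effective": fraction, "basis": [...]}} for every natural
    person reached through the customer's ownership chain or flagged as a controller."""
    report = {}

    def add(person, effective=0.0, basis=None):
        entry = report.setdefault(person, {"effective": 0.0, "basis": []})
        entry["effective"] = round(entry["effective"] + effective, 6)
        if basis and basis not in entry["basis"]:
            entry["basis"].append(basis)

    def walk(entity_name, weight, path):
        entity = registry[entity_name]
        for c in entity.controllers:
            add(c, basis=f"control over {entity_name}")
        for holder, fraction in entity.shareholders.items():
            if holder in path:  # circular or cross-holding: do not loop
                continue
            w = weight * fraction
            if registry[holder].is_natural_person:
                add(holder, w, f"{fraction:.0%} of {entity_name}")
            else:
                walk(holder, w, path | {holder})

    walk(customer, 1.0, {customer})
    # Apply the threshold as an indicator only; controllers qualify regardless of equity.
    for person, entry in report.items():
        entry["is_ubo"] = entry["effective"] >= threshold or any(
            b.startswith("control") for b in entry["basis"])
    return report


def ubo_names(report):
    return sorted(p for p, e in report.items() if e["is_ubo"])


if __name__ == "__main__":
    rep = resolve_ubos("Acme Trading Ltd", build_sample_registry())
    for person in sorted(rep):
        print(person, rep[person])
    print("UBOs:", ubo_names(rep))
```

In the constructed structure Bob holds 20% indirectly through HoldCo A plus 3% through HoldCo B, so aggregation matters even though he stays below the indicator; Carol's direct 20% alone does not qualify; Erin appears purely on the control basis. The `basis` list is the part an examiner asks for: it records how each figure was derived rather than just a name on a self-certification.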
Purpose and nature of the business relationship. Establish why the account is being opened, what products the customer expects to use, and what transaction volumes they anticipate. This is the baseline against which future behavior gets measured.
Ongoing due diligence. Scrutinize transactions throughout the relationship against the customer's declared profile and risk rating. Refresh records when material changes occur. Periodic review frequency must reflect risk: annually for high-risk customers, every three to five years for standard-risk.
Risk-calibrated CDD intensity. Apply enhanced due diligence (EDD) for higher-risk situations: politically exposed persons, correspondent banking relationships, customers or counterparties from FATF-listed jurisdictions, and non-face-to-face onboarding. Simplified due diligence is permitted only where risk is demonstrably lower, and always requires documented justification.
Records of CDD measures must be retained for at least 5 years after a business relationship ends or after an occasional transaction, per FATF Rec 11. Many jurisdictions extend this to 7 or 10 years for specific transaction types.
What evidence do regulators expect?
Examiners pull files. They don't accept verbal assurances that procedures exist. On an exam day, expect requests across four categories.
Policies and procedures:
- A written CDD policy mapping obligation types (standard, simplified, enhanced) to specific risk triggers
- Documented decision criteria for when EDD applies, not just a statement that it does
- A periodic review schedule showing different review frequencies by risk tier
Customer files:
- A verified identity document for every active customer
- For legal entities: a corporate structure chart tracing the ownership chain to UBO level, with supporting source documents
- Evidence of UBO verification, not just collection: certified documents, registry printouts, or third-party verification service logs
- Business relationship purpose documented at onboarding, including the customer's expected transaction profile
- A current risk rating with a written rationale tied to specific risk factors
Ongoing monitoring records:
- Transaction monitoring alerts raised, triaged, and resolved, with analyst notes explaining disposition
- Escalation records for cases referred to senior compliance or management
- SAR and STR filings linked to specific customer records
Process controls:
- Training records showing staff completed CDD training: date, content, and assessment scores
- Quality assurance results from periodic file reviews, including pass rate, issue types found, and remediation tracking
- System configuration evidence: monitoring thresholds, watchlist feed versions, and last-review dates
FinCEN examiners typically pull a random sample of 25 to 50 customer files during an exam. Every file must be complete, current, and internally consistent with the customer's transaction history. Gaps in a single file are a finding. Systematic gaps are a program failure.
Common failure modes
Most enforcement actions trace to a short list of repeating problems.
No beneficial ownership documentation. Institutions collect a customer's name and ID but stop short of identifying who controls the entity. In its January 2021 action against Capital One, FinCEN cited systemic failures to collect, verify, and maintain adequate CDD files across hundreds of thousands of accounts over multiple years.
Stale customer profiles. Periodic review cycles exist in policy but aren't enforced in practice. Customers originally rated low-risk go unreviewed for five to seven years despite material changes in transaction volumes or business structure.
SDD applied without justification. Simplified procedures are used on customers who don't qualify, with no documented rationale. Examiners treat this as a control failure, not a paperwork oversight.
Monitoring disconnected from CDD. Transaction monitoring thresholds aren't calibrated to individual customer profiles. A high-risk customer with a declared $10,000 monthly transaction volume triggers alerts at the same dollar level as a retail depositor, or not at all. The NatWest case shows the consequence: one corporate customer deposited £365 million in cash over five years with no monitoring escalation, leading to the FCA's first-ever criminal prosecution of a UK bank and a £264.8 million fine.
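To make the calibration point concrete, here is an added example (not from the page, NatWest, or any vendor) that places a flat dollar threshold beside a rule keyed to each customer's declared monthly volume and risk tier. The customer profiles, transactions, tolerance multipliers and the 30-day rolling window are all constructed assumptions chosen to show the failure mode, not figures from any regulation.

```python
"""Flat-threshold monitoring beside profile-calibrated monitoring.

Added example with constructed data. Assumption: an alert fires when a
customer's rolling 30-day cash total exceeds declared_monthly * tolerance,
with tolerance tightened for higher risk tiers.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed CDD profiles captured at onboarding (declared expected volume + risk rating).
PROFILES = {
    "C001": {"declared_monthly": 10_000, "risk": "high"},        # high-risk retail
    "C002": {"declared_monthly": 5_000_000, "risk": "standard"}, # large corporate
    "C003": {"declared_monthly": 2_000, "risk": "low"},          # low-risk retail
}
# Assumed multipliers: how far above the declared profile a customer may drift per tier.
TOLERANCE = {"high": 1.5, "standard": 3.0, "low": 5.0}

# Constructed cash deposits (date, customer, amount).
SAMPLE_TXNS = [
    {"date": date(2024, 1, 1),  "customer": "C001", "amount": 4_000},
    {"date": date(2024, 1, 8),  "customer": "C001", "amount": 4_000},
    {"date": date(2024, 1, 10), "customer": "C002", "amount": 2_000_000},
    {"date": date(2024, 1, 12), "customer": "C003", "amount": 1_500},
    {"date": date(2024, 1, 15), "customer": "C001", "amount": 4_000},
    {"date": date(2024, 1, 22), "customer": "C001", "amount": 4_000},
]


def flat_threshold_alerts(txns, threshold=10_000):
    """The disconnected approach: one dollar level for everyone, per transaction."""
    return [t for t in txns if t["amount"] >= threshold]


def profile_alerts(txns, profiles, window_days=30):
    """Rolling-window total per customer compared with that customer's own profile.
    One alert per customer on the first breach, carrying the rationale an analyst needs."""
    by_customer = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["date"]):
        by_customer[t["customer"]].append(t)

    alerts = []
    for cid, items in by_customer.items():
        profile = profiles[cid]
        limit = profile["declared_monthly"] * TOLERANCE[profile["risk"]]
        window = []
        for t in items:
            window.append(t)
            # Drop deposits older than the window relative to the newest one.
            while t["date"] - window[0]["date"] > timedelta(days=window_days):
                window.pop(0)
            total = sum(x["amount"] for x in window)
            if total > limit:
                alerts.append({
                    "customer": cid,
                    "risk": profile["risk"],
                    "window_total": total,
                    "limit": limit,
                    "rationale": (f"{window_days}-day cash total {total} exceeds "
                                  f"{profile['risk']}-risk limit {limit} "
                                  f"(declared {profile['declared_monthly']}/month)"),
                })
                break
    return alerts


if __name__ == "__main__":
    print("flat:", [t["customer"] for t in flat_threshold_alerts(SAMPLE_TXNS)])
    for a in profile_alerts(SAMPLE_TXNS, PROFILES):
        print("profile:", a["rationale"])
```

With this data the flat rule alerts only on the corporate's routine 2,000,000 deposit (noise for a customer who declared 5,000,000 a month) and never on the high-risk customer whose four sub-threshold deposits total 16,000 against a declared 10,000. The profile rule inverts that, and the `rationale` field ties the alert back to the CDD record, which is the linkage examiners look for in the monitoring records listed earlier.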
Correspondent banking onboarded without respondent assessment. Respondent institutions are accepted without any evaluation of their own CDD programs, directly violating the framework set out in FATF Rec 13.
PEPs processed as standard-risk customers. FATF Rec 12 requires EDD for politically exposed persons and their associates. Institutions regularly fail to screen at onboarding, let alone on an ongoing basis.
Penalties for non-compliance
The penalties are large. The trajectory is up.
United States: FinCEN fined Capital One $390 million in January 2021 for willful Bank Secrecy Act violations, including CDD deficiencies spanning multiple years and covering hundreds of thousands of transactions. The FinCEN announcement details the specific failure categories. Capital One was also required to implement a supervised remediation program with ongoing regulatory oversight.
United Kingdom: NatWest received a £264.8 million fine in December 2021 from the FCA's first-ever criminal prosecution of a UK bank under the Proceeds of Crime Act 2002. The court found NatWest failed to monitor a single corporate customer depositing £365 million in cash over five years. The FCA sentencing statement is public record.
Australia: AUSTRAC fined Westpac AUD 1.3 billion in September 2020 for 23 million contraventions of anti-money-laundering law, including CDD failures in correspondent banking relationships. At the time, it was the largest corporate penalty in Australian history.
Regulatory powers beyond fines: The ECB can revoke banking licenses for systematic AML failures. The FCA can prohibit individuals from working in financial services. FinCEN can issue cease-and-desist orders and refer cases for criminal prosecution. Individual compliance officers face personal liability under Section 5318 of the Bank Secrecy Act: up to $25,000 per day for willful violations, plus criminal exposure. Remediation programs typically cost three to five times the initial fine in technology, staffing, and consultant fees.
Related regulations and frameworks
Rec 10 connects to a wider set of obligations that no institution can treat in isolation.
Other FATF Recommendations:
- FATF Rec 1 (Risk-Based Approach): Sets the methodology for calibrating CDD intensity to actual risk. Decisions to apply simplified or enhanced due diligence under Rec 10 are only defensible if grounded in a documented risk assessment under Rec 1.
- FATF Rec 11: Specifies record-retention requirements for CDD documents. Minimum 5 years after the end of a business relationship or the date of an occasional transaction.
- FATF Rec 12: Extends EDD obligations specifically to politically exposed persons, their immediate family members, and known close associates.
- FATF Rec 13: Applies CDD principles to correspondent banking with additional controls for respondent assessment and payable-through accounts.
- FATF Rec 15: Brings VASPs fully within the CDD framework, including crypto exchanges, custodians, and DeFi platforms where jurisdictions have extended scope.
National implementing legislation:
- USA: Bank Secrecy Act (31 CFR Part 1010); FinCEN's 2016 CDD Rule (31 CFR 1010.230) codified the 25% beneficial ownership threshold for legal entity customers
- UK: Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs 2017), implementing 4AMLD into UK law
- EU: 4AMLD (2015/849/EU), 5AMLD (2018/843/EU), 6AMLD (2018/1673/EU), which extended criminal liability to legal persons
- Singapore: MAS Notice 626 for banks; Notice SFA 04-N02 for capital markets services licensees
Where national law diverges from FATF's baseline, it generally imposes stricter requirements. Several EU member states transposed 5AMLD with beneficial ownership thresholds below 25%.
How FluxForce supports FATF Rec 10 compliance
FluxForce's AI agents address the core obligations Rec 10 imposes. Aiden Flux automates identity verification and KYC/AML checks at onboarding, extracts UBO chains from corporate registry data, and flags customers for periodic re-review based on their risk tier. Nova Sentinel runs continuous transaction monitoring calibrated to each customer's expected behavior profile, not generic industry thresholds. Every automated decision includes a full, auditable evidence trail that compliance teams and examiners can inspect without requesting additional documentation. To see how it works in practice, request a demo.