FATF Rec 20: What It Requires and Who It Applies To
FATF Recommendation 20 requires banks, electronic money institutions, virtual asset service providers, and other covered financial entities to file a Suspicious Transaction Report with their national financial intelligence unit when they suspect funds are proceeds of crime or connected to terrorist financing. Part of the FATF 40 Recommendations revised in 2012, it applies in all member jurisdictions globally with no minimum transaction amount.
What is FATF Rec 20?
FATF Recommendation 20 is the international standard that obliges financial institutions to report transactions they suspect are connected to money laundering, its predicate offences, or terrorist financing. The Financial Action Task Force issued its original 40 Recommendations in 1990. The current text was adopted in February 2012 and has been updated incrementally since, with the most recent consolidated version of the FATF 40 Recommendations published in 2023.
The text is deliberately short. It says, in effect: if you suspect funds are proceeds of crime or relate to terrorist financing, file a Suspicious Transaction Report with your national Financial Intelligence Unit promptly. No floor amount. No sector carve-outs for covered entities. A €200 cash deposit can trigger an STR obligation if the circumstances warrant it.
FATF introduced the standard because voluntary disclosure wasn't working before 1990. Most jurisdictions had no systematic mechanism to collect suspicious activity intelligence from the private sector. The FIU network that Rec 20 helped build now covers 176 member jurisdictions through the Egmont Group. In 2022, FinCEN alone received over 3.6 million suspicious activity reports from US-based filers, according to FinCEN SAR statistics.
The "promptly" requirement creates real operational pressure. FATF doesn't set a universal deadline, but most jurisdictions do. The US sets a 30-day window from the date the firm becomes aware of the suspicious activity, extendable to 60 days when no subject has been identified. The UK requires a consent STR before proceeding with a transaction, or filing as soon as practicable after. Getting the timing wrong is a standalone violation, separate from any deficiency in the substance of the report itself.
Who does FATF Rec 20 apply to?
The scope is broader than most compliance officers realise when they first read the standard. FATF's Recommendations 10-20 target "financial institutions," but FATF's own definition covers at least eight distinct firm types.
Covered entity types include:
- Banks and deposit-taking institutions: Every bank, regardless of size or business model. Community banks carry the same SAR obligation as tier-1 global institutions. There's no minimum balance sheet or revenue threshold.
- Electronic money institutions: Neobanks, prepaid card issuers, and mobile wallet providers. This includes firms registered under the EU's Payment Services Directive, the UK's EMI regime, and equivalent frameworks worldwide.
- Virtual asset service providers (VASPs): Crypto exchanges, custodians, peer-to-peer platforms, and, in most jurisdictions, NFT marketplaces where virtual assets are the primary product. FATF's 2021 update to its Virtual Assets Guidance confirmed VASPs carry the same STR obligations as banks.
- Securities dealers and investment firms: Brokers, asset managers, and collective investment scheme operators executing or holding client funds.
- Money service businesses: Currency exchange offices, money transfer operators, check cashers, and hawala dealers.
- Life insurance companies and intermediaries: For cash-value products, particularly where premiums are paid in cash or by undisclosed third parties.
- Trust and company service providers: When they form, administer, or manage legal persons or arrangements on behalf of clients.
- Casinos: Both land-based and online operators, in implementing jurisdictions.
There's no revenue or balance sheet minimum. A startup EMI with 500 customers has the same STR obligation as Deutsche Bank. The EU's 6AMLD and the 2024 EU AMLR extend coverage to crypto asset service providers in ways that go beyond the FATF baseline in several respects. Lawyers, accountants, and real estate agents get their STR obligations from FATF Rec 22, not Rec 20, though the underlying duty is identical.
What does FATF Rec 20 require?
The standard is brief. The operational requirements are not. Most national implementations translate Rec 20 into seven distinct obligations:
- Establish a documented STR program: Written policies must define what constitutes reasonable grounds for suspicion, who has authority to approve a filing, and the escalation path from front-line staff to the MLRO or BSA officer. Generic templates fail this test. Examiners want firm-specific definitions tied to the institution's actual risk profile and customer base.
- File reports promptly: In the US, the SAR filing window is 30 calendar days from the date the institution identifies the suspicious activity, extendable to 60 days when no subject has been identified and investigation is ongoing. In the UK, a consent STR must be filed before executing a transaction if there's time to do so. Late filing is a standalone violation, not just an aggravating factor.
- Report regardless of amount: Unlike the Currency Transaction Report requirement at $10,000 in the US, Rec 20 imposes no minimum threshold. A $500 wire that pattern analysis flags as suspicious requires the same decision process as a $5 million transaction. The trigger is suspicion, not size.
- Maintain confidentiality: Filing an STR doesn't authorise the institution to tell the customer about it. FATF Rec 21 formalises the tipping-off prohibition. Disclosing to the subject, or to any third party not authorised by law, that a report has been filed or is under consideration is itself a criminal offence in most jurisdictions.
- Retain supporting records: Most implementing jurisdictions set a minimum five-year retention period. In the US, 31 CFR 1020.320 sets the five-year floor. The EU's successive AML directives, now consolidated into the EU AMLR, require the same. Every document used to support the filing decision must be available to supervisors and FIUs on request.
- Train relevant staff: Every employee who could identify or escalate suspicious activity needs periodic, documented training. Typology updates, including emerging crypto schemes, trade-based money laundering patterns, and synthetic identity fraud, must flow into training content on an ongoing basis.
- Conduct independent testing: Internal audit or an external reviewer must periodically test whether the STR program is functioning as designed, whether alerts are being dispositioned within policy, and whether filing timelines are being met. Testing results and management responses are auditable deliverables, not internal suggestions.
What evidence do regulators expect?
Examiners don't just count filed reports. They assess whether the program generating those reports actually works. The OCC's 12 CFR Part 21 examination procedures and FinCEN's SAR guidance lay out the expected evidence in detail.
On audit day, examiners typically request:
- Written policies and procedures: Specific to the institution's risk profile. A generic template is a red flag. Examiners want firm-specific definitions of suspicion, documented escalation timelines, and named decision authorities.
- Transaction monitoring system documentation: Configuration records, rule logic, alert threshold settings, and the rationale for any changes in the past 12 to 24 months. Unexplained threshold reductions are scrutinised.
- Alert disposition logs: Evidence that every alert was reviewed, a decision was made, and that decision was documented with a clear rationale. "Alert closed, low risk" without supporting analysis is a finding in most examinations.
- STR/SAR filing samples: Examiners sample filed reports and assess narrative quality, accuracy of subject identifying information, and whether the filing window was met. A well-formatted report that says nothing material about why the activity is suspicious is still deficient.
- Escalation records: The complete trail from alert to MLRO decision. Any gap, particularly cases that sat with an analyst for weeks with no documented action, is a control failure.
- Training records: Completion logs, training content, and assessment scores. The UK FCA's SYSC 6.3 requirements add the MLRO's annual report to senior management as an auditable artefact.
- Independent testing results: The most recent internal audit or third-party review of the STR program, including findings, management responses, and evidence of remediation.
- Documented no-file decisions: Regulators increasingly expect a recorded decision when an institution reviews suspicious activity and decides not to file. The absence of a no-file record, when the facts suggest filing should have been considered, is treated as a control gap.
Common failure modes
Most STR program failures share the same root causes. They're not random. We've seen the same patterns cited in enforcement actions across jurisdictions.
Alert backlogs with no triage discipline: Monitoring systems generating thousands of alerts with no systematic disposition process. In the NatWest case (R v NatWest, Southwark Crown Court, 2021), the bank failed to file STRs on over £264 million in cash deposits partly because suspicious patterns weren't escalated from branches to the compliance function. The cash was deposited by a single jewellery business over several years.
Shallow SAR narratives: Examiners consistently cite reports that describe what happened rather than why it's suspicious. "Customer made 14 cash deposits totalling $22,000 over six weeks" is a transaction log. A proper narrative connects the pattern to a known typology, explains why the customer's stated business doesn't account for the activity, and names the predicate offence where identifiable.
Late filing on identified cases: US Bank's 2018 OCC and FinCEN consent order cited systematic SAR delays as a key finding. The bank had a standing policy of capping SAR volumes to avoid what management internally called "increased regulatory scrutiny." FinCEN treated this as wilful non-compliance, not an operational error.
Missing structuring SARs: Institutions often miss STR obligations on cash structuring below the CTR threshold. Structuring is a federal crime under 31 U.S.C. § 5324, and failing to file a SAR on suspected structuring is a separate violation from the structuring itself.
No documented no-file decisions: Programs that can demonstrate what they filed, but not what they decided not to file and why. Regulators treat this gap as a control weakness, particularly when the underlying transaction later appears in a criminal investigation.
VASPs operating with no STR program at all: The 2021 CFTC and FinCEN joint action against BitMEX found the exchange had operated with no AML program and no mechanism for filing SARs on suspicious platform activity, despite processing billions in transaction volume.
Penalties for non-compliance
The penalty exposure under Rec 20 implementations is material. Non-compliance isn't treated as a technical deficiency. Regulators treat it as a control failure that may have actively facilitated crime.
US federal enforcement
Under the Bank Secrecy Act, FinCEN can impose civil money penalties of up to $25,000 per day per violation under 31 U.S.C. § 5321. Wilful violations carry criminal exposure under 31 U.S.C. § 5322: fines up to $500,000 and up to 10 years' imprisonment. Recent major actions include:
- US Bank (2018): $613 million combined OCC and FinCEN consent order for systematically capping SAR filings and suppressing AML program effectiveness.
- Capital One (2021): $390 million FinCEN civil money penalty for SAR deficiencies including failure to file on a substantial volume of wire transfer activity.
- USAA Federal Savings Bank (2022): $140 million OCC and FinCEN penalty for SAR program failures.
UK enforcement
The FCA's 2021 criminal prosecution of NatWest under the UK MLR 2017 resulted in a £264.8 million fine. It was the first criminal conviction of a UK bank under the money laundering regulations and set a precedent for criminal accountability at the institutional level.
EU enforcement
Under the 6AMLD and AMLD5 provisions, administrative penalties for credit institutions can reach 10% of annual turnover or €5 million, whichever is higher. Personal liability for MLROs and board members is available in most EU member states and is being used more frequently.
The direction of travel is toward criminal prosecution and individual liability. MLROs who sign off on deficient programs, and senior managers who override AML recommendations for commercial reasons, are increasingly named in enforcement actions personally.
Related regulations and frameworks
FATF Rec 20 doesn't operate in isolation. Compliance teams need to read it alongside related standards, not treat it as a standalone rule.
Within the FATF 40 Recommendations
Rec 20 is inseparable from Rec 21 (the tipping-off and confidentiality obligation), FATF Rec 22 (which extends STR obligations to designated non-financial businesses and professions), and FATF Rec 24 (beneficial ownership transparency). Knowing who controls a suspicious account is often the key to drafting a meaningful STR narrative. The FATF Virtual Assets Guidance (2021) details how Rec 20 applies to VASPs, including how Travel Rule data feeds STR evidence packets.
National implementations
The US implements Rec 20 through the Bank Secrecy Act and specific SAR filing rules. The AMLA 2020 modernised the BSA framework and imposed new AML program effectiveness requirements on banks. The UK operates under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. The EU has implemented it through successive AML directives, with the EU AMLR (2024) and the new EU AMLA now centralising AML supervision across the bloc. Singapore's implementation lives in MAS Notice 626. India's is the PMLA 2002.
Complementary US obligations
In the US, Section 314(a) information requests frequently accompany SAR investigations, requiring institutions to search records for accounts or transactions tied to named suspects identified by FinCEN. The FinCEN CDD Rule feeds Rec 20 directly: customer due diligence and beneficial ownership data are the foundation for recognising when a customer's activity crosses into suspicious territory.
How FluxForce supports FATF Rec 20 compliance
FluxForce's AI agents automate the detection, investigation, and documentation workflow that Rec 20 demands. Nova Sentinel monitors transactions in real time and flags anomalies against known AML typologies. Aiden Flux generates complete, audit-ready suspicious transaction report narratives, each with a full decision trail, cutting investigation time and reducing the backlogs that cause late filings. Every decision, including documented no-file decisions, gets supporting evidence attached automatically. FluxForce's regulatory compliance automation platform is built for regulated financial institutions.