FATF Rec 20: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: Global

FATF Recommendation 20 requires banks, electronic money institutions, virtual asset service providers, and other covered financial entities to file a Suspicious Transaction Report with their national Financial Intelligence Unit whenever they know, suspect, or have reasonable grounds to suspect that a transaction involves proceeds of crime or terrorist financing. The obligation applies across all 200+ FATF member and observer jurisdictions and took its current form in February 2012.

What is FATF Rec 20?

The Financial Action Task Force (FATF) Recommendation 20 is the international standard requiring financial institutions and designated non-financial businesses and professions to file a Suspicious Transaction Report (STR) with their national Financial Intelligence Unit (FIU) when they know, suspect, or have reasonable grounds to suspect that a transaction or attempted transaction involves proceeds of a criminal offence or is connected to terrorist financing. FATF published the current 40 Recommendations in February 2012, replacing versions that had stood since 2003. Recommendation 20 superseded the former Recommendation 13.

The genesis matters. FATF introduced the reporting obligation in its original 40 Recommendations in 1990, after the G7 commissioned the task force in response to the rising scale of drug-money laundering. The core logic hasn't changed in 35 years: regulators can't act on what they can't see. STR filing converts frontline suspicion into actionable intelligence for FIUs, law enforcement, and prosecutors.

What makes Rec 20 operationally demanding is the "reasonable grounds to suspect" threshold. It's a low bar, deliberately. Institutions don't need proof of a crime; they need a genuine, articulable basis for suspicion. Attempted transactions count. If a customer tried to execute a transaction and cancelled when asked for documentation, that attempt still needs to be evaluated for reporting. FATF's Interpretive Note to Recommendation 20 confirms that institutions acting in good faith receive safe harbor from civil and criminal liability, which means filing on thin suspicion is almost always the right call.

The obligation links directly to the Customer Due Diligence (CDD) and ongoing monitoring infrastructure that banks maintain under FATF Rec 10. You can't identify suspicious activity without first knowing your customer.


Who does FATF Rec 20 apply to?

The scope is broad. Rec 20 applies to any entity covered by FATF's definition of "financial institution" or "designated non-financial business or profession" (DNFBP). In practice, that covers most of the regulated financial sector globally.

Financial institutions covered:

  • Retail and commercial banks, including branches of foreign banks
  • Credit unions and savings institutions
  • Electronic money institutions (EMIs) and neobanks
  • Virtual asset service providers (VASPs): exchanges, custodians, and wallet providers
  • Correspondent banks (see FATF Rec 13 for specific obligations in that context)
  • Money service businesses: remittance firms and currency exchangers
  • Securities firms: broker-dealers, investment advisers, and fund managers
  • Life insurers and certain non-life insurance providers
  • Leasing companies and consumer finance firms

DNFBPs covered (per FATF Rec 22):

  • Casinos and gaming operators
  • Real estate agents
  • Dealers in precious metals and stones
  • Lawyers, notaries, and accountants when conducting or facilitating financial transactions
  • Trust and company service providers

There are no explicit size thresholds. A one-branch community bank carries the same STR obligation as a global systemically important bank. The difference is proportionality of controls, not the existence of the obligation.

Jurisdictional reach is effectively global. FATF counts 37 member countries plus the European Commission. Its standards are adopted by regional bodies covering 200+ jurisdictions. The EU implements Rec 20 through its AML Directives, including 6AMLD and the new EU AMLR. The US implements it through the Bank Secrecy Act (BSA), which requires Suspicious Activity Reports (SARs) as the domestic equivalent of FATF's STR.


What does FATF Rec 20 require?

The core obligation sounds simple: report suspicion. The operational requirements are where it gets specific.

  1. File when you know, suspect, or have reasonable grounds to suspect. The trigger is a genuine basis for suspicion, not certainty. The bar is lower than probable cause. If you're asking yourself whether something looks wrong, that's often enough to be at the threshold.

  2. Report promptly to the FIU. FATF doesn't mandate a universal deadline. National law governs the exact timeframe. In the US, SARs must be filed within 30 calendar days of initial detection, extendable to 60 days if no suspect has been identified. The UK's Proceeds of Crime Act 2002 requires reporting "as soon as practicable." Australia's AML/CTF Act 2006 sets a 3-business-day deadline.

  3. Include all relevant information. A complete STR documents the suspicious activity in detail: the nature of the suspicion, the transactions involved, the parties, available identification, and the specific red flags that triggered the analysis. Vague STR narratives ("unusual activity observed") generate investigative dead ends and attract examiner criticism. A well-written STR names amounts, dates, counterparties, and the exact indicators.

  4. Do not tip off the subject. Tipping off is a criminal offence in most FATF-implementing jurisdictions. You cannot disclose to the subject, or to third parties, that an STR has been or may be filed. This creates real tension in correspondent banking relationships where both institutions may independently be obligated to file.

  5. Maintain strict confidentiality. The existence of the report and its contents are protected. Disclosure within the institution is restricted to those with a direct need to know, typically the MLRO, compliance, and senior management with oversight responsibility.

  6. Retain records for at least five years. This aligns with FATF Rec 11 on record keeping. Retained records must include the STR itself, the underlying transaction data, and the documented analysis that led to the filing decision.

  7. No general obligation to freeze without separate legal authority. Rec 20 is a reporting obligation. Institutions report and, absent a separate legal order or sanctions hit, continue servicing the account. If a sanctions match exists under a regime like OFAC's SDN List, blocking applies separately. Conflating the two obligations is a common compliance error.


What evidence do regulators expect?

When an examiner arrives for a BSA/AML examination, they're not only checking that STRs were filed. They're assessing whether the institution has a defensible process for identifying, evaluating, and reporting suspicious activity end to end.

The audit-day checklist typically covers:

Policies and procedures:

  • Written STR/SAR policy with clear escalation paths, defined roles, and documented sign-off requirements
  • Records of "no-file" decisions (not just affirmative filings), including analyst rationale
  • Tipping-off prohibition explicitly addressed, with examples
  • Policy version history showing annual review and board or senior management approval

Transaction monitoring system:

  • Documented alert rules or model configuration with change history
  • Alert calibration records showing false positive rates and tuning methodology
  • Evidence that coverage extends to all product lines and transaction types, not just retail accounts

Case management:

  • Case files for every alert reviewed, including analyst notes and supervisor sign-off
  • Timeliness records showing alerts were reviewed within the firm's own SLA
  • Clear documentation of why each alert was cleared versus escalated to an STR

Training records:

  • Annual AML training completion records for all relevant staff
  • Targeted training for high-risk roles: relationship managers, private bankers, wire desks
  • Training content that specifically addresses STR obligations and tipping-off risks

Testing and audit:

  • Independent audit or compliance testing of the STR process within the prior 12 months
  • Evidence that prior audit findings were remediated
  • Management information tracking STR filing volumes, average filing time, and geographic distribution

Regulators focus particularly on "no-file" documentation. If your institution reviewed 1,000 suspicious-activity alerts and filed 50 SARs, examiners will sample the 950 no-file decisions. An unsupported no-file is as dangerous as a missed filing.


Common failure modes

Most enforcement actions don't arise from a single catastrophic miss. They come from systematic weaknesses that accumulated over years.

Structural failures:

  • Siloed monitoring. Alert systems that cover retail accounts but miss commercial banking, private banking, or trade finance entirely. Every product line with AML risk needs transaction monitoring coverage.
  • Stale typologies. Rules written five years ago and never updated to reflect new payment methods, crypto on-ramps, or current criminal typologies, such as trade-based money laundering or mule account networks.
  • Chronic understaffing. Alert queues running 60 to 90 days behind because analyst headcount never kept pace with alert volume. Timely filing becomes structurally impossible.

Process failures:

  • Unsupported no-file decisions. Closing alerts with "no suspicious activity identified" and no supporting notes. Examiners treat this as evidence of systematic under-reporting.
  • Vague STR narratives. Filing reports that describe "unusual activity" without naming specific transactions, amounts, or red flags. A narrative that could apply to any customer is a wasted filing and signals a deeper process failure.
  • Tipping off. In June 2020, the FCA fined Commerzbank AG London £37.8 million for AML control failures, including a framework where relationship managers communicated AML concerns to customers. (FCA Final Notice, June 2020)

Governance failures:

  • No independent audit. Institutions that rely entirely on first-line compliance with no second-line review of STR decision quality.
  • Missing management information. No tracking of filing volumes, timeliness, or geographic distribution. Regulators expect management to actively monitor the health of the STR process.

Penalties for non-compliance

The penalty ranges across FATF-implementing jurisdictions are substantial. These are real numbers from real cases.

United States. FinCEN can impose civil money penalties up to $1 million per violation per day under 31 U.S.C. § 5321. In January 2021, FinCEN assessed a $390 million civil money penalty against Capital One for systematic SAR filing failures and a deficient AML program that persisted from 2008 to 2014. (FinCEN Press Release, January 2021) In October 2024, FinCEN's consent order with TD Bank included a $1.319 billion civil money penalty, the largest in FinCEN's history to that date, covering failures that included chronic SAR filing breakdowns on over $18.3 billion in transactions. (FinCEN Consent Order, October 2024)

United Kingdom. The FCA can impose unlimited financial penalties and withdraw authorisation. Beyond Commerzbank, the FCA's enforcement register documents multiple STR-related failures in its annual financial crime report.

European Union. The EU AMLR and the forthcoming EU AMLA establish a harmonised penalty framework. Maximum penalties for serious AML breaches reach €10 million or 10% of annual turnover, whichever is higher, for legal persons.

Australia. AUSTRAC reached an AUD 1.3 billion civil penalty settlement with Westpac in September 2020 following 23 million contraventions of the AML/CTF Act, including large-scale failures to report suspicious transactions. (AUSTRAC, September 2020)

Beyond financial penalties, institutions face consent orders, deferred prosecution agreements, enhanced supervision, business restrictions, and, in severe cases, prosecution of individual officers. The reputational cost of a public enforcement action typically dwarfs the monetary penalty.


Related regulations and frameworks

Rec 20 doesn't stand alone. It depends on upstream obligations and feeds directly into downstream enforcement frameworks.

Within the FATF 40 Recommendations:

FATF Rec 1 establishes the risk-based approach that determines where to focus monitoring resources. Without a risk assessment, it's impossible to prioritize where suspicious activity is most likely to surface. FATF Rec 10 provides the customer intelligence necessary to recognize anomalous behaviour; you can't identify a suspicious transaction without understanding what a normal one looks like for that customer. FATF Rec 11 sets the five-year retention standard that applies to the STR and its underlying transaction data. FATF Rec 15 and the FATF Virtual Assets Guidance extend Rec 20 obligations to VASPs, creating STR requirements for crypto exchanges and custodians that mirror those on traditional banks.

National implementing laws:

In the US, the BSA implements Rec 20 through the SAR requirement, and the Anti-Money Laundering Act of 2020 strengthened that framework with expanded information-sharing powers. In the EU, 6AMLD and the EU AMLR implement Rec 20 across member states. In the UK, Regulation 50 of the Money Laundering Regulations 2017 carries the STR obligation in domestic law. In Singapore, MAS Notice 626 operationalises the requirement for licensed financial institutions.

Complementary reporting obligations:

The STR obligation coexists with threshold-based transaction reporting. In the US, the Currency Transaction Report (CTR) requires reporting cash transactions above $10,000 regardless of suspicion. These are separate obligations that can both apply to the same transaction.


How FluxForce supports FATF Rec 20 compliance

FluxForce's AI agents automate the alert-to-STR workflow from initial transaction monitoring through case closure. Nova Sentinel flags anomalous activity in real time. Aiden Flux drafts structured STR narratives with full audit trails and evidence attached to every decision. Compliance teams get a defensible case file for every filing and every no-file determination. Timeliness controls track alert age against filing deadlines automatically. To see how FluxForce maps to your FIU's specific reporting requirements, request a demo.
