FATF Rec 22: What It Requires and Who It Applies To

What is FATF Rec 22?

FATF Recommendation 22 is the Financial Action Task Force standard that extends customer due diligence (CDD) obligations beyond banks and financial institutions to a defined set of non-financial businesses and professions. The FATF issued the original 40 Recommendations in 1990. Recommendation 22 in its current form dates to the major 2012 revision, published in February that year, with substantive updates in 2019 and 2022. The full text, including Interpretive Notes, is available at the FATF's official publications page.

The recommendation exists because money launderers don't limit themselves to banks. Real estate transactions, legal trust structures, and high-value goods purchases have all been used to place, layer, or integrate illicit funds. The 2016 Panama Papers and 2021 Pandora Papers made this visible at scale: law firms and corporate service providers appeared in thousands of shell company structures built to obscure beneficial ownership. The FATF responded by expanding the scope of mandatory CDD to cover the professionals most often implicated.

Under Rec 22, the FATF requires countries to impose on DNFBPs the same CDD framework that governs financial institutions under Recommendation 10. That means identifying customers, verifying identity against reliable and independent sources, identifying beneficial owners, understanding the nature and purpose of the business relationship, and applying ongoing monitoring. The full Rec 10 framework carries over, including provisions for enhanced due diligence for high-risk relationships and simplified due diligence where risk is demonstrably low.

The 2012 revision added a risk-based dimension. DNFBPs aren't required to apply the same depth of checks to every transaction; the required intensity scales with the assessed risk of the customer and the transaction. That sounds reasonable. In practice, FATF mutual evaluation reports have consistently found that many DNFBPs interpret "risk-based" as permission to do less, rather than as a framework to do the right amount.

Who does FATF Rec 22 apply to?

Recommendation 22 applies to DNFBPs, a category the FATF defines explicitly in its 2012 Recommendations and Interpretive Notes. The covered entity types are:

• Casinos (including internet casinos): when customers engage in financial transactions at or above €3,000, or the equivalent threshold set by each member state
• Real estate agents: when involved in transactions for clients buying or selling real property, including acting as an intermediary or facilitator; no minimum transaction value applies
• Dealers in precious metals and stones: when engaged in cash transactions at or above €15,000 (or equivalent)
• Lawyers, notaries, and other independent legal professionals: when they prepare or carry out transactions involving real estate purchase or sale; management of client money, securities, or assets; management of bank or securities accounts; organization of company formation contributions; or acting as trustees, directors, or company secretaries
• Accountants: when performing the same categories of activity as the legal professionals listed above
• Trust and company service providers (TCSPs): when providing company formation, acting as director or company secretary, providing a registered address, or acting as a trustee for a client

The jurisdictional scope is global. FATF's 37 member jurisdictions, plus over 180 countries participating through FATF-Style Regional Bodies, are expected to implement Rec 22 into national law. The UK MLR 2017 does this for regulated businesses in Great Britain, covering law firms, accountants, estate agents, and high-value dealers under HMRC and sector-specific supervision. The EU's Anti-Money Laundering Directives carry equivalent requirements across EU member states.

One notable gap is the United States. The Bank Secrecy Act covers financial institutions comprehensively, but US DNFBP coverage remains incomplete. Real estate professionals and many lawyers operate outside formal AML programs at the federal level, a gap the FATF flagged explicitly in its 2016 and 2020 US mutual evaluation reports.

Size thresholds are transaction-based, not firm-based. A sole practitioner lawyer is as covered as a large partnership, provided the transaction type triggers the obligation.

What does FATF Rec 22 require?

The core obligations that DNFBPs must fulfill mirror those in Recommendation 10. A DNFBP must apply CDD measures when:

1. Establishing a business relationship with a new customer
2. Conducting occasional transactions at or above the applicable threshold: €3,000 for casinos, €15,000 for dealers in precious metals and stones
3. Carrying out wire transfers above threshold, where applicable to the entity type
4. Suspecting money laundering or terrorist financing, regardless of transaction size, frequency, or whether any exemption might otherwise apply
5. Doubting the accuracy or adequacy of previously obtained identification or verification data

For each trigger, the required CDD measures are:

1. Identify and verify the customer. For natural persons: government-issued photo ID, plus a second independent source where risk warrants. For legal entities: corporate registration documents, articles of association, and evidence of the registered office.
2. Identify the ultimate beneficial owner of any legal entity. The 2022 FATF update strengthened this: if controlling ownership can't be determined via shareholding records, beneficial ownership falls to the natural persons exercising effective control by other means. This cross-references FATF Rec 24 on beneficial ownership standards for legal persons and companies.
3. Understand the nature and purpose of the business relationship, including expected transaction types, volumes, and source of funds where risk warrants.
4. Apply ongoing monitoring: keep CDD data current, review transactions for consistency with the known customer profile, and escalate anomalies.
5. Apply enhanced due diligence for high-risk customers: politically exposed persons (PEPs), customers from high-risk third countries, or relationships with complex ownership structures. This means verifying source of funds, obtaining senior management approval for the relationship, and applying heightened monitoring.
6. Retain records for a minimum of five years after the business relationship ends, or five years after the date of an occasional transaction.
7. File suspicious transaction reports (STRs) with the national financial intelligence unit when the DNFBP knows, suspects, or has reasonable grounds to suspect that funds are proceeds of criminal activity. This obligation connects directly to FATF Rec 20 on suspicious transaction reporting requirements.

The risk-based approach requires a documented risk assessment at the firm level. It's not enough to say the firm operates on a risk-based approach; examiners want to see the written assessment showing how the firm identified its exposure and how that shaped its CDD procedures.

What evidence do regulators expect?

On exam day, the examiner's job is to test whether the DNFBP's AML/CDD program actually runs, not just whether it was designed. The typical audit checklist covers:

• Written AML/CDD policies and procedures: Current, approved by senior management, reviewed at least annually. The policy must specify CDD trigger thresholds, the information collected for each customer type, escalation procedures for suspicious activity, and the firm's documented risk appetite.
• Firm-level ML/TF risk assessment: A written assessment of the firm's exposure to money laundering and terrorist financing risk, updated whenever the business changes materially. Examiners look for evidence that the assessment shaped the firm's procedures, not just that it sits in a compliance folder unread.
• Customer due diligence files: For each customer who triggered CDD, the examiner expects to find identity documents collected, the verification method used, the beneficial ownership determination, a record of the relationship's purpose, and the date of the last file review.
• Transaction monitoring records: Evidence of ongoing scrutiny. For law firms and accountants, this means client matter reviews. For real estate agents, documented transaction file checks. For dealers, transaction logs covering all cash receipts above threshold.
• STR/SAR records: Any reports filed, with dates, the basis for suspicion, and FIU reference numbers. Non-filing is also examined: examiners may ask why specific high-risk customers never generated a report.
• Staff training records: Logs showing all relevant staff completed AML training in the past 12 months, plus evidence of refresher training after significant regulatory changes.
• Sanctions and PEP screening logs: Records showing customers were screened against sanctions lists and politically exposed persons databases, with the date and outcome of each screen.

Examiners don't only review the policy binder. They pull random customer files and test whether documented procedures match what the firm actually did. Gaps between policy and practice are the most common finding in DNFBP examinations.

Common failure modes

These patterns keep appearing in published enforcement actions and supervisory findings. They're not exotic. Most are the same institutional inertia, appearing across different sectors.

• CDD triggered too late: Real estate agents completing transactions before verifying the buyer's or seller's identity, sometimes waiting until post-closing. The obligation attaches at the point of business relationship establishment, not at completion.
• Beneficial ownership left unresolved: The firm collected identity documents for the signatory director but stopped there, never attempting to identify the beneficial owner behind the corporate structure. This is the most consistently cited gap in DNFBP examinations across jurisdictions.
• Source of funds accepted but not verified: Lawyers and accountants routinely accept client assertions about funds origin for high-risk customers, including PEPs and individuals from high-risk countries, without seeking corroborating documentation. Enhanced due diligence requires verification.
• CDD files not updated: Customer records completed at onboarding and never revisited, even after years of the ongoing relationship, changes in customer circumstances, or updates to country risk ratings.
• Low STR filing rates: The FATF's 2022 Guidance on the Risk-Based Approach for Real Estate Agents specifically identified low suspicious transaction reporting as a systemic problem in the real estate sector globally. Some firms had never filed a single STR despite years of operation in high-risk markets.
• Third-party CDD reliance without oversight: Using another professional's CDD records without verifying their adequacy, then discovering the underlying CDD was incomplete or outdated.
• Training that doesn't land: Annual AML training "completed" on paper but with no evidence of staff comprehension. Examiners test staff directly in interviews; the answers reveal whether training was meaningful or a checkbox exercise.

Penalties for non-compliance

FATF itself is a standard-setter; it doesn't levy fines. Enforcement happens at the national level, and the trend over the past five years has moved firmly toward formal supervision with real consequences for DNFBPs.

United Kingdom: HMRC supervises estate agents, high-value dealers, accountancy service providers, and TCSPs for AML compliance. HMRC's 2022-23 Anti-Money Laundering Supervision Annual Report documented 1,126 compliance interventions and £5.6 million in penalty assessments across its supervised DNFBP sectors that year alone. Law firms fall under Solicitors Regulation Authority (SRA) supervision; the SRA's 2022 thematic review of AML controls found that 21 of 40 inspected firms had significant CDD failures, including missing beneficial ownership determinations and absent source of wealth checks for high-risk clients.

United States: FinCEN's Geographic Targeting Orders (GTOs) for residential real estate have been in place since 2016 and were expanded nationally in 2021. They require title insurance companies to identify beneficial owners in all-cash purchases above specified thresholds. FinCEN has proposed extending formal AML program requirements to investment advisers and residential real estate professionals: FinCEN real estate GTOs.

Australia: The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 brought lawyers, accountants, and real estate agents into the AUSTRAC framework for the first time. Penalties under the AML/CTF Act run up to AUD 22.2 million per contravention for serious and repeated failures. See: AUSTRAC new regulated businesses.

FATF grey-listing: Countries that fail Rec 22 implementation risk grey-listing through the FATF's International Co-operation Review Group process. Malta and the Cayman Islands both faced grey-listing processes partly linked to DNFBP supervision deficiencies, with direct consequences for correspondent banking access.

Related regulations and frameworks

FATF Rec 22 sits within the broader FATF 40 Recommendations framework. Recommendation 10 sets the CDD standard that Rec 22 imports by reference, so any revision to Rec 10 directly affects DNFBP obligations. FATF Rec 24 addresses beneficial ownership transparency for legal persons, which directly underpins Rec 22's UBO identification requirements. For suspicious transaction reporting, DNFBPs operating under Rec 22 are simultaneously subject to FATF Rec 20.

At the national level, implementing legislation varies:

• EU: The Third (2005), Fourth (2015), Fifth (2018), and Sixth (2018/2019) Anti-Money Laundering Directives progressively expanded DNFBP coverage. The EU AMLR (Regulation 2024/1624), applicable from 2027, replaces the directives with a directly applicable regulation and tightens DNFBP requirements further, including stricter beneficial ownership verification and harmonized penalties.
• UK: The UK MLR 2017 implements Rec 22 for UK law firms, accountants, estate agents, high-value dealers, and TCSPs, supervised by HMRC, the SRA, FCA, ICAEW, and other sector-specific bodies.
• Australia: The AML/CTF Amendment Act 2024 brings Rec 22-equivalent obligations to DNFBPs for the first time, with a phased implementation timeline running through 2026.
• Singapore: Financial institutions fall under MAS supervision; DNFBPs are regulated by separate sector authorities, though the framework aligns with FATF standards.

For firms navigating related US obligations, the FinCEN CDD Rule governs CDD for covered financial institutions and provides useful context for how Rec 22 principles translate into a formal regulatory structure. The two frameworks share the same underlying logic on beneficial ownership identification and ongoing monitoring.

How FluxForce supports FATF Rec 22 compliance

FluxForce's AI agents automate the CDD workflows that DNFBPs struggle to run manually: customer identity verification, beneficial ownership tracing, ongoing monitoring, and enhanced due diligence escalation for high-risk relationships. Every decision produces a documented audit trail, so examiners see the evidence they expect from day one. The platform's configurable risk thresholds adapt to each DNFBP type, whether a real estate firm, law practice, accounting firm, or TCSP. To see how the agents handle a Rec 22 compliance workflow in practice, book a live demo.