FATF Rec 22: What It Requires and Who It Applies To
FATF Recommendation 22 is a global anti-money laundering standard issued by the Financial Action Task Force that requires Designated Non-Financial Businesses and Professions (DNFBPs) to apply customer due diligence measures equivalent to those imposed on financial institutions. The obligation took effect with FATF's revised 2012 Recommendations and covers casinos, real estate agents, lawyers, accountants, dealers in precious metals and stones, and trust and company service providers worldwide.
What is FATF Rec 22?
FATF Recommendation 22 is a global anti-money laundering standard issued by the Financial Action Task Force (FATF) that extends customer due diligence obligations to Designated Non-Financial Businesses and Professions (DNFBPs). The current version took effect in February 2012 as part of FATF's comprehensive revision of its 40 Recommendations; the standard has been updated multiple times since, with amendments adopted through 2023.
The regulation exists because money launderers learned quickly that transacting through a real estate agent or a law firm attracted far less scrutiny than doing the same through a bank. Before the 2012 revisions, DNFBPs often operated with minimal identity verification controls. Property purchases, corporate structuring by lawyers, and precious metals dealing appeared repeatedly in FATF typologies reports as preferred channels for illicit funds.
Rec 22 addresses this by incorporating by reference the core CDD obligations in FATF Recommendation 10, the record-keeping requirements in FATF Recommendation 11, and the suspicious transaction reporting obligation in FATF Recommendation 20. A lawyer managing a property transaction faces the same identity verification and beneficial ownership checks as the bank financing the same deal.
FATF member jurisdictions are obligated to transpose Rec 22 into national law. Compliance is assessed through Mutual Evaluation Reviews, and the results are published on the FATF website. A poor rating triggers enhanced follow-up and, in serious cases, grey listing with real economic consequences for the jurisdiction's financial sector. The official text is available at the FATF publications page.
Who does FATF Rec 22 apply to?
The FATF Glossary defines six DNFBP categories. Coverage is activity-specific, not sector-wide. A lawyer who litigates employment disputes has no FATF obligation under Rec 22. The same lawyer who incorporates a company or manages client funds does.
Covered entities and the activities that trigger the obligation:
- Casinos (including internet casinos): CDD applies when a customer conducts a transaction of USD/EUR 3,000 or more, or when a business relationship is established. High-value patrons purchasing chips or making wire withdrawals are the primary focus.
- Real estate agents: Applies when the agent assists in buying or selling real estate. Both purchase and sale sides of a transaction are covered. The obligation sits with the agent, not only with the conveyancing lawyer.
- Dealers in precious metals and stones: Applies to cash transactions of USD/EUR 15,000 or more. Structuring cash payments just below this threshold is a known evasion pattern and a red flag in its own right.
- Lawyers, notaries, other independent legal professionals, and accountants: CDD is required when these professionals prepare or execute transactions involving real estate or business entity purchases and sales; management of client money, securities, or other assets; opening of bank or investment accounts; contributions to company creation; and creation, operation, or management of legal persons or arrangements. Purely advisory work and litigation fall outside scope.
- Trust and company service providers (TCSPs): Applies when TCSPs form companies or other legal persons; act as or arrange for another person to act as a director, secretary, partner, or trustee; provide a registered office, business address, or correspondence address for a fee; or act as nominee shareholders.
In the UK, the Money Laundering Regulations 2017 implement Rec 22 and designate HMRC as the primary supervisory authority for most DNFBP sectors outside regulated financial services. Professional body supervisors, including the Law Society and the Institute of Chartered Accountants, oversee their respective professions under the same framework.
What does FATF Rec 22 require?
The core obligations mirror the customer due diligence requirements imposed on financial institutions. DNFBPs must:
- Identify and verify customer identity before or during establishment of a business relationship. For natural persons: full legal name, date of birth, nationality, and a government-issued document. For legal entities: company name, legal form, proof of existence (certificate of incorporation or equivalent), registered address, and identity of the persons authorised to bind the entity.
- Identify the beneficial owner and take reasonable measures to verify their identity. The standard threshold is 25% ownership or control, though some jurisdictions apply a lower threshold for higher-risk sectors. Stopping at the first legal entity in a structure is not sufficient.
- Understand the purpose and nature of the business relationship. Document why the client is engaging the DNFBP's services and what types of transactions are expected. This baseline is what ongoing monitoring is measured against.
- Conduct ongoing due diligence. CDD is not a one-time event at onboarding. Transactions must be monitored against the client's risk profile, and records must be updated when material changes occur. The frequency and depth of review should reflect the risk rating.
- Apply enhanced due diligence in higher-risk situations. EDD is mandatory for politically exposed persons, non-face-to-face relationships, complex or unusual transactions without an apparent economic rationale, and any situation the risk assessment flags as elevated.
- Maintain records for a minimum of five years after the business relationship ends or the transaction completes. Records must include the identity documents obtained, transaction records sufficient to reconstruct the transaction, and business correspondence.
- File suspicious transaction reports with the national Financial Intelligence Unit when there's knowledge or suspicion of money laundering or terrorist financing. Legal privilege is a narrow carve-out in most jurisdictions; it covers specific legal advice and litigation preparation. It does not cover the underlying transaction itself.
- Decline or terminate a business relationship if CDD can't be completed. A client who refuses to disclose beneficial ownership information is a client who should be declined.
- Calibrate the intensity of CDD to actual risk. Higher-risk clients require more scrutiny; lower-risk clients may qualify for simplified measures where national law permits.
What evidence do regulators expect?
Examiners arrive with a sample selection methodology and a checklist. Written policies alone don't satisfy them. What they look for:
- Written AML/CDD policies and procedures specific to the DNFBP's sector and activity types. A generic template borrowed from a financial institution won't match the actual risk profile and will be noted as a deficiency.
- Customer risk assessment methodology: a documented framework for assigning risk ratings and the factors that drive them. Examiners test a sample of live client files against this methodology to check consistency between written policy and actual practice.
- KYC files for a sample of active and recently closed relationships: dated identity documents, source of funds or wealth assessments for higher-risk clients, and the documented rationale for the risk rating assigned. Missing documents or unexplained gaps in the file are immediate findings.
- Ongoing monitoring records: evidence that the monitoring process generates and resolves alerts. A monitoring system with zero alerts over two years raises serious questions, particularly if the client base includes high-net-worth individuals or complex corporate structures.
- EDD files for politically exposed persons and other elevated-risk clients: source of wealth verification, senior management approval of the relationship, and a record of enhanced monitoring activity.
- Staff training records: dates, content covered, attendance, and assessment results. Training must address sector-specific red flags, not only generic AML theory.
- Suspicious transaction report logs: internal referral records, decision rationale, and filed STRs. Examiners want to see the decision trail, not just a count of reports submitted.
- Governance documentation: senior management reporting on AML risk and board-level sign-off on the risk appetite statement.
Common failure modes
DNFBPs across all sectors show the same failure patterns, and enforcement records confirm this.
- One-and-done onboarding. The firm collects an ID at the start of the relationship and considers CDD complete. Two years later, the client is wiring funds to jurisdictions not mentioned at onboarding, and no one has reviewed the file. Ongoing monitoring is a written requirement, not an optional extra.
- Shallow beneficial ownership checks. Firms record the first legal entity they encounter and stop. The natural person behind a two-layer offshore structure never gets identified. This is the most frequently cited finding in FATF mutual evaluation reports for DNFBP sectors.
- No documented risk rationale. The file shows a risk rating of "medium" with no explanation of why. Examiners ask for the methodology and find the rating was assigned informally, with no reference to the written policy.
- Overconfidence in legal privilege. Some lawyers treat the entire client relationship as privileged and decline CDD or refuse to report suspicious activity. The exemption covers specific legal advice and litigation preparation. It does not cover the transaction itself.
- EDD gaps for politically exposed persons. A government official buying commercial property is a PEP by definition. Real estate agents consistently fail to recognise this, or to apply the additional scrutiny required.
- Stale training records. Training records exist from two or three years ago, but current staff have no record of completion. Examiners verify training records against employment start dates.
HMRC's annual AML supervision reports document penalty decisions and enforcement patterns across DNFBP sectors including estate agency and accountancy. These reports are publicly available at GOV.UK.
Penalties for non-compliance
Penalties have increased materially over the past decade and are no longer nominal.
In the UK, HMRC issues civil monetary penalties for CDD failures, with individual firms receiving amounts ranging from tens of thousands of pounds for procedural deficiencies to hundreds of thousands for systemic breakdowns. HMRC can also apply fit-and-proper test failures that bar individuals from working in supervised DNFBP sectors. The FCA applies separate sanctions for any regulated-activity component, with AML-related fines in the seven-figure range for serious cases.
In the EU, the Fourth and Fifth AML Directives require member states to impose administrative sanctions of at least EUR 1 million against natural persons and EUR 5 million (or 10% of annual group turnover, whichever is higher) against legal persons for serious, repeated, or systemic violations. The EU AML Regulation (2024) raises these minimums and enables the new EU AMLA to impose penalties directly on the highest-risk cross-border firms, including large TCSPs.
Criminal liability is a separate exposure. In the UK, sections 327-329 of the Proceeds of Crime Act 2002 create offences carrying up to 14 years' imprisonment for those who conceal, arrange, or acquire criminal property. Section 330 creates a failure-to-disclose offence applicable to regulated professionals who had suspicion or knowledge and did not report.
At the jurisdictional level, poor DNFBP compliance contributes to a country's Mutual Evaluation score. Countries rated non-compliant or partially compliant on Rec 22 face enhanced follow-up and potential grey listing. Grey listing triggers correspondent banking repricing, increased due diligence from international investors, and potential exclusion from key financial markets.
Related regulations and frameworks
Rec 22 doesn't operate in isolation. It imports obligations from related recommendations and is given effect through national law in every FATF member jurisdiction.
FATF Recommendation 10 is the CDD standard that Rec 22 mirrors for DNFBPs. If Rec 10 is amended, Rec 22 changes with it. The two should be read together.
FATF Recommendation 23 is the direct companion to Rec 22. While Rec 22 covers CDD obligations, Rec 23 covers internal controls, AML program requirements, and supervisory arrangements for DNFBPs. Together, they define the full compliance framework for covered sectors.
FATF Recommendation 24 addresses beneficial ownership transparency for legal persons. TCSPs that form companies or provide nominee arrangements sit at the intersection of Rec 22 (their own CDD obligations) and the transparency chain that Rec 24 is designed to make visible.
EU AML framework: The Fourth AML Directive, set out in Directive 2015/849/EU, implemented Rec 22 across EU member states by 2017. The EU AMLR (2024) consolidates and raises these obligations, with the new EU AMLA gaining direct supervisory authority over cross-border DNFBPs from 2028.
UK MLR 2017: The Money Laundering Regulations 2017 implement Rec 22 in UK law, with HMRC as the primary DNFBP supervisor for most sectors outside regulated financial services.
US: DNFBPs remain largely outside specific federal AML requirements. FinCEN has proposed rules targeting real estate professionals and investment advisers. The absence of a comprehensive federal DNFBP AML framework was a significant finding in the FATF's Mutual Evaluation of the United States.
How FluxForce supports FATF Rec 22 compliance
FluxForce AI agents automate the CDD and ongoing monitoring obligations that Rec 22 imposes on DNFBPs. Aiden Flux handles customer identity verification and risk scoring at onboarding. It flags beneficial ownership gaps before a relationship is established. Nova Sentinel monitors ongoing client activity against the established risk profile and generates alerts when transactions diverge from expected patterns. Both agents produce full decision explanations. Compliance teams get the documented rationale examiners expect on audit day. To see how this works in a DNFBP context, request a demo.