FATF Rec 24: What It Requires and Who It Applies To

What is FATF Rec 24?

FATF Recommendation 24 is the global standard on beneficial ownership of legal persons, issued by the Financial Action Task Force, the Paris-based intergovernmental body that sets anti-money laundering and counter-terrorism financing standards for its 39 member jurisdictions. The recommendation was first adopted as part of the 2012 revision of the FATF Recommendations and underwent a major strengthening in March 2022, when FATF published revised standards following a global consultation that found widespread deficiencies in corporate transparency across member countries. The full text is available at the FATF Recommendations page.

The core problem Rec 24 addresses is the use of legal persons, companies, foundations, and similar corporate structures to conceal criminal ownership of assets. A shell company with no identifiable human owner is one of the oldest tools in money laundering. Rec 24 requires countries to take one of two approaches: mandate that companies themselves hold current beneficial ownership information and make it available to competent authorities on request, or establish a central registry that holds this data. The 2022 revision pushed countries toward the registry approach and introduced minimum data quality requirements.

Under FATF's definition, a beneficial owner is any natural person who ultimately owns or controls a legal entity. The 25 percent ownership threshold is the most widely applied benchmark across implementing jurisdictions, though Rec 24 does not itself mandate a single number. Control can also arise through voting rights, board positions, or informal mechanisms. If someone controls an entity without formal share ownership, they're a beneficial owner regardless.

Countries are assessed on Rec 24 compliance through FATF mutual evaluations. A poor score can result in enhanced follow-up monitoring or placement on the FATF "grey list," which carries substantial correspondent banking and market access consequences. According to FATF's 2023 Guidance on Beneficial Ownership of Legal Persons, the most common deficiency found across mutual evaluations remains the inability of competent authorities to access timely, accurate ownership data.

Who does FATF Rec 24 apply to?

Rec 24 operates at two levels: the country level and the obliged entity level.

At the country level, every FATF member government must establish mechanisms to collect, verify, and share beneficial ownership data on legal persons incorporated in its jurisdiction. This applies regardless of company size, sector, or revenue.

At the obliged entity level, the institutions that must identify and verify UBOs include:

• Banks and credit institutions of all sizes: retail banks, investment banks, credit unions, and savings institutions. Opening a corporate account requires identifying every beneficial owner above the applicable threshold before the relationship begins.
• Securities dealers and investment firms subject to AML obligations. In the United States, the FinCEN CDD Rule codifies this obligation for covered financial institutions, including brokers, dealers, mutual fund operators, and futures commission merchants.
• Insurance companies writing life insurance and investment-linked products.
• Money service businesses and payment institutions, including fintechs offering business accounts and embedded finance products to corporate customers.
• Designated non-financial businesses and professions (DNFBPs): lawyers, accountants, notaries, trust and company service providers, real estate agents, and high-value dealers when they assist in forming, managing, or transacting through companies. FATF Rec 22 extends full CDD obligations to this sector.
• Virtual asset service providers (VASPs) onboarding corporate customers, in line with FATF's extended guidance on virtual assets.

There are no revenue or headcount exemptions in Rec 24 itself. Some national implementations carve out micro-entities or dormant companies, but the default FATF position is full coverage. Multinationals regularly face concurrent beneficial ownership obligations under UK, EU, US, and FATF-member rules simultaneously, which means the same corporate structure may need to be documented multiple times for different regulators.

What does FATF Rec 24 require?

The March 2022 revision clarified and expanded specific obligations across both country-level mechanisms and obliged entity conduct. In practical terms, compliance requires:

1. Identify beneficial owners before or at the point of onboarding. Obtain the full name, date of birth, nationality, and identity document details of every natural person owning 25 percent or more, or exercising effective control. Know Your Business (KYB) processes must look through every corporate layer to reach the actual human beings, not stop at the first legal entity encountered.

2. Verify information using reliable, independent sources. Self-declaration by the customer is not sufficient on its own. Institutions must cross-check against government-held registers, commercial corporate databases, and certified identity documents. Where a national beneficial ownership register exists, checking it is expected.

3. Update records on a risk-sensitive basis. FATF doesn't specify a fixed review cycle, but the mutual evaluation methodology expects institutions to demonstrate that higher-risk relationships trigger more frequent reviews. Annual review is the standard for high-risk corporate customers; one to three years is typical for standard-risk profiles, with ad hoc reviews triggered by ownership changes or adverse media.

4. Retain all records for at least five years after the end of the business relationship or after the date of an occasional transaction. This aligns with FATF Recommendations 11 and 12 on record-keeping more broadly.

5. Report discrepancies to competent authorities when information gathered during Customer Due Diligence (CDD) contradicts what a national beneficial ownership register shows. The 2022 revision introduced this obligation explicitly, targeting the data quality gap that mutual evaluations consistently found.

6. Apply Enhanced Due Diligence (EDD) where ownership structures involve multiple jurisdictions, nominee arrangements, bearer shares, or other high-risk features. Complexity is not an excuse for incomplete records.

7. Refuse or exit the relationship if beneficial ownership cannot be established after reasonable efforts. Filing a suspicious transaction report may also be appropriate at that point.

At the country level, the 2022 revision requires that legal persons themselves hold current beneficial ownership information and provide it to authorities within a defined timeframe, typically no more than a few business days. Registers must have mechanisms to check data accuracy, not merely collect what companies self-report.

What evidence do regulators expect?

When examiners review Rec 24 compliance, they want a paper trail proving the institution knows who it's dealing with. Specifically:

• Written beneficial ownership policy and procedure, version-controlled and dated, covering the applicable threshold, the definition of control, escalation paths for complex structures, and the process for ongoing monitoring. A policy that hasn't been updated since before the 2022 revision will draw questions.
• Onboarding checklists or workflow records showing beneficial ownership was captured before account activation. System-generated audit logs are more credible than manual checklists because they're harder to alter after the fact.
• Source documentation behind each UBO's identity: passport copies or national ID certificates, articles of incorporation showing ownership percentages, and printouts or screenshots from authoritative registers such as Companies House, SEC EDGAR, or FinCEN's BOI system.
• Training records confirming all relevant staff, including relationship managers and onboarding teams, completed AML and KYB training covering beneficial ownership within the past 12 months. Examiners expect staff to be able to explain the obligation, not just acknowledge a policy exists.
• Periodic review records: the date of each review, who conducted it, what triggered it, and what was found. If a customer's ownership structure changed after onboarding and the file wasn't updated, examiners will find it.
• Discrepancy reports: any instance where CDD findings contradicted a public register entry should be documented, escalated, and reported to the relevant authority where the jurisdiction requires it.
• Internal audit or QA sampling results showing the institution tests its own compliance and tracks remediation. A control framework with no evidence of self-testing is treated as a framework on paper only.
• Escalation files for any corporate customer where beneficial ownership could not be fully resolved: the steps taken, the findings, and the decision made.

Common failure modes

FATF mutual evaluations and domestic enforcement actions tell a consistent story. The failures are rarely exotic.

• Stopping at the first corporate layer. An institution records a holding company as the shareholder at 60 percent and closes the file. The natural person owning that holding company never appears. FATF's follow-up evaluation of the United States, published in 2021, found this pattern in a reviewed sample of large bank corporate customer files.
• Treating self-certification as verification. A customer declares an ownership percentage; the institution records it without checking the corporate registry or articles of incorporation. When regulators audit, there's nothing in the file except the customer's own word.
• Stale records. Corporate structures change through acquisitions, restructurings, and estate events. TD Bank's October 2024 enforcement action with FinCEN, which resulted in $1.3 billion in civil money penalties from FinCEN alone (with a combined total exceeding $3 billion across US agencies), cited the bank's systematic failure to maintain current CDD files, including beneficial ownership data, across its US business. FinCEN, TD Bank Enforcement Action, October 2024.
• Nominee shareholder blind spots. A shareholder agreement puts one person's name on share certificates while another holds the economic interest. Without reviewing shareholder agreements and side letters, institutions miss this routinely.
• No discrepancy reporting. Multiple EU member state evaluations cited institutions that saw clear mismatches between CDD files and national registers and did nothing with the finding. This is exactly why the 2022 revision made discrepancy reporting a specific, affirmative obligation.
• Complex structure paralysis. Trusts, foundations, and multi-jurisdictional holding chains are genuinely harder. But regulators don't accept "it's complicated" as a defense. Institutions that can't resolve a structure must escalate and decide whether to proceed, not file incomplete records and hope for the best.

Penalties for non-compliance

Non-compliance with beneficial ownership requirements carries concrete financial and operational consequences.

FATF doesn't impose fines directly; national regulators do. But the ranges are large.

In the United States, FinCEN can impose civil money penalties of up to $1 million per willful violation under the Bank Secrecy Act. The BSA also supports criminal referrals that expose compliance officers to personal liability. TD Bank's October 2024 enforcement action resulted in a combined $3 billion in penalties from FinCEN ($1.3 billion), the DOJ ($1.8 billion), the OCC, and the Federal Reserve, one of the largest AML enforcement actions in US history. Capital One received a $390 million FinCEN penalty in 2021 for BSA violations that included CDD failures.

In the United Kingdom, the Financial Conduct Authority operates under UK MLR 2017 and can levy unlimited fines. Deutsche Bank received a £163 million penalty from the FCA in January 2017 for anti-money laundering control failures, including inadequate due diligence on certain client types in its UK business. FCA Final Notice, Deutsche Bank AG, January 2017.

In the European Union, 6AMLD requires member states to impose sanctions of at least €5 million or 10 percent of annual turnover for serious violations, with criminal liability for individuals in some member states.

Beyond fines, regulators can restrict business activity, revoke licenses, require independent compliance monitors (typically costing $5-20 million per year), and publish enforcement findings. Public enforcement actions on beneficial ownership failures damage correspondent banking relationships and, in some cases, trigger exit decisions by counterparties.

Related regulations and frameworks

Rec 24 sits within FATF's broader 40 Recommendations and interacts with a range of national and supranational instruments.

Within the FATF family, FATF Rec 22 extends identical beneficial ownership identification requirements to DNFBPs. FATF Rec 20 on suspicious transaction reporting becomes relevant when a beneficial ownership investigation uncovers red flags that don't resolve cleanly. Rec 25, the companion recommendation, applies the same logic to legal arrangements, primarily trusts.

In the United States, the FinCEN CDD Rule (effective May 2018) is the implementing rule for financial institutions, requiring identification of beneficial owners at the 25 percent threshold. The Corporate Transparency Act (2021) created a national beneficial ownership information register at FinCEN, effective January 2024, though enforcement has been subject to ongoing litigation. The BSA is the overarching framework within which both rules operate.

In the European Union, the EU AMLR 2024 consolidates AML obligations, including beneficial ownership, into a directly applicable regulation for the first time, replacing the directive-based approach that previously left significant inconsistency across member states. Supervision of the largest cross-border institutions will move to the new EU AMLA authority from 2028.

In the United Kingdom, the Money Laundering Regulations 2017 implement Rec 24 domestically. Companies House's People with Significant Control register is the UK's national beneficial ownership register; discrepancy reporting to Companies House by regulated firms became mandatory in 2023.

There's one live legal tension worth noting. The Court of Justice of the European Union ruled in November 2022 (joined cases C-37/20 and C-601/21) that unlimited public access to EU beneficial ownership registers was incompatible with GDPR privacy rights. Member states are still adjusting access rules as a result, creating compliance uncertainty for institutions that relied on public register access as part of their verification process.

How FluxForce supports FATF Rec 24 compliance

FluxForce's AI agents automate the end-to-end beneficial ownership workflow: structured data extraction from corporate filings, multi-source cross-referencing against government registers, and real-time alerts when ownership structures change. Nova Sentinel flags discrepancies between self-reported ownership and public registry data before they become examiner findings. Every determination includes full evidence trails for audit purposes. For institutions managing large corporate books, this cuts manual research time per entity from hours to minutes. Request a demo to see how FluxForce handles complex multi-layer ownership structures.