FATF ¦ Money Laundering National Risk Assessment Toolkit – Annexes A-C

Strengthening National Defenses: Practical Lessons from the FATF Money Laundering National Risk Assessment Toolkit (Annexes A–C)

The FATF Money Laundering National Risk Assessment Toolkit (Annexes A–C) provides focused, practical guidance for jurisdictions confronting some of the most challenging elements of modern ML risk: corruption, virtual assets and VASPs, opaque legal persons and arrangements, and the informal economy. It emphasizes that NRAs are not one-size-fits-all: countries must adapt methods to local context, document assumptions and data gaps, and engage both public and private stakeholders to collect and validate evidence. The Toolkit lays out concrete data sources — from STRs and tax records to court judgments, procurement data and blockchain analytics — and offers case studies and checklists for drilling into sectoral vulnerabilities and typologies.

Annex C maps fit-for-purpose assessment instruments — World Bank, IMF and Council of Europe tools — while Annex A supplies quick guides for difficult thematic areas. Across the package the message is consistent: produce manageable, accessible NRAs that prioritize where risk is highest, enable proportionate supervisory and legislative responses (for example, BO registries or VASP regimes), and include monitoring and review processes so risk understanding, controls and enforcement evolve alongside new technologies and cross-border threats.

Assessing corruption-related laundering risks

The FATF Toolkit’s Annex A highlights corruption as a pervasive and high-impact predicate offence that frequently drives money laundering. Effective national assessment must go beyond headline indices and examine how corruption manifests locally — public procurement, natural resource extraction, small-scale bribery, or state capture — and how those manifestations interact with legal persons, trusts, informal markets and cross-border flows. Useful inputs include court decisions, FIU STRs, Mutual Legal Assistance (MLA) requests, public procurement and tax data, and investigative journalism. Where data are thin, the Toolkit encourages documenting gaps and treating “insufficient evidence” as a meaningful finding that can guide capacity building, targeted research and an action plan to lift future NRA accuracy. Practical steps in the Toolkit include mapping PEP exposure, tracing common typologies (shell companies, nominee directors, use of trusted intermediaries), and integrating corruption risk findings with sectoral analyses such as public procurement and natural-resource sectors so mitigation measures are focused and measurable.

Evaluating virtual assets and VASPs

The Toolkit makes clear that many jurisdictions still struggle to deliver robust VA/VASP risk assessments. Annex A explains the differences between virtual assets and traditional finance — rapid cross-border transfers, varying regulatory coverage, anonymity services, and the need for blockchain analytics expertise — and sets out a practical approach to assessing VA-related ML risk. Countries should treat VA and VASPs together, identify the types of assets and services present, map licensed versus unlicensed activity, and evaluate how VASPs interact with banks, PSPs and Designated Non-Financial Business or Professions (DNFBPs). The Toolkit emphasizes tailored stakeholder engagement — FIUs, VASP supervisors, cyber authorities, blockchain analytics firms and industry — to gather data, develop red-flag indicators, and feed the NRA into risk-based supervision and targeted outreach. Whether a jurisdiction opts for prohibition, restrictions, or licensing, Annex A stresses that a decision must be evidence-based, reassessed regularly and supported by enforcement and international cooperation to avoid regulatory arbitrage.

Bastian Schwind-Wagner_Follow "The FATF ML NRA Toolkit, Annexes A–C, gives pragmatic, evidence‑based guidance to help jurisdictions identify high‑risk threats—corruption, VA/VASPs, opaque legal entities and the informal economy—fill key data gaps, and convert findings into targeted supervisory and enforcement action. It stresses national ownership, cross‑agency coordination and iterative updates so NRAs remain usable, proportionate and action‑oriented."

Tackling legal-person and legal-arrangement vulnerabilities

Legal persons and arrangements remain core enablers for concealment and cross-border laundering. Annex A and Annex B focus on mapping the full universe of entity types and trust-like arrangements, domestic and foreign, and on assessing the ease and speed of formation, gaps in beneficial ownership transparency, nominee services, and sectoral concentration. Good practice examples in the Toolkit show value in combining quantitative registry, tax and STR data with qualitative expert interviews and typologies from prosecutions. Countries should assess “sufficient links” that pull foreign entities or trusts into domestic vulnerability scopes, adopt or refine BO definitions consistent with FATF guidance, and ensure data flows to supervisors and reporting entities so risk-based due diligence and supervisory activity can be effective.

Measuring and addressing the informal economy

The Toolkit discusses the formal/informal economy nexus as both a contextual factor and a vulnerability. Large cash economies, high levels of informal employment and financial exclusion increase opportunities for ML and reduce visibility for STR filing and tax enforcement. The guidance advises using labour and enterprise surveys, central bank cash statistics, tax data, microfinance and mobile-money metrics, and supervisory intelligence to estimate scale and direction of risk. It also stresses that promoting financial inclusion and proportionate, risk-based simplified measures is a mitigation strategy: bringing transactions into regulated rails raises traceability and reduces ML opportunity without compromising legitimate access.

Methods, tools and international comparators

Annex C gives a practical toolbox and describes external methodologies countries can use or adapt: the World Bank’s generic NRA tool (scenario- and modular-based, useful for jurisdictions with limited data), the IMF’s framework (structured around likelihood and consequences with web-based surveys and perception inputs), and the Council of Europe’s Economic Crime and Cooperation Division (ECCD) approach (flexible, participatory, solution-oriented). Each tool differs in emphasis — threat quantification, vulnerability modelling, consequence analysis, stakeholder procedures — but all stress national ownership, multi-agency coordination, the need for private‑sector engagement, and iterative updating. The FATF Toolkit repeatedly urges countries to document assumptions, evidence and data gaps, and to produce NRAs that are accessible, actionable and proportionate to the national context.

From assessment to action: using findings to prioritise and measure effectiveness

The Toolkit underscores that the NRA’s most valuable role is to inform prioritisation: focusing supervisory resources, shaping targeted guidance and red-flag indicators, supporting investigations and MLA requests, and guiding legislative or registry reforms (for example, BO registries or VASP licensing). Good NRAs combine sectoral “vertical” studies (e.g., VASPs, trusts, procurement) with national-level threat analysis and set out clear, time-bound action plans that identify responsible agencies, data collection improvements, metrics for assessing implementation, and periodic reassessment cycles. Where prosecution and asset recovery capacity is weak, NRAs should explicitly connect capacity building with the sectors and techniques that produce greatest harm or pose the greatest systemic risk.

Dive deeper

• FATF ¦ Money Laundering National Risk Assessment Toolkit – Annexes A-C ¦ Link