19 April 2026
FATF Fifth-Round Mutual Evaluations
What’s changed and why industry must engage
The FATF’s fifth-round mutual evaluations mark a clear shift in emphasis from checking whether laws and rules exist to assessing how effectively those measures operate in practice. For AML professionals, business leaders and regulated entities, this means preparation must go beyond technical compliance to demonstrate genuine, measurable outcomes. Greylisting remains a key business risk – it can damage reputation, reduce investment and strain correspondent banking relationships – and the new round of evaluations increases scrutiny on how jurisdictions and the private sector manage and mitigate that risk.
How the fifth round works – process and practicalities
Mutual evaluations are carried out by multi-disciplinary teams drawn from different countries, typically including law enforcement, financial supervisors, legal experts and sector specialists. The process starts with a scoping note and pre-assessment training from the secretariat, then proceeds through two main submissions: technical compliance (are the rules in place?) and effectiveness (are they working?). On-site visits last two to three weeks and the assessment looks back across four to five years of data. Ratings for effectiveness use four levels – low, moderate, substantial and high – across 11 Immediate Outcomes (IOs). These IOs cover national risk understanding, supervisors’ and industry’s performance, financial intelligence, investigations and prosecutions, asset recovery and measures against terrorist and proliferation financing.
Key changes in the fifth round
There are several noteworthy changes that industry and regulators must factor into their preparations:
- Stronger emphasis on effectiveness. The assessment prioritizes real-world results over ticking legislative boxes. Demonstrable outputs and impact matter.
- Greater focus on risk and context. National and sectoral risk assessments are central. Assessors expect those assessments to be comprehensive, regularly updated and widely shared, and they expect industry-level risk assessments to reflect them.
- Separation of financial sectors and DNFBPs. IO3 (financial institutions and VASPs) and IO4 (designated non-financial businesses and professions such as lawyers, accountants, dealers in precious metals and stones, TCSPs) are evaluated separately. This highlights DNFBP issues that could previously be obscured within aggregate findings.
- Increased attention to beneficial ownership. Jurisdictions must have registers with adequate, accurate and current beneficial ownership information, and assessors will examine not only filing rates but data quality and verification mechanisms.
- New emphasis on proliferation financing. National and entity-level assessments of proliferation financing risk are required.
- Intensified focus on asset recovery. Authorities must not only have legal tools but must show they are effectively using them to trace, restrain and recover illicit proceeds.
- Results-oriented recommendations. When a report highlights deficiencies, key recommended actions will be clearly identified to show what must be done to remediate shortcomings.
What high performance looks like – lessons from recent reports
Recently published fifth-round reports illustrate the standards assessors now reward. Countries receive high ratings for IO1 (risk understanding) and for areas like asset recovery, where authorities demonstrated policy prioritization, use of provisional measures and statistics aligned with assessed risk. Where private sector actors interviewed by assessors could clearly explain national and sectoral risks and how they adjusted controls accordingly, the country’s effectiveness scores benefitted.
Greylisting – how jurisdictions land on the list and what it means
A jurisdiction enters FATF’s increased monitoring process (commonly called the grey list) if its mutual evaluation shows a pattern of poor effectiveness across multiple IOs. New prioritization rules mean countries on the World Bank high-income list or those meeting certain monetary thresholds may be fast-tracked into active review; least-developed countries will generally receive more consideration and longer observation periods unless they pose significant ML/TF/PF risk. Greylisting is not technically a “call to action” like the blacklist, but it signals the need for political commitment and remediation. FATF encourages members to apply a risk-based approach rather than wholesale derisking, yet greylisting can still lead to reputational, political and financial consequences, especially if correspondent banks or investors react.
Industry’s role before, during and after evaluations
Industry engagement is pivotal. Assessors expect regulated entities to:
- Understand and document how entity-level risk assessments derive from national and sector risk assessments.
- Demonstrate how CDD, transaction monitoring and SAR-filing respond to those risks, and provide examples showing effectiveness.
- Populate and verify beneficial ownership information, and show how issues of inaccurate or incomplete data are addressed.
- Participate in outreach, consultations, public-private partnerships and typology development. Documenting training attendance, supervisory engagement and contributions to policy consultations is important evidence.
- Prepare for on-site interviews with concrete examples and metrics – mock interviews help staff articulate processes and outcomes.
Practical areas industry should prioritize
Regulated entities should focus on several practical areas as the fifth round unfolds:
- Risk documentation. Maintain clear, dated records showing how national, sectoral and entity-level risks were considered and how controls were adapted.
- Beneficial ownership verification. Beyond filing, keep verification checks and discrepancy reporting documented to demonstrate data accuracy and remediation actions.
- SAR quality and follow-up. Measure not only quantity but the quality and outcomes of SARs – refusals, law enforcement referrals, restraints and recoveries are important indicators of system effectiveness.
- Asset recovery cooperation. Track and document any instances where firm-level reporting or cooperation supported investigations or asset recovery actions.
- Training and outreach records. Keep detailed logs of supervisory outreach, conferences attended and internal training to evidence engagement and competence.
- Distinguishing entity risk from sector findings. If a sector is rated high-risk, document why and how your entity differs and the specific mitigating controls you apply.
Common operational dilemmas and approaches
Several recurring questions crop up in practice. For example, when regulatory thresholds differ – such as a 25% beneficial ownership registry threshold versus a 10% customer due diligence threshold used by gatekeepers – both regimes can be compliant with FATF requirements. The challenge is operational clarity: ensure staff understand which thresholds apply for public registries versus entity-level KYC, and maintain outreach and guidance so industry isn’t confused. Another common challenge is how an entity operating within a sector deemed high-risk should treat every client – the solution is not blanket classification but documented, risk-based differentiation explaining why a particular client’s risk profile leads to a specific treatment.
Preparing for Cayman and other upcoming on-sites
Several jurisdictions have already published fifth-round reports, and many more are in the pipeline.
Jurisdictions delisted from increased monitoring will still face detailed scrutiny in the next round because assessors examine recent years’ data.
Entities in international financial centers should be ready to demonstrate how they proactively supported national remediation and how operational systems produced measurable results.
Conclusion – collaboration, evidence and continual improvement
The fifth-round mutual evaluations make it clear that demonstrating AML/CFT effectiveness is a shared responsibility between public authorities and private-sector gatekeepers. The new round demands concrete evidence of outcomes – not only that rules exist, but that they work. Regulators and industry must work together early and visibly: share risk assessments, participate in consultations, document outreach and training, and be ready to show how entity-level controls reduce and manage the specific risks identified. With preparation focused on documented effectiveness and clear, results-oriented remediation, jurisdictions and firms can better navigate evaluations and reduce the business risks associated with increased monitoring.