FATF ¦ R.1 Assessing Risks and Applying a Risk-Based Approach


Recommendation 1: Putting Risk at the Center of AML/CFT and Proliferation Financing Controls

Recommendation 1 of the FATF Standards sets the foundation for how countries, financial institutions, and DNFBPs should fight money laundering (ML), terrorist financing (TF) and proliferation financing (PF). It requires an ongoing understanding of risk and the application of proportionate, risk-based measures. The goal is simple: deploy resources where the risks are higher, streamline where the risks are lower, and ensure targeted financial sanctions are fully implemented at all times.

National Responsibilities: Risk Identification and Coordination

Countries must regularly identify, assess, and understand ML/TF risks across the economy. This is not a one-off national risk assessment; it’s an ongoing function that informs:

  • Changes to laws, regulations, and supervisory practices.
  • The allocation and prioritization of AML/CFT resources.
  • The guidance and information provided to financial institutions and DNFBPs.

Authorities should designate a coordinating body or mechanism to oversee this risk work and ensure the results are communicated to supervisors, self-regulatory bodies (SRBs), and the private sector. Where higher risks are identified, countries must ensure that enhanced measures are prescribed or that national findings are incorporated into institutional risk assessments. Where lower risks are objectively supported, countries should allow and encourage simplified measures, subject to the limits set in the FATF Standards.

Proliferation Financing: A Focused Risk Concept

Recommendation 1 also requires countries to assess PF risk. Here, “proliferation financing risk” is defined narrowly: it relates strictly to the potential breach, non-implementation, or evasion of targeted financial sanctions under Recommendation 7. Unlike many AML/CFT obligations, targeted financial sanctions are not risk-based — they must be fully implemented in all cases. Risk-based measures in the PF context aim to reinforce and complement those strict obligations by improving detection and prevention of sanctions breaches or evasion.

For PF, countries should:

  • Understand how evasion or non-implementation of sanctions could occur domestically.
  • Share typologies and insights across authorities and with the private sector.
  • Require proportionate controls where PF risks are higher, and ensure measures remain proportionate where PF risks are lower — while always maintaining full compliance with Recommendation 7.

Bastian Schwind-Wagner: "Recommendation 1 anchors AML/CFT and PF efforts in a risk-based approach, ensuring controls are proportionate to identified threats while maintaining full sanctions compliance. It enables countries and institutions to allocate resources efficiently, intensify measures where risks are higher, and responsibly simplify where risks are lower."

When Lower Risk Allows Simplification — and When It Doesn’t

The risk-based approach is not a free pass to relax controls indiscriminately. Simplified measures may be allowed and encouraged only where lower risks have been credibly identified, either by national assessment or by institutional analysis subject to supervisory expectations. Even then:

  • Simplified measures are never permitted where there is suspicion of ML/TF.
  • Record-keeping requirements must still be met.
  • Supervisors must ensure institutions apply simplification proportionately and with proper justification.

In limited, justified circumstances, and only where the risks are assessed as low, countries may decide not to apply certain Recommendations to specific types of institutions, activities, or DNFBPs. They may also exempt occasional or very limited financial activities (other than money or value transfer) subject to clear quantitative criteria and low risk. These carve-outs must remain narrow and evidence-based.

Institutional Duties: Building and Operating a Risk-Based Program

Financial institutions and DNFBPs must operate a risk-based framework with processes to identify, assess, monitor, manage, and mitigate ML/TF and PF risks.

Key expectations include:

  • Risk Assessment: Assess risks related to customers, countries/geographies, products, services, transactions, and delivery channels. Document assessments, keep them current, and be ready to share relevant information with competent authorities and SRBs. The depth and formality should be proportionate to the size and nature of the business; however, institutions must always understand their risks. In some sectors with clearly identified risks, supervisors may determine that individual documented assessments are not necessary.
  • Risk Management and Controls: Implement policies, controls, and procedures approved by senior management. Monitor effectiveness and apply measures that are proportionate to the level of risk identified, aligning with national requirements and supervisory guidance.
  • Higher Risk: Apply enhanced measures — stricter due diligence, intensified monitoring, and stronger controls — where higher risks are present.
  • Lower Risk: Where justified, apply simplified measures to manage and mitigate risk more efficiently.
  • Differentiation: Institutions should differentiate the extent of measures across risk factors. For example, a customer may warrant standard onboarding CDD but enhanced ongoing monitoring due to product or geography risk — or vice versa.

PF at the Institutional Level

Institutions and DNFBPs must assess PF risks and manage them within targeted financial sanctions/compliance programs:

  • Conduct PF risk assessments and document them.
  • Maintain and monitor controls designed to prevent breaches, non-implementation, or evasion of sanctions.
  • Enhance controls where PF risks are higher, and ensure measures remain proportionate where PF risks are lower — while still ensuring full implementation of sanctions under Recommendation 7 in all scenarios.

Supervision and Proportionate Oversight

Supervisors and SRBs are responsible for ensuring institutions implement Recommendation 1 effectively and proportionately. This includes reviewing institutional risk profiles, assessments, and mitigation measures, and adjusting supervisory actions based on what those reviews show. Where risk is lower, supervision should not impose unnecessary burdens; where risk is higher, supervisors should expect stronger controls and more intensive monitoring.

The Core Principle: Proportionate Measures

At the heart of Recommendation 1 is proportionality: measures must correspond to the level of risk and be effective in mitigating it. Proportionate does not mean minimal; it means fit-for-risk. High-risk scenarios demand enhanced controls. Low-risk scenarios allow streamlined measures — so long as suspicion is absent and record-keeping and sanctions obligations remain intact.

What Good Practice Looks Like

  • Countries: Maintain an up-to-date national ML/TF and PF risk assessment; designate a coordinating authority; publish or share findings and guidance; prescribe enhanced measures for higher risks; permit simplification for lower risks; ensure full sanctions implementation.
  • Institutions/DNFBPs: Embed risk assessment into governance; document and refresh risk analyses; tailor controls to risk; escalate measures for higher risks; simplify responsibly for lower risks; integrate PF controls with sanctions compliance; ensure senior management oversight and accountability.
  • Supervisors/SRBs: Apply proportionate supervision; review risk assessments and controls; provide guidance on simplified measures; enforce enhancements where warranted; promote consistent implementation of targeted sanctions.

Bottom Line

Recommendation 1 transforms AML/CFT and PF compliance from a rules-only mindset into a system grounded in risk. Done well, it ensures resources target the most significant threats, improves detection and prevention, and supports efficient business operations — while preserving the non-negotiable requirement to fully implement targeted financial sanctions.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Bastian Schwind-Wagner Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.