14 November 2025
FATF ¦ R.9 Financial Institution Secrecy Laws
Recommendation 9: Ensuring Secrecy Laws Don’t Shield Financial Crime
Recommendation 9 of the FATF focuses on a simple but crucial requirement: financial institution secrecy laws must never hinder the implementation of FATF’s standards. In practice, this means countries must structure their legal and regulatory frameworks so that confidentiality obligations — whether arising from banking secrecy, customer privacy, professional privilege, or data protection — do not block the effective application of anti-money laundering and counter-terrorist financing (AML/CFT) measures.
What Recommendation 9 does not mean
It does not call for abolishing banking secrecy or dismantling privacy protections. Instead, it requires targeted exceptions and legal clarity so that relevant information can be accessed and shared when necessary for AML/CFT purposes. Legitimate confidentiality and data protection continue to apply, but they cannot be used as a shield against lawful requests, supervisory oversight, or investigative needs tied to FATF-compliant measures.
Key implications for countries
Legal alignment and carve-outs
Countries must ensure that any laws imposing secrecy on financial institutions contain explicit carve-outs that allow disclosure and access in the context of AML/CFT obligations. This includes enabling:
- Compliance with customer due diligence and record-keeping requirements;
- Timely reporting of suspicious transactions to the financial intelligence unit (FIU);
- Information sharing with competent authorities domestically and, where appropriate, internationally; and
- Supervisory examinations and enforcement actions by regulators.
Supervisory access and enforcement
Regulators must be able to obtain all relevant information from financial institutions to assess compliance with FATF standards. Secrecy provisions cannot restrict on-site examinations, off-site reviews, or requests for records. When secrecy laws impede supervisory access, they undermine both compliance assurance and the credibility of the jurisdiction’s AML/CFT regime.
FIU effectiveness and suspicious transaction reporting
Secrecy laws must not deter or delay suspicious transaction reporting (STRs) or the provision of supporting documentation. FIUs require timely, complete data to analyze and disseminate financial intelligence. Any statutory or contractual confidentiality that conflicts with reporting obligations needs to be overridden by law in AML/CFT contexts.
Cross-border cooperation
Recommendation 9 also affects international cooperation. Countries should enable financial institutions and authorities to share information, when legally requested and subject to safeguards, with foreign counterparts. Blocking lawful cross-border data exchange on the basis of secrecy claims undermines global efforts to detect and disrupt money laundering, terrorism financing, and proliferation financing.
Balancing privacy, data protection, and AML/CFT
Modern AML/CFT regimes must coexist with strong data protection and privacy frameworks. The balance is achieved by:
- Clear legal bases for AML/CFT processing and disclosures;
- Proportionality in the scope of information collected and shared;
- Strict access controls, audit trails, and retention limits;
- Judicial or administrative oversight where appropriate; and
- Transparency to the extent possible about AML/CFT obligations and exceptions.
The objective is not unrestrained information flow, but well-governed, lawful sharing that supports AML/CFT outcomes without compromising fundamental rights.
Common pitfalls and how to avoid them
Overbroad secrecy clauses
Poorly drafted statutes that prioritize secrecy without acknowledging AML/CFT exceptions can paralyze compliance. Legislators should review and amend such provisions to include explicit AML/CFT carve-outs and harmonize cross-references across banking, securities, insurance, and data protection laws.
Ambiguity and legal uncertainty
Financial institutions often hesitate to share information due to unclear legal standards or fears of liability. Guidance, regulatory rulemaking, and safe-harbor protections for good-faith disclosures made under AML/CFT obligations help to reduce uncertainty and foster cooperation.
Fragmented frameworks
Inconsistent sectoral rules (e.g., different secrecy interpretations for banks, insurers, and asset managers) weaken overall effectiveness. A unified approach, anchored in Recommendation 9, ensures consistent expectations and compliance across the financial sector.
Operational barriers
Even with legal permission, practical obstacles — like complex approval chains or manual processes — can slow information sharing. Institutions should design streamlined procedures with predefined triggers for AML/CFT disclosures, backed by training, governance, and technology that respects privacy while enabling speed and accuracy.
Why Recommendation 9 matters
Financial secrecy has legitimate purposes, but it cannot be a refuge for illicit finance. Recommendation 9 ensures that AML/CFT measures — customer due diligence, beneficial ownership transparency, STRs, supervision, and international cooperation — function effectively. By preventing secrecy laws from obstructing these measures, countries strengthen their defenses against money laundering and terrorism financing, protect the integrity of their financial systems, and uphold trust in cross-border financial activity.
Conclusion: Practical compliance anchored in legal clarity
For policymakers and compliance leaders, the practical takeaway is straightforward: review secrecy and confidentiality provisions, identify conflicts with FATF obligations, and implement explicit, legally robust exceptions for AML/CFT. Equip supervisors and FIUs with clear access rights. Provide institutions with guidance and safe harbors. Ensure privacy and data protection remain strong, but do not allow them to impede lawful, necessary information sharing. That legal clarity — and the operational discipline that follows — is the essence of Recommendation 9.
FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings
Anti-money laundering and counter-terrorist financing measures
Luxembourg Mutual Evaluation Report, September 2023
This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.
Table 1. Effectiveness Ratings
Note: Effectiveness ratings can be either a High (HE), Substantial (SE), Moderate (ME) or Low (LE) level of effectiveness.
| Immediate Outcome | Description | Rating |
| --- | --- | --- |
| IO1 Risk, policy and coordination | Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism. | Substantial |
| IO2 International cooperation | International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property. | Substantial |
| IO3 Supervision | Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks. | Moderate |
| IO4 Preventive measures | Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions. | Moderate |
| IO5 Legal persons and arrangements | Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments. | Substantial |
| IO6 Financial intelligence | Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations. | Substantial |
| IO7 ML investigation & prosecution | Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions. | Moderate |
| IO8 Confiscation | Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value. | Moderate |
| IO9 TF investigation & prosecution | Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions. | Substantial |
| IO10 TF preventive measures & financial sanctions | Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds. | Moderate |
| IO11 PF financial sanctions | Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs. | Moderate |
Table 2. Technical Compliance Ratings
Note: Technical compliance ratings can be either C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.
| Recommendation | Rating |
| --- | --- |
| R.1 Assessing Risks and applying a Risk-Based Approach | C – compliant |
| R.2 National Co-operation and Co-ordination | C – compliant |
| R.3 Money laundering offence | C – compliant |
| R.4 Confiscation and provisional measures | LC – largely compliant |
| R.5 Terrorist financing offence | C – compliant |
| R.6 Targeted financial sanctions related to terrorism and terrorist financing | LC – largely compliant |
| R.7 Targeted financial sanctions related to proliferation | LC – largely compliant |
| R.8 Non-profit organisations | PC – partially compliant |
| R.9 Financial institution secrecy laws | C – compliant |
| R.10 Customer due diligence | C – compliant |
| R.11 Record-keeping | C – compliant |
| R.12 Politically exposed persons | C – compliant |
| R.13 Correspondent banking | C – compliant |
| R.14 Money or value transfer services (MVTS) | C – compliant |
| R.15 New technologies | LC – largely compliant |
| R.16 Payment transparency | C – compliant |
| R.17 Reliance on third parties | C – compliant |
| R.19 Higher-risk countries | C – compliant |
| R.20 Reporting of suspicious transactions | C – compliant |
| R.21 Tipping-off and confidentiality | C – compliant |
| R.22 DNFBPs: Customer due diligence | C – compliant |
| R.23 DNFBPs: Other measures | C – compliant |
| R.24 Transparency and beneficial ownership of legal persons | LC – largely compliant |
| R.27 Powers of supervisors | C – compliant |
| R.28 Regulation and supervision of DNFBPs | C – compliant |
| R.29 Financial intelligence units | C – compliant |
| R.30 Responsibilities of law enforcement and investigative authorities | LC – largely compliant |
| R.32 Cash Couriers | LC – largely compliant |
| R.33 Statistics | LC – largely compliant |
| R.34 Guidance and feedback | C – compliant |
| R.35 Sanctions | LC – largely compliant |
| R.36 International instruments | LC – largely compliant |
| R.37 Mutual legal assistance | C – compliant |
| R.38 Mutual legal assistance: freezing and confiscation | C – compliant |
| R.39 Extradition | C – compliant |
| R.40 Other forms of international co-operation | LC – largely compliant |