FATF ¦ R.17 Reliance on Third Parties

Recommendation 17: How Far Can You Rely On Third Parties For CDD?

Recommendation 17 sits at the heart of practical anti-money laundering and counter-terrorist financing operations. It recognizes a simple reality: financial institutions and DNFBPs (Designated Non-Financial Businesses and Professions) often need to rely on others to carry out customer due diligence (CDD). At the same time, it draws a clear line: reliance is allowed, delegation is possible, but accountability never moves. The institution that relies on a third party stays fully responsible for CDD. The Recommendation allows countries to let financial institutions rely on third parties to perform key elements of CDD, specifically elements (a), (b) and (c) of Recommendation 10, or to introduce business. However, this is not a free pass. Reliance is subject to strict conditions aimed at maintaining CDD quality, data access, and effective oversight.

What “Reliance On Third Parties” Actually Means

A third-party reliance arrangement is not the same as outsourcing or using an agent. In a reliance scenario, the third party:

  • Is itself subject to CDD and record-keeping requirements that are consistent with Recommendations 10 and 11.
  • Is regulated, supervised, or otherwise monitored by competent authorities.
  • Normally has its own, independent business relationship with the customer.

The key feature is independence: the third party applies its own CDD procedures in line with its own regulatory obligations. The relying institution then uses that CDD work to meet its own requirements, but it does not control in detail how the third party conducts that CDD.

By contrast, in outsourcing or agency:

  • The outsourced service provider or agent performs CDD on behalf of the delegating financial institution.
  • The delegating institution’s policies and procedures apply.
  • The delegating institution retains direct control over how CDD is implemented by the outsourced entity.

Recommendation 17 is explicitly not about outsourcing or agency. It is about whether, and under what conditions, one regulated institution can place reliance on another’s CDD.

The Core Conditions For Reliance

Recommendation 17 sets out four basic criteria that must be met when a financial institution relies on a third party. These conditions are designed to ensure that customer identification and verification standards do not weaken when multiple entities are involved.

First, immediate access to CDD information

The relying institution must immediately obtain the key CDD information from the third party relating to elements (a)–(c) of Recommendation 10. In practice, this means that, before or at the start of the business relationship, the relying institution must have:

  • The customer’s identifying information.
  • Information on the beneficial owner(s), where applicable.
  • Information about the purpose and intended nature of the business relationship.

The word “immediately” matters. It is not enough to know that somewhere in a different system a third party has done CDD. The institution that relies on that CDD must have the core information at hand without delay, so it can understand who its customer is, assess risk, and onboard (or refuse to onboard) in an informed way.

Second, timely access to underlying documents

Beyond the basic CDD data, the relying institution must take adequate steps to satisfy itself that copies of identification data and other relevant documentation can be obtained from the third party without delay when requested.

This goes to evidential support. If a competent authority, internal audit, or compliance function needs to see:

  • Copies of passports or ID cards.
  • Proof of address.
  • Corporate documents such as certificates of incorporation, registers of shareholders, or beneficial ownership documentation.

then the relying institution must be able to get these quickly. A mere promise that documents “can be provided if necessary” is not enough. The relying institution needs to be confident, on the basis of a concrete arrangement or tested process, that documents will in fact be made available promptly.

Third, assurance on regulation and AML/CFT controls

The relying institution must satisfy itself that the third party:

  • Is regulated, supervised, or monitored.
  • Has measures in place to comply with CDD and record-keeping requirements that are in line with Recommendations 10 and 11.

This requirement is about the quality of the third party’s AML/CFT framework. Reliance is acceptable only if the third party is subject to comparable obligations and effective oversight. In practice, this often involves:

  • Checking that the third party is licensed or registered by an appropriate authority.
  • Reviewing its AML/CFT policies and procedures.
  • Understanding the supervisory regime that applies to the third party.
  • Assessing whether its record-keeping standards meet the required retention periods and content.

This is not a one-off box-ticking exercise. The relying institution should periodically reassess the suitability of the third party as regulations, business models, or risk profiles change.

Fourth, considering country risk

When deciding in which countries qualifying third parties can be based, countries should consider available information on the level of country risk. This adds a jurisdictional layer to the assessment:

  • Even if a particular institution abroad is well-regarded, the country’s legal framework, enforcement effectiveness, and overall ML/TF risk environment must be taken into account.
  • Authorities should look at risk indicators such as sanctions exposure, known deficiencies in AML/CFT frameworks, and mutual evaluation findings.

Recommendation 17 recognizes that cross-border reliance is possible, but it should not undermine the overall robustness of the AML/CFT system. High-risk country environments require more caution, stronger safeguards, or, in some cases, a decision not to allow reliance at all.

Ultimate Responsibility: You Can Share Work, Not Liability

One of the most important messages of Recommendation 17 is that reliance does not transfer responsibility. Even where reliance is allowed and all conditions are formally met, the institution that relies on the third party remains ultimately responsible for performing CDD measures.

In practice, this means:

  • If CDD is incomplete, outdated, or deficient, the relying institution is accountable to its competent authority, not just the third party.
  • Regulatory sanctions, supervisory findings, or enforcement actions will be directed at the relying institution if it has failed to properly oversee and validate the reliance arrangement.
  • Internal risk management and monitoring cannot be outsourced. The financial institution must integrate relied-on CDD into its own risk-based approach, customer risk rating, and ongoing monitoring processes.

For compliance teams, this often translates into a cautious, documented approach. Reliance is used where it reduces duplication and cost, but it is supported by robust controls, contract clauses, and periodic review of the third party’s performance.

Special Case: Reliance Within The Same Financial Group

Recommendation 17 recognizes that reliance on group entities is different from reliance on unrelated third parties. When the third party is part of the same financial group, and:

  • The group applies CDD and record-keeping requirements consistent with Recommendations 10, 11, and 12;
  • The group has programmes against money laundering and terrorist financing in line with Recommendation 18;
  • Effective implementation of those requirements and programmes is supervised at group level by a competent authority;

then competent authorities may treat some of the reliance requirements differently.

In particular:

  • Authorities may consider that the relying institution already meets the requirement to ensure access to documentation and to verify that the third party has suitable CDD and record-keeping measures, through the group’s own policies and controls.
  • Authorities may decide that the country risk condition is not a strict precondition to reliance, provided that higher country risk is adequately mitigated by the group’s AML/CFT policies and controls.

This reflects the idea of group-wide AML/CFT frameworks, where consistent standards, central oversight, and information sharing provide a strong basis for intra-group reliance. However, this flexibility is not automatic. It depends on the existence of:

  • Real, effective group-level supervision by competent authorities.
  • Demonstrable, consistent implementation of policies across branches and subsidiaries.
  • Strong group-wide controls that actually mitigate higher country risk rather than just refer to it in policy documents.
Bastian Schwind-Wagner

"Reliance on third parties under Recommendation 17 can be a valuable tool to streamline CDD while maintaining strong financial crime controls. However, it demands careful selection of third parties, strong documentation, and continuous oversight. Institutions remain fully accountable for compliance, even when they leverage others’ CDD work.

For compliance teams, the safest approach is to treat reliance as a controlled exception, not a default shortcut. Clear internal policies, tested information-sharing channels, and regular reviews of third-party performance are essential. Used properly, reliance arrangements can support efficient and effective AML/CFT frameworks without weakening defenses."

Interpretive Note: Clarifying Scope And Roles

The interpretive note to Recommendation 17 provides important clarifications that are often misunderstood in practice.

First, clear distinction from outsourcing and agency

The note emphasizes again that Recommendation 17 does not apply to outsourcing or agency. In outsourcing or agency:

  • The outsourced entity or agent carries out CDD on behalf of the delegating institution.
  • The delegating institution’s own procedures apply.
  • The delegating institution exercises control over how effectively those procedures are implemented.

In a third-party reliance scenario:

  • The third party applies its own procedures.
  • It is responsible for its own compliance with CDD and record-keeping obligations.
  • It typically has an independent, pre-existing relationship with the customer.

This distinction matters for how contractual arrangements are drafted, how responsibilities are documented, and which regulatory expectations apply. Mixing these two models can lead to gaps in controls and confusion in audits or inspections.

Second, who are “relevant competent authorities”?

For the purposes of Recommendation 17, relevant competent authorities are defined as:

  • The home authority, which must be involved in understanding group-wide policies and controls.
  • The host authorities, which are responsible for supervising branches and subsidiaries.

This emphasizes that reliance, especially within groups, is not just a bilateral matter between two institutions. It sits within a broader supervisory framework where home and host regulators both have a role in ensuring the consistency and effectiveness of AML/CFT controls across jurisdictions.

Third, what counts as “third parties”?

The term third parties is defined as financial institutions or DNFBPs that:

  • Are supervised or monitored; and
  • Meet the requirements under Recommendation 17.

This excludes unregulated entities or those without appropriate oversight from being used as reliance partners. It also reinforces the idea that Recommendation 17 is primarily a mechanism for reliance between regulated actors within the financial system and covered non-financial sectors.

Practical Implications For Compliance And Risk Teams

For financial crime professionals, Recommendation 17 provides an opportunity to reduce duplication and friction in CDD, but only within a well-structured control environment.

In practice, institutions that use third-party reliance should:

  • Maintain a vetted list of eligible third parties that meet regulatory, supervision, and control criteria.
  • Document reliance arrangements carefully, including how CDD information and documents are shared and how quickly they can be retrieved.
  • Conduct periodic reviews of third-party performance, including testing the timeliness and completeness of CDD data and document provision.
  • Integrate relied-on CDD into the institution’s risk-based approach, ensuring that reliance does not weaken overall risk assessment and monitoring.
  • Ensure internal training clearly distinguishes between reliance, outsourcing, and agency, so staff understand what rules and expectations apply in each case.

Conclusion: Reliance With Accountability

Recommendation 17 does not encourage blind trust in others’ CDD. Instead, it offers a controlled framework where reliance can improve efficiency without undermining AML/CFT standards. Financial institutions may lean on third parties for parts of the work, especially where those third parties are well-regulated and subject to strong oversight. But they cannot outsource accountability.

For regulators, supervisors, and practitioners, the core message is straightforward: reliance is a tool, not a shield. Used properly, it supports effective financial crime control across complex networks of institutions and jurisdictions. Used carelessly, it exposes institutions to regulatory risk and weakens the overall defenses against money laundering and terrorist financing. Recommendation 17 is designed to keep that balance firmly on the side of robust, accountable CDD.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings can be either a High – HE, Substantial – SE, Moderate – ME, or Low – LE level of effectiveness.

IO1 Risk, policy and coordination

Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.

Substantial

IO2 International cooperation

International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.

Substantial

IO3 Supervision

Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.

Moderate

IO4 Preventive measures

Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.

Moderate

IO5 Legal persons and arrangements

Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.

Substantial

IO6 Financial intelligence

Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.

Substantial

IO7 ML investigation & prosecution

Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Moderate

IO8 Confiscation

Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.

Moderate

IO9 TF investigation & prosecution

Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Substantial

IO10 TF preventive measures & financial sanctions

Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.

Moderate

IO11 PF financial sanctions

Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Moderate

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings can be either a C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.

  • R.8 Non-profit organisations: PC – partially compliant
  • R.10 Customer due diligence: C – compliant
  • R.11 Record-keeping: C – compliant
  • R.13 Correspondent banking: C – compliant
  • R.15 New technologies: LC – largely compliant
  • R.16 Payment transparency: C – compliant
  • R.19 Higher-risk countries: C – compliant
  • R.23 DNFBPs: Other measures: C – compliant
  • R.27 Powers of supervisors: C – compliant
  • R.32 Cash Couriers: LC – largely compliant
  • R.33 Statistics: LC – largely compliant
  • R.34 Guidance and feedback: C – compliant
  • R.35 Sanctions: LC – largely compliant
  • R.36 International instruments: LC – largely compliant
  • R.37 Mutual legal assistance: C – compliant
  • R.38 Mutual legal assistance: freezing and confiscation: C – compliant
  • R.39 Extradition: C – compliant
  • R.40 Other forms of international co-operation: LC – largely compliant


Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.