FATF ¦ R.18 Internal Controls and Foreign Branches and Subsidiaries


Recommendation 18: Internal Controls, Group Programmes and Foreign Branches – What Financial Institutions Need To Do

Recommendation 18 of the FATF Standards sits at the heart of any serious anti-money laundering and counter-terrorist financing (AML/CFT) framework. While other recommendations focus on customer due diligence or reporting suspicious transactions, Recommendation 18 is about the machinery behind the scenes: the internal controls, the group-wide programmes, and the way foreign branches and subsidiaries are supervised and aligned. For compliance teams, this is where policy meets practice. This article explains what Recommendation 18 requires, what it means in practical terms for financial institutions and groups, and how cross-border operations should be managed when home and host country rules differ.

What Recommendation 18 Requires in a Nutshell

Recommendation 18 has two core expectations:

  1. Every financial institution must put in place an AML/CFT programme based on internal controls.
  2. Every financial group must operate a group-wide AML/CFT programme that extends to all branches and majority-owned subsidiaries, including in foreign jurisdictions, and must ensure that these entities follow AML/CFT measures consistent with home country requirements, as far as local law allows.

These requirements are not optional “good practice”. They are core elements of regulatory expectations worldwide and typically form part of what supervisors inspect during AML/CFT reviews.

Internal Controls: Building the Core AML/CFT Programme

The interpretive note to Recommendation 18 clarifies that an AML/CFT programme is not just a policy document. It must have three pillars:

1. Internal policies, procedures, and controls

This includes:

  • Written AML/CFT policies that reflect the FATF Standards and relevant local laws.
  • Detailed procedures for customer due diligence, ongoing monitoring, sanctions screening, record-keeping, suspicious transaction detection and reporting, and escalation.
  • Clear compliance management arrangements to oversee the effective implementation of those policies.
  • Adequate screening procedures for new employees, especially those in sensitive positions (front office, operations, compliance, internal audit, IT security). This is to ensure high standards of integrity and reduce the risk of hiring individuals who may facilitate or ignore financial crime.

The policies and procedures must be more than a “copy-paste” of the law or group standard. They should be tailored to the institution’s products, services, delivery channels, customer base, and geographical footprint.

2. Ongoing employee training

Recommendation 18 highlights training as a core component. A one-off induction session is not enough. The training programme should:

  • Be ongoing and repeat at reasonable intervals.
  • Be tailored to roles: front-line staff need practical red flags and escalation procedures; back-office staff need training on transaction monitoring and sanctions; senior management needs awareness of risk, governance, and liability.
  • Cover money laundering and terrorist financing methods, typologies relevant to the institution’s business, internal procedures, and how to recognise and report suspicious activities.
  • Be documented and tracked, so that the institution can show supervisors that the right people are trained at the right time on the right topics.

3. Independent audit function

The institution’s AML/CFT programme must be tested by an independent audit function. “Independent” here means:

  • Auditors cannot be the same people who design or run the AML/CFT controls they review.
  • They should have direct access to senior management or the board to escalate findings.
  • They must have sufficient expertise to assess whether AML/CFT controls are designed appropriately and working in practice.

The audit function should test:

  • The design and implementation of policies and procedures.
  • The effectiveness of monitoring systems and alert handling.
  • The quality of CDD files and ongoing monitoring.
  • The handling of suspicious activity and reporting to authorities.
  • The adequacy of training and screening programmes.

Bastian Schwind-Wagner

"Recommendation 18 turns AML/CFT from a set of isolated controls into an integrated system spanning policies, people, technology and governance across all entities of a financial group. It demands not only formal compliance but real operational alignment, especially where foreign branches and subsidiaries are concerned.

For financial crime professionals, this recommendation is both a roadmap and a benchmark. Institutions that design risk-based, group-wide programmes and enable secure intra-group information sharing are far better placed to detect and manage money laundering and terrorist financing risks effectively."

Risk-Based and Proportionate: Tailoring Measures to the Business

Recommendation 18 is explicit that the type and extent of internal controls should be appropriate to:

  • The risk of money laundering and terrorist financing.
  • The size of the business.

This introduces flexibility but also responsibility. Smaller institutions or those with low inherent risk may not need complex, automated solutions, but they still must have controls that are effective. Conversely, larger or higher-risk institutions (for example, those with international private banking, trade finance, or money remittance services) will be expected to have more sophisticated systems, deeper analytics, and more robust governance.

Simply claiming to be “small” is not a defence if the actual risk profile is high. The risk assessment of the institution, and the rationale for the chosen level of controls, should be documented.

Compliance Management and the Role of the Compliance Officer

The interpretive note states clearly that compliance management arrangements must include the appointment of a compliance officer at management level. In practice, this means:

  • A named individual with sufficient seniority, authority, and resources to oversee AML/CFT.
  • Direct access to senior management and, ideally, the board or a board committee.
  • Responsibility for ensuring the implementation of policies, the coordination of training, the oversight of suspicious activity reporting, and the interaction with supervisors.

In a group context, this role often exists both at group level and at entity level (e.g., Group Head of AML/CFT and local Compliance Officers in each subsidiary). Coordination among these roles is essential for a consistent approach.

Group-Wide Programmes: Extending Control Across the Group

For financial groups, Recommendation 18 raises the bar. Group-wide AML/CFT programmes must:

  • Apply to all branches and majority-owned subsidiaries, regardless of location.
  • Include the same core elements: internal policies and procedures, training, and independent audit.
  • Be appropriate to the business of each branch or subsidiary, meaning they should reflect local products, statutory requirements, and risk profiles.

The programme must be implemented effectively by each branch and subsidiary. Supervisors increasingly expect evidence of:

  • Local adoption of group standards.
  • Local risk assessments aligned with group methodologies.
  • Local controls that meet or exceed group and home-country standards.

Information Sharing Within the Group: A Key Component

A major focus of Recommendation 18 is information sharing within a group for AML/CFT purposes. Group-level compliance, audit, and/or AML/CFT functions should have access to customer, account, and transaction information from branches and subsidiaries when necessary for AML/CFT purposes.

This includes:

  • Customer due diligence information.
  • Transaction data and monitoring results.
  • Analyses of unusual transactions or activities.
  • Suspicious transaction reports (STRs), their underlying information, or at least the fact that an STR has been filed.

Similarly, branches and subsidiaries must receive relevant information from group-level functions that can help them manage their risks, for example:

  • Group-wide typologies or red flags.
  • Information about customers or counterparties already identified as high-risk elsewhere in the group.
  • Feedback on monitoring, investigations, and group-wide thematic reviews.

Confidentiality and data protection are critical. Recommendation 18 stresses that there must be adequate safeguards to protect the confidentiality and use of information exchanged, and to prevent tipping-off. Countries can determine the scope and extent of intra-group information sharing, taking into account the sensitivity of the data and its relevance to AML/CFT risk management. Institutions should ensure that group-wide information sharing is compliant with data protection and bank secrecy laws, but still achieves AML/CFT objectives.

Foreign Branches and Subsidiaries: Dealing with Conflicting Requirements

One of the most challenging parts of Recommendation 18 concerns foreign branches and majority-owned subsidiaries. The standard requires that:

  • If the host country’s AML/CFT rules are less strict than the home country’s, the financial institution must ensure that its foreign branches and majority-owned subsidiaries apply the home country’s requirements, to the extent permitted by host country law.

This has several practical implications:

  • Group standards should generally meet or exceed the highest applicable AML/CFT expectations in the key jurisdictions where the group operates.
  • Local entities must not lower their controls to match weaker host rules if the home rules require more.

When host law does not allow full implementation

Sometimes, local laws (for example, related to data protection, bank secrecy, or restrictions on cross-border data transfer) may prevent a branch or subsidiary from fully applying home-country or group AML/CFT standards, especially around information sharing. In these cases:

  • The financial group must apply additional measures to manage the money laundering and terrorist financing risks. These could include enhanced monitoring, stricter onboarding thresholds, more frequent reviews, or restrictions on certain products or customer types.
  • The group must inform the home supervisor about the limitation and the extra measures taken.

If those additional measures are still not sufficient to manage the risk properly, Recommendation 18 goes further: competent authorities in the home country should consider additional supervisory actions. These may include:

  • Imposing additional controls on the group’s operations linked to that host country.
  • In extreme cases, requesting the financial group to close its operations in that host country.

This is a strong signal that AML/CFT obligations are not optional and that financial crime risk cannot simply be exported to jurisdictions with weaker controls.

Why Recommendation 18 Matters for Financial Crime Compliance

Recommendation 18 brings together several themes that regularly appear in enforcement actions:

  • Weak internal controls or unclear responsibilities.
  • Poor training, leading to missed red flags.
  • Lack of independent testing of the AML/CFT framework.
  • Inconsistent standards between head office and foreign branches or subsidiaries.
  • Failure to share information across the group, resulting in fragmented customer views and undetected linked activities.

Regulators and international bodies now expect institutions to show that their AML/CFT programmes are cohesive, risk-based, and consistent across the group. A branch in a higher-risk jurisdiction cannot become a “weak link” where criminals exploit lower standards or poor oversight.

Key Takeaways for Institutions and Compliance Teams

For compliance, risk and senior management, the following points are central to meeting Recommendation 18:

  • Ensure your AML/CFT programme has the three core elements: policies and controls, ongoing training, and independent audit.
  • Make sure you have a designated, suitably senior compliance officer, with clear responsibility and sufficient authority.
  • Design your controls based on actual AML/CFT risks and the size of your business, and document your risk assessment and rationale.
  • If you are part of a group, confirm that group-wide standards apply to all branches and majority-owned subsidiaries, and verify their effective implementation.
  • Establish robust intra-group information sharing for AML/CFT purposes, with appropriate safeguards to protect confidentiality and comply with data protection rules.
  • Assess foreign operations for gaps between home and host requirements, implement home standards where possible, apply additional risk mitigation where not, and maintain transparent communication with home supervisors.

Recommendation 18 is about building a coherent, group-wide defence against money laundering and terrorist financing, ensuring that every branch and entity, wherever it operates, contributes to the same overall objective: protecting the financial system from abuse.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings can be either a High (HE), Substantial (SE), Moderate (ME), or Low (LE) level of effectiveness.

IO1 Risk, policy and coordination

Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.

Substantial

IO2 International cooperation

International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.

Substantial

IO3 Supervision

Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.

Moderate

IO4 Preventive measures

Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.

Moderate

IO5 Legal persons and arrangements

Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.

Substantial

IO6 Financial intelligence

Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.

Substantial

IO7 ML investigation & prosecution

Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Moderate

IO8 Confiscation

Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.

Moderate

IO9 TF investigation & prosecution

Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Substantial

IO10 TF preventive measures & financial sanctions

Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.

Moderate

IO11 PF financial sanctions

Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Moderate

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings can be either C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.

R.8 Non-profit organisations

PC – partially compliant

R.10 Customer due diligence

C – compliant

R.11 Record-keeping

C – compliant

R.13 Correspondent banking

C – compliant

R.15 New technologies

LC – largely compliant

R.16 Payment transparency

C – compliant

R.19 Higher-risk countries

C – compliant

R.23 DNFBPs: Other measures

C – compliant

R.27 Powers of supervisors

C – compliant

R.32 Cash Couriers

LC – largely compliant

R.33 Statistics

LC – largely compliant

R.34 Guidance and feedback

C – compliant

R.35 Sanctions

LC – largely compliant

R.36 International instruments

LC – largely compliant

R.37 Mutual legal assistance

C – compliant

R.38 Mutual legal assistance: freezing and confiscation

C – compliant

R.39 Extradition

C – compliant

R.40 Other forms of international co-operation

LC – largely compliant


The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • FATF ¦ The FATF Recommendations
  • FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing
Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.