23 November 2025
FATF ¦ R.26 Regulation and Supervision of Financial Institutions
Recommendation 26: Strengthening Regulation and Supervision of Financial Institutions
Recommendation 26 requires countries to make sure financial institutions are properly regulated and supervised so they implement the FATF standards effectively. The core aim is to prevent criminals, their associates, or shell banks from controlling or hiding ownership of financial institutions, and to ensure that institutions which pose higher risks receive proportionate regulatory attention. In short, Recommendation 26 ties prudential regulation to anti–money laundering and counter‑terrorist financing (AML/CFT) outcomes and demands that supervisors use resources where they matter most.
Risk-based supervision: focus and flexibility
The interpretive note clarifies that supervision should follow a risk-based approach. That means supervisors must understand the domestic and international money laundering and terrorist financing threats and allocate their efforts accordingly. A risk-based approach has two linked meanings: first, a general allocation of supervisory resources informed by a country’s risk picture; second, targeted supervision of institutions that themselves apply risk-based AML/CFT controls. Supervisors should therefore shift attention and more intensive on-site work to institutions, business lines, customers or products that present higher risks.
Supervisors need access to comprehensive information on the specific risks associated with an institution’s customers, products, services and the quality of its compliance function. The frequency and intensity of on-site and off-site supervision should reflect each institution’s risk profile and the national risk environment. Importantly, risk assessments are not one-off. Supervisors must review an institution’s risk profile periodically and whenever significant events or changes in management, ownership, or operations occur. Supervisory activity must be dynamic and responsive as threats evolve and as institutions exercise discretion under a risk-based approach.
Applying prudential measures to AML/CFT
For institutions covered by the Basel Core Principles (BCP), Recommendation 26 requires that prudential regulatory and supervisory tools relevant to money laundering and terrorist financing be applied similarly for AML/CFT. This includes using consolidated group supervision so that risks and controls are assessed at the group level and cross-border vulnerabilities are captured. In other words, a strong prudential regime should be harnessed to detect and deter illicit finance, and supervisors should align their AML/CFT work with existing prudential oversight.
Licensing and supervision for other financial sectors
The standard also covers other financial sectors beyond banks and major deposit-takers. Non-core financial institutions must be licensed or registered, subject to regulation, and monitored for AML/CFT risks proportionate to the threat they pose. At minimum, providers of money or value transfer services (MVTS) and currency exchange services must be licensed or registered and placed under effective monitoring systems to ensure compliance with national AML/CFT rules. This prevents regulatory gaps that criminals could exploit by moving activities into less supervised corners of the financial system.
Preventing criminal control and shell banks
Recommendation 26 obliges competent authorities to take legal or regulatory measures to stop criminals, their associates, or hidden beneficial owners from holding significant or controlling interests or management roles in financial institutions. Countries must also refuse to authorize the establishment or continued operation of shell banks, and should not permit institutions that lack a physical presence and adequate supervision to operate. These measures protect the integrity of ownership and management structures and reduce the risk that financial institutions will be misused to launder proceeds or finance terrorism.
Resourcing and independence of supervisors
Effective supervision requires properly resourced authorities. The interpretive note emphasizes adequate financial, human and technical resources, professional standards, confidentiality safeguards, and staff integrity. Supervisory bodies must enjoy operational independence and autonomy to act without undue influence. Where supervisors lack capacity or independence, even clear rules will fail to produce meaningful AML/CFT protection.
Supervisory approach to institutions’ internal controls
Supervisors should scrutinize whether institutions’ AML/CFT policies, controls and procedures are adequate and properly implemented. Where institutions are allowed discretion under a risk-based approach, supervisors must assess the underlying risk assessments that justify that discretion and the effectiveness of internal controls that result. This supervisory oversight must consider institution characteristics such as size, diversity, complexity and the number of entities in a group.
Practical implications for policymakers and supervisors
Policymakers must ensure legal frameworks empower supervisors to license institutions and refuse unsuitable applicants, require disclosure of beneficial ownership, remove unfit directors, and close or deny authorization to shell banks. Supervisors should adopt methodologies for profiling institutions by risk and for conducting proportionate on-site and off-site work. They should also coordinate with other domestic and foreign authorities to capture cross-border risks and apply consolidated supervision where relevant.
For industry, Recommendation 26 reinforces that compliance cannot be siloed from prudential governance. Boards and senior management must maintain robust AML/CFT frameworks, invest in controls and risk assessments, and be transparent about beneficial ownership and governance arrangements. Firms should expect targeted supervisory scrutiny based on their risk profiles and changes in their operations or ownership.
Conclusion
Recommendation 26 links strong regulation and supervision with effective AML/CFT outcomes. It demands a risk-sensitive supervisory model, adequate resourcing and independence for supervisors, and concrete measures to prevent criminals and shell banks from gaining control of financial institutions. Properly implemented, these measures reduce opportunities for misuse of the financial system and strengthen trust in financial markets.
FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings
Anti-money laundering and counter-terrorist financing measures
Luxembourg Mutual Evaluation Report, September 2023
This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.
Table 1. Effectiveness Ratings
Note: Effectiveness ratings can be either a High (HE), Substantial (SE), Moderate (ME) or Low (LE) level of effectiveness.
| Immediate Outcome | Description | Rating |
| --- | --- | --- |
| IO1 Risk, policy and coordination | Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism. | Substantial |
| IO2 International cooperation | International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property. | Substantial |
| IO3 Supervision | Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks. | Moderate |
| IO4 Preventive measures | Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions. | Moderate |
| IO5 Legal persons and arrangements | Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments. | Substantial |
| IO6 Financial intelligence | Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations. | Substantial |
| IO7 ML investigation & prosecution | Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions. | Moderate |
| IO8 Confiscation | Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value. | Moderate |
| IO9 TF investigation & prosecution | Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions. | Substantial |
| IO10 TF preventive measures & financial sanctions | Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds. | Moderate |
| IO11 PF financial sanctions | Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs. | Moderate |
Table 2. Technical Compliance Ratings
Note: Technical compliance ratings can be either C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.
| Recommendation | Rating |
| --- | --- |
| R.1 Assessing Risks and applying a Risk-Based Approach | C – compliant |
| R.2 National Co-operation and Co-ordination | C – compliant |
| R.3 Money laundering offence | C – compliant |
| R.4 Confiscation and provisional measures | LC – largely compliant |
| R.5 Terrorist financing offence | C – compliant |
| R.6 Targeted financial sanctions related to terrorism and terrorist financing | LC – largely compliant |
| R.7 Targeted financial sanctions related to proliferation | LC – largely compliant |
| R.8 Non-profit organisations | PC – partially compliant |
| R.9 Financial institution secrecy laws | C – compliant |
| R.10 Customer due diligence | C – compliant |
| R.11 Record-keeping | C – compliant |
| R.12 Politically exposed persons | C – compliant |
| R.13 Correspondent banking | C – compliant |
| R.14 Money or value transfer services (MVTS) | C – compliant |
| R.15 New technologies | LC – largely compliant |
| R.16 Payment transparency | C – compliant |
| R.17 Reliance on third parties | C – compliant |
| R.19 Higher-risk countries | C – compliant |
| R.20 Reporting of suspicious transactions | C – compliant |
| R.21 Tipping-off and confidentiality | C – compliant |
| R.22 DNFBPs: Customer due diligence | C – compliant |
| R.23 DNFBPs: Other measures | C – compliant |
| R.24 Transparency and beneficial ownership of legal persons | LC – largely compliant |
| R.27 Powers of supervisors | C – compliant |
| R.28 Regulation and supervision of DNFBPs | C – compliant |
| R.29 Financial intelligence units | C – compliant |
| R.30 Responsibilities of law enforcement and investigative authorities | LC – largely compliant |
| R.32 Cash Couriers | LC – largely compliant |
| R.33 Statistics | LC – largely compliant |
| R.34 Guidance and feedback | C – compliant |
| R.35 Sanctions | LC – largely compliant |
| R.36 International instruments | LC – largely compliant |
| R.37 Mutual legal assistance | C – compliant |
| R.38 Mutual legal assistance: freezing and confiscation | C – compliant |
| R.39 Extradition | C – compliant |
| R.40 Other forms of international co-operation | LC – largely compliant |