24 November 2025
FATF ¦ R.27 Powers of Supervisors
Recommendation 27: Why Strong Supervisory Powers Are Essential in the Fight Against Financial Crime
Effective supervision is one of the most important defenses against money laundering and terrorist financing. Financial institutions sit at the center of the financial system, but it is the supervisors who ensure that these institutions actually follow the rules designed to protect that system from abuse. Recommendation 27 focuses on the powers supervisors need to properly oversee financial institutions and enforce compliance with anti-money laundering and counter-terrorist financing obligations. Without clear authority, access to information, and meaningful sanctions, even the best-written laws become weak in practice. Recommendation 27 aims to close that gap by setting out what supervisors must be able to do in order to play their role effectively.
Core Supervisory Powers: Monitoring and Ensuring Compliance
At the heart of Recommendation 27 is a simple expectation: supervisors must have adequate powers to supervise or monitor financial institutions and ensure they comply with anti-money laundering and counter-terrorist financing requirements. This goes beyond simply reviewing policies on paper. It requires active oversight of how those policies are implemented in practice.
Supervisors are expected to:
- Check whether institutions have sound internal controls, risk assessments, and customer due diligence processes.
- Monitor how effectively institutions detect and report suspicious activity.
- Assess whether the institution’s culture, governance, and training genuinely support compliance rather than treating it as a box-ticking exercise.
The word “adequate” here is important. It means that supervisors must not be limited to surface-level reviews. They need sufficient legal authority, tools, and resources to identify weaknesses, investigate irregularities, and push institutions to correct them.
Inspection Authority: Seeing Beyond the Paper Trail
Recommendation 27 explicitly highlights the authority to conduct inspections as a key supervisory power. Inspections are how supervisors test real-world compliance, not just what is written in policy documents.
On-site inspections allow supervisors to:
- Review customer files and transaction records.
- Test the effectiveness of monitoring systems.
- Interview staff at different levels, from frontline employees to senior management.
- Verify that red flags and unusual transactions are handled appropriately.
Off-site inspections are equally important. These can include desk-based reviews of data submitted by institutions, periodic reporting, and targeted questionnaires. Combined, on-site and off-site supervision helps authorities understand whether an institution’s controls work in practice, not just in theory.
The authority to conduct inspections must be broad enough to cover all relevant areas of risk and to be carried out whenever needed, not only at fixed intervals or after problems surface.
Access to Information: Compelling Production of Relevant Data
Supervision is impossible without reliable and timely access to information. Recommendation 27 requires that supervisors be authorised to compel financial institutions to produce any information that is relevant to monitoring compliance with anti-money laundering and counter-terrorist financing obligations.
This means supervisors should be able to obtain:
- Customer identification and verification records.
- Beneficial ownership information.
- Transaction data, including cross-border transfers and complex or unusual activity.
- Internal reports, audit findings, and compliance assessments.
- Suspicious activity reporting statistics and related internal documentation.
The ability to compel information is critical because it removes the option for institutions to withhold or delay providing data that might expose weaknesses or non-compliance. Supervisors must be able to access this information promptly and in a format that allows meaningful analysis.
Sanctions as a Deterrent: Linking to Recommendation 35
Supervisory powers are only truly effective if there are real consequences for failing to comply. Recommendation 27 makes clear that supervisors should be able to impose sanctions in line with Recommendation 35 when institutions do not meet their anti-money laundering and counter-terrorist financing obligations.
Sanctions serve several purposes:
- They punish non-compliance.
- They deter both the offending institution and others from similar behavior.
- They signal the seriousness of regulatory expectations to the market and the public.
Importantly, sanctions must not be purely symbolic. To be credible, they need to be proportionate to the severity of the breach, but also effective and dissuasive. Minor technical breaches may call for corrective measures and smaller penalties. Serious or repeated failures should trigger stronger responses.
Range of Disciplinary and Financial Sanctions
Recommendation 27 states that supervisors should be able to impose a range of disciplinary and financial sanctions. Having a “range” means supervisors can tailor their response to the specific case, instead of relying on a single, blunt option.
Typical sanctions can include:
- Written warnings and formal reprimands.
- Orders to rectify deficiencies within set deadlines.
- Restrictions on certain types of business or products.
- Fines and other financial penalties.
- Conditions imposed on management or governance structures.
- Bans on individuals holding certain positions, where allowed by national law.
The flexibility to choose the right mix of measures allows supervisors to promote compliance effectively without overreacting to minor issues or underreacting to serious ones.
License Measures: The Ultimate Supervisory Tool
Perhaps the strongest power under Recommendation 27 is the ability to withdraw, restrict, or suspend a financial institution’s license, where applicable. This is the ultimate enforcement tool, reserved for the most serious or persistent breaches.
License-related actions may be justified when:
- An institution has systemic and long-standing failures in its controls.
- Management has shown unwillingness or inability to fix serious issues.
- The institution consistently ignores supervisory directions.
- The institution’s continued operation poses a clear risk to the integrity of the financial system.
The possibility of losing a license sends a clear message that compliance is not optional. Even if this power is rarely used, its existence significantly strengthens the credibility of the supervisory regime.
Why Recommendation 27 Matters for the Wider Financial Crime Framework
Recommendation 27 does not stand alone. It supports and interacts with other measures designed to prevent and detect financial crime. For example:
- Customer due diligence requirements are only meaningful if supervisors can check how they are applied in practice.
- Suspicious transaction reporting can only function well if supervisors ensure financial institutions identify and escalate suspicious activity.
- Risk-based approaches depend on supervisors’ ability to understand how institutions assess and manage their own risks.
When supervisors are well-empowered and active, financial institutions are more likely to invest in robust controls, better technology, and stronger compliance functions. This, in turn, improves the overall resilience of the financial system against money laundering and terrorist financing.
Conclusion: Strong Supervisors, Stronger Defenses
Recommendation 27 reinforces a key principle: the fight against financial crime is not just about writing rules, but about ensuring they are followed. For that, supervisors must have adequate powers to:
- Monitor and supervise compliance.
- Conduct meaningful inspections.
- Compel the production of all relevant information.
- Impose a wide range of sanctions, including license withdrawal where necessary.
For financial institutions, this recommendation is a reminder that supervisory expectations carry real weight, supported by real authority. For policymakers and practitioners, it underlines that a credible supervisory framework is essential if anti-money laundering and counter-terrorist financing standards are to work in practice, not just on paper.
FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings
Anti-money laundering and counter-terrorist financing measures
Luxembourg Mutual Evaluation Report, September 2023
This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.
Table 1. Effectiveness Ratings
Note: Effectiveness ratings can be either a High- HE, Substantial- SE, Moderate- ME, or Low – LE, level of effectiveness.
IO1 Risk, policy and coordination
Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.
Substantial
IO2 International cooperation
International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.
Substantial
IO3 Supervision
Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.
Moderate
IO4 Preventive measures
Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.
Moderate
IO5 Legal persons and arrangements
Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.
Substantial
IO6 Financial intelligence
Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.
Substantial
IO7 ML investigation & prosecution
Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.
Moderate
IO8 Confiscation
Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.
Moderate
IO9 TF investigation & prosecution
Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.
Substantial
IO10 TF preventive measures & financial sanctions
Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.
Moderate
IO11 PF financial sanctions
Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.
Moderate
Table 2. Technical Compliance Ratings
Note: Technical compliance ratings can be either a C – compliant, LC – largely compliant, PC – partially compliant or NC – non compliant.
R.1 Assessing Risks and applying a Risk-Based Approach
C – compliant
R.2 National Co-operation and Co-ordination
C – compliant
R.3 Money laundering offence
C – compliant
R.4 Confiscation and provisional measures
LC – largely compliant
R.5 Terrorist financing offence
C – compliant
R.6 Targeted financial sanctions related to terrorism and terrorist financing
LC – largely compliant
R.7 Targeted financial sanctions related to proliferation
LC – largely compliant
R.8 Non-profit organisations
PC – partially compliant
R.9 Financial institution secrecy laws
C – compliant
R.10 Customer due diligence
C – compliant
R.11 Record-keeping
C – compliant
R.12 Politically exposed persons
C – compliant
R.13 Correspondent banking
C – compliant
R.14 Money or value transfer services (MVTS)
C – compliant
R.15 New technologies
LC – largely compliant
R.16 Payment transparency
C – compliant
R.17 Reliance on third parties
C – compliant
R.19 Higher-risk countries
C – compliant
R.20 Reporting of suspicious transactions
C – compliant
R.21 Tipping-off and confidentiality
C – compliant
R.22 DNFBPs: Customer due diligence
C – compliant
R.23 DNFBPs: Other measures
C – compliant
R.24 Transparency and beneficial ownership of legal persons
LC – largely compliant
R.27 Powers of supervisors
C – compliant
R.28 Regulation and supervision of DNFBPs
C – compliant
R.29 Financial intelligence units
C – compliant
R.30 Responsibilities of law enforcement and investigative authorities
LC – largely compliant
R.32 Cash Couriers
LC – largely compliant
R.33 Statistics
LC – largely compliant
R.34 Guidance and feedback
C – compliant
R.35 Sanctions
LC – largely compliant
R.36 International instruments
LC – largely compliant
R.37 Mutual legal assistance
C – compliant
R.38 Mutual legal assistance: freezing and confiscation
C – compliant
R.39 Extradition
C – compliant
R.40 Other forms of international co-operation
LC – largely compliant
Dive deeper
What else?
