FATF ¦ R.28 Regulation and Supervision of DNFBPs


Recommendation 28: Building Effective DNFBP Oversight

Recommendation 28 addresses a crucial vulnerability in anti-money laundering and counter-terrorist financing (AML/CFT) frameworks: designated non-financial businesses and professions (DNFBPs). DNFBPs include high-risk sectors such as casinos, real estate agents, lawyers, notaries, accountants, trust and company service providers, and others whose services can be exploited to launder proceeds of crime or to finance terrorism. Effective regulation and supervision of these sectors reduce the avenues available to criminals to hide illicit funds and provide assurance that professional services are not used to shield illicit activity.

Core requirements for casinos

Casinos receive special focus under Recommendation 28 because of their inherent exposure to cash transactions and high-value instruments. The Recommendation requires that casinos operate under a comprehensive regulatory and supervisory regime that ensures implementation of appropriate AML/CFT measures. At a minimum, this involves three pillars.

First, casinos must be licensed, establishing a legal basis for oversight and accountability.

Second, competent authorities must adopt measures preventing criminals or their close associates from owning or controlling casinos, occupying management positions, or operating casinos. This typically requires fit-and-proper assessments and ownership transparency checks to deny access to those who would use the business to launder funds.

Third, competent authorities must actively supervise casinos for compliance with AML/CFT obligations, applying oversight tools that verify the effectiveness of internal controls, customer due diligence, suspicious transaction reporting, and record keeping.

Risk-sensitive supervision for other DNFBPs

For DNFBPs beyond casinos, Recommendation 28 requires that countries ensure effective systems to monitor and enforce AML/CFT requirements, applied on a risk-sensitive basis. Supervision may be conducted by a designated public supervisor or by an appropriate self-regulatory body (SRB), provided the SRB can ensure compliance among its members. The risk-based approach means supervisors or SRBs must allocate resources, set supervisory frequency and intensity, and design examination techniques according to an informed assessment of the money laundering and terrorist financing risks present in the country and inherent to specific DNFBP sectors, their customers, products and services. Supervisory activities should reflect the diversity and number of DNFBPs and focus on where the risks are greatest.

Expectations for supervisory practice

Supervisors and SRBs should assess DNFBPs’ internal controls, policies and procedures in light of each entity’s risk profile and the degree of discretion the entity exercises under the risk-based approach. This assessment must be proportionate: higher-risk DNFBPs require more intensive review and stronger expectations for controls and reporting, while lower-risk entities warrant lighter-touch supervision. Effective supervision relies on adequate legal powers to monitor, inspect and sanction, and on sufficient financial, human and technical resources within supervisory bodies. Staff must be skilled, maintain high professional standards, observe confidentiality, and possess the integrity necessary to carry out sensitive oversight tasks.

Bastian Schwind-Wagner

"Recommendation 28 reinforces the need to bring designated non-financial businesses and professions into a coherent AML/CFT oversight framework. Clear rules, licensing, and targeted supervision reduce opportunities for criminals to exploit professional services.

Effective implementation depends on risk-based supervision, adequate supervisory powers, and institutional capacity. When supervisors and self-regulatory bodies are properly resourced and use proportionate sanctions, DNFBPs become a stronger line of defense against money laundering and terrorist financing."

Preventing criminal infiltration of professions

Recommendation 28 emphasizes the prevention of criminals and their associates from being professionally accredited, acquiring significant or controlling interests, or holding management positions in DNFBPs. Supervisors or SRBs should implement measures such as fit-and-proper testing, vetting of owners and senior managers, beneficial ownership verification, and licensing conditions that disqualify unsuitable persons. These measures help protect the integrity of professional services and reduce the risk that regulated entities become vehicles for illicit finance.

Sanctions and enforcement

The Recommendation requires that supervisors or SRBs have access to effective, proportionate and dissuasive sanctions to address failures to comply with AML/CFT obligations, consistent with the FATF’s broader approach set out in Recommendation 35. Sanctions should be calibrated to the severity and willfulness of violations and should serve both to punish wrongdoing and to deter non-compliance across the sector. Where appropriate, supervisory action should be accompanied by remedial directions, follow-up examinations and public enforcement to reinforce compliance culture.

Operationalizing a risk-based supervisory model

To operationalize the risk-based approach, supervisors and SRBs must first develop a clear and evidence-based understanding of national and sectoral ML/TF risks. This requires risk assessments that identify vulnerabilities across geographic areas and DNFBP types, and which inform supervisory planning. Supervisory authorities should then determine inspection cycles, thematic reviews, and outreach efforts based on that risk understanding. Assessments of DNFBPs’ AML/CFT controls must be proportionate to each firm’s risk profile, focusing on areas of discretion such as customer acceptance, transaction monitoring, and the application of enhanced due diligence. Supervisors also need procedures for sharing information with financial intelligence units, law enforcement, and other regulators to support coherent and timely action.

Institutional capacity and integrity

Recommendation 28 highlights the need for supervisors and SRBs to possess adequate powers and resources. Effective oversight is not possible without legal authority to require information, conduct on-site inspections, impose sanctions and, where needed, revoke licenses or accreditations. Human resources must be sufficient in number and competency; staff should receive ongoing training in AML/CFT issues and in the sectors they supervise. Safeguards should protect the confidentiality of supervisory information and guard against conflicts of interest or corruption that could undermine oversight.

Conclusion

Recommendation 28 sets out a clear framework for bringing DNFBPs into effective AML/CFT oversight. Its core principles — licensing and robust supervision for casinos, risk-sensitive monitoring for other DNFBPs, fit-and-proper assessments to keep criminals away from professional roles, and effective sanctioning powers — together strengthen national resilience against money laundering and terrorist financing. Implementing these measures requires a well-resourced supervisory architecture, informed risk assessments, proportionate enforcement, and sustained engagement with the DNFBP sectors to ensure that professional services resist misuse and contribute to the integrity of the financial system.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings can be either a High (HE), Substantial (SE), Moderate (ME) or Low (LE) level of effectiveness.

IO1 Risk, policy and coordination

Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.

Substantial

IO2 International cooperation

International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.

Substantial

IO3 Supervision

Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.

Moderate

IO4 Preventive measures

Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.

Moderate

IO5 Legal persons and arrangements

Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.

Substantial

IO6 Financial intelligence

Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.

Substantial

IO7 ML investigation & prosecution

Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Moderate

IO8 Confiscation

Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.

Moderate

IO9 TF investigation & prosecution

Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Substantial

IO10 TF preventive measures & financial sanctions

Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.

Moderate

IO11 PF financial sanctions

Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Moderate

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings can be either C (compliant), LC (largely compliant), PC (partially compliant) or NC (non-compliant).

R.8 Non-profit organisations

PC – partially compliant

R.10 Customer due diligence

C – compliant

R.11 Record-keeping

C – compliant

R.13 Correspondent banking

C – compliant

R.15 New technologies

LC – largely compliant

R.16 Payment transparency

C – compliant

R.19 Higher-risk countries

C – compliant

R.23 DNFBPs: Other measures

C – compliant

R.27 Powers of supervisors

C – compliant

R.32 Cash Couriers

LC – largely compliant

R.33 Statistics

LC – largely compliant

R.34 Guidance and feedback

C – compliant

R.35 Sanctions

LC – largely compliant

R.36 International instruments

LC – largely compliant

R.37 Mutual legal assistance

C – compliant

R.38 Mutual legal assistance: freezing and confiscation

C – compliant

R.39 Extradition

C – compliant

R.40 Other forms of international co-operation

LC – largely compliant


Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.