FATF ¦ IO3 Supervision

Immediate Outcome 3: Strengthening Supervision and Private‑Sector Compliance to Reduce ML/TF Risks

Recommendation 3 sits at the intersection of public oversight and private‑sector action: supervisors must ensure that financial institutions and virtual asset service providers (VASPs) are subject to risk‑based regulation and monitoring, while those entities must understand and apply AML/CFT measures proportionate to their risk exposure. The ultimate aim is to prevent criminals and their associates from gaining controlling interests or management roles, to improve detection and reporting of suspicious activity, and to reduce opportunities for money laundering and terrorist financing (ML/TF) across the regulated economy. Effective delivery of this recommendation requires a coherent, evidence‑based approach by supervisors and responsive, well‑resourced compliance programs within firms.

Immediate Outcome 3
Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are proportionate to the risks.

Clarifying the responsibilities of supervisors

Supervisors are expected to do more than issue rules: they must identify, understand and act upon ML/TF risks across sectors and individual entities. That begins with robust licensing, registration and fit‑and‑proper checks to prevent unsuitable persons from having significant or controlling ownership or management roles in financial institutions and VASPs. Where breaches occur, supervisors need mechanisms to detect them and impose proportionate remedial measures — ranging from directions and corrective plans to sanctions — so that breaches do not persist or spread.

Risk‑based supervision requires supervisors to maintain up‑to‑date sectoral and entity‑level risk profiles, to tailor the intensity and scope of on‑site and off‑site monitoring accordingly, and to adapt quickly to trigger events such as management changes, new products or technological shifts. Supervisory tools should include thematic reviews, targeted inspections, data collection and analytics, and clear guidance and outreach to the industry. Importantly, supervisors must coordinate domestically across authorities (including prudential supervisors and FIUs) and engage in international cooperation where groups operate across borders. Operational independence and sufficient resourcing are essential so supervisory decisions are evidence‑driven and free from undue influence.

What effective private‑sector compliance looks like

Financial institutions and VASPs need to understand both the nature and evolution of their ML/TF risks and translate that understanding into proportionate, documented AML/CFT frameworks. This includes group‑wide policies where relevant, effective customer‑due‑diligence (CDD) systems that reliably capture beneficial ownership, ongoing monitoring to detect changes in risk profiles, transaction monitoring tuned to business lines, and timely, high‑quality suspicious transaction reports (STRs). Firms must be able to refuse or terminate business relationships when CDD cannot be completed and to apply simplified measures where lower risks are clearly demonstrated.

Internal controls, staff training and independent audit must be scaled to the entity’s complexity and risk profile. Firms should ensure compliance functions have adequate access to relevant information and a direct channel to senior management and the board. Remedial actions and internal sanctions for breaches reinforce a compliance culture and reduce repeat deficiencies. Where third‑party reliance is used, controls should ensure that delegated or outsourced compliance obligations are effectively met.

Bastian Schwind-Wagner

"Supervisors play a critical role in reducing money laundering and terrorist financing by applying risk‑based oversight, enforcing fit‑and‑proper checks, and engaging with the private sector. When supervision is well resourced and coordinated, it creates incentives for firms to adopt stronger AML/CFT controls and improves the overall integrity of the financial system.

Financial institutions and VASPs must translate risk assessments into proportionate policies, reliable CDD, ongoing monitoring, and timely STR reporting. Practical guidance, feedback from authorities, and adequate internal resources enable firms to sustain compliance without unnecessarily impeding legitimate financial activity."

Measuring outcomes: indicators of success

Supervisors and firms should be able to demonstrate, over time, measurable improvements in compliance and risk mitigation.

Useful evidence includes:

  • trends in licensing approvals/rejections and the rationale for decisions;
  • supervisory risk assessments and the frequency and targeting of inspections aligned to risk;
  • the number, type and effectiveness of remedial actions and sanctions imposed;
  • improvements in firms’ internal risk assessments and policies;
  • quality and usefulness of STRs submitted;
  • case studies where supervisory action led to concrete compliance improvements; and
  • data showing adoption of proportionate simplified measures and reduced blanket de‑risking.

Technology can assist both sides: supervisors can use data analytics to spot outliers and emerging risks, while firms can deploy automated monitoring and analytics to improve detection and reduce false positives. Outreach, training and feedback loops — especially between supervisors, FIUs and the private sector — are critical to help firms refine their AML/CFT measures and to ensure reporting remains actionable.

Common challenges and how to address them

Several obstacles frequently undermine the effectiveness of Recommendation 3.

First, insufficiently resourced or technically trained supervisory bodies cannot sustain meaningful, risk‑based oversight. Addressing this requires investment in staffing, continuous training, and modern supervisory tools.

Second, legal or regulatory constraints — such as financial secrecy provisions — may impede timely access to beneficial ownership or transaction information; legal reform and clear protocols for supervised access are necessary.

Third, inconsistent application of requirements across international group operations creates weak links in global groups; home and host supervisors should coordinate and, where necessary, impose group‑wide measures or require parental controls.

Fourth, blanket de‑risking excludes whole sectors or customer types without proportionate analysis. Supervisors must encourage proportionate, evidence‑based approaches and promote the adoption of simplified measures where appropriate to preserve financial inclusion while managing ML/TF risk.

Last but not least, where VASPs are regulated or prohibited, supervisors must ensure their approach addresses the specific AML/CFT risks:

  • if VASPs are prohibited, the focus must be on enforcement and detection;
  • if regulated, supervision should be tailored to the particular ways virtual assets are used and abused.

Practical steps for implementation

To meet the objectives of Recommendation 3, countries and supervisors should:

  • establish and apply effective fit‑and‑proper controls in licensing and registration processes;
  • maintain dynamic, risk‑based supervision strategies that align inspection frequency and intensity with entity risk profiles;
  • use data and analytics to target supervision and identify emerging risks;
  • ensure supervisors have operational independence, adequate resources and specialized training;
  • enhance domestic and international cooperation, including information exchange for group supervision;
  • promote firm‑level adoption of proportionate AML/CFT policies, robust CDD (including beneficial ownership), transaction monitoring and quality STR reporting;
  • provide practical guidance and feedback to the private sector; and
  • guard against undue de‑risking by encouraging proportionate simplified measures.

Conclusion

Recommendation 3 is essential to close the gap between rules on paper and effective practice. When supervisors actively shape the risk environment — through licensing controls, targeted supervision, proportionate enforcement and constructive engagement — and when financial institutions and VASPs develop well‑resourced, risk‑based compliance programs, the combined effect is a measurable reduction in ML/TF vulnerabilities. The focus must remain on sustained, evidence‑based supervision coupled with practical, risk‑sensitive private‑sector implementation to protect the integrity of the financial system without unduly restricting legitimate access.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings can be a High (HE), Substantial (SE), Moderate (ME) or Low (LE) level of effectiveness.

IO1 Risk, policy and coordination

Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.

Substantial

IO2 International cooperation

International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.

Substantial

IO3 Supervision

Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.

Moderate

IO4 Preventive measures

Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.

Moderate

IO5 Legal persons and arrangements

Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.

Substantial

IO6 Financial intelligence

Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.

Substantial

IO7 ML investigation & prosecution

Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Moderate

IO8 Confiscation

Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.

Moderate

IO9 TF investigation & prosecution

Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Substantial

IO10 TF preventive measures & financial sanctions

Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.

Moderate

IO11 PF financial sanctions

Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Moderate

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings can be C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.

R.8 Non-profit organisations

PC – partially compliant

R.10 Customer due diligence

C – compliant

R.11 Record-keeping

C – compliant

R.13 Correspondent banking

C – compliant

R.15 New technologies

LC – largely compliant

R.16 Payment transparency

C – compliant

R.19 Higher-risk countries

C – compliant

R.23 DNFBPs: Other measures

C – compliant

R.27 Powers of supervisors

C – compliant

R.32 Cash Couriers

LC – largely compliant

R.33 Statistics

LC – largely compliant

R.34 Guidance and feedback

C – compliant

R.35 Sanctions

LC – largely compliant

R.36 International instruments

LC – largely compliant

R.39 Extradition

C – compliant


Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.