FATF ¦ IO4 Pre­ven­tive Meas­ures

Immediate Outcome 4: Strengthening Supervision and Risk-Based Compliance of DNFBPs

Recommendation 4 focuses on the oversight of designated non-financial businesses and professions (DNFBPs) to ensure these sectors do not become conduits for money laundering and terrorist financing. Effective supervision, registration and licensing controls, combined with DNFBPs’ own risk-based policies and reporting practices, reduce opportunities for criminals to exploit these businesses.

The Recommendation ties supervisory activity to practical outcomes:

• preventing criminals or their associates from gaining control or beneficial ownership in DNFBPs;
• guiding and enforcing compliance; and
• ensuring DNFBPs detect and report suspicious activity proportional to their risk exposure.

Preventing criminal ownership and unfit managers

A central element of Recommendation 4 is protecting the DNFBP sector from infiltration. That requires robust licensing, registration and “fit and proper” assessments that screen beneficial owners and senior managers. Supervisory authorities must have mechanisms to detect breaches of entry controls and take proportionate remedial action — from rejecting or withdrawing licenses to imposing restrictions or other sanctions where misconduct or risk is identified. The quality of background checks, rejection or withdrawal reasons, and the transparency of those processes are key indicators of effective prevention.

Building supervisors’ understanding of DNFBP risks

Supervisory effectiveness depends on a detailed, evolving understanding of sector risks. Authorities should identify types and sizes of DNFBPs, cross-border activities, and sector-specific vulnerabilities. fisk assessments and models, supervisory manuals, thematic studies and outreach material help tailor the supervisory approach. Supervisors must periodically update risk profiles, use trigger events (such as ownership or business-model changes) to re-evaluate entities, and employ both on-site and off-site tools in ways that reflect each entity’s risk level.

DNFBPs’ own grasp of ML/TF risks and obligations

Recommendation 4 expects DNFBPs to understand their exposure and to implement risk-based AML/CFT measures. That includes documented ML/TF risk assessments, group-wide policies where relevant, proportionate internal controls, customer due diligence (CDD) including beneficial ownership verification, ongoing monitoring, and effective record-keeping. DNFBPs should apply enhanced measures for higher-risk situations (PEPs, new technologies, jurisdictions of concern) and simplified measures where lower risk is demonstrable. Clear internal audit, escalation and reporting lines, and adequate resourcing of compliance functions are essential.

Bastian Schwind-Wagner _Follow

"Effective supervision and risk-based oversight of DNFBPs is essential to close avenues that criminals exploit for money laundering and terrorist financing. Strong licensing, targeted monitoring and proportionate enforcement create deterrence and raise compliance standards across the sector.

Supervisors and DNFBPs must maintain dynamic risk assessments and invest in resources, training and technology to spot evolving threats. Consistent cooperation between supervisors, FIUs and other authorities ensures that suspicious activity is reported, acted upon, and that supervisory measures have measurable impact."

Supervisory tools to drive compliance

Supervisors must use a tailored mix of tools:

• guidance, outreach and training;
• targeted inspections;
• requirements for remedial action; and
• proportionate, dissuasive sanctions when necessary.

The intensity, frequency and scope of supervision should match the entity’s risk profile. Supervisory engagement should result in measurable improvements: better CDD practices, more accurate and timely STRs, stronger internal controls, and an overall decline in vulnerabilities exploitable by criminals. Supervisors should also promote the adoption of simplified measures to reduce risk, avoiding unnecessary burdens while maintaining safeguards where risk warrants it.

Quality and impact of suspicious transaction reporting

The effectiveness of supervisory regimes is reflected in the quality and sufficiency of STRs from DNFBPs. Supervisors and DNFBPs should monitor STR volumes, sectoral contributions, timeliness, and the degree to which reports support investigations. Supervisors must give practical feedback to DNFBPs to improve report quality and to avoid tipping-off. Case studies and sanitized examples showing STRs that contributed to investigations are powerful tools for both training and demonstrating supervisory impact.

Use of technology and data analytics

Where appropriate, supervisors and DNFBPs should adopt technology to strengthen risk assessment and monitoring. Advanced data analytics can help identify trends, flag unusual activity, and focus supervisory resources. Technology-driven supervision must be applied in a risk-sensitive manner, with clear standards on data quality, privacy and proportionality.

Coordination, independence and resourcing of supervisors

Effective implementation of Recommendation 4 relies on competent authorities having operational independence, sufficient resources and robust cooperation arrangements. Supervisors must share information with licensing authorities, financial intelligence units, law enforcement and other domestic or foreign supervisors when relevant. Resource adequacy should reflect the size, complexity and risk profile of the supervised sectors. Independence protects supervisory decisions from undue influence and supports the consistent application of AML/CFT measures.

Measuring supervisory success: outcomes to look for

Assessment of Recommendation 4 should focus on outcomes: fewer cases of criminal ownership or control in DNFBPs, demonstrable improvements in DNFBP compliance over time, high-quality STRs that contribute to investigations, and proportional supervisory interventions that target higher-risk entities. Evidence supporting these outcomes includes records of licensing decisions, supervisory manuals and findings, enforcement actions, improved firm-level controls, and examples of supervisory engagement yielding changes in practices.

Practical steps for jurisdictions and supervisors

To align with Recommendation 4, jurisdictions should ensure licensing and registration regimes include fit-and-proper checks and that supervisors can detect and act on breaches. Supervisors need documented risk assessments, tailored supervisory strategies, and tools to adjust frequency and intensity of oversight by risk. DNFBPs should be required and supported to maintain up-to-date risk assessments, proportionate CDD and escalation procedures, and adequate resourcing for compliance functions. Regular outreach, training and feedback loops between supervisors, DNFBPs and the FIU will reinforce better detection and reporting of suspicious activity.

Conclusion

Recommendation 4 is about creating a supervisory ecosystem that prevents criminal infiltration of DNFBPs, fosters risk-based compliance by the supervised entities, and produces tangible reductions in money laundering and terrorist financing risk. Success requires robust entry controls, continuous risk assessment, targeted supervision and enforcement, effective use of technology, adequate resourcing, and close cooperation among competent authorities. When these elements work together, the DNFBP sector becomes a resilient component of the broader AML/CFT framework rather than a soft target for illicit finance.

Dive deeper

• FATF ¦ The FATF Recommendations ¦ Link
• FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing ¦ Link