FATF in Action: Implementing Recommendations 18, 23 and the Private Sector Sharing Principles

Updated: Aug 1


In a world where the threats of money laundering and terrorist financing continue to evolve, compliance with international standards is more than a legal obligation: it is a strategic responsibility for financial institutions and associated service providers. At the core of these standards is the FATF (Financial Action Task Force), the body that sets the global standards for combating Money Laundering and Financing of Terrorism, and which directly or indirectly shapes the actions of companies with compliance responsibilities around the world.


In this article, we delve into three key issues:


  • How international financial institutions comply with FATF Recommendations 18 and 23, which concern the coherence of compliance programs at group level and the inclusion of non-financial entities (DNFBPs);

  • How companies share suspicious activity reports (SARs) without incurring tipping-off, a legal and ethical risk;

  • What FATF Principles 48 to 51 are on information sharing in the private sector, and how they shape safe and compliant data protection practices.


Topics such as KYC, due diligence and risk assessment, which we have already explored in our previous blog on KYC and AML, are again highlighted here, now framed in a broader logic: how to share critical information safely, effectively and legally.


If you work in compliance, risk management, audit or an MLRO function, this content is for you. Let’s get into it!



1. How financial institutions comply with FATF Recommendations 18 and 23


Recommendation 18 requires financial institutions to adopt AML/CFT compliance programs at group level, even when they operate in different jurisdictions. This ensures a uniform response to ML/TF risks, especially in groups with international subsidiaries.

How it is applied in practice:

  • Overarching global policies and procedures, approved by headquarters and re-implemented in each jurisdiction in order to comply with local requirements;

  • MLRO at group level, with visibility and authority to supervise local entities, and local MLROs able to meet local statutory requirements;

  • Centralized monitoring, often with dashboards that analyze alerts from all jurisdictions;

  • Transversal internal auditing, which guarantees the integrity of local programs;

  • Creation of internal watchlists to alert local branches of bad actors common between different group jurisdictions.


Recommendation 23 applies the same principles to DNFBPs, such as law firms, consulting firms, real estate agents or trust companies, when they are part of a group under common control.



2. How do firms share suspicious activity reports without tipping off?


Sharing suspicious activity reports (SARs) between entities or within a group raises serious legal risks, chief among them the crime of tipping-off, i.e. alerting the suspect that they are being investigated, or alerting anyone to the existence of a SAR for any purpose other than preventing money laundering.


What FATF says:

  • Sharing can be done within the group (see Recommendation 18), as long as there are proper safeguards;

  • Outside the group, it must go through FIUs (Financial Intelligence Units) or authorized channels;

  • It is essential to guarantee the anonymization, encryption and justification of the sharing;

  • It is possible to rely on local tipping-off exemptions (such as POCA section 333B) to safely share data with other branch offices and raise awareness of a possible bad actor.


Practical solutions used:

  • Secure data sharing platforms;

  • Lists with limited information linked to screening software;

  • Internal protocols, which define when and how a SAR can be discussed between teams;

  • Privacy technology to share risk indicators without revealing personal details;

  • Intensive training for MLROs and compliance teams on what constitutes tipping-off.



3. FATF guidance on private sector information sharing principles 48 to 51


These references are to the document “Private Sector Information Sharing Guidance” (Nov 2017), cited in the 2022 report “Partnering in the Fight Against Financial Crime”.


  • Principle 48, referring to “Clarity and legitimacy”, implies that there should be clear rules on who can share, what kind of information, and for what purpose;

  • Principle 49, linked to data protection, states that sharing should include data protection safeguards (privacy, security, confidentiality) in accordance with national legislation (for example GDPR);

  • Principle 50 advises that sharing should be based on a balance between confidentiality and crime prevention and that thresholds and procedures should be established for each situation;

  • Principle 51 indicates that sharing should be done for legitimate purposes, documented, with auditing and accountability mechanisms to ensure that data is only used for AML/CFT.


Practical examples:

  • Creation of lists of bad actors subject to SARs, including nothing but the full name, date of birth and country of residence/birth, making it possible to screen and discount the same individual or legal entity in other group jurisdictions;

  • Global MLRO functions building bridges between jurisdictions and coordinating international investigations;

  • Simple but capable IT systems to filter user access and recording permissions from local MLROs to share full details of SARs abroad (there may be restrictions on request from Production Orders or FIU instructions).



The sharing of SAR information is fundamental to an effective ecosystem for combating ML/TF within international financial institutions. It is a required step to detect and report larger organised crime internationally.


Ancilia can position itself as a strategic partner:

  • Helping to implement governance and frameworks for SAR data sharing across jurisdictions;

  • Creating safe and legally compliant sharing protocols;

  • Advisory on technology capable of delivering these functionalities;

  • Preparation of training packs to deliver to MLROs, and delivery of said training if necessary;

  • External appointment of Global MLROs or Interim solutions;

  • Offering technical and advisory support to apply the FATF principles with confidence;

  • Analysis of local tipping-off exemptions.


Talk to us and find out how we can support your compliance program.


