FATF Role and Recommendations

FATF: The Global Standard-Setter

The Financial Action Task Force (FATF) is an inter-governmental body created by the G7 in Paris in 1989. It does not issue laws; it issues standards that more than 200 jurisdictions commit to implement through FATF itself plus nine FATF-Style Regional Bodies (FSRBs) such as MONEYVAL (Europe), APG (Asia-Pacific), GAFILAT (Latin America), and ESAAMLG (Eastern/Southern Africa). On the CAMS exam, FATF is the default answer whenever a question asks "who sets the international AML/CFT standard."

FATF's mandate has expanded three times. It began with money laundering, added terrorist financing after the 9/11 attacks via nine Special Recommendations, and later added proliferation financing (funding weapons of mass destruction). A frequent CAMS trap is the phrase "40+9 Recommendations" — that is the pre-2012 structure. In 2012 FATF consolidated the 40 Recommendations and the 9 Special Recommendations into a single set of 40 Recommendations. If an option references "40+9," it is testing whether you know the current framework.

The 40 Recommendations and the Risk-Based Approach

Recommendation 1 (R.1) is the cornerstone: it mandates the risk-based approach (RBA), requiring countries and institutions to identify, assess, and mitigate their ML/TF risks and apply resources proportionately. Where risk is higher, enhanced measures apply; where it is lower (and only where lower risk is documented), simplified measures may apply. CAMS scenario questions reward the proportionate answer, not the most aggressive one.

Key recommendations CAMS candidates must recognize by number:

Mutual Evaluations, Grey List, and Black List

FATF assesses each member through a Mutual Evaluation Report (MER), scoring both technical compliance (are the laws on the books?) and effectiveness (are they working in practice, measured against 11 Immediate Outcomes?). A jurisdiction with strategic deficiencies but a credible action plan goes on the grey list ("Jurisdictions under Increased Monitoring"). As of February 2026 the grey list held roughly 22 jurisdictions, with Papua New Guinea added that month.

The black list ("High-Risk Jurisdictions subject to a Call for Action") historically holds Iran and the Democratic People's Republic of Korea (DPRK); for these, FATF calls for countermeasures, not merely enhanced due diligence.

The practical CAMS consequence: a transaction touching a grey-list country triggers enhanced due diligence, while a black-list country may trigger countermeasures or prohibition. Confusing these two responses is a classic distractor.

Common traps to memorize:

• FATF cannot prosecute, fine, or freeze assets — that is for national authorities. FATF only sets standards and lists.
• Mutual evaluations grade effectiveness, not just whether laws exist. A country can have perfect laws and still fail on effectiveness.
• Recommendation 1 (RBA) is the lens for almost every program question; "treat all customers identically" is virtually always wrong.

How FATF Shapes a Real AML Program

Worked example: a mid-size bank opens a relationship with a trading company in a country that FATF placed on the grey list last quarter. Under R.1 the bank classifies the relationship as higher risk; under R.10 it verifies identity and the nature of the business; under R.24/R.25 it identifies the beneficial owners behind the corporate structure; and under R.16 it ensures complete originator and beneficiary data accompanies the company's wire transfers. None of these steps is optional, because the grey-list designation is a documented risk trigger.

The exam reward is recognizing which numbered Recommendation maps to which step, not reciting all 40.

FATF also drives the domestic legal architecture candidates see referenced indirectly. The 40 Recommendations were transposed in the European Union through successive AML Directives and in the United States through the Bank Secrecy Act framework. When a CAMS item describes a national rule, the underlying logic almost always traces back to a FATF Recommendation, so understanding the source standard lets you reason about an unfamiliar jurisdiction.

Finally, remember the cadence: FATF publishes updated grey and black lists at its three annual plenary meetings (roughly February, June, and October), so the lists change. The exam will not ask you to memorize today's exact roster, but it expects you to know that grey-list status means increased monitoring and enhanced due diligence, while a call-for-action (black list) jurisdiction warrants countermeasures. Treating the lists as static, or treating grey and black identically, are the two errors to avoid.

One further governance point the exam expects: FATF assesses effectiveness against eleven Immediate Outcomes, ranging from risk understanding and international cooperation to supervision, preventive measures, and confiscation. A country can score "compliant" on technical criteria yet "low" on effectiveness if its laws are not actually disrupting crime. This is why a jurisdiction with modern statutes can still land on the grey list, and why CAMS frames the mutual-evaluation outcome around whether the system works, not merely whether the rules exist.

When a scenario describes a country with strong laws but weak prosecutions and poor information sharing, the FATF lens points to an effectiveness deficiency rather than a technical one, and enhanced due diligence on that jurisdiction's exposures remains appropriate.