Corruption Exposure Index 2026

…and reflections on financial crime indexes in the age of AI

For decades, Transparency International’s Corruption Perceptions Index has been the preeminent comparative ranking of countries’ anti-corruption credentials. One widespread critique has been that the CPI consistently underestimates the role of Western financial centres in perpetuating large-scale corruption. For example, while you are unlikely to be shaken down for a bribe by the police while walking in the City of London, the City’s square mile has long been central to global illicit financial flows.

The Corruption Exposure Index 2026, available below, focuses on destination rather than source jurisdictions. Unlike composite indexes, which rely on other existing rankings, it is solely based on:

  • The Mutual Evaluation Reports published by the Financial Action Task Force and FATF-style regional bodies since 2013, for the top 50 jurisdictions exposed to foreign corruption proceeds.
  • The latest Follow-Up Reports for those 50 jurisdictions.

The Index focuses on two aspects of the MER:

  • Evidence of proceeds of foreign corruption being a major category of predicate offences (destination score);
  • Evidence of persisting vulnerabilities that may facilitate the inward flows of foreign corruption proceeds (vulnerability score).

Substantively, I found this to be an instructive exercise. Based on the sources and methodology used in the Index, major financial centres — the US, BVI, Cayman Islands, UAE and Panama — top the list. All but one, the US, were at some point grey-listed by the FATF.

Methodology

Still more interesting is the methodology. I used Claude Pro to generate this Index over several months. This involved a long series of prompts, rounds of verification and refinements of the methodology which, while a product of trial and error, can be summarised as follows:

  • First, with Claude’s assistance, I iteratively developed a methodology based on jurisdictions’ destination scores (attractiveness to proceeds of foreign corruption or other crime) and vulnerability scores (the existence of vulnerabilities that can facilitate the investment of such proceeds);
  • Second, to contain the amount of necessary work to what is feasible, I requested a list of the Index’s likely top-50 jurisdictions (more on this below);
  • Third, I downloaded the respective countries’ MERs and latest FURs and fed them to Claude one by one for the AI to generate each jurisdiction’s entry based on these documents, with references to specific paragraphs that I could check. This then led to the generation of each jurisdiction’s score, which was partly automatic (some components of the methodology reflect the FATF’s ratings) and party reliant on my judgement (details are in the Annex to the Index);
  • Fourth, multiple rounds of verification were run, over many weeks: both to confirm the calculation of each jurisdiction’s rating based on the Index methodology, and to run line-by-line verification of all statements and citations in each jurisdiction card;
  • Fifth, over a month or so, I ran spot-checks to control Claude’s verification efforts, which appeared to produce accurate results in each of my checks.

There were several false starts throughout the process. For instance, when I asked Claude to find MERs and FURs and analyse them, it proved unable to do so and began inventing data (hence the need to manually feed the documents to it). Even then, false statements occasionally surfaced in jurisdiction summaries.

Insofar as I can tell, the rounds of verification I undertook ultimately resulted in a fairly accurate product. There are, however, three caveats:

  • First, the decision about which 50 jurisdictions to rank is unscientific and essentially reflects ‘the usual suspects’. The real value of the exercise lies in the information extracted in those jurisdictions’ cards and their relative ordering. If the readers find this approach helpful, I will look to expand the index to capture the full array of the world’s countries.
  • Second, while I have done spot-checks of the qualitative comments in each jurisdiction’s entry, I have not verified them all. So, caveat emptor.
  • Third and finally, as already indicated, part of the methodology relies on (necessarily subjective) interpretations of the FATF’s comments: for instance, if a jurisdiction is described as a major destination for the proceeds of foreign corruption or other crime, a numerical score within a predetermined range is assigned depending on the nature of the observations and extent of the evidence cited in the MER.

A purist might suggest that these limitations negate the value of the exercise. However, I would stand by the validity of this Index as a useful way of collating and visualising FATF data (and only FATF data, unlike composite indexes).

Financial Crime Indexes in the Age of AI

Furthermore, based on my experiment so far, it seems to me that AI has profound implications for financial crime indexes:

  • Even a superficial analysis of hundreds of MERs and FURs of this magnitude would have otherwise taken a team of research assistants and far more weeks than I required. Despite the limitations of AI-augmented approaches, they are uniquely suitable for collating data.
  • The first iteration of Transparency International’s CPI was literally the work of one junior staff member collating a bunch of other rankings, such as the World Bank’s Ease of Doing Business, into a single index, prematurely published when he shared his preliminary results with a German media outlet. What can now be achieved in a week is already far more robust than some of those early efforts.
  • For all their evolution, some of the world’s main financial crime indexes — such as Transparency International’s CPI and the Basel Institute’s Basel AML Index — are ‘composite’ indexes that draw on various other existing sources. This is a task that is eminently suited to AI automation. In fact, if you ask AI to come up with improvements to those indexes’ respective methodologies, you will get a number of useful observations (try it!).

This, then, is main implication:

While previously many of us (academics, policymakers and financial crime practitioners) would grumble about aspects of existing indexes’ methodology but ultimately accept them as a ‘good enough’, rough-and-ready indication of countries’ corruption scores, financial crime risks and so on, now anyone can fairly easily construct their own index that is most suited to their objectives, methodological preferences and available data, especially if they have an appropriate in-house dataset to use.

This is surely a positive development as it lowers the costs of assessing countries’ performance across a number of indicators that may be relevant to policymaking, private-sector compliance efforts or other initiatives.

With that extended introduction out of the way, here is the Index — views, comments and critiques are welcome:

Corruption Exposure Index 2026

Ranks jurisdictions by their exposure to the laundering of corrupt and criminal proceeds, based exclusively on Financial Action Task Force (FATF) and FATF-Style Regional Body (FSRB) Mutual Evaluation Reports (MERs) and Follow-Up Reports (FURs). Each jurisdiction is scored on (A) destination evidence and (B) regulatory vulnerabilities, each out of 50, combined out of 100. Source MERs: 2013–2026.

Destination score /50 Vulnerability score /50 D/V scores = MER original + FUR adjustment | Total out of 100
Common acronyms used throughout this Index: ML = money laundering | TF = terrorist financing | PF = proliferation financing | MER = Mutual Evaluation Report | FUR = Follow-Up Report | NRA = national risk assessment | IO = Immediate Outcome | TC = technical compliance | FI = financial institution | DNFBP = designated non-financial business or profession | FIU = financial intelligence unit | LEA = law enforcement authority | STR/SAR = suspicious transaction/activity report | CDD = customer due diligence | EDD = enhanced due diligence | BO = beneficial ownership | PEP = politically exposed person | TCSP = trust and company service provider | IFC = international financial centre | IBC = international business company | VASP = virtual asset service provider | OCG = organised crime group | MLA = mutual legal assistance | RBA = risk-based approach | TFS = targeted financial sanctions

Tier Thresholds

Tier Score range Label Jurisdictions (2026)
Tier 1 60–70 Severe United States (66), British Virgin Islands (65), Cayman Islands (64), United Arab Emirates (62), Panama (60) — 5 jurisdictions
Tier 2 44–59 High Switzerland (57), United Kingdom (57), Austria (57), Luxembourg (54), China (51), South Africa (51), Germany (50), Monaco (50), Italy (50), Samoa (49), Portugal (48), Singapore (48), Isle of Man (47), Hong Kong SAR (46), Türkiye (45), Malaysia (45), Seychelles (44), Bahamas (44), Cyprus (44), Guernsey (44) — 20 jurisdictions
Tier 3 30–43 Moderate Russia (43), Japan (43), Liechtenstein (43), Malta (43), Netherlands (43), Jersey (43), Canada (42), Albania (42), Mauritius (41), Montenegro (41), Estonia (41), Serbia (41), Gibraltar (40), Latvia (40), Greece (39), France (39), Vanuatu (38), Ireland (38), Bermuda (38), South Korea (37), Bahrain (36), Kenya (35), Qatar (34), India (34), Saudi Arabia (31) — 25 jurisdictions

No jurisdiction in the 2026 edition scores below 30 (Tier 4). All 50 indexed jurisdictions fall within Tier 1 (Severe), Tier 2 (High), or Tier 3 (Moderate). Scores are ordinal, not cardinal — a higher score expresses greater severity relative to other indexed jurisdictions, not a precise quantified risk level. All scores derived exclusively from FATF and FSRB MER and FUR findings.

Tier 1 — Severe (score 60–70)

🇺🇸
United States
FATF/APG MER October 2016 (onsite Jan–Feb 2016) | 7th Enhanced FUR March 2024 (TC only)
D: 35/50 V: 31/50 66
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: LE IO.7: SE IO.2: SE FATF/APG
Destination risk (MER §34, §36, §41): The MER states that “the U.S. is an attractive destination for domestic and foreign proceeds at the integration stage” (§36). The global dominance of the U.S. dollar “generates trillions of dollars of daily transaction volume through U.S. banks, which creates significant exposure to potential ML activity (generated out of both domestic and foreign predicate offenses) and risks of cross-border illicit flows” (Exec. Summary §2; see also §34). Assessors specifically prioritised examination of the “Role of the U.S. in the global financial system”, under which the U.S. financial system “faces significant risks of abuse for the placement, layering or integration of illicit proceeds generated out of domestic and foreign predicate offenses, including tax crime and foreign corruption” (§41f). Fraud (particularly healthcare fraud against the Federal government, accounting for approximately USD 80 billion annually), drug trafficking (about USD 64 billion annually), transnational organised crime, human smuggling and public corruption (both domestic and foreign) are identified as the major sources of illicit proceeds (Exec. Summary §3; §35). UNODC estimated total financial crime proceeds in the US at USD 300 billion in 2010, excluding tax evasion (§35). The vulnerability is amplified by the large number of companies formed in the US with minimal oversight; lawyers and company service providers are involved in the formation of close to 50% of legal persons without being subject to comprehensive AML/CFT requirements (§20, §36).

Supervisory vulnerability (IO.3: Moderate): The MER finds that “AML/CFT supervision of the banking and securities sectors appears to be robust as a whole” (Exec. Summary Key Findings A), with the FFIEC/BSA Manual constituting “a good, up-to-date reference document” (§23). However, the most significant supervisory gap is “lack of comprehensive AML/CFT supervisory processes for the DNFBPs, other than casinos” (Exec. Summary Key Findings A; §24). Recommendation 28 remains Non-Compliant throughout all seven FURs: “other than for casinos, dealers in precious metals and stones, and in relation to examination for Form 8300 compliance, there are no competent authorities designated to supervise DNFBPs’ compliance with AML/CFT obligations” (FUR7 Annex, R.28).

Preventive measures (IO.4: Moderate): The MER notes that FIs “in general, demonstrate a fair understanding of ML/TF risks and obligations, though the quality of understanding varies” (§21), with the banking sector performing best. The structural gap is the near-complete exclusion of the DNFBP sector from AML/CFT obligations. Recommendation 22 (DNFBP CDD) and Recommendation 23 (DNFBP other measures) both remain Non-Compliant as of the 7th FUR (March 2024). The MER finds that “DNFBPs other than casinos and dealers in precious metals and stones have limited preventive measures applied leaving vulnerabilities particularly in respect of the high-end real estate sector and those sectors involved in the formation of legal persons” (§22). “Lawyers, accountants, high-end real estate agents and trust and company service providers… are not subject to comprehensive AML/CFT requirements, and are not systematically applying basic or enhanced due diligence processes” (§22). The lack of internal controls in high-end real estate and company formation contexts is described as “a major gap” (§343).

Beneficial ownership / legal persons (IO.5: Low): The MER gives IO.5 a Low rating and describes the legal framework as having “serious gaps impeding effectiveness” (§408). There was no requirement to systematically make BO information available to LEAs at the time of the assessment (§36); the difficulty of identifying the individuals (i.e. beneficial owners) who may use shell companies to conduct illicit activities “remains a long standing vulnerability across a range of criminal predicates including healthcare fraud, sanctions evasions, ML and corruption” (§406). States do not verify information collected during formation and are described as in competition with each other to attract company formation (§411). FUR7 (March 2024) upgraded R.24 from NC to Largely Compliant following the Corporate Transparency Act (CTA) and Beneficial Ownership Information (BOI) Reporting Rule. However, the 7th FUR states it “does not address what progress the United States has made to improve its effectiveness” — IO.5 remains Low per the 2016 MER rating which has not been re-assessed.

ML investigations and confiscation (IO.7: Substantial; IO.8: High): The US records over 1,200 ML convictions at the Federal level annually (§144) and confiscated over USD 4.4 billion in 2014 (§15), with Federal LEAs adopting a “follow the money” approach (§13), supported by extensive investigative capabilities and a well-established inter-agency task force environment (§143). The Kleptocracy Asset Recovery Initiative had USD 2.8 billion in restrained assets and repatriated over USD 150 million to countries affected by corruption (§187). These are genuinely strong effectiveness outcomes. However, the MER notes that ML is not consistently prioritised at the State level and some concerns remain about ML as a discrete offence.

International cooperation (IO.2: Substantial): The US provides “good quality and constructive MLA and extradition across the range of international cooperation requests” and is the recipient of very large volumes of requests (§28). One acknowledged gap: the absence of readily accessible BO information means the US is “unlikely to undertake a resource-intensive investigation to uncover BO information on behalf of a foreign counterpart unless the case is of a significantly high priority” (§29, §461). The CTA/BOI access rules address this prospectively.

FUR developments (TC only — IO ratings unchanged): Seven FURs have been issued since the 2016 MER, producing two re-ratings: R.10 (customer due diligence) upgraded PC→LC in the 2020 FUR following the CDD Rule, and R.24 upgraded from Non-Compliant to Largely Compliant by the 7th FUR (March 2024) following the Corporate Transparency Act and Beneficial Ownership Information Reporting Rule, effective 1 January 2024 (FUR7 Table 1). All other TC deficiencies noted in the 2016 MER remain, most significantly R.22 NC (DNFBP CDD), R.23 NC (DNFBP other measures), R.28 NC (DNFBP supervision), and R.25 PC (trusts). The 7th FUR states it does not address effectiveness improvements.
Key MER findings — attributable to source
  • Explicit destination for foreign proceeds (§34, §36, §41): MER states the US “is an attractive destination for domestic and foreign proceeds at the integration stage.” Assessors specifically prioritised examination of how foreign proceeds — including from tax crime and foreign corruption — are laundered through the US financial system. UNODC estimated total financial crime proceeds at USD 300 billion in 2010.
  • Near-complete DNFBP exclusion from AML regime (§22; FUR7 R.22/23 NC): Lawyers, accountants, real estate agents, and TCSPs (other than trust companies) are not subject to comprehensive AML/CFT obligations. R.22 and R.23 both remain Non-Compliant through all seven FURs. Lawyers and company service providers are involved in the formation of close to 50% of legal persons (§20).
  • No DNFBP supervisors (§24; FUR7 R.28 NC): “Other than for casinos, dealers in precious metals and stones… there are no competent authorities designated to supervise DNFBPs’ compliance with AML/CFT obligations.” R.28 remains Non-Compliant throughout all seven FURs.
  • BO framework “serious gaps” — now partially addressed by CTA (§36, §408; FUR7): At MER time, no BO disclosure requirement existed at company formation. IO.5 rated Low. CTA enacted (effective January 2024) and R.24 upgraded NC→LC by FUR7 — but FUR7 notes it does not assess effectiveness of these measures.
  • High-end real estate sector priority gap (§22, §41g, §407): High-end real estate agents not subject to AML requirements. GTO (Geographic Targeting Order) for Manhattan and Miami-Dade issued 13 January 2016 as a temporary measure requiring covered title insurance companies to report the true BO behind all-cash high-end residential purchases (§407). NMLRA identifies real estate ML risk including through legal entities used for all-cash purchases.
  • Strong enforcement outcomes (IO.7 SE; IO.8 HE; §13, §15, §144, §187): Over 1,200 Federal ML convictions annually (§144); USD 4.4 billion confiscated in 2014; Kleptocracy Asset Recovery Initiative with USD 2.8 billion in restrained assets. These are the strongest law enforcement effectiveness outcomes of any jurisdiction in this index.
  • Seven FURs (2016–2024): two TC re-ratings — IO ratings unchanged: R.10 upgraded PC→LC (2020 FUR; CDD Rule) and R.24 upgraded NC→LC (7th FUR, March 2024; Corporate Transparency Act). The FURs state they do not address effectiveness. R.22/23/28 remain NC; R.25 remains PC.
Sources: FATF/APG MER, United States, October 2016 (onsite January–February 2016); FATF 7th Enhanced Follow-Up Report, United States, March 2024. IO ratings from MER Effectiveness Ratings table (p.13); confirmed unchanged by FATF Consolidated Assessment Ratings (MER+FUR(s) row, Mar/2024). 7th FUR: FATF, Paris, 2024 — explicit statement that it “does not address what progress the United States has made to improve its effectiveness.”
🇻🇬
British Virgin Islands
CFATF MER February 2024 (onsite March 2023, adopted November 2023) | 2nd Enhanced FUR October 2025 (TC only)
D: 36/50 V: 29/50 65
Destination
Vulnerability
IO.3: LE IO.4: LE IO.5: ME IO.7: LE IO.8: LE CFATF
↑ TC progress (2nd Enhanced FUR Oct 2025) R.8 NC→LC; R.24 & R.26 PC→LC; R.28 PC→C
D: ±0 (unchanged — TC-only FUR; IO ratings and destination findings not reassessed; June 2025 grey-listing already reflected in D1)   V: −1 from MER baseline (R.24 PC→LC in 2nd Enhanced FUR reduces V2 to 0; R.26 and R.28 upgrades fall outside V components, which use IO.3 effectiveness rather than supervisory TC)
Destination risk (MER §55, §62, §64; IO.1 conclusion): The MER states that the VI’s corporate and financial services sector faces a high threat from proceeds-generating predicate offences committed overseas involving BVIBCs, including “foreign corruption, international fraud, tax evasion, and ML” (§55). The VI’s 2022 MLRA assesses the overall ML threat as medium-high, with a higher threat emanating from foreign crimes. Foreign proceeds of crime are found to enter the financial services sector “through the use of the products and services offered by the various FIs, especially TCSPs” (§64). The TCSP sector — 282 licensed entities accounting for 67% of financial services activity — is identified as the greatest ML/TF risk, serving predominantly non-resident clients. Despite this explicit characterisation, the MER finds that authorities view the illicit activities of foreign beneficial owners as having “insufficient nexus” with the territory, limiting the mitigation response (IO.1: Moderate).

Supervisory vulnerability (IO.3: Low): The MER finds that “neither the FSC nor the FIA could adequately demonstrate effective risk-based supervision” (§30). The number of onsite inspections is “very low” for TCSPs, “extremely low” for investment businesses, and “low” for banks (Key Finding e, Ch.6). Penalties imposed by the FSC are “not considered effective, proportionate, and dissuasive” (§31), and no monetary penalties have been imposed by the FIA (Exec. Summary Key Findings). Market entry controls are deficient in assessing the background of (especially foreign) beneficial owners of applicant licensees (§466). The FSC’s institutional ML/TF risk understanding is limited by the insufficient weight its Risk Assessment Model attributes to the ML/TF risk segment (§29).

Preventive measures (IO.4: Low): The MER gives IO.4 a Low rating, heavily weighted by the performance of the TCSP and investment business sectors. A large proportion of licensed TCSPs have never filed a suspicious activity report — 66.2% per the Chapter 3 analysis (§178), while the IO.4 chapter and Executive Summary state the figure as almost/nearly 50% (§393; Exec. Summary §25) — and 77.3% of TCSP SARs were filed by just 10 entities (§178, §393); the investment business sector filed only two SARs over the review period (§178); real estate agents filed no SARs (“not justifiable” given transaction volumes, §394); and at the time of the onsite visit there was “no evidence” that VASPs were implementing preventive measures (§400–402). CDD implementation remains “rather rule-based,” with BO requirements too focused on ownership thresholds and insufficient attention given to control (§23, §400).

Beneficial ownership / legal persons (IO.5: Moderate): The BO information system is dependent on TCSPs acting as registered agents, whose effectiveness is impacted by the CDD shortcomings described above (§536). Basic information in the VIRRGIN platform is accessible to the public only by email request and payment of a fee, and is not directly accessible to all competent authorities (§35). Director information was not required to be publicly available until January 2023 and, as it is not collected at incorporation, may not be available to the Registry for several months (§35; IO.5 Key Finding f). BO information update frequency is determined by the TCSP’s own risk assessment of the client, ranging from one to four years (IO.5 Key Finding d; §516). Trusts are not required to be registered (§37). No investigations or prosecutions for misuse of legal persons or arrangements have been carried out (§534, §536). Penalties for failure to file registers of directors averaged US$346 in 2022 per Table 7.9 (the §527 text cites US$340). Assessors noted as positive developments: bearer shares immobilised and now prohibited (§38, §497), and recent amendments to the legal framework that can support the availability of up-to-date BO information (§36, §517).

ML investigations and confiscation (IO.7 and IO.8: both Low): Between 2017 and 2022, 24 cases were prosecuted (19 possession of criminal conduct, 5 labelled ML), mainly drug trafficking-related, none involving legal persons, legal arrangements, FIs, or DNFBPs (§12). No complex, third-party, or cross-border ML case has been investigated (§10); no domestic investigation of complex ML schemes and no investigation regarding BVIBCs or those incorporating them has been carried out — even where international investigations abroad had provided evidence of their possible involvement in large-scale ML or other financial crime (§251). US$5.7m was seized and US$4.4m forfeited during the review period, almost entirely cash and mainly relating to drug trafficking (the only other assets forfeited were two boats and one car); there has been no attempt to identify and locate proceeds of predicate offences committed abroad (§13). Mechanisms for value-based confiscation have not been used (§13).

International cooperation (IO.2: Moderate): MLA is generally provided within a reasonable timeframe and of good quality. However, only two outgoing MLA requests were submitted over the entire review period, and these “were not consistent with the overall medium-high ML risk of the VI” (§43). The VI submitted no requests to identify and seize assets abroad (§13; §567). Deficiencies in the understanding and implementation of BO obligations have the potential to negatively impact the effectiveness of related international cooperation, although counterpart jurisdictions did not cite this as an issue (§46, §633).

FUR developments (TC only — IO ratings unchanged; 2nd Enhanced FUR October 2025): The 2nd Enhanced FUR, covering progress to 31 May 2025, re-rated four Recommendations: R.24 PC→LC (BVIBCA amendments requiring appointment of directors within 15 days of incorporation in place of the previous 10 months (s.113(1)); companies to collect, keep and maintain adequate, accurate and up-to-date BO information and file it with the Registrar within 30 days of incorporation or continuation, with changes filed within 30 days (s.96A); nominee shareholder disclosure obligations covering professional and non-professional nominees (s.41(3)); all remaining bearer shares deemed converted to registered shares from 1 July 2023; and a broadened administrative-penalty regime — remaining gaps concern basic and BO information for cooperative societies and record-keeping for Friendly Societies); R.26 PC→LC (Insurance Act and FSC Act amendments on foreign-insurer approvals and risk-based supervision; revised RAF — no explicit requirement remains to review ML/TF risk profiles on major group-level events); R.28 PC→C (FIA granted inspection powers over DNFBP premises (s.5M FIA Act), fit-and-proper approval powers over DNFBP directors, senior officers and controlling interests (s.5C), and enforcement powers including de-registration and requiring licence revocation (s.5J) — all criteria now met); and R.8 NC→LC (NPO TF risk assessment published August 2024; risk-based NPO supervision under the amended FIA Act; donor-community outreach outstanding). The FUR does not analyse effectiveness; all IO ratings remain as per the 2024 MER. The VI remains in enhanced follow-up based on its effectiveness ratings, with the next FUR due in November 2026.
Key MER + FUR findings — attributable to source
  • High foreign ML threat (§55; 2022 MLRA §62): The VI’s corporate and financial sector faces a high threat from foreign proceeds-generating offences. The 2022 MLRA assesses the overall ML threat as medium-high with a higher threat from foreign crimes including corruption, fraud, and tax evasion channelled through BVIBCs.
  • Nexus doctrine limits effectiveness (IO.1; Key Finding a; §4–5, §154): Authorities view foreign beneficial owners’ illicit activities as having “insufficient nexus” with the territory, limiting investigations and prosecutions related to BVIBCs used in international schemes — a finding the MER describes as having “cascading negative effects on the overall effectiveness of the AML/CFT system.”
  • SAR reporting absent in material sectors (IO.4; §178, §393–394): 66.2% of TCSPs have never filed a SAR per §178 (the IO.4 chapter puts the figure at almost 50%, §393); 77.3% of TCSP SARs came from just 10 entities; investment businesses filed only two SARs over the review period; real estate agents filed none; there was no evidence of VASPs implementing preventive measures at assessment. Most SAR filing is concentrated in one bank and a small number of TCSPs (§393; Exec. Summary §25).
  • Supervisory capacity insufficient for sector scale (IO.3; §466–469): 282 TCSPs accounting for 67% of financial services activity; inspections characterised as very low (TCSPs), extremely low (investment businesses), low (banks). Penalties not effective, proportionate, or dissuasive. No monetary penalties by FIA. Neither supervisor demonstrated effective risk-based supervision.
  • BO information gaps (IO.5; §35–38, §536): VIRRGIN accessible only by email/fee; director information not at incorporation; BO update frequency 1–4 years at TCSP discretion (§516); no investigations or prosecutions for misuse of legal persons (§534); penalties for failure to file registers of directors averaged US$346 in 2022 (Table 7.9).
  • ML investigations limited to drug cash cases (IO.7; §10, §12, §251): 2017–2022: 24 prosecutions, mainly drug trafficking-related cash possession. No prosecution involving legal persons, legal arrangements, FIs, or DNFBPs. No BVIBC-related investigation, even where international investigations abroad provided evidence of possible involvement in large-scale ML.
  • Confiscation outcomes limited to drug cash (IO.8; §13, §279–282): US$5.7m seized/US$4.4m forfeited, almost entirely cash mainly from drug trafficking cases. No attempt to identify and locate proceeds of predicate offences committed abroad. Value-based confiscation mechanisms unused. No forfeiture ordered for proceeds of corruption or in ML cases involving VI legal persons.
  • Only 2 outgoing MLA requests in review period (IO.2; §43): The two outgoing requests “were not consistent with the overall medium-high ML risk of the VI.” No requests submitted to identify and seize assets abroad (§13, §567).
  • 2nd Enhanced FUR (Oct 2025): four TC re-ratings — IO ratings unchanged: R.8 NC→LC, R.24 PC→LC, R.26 PC→LC, R.28 PC→C, reflecting BVIBCA/LPA/FIA Act amendments on director filing (15 days), BO filing (30 days), nominee disclosure, and DNFBP supervision. Remaining R.24 gaps relate to cooperative societies and Friendly Societies. TC-only report; the IO.3/IO.4/IO.5/IO.7/IO.8 effectiveness findings above are unaffected. Next FUR due November 2026.
Sources: CFATF MER, Virgin Islands (British), February 2024 (adopted 30 November 2023, 57th CFATF Plenary; published 26 February 2024); CFATF 2nd Enhanced Follow-Up Report & Technical Compliance Re-Rating, Virgin Islands (British), October 2025 (progress considered to 31 May 2025). All MER findings attributed to specific paragraphs or tables of the MER. IO ratings from Table 1, p.19; MER technical compliance ratings from Table 2, pp.19–20; updated TC ratings from the 2nd Enhanced FUR ratings table. The FUR is TC-only and does not analyse effectiveness; IO ratings unchanged.
🇰🇾
Cayman Islands
CFATF MER March 2019 (onsite December 2017) | 3rd Enhanced FUR October 2021 (TC only)
D: 35/50 V: 29/50 64
Destination
Vulnerability
IO.3: LE IO.4: LE IO.5: ME IO.7: LE IO.2: ME CFATF Grey-listed Feb 2021 — removed Oct 2023
Destination risk (MER §4, §6, §11, §16): The MER’s NRA concluded that “foreign generated proceeds of crime posed a more significant threat to the financial and non-financial sectors than domestically generated proceeds of crime” (§16). The MER identifies fraud committed abroad, evasion of foreign taxes by non-residents, and drug trafficking as the Cayman Islands’ external ML threats, noting that “those who have engaged in such activities have sought to launder their proceeds by way of utilising the jurisdiction’s financial system” (§11). The assessors found that the Cayman Islands’ role as “a significant international financial centre” creates specific vulnerability to complex ML/TF/PF schemes (§4, §6). The MER records that the banking sector held USD 1.365 trillion in cross-border assets — the sixth largest in the world by that measure (BIS, second quarter 2014) (§3). The 3rd FUR (2021) reports the broader scale of the financial sector: fund administrators with USD 2.157 trillion under administration and SIBA registered persons/licensees with USD 1.283 trillion under control. Approximately 100,000 exempted companies and partnerships are incorporated in the Cayman Islands, serving an overwhelmingly non-resident clientele. The assessors identified a significant limitation: the NRA did “too much focus on the domestic risk and not enough on the international risks” (§4) and did not include a risk assessment of legal persons or arrangements despite their scale (§13–14).

Supervisory vulnerability (IO.3: Low): CIMA has an established supervisory framework for financial institutions and TCSPs, but the MER identifies three major structural gaps. First, approximately 55% of registered excluded persons under SIBL are “not monitored for compliance with AML/CFT requirements on an ongoing basis” (§334) and perform activities including portfolio management and broker/dealing that entail high-value cross-border transactions. Second, attorneys — many of which serve high-net-worth foreign nationals through large multi-jurisdictional groups — “are not supervised for AML/CFT purposes, producing an extensive gap in the AML/CFT supervisory framework of the jurisdiction” (IO.3 conclusion). Third, the Department of Commerce and Investment (DCI), appointed as AML/CFT supervisor for real estate agents and DPMS in March 2017, had conducted only two onsite inspections at the time of the MER, with a nascent risk assessment framework still being developed. Property developers were “not required to comply with the AMLRs” at all (§338). CIMA’s resources were “constrained by inadequate staffing” for its mandate (§339).

Preventive measures (IO.4: Low): FIs and TCSPs “generally display a fair understanding of their ML/TF risks” (§26) — the positive sector. However, the most significant gap is the excluded persons sector: these entities reported just 0, 2, 2, 8, and 5 SARs across 2013–2017 respectively (Table 5.4), despite performing high-value cross-border activities such as portfolio management and broker/dealing. The assessors found that 55% of excluded persons may be “engaging in high level cross-border transactions with limited or no regard to the AML/CFT requirements” (§306). Cayman Islands banks physically located outside the jurisdiction demonstrated “significant under-reporting” (§27). Lawyers and real estate agents showed only “rudimentary understanding of ML/TF risks” (§26).

Beneficial ownership / legal persons (IO.5: Moderate): A centralised BO register was established just prior to the onsite visit, providing the FRA with immediate access and other competent authorities with timely access (§32). This is the primary positive finding. Limitations: directors of exempted companies and members of LLCs are not publicly available (§399); the system does not prompt when the 30-day update deadline has passed; the total number of trusts in the jurisdiction is unknown; and trusts are not required to engage a regulated Cayman TCSP. The assessors found that “in the absence of a comprehensive risk assessment on legal persons, the jurisdiction is unable to implement appropriate ML/TF risk mitigation” (§399). No sanctions had been imposed for AML/CFT BO violations at time of assessment (§397).

ML investigations and confiscation (IO.7: Low; IO.8: Moderate): Between 2012 and 2014, 15 ML prosecutions were conducted, mainly relating to theft involving approximately USD 3.5 million. The assessors found that the jurisdiction gave “more priority to identifying, investigating and prosecuting ML crimes originating from domestic offences and less priority on those with a foreign element which potentially pose a greater threat” (§164). No ML conviction of a legal person was recorded. Confiscation achievements were “quite modest” and “primarily linked to domestic threats” of theft, corruption and drug trafficking; foreign generated proceeds were confiscated “to a lesser extent” (§188).

FUR developments (TC only — IO ratings unchanged): Three Enhanced FURs have been issued since the 2019 MER. After the 2nd FUR (February 2021), all four most critical Recommendations were upgraded: R.22→C, R.23→C, R.24→LC, R.25→LC. The 3rd FUR (October 2021) upgraded R.15→LC following the Virtual Assets (Service Providers) Act 2020. After all three FURs, no Recommendations remain NC or PC. All FURs address TC only. Cayman Islands remains in enhanced follow-up on effectiveness grounds. Separately, the FATF grey-listed Cayman Islands in February 2021 and removed it in October 2023 following demonstrated progress on its action plan.
Key MER findings — attributable to source
  • Foreign proceeds as primary ML threat (§16, §11): NRA concluded foreign-generated proceeds are the predominant threat. External threats are fraud, foreign tax evasion, and drug trafficking — all channelled through the financial system. Banking: USD 1.365 trillion cross-border assets; funds: USD 2.157 trillion. NRA failed to adequately analyse the international risk dimension for a centre of this scale.
  • Attorneys entirely unsupervised (IO.3; §338, IO.3 conclusion): “Producing an extensive gap in the AML/CFT supervisory framework of the jurisdiction.” DCI supervision of real estate/DPMS nascent at MER; only 2 inspections ever conducted. Property developers not required to comply with AMLRs.
  • Excluded persons: near-zero SAR reporting (IO.4; Table 5.4; §334): 0–8 SARs filed per year by excluded persons under SIBL across 2013–2017 (Table 5.4). Assessors found 55% of excluded persons may be “engaging in high level cross-border transactions with limited or no regard to the AML/CFT requirements.”
  • Centralised BO register — positive but not yet effective (IO.5; §32, §399): New register gives FRA immediate access and competent authorities timely access. Limitations: exempted company directors not public; trust number unknown; no AML/CFT BO sanctions imposed; risk assessment of legal persons absent.
  • ML investigations limited to domestic theft; no legal person ML convictions (IO.7; §164): 15 ML prosecutions 2012–2014, all domestic. “Not enough effort expended on identification of complex, stand-alone and third-party ML cases.” No ML conviction of a legal person.
  • TC significantly improved by FURs; IO ratings unchanged: All four most critical Recommendations (R.22, R.23, R.24, R.25) upgraded from PC to LC/C by 2nd FUR (February 2021); R.15 upgraded by 3rd FUR (October 2021). No NC/PC remain. Cayman Islands nonetheless remains in enhanced follow-up on effectiveness grounds.
  • Grey-listed February 2021, removed October 2023: FATF grey-listing confirmed structural deficiencies remained unaddressed post-MER. Removal in October 2023 reflects demonstrated action plan progress. Not covered by uploaded FURs (CFATF TC process only).
Sources: CFATF MER, Cayman Islands, March 2019 (onsite December 2017); CFATF 3rd Enhanced Follow-Up Report, October 2021; CFATF 2nd Enhanced Follow-Up Report outcomes (February 2021). IO ratings from MER Effectiveness Ratings table (p.19); confirmed unchanged by FATF Consolidated Assessment Ratings (MER+FUR(s) row, Oct/2021). Grey-listing/removal: FATF Public Statements, February 2021 and October 2023. All FURs address TC only and do not assess effectiveness improvements.
🇦🇪
United Arab Emirates
FATF/MENAFATF Joint MER April 2020 (onsite July 2019) | 1st EFUR Nov 2021 | 3rd EFUR June 2023
D: 35/50 V: 27/50 62
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: LE IO.7: LE IO.2: LE FATF/MENAFATF Grey-listed Mar 2022 — removed Feb 2024
Destination risk (MER §54, §59–60, §62): The MER describes the UAE as “a major international and regional financial centre and trading hub” (§60) and identifies the laundering of foreign criminal proceeds as a primary risk, including “proceeds, particularly from foreign predicate offences including fraud, tax offences and organised crime” (§54). The assessors prioritised examination of “how international organised crime groups and third-party money launderers exploit the UAE and how the proceeds of domestic and foreign crimes are laundered through the UAE, as well as trade-based money-laundering” (§59a). The UAE’s highest ML threats according to the NRA are fraud, professional third-party ML, drug trafficking and counterfeiting. The country’s geographic position, the scale of its financial and trade sectors, the large expatriate population sending remittances, the active precious metals and stones market, and the presence of 31 free zones create a complex multi-vector risk profile.

Supervisory vulnerability (IO.3: Moderate): The MER presents a sharply bifurcated supervisory picture. The DFSA (DIFC) and FSRA (ADGM) “have developed a detailed understanding of ML/TF risk… and apply an effective risk-based approach to supervision” (§35); the DFSA is the only supervisor to have fully demonstrated effective, proportionate and dissuasive sanctions against both firms and individuals. By contrast, the BSD (Central Bank, banks and MVTS) and SCA are “developing” their risk-based approach. Most significantly, DNFBP supervisors on the mainland “were only recently established by virtue of Cabinet Resolutions” and the assessors concluded that the “UAE has therefore not been able to demonstrate any notable effective supervision for DNFBPs outside of the FFZs” (§37) — including the DPMS and real estate sectors identified as among the highest sectoral risks. The assessors describe it as “a major concern that the UAE authorities do not recognise the importance of using the full range of sanctions (particularly fines and barring orders) to create a dissuasive environment” (§36).

Preventive measures (IO.4: Moderate): Banks have a “good level of understanding of ML/TF risks” and other FIs a “reasonably good understanding” (§33). However, DNFBPs on the mainland and in CFZs have “weak” risk understanding; AML/CFT obligations are new and supervisors recently appointed. The assessors note “concerns about the low level of STR reporting in many sectors, particularly the DPMS, and Real Estate and TCSP sectors” (§33). DNFBPs in the mainland were assessed as “unlikely to have adequate internal controls in place” (§379), and the majority of mainland/CFZ DNFBPs were “not certain how to identify a PEP” (§348).

Beneficial ownership / legal persons (IO.5: Low): The MER finds that “the risk of criminals being able to misuse legal persons in the UAE for ML/TF remains high, particularly through concealment of BO information via complex structures, or the use of informal nominees” (§38). The UAE has 39 different company registries, whose fragmented nature has created “regulatory arbitrage” with different levels of understanding and application of BO measures (§39, §552). In the DEDs (mainland), there is “generally only basic knowledge of the concept of beneficial ownership” (§554), with registrars focusing on legal ownership documents rather than ultimate beneficial ownership. The UAE had not, at MER date, “implemented at national level a regime whereby sanctions for failing to provide information can be considered effective, proportionate and dissuasive” (§43, §584). Emirates ID provides protection for UAE residents but not for non-resident beneficial owners (§558). Authorities were unaware of the total number of TCSPs operating across the country (§550).

ML investigations and confiscation (IO.7: Low; IO.8: Moderate): Between 2013 and 2018, 50 ML prosecutions and 33 ML convictions were recorded across the UAE — “a noticeable absence of consistent investigations and prosecutions of ML related to other high-risk predicate crimes (such as drug trafficking), professional third-party ML, and those involving higher-risk sectors” (§17). Dubai recorded only 17 ML prosecutions over five years “considering its recognised risk profile” — described as “particularly concerning” (§17). LEAs were “not routinely identifying and targeting significant ML cases in line with the UAE’s risk profile” (§16). On confiscation, the MER notes a policy shift and large domestic figures, but it “was not demonstrated there is systematic or consistent confiscation work following formal international requests involving the proceeds of foreign predicate offences” (§20).

International cooperation (IO.2: Low): The UAE provided MLA “to a minimal extent considering its exposure to foreign predicate offences” (§44). Feedback from foreign delegations highlighted “significant issues in the provision of formal cooperation, including limited responses to requests or extended delays in execution.” ML-related outgoing LEA requests totalled 53 over 2013–2018, representing 0.12% of all police-to-police requests (Table 8.11). The UAE is better at informal cooperation, particularly on TF. BO information exchange was very limited: the FIU made only 4 requests to registries in 2019 (§634).

FUR developments (TC only — no IO re-ratings): The uploaded FURs cover technical compliance re-ratings only; neither addresses effectiveness outcomes. The 1st EFUR (November 2021) upgraded R.6 and R.7 to Compliant and R.25 to Largely Compliant; R.15 was downgraded from LC to PC following post-onsite amendment of the FATF standard on VASPs. The 3rd EFUR (June 2023) upgraded R.1 to LC, R.19 to Compliant and R.29 to Compliant. As of the 3rd EFUR, R.15 (VASPs) remains the only PC. The FATF spreadsheet confirms IO ratings are unchanged from the 2020 MER in the MER+FUR(s) consolidated row. Separately — not covered by the uploaded FURs — the UAE was grey-listed by FATF in March 2022 for strategic AML/CFT deficiencies and removed from the grey list in February 2024 following demonstrated progress on its action plan.
Key MER findings — attributable to source
  • Explicit foreign proceeds destination (§54, §59): The UAE’s main ML risks include laundering of proceeds from foreign predicate offences (fraud, tax offences, organised crime). Assessors specifically examined “how international organised crime groups and third-party money launderers exploit the UAE.” Professional third-party ML is the second-highest identified ML threat.
  • DNFBP supervision vacuum on mainland (IO.3; §37): Supervisors for DNFBPs outside the FFZs were only recently established at time of assessment with “very limited activity beyond initial registration.” The UAE “has therefore not been able to demonstrate any notable effective supervision for DNFBPs outside of the FFZs” — covering DPMS (precious metals, highest sectoral vulnerability) and real estate agents.
  • 39 registries, regulatory arbitrage (IO.5; §38–39, §552): Risk of misuse of legal persons “remains high.” Fragmented registry system gives rise to “regulatory arbitrage” with different BO standards. DEDs (mainland) have “generally only basic knowledge of beneficial ownership.” No effective national sanctions for BO information failures (§584).
  • Low STR rates in highest-risk DNFBP sectors (IO.4; §33, §379): DPMS, real estate and TCSP sectors all have “low levels of STR reporting” despite being the highest-risk sectors for foreign proceeds. Most mainland DNFBPs “unlikely to have adequate internal controls in place” (§379). Majority of mainland DNFBP respondents “not certain how to identify a PEP” (§348).
  • 33 ML convictions in 5 years (IO.7; §16–17): 2013–2018: 50 ML prosecutions, 33 convictions. Noticeable absence of cases involving drug trafficking, professional third-party ML, DPMS, or MVTS. Dubai — the highest-risk emirate — recorded only 17 ML prosecutions over five years, described as “particularly concerning.”
  • Formal MLA provided to “minimal extent” (IO.2; §44–45): Foreign delegations reported “significant issues” including limited responses and extended delays. Only 53 ML-related outgoing LEA requests in five years (0.12% of total requests). FIU made only 4 requests to registries in 2019 for BO information.
  • FUR TC progress (1st and 3rd EFUR): Technical compliance significantly improved — R.1 LC, R.6 C, R.7 C, R.19 C, R.25 LC, R.29 C; only R.15 (VASPs) remains PC. Both FURs state they do not assess effectiveness: IO ratings are unchanged from 2020 MER.
  • Grey-listed March 2022, removed February 2024 (FATF, not covered by uploaded FURs): Grey-listing confirmed that the MER-period strategic deficiencies remained unaddressed two years post-evaluation. Removal in February 2024 reflects demonstrated progress on the FATF action plan — a positive development not yet reflected in IO re-ratings.
Sources: FATF/MENAFATF MER, United Arab Emirates, April 2020 (onsite July 2019); MENAFATF 1st Enhanced FUR, November 2021; MENAFATF 3rd Enhanced FUR, June 2023. IO ratings from MER Effectiveness Ratings table (p.16); confirmed unchanged by FATF Consolidated Assessment Ratings (MER+FUR(s) row, Jul/2023). Grey-listing: FATF Public Statement, March 2022; removal: FATF Plenary statement, February 2024. Both FURs state they do not address effectiveness outcomes.
🇵🇦
Panama
GAFILAT 4th Round MER January 2018 (onsite 2017) | 2nd Enhanced FUR August 2019
D: 30/50 V: 30/50 60
Destination
Vulnerability
IO.1: LE IO.3: ME IO.4: ME IO.5: LE IO.6: LE IO.7: ME GAFILAT Grey-listed Jun 2019 — removed Oct 2023
Destination risk (MER §35, §47, §50–51, §103–105): The MER states that “the country presents an inherently high risk for the placement of assets from offenses committed abroad, particularly in the banking and real estate sectors, using persons and legal arrangements (especially corporations, private interest foundations and trusts)” — language used repeatedly at §35, §47, and the IO.1 chapter. The NRA’s main identified external threat is “the flow of resources related to illegal activities committed abroad, whose products may be placed in Panama” (§34, §103). The evaluation team specifically scoped “how investigative authorities and other relevant authorities have access to [BO] information in a timely, updated and comprehensive manner” and the impact of the non-criminalisation of tax crimes on Panama’s capacity to handle foreign MLA requests (§48–49). The banking system is the dominant sector: 93 bank-licensed banks with total assets of USD 118,945 million — approximately 2.2 times GDP — including 43 generally licensed banks authorised for both domestic and foreign transactions, and 28 internationally licensed banks operating exclusively in foreign markets (§54–56). The trust market comprised 73 companies managing USD 21,914 million in assets (§57). The legal persons landscape is striking in scale: as of May 2017, 734,535 legal persons were registered including 675,624 corporations and 54,171 private interest foundations, of which NRA conclusions identified approximately 500,679 active entities as high-risk (§109, §111, §474). One of the top-priority risks identified but not addressed in the NRA is the receipt of financial assets from tax crimes committed abroad — uncriminalised in Panama at MER time and directly limiting the country’s ability to investigate ML or provide MLA for requests involving this predicate (§34, §107, §129). The Panama Papers (2016) are cited in the MER as evidence of the vulnerability of resident agent activities — lawyers and law firms creating and administering legal entities whose misuse abroad was highlighted at §148. Free trade zones, particularly the Colón Free Zone (the largest in the Americas), are identified as a high-risk sector for fictitious foreign trade operations (under- and over-invoicing, triangulation) and cash use (§37, §119b).

Risk policy and coordination (IO.1: Low): The MER finds that “Panamanian authorities and the reporting institutions bound by the ML/TF regime do not comprehensively understand the ML/TF risks they face and require a deeper analysis of the risks of the most vulnerable sectors” (§103, §128). The NRA does not go deep enough into the specific risks of each vulnerable sector — lawyers, free zones, real estate — to define adequate mitigation measures (§108). The non-criminalisation of tax crimes, which the assessors identify as a “considerable threat,” is not even addressed in the NRA (§107, §129). The National Strategy “does not satisfactorily address the risks faced by the country” (IO.1 conclusion, §123, §130).

Supervisory vulnerability (IO.3: Moderate; IO.6: Low): The four financial supervisors (SBP, SMV, SSRP, IPACOOP) identify sector risks at different stages of development; risk-based monitoring matrices are in place for financial institutions but the Intendencia — responsible for non-financial RIs — was still developing its matrices at MER time (§456–458). Panama has adequate administrative sanctions of up to PAB 1 million for financial institutions, but the number of sanctions applied to DNFBPs is “very limited” and no sanctions had been applied to resident agents despite 48 supervisory visits over three years (§457, §493). Financial intelligence use is critically weak: “the use of financial intelligence produced to contribute to the investigation carried out by the competent authorities proves scarce” (executive summary §7). The total STRs received from lawyers/resident agents was only 119 up to May 2017 despite 4,216 registered agents and 734,419 active legal persons; the ZLC sector filed only 13 STRs since the entry into force of Law 23 of 2015; real estate filed only 11 (§149–151). At the MER date only 51.1% of identified non-financial RIs had registered and were able to report online (§153).

Legal persons transparency (IO.5: Low): The MER finds no effective mechanisms securing the accuracy and updating of BO information. The resident agent framework — Panama’s primary transparency mechanism — is structurally weakened by: (a) resident agents not being required to conduct any proactive verification of declared information at onboarding (§477); (b) Law 23 not clearly obligating resident agents to monitor subsequent client activity to detect BO changes (§478–479); (c) only 522 of 4,216 resident agents registered with the FIU (12%) at MER date (§480, §497); and (d) no sanctions applied for any CDD breaches or resident agent violations, with all Intendencia proceedings still pending (§493). R.24 rated NC at MER — no specific mechanism ensuring BO information is available in-country; the resident agent holds BO data but there is “uncertainty on the availability… accuracy and updating” (§490, §496). No control measures existed for the widespread practice of nominee shareholders and directors, which is permitted and commonly rendered by law firms (§485, §498).

ML investigations and confiscation (IO.7: Moderate; IO.8: Moderate): ML investigations are “mainly associated with cases of drug trafficking, although in recent years certain investigations have been initiated for money laundering with other predicate offenses, such as corruption and financial crimes” (executive summary §8). The criminal procedure system was mid-transition from a mixed inquisitive to an accusatory system during the MER period, creating capacity gaps in ML investigation in the new system (§8, §599). Panama demonstrated an increase in ML convictions linked to corruption investigations within the framework of Law 4 of 2017 (§217). On confiscation, the country has a normative framework including value-based and extended confiscation, but regulations for administration and auctioning of confiscated property needed updating, and asset management capacity required strengthening (executive summary §10).

International co-operation (IO.2: Moderate): Panama has improved quality and response times for requests received from abroad. However, the non-criminalisation of tax crimes “prevents an adequate cooperation in the requests received from abroad, since there is no local predicate offense linked to the tax crime” — a constraint specifically acknowledged by the Prosecutor’s Office (§34, §49, executive summary §24). The PPO has pursued a proactive approach to provide assistance through linkage to other offence categories where possible, though this approach was “not entirely shared by all relevant authorities” (executive summary §24).

2nd Enhanced FUR (August 2019) — TC only; IO ratings unchanged: Four recommendations re-rated: R.3 PC→LC (tax crimes criminalised as ML predicates via Law 70 of January 2019 — the MER’s top-priority action — though minor deficiencies remain in some ML conduct verbs and the threshold of PAB 300,000); R.20 PC→C (STR submission now required immediately, including attempted transactions); R.24 NC→PC (BO safeguard and update obligations for resident agents introduced, but information not yet required to be in-country); R.30 PC→C (parallel investigation framework established via PPO Practical Guide). R.25 remains PC. IO effectiveness ratings from January 2018 MER are not reassessed by the FUR. Separately — not covered by the FUR: FATF grey-listed Panama in June 2019 for strategic deficiencies; removed October 2023 following demonstrated action plan completion, including laws enacted in 2019–2021 and on-site verification in June 2023. Panama had previously been grey-listed 2014–2016.
Key MER + FUR findings — attributable to source
  • “Inherently high risk” for foreign-proceeds placement — explicit destination characterisation (§35, §47, §103): MER uses this formulation in multiple chapters. Main external ML threat is inflow of proceeds from crimes abroad. Banking sector USD 118.9bn total assets (2.2x GDP); 734,419 active legal persons of which ~500,679 classified high-risk by NRA including 675,624 corporations and 54,171 private interest foundations.
  • Tax crimes not criminalised as ML predicates — structural gap at MER time (§34, §49, §107, §129): Identified by assessors as top-priority risk not even captured in NRA. Directly limited domestic ML investigation and blocked MLA provision for foreign tax crime predicates. Partially remedied by FUR2: Law 70 of 2019 criminalised tax fraud above PAB 300,000 threshold; R.3 upgraded PC→LC.
  • 734,419 active legal persons, only 12% of resident agents FIU-registered (§149, §480): 675,624 corporations + 54,171 private interest foundations, predominantly high-risk offshore vehicles. Only 522 of 4,216 resident agents registered with FIU at MER date. ZLC filed 13 STRs in total since Law 23 of 2015; resident agents filed 119 total as of May 2017. No sanctions ever applied for CDD breaches in this sector.
  • BO framework — NC at MER, no enforcement (§477–480, §493, §496): Resident agents not required to proactively verify BO information declared at onboarding. No update obligation for non-high-risk clients. No sanctions imposed in any of 48 supervisory visits to resident agents. R.24 NC at MER; upgraded only to PC in FUR2. No control measures for nominee shareholders/directors (§485).
  • Panama Papers cited as evidence of sector vulnerability (§148): MER references the 2016 leak highlighting misuse of resident-agent-administered legal entities. Law firms acting as resident agents identified as the highest-risk DNFBP sector, yet STR filing and supervisory coverage of this sector were the most deficient in the entire system.
  • FUR2 (Aug 2019): R.3, R.20, R.24, R.30 re-rated; IO ratings unchanged; grey-listed June 2019: Tax crimes criminalised (threshold applies); STR reporting made immediate; BO update obligation introduced; parallel investigation framework established. Grey-listed by FATF June 2019 for strategic effectiveness deficiencies. Removed October 2023 following 15-action plan completion. Previously grey-listed 2014–2016.
Sources: GAFILAT 4th Round MER, Republic of Panama, GAFILAT(2018), adopted December 2017 under the XXXVI Plenary (onsite 2017, published January 2018). IO effectiveness ratings from MER Effectiveness Ratings table (p.14): IO.1 Low, IO.2 Moderate, IO.3 Moderate, IO.4 Moderate, IO.5 Low, IO.6 Low, IO.7 Moderate, IO.8 Moderate, IO.9 Moderate, IO.10 Substantial, IO.11 Substantial. TC ratings from MER Technical Compliance table (p.14). 2nd Enhanced Follow-Up Report, Panama, GAFILAT(2019), August 2019 (TC only — IO effectiveness ratings not reassessed). Grey-listing: FATF, June 2019; removal: FATF Plenary, October 2023. All paragraph references are to the 2018 MER unless marked as FUR2.

Tier 2 — High (score 44–59)

🇨🇭
Switzerland
FATF MER October 2016 (onsite Feb–Mar 2016) | 4th Enhanced FUR October 2023 (TC only)
D: 34/50 V: 23/50 57
Destination
Vulnerability
IO.1: SE IO.3: ME IO.4: ME IO.5: ME IO.7: SE FATF
Destination risk (MER §4, §41, §53, §59): Switzerland’s 2015 NRA, assessed by the evaluators as broadly credible, concludes that “Switzerland is affected by financial crime and is an attractive location for laundering assets acquired as a result of offences committed outside Switzerland” (§41, §4). The main predicate threat categories are fraud and breach of trust, corruption, and membership of criminal organisations. Switzerland is the world’s largest centre for cross-border private banking, with approximately USD 2.4 trillion under management (around 25% of the global total) and around 50% of securities deposited in Swiss banks belonging to foreign customers (§53). The total private assets managed by the Swiss financial sector amounted to CHF 6.656 trillion, approximately 4.1% of global assets under management. The scale of the sector places Switzerland in a distinctive position: even a modest failure rate in identifying foreign criminal proceeds carries absolute risk numbers that are large by any international comparison. The MER notes that several recent internationally significant corruption cases have involved Swiss financial institutions, specifically referencing the Petrobras and 1MDB investigations, where 24 banks in Switzerland were subject to investigation and FINMA conducted enforcement procedures against nine (§59).

Supervisory vulnerability (IO.3: Moderate): FINMA’s supervision is “generally of a satisfactory level” with robust supervisory powers and close continuous oversight of directly supervised financial intermediaries (§390, §22–23). The primary gap is in the OAR sector — eleven self-regulatory organisations that supervise independent asset managers, lawyers, notaries, fiduciaries and trustees. The risk-based approach of the OARs is “still insufficient, particularly for the sectors most at risk, such as the fiduciaries” (§390). Fiduciaries (1,007 entities at end-2015), who act as the formal and actual executive boards of Swiss and foreign domiciliary companies serving a wealthy, predominantly foreign client base, are specifically identified as the highest-risk DNFBP category. FINMA does not have the power to impose financial penalties (R.27 LC; FUR Annex). The quality of audit reports from auditors performing AML/CFT controls “still needs to be improved so that material weaknesses are fully identified” (§23).

Preventive measures (IO.4: Moderate): “Financial intermediaries as a whole implement preventive measures that are proportional overall to their risks, but there are improvements still to be made, particularly in the classification of risks by certain sectors. Financial intermediaries as a whole are not sufficiently engaged regarding the need to submit STRs” (§326). The banking sector performs well. The primary concerns are: STR under-reporting across the sector relative to the scale of risk; inconsistent risk classification by some non-banking entities; and specific limitations in the OAR-supervised sectors. The MER also identifies a structural scope gap: the LBA does not fully cover estate agents, DPMS, and lawyers/notaries/accountants when they provide legal advisory or company formation services rather than acting as financial intermediaries (R.22 and R.23 both PC at MER and throughout all four FURs).

Beneficial ownership / legal persons (IO.5: Moderate): Recent measures at the time of assessment reinforced the transparency of legal persons — a register of shareholders/partners and beneficial owners was required, and bearer shares were reformed. However, “the recent entry into force of these provisions and the insufficient identification and analysis by the authorities of the risks connected with legal persons do not allow determination as to whether these measures are appropriate and sufficient” (§420). Criminal or administrative sanctions for shareholders failing to declare the acquisition of bearer shares or beneficial ownership were absent (§419). Swiss domiciliary companies — administered primarily through 1,007 fiduciaries who act as formal executive boards — present the primary structural BO transparency risk (§54). Switzerland has not performed a detailed analysis of how domiciliary companies and legal persons established in Switzerland can be misused for ML/TF purposes (§26).

ML investigations and confiscation (IO.7: Substantial; IO.8: Substantial): “A large number of ML investigations and prosecutions have been carried out, spanning every type of ML identified by the FATF and resulting in a large number of convictions… including very complex cases of sophisticated ML networks” (§199). Confiscation is a major policy priority: “the total amount confiscated is high… some are significant achievements in the global anti-corruption effort” (§222). Petrobras: Swiss authorities seized funds and submitted a delegation request to Brazil. 1MDB: FINMA enforcement against 9 of 24 investigated banks. The MER’s main concern on IO.7 is that “sentences handed down do not seem to be sufficiently proportionate and dissuasive” (§199).

International cooperation (IO.2: Moderate): “Switzerland provides legal assistance to a large extent, even if the confidentiality of requests remains insufficient” (§473). Two structural limitations at MER time: MROS could only request FI information on behalf of foreign counterparts if there was a prior STR link, and FINMA’s “client procedure” (notifying account holders before transmitting information abroad) caused delays. The 4th FUR (October 2023) upgraded R.40 to LC by fixing the MROS STR-link restriction — MROS can now obtain information without a prior STR. FINMA’s client procedure remains formally in force but has diminishing practical importance.

FUR developments (TC only — IO ratings unchanged): Four Enhanced FURs issued since 2016. The most significant changes: R.10 PC→LC (LBA revised — BO verification obligation; CDD updated); R.40 PC→LC (MROS STR-link restriction removed); R.16 PC→LC, R.19 PC→C, R.33 PC→C, R.8 PC→LC. Remaining PC after 4th FUR: R.22 and R.23 (DNFBP scope gap — real estate agents, DPMS, and lawyers/notaries/accountants when providing advisory/company formation services) and R.35 (sanctions disproportionate). The 4th FUR states it “does not address Switzerland’s progress in improving its effectiveness.”
Key MER findings — attributable to source
  • Explicit foreign-proceeds destination characterisation (§4, §41): NRA concludes Switzerland “is an attractive location for laundering assets acquired as a result of offences committed outside Switzerland.” Main predicates: fraud/breach of trust, corruption, criminal organisation membership. Largest cross-border private banking centre globally (USD 2.4 trillion, ~25% of world total). Petrobras and 1MDB cited (§59).
  • OAR supervision of fiduciaries insufficient (IO.3; §22–23, §390): OAR risk-based approach “still insufficient, particularly for the sectors most at risk, such as the fiduciaries.” 1,007 fiduciaries acting as executive boards of domiciliary companies are the primary high-risk DNFBP category. FINMA lacks power to impose financial penalties (R.27 LC).
  • LBA scope gap: lawyers/notaries/accountants/real estate not fully covered (R.22/23 PC; FUR Annex p.21): LBA does not cover legal advisory and company formation activities of lawyers, notaries, accountants, estate agents, DPMS. R.22 and R.23 remain PC through all four FURs.
  • STR under-reporting and BO transparency gaps (IO.4 ME; IO.5 ME; §326, §419–420): FIs “not sufficiently engaged regarding the need to submit STRs.” BO register newly introduced — effectiveness not yet assessable; no sanctions for failures; no analysis of domiciliary company ML/TF risks.
  • Strong enforcement record (IO.7 SE, IO.8 SE; §199, §222): Large-scale complex ML investigations including foreign predicate offences; Petrobras, 1MDB. Confiscation consistent with identified risks; total amounts high; international asset recovery. Concern: sentence disproportionality (§199).
  • 4th FUR (October 2023): R.10 and R.40 upgraded; MROS restriction removed: R.10 PC→LC (LBA revised: BO verification obligation, CDD updates). R.40 PC→LC (MROS can now obtain FI information for foreign counterparts without prior STR link). R.22, R.23, R.35 remain PC. FUR does not address effectiveness improvements.
Sources: FATF MER, Switzerland, October 2016 (onsite February–March 2016); FATF 4th Enhanced Follow-Up Report, Switzerland, October 2023. IO ratings from MER Effectiveness Ratings table (p.11); confirmed unchanged by FATF Consolidated Assessment Ratings (MER+FUR(s) row, Oct/2023). 4th FUR: FATF, Paris, 2023 — explicit statement that it “does not address Switzerland’s progress in improving its effectiveness.”
🇬🇧
United Kingdom
FATF MER December 2018 (adopted October 2018 Plenary; onsite March 2018) | 1st Regular FUR May 2022 (TC only)
D: 38/50 V: 19/50 57
Destination
Vulnerability
IO.1: HE IO.3: ME IO.4: ME IO.5: SE IO.7: SE FATF
Destination risk (MER §2, §38, §44, §47a): The MER states that “the UK is vulnerable and at risk of being used as a destination or transit location for criminal proceeds” (§38). The executive summary identifies that the UK “faces particular and significant risks from laundering the proceeds of foreign predicate crimes, including transnational organised crime and overseas corruption” (§2). The 2017 NRA identifies “high-end ML” — the laundering of large amounts of criminal funds through the UK via complex corporate vehicles and offshore jurisdictions — as one of the two highest ML risks, alongside cash-based ML (§44). The NRA also identifies a “high ML risk in relation to super-prime property in London, particularly relating to the laundering of proceeds from foreign predicate offences” (§44). The UK is the world’s largest centre for cross-border banking, the leading centre for foreign exchange trading, and has the second-largest legal services sector globally — creating multiple vectors for the placement and integration of foreign criminal proceeds. The assessors made “how effectively the UK mitigates its risk of being used as a destination… for criminal proceeds given its role as a global financial centre” their first priority scoping issue (§47a).

Supervisory vulnerability (IO.3: Moderate): The MER identifies supervision as the most significant area needing major improvement (§4). The FCA supervises over 19,600 firms but operates systematic and proactive supervision programmes for only 170 — 14 under the SAMLP (largest retail and investment banks) and 156 under the PAMLP. This leaves “a significant number of firms undertaking high and medium risk activities falling outside its regular, cyclical supervisory attention” (§28). HMRC’s individual firm risk tool “has only recently been introduced and should be reviewed to ensure it is sufficiently ML/TF focused and effective” (§28), with the majority of its 97 risk rules not aligned to inherent ML/TF risk factors. The 22 legal and accountancy professional body supervisors exhibit “mixed understanding of risks” and OPBAS — created specifically to address these inconsistencies — had not yet demonstrated impact at the time of assessment. “Some other supervisors tend to focus on the largest firms in their supervisory pool rather than taking a more comprehensively risk-based approach” (§28).

Preventive measures (IO.4: Moderate): All entities performing FATF-covered activities are required to implement AML/CFT measures under the Money Laundering Regulations 2017 — this is a meaningful distinction from jurisdictions where DNFBP exemptions exist. The banking sector demonstrates the strongest compliance. However, “the understanding of ML/TF risk is much less developed among DNFBPs” (§25). The SAR regime “needs a significant overhaul” (§11): SAR filing by lawyers, accountants and TCSPs is low relative to the high-risk activity they are exposed to (§339), with banks contributing almost 85% of total SAR filings and four banks accounting for 80% of that figure (§337). The UKFIU “suffers from a lack of available resources (human and IT) and analytical capability which is a serious concern considering similar issues were raised over a decade ago” (§10). JMLIT is highlighted as an “example of best practice” for public-private information sharing (§9).

Beneficial ownership / legal persons (IO.5: Substantial): The UK is described as “a global leader in this space” (§30). The People with Significant Control (PSC) register is fully public, online, and highly transparent. LEAs can access accurate and up-to-date BO information from FIs and DNFBPs in a timely fashion through JMLIT and the NCA’s s.7 gateway. Around 97% of UK-registered companies use a UK bank account, making BO verification accessible in the vast majority of cases. Key limitations: the PSC register is “largely unverified” — “register information is sometimes inaccurate” (§31) — and “the process is more complicated and less timely where the company holds accounts abroad” (§31). Box 32 documents a case of a criminal using UK corporate entities banked exclusively outside the UK to evade CDD obligations. Scottish Limited Partnerships (SLPs) present a specific transparency risk, being subject to less reporting than most other corporate forms. The overseas entity BO register was under development at time of assessment.

ML investigations and confiscation (IO.7: Substantial; IO.8: Substantial): The UK “routinely and aggressively pursues money laundering investigations” (§12). Over 2,000 prosecutions and 1,400 convictions are achieved annually in cases of standalone ML or where ML was the primary offence. The UK has restrained GBP 1.3 billion and recovered GBP 1 billion since 2014 using POCA; HMRC has recovered a further GBP 3.4 billion since 2016 using tax powers (§14). The UK’s focus on high-end ML dates from December 2014 — the MER acknowledges significant progress but notes the UK is “not yet able to demonstrate that its level of prosecutions and convictions of high-end ML is fully consistent with its threats, risk profile and national AML/CFT policies” (§13).

International cooperation (IO.2: Substantial): The UK “provides a broad range of constructive mutual legal assistance and extradition” (§32). JMLIT and the NCA’s overseas criminal justice network are described as particularly strong features. An acknowledged limitation is the UKFIU’s resource constraints — only 17 officers dedicated to international cooperation — which “may be a contributing factor in the delays and difficulties reported by some FATF and FSRB delegations” (§489). The MER notes that “80% of incoming MLA requests is with other EU member states” facilitated by EU regional cooperation tools, with uncertainty about equivalence post-Brexit noted as a forward risk (§32).

FUR developments (TC only — IO ratings unchanged): The 1st Regular FUR (May 2022) re-rates only R.13: PC → Compliant. Following Brexit, the UK amended its Money Laundering Regulations so that EDD measures for correspondent banking now apply to all non-UK institutions (not just non-EEA as previously). R.29 (UKFIU) remains Partially Compliant — the UKFIU expanded from 81 to 141 staff, but this is assessed as still insufficient given the growth in SARs, the scale of the UK financial sector, and the fact that the previous MER from over a decade ago already recommended expanding to 200 staff. The FUR states it “does not address what progress the UK has made to improve its effectiveness.”
Key MER findings — attributable to source
  • Explicit destination for foreign proceeds, including overseas corruption (§2, §38, §44): MER states UK is “vulnerable and at risk of being used as a destination or transit location for criminal proceeds.” NRA identifies high-end ML and super-prime London property as highest ML risks, with overseas corruption named as a major predicate. Assessors made this the first priority scoping issue.
  • FCA supervisory population gap (IO.3; §28): FCA supervises 19,600 firms; only 170 under systematic or proactive supervision programmes. Significant number of medium and high-risk firms outside regular supervisory attention. HMRC risk tool introduced but not yet demonstrated effective. OPBAS created but not yet demonstrated impact at assessment. 22 legal/accountancy supervisors with inconsistent risk understanding.
  • SAR regime needs significant overhaul (IO.4/IO.6; §10–11, §337–342): Banks contribute ~85% of all SARs; four banks contribute 80% of that. SAR filing by lawyers, accountants, TCSPs low relative to their high-risk exposure. UKFIU “suffers from lack of available resources (human and IT)… a serious concern considering similar issues were raised over a decade ago.”
  • PSC register: global leader but largely unverified (IO.5; §30–31): Fully public, online, fast. But information is “largely unverified” and sometimes inaccurate; less timely when company holds accounts abroad. SLPs present specific transparency risk. Overseas entity register under development.
  • Strong prosecution and confiscation record (IO.7 SE, IO.8 SE; §12–15): Over 2,000 ML prosecutions and 1,400 convictions annually. GBP 1.3bn restrained, GBP 1bn recovered since 2014 (POCA); GBP 3.4bn recovered via HMRC tax powers. High-end ML prioritised from December 2014 — good progress but not yet fully consistent with risk profile.
  • 1st Regular FUR (May 2022): R.13 only change — IO ratings unchanged: R.13 upgraded PC→C (EDD now applies to all non-UK correspondent institutions post-Brexit). R.29 remains PC (UKFIU 81→141 staff: still insufficient). FUR states it does not address effectiveness improvements.
Sources: FATF MER, United Kingdom, December 2018 (adopted October 2018 FATF Plenary; onsite March 2018); FATF 1st Regular Follow-Up Report, United Kingdom, May 2022. IO ratings from the MER Effectiveness Ratings table; confirmed unchanged by the 1st FUR, which re-rates technical compliance only and states it “does not address what progress the UK has made to improve its effectiveness.” Numbered references are to MER paragraphs.
🇦🇹
Austria
FATF MER February 2026 (onsite June–July 2025) — 5th round | Enhanced follow-up
D: 36/50 V: 21/50 57
Destination
Vulnerability
IO.1: ME IO.2: ME IO.3: SE IO.4: ME IO.5: HE IO.7: ME FATF Enhanced follow-up
Destination risk (MER §2–3, §66–70, §76, §82, §87; IO.1: Moderate): The MER describes Austria as “an important regional and international financial centre as well as a gateway to the Central, Eastern, and South Eastern Europe (CESEE) and Commonwealth of Independent States (CIS) countries,” with ML and TF risks that arise directly from that position (§2, §66). Austria is characterised as “a transit country for the activities of organised crime groups that launder their proceeds in Austria through cash-intensive businesses and couriers, MVTS, and real estate,” with OCGs operating from CESEE, Caucasian countries, North and West Africa, Asia, and Western Europe (§67). Austria is simultaneously “a cash-intensive eurozone economy” attractive for laundering both foreign and domestic proceeds via real estate, luxury goods, and cash-intensive sectors including hotels, restaurants and cafes, often using straw men as directors and shareholders (§68). Banking sector assets total approximately EUR 1 trillion — 211% of GDP — with three large banking groups (ERSTE, Raiffeisen Bank International, UniCredit Bank Austria) holding over 50% of sector assets; Austrian banks have 35 subsidiaries in 14 CESEE countries with total assets of EUR 299 billion (§82, §87). The 2025 NRA identifies fraud as the main predicate offence, followed by tax offences, drug-related crimes, organised crime, corruption, and smuggling (§76). Transnational corruption cases point to proceeds being laundered in Austria (§68). The real estate sector is identified as highly vulnerable to ML, particularly through high-value purchases by PEPs, foundations, and foreign companies (§70). VASPs present high ML and TF risks; 13 VASPs were operating at end-2024 with total purchase volume of EUR 3.2 billion (§72; §92). IO.1 is rated Moderate: despite progress since the 2016 MER, “a nuanced and consistent ML/TF risk understanding across all competent authorities and a whole-of-government view are yet to be achieved,” with key authorities including BMJ and BAK (anti-corruption) failing to contribute substantively to the NRA (§6; IO.1 key finding a–b).

Financial sector and VASP supervision (IO.3: Substantial; MER §17–25, §71 IO.3 conclusion): The FMA has a sound understanding of ML/TF risks in supervised sectors and has “steadily increased its capacity to understand and detect ML/TF risks specific to VAs/VASPs” (§18). Market entry controls are “to a large extent, effectively implemented in the financial sector” (§17; IO.3 key finding a). The FMA “to a large extent, effectively promotes OEs’ understanding of ML/TF risks and AML/CFT obligations” (§19; IO.3 key finding d). However, risk understanding of cash, laundering through real estate, and corruption beyond PEP-list compliance remains limited across FI sectors (IO.3 key finding d). FMA supervision of financial groups’ foreign subsidiaries and branches in CESEE needs strengthening — “their number remains low despite Austria’s role as a systemically important regional and international financial centre” (§24). Sanctions for AML/CFT breaches “have a demonstrated effect on FIs’ and VASPs’ overall awareness” (§25). IO.3 is rated Substantial (§71 conclusion).

Non-financial sector supervision (IO.4: Moderate; MER §26–30, §92 IO.4 conclusion): DNFBP supervision suffers from “major shortcomings, including fragmentation, shortage of resources to effectively undertake supervision, and few remedial actions” (§26, MER exec summary f). ML/TF risk understanding “varies strongly between the different DNFBP supervisors” (§27). Real estate agents, TCSPs (other than tax advisors), and DPMS — identified as high-risk and material sectors — “do not have an adequate understanding of sectoral and individual DNFBPs’ risks” (IO.4 key finding b). These three high-risk trade sectors are supervised by 94 different local district authorities, creating severe fragmentation (§92, footnote). The understanding of risks related to real estate agents and DPMS “is not in line with Austria’s risk and context” (§28). STR reporting is low and compliance monitoring by supervisors is inadequate in most DNFBP sectors (IO.4 overall conclusion). IO.4 is rated Moderate (§92 conclusion).

Beneficial ownership — exemplary multi-pronged system (IO.5: High; MER §31–37, §105 IO.5 conclusion): IO.5 is the standout strength of Austria’s system, rated High — the highest effectiveness rating in the MER. Austria’s “multi-pronged approach to transparency of beneficial ownership is exemplary and represents a key strength of the AML/CFT system” (MER exec summary j). The Beneficial Ownership Register is “extensively used by competent authorities, which systematically integrate this information in ML/TF and PF-related investigations, including complex and cross-border financial investigations” (§33). The Beneficial Ownership Registry Authority implements “effective measures to ensure that the information on record is adequate, accurate and up to date, including in-depth verifications across the entire ownership and control structure” (§34). FIs and DNFBPs have a good understanding of the register; Austria prohibits bearer shares and has transparency measures for nominees (IO.5 key finding b). Austria has also conducted a comprehensive ML/TF risk assessment of legal persons and arrangements and multiple targeted studies identifying specific abuses (IO.5 key finding a). IO.5 is rated High (§105 conclusion).

ML investigations (IO.7: Moderate; MER §43–45, §139 IO.7 conclusion; improved from LE in 2016): IO.7 is rated Moderate — an improvement from Low in the 2016 MER, but with major deficiencies persisting. “Restrictive interpretations of the ML offence continue to limit investigation and prosecution of standalone and third-party ML cases,” stemming from requirements for a high evidentiary standard of proof for both the predicate offence and the mens rea elements of ML (§43, IO.7 conclusion). “The overall number of ML investigations and prosecutions is low and should be increased and more fully aligned with Austria’s risk profile” (§45). ML investigations are “closely tied to predicate offence investigations, mainly fraud” while ML related to drug trafficking, tax offences, and corruption are “not pursued in line with Austria’s risk and context” (IO.7 conclusion). No sanctions have been imposed on legal persons for ML. The 2016 MER had already flagged Austria’s failure to pursue ML in line with its profile as a financial centre and transit country — these deficiencies remain “unaddressed” (§45; MER exec summary h). IO.7 is rated Moderate (§139 conclusion). Asset recovery (IO.8) is also Moderate: “confiscation values are low, relative to Austria’s risk profile” with rare use of extended confiscation or non-conviction-based confiscation (§49; IO.8 Moderate).

Enhanced follow-up; one sole R.23 PC (MER TC table p.5): Austria was placed in enhanced follow-up at the February 2026 Plenary based on effectiveness ratings. Only one Recommendation is rated Partially Compliant — R.23 (DNFBPs: other measures). All other Recommendations are LC or C, reflecting significant improvement in the technical compliance framework since the 2016 MER. The key outstanding effectiveness gaps driving enhanced follow-up are IO.1 (risk understanding), IO.2 (international co-operation not commensurate with risk), IO.4 (DNFBP supervision fragmented), IO.6 (A-FIU focus too narrow on fraud), IO.7 (ML investigations), IO.8 (asset recovery), IO.10 (TF-TFS supervision gaps), and IO.11 (PF-TFS supervisory deficiencies).
Key MER findings — attributable to source
  • CESEE gateway with EUR 1 trillion banking sector and 35 CESEE subsidiaries; OCG transit hub (MER §2, §67, §82, §87): Austrian banks hold EUR 299 billion in CESEE subsidiary assets across 14 countries, making Austria a systemically important CESEE gateway. OCGs from across CESEE, CIS, and Africa launder proceeds through cash-intensive businesses using straw men. Austria is simultaneously an origin and transit country for dual-use goods linked to WMD proliferation (§73).
  • Transnational corruption proceeds laundered in Austria; BAK absent from NRA (MER §68; IO.1 key finding b): The MER states that “transnational corruption cases point to proceeds being laundered in Austria.” Despite this, the Federal Bureau of Anti-Corruption (BAK) provided no input to the NRA, leaving “the ML threat from corruption under-assessed.” The NRA’s corruption risk analysis suffered from “no input from BAK” (§135).
  • 94 local district authorities supervising real estate agents, TCSPs and DPMS; fragmentation acute (MER IO.4 key finding b; §92): The three highest-risk DNFBP trade sectors — real estate agents, TCSPs (other than tax advisors), and DPMS — are supervised by 94 different local district authorities with no consistent risk-based supervisory framework and inadequate resources. Coordination across supervisors is described as “still nascent.”
  • Restrictive ML offence interpretation persists from 2016 MER; standalone and third-party ML rare (MER §43–45, IO.7 conclusion): The high evidentiary burden for proving both the predicate offence and the mens rea of ML was flagged in the 2016 MER and “remain unaddressed.” Standalone and third-party ML convictions remain rare; no sanctions have been imposed on legal persons. ML investigations are dominated by fraud-linked cases at the expense of drug, corruption, and tax crime ML.
  • IO.5: High — exemplary BO register with in-depth verification and risk-based monitoring (MER §31–37, IO.5 key findings a–d): Austria’s multi-pronged approach to beneficial ownership, centred on the WiEReG Beneficial Ownership Register, is rated High — the only High-rated IO in the 5th round MER. The Register is used systematically in complex financial investigations; in-depth verifications are conducted across entire ownership structures; fraudulent company detection measures exist; bearer shares are prohibited; and nominees are subject to transparency obligations. This represents a genuine best-practice benchmark for AML/CFT systems.
  • A-FIU focus too narrow on fraud; resource and independence constraints (MER §39–41, §7): The A-FIU’s analytical work “too narrowly focuses on predicate offences (especially fraud)” and does not “sufficiently contribute to addressing complex ML cases, involving third-party and professional ML, and TF in line with Austria’s risk and context” (§40). Resource constraints and limitations on operational independence (the A-FIU cannot recruit independently from outside the BKA/police) hinder effectiveness (§7; KRA l).
  • Enhanced follow-up; IO.7 improved from Low to Moderate since 2016 MER; IO.5 High is FATF rarity (MER TC table p.5; §466): Austria’s placement in enhanced follow-up reflects primarily effectiveness deficiencies rather than TC gaps (only R.23 is PC). IO.7 moving from Low (2016) to Moderate (2026) is acknowledged progress. IO.5 at High is rare in the 5th round and reflects exceptional performance on BO transparency. No FUR has been published as of this Index entry.
Sources: FATF MER, Austria, February 2026 (onsite June–July 2025), 5th round. IO ratings from MER Effectiveness and Technical Compliance Ratings table (p.5). All findings attributed to specific MER paragraphs or chapter key findings. Austria was placed in enhanced follow-up at the February 2026 FATF Plenary. No FUR has been published as of this Index entry.
🇱🇺
Luxembourg
FATF 5th Round MER September 2023 (onsite November 2022) — no FURs
D: 33/50 V: 21/50 54
Destination
Vulnerability
IO.1: SE IO.3: ME IO.4: ME IO.5: SE IO.7: ME FATF 5th Round
Note on MER: This entry is based on Luxembourg’s 5th Round FATF MER, adopted September 2023 following an onsite visit in November 2022. This is Luxembourg’s first comprehensive FATF assessment since 2010, replacing the 2014 follow-up conclusions. No follow-up reports have been issued. IO ratings reflect the current state as at November 2022.

Destination risk (MER §29, §34): The MER opens its risk characterisation with an unambiguous statement: “Luxembourg identified foreign predicate offences as its main money laundering threat, given its position as an international financial centre” (§29). The main predicate offences contributing significantly to the ML threat are fraud and forgery, tax crimes, corruption and bribery, and drug trafficking. Luxembourg’s financial scale — EUR 14 trillion in total FI assets (2020), EUR 5,545 billion in net fund assets under management (Europe’s largest fund centre), and 122 banks from 24 countries with EUR 988.72 billion in banking assets — creates an exposure to foreign criminal proceeds that is large in absolute terms relative to a domestic GDP of EUR 73.3 billion. FDI stocks at 1,169% of GDP (EU average: 62%) reflect the volume of international capital channelled through Luxembourg’s fund and holding company structures. The assessors made “cross-border ML/TF risks” their first priority scoping issue (§34a), examining “how the country is using its AML/CFT framework to mitigate these international risks.” The most vulnerable sectors are identified as banks (especially private banking), the investment sector, MVTS, TCSPs, real estate activities, and commercial companies and legal arrangements (§29).

Supervisory vulnerability (IO.3: Moderate): The CSSF, Luxembourg’s main FI supervisor, demonstrates a good and improving risk-based approach, having established dedicated teams for on-site inspections and combining off-site monitoring with on-site work (§16). However, “major improvements are needed in the use and application of supervisory sanctions” (IO.3 conclusion). For DNFBPs, the picture is more concerning. The AED, responsible for supervising real estate agents (2,832), DPMS, and professional directors (204), “does not have a fully mature risk-sensitive approach,” and as of the onsite visit, inspections of professionals providing directorship services “had not started” (§16). The Chamber of Notaries (CdN) supervises through peer review and is “reluctant to impose sanctions.” The AED and the Order of Chartered Professional Accountants (OEC) have limited resources to effectively conduct supervision (IO.3 conclusion). CSSF public statements on enforcement “convey very limited information on the nature of breaches” (§18).

Preventive measures (IO.4: Moderate): FIs demonstrate a stronger application of AML/CFT preventive measures than DNFBPs, with banks and investment fund managers having a good understanding of ML risks (§15). However, “there are major shortcomings in the understanding of TF risks across the private sector” and “major shortcomings in compliance with reporting obligations” (IO.4 conclusion). REAs and DPMS have a “weak understanding of risks and application of AML/CFT obligations resulting in weaker risk-based mitigating measures” (§15). STR quality is a concern: “a large number of DNFBPs and VASPs indicated that they provided STRs based on adverse media without further analysis” (IO.4 conclusion).

Beneficial ownership / legal persons (IO.5: Substantial): Luxembourg’s investment in BO infrastructure since 2019 is one of the assessment’s genuine positives. The RBE (BO register for legal persons, 2019) and RFT (register for fiducies/trusts, 2020) are operational and supported by annual large-scale accuracy exercises conducted by the Luxembourg Business Register (LBR) that have resulted in many outdated companies being struck off (IO.5 conclusion). Competent authorities use a multi-pronged approach to obtain accurate and up-to-date BO information. The main weakness is that violations of legal person BO disclosure requirements can only be sanctioned through criminal penalties, requiring the involvement of the State Prosecutor, which “sharply limits timely application, proportionality and effectiveness of sanctions” (§21, IO.5 conclusion).

ML investigations and confiscation (IO.7: Moderate; IO.8: Moderate): Luxembourg “proactively identifies and investigates ML through the systematic use of financial intelligence” and prosecutes all types of ML including ML from foreign predicate offences (IO.7 conclusion). However, “the number of ML investigations is somewhat inconsistent with Luxembourg’s risk and context,” many cases remain in investigation for several years due to complexity, resource limitations or delays in the Council Chamber, and “the frequent application of suspended sentences is not dissuasive and financial penalties are not proportionate” (IO.7 conclusion). On confiscation, Luxembourg prioritises this since 2019, but “the absence of comprehensive statistics prevents confirmation that confiscation results are consistent with identified risks,” and the absence of an asset management mechanism limits focus to liquid assets (IO.8 conclusion).

International cooperation (IO.2: Substantial): Luxembourg demonstrates “very strong commitment to formal and informal international co-operation,” with generally good-quality MLA processed within 3–4 months for non-coercive requests (IO.2 conclusion). The main concern is timeliness: approximately 30% of incoming MLA requests requiring coercive measures are executed in a timeframe exceeding seven months (§22, IO.2 conclusion). Moderate improvements are required to address this.
Key MER findings — attributable to source
  • Foreign predicates are the main ML threat (§29, §34): MER states that Luxembourg identified “foreign predicate offences as its main money laundering threat.” Main predicates: fraud/forgery, tax crimes, corruption and bribery, drug trafficking. EUR 14 trillion in FI assets; EUR 5,545bn in fund assets; FDI at 1,169% of GDP. Cross-border ML/TF risk identified as first priority scoping issue.
  • DNFBP supervision: major gaps in REAs, professional directors, notaries (IO.3; §16, §18): AED supervision of REAs and DPMS not yet mature; inspections of professional directors had not started. Notaries: peer review only; reluctant to impose sanctions. AED and OEC: limited resources. “Major improvements needed in use and application of supervisory sanctions.”
  • DNFBP preventive measures: major shortcomings (IO.4; §15, conclusion): REAs and DPMS have “weak understanding of risks.” Major shortcomings in TF risk understanding across private sector. Major shortcomings in compliance with reporting obligations. Large proportion of STRs from adverse media hits without further analysis.
  • BO infrastructure operational but sanctions constrained (IO.5 SE; §21, conclusion): RBE and RFT registers operational since 2019/2020; LBR accuracy exercises effective. Key limitation: BO disclosure violations require criminal proceedings and State Prosecutor involvement, limiting proportionate and timely sanctioning.
  • ML investigations below risk profile; sentences not dissuasive (IO.7 ME; conclusion): Number of ML investigations “somewhat inconsistent with risk and context.” Cases remain in investigation for years. Suspended sentences frequently applied — “not dissuasive”; financial penalties not proportionate.
  • ~30% of coercive-measure MLA requests executed in >7 months (IO.2 SE; §22): Overall co-operation strong but timeliness issue specific to incoming MLA requiring coercive measures. Moderate improvements required.
  • All DNFBPs subject to comprehensive AML/CFT obligations (R.22 C, R.23 C): Unlike Switzerland (R.22/23 PC) or the US (R.22/23 NC), Luxembourg has no structural scope gaps in DNFBP coverage. The challenge is supervisory effectiveness, not legal framework coverage.
Source: FATF 5th Round MER, Luxembourg, September 2023 (onsite November 2022). All IO ratings from MER Effectiveness Ratings table (p.12); all TC ratings from MER Technical Compliance table (p.12). No follow-up reports have been issued. This supersedes the 2014 4th-round MER and all prior follow-up reports.
🇨🇳
China
FATF/APG/EAG MER February 2019 (onsite July 2018) | 3rd Enhanced FUR November 2022 (TC only)
D: 11/50 V: 40/50 51
Destination
Vulnerability
IO.3: ME IO.4: LE IO.5: LE FATF
↑ TC progress (3rd Enhanced FUR Nov 2022) R.22, R.23, R.25 remain NC; R.24 now PC
D: ±0 (unchanged — IO ratings not addressed by FUR)   V: reduced from MER baseline (cumulative TC upgrades through FUR3; under rebalanced point values, R.24’s NC→PC upgrade reduces V2 by 1; R.22/23/25 remain NC)
Destination risk (MER §6, §40, §43, §52, §54): China is primarily characterised in the MER as a source of outbound illicit proceeds rather than a destination for foreign criminal funds. The NRA records that between 2014 and 2016, illicit proceeds totalling RMB 864 billion were repatriated to China from over 90 countries — proceeds estimated to have flowed out over a 20-year period (§40). Significant amounts of illicit proceeds flow from mainland China into Macau, China and Hong Kong, China, and from there to other jurisdictions — a pattern noted in the MERs of Australia, Canada, and Singapore (§40). Underground banking operations facilitate movement of proceeds out of the country (§40, §44). Assessors specifically paid attention to “the substantial volume of illicit proceeds flowing out of China” when scoping higher-risk issues (§54). However, China’s domestic vulnerabilities are highly relevant to the destination score: the absence of domestic PEP coverage “is particularly noteworthy in the context of a country where corruption is a major predicate offence and state-owned-enterprises play a dominant role in the economy” (Exec. Summary §5; §43) — meaning proceeds of domestic corruption are effectively permitted to remain undetected within the financial system. The lack of any effective DNFBP framework (§g) — including for the real estate sector, lawyers, accountants, and company service providers — means those sectors cannot function as gatekeepers against the layering and integration of domestic corrupt proceeds. Banks dominate with total assets of RMB 252 trillion and are considered “highly vulnerable to abuse” (§42). China’s GDP of RMB 82.1 trillion and financial sector scale create enormous throughput risk that multiplies even moderate per-entity compliance failures (§57).

Supervisory effectiveness (IO.3: Moderate; MER §23–27): The PBC’s AML/CFT supervisory system is “almost exclusively focused on the financial sector, as there are no effective preventive or supervisory measures in respect of the DNFBP sector” (§g). For FIs, the PBC demonstrates a moderate level of understanding of risk, but its processes are “highly dependent on the correct implementation of the prescribed risk assessment methodology by FIs” — and FIs themselves are assessed as having a low level of risk understanding (§24). The level of banking sector inspections is “not commensurate with the level of risk” (§25). AML/CFT financial penalties average approximately RMB 41 million per year — assessed as “not effective, dissuasive, nor proportionate given the size of the banks and other FIs in the financial sector” (§26). No AML/CFT remedial actions or sanctions have been applied to any online lending institutions or to any DNFBP (§26). The PBC and sector regulators have had “a low to non-existent impact” on the DNFBP sector up to the time of the onsite (§27). Real estate, DPMS, and CSP sectors are not subject to any ongoing criminal background checks (§23).

Preventive measures (IO.4: Low; MER §19–22): FIs have a “satisfactory understanding of their AML/CFT obligations” but “generally have an insufficient understanding of ML/TF risks and apply mitigation measures that are not commensurate with these risks” (§19). Online lending institutions have developed no understanding of ML/TF risks or AML/CFT obligations whatsoever (§19, §22). FIs apply CDD measures “ineffectively,” with “notable weaknesses” in customer identification and BO verification, and ongoing due diligence (§20). PEP measures, TFS implementation, and high-risk country measures are all ineffectively applied by FIs (§20). STR reporting is inconsistent and “the number of STRs reported appears to be modest, considering the size of the financial sector” (§21). DNFBP STR reporting is “virtually non-existent” (§22). Internal controls of financial groups are “often inappropriate for mitigating risks” (§21).

Beneficial ownership / legal persons (IO.5: Low; MER §28–29, §43): Rated Low — the most serious rating. BO information of legal entities is “not (publicly) available in China” (§28). Authorities make use of basic information, CDD from FIs, and law enforcement powers — but “each of these sources poses shortcomings and significant challenges, and the combination of measures at the current stage falls short of an effective system for obtaining accurate, adequate and current BO information in a timely manner” (§28). Basic information is not always accurate and it “seems relatively easy to circumvent the registration rules (for example through straw persons)” (§28). There is “no granular understanding of the ML/TF risks of each type of legal person” (§29). The absence of effective arrangements for registering and retaining BO information is a foundational structural vulnerability (§43), given the identification in the NRA of the abuse of legal persons as a method of laundering illicit proceeds (§40).

FUR developments (TC only — IO ratings unchanged; FUR1 Oct 2020, FUR2 Oct 2021, FUR3 Nov 2022): Across the first two enhanced FURs, China was re-rated upward on nine Recommendations from the MER baseline: R.3 PC→LC, R.8 PC→LC, R.15 PC→LC, R.16 PC→LC, R.18 PC→C, R.26 PC→LC, R.29 PC→LC, R.34 PC→LC, and R.38 PC→C. The 3rd Enhanced FUR (November 2022) re-rated two further Recommendations: R.7 NC→PC (positive progress on PF-related TFS via the April 2022 Working Group Rules and Procedures and March 2022 MFA Procedures, though gaps remain on without-delay implementation and the prohibition on making funds available) and R.24 NC→PC (China enacted the revised Company Law, Civil Code, Foreign Investment Law and the 2022 IRRM, introducing requirements for market entities to report beneficial ownership and sanctions for failure to do so; shortcomings remain on bearer shares, nominee shareholders/directors, and the absence of a risk assessment). R.6 was reviewed in the 3rd FUR but remains PC (no without-delay legal basis; no prohibition provision). R.35 remains PC. Of the four DNFBP/transparency Recommendations, R.22, R.23 and R.25 remain Non-Compliant while R.24 is now PC. R.12 (PEPs) remains PC. All three FURs are TC-only and state they do not address effectiveness; all IO ratings remain unchanged from the 2019 MER.
Key MER + FUR findings — attributable to source
  • China is primarily a source of outbound illicit proceeds; domestic vulnerabilities are extreme (MER §5, §40, §43): NRA records RMB 864 billion repatriated over 20 years; proceeds flow to Macau/HK and beyond through underground banking. Domestically, absence of PEP coverage, DNFBP framework, and BO regime makes domestic corrupt proceeds effectively invisible to the AML/CFT system.
  • DNFBP sector entirely outside AML/CFT — no supervision, no STRs, no sanctions (IO.3 ME, IO.4 LE; MER §22, §26, §g): Real estate, lawyers, accountants, DPMS, CSPs subject to no effective AML/CFT framework. DNFBP STR reporting “virtually non-existent.” No remedial actions or sanctions applied to any DNFBP. “No effective preventive or supervisory measures” for the entire sector.
  • IO.5 Low — BO information not publicly available; straw persons easy to use (MER §28–29): BO information of legal entities not available in China. Basic information inaccurate; registration rules easily circumvented through straw persons. No granular understanding of ML/TF risks by legal person type. Current system “falls short of an effective system.”
  • FI preventive measures low; PEP coverage absent domestically (IO.4 LE; MER §19–21, §43): FIs have satisfactory legal understanding but insufficient risk understanding; CDD applied ineffectively; BO measures weak. Absence of domestic PEP coverage is singled out as a significant vulnerability given corruption as a major predicate and state-owned enterprise dominance.
  • Three TC-only FURs (2020/2021/2022): 11 re-ratings total; R.24 upgraded NC→PC in FUR3 (Nov 2022); IO ratings unchanged: FUR1–FUR2 (to Oct 2021) upgraded R.3/8/15/16/26/29/34 to LC and R.18/38 to C. FUR3 (Nov 2022) upgraded R.7 NC→PC and R.24 NC→PC. R.6 reviewed in FUR3 but remains PC; R.35 remains PC. R.22, R.23 and R.25 remain NC; R.12 (PEPs) remains PC. All FURs assess TC only, not effectiveness.
Sources: FATF/APG/EAG MER, People’s Republic of China, February 2019 (onsite July 2018); FATF 3rd Enhanced Follow-Up Report, People’s Republic of China, November 2022 (also reflecting the 1st FUR Oct 2020 and 2nd FUR Oct 2021). IO ratings from MER Effectiveness Ratings table (p.16); confirmed unchanged by all three FURs (TC-only reports; each states it does not address effectiveness). TC ratings from MER p.16-17 and 3rd Enhanced FUR Tables 1–2. All paragraph references are to the published MER unless marked FUR. Note: Hong Kong SAR, Macau SAR, and Chinese Taipei were not included in this assessment.
🇿🇦
South Africa
FATF MER October 2021 (onsite October–November 2019) | 2nd Enhanced FUR November 2023 (TC only)
D: 27/50 V: 24/50 51
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: LE FATF
↑↑ Significant TC improvement (2nd Enhanced FUR 2023) Removed from FATF grey list October 2025
D: −1 (improved, post-FUR/grey-list removal)   V: reduced from MER baseline (improved, TC upgrades + grey-list removal)
Destination risk (MER §2, §40, §49, §52, §56): The MER identifies South Africa as a large economy and a “regional financial hub for sub-Saharan Africa” with notable exposure to foreign criminal proceeds (§2). The assessors identify the threat of “foreign proceeds of crime from the region being laundered in or through South Africa” — originating predominantly from fraud, corruption and bribery, illicit drugs, and tax crimes in neighbouring states (§40). The preliminary NRA findings acknowledge South Africa’s role as “a gateway for funds flowing from sub-Saharan countries to the rest of the world, including for potential foreign proceeds of crime” (§49). Assessors focused specifically on South Africa’s “role as a regional financial and economic hub and the ML/TF risks emanating from cross-border financial flows and smuggling” (§56). The banking sector holds approximately $385 billion in assets, 2018 cross-border banking transactions totalled approximately $1 trillion, and South Africa has the largest real estate market in sub-Saharan Africa at $50.2 billion (§58). However, assessors raise significant concerns about the NRA’s failure to fully reflect foreign predicate risks: no reference to high-end ML; foreign predicate threats and associated vulnerabilities “not well reflected”; and potentially high-risk sectors outside the AML/CFT regime (DPMS, CSPs) were not assessed (§52). Domestic corruption — particularly the phenomenon known as “State capture” — generated substantial proceeds and undermined key AML/CFT agencies over the preceding decade (§44, §48), with proceeds from those cases often moved abroad with limited recovery (§e, §k).

Supervisory vulnerability (IO.3: Moderate; MER §25–29): The MER concludes that “all supervisors in South Africa need major or fundamental improvements to conduct AML/CFT risk-based supervision effectively” (§27). The SARB:PA’s supervision of the materially important banking sector checks compliance with AML/CFT requirements thoroughly but does not yet use a proper risk-based approach. SARB:FinSurv inspections of ADLAs are based on risk only to a limited extent. For all other supervisors, inspections are “too infrequent to be effective” — and attorneys are subject to essentially no AML/CFT oversight at all (§27). The FSCA and the Estate Agency Affairs Board are hampered by severe resource shortages. Most regulators rely heavily on self-disclosure with limited verification by competent authorities (§25). Sanctions imposed by most supervisors are “too low and infrequent to be dissuasive or effective” (§28). Fit and proper criteria do not extend to beneficial owners in many sectors (§25).

Preventive measures (IO.4: Moderate; MER §20–24): Larger banks show a developed understanding of ML risks and implement risk-based measures to some extent. Most smaller FIs, FSPs, and CIS managers show only basic rule-based compliance (§20). DNFBP understanding of ML risks and AML/CFT obligations is underdeveloped, with estate agents and attorneys specifically cited for poor risk understanding (§20). Only larger banks and ADLAs report sufficient STRs — other high-risk and materially important sectors underreport substantially, with the casino sector as a positive outlier (§23). PEPs are generally insufficiently identified, partly due to deficient legal definition (§22). CSPs, DPMS (other than KRDs), and VASPs were not classified as accountable institutions under the FIC Act at the time of the onsite (§24).

Beneficial ownership / legal persons (IO.5: Low; MER §30): The MER rates IO.5 as Low — the most serious rating available. Companies and trusts are “frequently cited in ML schemes” and the legal framework prevents misuse “to a limited extent only” (§30). There is no comprehensive framework for accessing accurate and up-to-date BO information; obtaining adequate and current BO information compared to basic information “varies but in the majority of cases it is not easily available and when available, it often takes a long time to obtain” (§30). There are significant backlogs for companies registered before 2016 whose records have not been uploaded to the public system (§30). Attorneys and trust and company service providers are described as “inherently vulnerable to misuse” given their role in company and trust formation (§46). The authorities could not demonstrate application of sanctions for failure to comply with information requirements (§30).

2nd Enhanced FUR developments (TC only — IO ratings unchanged; FUR 2023): South Africa was placed in FATF enhanced follow-up following the MER due to 5 NC and 15 PC ratings. The 2nd Enhanced FUR (November 2023) re-rates 18 Recommendations: R.5 and R.23 upgraded PC→C; R.1, R.7, R.10, R.14, R.18, R.22, R.24, R.25, R.26, R.27, R.28 upgraded PC→LC; R.12 upgraded NC→LC; R.17 rated NA; R.6, R.8 and R.15 upgraded NC→PC. R.2 and R.32 remain Partially Compliant. Five Recommendations remain PC, so South Africa remains in enhanced follow-up with a further report due October 2024. The FUR states it “does not address what progress South Africa has made to improve its effectiveness.” All IO ratings from the MER therefore remain unchanged for scoring purposes. South Africa was grey-listed by FATF in February 2023 and removed in October 2025 following demonstrated action plan completion.
Key MER + FUR findings — attributable to source
  • Regional financial hub exposed to foreign proceeds (MER §2, §40, §49, §56): MER identifies South Africa as the sub-Saharan financial hub and a gateway for foreign proceeds from fraud, corruption, illicit drugs, and tax crimes in the region. Cross-border banking transactions totalled ~$1 trillion in 2018 (§58). NRA fails to adequately reflect foreign predicate threats or high-end ML (§52).
  • All supervisors need major or fundamental improvements (IO.3 ME; MER §27): SARB:PA adequate for banks but not risk-based; SARB:FinSurv limited risk basis; all other supervisors too infrequent; attorneys have essentially no AML/CFT oversight. FSCA and EAAB hampered by severe resource shortages. Sanctions “too low and infrequent to be dissuasive” (§28).
  • DNFBPs and gatekeepers effectively unsupervised (IO.4 ME; MER §20–24): Estate agents and attorneys have poor risk understanding and are regularly associated with ML cases (§52). Only larger banks and ADLAs file adequate STRs (§23). CSPs, DPMS, and VASPs entirely outside AML/CFT framework at time of assessment — exclusion not justified on risk (§24).
  • IO.5 Low — BO transparency acutely deficient (MER §30, §46): Companies and trusts frequently misused for ML; BO information not easily available in majority of cases; no sanctions demonstrated for non-compliance. Attorneys and TCSPs “inherently vulnerable to misuse.” Legal framework prevents misuse “to a limited extent only.”
  • State capture — domestic corruption severely undermined AML/CFT agencies (MER §44, §48, §61): SAPS:DPCI, NPA, and SARS specifically undermined. ML cases relating to State capture “not been sufficiently pursued.” Proceeds from State capture moved abroad with limited recovery. NPA and LEAs focused on predicate offences, not ML.
  • 2nd Enhanced FUR (November 2023): 18 Recommendations re-rated, IO ratings unchanged: Major TC upgrades — R.12 NC→LC, R.22 PC→LC, R.23 PC→C, R.24 PC→LC, R.25 PC→LC, R.10 PC→LC. R.2 and R.32 remain PC. Grey-listed February 2023; removed October 2025. FUR states it does not address effectiveness.
Sources: FATF MER, South Africa, October 2021 (onsite October–November 2019); FATF 2nd Enhanced Follow-Up Report, South Africa, November 2023. IO ratings from MER Effectiveness Ratings table (p.14 of MER); confirmed unchanged by FUR 2023 (explicit statement that FUR does not address effectiveness). TC ratings from MER Table 2 (p.14) and FUR 2023 Conclusion and Table 1 (p.38–39). All paragraph references are to the published MER unless marked FUR.
🇩🇪
Germany
FATF MER June 2022 (onsite Nov 2021) | 1st Enhanced FUR December 2023 (TC only)
D: 22/50 V: 28/50 50
Destination
Vulnerability
IO.1: SE IO.3: ME IO.4: ME IO.5: ME IO.6: ME IO.7: ME IO.8: SE FATF
Destination risk (MER §2–3, §27–28, §33–34; IO.1: Substantial): Germany is the largest economy in the EU and the fourth largest in the world, with GDP of EUR 3.85 trillion. Frankfurt is the most important financial centre in continental Europe, and Germany holds the largest banking sector in the euro area with total assets of approximately EUR 7.66 trillion (§34). Cash accounts for 74% of all transactions and 48% of all turnover in Germany — one of the highest rates in the developed world — and Germany has no cash transaction limits (§34; MER key finding b). Germany hosts the third-largest international migrant population globally (approximately 11 million), exacerbating cash-based ML and hawala risks (§34). The main ML/TF risks arise from international interconnectedness (including foreign predicate crime rated high), cash-based ML, real estate sector laundering, and misuse of legal persons (§3). Transparency International estimated that EUR 30 billion with unclear origins entered the German real estate market in 2017 alone (§34). Germany has 20–30% of proceeds of crime estimated to be laundered in the non-financial sector — one study’s estimate — serving a supervised population of approximately one million non-financial sector obliged entities (§35). Two major German banks account for the majority of Germany’s correspondent banking relationships including those with high-risk countries; one was subject to enforcement actions by overseas regulators as well as BaFin (§2). IO.1 is rated Substantial, reflecting Germany’s good risk understanding of the banking sector, cash, and real estate, while noting risk understanding is still developing for complex ML, professional enablers, and legal entities (MER key finding b; §55).

Supervisory vulnerability — 300+ DNFBP supervisors; critical resource shortage (IO.3: Moderate; MER §16–17, §198): BaFin, the main FI supervisor, largely implements a satisfactory risk-based framework and has a strong understanding of risks (MER key finding j). However, DNFBP supervision is decentralised across more than 300 Länder-level and district-level supervisors (§53–54), creating “major difficulties in ensuring all supervisors have a consistent risk understanding and take an effective risk-based approach” (§17). A “critical lack of resources” across the approximately 1 million non-financial sector obliged entities severely hampers effective supervision (MER key finding k). DNFBP supervisors “generally do not consider all relevant risk factors and variables” in implementing risk-based supervision (§17). Crucially, there is “no clear TFS supervisor for casinos, REAs, DPMS and TCSPs, and in practice, most DNFBPs are not subject to clear, effective monitoring” — described as “a major deficiency given Germany’s risk and context” (§198). Some BaFin supervisory measures involving major banks have “not always ensure[d] the prompt remediation of non-compliance or prevent[ed] repeated breaches” (§16). IO.3 is rated Moderate (§198).

Preventive measures — major STR shortcomings; legal professional privilege blocking reporting (IO.4: Moderate; MER §14–15, §162): Larger FIs, particularly major banks, MVTS institutions, and VASPs, have a good understanding of ML/TF risks and apply adequate preventive measures (MER key finding i). However, there are “major shortcomings in suspicious transaction reporting (STR)”: 97% of STRs came from the financial sector in 2020, with banks filing 90%, while DNFBP reporting is described as “particularly low” (§15). Legal professionals and notaries have a “very broad understanding” of legal professional privilege concepts that “prevents STR reporting in the absence of ‘positive knowledge’ that ML or TF has occurred” (§15). Risk understanding among DNFBPs is “still developing,” and smaller DNFBPs in higher-risk sectors face challenges applying preventive measures including CDD, PEP requirements, and TFS (MER key finding i). IO.4 is rated Moderate (§162).

Beneficial ownership — Transparency Register incomplete; civil law partnerships excluded; bearer shares unresolved (IO.5: Moderate; MER §18, §52, §214): Germany introduced the Transparency Register in 2017 and reforms were tracking to turn it into a full register by end-2022 (§18). However, the Register will not include civil law partnerships (GbRs) — an estimated 572,139 entities engaged in commercial activity — a significant scope gap (§37, §52). At the time of assessment, the Register was “not actively and systematically used by competent authorities” as information held was “not reliably verified” and there were issues with accuracy and timeliness (§18). Bearer shares and nominee shareholders continue to present risks that Germany has “not yet fully mitigated” (§18). The Register has been in place since 2017 but “it was not demonstrated that BO information was being regularly and routinely accessed via regulated entities, or through FIU or law enforcement channels” (§214). IO.5 is rated Moderate (§214).

ML investigations — reactive approach; low prosecution rate; focus on predicate (IO.7: Moderate; MER §10, §89; IO.6: Moderate): Germany “takes a reactive rather than a proactive approach to the identification of ML” and it is “not clear that ML involving professional ML networks, cash smuggling, foreign predicates, complex ML and cases involving legal persons are being detected” (§10). The “overall number of ML cases that progress to prosecution is lower than expected and is not fully aligned with Germany’s risk profile” (§10). There is “a focus on prosecuting for the predicate offence and barriers to pursuing ML in cases where there is no clear link to a predicate offence” (§10). Alternative measures — particularly asset confiscation — are used extensively, but “regardless of whether or not it is possible to secure an ML conviction” and “there is no clear policy or strategy for disrupting and sanctioning ML” (§10). IO.6 (financial intelligence) is also Moderate: the 2017 FIU reorganisation has been a positive move overall, but co-operation between the FIU and LEAs has been challenging, with a “low number of requests for FIU intelligence from LEAs” and “only a small proportion [of disseminations] are used in support of criminal proceedings” (§9). IO.6 and IO.7 are both rated Moderate (§76, §89).

Asset recovery — strong (IO.8: Substantial); TFS framework weak (IO.10: Moderate; FUR addresses weekend/holiday gap): Germany introduced non-conviction-based asset confiscation in 2017 and made confiscation a mandatory consideration in every case, leading to “impressive asset confiscation outcomes over the last five years” (MER key finding f). IO.8 is rated Substantial. However, IO.10 (TF-TFS) is Moderate: “TFS mechanisms are not used effectively, or to support Germany’s broader TF and counter-terrorism strategy”; agencies “prefer to rely on domestic disruption mechanisms” and are “not aware of or do not see the value in TFS” (§13). This was cited as “a major shortcoming.” The 1st Enhanced FUR (December 2023) addressed only R.6 and R.7 (PC→LC), resolving the weekend/holiday AWG gap: a revised AWG s.5a allows freezing obligations to apply directly from UN designation without requiring an AWG order to be issued — addressing delays over weekends/holidays. Three Recommendations remain PC as at the 1st FUR: R.13 (correspondent banking — mandatory EDD limited to non-EEA respondents), R.24 (BO of legal persons — multiple gaps), and R.33 (statistics — no clear ML investigation statistics). Germany remains in enhanced follow-up.
Key MER findings — attributable to source
  • 74% cash transactions; no cash limits; EUR 30 billion estimated laundered through real estate in 2017 (MER §34; §34 TI estimate): Germany’s cash intensity — the highest rate in the developed world — combined with the absence of any cash transaction limit creates persistent ML vulnerability. The NRA rates the banking sector, MVTS, notaries, and real estate agents as high ML risk. Transparency International estimates EUR 30 billion with unclear origins entered the German real estate market in 2017 alone.
  • 300+ DNFBP supervisors; 1 million non-financial obliged entities; critical resource shortage (MER §17, §53–54): DNFBP supervision is split across more than 300 Länder-level bodies. The supervised population in the non-financial sector is approximately 1 million entities, including an estimated 800,000 traders in goods alone. The MER describes the resource situation as a “critical lack” that creates “major difficulties” in consistent, risk-based supervision across the country.
  • 97% of STRs from financial sector; DNFBP reporting “particularly low”; legal privilege blocking reporting (MER §15): Almost all STRs — 97% in 2020 — came from the financial sector, with banks accounting for 90%. DNFBP reporting is described as “particularly low.” Legal professionals maintain a broad privilege interpretation requiring “positive knowledge” of ML before reporting — in practice preventing STRs in the large majority of cases where a lawyer suspects but cannot confirm ML.
  • ML approach reactive; no clear prosecution strategy; alternative measures used regardless of ML conviction possibility (MER §10): Germany detects ML primarily through predicate offence investigations. There is no proactive policy for identifying professional ML networks, foreign predicate ML, or complex ML involving legal structures. Asset confiscation is used as an alternative to ML prosecution rather than as a complement to it — with no strategy to ensure consistent and comprehensive ML sanctioning.
  • TFS not used effectively; agencies “not aware of or do not see the value in TFS”; amounts frozen low relative to risk (MER §13): Germany’s TF framework is effective for investigations and prosecutions (IO.9: Substantial) but TFS implementation is rated Moderate. Authorities prefer domestic disruption tools (association bans, BaFin freezes) and the MER describes this as a “major shortcoming” given Germany’s risk and the estimates of total amounts raised within Germany for terrorist organisations. Amounts frozen are described as “relatively low” against Germany’s risk and context.
  • Civil law partnerships (572,139 entities) excluded from Transparency Register; bearer shares and nominees unresolved (MER §18, §37, §52): The Transparency Register reform on track to completion does not cover civil law partnerships — a significant population of entities with no mandatory BO filing requirement. Bearer shares and nominee shareholders remain risk sources that Germany has “not yet fully mitigated.” The Register is not actively and systematically used by authorities to obtain BO information due to accuracy and timeliness concerns.
  • 1st Enhanced FUR (Dec 2023): R.6 and R.7 re-rated PC→LC; three PCs remain; IO ratings unchanged (FUR Table 1, conclusion): The FUR resolved the weekend/holiday AWG gap for TFS implementation (AWG s.5a). R.13 (correspondent banking), R.24 (BO of legal persons), and R.33 (statistics) remain PC. The FUR does not assess effectiveness. Germany remains in enhanced follow-up. The three remaining PCs and six Moderate IO ratings (IO.3, IO.4, IO.5, IO.6, IO.7, IO.10) reflect structural challenges in the federal system that require sustained reform effort.
Sources: FATF MER, Germany, June 2022 (onsite November 2021). IO ratings from MER Effectiveness Ratings Table 1 (p.16): IO.1 SE, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 ME, IO.6 ME, IO.7 ME, IO.8 SE, IO.9 SE, IO.10 ME, IO.11 ME. TC ratings from MER Technical Compliance Table 2 (p.16). 1st Enhanced Follow-up Report, Germany, December 2023 (FATF Plenary written process November 2023): TC only — IO effectiveness ratings not reassessed; R.6 and R.7 re-rated PC→LC. All paragraph references are to the MER unless prefixed FUR.
🇲🇨
Monaco
MONEYVAL 5th Round MER December 2022 (onsite Feb–Mar 2022) | 1st Enhanced FUR November 2024
D: 25/50 V: 25/50 50
Destination
Vulnerability
IO.1: ME IO.3: LE IO.4: ME IO.5: ME IO.7: LE IO.8: LE MONEYVAL Grey-listed FATF June 2024
Destination risk (MER §11, §13, §32, §38): The MER characterises Monaco as facing a “not insignificant ML threat originating mainly from external threats,” driven by its internationally oriented financial sector, private banking, wealth management, and the real estate and high-value goods trade (§11). The NRA 2 findings, adopted by the assessors as broadly credible, establish that “in most cases where it is identified, the predicate offence is committed abroad and the proceeds of the crime are laundered in Monaco” — with proceeds originating primarily from France and Italy (§13). The main ML predicates are scam in its widest sense (fraud, misappropriation, forgery and embezzlement), ranked first, followed by corruption and influence peddling; in nearly a third of cases the predicate was unknown, in most cases because it was committed abroad (§11). An analysis of STRs received found that where predicates were identified, corruption combined with trafficking in influence was cited in 13% of STRs and tax offences in 9% (§155). Monaco’s status as an international centre, with EUR 129 billion in assets in financial institutions as at end-2020 and the world’s highest concentration of millionaires and billionaires per capita (§39–40), is repeatedly cited by the assessors as the structural driver of this exposure. The assessors paid particular attention during scoping to “the extent to which investigations, convictions and confiscations in ML cases are consistent with the threats to the country and its risk profile” and to “international co-operation, which is proving to be an essential part of Monaco’s AML/CFT efforts due to the international nature of the financial activities pursued in the country” (§38). The NRA 2 overall ML risk assessment is “moderately high” but the assessors note that “Monaco’s status as an international centre and its international exposure point to a higher ML risk” than the NRA concludes (§32). SICCFIN’s disseminations to the GPO relate predominantly to corruption combined with misappropriation and trafficking in influence, with forgery, embezzlement and suspected fraud together accounting for over a third of reports (§147). The GRECO interim compliance report (September 2021) raised concerns about Monaco’s anti-corruption framework for members of parliament, judges and prosecutors, including the non-disclosure of MPs’ private interests (§59).

Supervisory vulnerability (IO.3: Low): The MER finds that Monaco’s “supervision policy has been more an awareness-raising exercise in relation to AML/CFT obligations than a supervision aligned to international standards including the use of sanctions” (IO.3 conclusion, §637). The risk-based approach, only partially introduced in 2019, applies the frequency of inspections to just four of the higher-risk categories; the intensity of inspections is not determined risk-based and there is no follow-up process on deficiencies identified (§595, §637). SICCFIN’s Supervision Unit suffers from “a significant lack of human resources and appropriate IT tools” (§637). Regulated professionals receive one month’s notice before on-site inspections; no spontaneous inspections are carried out (§596). Sanctions for AML/CFT breaches are “few, not proportionate to the deficiencies identified, not dissuasive, and imposed two to five years after the on-site inspections” (§637). No sanctions have been imposed by the GPO or the Chairperson of the Monaco Bar Association since 2016 despite deficiencies identified during controls (§621). A major structural gap is the absence of controls when changes of shareholders or beneficial owners occur in FIs and DNFBPs established as joint stock companies (IO.3 key finding a). SICCFIN has limited understanding of sectoral risk, with no ad hoc or thematic inspections carried out even in relation to subjects such as the Panama Papers, despite many Monaco-held accounts belonging to entities registered in Panama and the BVI (§596). FUR1 re-rates R.26, R.27 and R.28 from PC to LC, reflecting legislative progress on supervisory powers, but IO.3 effectiveness is not reassessed by FUR1 and remains Low.

Preventive measures (IO.4: Moderate): Banks and asset management companies have a “moderate” understanding of ML/TF risks — aware of NRA 2 findings at the time of the visit but had not yet drawn relevant conclusions for their own risk analyses (IO.4 key finding a, §422). DNFBPs, with the exception of the casino, have only begun to develop risk understanding and remain limited to a few risk factors such as cash, geographical location and PEP status (IO.4 key finding c). STR quality is a material concern: STRs triggered by adverse press articles account on average for 30% of total STRs, rising to 38% in recent years, constituting “defensive reporting” with “little financial intelligence value” (§159). The STR dissemination rate to the GPO is only 5%, raising concerns about quality and analysis (§161). STR delays of 40 to 100 days were observed even for banks (§162). Only one STR was received by the Chairperson of the Monaco Bar Association in the whole assessed period (§154). At the time of the on-site visit, PEP status was lifted three years after leaving office — not in line with FATF standards — with FIs and DNFBPs applying this period except for high-risk PEPs, who could be treated as PEPs for up to five years; a subsequent legislative change reduced the period to one year, and some FIs and DNFBPs confirmed they were already applying this shorter one-year period and no longer conducting enhanced due diligence beyond it, with a negative effect on effectiveness (§490). FUR1 re-rates R.12 from PC to C: the PEP framework is now fully compliant in technical terms, with the risk-based de-PEP obligation and coverage of international organisations added. IO.4 effectiveness is not reassessed by FUR1 and remains Moderate.

Beneficial ownership / legal persons (IO.5: Moderate): At the time of the onsite visit, the RBO (Register of Beneficial Ownership, commercial companies) and RdT (Register of Trusts) were still “in the process of being completed” and not yet reliable sources for the private sector (§464, IO.5 conclusion). Competent authorities access BO information held by FIs and DNFBPs via case-by-case requests pending reliable access to these registers (IO.5 conclusion). FIs display only moderate effectiveness in identifying beneficial owners of legal persons: most apply the 25% regulatory ownership threshold without going further to identify other forms of control (§465, IO.4 key finding d). Timely access for authorities to accurate and current BO information “is not guaranteed in all cases” (IO.5 conclusion). The definition of beneficial ownership was identified as having a minor deficiency (IO.5 conclusion). Most sanctions relating to BO declaration obligations “are not dissuasive and are rarely imposed” (IO.5 conclusion). FUR1 upgrades R.24 and R.25 from PC to LC: the RBO is now operational, 92% of commercial companies and civil-law partnerships had declared BO information by end-May 2024 (77% for associations and foundations), and the trust register is operational. Remaining deficiencies under FUR1: the sanctioning framework still does not ensure dissuasive fines for serious or systemic BO breaches; the retention period for BO data in the RBO lacks legal clarity. IO.5 effectiveness is not reassessed by FUR1 and remains Moderate.

ML investigations and confiscation (IO.7: Low; IO.8: Low): Between 2017 and 2021, 192 ML investigations gave rise to only 19 prosecutions (§213). Only four final ML judgments were issued during the entire assessment period, all relating to self-laundering in simple cases involving cash deposits and withdrawals — “not consistent with Monaco’s risk profile” (§228). No case has highlighted links with PEPs. Investigations are “only partly in keeping with Monaco’s risk profile, threats and AML framework” (§223). A major structural shortcoming is the near-complete absence of third-party laundering cases — Monaco “has shown its capacity to achieve convictions for ML involving the proceeds of offences committed abroad and for self-laundering, but this does not extend to ML offences by a third party, which is a major shortcoming in view of its financial centre status” (IO.7 conclusion, §246). Investigation delays can reach ten years; the GPO’s powers are limited to non-coercive measures in preliminary investigations; sentences imposed are “neither effective nor dissuasive” (§246). Only about nine legal persons have been charged across all investigations under way (§210). On confiscation: the number of confiscation orders “is still very low and do not apply to property of an equivalent value or held by third parties” (IO.8 conclusion, §279). Instrumentalities of crime are not confiscated. Only two requests to freeze or seize assets were made during the entire assessment period, and none for confiscation (MER §789). Confiscation results are “not consistent with the ML risks in Monaco” (§297–298).

International co-operation (IO.2: Moderate): The MER finds that “major and systemic legislative obstacles, particularly uncommon, hinder the provision of MLA by Monaco” (IO.2 conclusion, §788). These arise from Article 204-1 CCP (added in 2018), which allows lawyers for persons concerned by an MLA request to access the content of the request, enabling procedural obstruction “for years” (IO.2 key finding b). More than one in two extradition requests is refused due to restrictive judicial interpretation (§788). SICCFIN’s response times to foreign counterparts are “inadequate,” primarily due to difficulties accessing information from the private sector (§790). The competent authorities seek assistance from foreign counterparts only “to a certain extent, although limited if considering the risk and the context” (§789). FUR1 re-rates R.37 from PC to LC: the CCP has been amended to address MLA confidentiality (Article 596-13), though some residual risk of disclosure to lawyers during appeals remains. IO.2 effectiveness is not reassessed by FUR1 and remains Moderate.

FUR1 developments (TC only — IO ratings unchanged): The 1st Enhanced Follow-up Report (MONEYVAL(2024)20, adopted 4 November 2024) re-rates 15 recommendations, all previously PC. R.6 and R.7 upgraded to C (TFS frameworks for terrorism and proliferation financing now fully compliant). R.12 upgraded to C (PEP framework now fully compliant). R.4, R.8, R.23, R.24, R.25, R.26, R.27, R.28, R.31, R.34, R.35 and R.37 all upgraded from PC to LC. R.15 (new technologies) remains PC and was not subject to a re-rating request. Remaining LC deficiencies include: paper-based STR reporting by lawyers (R.23); sanctioning framework not ensuring dissuasive fines for serious/systemic BO breaches (R.24, R.25); AMSF powers limited to remediation-based sanctions for one-off breaches identified in documentary checks (R.27, R.28, R.35). Monaco remains in enhanced follow-up and is expected to report back within three years. All IO effectiveness ratings from the 2022 MER are unchanged. Separately: FATF grey-listed Monaco in June 2024 for strategic deficiencies in effectiveness — principally the low rate of ML investigations and prosecutions, inadequate asset recovery, and insufficient supervisory effectiveness — which are not addressed by the FUR’s TC-only scope.
Key MER + FUR findings — attributable to source
  • Foreign-proceeds destination — predicate offence committed abroad (§13, §32, §38): NRA 2 finding adopted by assessors: in most identified cases the predicate is committed abroad, proceeds laundered in Monaco. Primary predicates: fraud/misappropriation/forgery, then corruption and influence peddling. SICCFIN disseminations to GPO dominated by corruption combined with misappropriation (§147). Assessors note Monaco’s NRA understates ML risk relative to its international centre profile (§32).
  • Supervision more awareness-raising than standards-aligned — IO.3 Low (§637, IO.3 conclusion): RBA only partially introduced in 2019 for frequency of inspections — not intensity. No follow-up process on identified deficiencies. SICCFIN Supervision Unit: “significant lack of human resources and appropriate IT tools.” Sanctions few, not proportionate, imposed 2–5 years after inspection. No sanctions by GPO or Bar Chairperson since 2016 despite identified deficiencies. No spontaneous or thematic inspections carried out.
  • 30% of STRs are defensive reporting; dissemination rate to GPO only 5% (§159, §161): Adverse-media-triggered STRs rising to 38% of total; “little financial intelligence value.” STR delays of 40–100 days even for banks (§162). Only 1 STR received by Bar Association Chairperson in entire assessment period (§154). STRs from non-banking sectors “not sufficiently detailed” (§158).
  • 192 ML investigations gave rise to only 19 prosecutions in 5 years; 4 final judgments (§213, §228): All final ML judgments relate to self-laundering in simple cash cases. No case involving PEPs; no third-party laundering prosecution despite financial centre profile; investigations “only partly in keeping with Monaco’s risk profile.” Investigation delays up to ten years; GPO limited to non-coercive powers in preliminary investigations (§217).
  • Only 2 requests to freeze/seize assets in entire assessment period; confiscation not consistent with risk profile (§279, §789): Zero requests for confiscation. Confiscation orders very low, not applied to equivalent-value property or third-party held property. Instrumentalities not confiscated. Capacity to manage seized property limited (IO.8 conclusion).
  • Major and systemic MLA obstacles — extradition refused in more than 1 in 2 cases (§788, IO.2 conclusion): Article 204-1 CCP allows lawyers for MLA-subject persons to access request content, enabling procedural obstruction “for years.” SICCFIN response times to counterparts “inadequate.” Restrictive judicial interpretation means >50% of extradition requests refused.
  • FUR1 (Nov 2024): 15 PC recommendations upgraded; R.12 and R.6/R.7 now Compliant; IO ratings unchanged: R.12 PC→C (PEP framework now fully compliant including international organisations and risk-based de-PEP). R.6/R.7 PC→C (TFS frameworks compliant). R.24/R.25 PC→LC (RBO and RdT operational; 92%/77% BO registration rates; sanctioning gaps remain). R.26/R.27/R.28 PC→LC (supervisory powers improved; one-off breach sanctioning gap persists). Monaco remains in enhanced follow-up. FATF grey-listing June 2024 reflects effectiveness deficiencies beyond TC scope of FUR.
Sources: MONEYVAL 5th Round MER, Monaco, MONEYVAL(2022)19, adopted December 2022 (onsite 21 February–4 March 2022). IO effectiveness ratings from MER Effectiveness Ratings table (p.15): IO.1 Moderate, IO.2 Moderate, IO.3 Low, IO.4 Moderate, IO.5 Moderate, IO.6 Moderate, IO.7 Low, IO.8 Low, IO.9 Moderate, IO.10 Moderate, IO.11 Moderate. TC ratings from MER Technical Compliance table (pp.15–16). 1st Enhanced Follow-up Report & Technical Compliance Re-Rating, Monaco, MONEYVAL(2024)20, adopted 4 November 2024 (TC only — IO effectiveness ratings not reassessed). Grey-listing: FATF Plenary statement June 2024. All paragraph references are to the 2022 MER.
🇮🇹
Italy
FATF MER February 2026 (onsite June–July 2025) — 5th round | Regular follow-up
D: 28/50 V: 22/50 50
Destination
Vulnerability
IO.1: SE IO.3: SE IO.4: ME IO.5: ME IO.7: SE IO.8: SE IO.10: ME FATF
Destination risk (MER §52–56, §60, §68, §72; IO.1: Substantial): Italy’s ML risk profile is defined by the intersection of pervasive domestic organised crime — described in the NRA as largely attributable to organised crime including Mafia-style crime (§54) — and an extensive shadow economy estimated at EUR 201 billion (approximately 10% of GDP in 2022), of which EUR 19.7 billion derives from criminal activities (§53, §60). The NRA identifies organised crime and tax offences as the highest-risk (“very significant”) ML predicates, followed by corruption, extortion, drug trafficking, and bankruptcy/corporate offences rated as high-risk (§56). Cash is the dominant payment medium — 69% of transactions by volume at point of sale, above the EU average of 59% — creating persistent ML vulnerability through cash-intensive sectors (§60). Organised crime is “increasingly infiltrating the legitimate economy, including in geographic areas of Italy where it has historically not been as widespread” including post-pandemic economic stimulus structures (§54). Criminal organisations “make extensive use of companies with complex and opaque structures to obscure beneficial ownership information and as a channel for laundering” (§68). Italy has approximately 1,130 supervised FIs and over 340,000 DNFBPs, plus approximately 130 VASPs at assessment; Italy ranks second in Europe by number of virtual currency service providers (§61, §63). Both domestic and foreign criminal groups use Italy’s financial system: foreign criminal groups move proceeds out to third countries, while domestic groups launder proceeds both domestically and abroad before repatriating them (§79). Corruption in public procurement is described as ongoing and recognised as a priority (§72). IO.1 is rated Substantial — Italy has a “reasonably sound understanding” of ML/TF risks, with three NRA iterations and robust FSC coordination (IO.1 conclusion, §30).

Financial sector and VASP supervision (IO.3: Substantial; MER IO.3 key findings, §57 IO.3 conclusion): The Bank of Italy (BoI) performs risk-based and adequate supervision of banks and major FIs; market entry controls for FIs appear robust against criminal infiltration (IO.3 key findings a, e). However, the supervisory setup is “relatively complicated, with multiple supervisory competences, regulated through specific MoUs to avoid overlap” — the GdF supervises VASPs and all DNFBPs, while BoI, IVASS, and CONSOB supervise different FI categories (IO.3 key finding f). The GdF and IVASS supervisory work on entities outside BoI supervision is “less developed and with a less clear application of the risk-based approach” (IO.3 key finding e). Critically, sanctions imposed where the GdF is supervisor “take two years in the MEF alone,” and BoI does not publish non-pecuniary sanctions — both “undermine the dissuasiveness (and thereby effectiveness) of the actions taken” (§11). VASP compliance “appears weaker overall, which is concerning given its risk and growing importance” (IO.3 key finding d). IO.3 is rated Substantial (§57).

Non-financial sector supervision (IO.4: Moderate; MER IO.4 key findings, §79 IO.4 conclusion): Notaries, auditors, and large online gambling providers have a detailed understanding of ML/TF risks; this is more limited for real estate agents, lawyers, and most other DNFBPs (IO.4 key finding d). Real estate agents and lawyers are “too heavily reliant on other obliged entities’ AML/CFT obligations to mitigate risks” (IO.4 key finding d). STR filing by DNFBPs is “overall low but showing an increasing trend” — the NRA itself flagged reporting levels as a concern (IO.4 key finding e). The GdF’s AOR process is used to prioritise supervision, but supervisory activities are “not wholly aligned with risk” and the sanctioning process takes two years before imposition by MEF, “reducing the impact of such sanctions” (§4, §5). The GdF applies no other remedial measures beyond recommending pecuniary sanctions and does not take specific actions to ensure identified deficiencies are rectified (§5, MER exec summary e). IO.4 is rated Moderate (§79).

Beneficial ownership — BO register suspended (IO.5: Moderate; MER §17–22, IO.5 key findings, §94 IO.5 conclusion): The BO register — the key mechanism for accessing beneficial ownership information — is “currently suspended, including for access by competent authorities” and “there is not a sufficient alternative mechanism in place to access BO information” (IO.5 key finding b). The business register provides basic information but “does not include information on control (such as associated voting rights), which lessens its value in identifying beneficial owners” (IO.5 key finding c). Access to BO information “depends on access to information held by FIs and DNFBPs or alternatively information obtained through international cooperation” (IO.5 key finding d). Sanctions for non-compliance with basic information obligations “are low and not dissuasive”; sanctions for breaches of BO obligations are “not applied, except by FI supervisors” (§22). IO.5 is rated Moderate (§94).

ML investigations and asset recovery (IO.7: Substantial; IO.8: Substantial; MER §27–33, IO.7/IO.8 key findings): Italy’s anti-organised crime framework represents one of the most sophisticated ML investigation and asset recovery systems globally. The GdF and DIA “structurally pursue parallel ML investigations alongside investigations of serious organised crime” — driven by the GdF’s broad database access and the Anti-Mafia Code’s (AMC) preventive confiscation powers (IO.7 key findings a–b). Over EUR 7 billion was confiscated by GdF and DIA during the evaluation period, including through non-conviction-based confiscation (IO.8 overall conclusion). Italy’s UIF and reporting entities regularly use the legal framework to suspend suspicious transactions; the DIA’s preventive confiscation under the AMC has resulted in substantial asset-tracing results (§26, §33). However, Italy does not maintain comprehensive statistics on underlying predicate offences for ML investigations (IO.7 key finding c). Self-laundering convictions are low, and it was not demonstrated that Italy prosecutes legal persons in line with its risk profile (§6, MER exec summary h). ML sanctions are “on the lower end of the spectrum considering Italy focuses on prosecuting ML relating to organised crime” (MER exec summary h). IO.7 and IO.8 are both rated Substantial.

Regular follow-up; only R.12, R.13, R.24, R.8 rated PC (MER TC table p.7): Italy was placed in regular follow-up at the February 2026 Plenary — a strong overall outcome. Only four Recommendations are Partially Compliant: R.12 (PEPs — gaps in coverage), R.13 (correspondent banking — mandatory EDD limited to non-EEA respondents), R.24 (BO of legal persons — suspended register), and R.8 (NPOs — oversight not sufficiently targeted to higher-risk organisations). IO.10 (TF-TFS) is Moderate: new UN designations are not systematically implemented without delay as Italy relies on the EU transposition process rather than maintaining a domestic bridging mechanism; no MEF decrees were issued for any new UN designations during the evaluation period (§39, KRA f). Italy’s three Substantial-rated IOs covering ML investigations (IO.7), asset recovery (IO.8), and financial intelligence (IO.6) reflect genuine best-practice performance in anti-organised crime financial work.
Key MER findings — attributable to source
  • Shadow economy EUR 201 billion; organised crime increasingly infiltrating legitimate economy; 69% cash transactions (MER §53–54, §60): Italy’s shadow economy is approximately 10% of GDP. Mafia-style organised crime — traditionally strongest in the south — is now expanding into northern regions and post-pandemic economic stimulus structures. Cash dominates point-of-sale transactions at 69% by volume, above the EU average, sustaining ML risk through cash-intensive businesses.
  • BO register suspended including for competent authorities; no sufficient alternative mechanism (MER IO.5 key finding b; §18, §22): Italy’s BO register — which would represent a key ML mitigation — is currently suspended, with access blocked even for competent authorities. There is no sufficient alternative mechanism. BO information must be obtained through FIs/DNFBPs or international cooperation. Sanctions for BO non-compliance are not applied except by FI supervisors; sanctions for basic information breaches are low and not dissuasive.
  • EUR 7 billion confiscated over evaluation period; Anti-Mafia Code preventive confiscation used extensively (MER IO.8 overall conclusion; §26): GdF and DIA confiscated assets valued at approximately EUR 7 billion during the evaluation period. Italy uses a range of modalities including non-conviction-based confiscation under the Anti-Mafia Code, pursuit of property of corresponding value, and judicial administration of working businesses seized from organised crime. The DIA’s preventive confiscation measures driven by STR-based intelligence are a distinctive strength.
  • Sanctioning timelines: two years for GdF-referred sanctions to be imposed; BoI does not publish non-pecuniary sanctions (MER §4, §11): Where the GdF identifies DNFBP or VASP non-compliance, it recommends sanctions to the MEF which then imposes them — a process taking approximately two years. This significantly undermines dissuasiveness. The BoI does not publish non-pecuniary sanctions, further weakening deterrence. No other remedial measures are available to the GdF beyond pecuniary sanction recommendations.
  • TF-TFS without delay: no domestic bridging mechanism; no MEF decrees for any new UN designations during evaluation period (MER §39; KRA f): Italy relies entirely on the EU transposition process to implement new UN designations, creating a window during which new designees are not subject to a legal freeze obligation in Italy. No MEF decrees were issued for any new UN designations during the evaluation period — authorities instead conducted database searches but found no matches. The KRA requires Italy to ensure new designations are “systematically implemented without delay.”
  • Lawyers claim their sector is low-risk despite complex ML case examples; DNFBP STR reporting overall low (MER §90; IO.4 key finding e): The National Lawyers Council “has not taken a systematic approach to AML/CFT training through their SRB” and lawyers “have independently claimed their sector is at low risk for ML/TF, despite case examples of abuse of lawyers in complex ML schemes in Italy.” DNFBP STR reporting is overall low and was flagged as a concern in the NRA.
  • Regular follow-up; four PCs only (R.8, R.12, R.13, R.24); seven IOs rated Substantial (MER TC table p.7): Italy’s placement in regular (not enhanced) follow-up reflects a system of genuine strength at the financial-sector and law-enforcement end, with targeted gaps in DNFBP supervision, BO transparency, and TF-TFS timeliness. IO.1, IO.2, IO.3, IO.6, IO.7, IO.8, IO.9, and IO.11 are all Substantial. Only IO.4, IO.5, and IO.10 are Moderate. No IO is rated Low. No FUR has been published as of this Index entry.
Sources: FATF MER, Italy, February 2026 (onsite 23 June–11 July 2025), 5th round. IO ratings from MER Effectiveness and Technical Compliance Ratings table (p.7). All findings attributed to specific MER paragraphs or chapter key findings. Italy was placed in regular follow-up at the February 2026 FATF Plenary. No FUR has been published as of this Index entry.
🇼🇸
Samoa
APG MER September 2015 (onsite Nov 2014) | 8th Enhanced FUR June 2023 (TC only)
D: 17/50 V: 32/50 49
Destination
Vulnerability
IO.3: LE IO.6: LE IO.7: LE IO.4: ME IO.5: ME APG
Destination risk (MER §2–3, §6, §26–28): Samoa’s offshore sector — principally international business companies (IBCs) — is identified as the “main ML/TF risks” in the jurisdiction (§2). At the time of the MER there were approximately 34,141 IBCs (later the 8th FUR records ~32,131 as of 2020), incorporated through licensed trust and company service providers (TCSPs) on the basis of introduced third-party business, with most introducers in Hong Kong, Singapore and Chinese Taipei and most beneficial owners from China and these jurisdictions (FUR §23–24). IBCs are created primarily for asset holding/protection and for obtaining tax privileges and exemptions. The 2012 NRA identifies the offshore sector, MTOs and cross-border cash movement as the areas of highest risk. The MER notes that “although there is only limited evidence to date to suggest it has occurred, there is a concern that criminals may misuse legal persons and arrangements, in particular IBCs, to launder or hide criminal proceeds,” and observes that this limited evidence “may result from a lack of detection, rather than a lack of such activity” (§26). Foreign predicate offences — particularly tax offences — are specifically cited as sources of concern for IBC misuse, with a small number of foreign information requests having already been received (§3). Domestic crime levels are low; the primary risk is foreign criminal proceeds entering through the offshore vehicle infrastructure. Samoan TCSPs’ ability to detect and report suspicious activity on IBCs is described as very limited due to their arm’s-length relationship with the ultimate beneficial owners (§22, §26).

Supervisory vulnerability (IO.3: Low; §23–25): The MER rates supervision Low with “fundamental improvements needed.” The structural problem is resource and scope: supervisory resources in the CBS and SFIU are described as “significantly inadequate.” Critically, at the time of the MER, AML/CFT supervision of the DNFBP sectors — casino, legal, accounting, real estate, precious metals — had “not commenced” at all, except partially for the TCSP sector (§23–24). The frequency and intensity of compliance inspections for banks and MTOs is “considered very inadequate” (§23). SIFA’s supervision of offshore entities (international banks, insurance) had been “inadequate” and of TCSPs “insufficient in depth and scope” (§23). Supervisor powers to impose sanctions are limited, and actual sanctions have been “minimal due to the low level of compliance inspections” (§25). No feedback is being provided to supervised entities (§25). The casino sector’s risks had not been assessed or supervised at all at the time of the on-site (§5).

Preventive measures (IO.4: Moderate; §18–22): The banking sector demonstrates a relatively high level of ML/TF risk understanding and a strong compliance culture for identification and CDD. MTOs — a high-risk sector — also have reasonably good awareness. However, other non-bank FIs (insurance, credit unions) and the DNFBP sectors have “generally weak and very limited” ML/TF risk understanding (§20). This is attributed to supervisors’ very limited engagement. Significant weaknesses exist in implementing PEP measures, correspondent banking, beneficial ownership identification, wire transfer beneficiary information and ongoing monitoring (§21). STR quality is poor — nearly all recent STRs concern internet scams and do not reflect the real ML/TF risk profile; the offshore sector generates very few STRs (§21). For the international sector, TCSPs demonstrate general awareness on IBC creation but their ability to conduct meaningful ongoing due diligence on the vast majority of IBCs — which are arm’s-length introduced business — is “very limited” (§22).

Beneficial ownership / legal persons (IO.5: Moderate; §26–29): TCSPs are generally effective at obtaining BO information on IBC creation, but this information is only updated annually and may be significantly out of date (§22, §28). For the ~32,000+ IBCs, BO information is not publicly available — it requires client consent — though SIFA and SFIU can access it for official purposes and have generally been able to respond to foreign requests (§27). The domestic company registry is “passive and reactive, with limited sanctions” and BO information for domestic legal persons is not centrally collected (§29). No requirement exists for companies to hold BO information in a register (MER R.24). Competent authorities’ actual investigative and analytical capacity to use this information is also limited given IO.6 and IO.7 Low ratings.

ML prosecution (IO.7: Low; IO.6: Low; §9–11): There were “no ML investigations or prosecutions” at the time of the MER, despite ML having been criminalised since 2000 (§11). Financial intelligence is not being used for ML or TF investigations; SFIU dissemination is limited, cooperation with LEAs is weak, and strategic analysis capacity is absent due to resource constraints (§9). The MER notes that this cannot be entirely explained by low domestic crime levels — “other, comparable small jurisdictions have undertaken some ML investigations/prosecutions” — and directly encourages prosecution of third-party ML and cases linked to serious offences in the offshore context (§11).

FUR developments (8th Enhanced FUR, June 2023; TC only): Samoa remains on enhanced follow-up having submitted eight FURs since 2016. The 8th FUR (2023) re-rates R.19 (NC→PC: some EDD framework improvements but countermeasures still absent) and R.36 (PC→LC: accession to Palermo and Merida Conventions). R.24 remains PC despite reforms to the Trustee Companies Act 2017 — BO requirements under the TCA are still unenforceable (no monetary sanction regulation issued); ongoing CDD for change of BO of international legal persons is inadequate (FUR §72–73). R.7 remains NC: no legal basis for PF targeted financial sanctions (FUR §93–95). IO ratings from the 2015 MER are unchanged — the FUR states it does not address effectiveness. 21 Recommendations rated C/LC; 7 remain PC or NC.
Key MER + FUR findings — attributable to source
  • ~32,000 IBCs are the primary ML/TF risk; foreign criminal proceeds via offshore sector identified (MER §2–3, §6, §22, §26): International sector (IBCs via TCSPs) is Samoa’s “main ML/TF risk.” Foreign predicate offences (especially tax) cited as offshore risk source. MER notes limited evidence of abuse “may result from lack of detection.” TCSPs’ ability to monitor IBCs “very limited” — most IBCs administered at arm’s length through foreign introducers (Hong Kong, Singapore, Chinese Taipei) with Chinese beneficial owners.
  • Supervision rated Low — DNFBP supervision had not commenced; CBS/SFIU resources “significantly inadequate” (IO.3; MER §23–25): Casino, legal, accounting, real estate, precious metals sectors — zero AML/CFT supervision at time of MER. Bank/MTO inspection frequency “very inadequate.” SIFA supervision of offshore entities “inadequate.” Sanctions “minimal.” No feedback to supervised entities. Fit and proper requirements do not extend to beneficial owners of FIs.
  • No ML investigations or prosecutions — ever (IO.7; MER §11): No ML cases investigated or brought for prosecution despite criminalisation since 2000. MER notes this cannot be fully justified and encourages pursuit of third-party and offshore ML. Financial intelligence not used for ML/TF investigations (IO.6 Low; §9). SFIU capacity “insufficient” for all FIU functions.
  • IBC BO information not publicly available; annual-only updates; domestic BO not centrally collected (IO.5; MER §27–29; R.24 PC): BO for IBCs requires client consent for public access; updated annually only. Domestic BO not centrally collected. Domestic registry passive/reactive with limited sanctions. No requirement for companies to hold BO in register.
  • 8th FUR (June 2023): R.19 PC, R.36 LC re-rated; R.24 remains PC; R.7 remains NC — IO ratings unchanged: R.24 still PC as TCA 2017 BO requirements unenforceable (no sanction regulation issued). R.7 still NC — no PF TFS legal framework. R.19 improved but countermeasures absent. Enhanced follow-up continues. 2015 IO ratings apply in full.
Sources: APG MER, Samoa, September 2015 (onsite November 2014); APG 8th Enhanced Follow-Up Report, Samoa, June 2023 (data to 1 June 2023). IO ratings from MER Table of Effective Implementation of Immediate Outcomes (Executive Summary pp.8–13); confirmed unchanged by 8th FUR (June 2023), which states it does not address effectiveness. TC ratings from MER Table of Compliance with FATF Recommendations (pp.14–22) as updated by 8th FUR Table (pp.17–18). All paragraph references are to the published MER unless prefixed “FUR §”.
🇵🇹
Portugal
FATF MER November 2017 (onsite March–April 2017) | No FUR adopted
D: 22/50 V: 26/50 48
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.7: SE IO.2: SE FATF
Destination risk (MER §29, §31, §35, §42): The MER identifies Portugal as a transit country for drug flows from Latin America and West Africa to the rest of Europe, with this transit role creating direct linkage to transnational organised crime and corruption (§29). Assessors found that Portugal’s post-crisis economic vulnerabilities “may have created vulnerabilities for the country, potentially exploited by criminal organisations” and that the country “has been the target of investment flows from various countries” that make it “more vulnerable to potential abuse…linked to the proceeds of corruption from high-level figures in foreign countries” (§29). The Golden Visa Programme — which granted residency permits in exchange for real estate investment of at least EUR 500,000 — is listed as a high-risk scoping issue requiring scrutiny as to the sources of inflows (§35, §42). The MER notes that “applicable safeguards regarding the sources of these inflows need to be rigorously implemented” (§42). The real estate sector, the banking sector, and high-value goods dealers are identified by the NRA as the specific sectors at highest risk (§33). The informal economy (estimated at 17.6% of GDP) combined with high cash use and limited threshold controls creates further inflow risk (§30). The Madeira Free Trade Zone (FTZ) — where foreign trusts can register under a preferential tax regime — is separately scoped as a higher-risk area due to limited information on settlors and beneficiaries (§35).

Supervisory vulnerability (IO.3: Moderate; §315–319, §336–337): The MER’s assessment of supervision is starkly divided. The banking supervisor (Banco de Portugal) applies a rigorous and increasingly risk-based supervisory programme with dedicated AML resources and enforcement powers used. However, the DNFBP sector is characterised by a level of supervisory failure that assessors describe as “highly uneven.” Most significantly, lawyers and solicitadores — key gatekeepers for real estate and corporate transactions — have “no AML/CFT-focused supervision” whatsoever (§315). Tax advisors and other legal professionals under ASAE similarly receive no AML/CFT-specific supervision. IMPIC (the real estate sector supervisor) is constrained by resource limitations to the point that it “cannot appropriately use and process the MOTRIM database information…to support its supervisory activities” (§316). ASAE has developed a risk-based inspection plan in principle but “did not demonstrate during the on-site visit that the inspection plan has been fully implemented, particularly given its limited human resources” (§316). Gambling supervisors rely on general tools rather than any AML/CFT-specific risk-based approach (§318). Assessors concluded that the uneven supervisory performance “is mainly due to an uneven level of understanding of ML/TF risks and the availability of resources…more acute for the DNFBP sectors” (§336).

Preventive measures (IO.4: Moderate; §16–17): Financial institutions, particularly larger banks and MVTS providers in international groups, have satisfactory risk understanding and mitigation measures including CDD, record-keeping, and monitoring. The most significant gap is that “some FIs do not seem to have a solid understanding of the concept of BO and tend to equate it to legal ownership” (§16). Among DNFBPs, the picture is weaker: lawyers “underestimate their overall exposure”; most DNFBPs “apply rule-based measures to mitigate risks” rather than genuinely risk-based approaches; and only a few DNFBPs “are duly filing STRs” (§17). EDD measures are known in principle but “do not seem to be rigorously implemented” (§17).

Beneficial ownership / legal persons (IO.5: Moderate; §20–21, §341–343): Basic information on legal persons is publicly accessible through various registries, and Portugal has taken measures to remove dormant companies from registers. The principal vulnerabilities are: no central BO register in place at time of assessment (the enabling law was passed in August 2017 but post-dated the onsite); BO information is “mainly available from FIs” but understanding of the BO concept among some FIs is unreliable (§21); the NRA does not provide a comprehensive ML/TF risk assessment of legal persons and arrangements; sanctions for non-compliance with transparency obligations “do not appear to be effective or dissuasive” (§21); and the Madeira FTZ foreign trust framework has specific gaps — settlor and beneficiary names are protected by secrecy and disclosable only by court order, and there is no requirement for trustees to keep updated information or cooperate rapidly with law enforcement (§341, R.25 conclusion).

ML investigations and confiscation (IO.7: Substantial, IO.8: Moderate; §11–12): Portugal demonstrates strong institutional commitment to ML prosecution: authorities show “high commitment to pursuing ML offences,” prosecute and obtain convictions across a range of ML types including stand-alone and third-party ML and foreign predicate laundering, and apply proportionate and dissuasive sanctions (§11). The “enlarged confiscation” regime combined with early asset freezing is described as a positive feature. Limitations: statistics on confiscated assets are not comprehensive or fully reliable, preventing Portugal from fully demonstrating the values of assets actually confiscated; cross-border detection of illicit currency movements has decreased; and legal persons are “prosecuted and convicted to a lesser extent than natural persons” (§11–12).
Key MER findings — attributable to source
  • Transit hub for drug flows; foreign corruption proceeds inflow risk; Golden Visa Programme (MER §29, §35, §42): Portugal identified as vulnerable to foreign criminal proceeds, particularly corruption-linked. NRA identifies drug trafficking, tax crime, fraud and corruption as main ML predicate offences. Golden Visa Programme singled out as requiring scrutiny on sources of investment inflows; safeguards need rigorous implementation. Real estate sector identified by NRA as a high-risk vulnerability. Madeira FTZ foreign trust regime separately scoped as higher risk.
  • Zero AML/CFT supervision for lawyers and key DNFBP categories (IO.3; §315–316, §336): Lawyers (OA) and solicitadores (OSAE) have no AML/CFT-focused supervision. Tax advisors and other legal professionals under ASAE similarly unsupervised for AML/CFT. IMPIC (real estate) cannot properly use its own MOTRIM transaction database due to resource constraints. ASAE inspection plan not demonstrably implemented due to limited human resources. Gambling supervision has no risk-based AML/CFT framework. Overall IO.3 rated Moderate: BdP strong, DNFBP sector systemically weak.
  • BO concept not fully understood; no central register at assessment (IO.5; §20–21): No central BO register operational at time of onsite (law passed August 2017, post-onsite). BO information dependent on FI records but understanding of BO concept unreliable in parts of the financial sector. NRA lacks comprehensive risk assessment of legal persons and arrangements. Sanctions for transparency non-compliance not effective or dissuasive. Madeira FTZ trust settlors and beneficiaries protected by secrecy; trustees not required to maintain updated BO information.
  • Mixed DNFBP preventive measures; low DNFBP STR filing (IO.4; §17): Most DNFBPs apply rule-based rather than risk-based measures. Lawyers underestimate ML exposure. Only a few DNFBP categories file STRs. EDD requirements known but not rigorously implemented. FIs also show gaps in BO concept understanding. Banking sector is the strongest performer.
  • No FUR adopted as of most recent available data — MER ratings apply in full: R.22 PC, R.24 PC, R.25 PC at MER (R.28 is LC); R.8, R.13 and R.16 are also PC. No re-ratings have been formally adopted. The BO register law (August 2017) and the new AML/CFT Law (August 2017) were both enacted after the onsite and could not be assessed.
Sources: FATF MER, Portugal, November 2017 (onsite March–April 2017). IO ratings from Effectiveness Ratings table (Executive Summary p.11). TC ratings from Technical Compliance Ratings table (p.11). Note: the new AML/CFT Law (Law 83/2017) and BO register law (Law 89/2017) were both promulgated August 2017 — after the April 2017 onsite — and could not be assessed. No FUR has been adopted. All paragraph references are to the published MER.
🇸🇬
Singapore
FATF/APG MER February 2026 (onsite July 2025) — 5th round
D: 30/50 V: 18/50 48
Destination
Vulnerability
IO.3: SE IO.4: SE IO.5: ME IO.7: ME IO.10: ME FATF/APG
Destination risk (MER §3, §57–60, §65, §71; IO.1: Substantial): The MER states that “Singapore’s ML and PF risks are disproportionate to its domestic crime environment” and that its “open economy, large trade flows, status as an IFC and a hub for company formation and wealth management make it attractive to businesses, foreign criminals, as well as those looking to launder their funds and enjoy them in a stable environment” (§3, §57–58). Singapore’s primary ML risk “largely emanates from foreign offences and offences with a foreign nexus,” with illicit funds primarily channelled through the banking sector and payment service providers (§59). The 5th round MER marks a significant evolution from the 2016 assessment: the most prominent ML threat is now fraud — particularly cyber-enabled fraud (CEF) and scams orchestrated by syndicates “typically located overseas” — alongside corruption, organised crime, tax crimes and trade-based ML (TBML) (§58, §65). Assets under management totalled SGD 6.07 trillion (USD 4.5 trillion) at end-2024, with 77% of AUM sourced from outside Singapore — making Singapore’s wealth management sector one of the world’s largest foreign-proceeds exposure points (§71). CSPs are assessed as Singapore’s highest-risk DNFBP sector, having been misused by foreign criminal groups to create shell and front companies (§60). The SGD 3 billion case (“3B$ case”), referenced in the MER, underscores the scope and scale of foreign criminal proceeds laundered through Singapore’s financial system (§3). IO.1 is rated Substantial, reflecting strong risk understanding and whole-of-government coordination, though with identified gaps in systematically connecting risk findings to specific mitigation measures and the relative prioritisation of risks (§5; MER IO.1 key finding c).

Financial sector and VASP supervision (IO.3: Substantial; MER Ch.3 key findings, Overall Conclusions on IO.3): Upgraded from Moderate in the 2016 MER to Substantial in 2026. Singapore has a robust licensing framework to prevent criminals from holding controlling interests in FIs and VASPs (IO.3 key finding a). MAS’ work ensuring FIs and VASPs understand ML/TF risks is described as “a strength of Singapore’s system,” with FIs and VASPs demonstrating solid, comprehensive understanding of AML/CFT obligations (IO.3 key findings c–d). However, the MER identifies that MAS’ supervisory activities are not “planned in accordance with institutional level residual risks” and the process to identify and document institutional residual risks between MAS’ AML department and nine prudential supervisory departments “is not thoroughly systematised” (IO.3 key finding e). STR reporting is “relatively low” for some higher-risk sectors including DPTSPs (VASPs) and for major ML typologies such as TBML (IO.3 conclusion). Sanctions “remain relatively low” in number and the level of financial sanctions “remains not proportionate when considering the size of relevant FIs/VASPs, the serious nature of breaches, as well as Singapore’s risk and context” (IO.3 key finding f). IO.3 is rated Substantial (Overall Conclusions on IO.3).

Non-financial sector supervision and preventive measures (IO.4: Substantial; MER Ch.4 key findings, Overall Conclusions on IO.4): Also upgraded from Moderate to Substantial. Singapore has robust market entry controls and fit-and-proper tests for DNFBPs (IO.4 key finding a). DNFBP supervisors demonstrate “varying yet improving understanding” of ML/TF risks, with stronger awareness in sectors regulated for longer (LTCs, CSPs, accountants, casinos) and improving but less granular understanding in others such as PSMDs (IO.4 key finding b–c). While risk-based supervision models are generally implemented, this is “recent in some sectors” (e.g. developers), and there are “some lower risk sectors being subject to a higher intensity of supervision than some higher risk sectors” (§22). Sanctions applied are generally “not dissuasive, especially taking into account the relative scale of company and transactions” (§22). MinLaw, having recently taken over supervisory responsibility from LawSoc for lawyers, demonstrated “limited understanding of the ML/TF risks associated with lawyers” (IO.4 key finding b). IO.4 is rated Substantial (Overall Conclusions on IO.4).

Transparency and beneficial ownership (IO.5: Moderate; MER Ch.5 key findings, Overall Conclusions on IO.5): R.24 and R.25 both remain Partially Compliant — the sole PC-rated Recommendations in the MER. Singapore demonstrates “a reasonable understanding of the risks stemming from most domestically incorporated companies, but a weaker understanding” of legal arrangements, Unregistered Foreign Companies (UFCs), and multi-structure misuse (IO.5 key finding a). Higher-risk areas such as UFCs and trusts have “insufficient mitigation measures in place”; the registration threshold for UFCs was set 50 years ago without consideration of current ML/TF risk (IO.5 key finding b). Basic and BO information for almost all domestic legal persons must be filed with ACRA, but gaps remain for UFCs, Variable Capital Companies (VCCs), and cases where a company is recorded as the BO (IO.5 key finding c). Singapore does not verify BO information before it is published on the ACRA central registry; BO accuracy is instead relied upon through reporting entities (IO.5 key finding d). Sanctions for breaches of BO information requirements are “not yet dissuasive as increased penalties were just enacted” (IO.5 key finding f). IO.5 is rated Moderate (Overall Conclusions on IO.5).

ML investigations (IO.7: Moderate; MER Ch.7 key findings, Overall Conclusions on IO.7): LEAs opened 11,189 ML investigations over the review period — a very significant number — but over 80% were initiated from victim complaints relating to CEF, and 93% involved domestic predicate offences, which “only partly aligns with Singapore’s risk and context” (IO.7 key findings a–b). Other sources including financial intelligence, referrals from predicate agencies, and international co-operation are “underutilised to identify ML” (IO.7 key finding a). There are “significantly fewer investigations into other higher-risk areas like tax crimes, corruption and TBML” (IO.7 key finding b). Of 11,189 ML investigations, only 682 natural persons were prosecuted — a conversion rate of less than 10% — and most resulting convictions are for low-level money mule cases rather than professional syndicates, professional intermediaries or legal persons (§31). Singapore “prosecutes few legal persons, local directors and professional intermediaries, which is not in line with its risk and context” (IO.7 key finding c). Penalties are assessed as “low for ML, which undermines dissuasiveness” (§3, MER exec summary). IO.7 is rated Moderate (Overall Conclusions on IO.7).

Asset recovery (IO.8: Substantial) and international co-operation (IO.2: Substantial; MER §10–11): Asset recovery is a high-level political priority supported by the National Asset Recovery Strategy; Singapore has a “strong operational and legal framework for asset recovery” (§33), yielding IO.8: Substantial. On international co-operation, Singapore “generally provides effective international co-operation but there can be delays” and “makes four times fewer MLA requests than it receives despite acknowledging that its primary risks lie abroad” (§11) — a persistent gap from the 2016 MER. IO.2 is rated Substantial. Singapore was placed in regular follow-up at the February 2026 Plenary.
Key MER findings — attributable to source
  • Primary ML risk is foreign; SGD 6.07 trillion AUM, 77% foreign-sourced (MER §59, §71): Singapore’s primary ML risk “largely emanates from foreign offences and offences with a foreign nexus.” Assets under management totalled SGD 6.07 trillion at end-2024, of which 77% are foreign-sourced — Singapore’s wealth management sector constitutes a major foreign-proceeds exposure point. Fraud (particularly CEF and scams by overseas syndicates) is assessed as the most prominent ML threat, alongside corruption, organised crime, tax crimes and TBML.
  • 11,189 ML investigations but less than 10% prosecution conversion; focus on CEF money mules not syndicates (MER §30–31; IO.7 key findings a–c): 93% of ML investigations involve domestic predicate offences, the majority being money mule cases linked to CEF. Only 682 natural persons were prosecuted from 11,189 investigations. Resources “primarily focussed into ML from simpler cases targeting CEF at the expense of major transnational investigations.” Fewer investigations into corruption, tax ML and TBML. Singapore “prosecutes few legal persons, local directors and professional intermediaries.”
  • CSPs assessed as Singapore’s highest-risk DNFBP sector; used by foreign criminal groups (MER §60): Corporate services providers, prominent in company formation, have been misused by foreign criminal groups to create shell and front companies and are assessed as Singapore’s highest-risk DNFBP sector. The 3B$ case “underscores the scope and scale of the misuse of Singapore’s financial system to launder the proceeds of crime” (§3).
  • R.24 and R.25 both Partially Compliant; UFC registration threshold set 50 years ago; BO information unverified (MER IO.5 key findings b–d): The only two PCs in the MER. Higher-risk areas including Unregistered Foreign Companies and trusts have insufficient mitigation measures. The UFC registration threshold has not been updated for current ML/TF risk. Singapore does not verify BO information before it is published in the ACRA registry. Sanctions for BO breaches are “not yet dissuasive.”
  • Singapore makes 4× fewer MLA requests than it receives despite primary risks lying abroad (MER §11): A persistent finding from the 2016 MER. Singapore’s central authority “seeks international co-operation in more modest ways” and the outgoing MLA volume is not commensurate with Singapore’s acknowledged foreign ML/TF risk profile. Singapore generally provides good-quality MLA in response to requests it receives.
  • MAS sanctions not proportionate to size or seriousness of FI/VASP breaches; low STR reporting by DPTSPs and on TBML (MER IO.3 key findings e–f): MAS has increased sanctions since the last MER, particularly against individuals, but the level of financial sanctions “remains not proportionate when considering the size of relevant FIs/VASPs, the serious nature of breaches, as well as Singapore’s risk and context.” STR reporting by higher-risk sectors including DPTSPs (VASPs) and on TBML is low relative to identified risk.
  • Placed in regular follow-up, February 2026; seven IO ratings of Substantial, four Moderate, no Low (MER effectiveness table p.6): Major improvement from the 2016 MER’s seven ME/LE outcomes. Singapore achieved Substantial on IO.1, IO.2, IO.3, IO.4, IO.6, IO.8, IO.9 and Moderate on IO.5, IO.7, IO.10, IO.11. Regular (not enhanced) follow-up reflects the overall strength of Singapore’s system relative to its risk profile, while significant gaps remain in BO transparency, ML investigation depth and MLA outreach.
Sources: FATF/APG MER, Singapore, February 2026 (onsite July 2025), 5th round. IO ratings from MER Effectiveness and Technical Compliance Ratings table (p.6). All findings attributed to specific MER paragraphs or chapter key findings. No FUR has been published as at the date of this Index entry; Singapore was placed in regular follow-up at the February 2026 FATF Plenary.
🇮🇲
Isle of Man
MONEYVAL MER December 2016 (onsite April–May 2016) | 4th Enhanced FUR November 2022 (TC only)
D: 25/50 V: 22/50 47
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME MONEYVAL
↑ TC improving (4th Enhanced FUR 2022) R.23 remains PC
D: ±0 (unchanged — IO ratings not addressed by FURs)   V: reduced from MER baseline (improved; most TC deficiencies resolved; R.23 PC remains)
Destination risk (MER §3, §58–59, §63, §69): The NRA rates the ML threat as “medium-high,” acknowledging that since much of the IoM’s financial business is “conducted on a non-face-to-face basis via intermediaries, the potential for proceeds of crime/funds related to ML/FT flowing into or through the IoM is medium to high” (§58). The ML threat is characterised as “mainly external” — business generated outside the IoM “presents the greatest source of threat” due to the volumes generated by non-resident customers and the type of non-resident customers targeted, “such as high net worth individuals, which could include politically exposed persons” (§59). Tax evasion, corruption, and fraud are identified as “the most likely external threats” based on SAR data and incoming MLA request statistics (§59). The TCSP sector — which presents the highest ML risk — is identified as inherently at risk of “laundering the proceeds of foreign tax evasion, foreign corruption and organised crime” (§63). The MER’s own case material references the extensive use of IoM companies to hold real estate in London, and the use of Manx corporate structures in investigations arising from the Arab Spring (§69). The NRA also cites a Transparency International report implying that Manx companies hold real estate in the UK. Insurance and pensions (the largest FI sector), banking, and online gambling add further non-resident exposure.

Supervisory effectiveness (IO.3: Moderate; MER §34–38): The IOMFSA and GSC have established supervisory frameworks, and the IOMFSA’s supervisory approach appears “quite robust, with a variety of off-site factors examined and comprehensive on-site examination” (§35). However, the IOMFSA has not given sufficient attention to the interplay of risks in the banking and TCSP sectors arising from chains of introductions (§35). Supervision under the DBRO Act of FIs and DNFBPs not otherwise overseen by IOMFSA or GSC started only at the beginning of 2016 (§38). The GSC had only recently completed the work necessary to implement a risk-based approach, making it impossible to assess effectiveness at the time of the onsite (§38). There is over-reliance in the past on remediation plans to address AML/CFT issues; remediation action has not always been effective (§37). The IOMFSA does not routinely collect statistics allowing full sector-level ML/TF risk consideration (§34). Sanctioning gaps exist in the GSC framework (§36).

Preventive measures (IO.4: Moderate; MER §27–33): FIs and DNFBPs generally demonstrate good knowledge of AML/CFT requirements and apply a risk-based approach (§27). However, the number of customers assessed as presenting a higher risk is “low compared to risks inherent in the IoM” (§28). There is “insufficient understanding of ML/TF risk where FIs operate business relationships for intermediary customers” (§29). A particular structural weakness is the “information chain” problem: FIs may rely on CDD collected by TCSPs that have themselves collected from a professional intermediary — “an increased inherent risk that a FI or DNFBP may have been provided with incomplete or false information” (§30). SAR quality is “rather low, with less than one third based on suspicion of ML/FT” (§31). TCSPs often do not meet their customers and many accept business from professional intermediaries (§30).

Beneficial ownership / legal persons (IO.5: Moderate; MER §39–43): The risk of legal person and arrangement misuse is “well understood” at a general level, but no specific exercise has been conducted to examine how IoM-established legal persons have been used to “disguise ownership or launder the proceeds of crime” (§39). The Central Registry does not collect all required basic information for foundations or partnerships, or collect it on a timely basis for 2006 companies (§40). Extensive reliance is placed on TCSPs to hold BO information — TCSPs have been regulated and supervised since 2000/2005, providing a stronger basis than many jurisdictions (§41). However, the measure of accuracy of BO information across the system cannot be fully verified. IoM’s Transparency International reference and Arab Spring case studies illustrate real-world misuse of IoM corporate structures for foreign-origin assets (§69).

4th Enhanced FUR developments (TC only — IO ratings unchanged; FUR November 2022): The 4th Enhanced FUR (November 2022) addresses R.23 only — and concludes it cannot be re-rated. Two deficiencies remain: (i) no independent audit function requirement for non-TCSP DNFBPs (the gambling sector in particular); and (ii) no clear statutory gateway for TCSP subsidiaries/branches in the IoM to share data for group AML/CFT purposes — with approximately one third of 105 licensed TCSPs being part of conventional TCSP groups (FUR §9–21). R.23 remains Partially Compliant. All other TC ratings are unchanged from the 3rd FUR (September 2020), which had already upgraded all other previously-deficient Recommendations. All IO ratings from the MER remain unchanged throughout all four FURs.
Key MER + FUR findings — attributable to source
  • ML threat medium-high, mainly external; TCSPs most vulnerable to foreign tax evasion, corruption, organised crime (MER §3, §59, §63): NRA rates ML threat medium-high; business from non-resident HNWIs and intermediaries presents greatest threat. TCSPs identified as highest-risk sector — inherently at risk of laundering proceeds of foreign tax evasion, foreign corruption and organised crime. IoM companies used to hold London real estate and appear in Arab Spring asset investigations (§69).
  • No third-party or standalone ML cases from foreign predicates (IO.7 LE; MER §15): Domestic drug/fraud cases with low proceeds dominate; no third-party or standalone ML cases pursued “when involving complex structures or when used to launder foreign predicate criminality.” Priority action calls for criminal justice policy on ML specifically addressing foreign predicate offending.
  • Information chain risk: banks relying on TCSPs relying on intermediaries (IO.4 ME; MER §29–30): Structural weakness — FIs rely on CDD from TCSPs that have themselves collected from professional intermediaries. TCSPs often do not meet customers or beneficial owners. SAR quality low; less than one third based on actual ML/TF suspicion. Number of higher-risk-rated customers appears low relative to inherent risks.
  • Outgoing international cooperation low relative to risk profile (IO.2 SE; MER §46): Low number of outgoing requests “does not seem commensurate with the IoM risk profile” and points to lack of proactive approach. Close cooperation with UK but insufficient proactive outreach to other jurisdictions for cross-border ML cases.
  • 4th Enhanced FUR (November 2022): R.23 not re-rated — independent audit function and TCSP group programme gaps remain: Two deficiencies persist: independent audit function absent for non-TCSP DNFBPs (gambling sector largest); no statutory gateway for TCSP branches in group structures to share CDD data. One third of 105 licensed TCSPs are part of TCSP groups. All other Recommendations at LC/C since 3rd FUR (September 2020). IO ratings unchanged.
Sources: MONEYVAL MER, Isle of Man, December 2016 (onsite April–May 2016); MONEYVAL 4th Enhanced Follow-Up Report, Isle of Man, November 2022 (MONEYVAL(2022)13). IO ratings from MER Effectiveness Ratings table (p.12); confirmed unchanged throughout all four FURs (TC-only reports). TC ratings from MER p.12 and 4th Enhanced FUR Table 2 (p.6).
🇭🇰
Hong Kong SAR
FATF/APG MER June 2019 (on-site October–November 2018) | 1st Regular FUR February 2023
D: 20/50 V: 26/50 46
Destination
Vulnerability
IO.4: ME IO.5: ME IO.3: ME FATF/APG
↑ Partial improvement (1st Regular FUR February 2023)
FUR: R.28 PC→LC (DNFBP supervision)   R.15 LC→PC (VASP scope gap)   Remains in regular follow-up
Destination risk (MER §§2–3, Key Finding (b), §§14–16): The MER identifies HKC’s main ML threats as “fraud, drugs-related crimes, and foreign corruption and tax evasion” (MER §3). As a “systemically important financial centre,” HKC’s status “inevitably exposes it to potential misuse as a transit point for foreign proceeds of crime” (§3). The HRA acknowledges that “front companies and shell companies constitute a significant ML risk in HKC, both for domestic and foreign predicates” (MER §436). Fraud-related ML accounts for 70% of ML investigations but there is “an appreciable drop in the investigation of non-fraud ML cases assessed as medium-high risk” — foreign drugs, tax crimes and corruption collectively represent less than 30% of ML investigations (MER §15). The MER finds “few of these foreign predicates have been prosecuted for ML in HKC” (§15) and the risk understanding for “ML linked to foreign tax and corruption offences should be further deepened” (MER Key Finding (a)). The low number of outgoing MLA requests “is not consistent with HKC’s risk profile” and HKC does not appear to be “making enough proactive efforts to pursue proceeds of crime outside the jurisdiction and ML arising from foreign predicate offences through formal means” (MER §41).

Supervisory effectiveness (IO.3: Moderate — MER §432): “HKC has achieved a moderate level of effectiveness for IO.3.” Core Principles supervisors — HKMA, SFC, and IA — implement “appropriate risk-sensitive supervision” with the banking sector as the most robust (MER §§31–32). However, “the C&ED, the RML, SRBs and other DNFBP supervisors need important improvements in risk understanding at the institutional level” (MER §31). The “scope and depth of inspections by the C&ED and the RML are too limited” and for SRBs and other DNFBP supervisors, “supervisory activities are generally at a nascent stage or complaints driven” (MER §32). “Limited sanctions have been applied for most of the sectors and, therefore, their effectiveness could not be fully demonstrated” (MER §33). The TCSP and estate agent sectors were, at the time of the MER, at the earliest stages of AML/CFT supervision.

Preventive measures (IO.4: Moderate — MER §369): “HKC has achieved a moderate level of effectiveness for IO.4.” Large FIs and international group members have good risk understanding and CDD implementation (MER §27). DNFBPs — other than large international TCSPs, accounting and law firms — “do not take a risk-based approach to mitigate their ML/TF risks, mainly as a result of a poorer understanding of their ML/TF risks” (MER §28). Domestic TCSPs and estate agents “do not yet have a good understanding of the concept of beneficial ownership and tend to understand it as legal ownership” (§28). DPMS and stand-alone financial leasing companies were entirely unregulated for AML/CFT (MER §§26, 30). “Extremely few estate agents have filed STRs” (MER §428) and STR filing in the TCSP sector is “very fragmented” (MER §429). R.12 (PEPs) was rated PC at MER — a gap in coverage of PEPs from other parts of China was identified (MER Priority Action (f)).

Legal persons and arrangements (IO.5: Moderate — MER Chapter 7): The MER rates IO.5 Moderate (confirmed by the effectiveness ratings table). The HRA assesses that “shell companies created in HKC have been used to facilitate predicate crimes and ML offences” (MER §35). Since March 2018 companies are required to keep a Significant Controllers Register (SCR), but the measure was new at the time of the on-site visit and “more time is needed to assess the effectiveness of the regime” (MER §36, §39). Around 23% of companies inspected had not kept an SCR (MER §458). R.24 was rated LC and R.25 PC at the MER. The TCSP licensing regime imposing CDD and record-keeping requirements on TCSPs was recent and its effectiveness “yet to be fully demonstrated” (MER Key Finding (f)).

Technical compliance and FUR (February 2023): At MER, key gaps were R.12 PC (PEP coverage), R.22 PC (DNFBP CDD), R.25 PC (trust BO arrangements), R.28 PC (DNFBP supervision). The 1st Regular FUR (adopted January 2023, published February 2023) re-rated only two Recommendations: R.28 PC→LC, as risk-based AML/CFT supervision for TCSPs, real estate agents and accountants was implemented (FUR §§ on R.28). R.15 was downgraded LC→PC, as the scope of regulated VASPs remained limited to centralized exchanges offering at least one security token — a “major deficiency related to the scope of VASPs” (FUR §§ on R.15). The proposed AMLO regime to extend VASP coverage to non-security token exchanges was not yet in force at the time of analysis. Post-FUR residual gaps: R.12 PC, R.15 PC, R.22 PC, R.25 PC; R.24 remains LC.
Key MER + FUR findings — attributable to source
  • IO.3 Moderate (MER §432): Core Principles supervisors (HKMA, SFC, IA) effective; C&ED, RML, SRBs and DNFBP supervisors at nascent or complaints-driven stage; limited sanctions applied across most sectors (MER §33)
  • IO.4 Moderate (MER §369): DPMS entirely unregulated for AML/CFT; domestic TCSPs and estate agents don’t understand BO concept; extremely few STRs from estate agents; R.12 PC — gap in PEP coverage for other parts of China
  • IO.5 Moderate: SCR regime for companies nascent at MER; ~23% of companies inspected had not kept an SCR (MER §458); trust BO information reliant on common law fiduciary duties; R.25 PC
  • Foreign proceeds: HKC’s main ML threats include “foreign corruption and tax evasion” (MER §3); few foreign predicate cases prosecuted domestically (MER §15); low outgoing MLA requests inconsistent with risk profile (MER §41)
  • FUR February 2023: R.28 PC→LC (risk-based DNFBP supervision implemented for TCSPs, real estate agents, accountants); R.15 LC→PC downgrade (major VASP scope gap — only security-token exchanges covered)
  • Post-FUR residual: R.12 PC, R.15 PC, R.22 PC, R.25 PC; DPMS AML/CFT regime commenced 1 April 2023 and VASP regime 1 June 2023 — both outside the FUR’s assessment window
🇹🇷
Türkiye
FATF MER October 2019 (onsite March 2019) | 1st EFUR Nov 2021 | 2nd EFUR Apr 2022 | 3rd EFUR Jul 2023
D: 19/50 V: 26/50 45
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.7: ME IO.8: ME FATF Grey-listed Oct 2021 — removed Jun 2024
Destination risk (MER §43–45, §49, §71; IO.1: Substantial): The MER describes Türkiye as located “at an inter-continental junction” facing “significant money laundering (ML) and terrorist financing (TF) risks,” driven by its geographic position between Europe, Asia and the Middle East and its borders with eight countries including conflict-affected states (§43). Key ML threats generating significant proceeds are illegal drug trafficking, migrant smuggling, human trafficking and fuel smuggling; in 2016, 68% of all smuggling convictions related directly to drug smuggling (§44). The business activities assessed as posing the highest ML/TF risks are banking, money and value transfer services (including illegal exchange offices), real estate and dealers in precious metals and stones (DPMS) (§44). The DPMS sector is rated high-risk due to Türkiye’s position among the five largest global markets, with annual business volume estimated at USD 10 billion (§71). Real estate is similarly rated high-risk, and was a priority focus for the assessment team (§49, item 8). Corruption is identified in the NRA at medium threat level (§47), and the OECD Working Group on Bribery had specifically concluded that Türkiye’s foreign bribery enforcement framework “needs to be urgently strengthened” and that sanctions for legal persons for foreign bribery were “not sufficiently effective, proportionate and dissuasive” (§54). The assessors rated IO.1 as Substantial, reflecting a generally sound risk understanding, while noting that national policies did not yet constitute a “comprehensive, national approach” and were not “easily tied together” (§7, §9).

Supervisory vulnerability (IO.3: Moderate; MER §29–32, §125 key findings, §429): MASAK is the central supervisory authority co-ordinating across BRSA, CMB, and MoTF. Market entry controls for licensing of banks and other FIs were found “generally well developed” (key finding a, Ch.6). However, the MER identifies significant gaps: supervisors had “yet to make full use” of NRA outputs to improve risk-based supervisory activity, and the supervisory approach needed to be “better aligned with a risk based approach” (key finding d, Ch.6). Sanctions applied were found “not always effective, proportionate and dissuasive” across both the financial sector and DNFBPs (key finding f, Ch.6). For DNFBPs, supervisory application was “uneven,” with little or no on-site supervision conducted or violations examined by MASAK and/or sectoral supervisors for key sectors, and limited statistical information available to ascertain the extent of enforcement (key finding g, §31). Unregistered MVTS activity was an identified concern, with supervisory authorities and FIs failing to take adequate steps to identify and stop it (§29). Türkiye is rated Moderate for IO.3 (§429).

Preventive measures (IO.4: Moderate; MER §27–28, Ch.5 key findings, §376): Banks have a “good understanding of ML risks,” though TF risk understanding is “relatively weaker” (§27; Ch.5 key finding a). Other FIs have “broadly good understanding” but DNFBP risk understanding is “overall low,” with particular concerns about real estate agents, DPMS, and exchange offices (Ch.5 key finding a). Banks have “relatively good AML measures consistent with risks” but DNFBPs have “much less robust measures” (Ch.5 key finding b). STR reporting by banks has increased and is broadly in line with risk, but reporting by exchange offices and DNFBP sectors is “low and not consistent with risk” (Ch.5 key finding d). Internal control systems at DNFBPs are “much less robust or not in place” (Ch.5 key finding e). Lawyers were entirely outside the AML/CFT framework, a scoping gap noted with concern given their role in company formation and real estate (§71, §73). Türkiye is rated Moderate for IO.4 (§376).

Legal persons and beneficial ownership (IO.5: Moderate; MER §33–35, §460): Türkiye has “most elements of a legal framework” to identify basic and beneficial ownership information of legal persons (Ch.7 key finding a). Centralised electronic registries (MERSIS, KOOP-BIS, VBYS, DERBIS) exist, and authorities have a “moderate understanding” of risks posed by legal persons — though a comprehensive assessment of all types has not been conducted (Ch.7 key finding c). A lack of comprehensive controls to verify accuracy and currency of registry information is noted (Ch.7 key finding d). Sanctions for failure to meet beneficial ownership reporting requirements are “applied to some extent,” but limited pecuniary fines may not always allow “effective, proportionate and dissuasive” sanctions (§35; Ch.7 key finding e). Turkish law does not recognise trusts (§76). Türkiye is rated Moderate for IO.5 (§460).

ML investigations and confiscation (IO.7: Moderate; IO.8: Moderate; MER §45–48 Ch.3 key findings, §203, §229): Each of Türkiye’s four LEAs has trained and dedicated ML investigators; however, Türkiye is “not effectively identifying ML activity for investigation” through STR analysis or investigation of proceeds-generating offences (Ch.3 key finding IO.7a). For the four highest-risk predicate offences, the ratio of ML investigations to predicate offence investigations is less than one ML investigation per 1,000 predicate offence investigations (Ch.3 key finding IO.7b). Türkiye lacks “policy objectives with specific goals considering ML investigations as a strategy to combat the profitability of crime” and has no comprehensive statistics on ML offences investigated (Ch.3 key findings IO.7c–d). On confiscation, an adequate legal framework exists, but limited statistics were provided; exceptional confiscation of EUR 10 billion via Presidential Decree against FETÖ/PDY following the 2016 coup attempt was the headline figure, but the confiscation system’s general effectiveness is not demonstrated, and values of realised assets in ordinary criminal cases are low (Ch.3 key findings IO.8a–c; §228). Türkiye is rated Moderate for both IO.7 (§203) and IO.8 (§229).

FUR technical compliance developments (3rd EFUR July 2023 — TC only; effectiveness IO ratings unchanged): The 3rd Enhanced FUR states it does not address progress on effectiveness (3rd EFUR, Introduction). It records technical compliance re-ratings on six Recommendations: R.8 PC→LC (NPO sector risk-based supervision improved; some Law 7262 measures remain disproportionate); R.12 NC→C (MASAK Communique No.21 on PEPs, November 2022, now covers foreign, domestic and international organisation PEPs); R.15 NC→PC (VASPs included as obliged parties and subject to MASAK supervision, but not required to be licensed/registered and not subject to AML/CFT measures beyond general preventive measures); R.22 PC→LC (lawyers added as obliged parties in 2020, PEP and new technology requirements extended to DNFBPs); R.26 PC→C (risk-based supervision methodology adopted January 2020, annual risk analyses conducted for FIs); R.28 PC→LC (DNFBP risk-based supervision implemented from 2021; minor remaining gap on fit-and-proper requirements for associates of criminals) (3rd EFUR, Table 1). As of the 3rd EFUR, Türkiye has one Recommendation at PC (R.15, VASPs). The 3rd EFUR notes Türkiye will report back on effectiveness in its 5th round mutual evaluation. Separately — not covered by the uploaded FURs — Türkiye was grey-listed by FATF in October 2021 and removed from the grey list in June 2024 following demonstrated progress on its FATF action plan; this is not reflected in the effectiveness IO ratings from the 2019 MER.
Key MER findings — attributable to source
  • Intercontinental junction — high ML/TF risk geography (MER §43–45): Borders with eight countries including conflict zones; key ML threats include drug trafficking, migrant smuggling, human trafficking and fuel smuggling. Drug smuggling represented 68% of all 2016 smuggling convictions. Banking, MVTS (including illegal exchangers), real estate and DPMS assessed as highest-risk business sectors.
  • OECD bribery enforcement criticised (MER §54): The MER records that the OECD Working Group on Bribery had specifically concluded that Türkiye’s foreign bribery enforcement framework “needs to be urgently strengthened” and that corporate liability for foreign bribery was inadequate — noted as a contextual factor bearing on corruption-related ML risk.
  • Supervisory approach not yet risk-based for DNFBPs; sanctions not dissuasive (IO.3; MER Ch.6 key findings d, f, g; §31): Supervisors had not fully used NRA outputs to align supervision with identified risks. Sanctions across financial and DNFBP sectors not always effective, proportionate or dissuasive. Little or no on-site supervision conducted for some DNFBP sectors; unregistered MVTS activity inadequately addressed.
  • DNFBP risk understanding “overall low”; STR reporting not commensurate with risk (IO.4; MER Ch.5 key findings a, d): Real estate agents, DPMS, and exchange offices identified as areas of particular concern. DNFBP STR reporting low and not consistent with risk. Lawyers entirely outside AML/CFT framework at time of assessment (§73).
  • Less than 1 ML investigation per 1,000 high-risk predicate offence investigations (IO.7; MER Ch.3 key finding IO.7b; §202): For drug trafficking, migrant smuggling, human trafficking and fuel smuggling combined — Türkiye’s four highest-risk predicates — ML investigation rates were below 0.1%. No comprehensive ML statistics by predicate offence type maintained.
  • Confiscation values low in ordinary criminal cases; limited policy framework (IO.8; MER Ch.3 key finding IO.8c; §228): Total realised confiscation values for ordinary crime types (smuggling, narcotics, human trafficking, etc.) in the 2013–2017 period were modest. Extended/lifestyle confiscation approach limited. FETÖ/PDY Presidential Decree confiscations (EUR 10 billion) were exceptional and not indicative of systemic capacity.
  • 3rd EFUR: six Recommendations re-rated; effectiveness IO ratings unchanged (3rd EFUR, Introduction and Table 1): R.8 LC, R.12 C, R.15 PC, R.22 LC, R.26 C, R.28 LC. The FUR states it does not address effectiveness outcomes; all IO ratings from the 2019 MER remain in force. One PC remains (R.15, VASPs — not licensed/registered; limited AML/CFT obligations beyond general preventive measures).
Sources: FATF MER, Turkey, October 2019 (onsite March 2019). IO ratings from MER Effectiveness Ratings table (p.11). Technical compliance ratings updated per FATF 3rd Enhanced Follow-Up Report, Türkiye, July 2023 (Table 1, p.20). All MER findings attributed to specific paragraphs or chapter key findings. The 3rd EFUR states it does not address effectiveness outcomes. Grey-listing: FATF Public Statement, October 2021; removal: FATF Plenary announcement, June 2024 (not covered by uploaded FURs).
🇲🇾
Malaysia
FATF/APG MER 2025 (onsite 3–21 February 2025) | Regular follow-up
D: 21/50 V: 24/50 45
Destination
Vulnerability
IO.1: SE IO.3: SE IO.4: ME IO.5: ME IO.7: ME IO.8: ME FATF/APG
Destination risk (MER §3, §55–61, §64, §69, §71–72; IO.1: Substantial): Malaysia’s ML risk profile is shaped by three intersecting factors: domestic illegal activities (corruption, fraud and scams, drug trafficking), strategic transit hub exposure (Strait of Malacca — a key maritime corridor for smuggling of drugs, wildlife, weapons and migrants), and systemic institutional vulnerabilities exposed by the 1MDB scandal. NRA 2023 identifies fraud, corruption, illicit drug trafficking, smuggling, and organised crime as the highest ML threats, with banking institutions, DPMS, and lawyers carrying the highest sectoral ML risks (§64). The shadow economy remains significant at 21.2% of GDP (2010–2019), down from 30.2% (2000–2009), and cash remains a common means of payment (§71). Malaysia’s proximity to the Golden Triangle and its role as a transit and destination country for illicit drugs exposes it to drug-related ML (§58). From 2021 to April 2024, EUR 685 million was lost to online scams affecting over 95,800 victims — a fast-growing source of ML proceeds (§59). The country hosts up to 3.5 million undocumented workers, with human trafficking assessed as medium-high risk for ML (§61). Corruption risk is assessed as high, with several high-ranking government officials convicted, charged or under investigation (§56). Labuan IBFC — a distinct regulatory zone with EUR 85.3 billion in financial sector assets — managed by LFSA, faces elevated ML risks from Labuan money brokers and banks due to international transaction volumes and higher-risk customers (§72). The Labuan CMI sector, which includes VASPs, has only four dedicated AML/CFT supervisors across all Labuan sectors. IO.1 is rated Substantial, reflecting five NRA iterations, strong NCC coordination, and robust domestic cooperation mechanisms (§37 IO.1 conclusion).

Financial sector and VASP supervision (IO.3: Substantial; MER §14–17, §69 IO.3 conclusion): Malaysia’s three main AML/CFT supervisors — BNM, SC, and LFSA — operate a comprehensive licensing framework preventing criminal infiltration of FIs and VASPs. FIs and VASPs generally have good ML/TF risk understanding and apply appropriate mitigating measures, particularly larger institutions (§16). However, STR reporting “remains low across all FI sectors, except for banks,” and AML/CFT supervision of banks “could be improved by further involving specialist AML supervisors in onsite examinations given the limited specialist expertise of general supervisors” in some technical areas (§14, IO.3 conclusion). Supervisory letters are used most frequently to address deficiencies, providing limited incentive for FIs to strengthen controls proactively (IO.3 conclusion). Malaysia does not rely on administrative licensing for DPMS — a high-risk sector — creating an entry controls gap (IO.4 key finding a). IO.3 is rated Substantial (§70 IO.3 conclusion).

DNFBP supervision and preventive measures (IO.4: Moderate; MER §18–23, IO.4 key findings, §91 IO.4 conclusion): DPMS — identified by the NRA as high-risk and comprising 2,390 entities — is “not subject to licensing or registration for AML/CFT/CPF purposes,” and some DPMS in East Malaysia were only recently incorporated into the regulatory perimeter (IO.4 key finding a; §18). DNFBP supervisors have good understanding of sectoral risk but this is “largely confined to the findings of the NRA” for smaller entities (IO.4 key finding b). STR reporting is “extremely low” across DNFBP sectors, and supervisors “continue to identify a significant number of AML/CFT deficiencies across most DNFBP sectors” (IO.4 overall conclusion). Enforcement action (compounds) is “rarely used, despite some serious deficiencies being identified,” and current sanctions levels may not be proportionate for general AML/CFT breaches (§23). Onsite supervision of the high-risk DPMS sector is described as “low across the reporting period” (IO.4 overall conclusion). IO.4 is rated Moderate (§91).

Beneficial ownership (IO.5: Moderate; MER §24–28, §107 IO.5 conclusion): Malaysia follows a multi-pronged approach for BO information — combining legal persons’ own records, CCM/LFSA registries, and information held by reporting institutions — but “significant improvements are required to fully meet the needs of the competent authorities” (§26). The mechanism for onshore companies to disclose nominee directors and shareholders is still being enhanced, “leaving opportunities for misuse by criminals” (IO.5 overall conclusion). For onshore legal arrangements, Malaysia relies heavily on the tax framework (IRBM audits) for BO information, and authorities “have never identified deficiencies in the accuracy of BO information submitted by legal arrangements” — raising doubts about verification robustness (§27). Sanctions for false or inaccurate BO filings are not yet proportionate or dissuasive (KRA h). IO.5 is rated Moderate (§108).

ML investigations (IO.7: Moderate; MER §32–34, IO.7 key findings, §136): ML investigations tripled from 821 (2015 MER) to 2,648 cases — a positive development (IO.7 key finding a). However, only 234 prosecutions and 52 convictions were recorded between 2019 and February 2025 despite a massive investigation volume, reflecting “serious shortcomings in translating investigations into outcomes” (IO.7 key finding b). Conversion barriers include evidence collection challenges, legislated time limits, limited prosecutorial training, and a preference for compounds and tax-based asset recovery over criminal prosecution (IO.7 key finding b). There are “very few prosecutorial results for stand-alone, third-party ML, and ML involving legal persons or foreign predicate offences” (IO.7 key finding b). The overall proportion of ML investigations relative to 767,000 predicate investigations remains low (IO.7 key finding a). ML prosecutions and convictions are “not fully in line with Malaysia’s risk profile, particularly relating to high and medium-high risk predicate offences.” IO.7 is rated Moderate (§136).

Asset recovery (IO.8: Moderate; MER §35–37, IO.8 key findings, §153): Between 2019 and February 2025, Malaysia recovered EUR 8.11 billion in assets total, with EUR 6.08 billion (75%) linked to the 1MDB case — primarily through foreign civil forfeiture and settlements (IO.8 key finding b). The remaining EUR 2.03 billion (25%) raises concern: 88% was achieved through IRBM tax remedies rather than criminal confiscation (IO.8 key finding b). Non-conviction-based forfeiture (NCBF) accounts for 88% of all forfeiture outcomes, reflecting the broader challenges in securing ML convictions (IO.8 key finding b). Forfeiture for drug trafficking, organised crime, and smuggling is “not proportionate to Malaysia’s risk profile” (IO.8 key finding c). Beyond 1MDB, Malaysia makes “limited use of asset recovery linked to foreign predicate offences or overseas assets” (IO.8 key finding c). The 1MDB focus has “diverted resources away from other cases” (§97). IO.8 is rated Moderate (§153). Malaysia was placed in regular follow-up at the 2025 FATF Plenary — no Recommendations rated PC or NC.
Key MER findings — attributable to source
  • 1MDB: EUR 8.11 billion recovered 2019–Feb 2025, EUR 6.08 billion 1MDB-linked; EUR 2.03 billion non-1MDB recovery relies on tax remedies (MER §36, IO.8 key finding b): The 1MDB corruption scandal remains the defining feature of Malaysia’s asset recovery record. EUR 6.08 billion recovered through foreign civil forfeiture and settlements. Of the remaining EUR 2.03 billion not linked to 1MDB, 88% was achieved through administrative tax remedies by IRBM rather than criminal confiscation, indicating structural over-reliance on non-criminal mechanisms.
  • DPMS (2,390 entities) not subject to AML/CFT licensing despite high-risk NRA rating; high-risk sector supervisory gap (MER IO.4 key finding a; §18, §23): Dealers in precious metals and stones are assessed by the NRA 2023 as the third-highest ML-risk sector (alongside banking and lawyers) but remain entirely outside the AML/CFT licensing and registration framework. Some DPMS in East Malaysia were only recently incorporated into the regulatory perimeter and are still being subjected to supervision for the first time.
  • 2,648 ML investigations but only 52 convictions 2019–Feb 2025; compounds and tax remedies preferred over prosecution (MER IO.7 key finding b; §34): A conversion rate of roughly 2% from investigations to convictions reflects systemic prosecution weaknesses. Barriers include legislated time limits, limited prosecutorial expertise, and a structural preference for administrative compounds and IRBM tax recovery over criminal ML prosecution. Stand-alone, third-party ML, and legal-person-involved ML are rarely prosecuted.
  • EUR 685 million lost to online scams 2021–April 2024; 95,800 victims; Strait of Malacca transit hub (MER §57–59): Rising scam proceeds — investment fraud, impersonation scams, phishing/ransomware — are rapidly laundered through mule accounts, cryptocurrency, and layered bank transfers. Malaysia’s Strait of Malacca position makes it a key transit hub for drug trafficking, smuggling and TBML, with complex trade transactions used to disguise illicit proceeds through over/under-invoicing and shell companies.
  • Labuan IBFC: EUR 85.3 billion in financial sector assets; four dedicated AML supervisors for all Labuan sectors; elevated ML risk from money brokers and banks (MER §72, §15): Labuan IBFC’s distinct regulatory regime and elevated exposure to international transaction flows and high-risk customers — including Labuan money brokers assessed as medium-high ML risk — is supervised by LFSA with only four dedicated AML/CFT/CPF supervisors across all sectors. The 2019 OECD report flagged insufficient oversight of Labuan trust companies for 2015–2017.
  • STR reporting extremely low across DNFBP sectors; enforcement action rarely used despite serious deficiencies (MER IO.4 overall conclusion; §23): Most DNFBP supervisors identify significant AML/CFT deficiencies across sectors on examination, yet rely on supervisory letters rather than compounds or formal enforcement action. STR reporting by DNFBPs is described as “extremely low.” Many DNFBPs struggle to identify ultimate BOs in complex structures. Current sanctions levels may be disproportionately low for general AML/CFT breaches.
  • Regular follow-up; no PCs; IO.9, IO.10, IO.11 all Substantial — TF/PF framework a genuine strength (MER IO ratings table p.7): Malaysia’s placement in regular follow-up reflects significant improvement since its 2015 enhanced follow-up. All 40 Recommendations are LC or C — no PCs. TF, TF-TFS and PF-TFS are all rated Substantial, reflecting the centralisation of TF investigations in the Special Branch, active domestic designation regime, and sound legal TFS framework. No FUR has been published as of this Index entry.
Sources: FATF/APG MER, Malaysia, 2025 (onsite 3–21 February 2025). IO ratings from MER Effectiveness and Technical Compliance Ratings table (p.7): IO.1 SE, IO.2 ME, IO.3 SE, IO.4 ME, IO.5 ME, IO.6 SE, IO.7 ME, IO.8 ME, IO.9 SE, IO.10 SE, IO.11 SE. All paragraph references are to the MER. Malaysia was placed in regular follow-up. No FUR has been published as of this Index entry.
🇸🇨
Seychelles
ESAAMLG MER September 2018 (on-site November–December 2017) | 8th Enhanced FUR & 3rd TC Re-Rating March 2023
D: 20/50 V: 24/50 44
Destination
Vulnerability
IO.4: ME IO.5: LE IO.3: LE ESAAMLG
↑↑ Significant TC improvement across 8 FURs
8th FUR: R.5 PC→LC; R.19 PC→C; R.25 PC→LC; R.28 PC→LC; R.34 PC→LC   Remains in enhanced follow-up
Destination risk (MER §§2–5, §§15–16, §§40–42): Seychelles is described as “an international financial centre with a significant share in this area in Africa” whose deliberate policy to grow international business operations has made it one of Africa’s most prominent offshore jurisdictions (MER §3). At the time of the on-site visit, 198,274 International Business Companies (IBCs), 719 international trusts, and 673 foundations were registered under the FSA (MER §15). The NRA “recognises the significant money laundering (ML) threat posed by non-resident clients” (MER §4). The vulnerable sectors identified include “commercial banks with operations in the international financial centre space; luxury real estate; dealers in motor vehicles, yachts and boats; TCSPs in the international financial centre activities; and bureaux de change” (MER §5). Critically, “at the time of the on-site visit, no foreign predicate offences had been identified and investigated by the authorities. This is of serious concern considering the international financial nature of activities which take place in the jurisdiction” (MER §126). The prime real estate market is “dominated by non-resident clients” (MER §24 scoping note).

Supervisory effectiveness (IO.3: Low — MER p.106): “Seychelles has achieved a Low Level of effectiveness for IO.3.” The FIU, as the sole AML/CFT supervisor, “has inadequate resources to effectively supervise or monitor compliance with AML/CFT requirements by reporting entities” (MER Key Findings §6). As a result, “the focus of the inspections has not been wide enough to cover the identified high risk reporting entities” (§6). Understanding of AML/CFT obligations among DNFBPs was “low with the exception of ICSPs” (MER §224). Real estate agents “did not appear to understand when to apply enhanced due diligence measures despite the sector recognising the high risk ML cases it faces” (MER §225). Sanctions were not applied effectively even where warranted (MER §6).

Preventive measures (IO.4: Moderate — MER p.97): “Seychelles is rated Moderate level of effectiveness with IO.4.” Commercial banks and ICSPs demonstrated relatively good understanding of ML/TF risks and implemented measures beyond what local laws require, including group-level databases for UBO verification (MER §12). However, the DNFBP sector “with the exception of the ICSPs, is generally lagging in relation to implementation of the AML/CFT requirements” (MER §8). Real estate agents, dealers in motor vehicles/yachts, and accountants showed particularly weak AML/CFT implementation (MER §§12–13, Priority Actions).

Legal persons and arrangements (IO.5: Low — MER p.115): “Seychelles has achieved a Low level of effectiveness for IO.5.” While ICSPs (who incorporate IBCs) are required to collect UBO information, “effective implementation of the UBO measures is more observed in the commercial banking industry, distantly followed by ICSPs, than other sectors” (MER §6). Domestic companies incorporated under the Companies Ordinance Act are not required to collect BO information at incorporation; reporting entities conducting domestic incorporations (barristers, notaries, attorneys) “do not comply with this requirement” in practice (MER §16). No sanctions for BO non-compliance had been applied to ICSPs/ITSPs at the time of the on-site visit (MER §246). R.24 and R.25 were both PC at MER.

Technical compliance and FUR history: At the MER (September 2018), Seychelles had 4 NC and 16 PC ratings out of 40 — among the weakest in the index — and all 11 IOs were rated Low except IO.4 (Moderate) (FUR §1). The 8th Enhanced FUR (March 2023) is the 3rd TC Re-Rating request. Cumulatively across all FURs to that date, substantial TC progress has been demonstrated. By the 8th FUR, the cumulative TC position (Table 4.1) includes: R.1→C, R.2→LC, R.3→LC, R.7→PC (from NC), R.8→NC (unchanged), R.15→NC (unchanged), R.16→LC, R.22→LC, R.23→LC, R.24→LC, R.26→LC, R.29→LC, R.34→LC, R.35→LC, R.37→LC, R.38→LC, R.39→LC. The 8th FUR itself re-rated: R.5 PC→LC; R.19 PC→C; R.25 PC→LC; R.28 PC→LC; R.34 PC→LC; R.33 remains PC. Seychelles remains in enhanced follow-up and must continue to report (FUR §44). Effectiveness ratings are not addressed by this FUR.
Key MER + FUR findings — attributable to source
  • IO.3 Low (MER p.106): FIU sole supervisor with inadequate resources; inspections not wide enough to cover high-risk entities; DNFBP sector (except ICSPs) with low AML/CFT understanding; sanctions not applied effectively
  • IO.4 Moderate (MER p.97): banks and ICSPs relatively good; DNFBP sector (real estate, motor vehicle dealers, accountants) lagging; real estate agents don’t understand when to apply EDD (MER §225)
  • IO.5 Low (MER p.115): 198,274 IBCs plus 719 international trusts registered; BO registers for IBCs through ICSPs but no sanctions for non-compliance; domestic incorporations don’t collect BO information in practice (MER §§15–16, 246)
  • Destination: IFC exposed to non-resident ML threat; “no foreign predicate offences had been identified and investigated” at time of on-site — “serious concern” for an IFC jurisdiction (MER §126); prime real estate dominated by non-residents (MER §24)
  • MER TC baseline (September 2018): 4 NC ratings (R.7, R.8, R.15, R.38) and 16 PC — among the weakest technical compliance profiles in this index (FUR §1, Table 2.1)
  • 8th Enhanced FUR March 2023 (3rd TC Re-Rating): R.5 PC→LC; R.19 PC→C; R.25 PC→LC (trust BO framework substantially improved via Trusts Act 2021, BO Act 2020); R.28 PC→LC (DNFBP supervision risk-based; minor gap on accountant/auditor fit-and-proper); R.34 PC→LC; R.33 remains PC (statistics not yet comprehensive)
  • Residual post-8th FUR gaps: R.4 PC, R.6 PC, R.7 PC, R.8 NC, R.15 NC, R.26 LC, R.33 PC — IO effectiveness ratings unchanged (all Low except IO.4 Moderate)
🇧🇸
Bahamas
CFATF MER May 2017 (onsite 30 Nov–11 Dec 2015) | CFATF 5th Enhanced FUR December 2022 (TC only)
D: 21/50 V: 23/50 44
Destination
Vulnerability
IO.1: Low IO.3: Mod IO.4: Mod IO.5: Mod IO.7: Low IO.8: Low CFATF
Destination risk (MER §5–7, §10–11, §22, §30–31): The Bahamas is an established international financial centre where financial services account for approximately 15% of GDP. Total banking assets amounted to BSD$279.2 billion — roughly 44 times the country’s GDP — of which 95.9% were offshore (MER §11). International banks held 69.1% of banking assets with a collective base of BSD$192.8 billion; investment fund administration represented a further BSD$134.6 billion (MER §11). The assessors identified the country as vulnerable to financial flows associated with foreign threats, including foreign tax evasion (MER §5). The draft NRA reviewed during the onsite identified The Bahamas as exposed to a wide range of ML threats including: foreign fraud channelled mainly through private banking, trust companies, and securities sectors; drug trafficking using IBCs and offshore banks to launder significant sums despite strict KYC requirements (referencing the 2014 US International Narcotics Control Strategy Report, MER §6). IBCs and offshore banks registered in The Bahamas were identified as potential laundering vehicles despite existing CDD requirements (MER §10, scoping of higher-risk issues). As of assessment, 173,907 IBCs were registered with 34,977 active — reflecting the jurisdiction’s role as a company formation centre (MER §22). The draft NRA acknowledged the inherent vulnerabilities of trust companies and FCSPs, particularly given their use of IBCs and the challenges of establishing beneficial ownership within a multi-jurisdictional context (MER §31). Private banking — personalised management of financial services to high-net-worth individuals including high-risk clients and PEPs — was characterised as high-risk for ML/TF given the large asset base, high volume of cross-border transactions, and complexity (MER §7). Foreign tax evasion was identified as a risk for which The Bahamas was recommended to put in place measures commensurate with the risk to identify and pursue the proceeds (MER §75, Priority Actions).

Risk, policy and coordination (IO.1: Low): At the time of the onsite, The Bahamas had not completed its first NRA. A draft was provided to assessors on the last day of the visit (MER §30). The draft NRA failed to fully discuss the inherent external threats the jurisdiction faces as an international financial centre — including foreign tax evasion, layering of external drug trafficking proceeds, and securities fraud — and contained no analysis of national vulnerabilities or an action plan for mitigating identified risks (MER §31, §43). No formal documented national AML/CFT strategy existed at the time of assessment (MER §34, §43). The Bahamas achieved a low level of effectiveness for IO.1 (MER IO.1 conclusion).

Supervisory vulnerability (IO.3: Moderate): The financial supervisors — CBB, SCB, and ICB — collaborated well and operated risk-based supervisory frameworks for most financial sectors. The CBB’s onsite inspections were described as thorough, with supervisory teams on-site for several weeks (MER §187). However, a risk-based approach had not been fully implemented for credit unions, the securities industry, or Gaming Board licensees (MER §186). The Compliance Commission faced challenges in registering lawyers, accountants, and real estate agents, and would benefit from additional resources and administrative penalty powers for non-compliance with registration requirements (MER §15, Key Findings). DNFBP supervisors needed to incorporate updated ML/TF risk information into guidance (MER §186). Overall, the jurisdiction exhibited some characteristics of an effective supervisory system (MER IO.3 conclusion).

Preventive measures (IO.4: Moderate): FIs in The Bahamas generally demonstrated extensive AML/CFT policies and procedures and a strong commitment to implementation. CDD was carried out in a robust way, including identification of beneficial owners, ongoing monitoring, and EDD for higher-risk customers such as PEPs (MER §12). FIs that were part of large international groups demonstrated better understanding of institutional ML/TF risks. However, FIs not part of such groups demonstrated limited understanding of their specific inherent ML/TF risks beyond customer-level risk assessments (MER §120). DNFBPs’ understanding of ML/TF risk — particularly TF and PF risks — was low, and group-wide programme requirements were not applied (MER §14). STR reporting overall was low given the substantial size of the financial sector and the significant presence of higher-risk activities including private banking, trust, company service providers, and real estate owned by foreigners; the banking sector contributed the majority of STRs while DNFBP reporting was very limited (MER §145). The overall STR count was noted as low taking into consideration the substantial size of the financial sector (MER, Key Findings §12). The Bahamas exhibited some characteristics of an effective system for preventive measures (MER IO.4 conclusion).

Legal persons and arrangements (IO.5: Moderate): Basic ownership information was maintained by the Registrar General, with beneficial ownership information held by FIs and DNFBPs and accessible to competent authorities in a timely manner (MER §206). Competent authorities understood the vulnerability posed by legal persons and arrangements being misused for ML/TF (MER §206, §209). While the Executive Summary stated that sanctions had been applied to legal persons, the operative IO.5 conclusion recorded that no sanctions had been applied to legal persons, leaving The Bahamas unable to demonstrate whether sanctions were effective, proportionate, and dissuasive (MER §208; cf. inconsistent Key Findings §18). Good levels of domestic and international exchange existed among competent authorities. The IBC register — with 173,907 entities registered — represented the dominant legal person form and was identified as a structural vulnerability (MER §10, §22).

ML investigation and prosecution (IO.7: Low): In the four years preceding assessment, there were no ML convictions in The Bahamas (MER §76). The Bahamas in practice placed emphasis on investigating predicate offences rather than ML — a pattern that had evolved due to advice from the ODPP to LEAs regarding the most achievable prosecutorial outcome (MER §77). The LEAs lacked the capacity to effectively pursue ML: staff did not possess the specialised human resources to properly conduct ML investigations and were not adequately trained (MER §77). Only one ML case was before the courts at the time of assessment, resulting from a recent parallel ML investigation (MER §77). There were no ML investigations, prosecutions, or convictions involving the predicate offence of foreign tax evasion — despite this being identified as a significant risk for an international financial centre (MER §75). The Bahamas achieved a low level of effectiveness for IO.7 (MER IO.7 conclusion).

Confiscation (IO.8: Low): The Bahamas had a robust legislative confiscation framework and had successfully undertaken confiscation action under POCA. However, authorities preferred confiscation of criminal proceeds from predicate offences rather than from ML, and there had been no confiscation of ML proceeds or terrorist property (MER §87). The value of confiscation was assessed as not commensurate with the country’s risk profile (MER §87). A limited cross-border declaration system was in place. In the absence of a completed NRA or formally documented national AML/CFT policies, assessors were unable to evaluate whether confiscation results were consistent with ML/TF risks (MER §87). The Bahamas achieved a low level of effectiveness for IO.8 (MER IO.8 conclusion).

5th Enhanced FUR (December 2022) — TC only; IO effectiveness ratings not addressed: The 5th FUR assessed progress on two Recommendations only: R.8 (NPOs) and R.15 (new technologies/virtual assets). R.8 was re-rated from PC to Compliant following completion in May 2022 of a comprehensive TF risk assessment of the NPO sector using the World Bank methodology, development of a Non-Profit Organisations Best Practices Manual (in collaboration with NPOs), implementation of a Risk Based Supervision Framework (April 2022), and establishment of proportionate and dissuasive sanctions including criminal fines up to $25 million and the power to revoke licences and order wind-up (5th FUR §§4–19). R.15 was re-rated from PC to Compliant following completion of a DA/DASP sectoral risk assessment (approved May 2022), enactment of the Digital Assets and Registered Exchange (DARE) Act with comprehensive AML/CFT Rules, legislative provisions requiring risk assessments prior to product launch, implementation of the travel rule for virtual asset transfers at a USD$1,000 threshold, and demonstrated ability to cooperate internationally on DASP matters (5th FUR §§20–42). With all 40 Recommendations now rated C or LC, The Bahamas remains in enhanced follow-up. The FUR does not analyse any progress on effectiveness; all IO ratings from the 2017 MER are unchanged (5th FUR §4, §46).
Key MER + FUR findings — attributable to source
  • Banking sector 44x GDP; 95.9% offshore (MER §11): Total banking assets BSD$279.2 billion with 95.9% offshore and 3.4% onshore. International banks held 69.1% of assets (BSD$192.8bn). Investment fund administration BSD$134.6 billion. The financial sector is overwhelmingly non-resident in character, with foreign tax evasion and offshore account ML identified as structural risks.
  • Foreign tax evasion identified as significant but unpursued risk (MER §5, §75): The MER identifies the Bahamas as vulnerable to financial flows associated with foreign tax evasion and recommends measures to identify and pursue its proceeds. No ML investigations, prosecutions, or convictions involving foreign tax evasion had occurred. Domestic NRA did not fully analyse this as an external threat.
  • 173,907 IBCs registered; BO transparency concerns (MER §6, §10, §22, §31): The IBC is the dominant legal person form. Drug traffickers were specifically cited as exploiting the large number of IBCs and offshore banks to launder money. Trust companies and FCSPs acknowledged as high-risk due to multi-jurisdictional BO challenges. Basic ownership information maintained by the Registrar General and beneficial ownership information held by FIs and DNFBPs, accessible to competent authorities; sanctions effectiveness not demonstrated.
  • No ML convictions in four years; emphasis on predicate offences only (MER §76–77, IO.7 Low): Zero ML convictions in the four years preceding assessment. LEAs advised by ODPP to pursue predicate offences rather than ML as the better prosecutorial outcome. Staff lacked specialised skills and training for ML investigations. Only one ML case before courts at time of assessment.
  • STR reporting low relative to offshore sector scale (MER §145, IO.4 Mod): Overall STR volume assessed as low given the substantial size of the financial sector and the substantial presence of higher-risk activities including private banking, trust, FCSPs, and real estate owned by foreigners. Banking sector contributed the majority; DNFBP reporting very limited. Gaming Board licensees filed no STRs 2013–2014.
  • 5th FUR (Dec 2022): R.8 and R.15 re-rated to C; all 40 Recommendations now C or LC; IO ratings unchanged (5th FUR §43–46): R.8 upgraded following NPO TF risk assessment (May 2022), Best Practices Manual and Risk Based Supervision Framework. R.15 upgraded following DARE Act, DASP sectoral risk assessment and travel rule implementation. FUR does not address effectiveness. Bahamas remains in enhanced follow-up.
Sources: CFATF Mutual Evaluation Report, The Bahamas, May 2017 (onsite 30 November–11 December 2015); CFATF 5th Enhanced Follow-Up Report, The Bahamas, December 2022 (adopted 55th CFATF Plenary, Cayman Islands). IO ratings from MER Effectiveness & Technical Compliance Ratings table (pp.10–11). 5th FUR §4 confirms FUR does not analyse effectiveness; §46 confirms all 40 Recommendations C or LC and continued enhanced follow-up.
🇨🇾
Cyprus
MONEYVAL 5th Round MER December 2019 (onsite May 2019) | 4th Enhanced FUR June 2025
D: 22/50 V: 22/50 44
Destination
Vulnerability
IO.1: SE IO.3: ME IO.4: ME IO.5: ME IO.2: SE MONEYVAL
Destination risk (MER §10, §20, §23–24, §58): The MER characterises Cyprus as an international financial centre (IFC) “primarily exposed to external money laundering threats as non-residents may seek to transfer criminal proceeds to or through Cyprus, particularly through the Cypriot banking system or may seek to use trust and company service providers” (§10). The NRA identifies the banking sector as presenting the highest ML threat, followed by ASPs (administrative service providers/TCSPs), with real estate third (§58). Assessors focused their scoping specifically on “how Cypriot authorities provide and proactively seek assistance… in the area of identification, freezing and confiscation of illegal assets traced or channelled through Cyprus and requests concerning BO of Cypriot companies owned by non-residents” (§20). The Citizenship Investment Programme (CIP), managing EUR 6.64 billion in investments during 2013–2018 with real estate the dominant vehicle, was identified as “inherently vulnerable to abuse for ML purposes” (§12, §24). The total assets of Cypriot banks, while reduced from EUR 122.9 billion in 2012 to EUR 60.5 billion in 2018 after the 2013 financial crisis, remain material; non-resident deposits declined but stabilised (§13). Non-resident owned and controlled Cypriot companies — where BOs reside outside Cyprus and conduct no underlying business there — are described by the assessors as “inherently vulnerable to misuse” (§626). Structures involving nominee shareholders average three layers of intermediary BOs and four or more individuals across multiple jurisdictions (§627). The GRECO evaluation (June 2016) noted that corruption is perceived to be widespread despite Cyprus being ranked comparatively well on the Corruption Perceptions Index, and more cases of corruption were evidenced by increased STRs between the NRA date and the onsite visit (§28, §57). The Panama Papers and Laundromat cases provided direct evidence of Cyprus’s exposure to cross-border ML schemes, with the multi-agency response demonstrating very good understanding in some areas (§63–66).

Risk policy and co-ordination (IO.1: Substantial): The authorities have good to very good understanding of ML/TF risks at national and sectoral level, informed by the NRA (published October 2018 covering through mid-2016) and by direct supervisory data, particularly the CBC’s institutional risk tool for banks (§56). The assessors rated IO.1 Substantial, citing strong risk understanding in the banking sector and positive multi-agency responses to international financial crime events. Key limitations: the NRA did not formally assess risks of legal persons and arrangements (§68); the full extent of risks associated with the CIP had not been subject to a comprehensive whole-of-government assessment (§62); and TF analysis had not fully explored potential avenues such as assessment of money flows to and from high-risk areas or the implications of a large population of temporary resident workers (§69).

Supervisory vulnerability (IO.3: Moderate): FI supervisors — the CBC for banks and CySEC for securities — apply risk-based supervision of generally good quality with comprehensive licensing controls (IO.3 key findings 1–5). However, the resources allocated to AML/CFT supervision across all supervisory bodies (except ICPAC’s onsite inspections) are “not sufficient to ensure the implementation of a fully effective risk-based supervision” (IO.3 key finding 12). DNFBP supervisors present a more mixed picture: the three ASP supervisors (CBA, ICPAC, CySEC) have differing risk assessment methodologies and all require further enhancement; the Estate Agents Registration Council “underestimates the ML/TF risks of the supervised sector” and is itself unsupervised as a self-regulatory body (IO.3 key findings 11, 17); the number of onsite inspections by all DNFBP supervisors except ICPAC is low; and very few sanctions for AML/CFT infringements have been imposed, with a tendency toward a “consensual approach which calls into question the effectiveness, proportionality and dissuasiveness of the sanctioning regime” (IO.3 key finding 14).

Preventive measures (IO.4: Moderate): Banks demonstrate “sophisticated understanding” of ML/TF risks and have strong CDD frameworks (IO.4 key finding 1). However, non-bank FIs and smaller ASPs are less consistently able to articulate how their business can be misused (IO.4 key finding 2). A structural concern is that many non-bank FIs and DNFBPs treat bank CDD as a supplement to, or replacement for, their own obligations, placing “undue risk-mitigation expectations on the banking sector and weakening the overall compliance effectiveness” (IO.4 key finding 4). Among DNFBPs, the casino was operating “at or beyond the limits of its ML/TF compliance and risk management system” with expansion planned (IO.4 key finding 11). Real estate agents “have not demonstrated that they apply enhanced measures appropriately” and their STR reporting is low (IO.4 key findings 12–13). Among the ASP sector, compliance has been uneven, with larger sophisticated ASPs performing well but the highly fragmented sector overall showing variable quality in BO identification and verification (IO.4 key finding 10).

Beneficial ownership / legal persons (IO.5: Moderate): Cyprus’s main mechanism for ensuring transparency of non-resident owned legal persons is the ASP regulatory framework, under which all non-resident owned/controlled legal persons must engage a Cyprus-licensed ASP (§641–642). However, “there is no comprehensive mechanism in place yet to verify that the requirement to engage the services of a Cyprus-licensed ASP is applied for all non-resident owned/controlled legal persons” (§644). The BO register was not yet operational at MER date; authorities planned to establish it by 10 January 2020 (§635, §240). Approximately 63,000 companies out of 215,346 had outdated basic information pending strike-off (§635). Sanctions for BO and AML/CFT violations have rarely been applied despite deficiencies identified on inspection (§662–663). “The lack of application of dissuasive and effective sanctions under the AML/CFT Law is seen as a significant shortcoming and provides little incentive for the private sector, in particular, the ASP sector, to improve compliance” (§662). The banking safeguard for BO transparency only operates where the legal person maintains a bank account with a bank in Cyprus, and there is no requirement for all non-resident owned/controlled legal persons to do so (§648).

ML investigations and confiscation (IO.7: Moderate; IO.8: Moderate): The majority of ML investigations and prosecutions relate to domestic predicate offences and self-laundering, which “is not fully consistent with the jurisdiction’s risk profile as an IFC” (IO.7 key finding 1, §210). Very few ML investigations have been harvested from incoming MLA requests despite Cyprus’s IFC status (IO.7 key finding 1). The expertise of police generally to deal with ML investigations “may still be said to be in its infancy” (IO.7 key finding 2). There is no mechanism for non-conviction based forfeiture except where the defendant is deceased or outside the jurisdiction, and this regime was described as “vastly underutilised” (§207). On confiscation: Cyprus has “achieved appreciable results as regards the confiscation of assets representing the proceeds of domestic criminality” but is less effective at “freezing and confiscating the proceeds of foreign criminality, on the initiative of the domestic authorities” (§241). Overall 13% of frozen assets were ultimately confiscated across the review period, with notable gaps in 2014 and 2018 (§220). Cyprus has some good case examples including corruption prosecution with confiscation of proceeds in the UK and a coordinated joint investigation team with a foreign jurisdiction (Box 8.1, §246).

International co-operation (IO.2: Substantial): Cyprus has been effective in executing MLA requests in a timely and constructive manner; the FIU has been instrumental in freezing and confiscating assets on behalf of foreign jurisdictions; and extradition is handled effectively (§745). The Police demonstrate proactive outgoing MLA requests in corruption and fraud cases, with approximately 35–40% of outgoing requests involving suspected traces of proceeds leaving the island (§696). Feedback from the Global Network is generally positive.

FUR1–FUR4 developments (TC only — IO ratings unchanged): Four Enhanced FURs have been issued since the 2019 MER. Across all four FURs, only two recommendations have been re-rated. R.13 was upgraded from PC to LC in FUR4 (June 2025) after the AML/CFT Law was amended to remove the EEA/third-country distinction for correspondent banking requirements (§6 FUR4). R.8 (NPOs) remains PC through all four FURs despite substantial effort: the 2024 NPO TF risk assessment was completed and identifies 2% of assessed NPOs as medium-high to high risk, but non-profit companies remain outside the assessed scope and multiple procedural gaps persist (FUR4 §10). R.31 (investigative powers) remains PC; a re-rating request was declined by MONEYVAL at FUR4 (FUR4 §10). All IO effectiveness ratings from the 2019 MER are unchanged. Separately: the Cyprus Investment Programme was suspended in November 2021 and abolished following a major media investigation exposing its vulnerability to abuse — removing the most identified ML vulnerability from the MER. Following FUR4, Cyprus is no longer subject to the 5th-round follow-up process; the 6th round onsite visit is scheduled for October 2028 (FUR4 §16).
Key MER + FUR findings — attributable to source
  • Explicit IFC foreign-proceeds characterisation (§10, §58, §20): MER states Cyprus is “primarily exposed to external money laundering threats.” Banking sector is the highest ML threat, followed by ASPs. Assessors specifically scoped the identification, freezing and confiscation of assets “traced or channelled through Cyprus” as a priority area. Very good understanding of cross-border risks in banking, with CBC undertaking specific shell company and Laundromat risk exercises.
  • CIP: EUR 6.64 billion, inherently vulnerable to ML abuse (§12, §24): Real estate the dominant CIP investment vehicle. CIP described as “inherently vulnerable to abuse for ML purposes” with gaps in the whole-of-government AML risk assessment. High-net-worth applicants including some PEPs. CIP suspended 2021 and abolished following Al-Jazeera investigation — most named MER vulnerability removed post-assessment.
  • Non-resident legal persons: no comprehensive ASP compliance verification (§625, §644): No formal risk assessment of legal persons. No mechanism to verify all non-resident owned/controlled legal persons actually engage a licensed ASP. Average ownership structures involve three layers of intermediary BOs across multiple jurisdictions. The bank-based transparency safeguard only operates where a legal person holds a Cyprus bank account, and there is no requirement that all such legal persons do (§648).
  • DNFBP supervision: low inspections, consensual sanctions approach (IO.3 key finding 14): Very few sanctions for AML/CFT infringements by all DNFBP supervisors; consensual approach questions effectiveness and dissuasiveness. Estate Agents Registration Council underestimates ML/TF risks and is not supervised as an SRB. Casino operating at or beyond compliance limits with aggressive expansion planned (IO.4 key finding 11).
  • ML investigations predominantly domestic/self-laundering; few from foreign MLA (IO.7, §210): Not fully consistent with IFC profile. Police ML expertise described as “in its infancy.” Non-conviction based forfeiture regime “vastly underutilised” (§207). 13% of frozen assets ultimately confiscated over 2013–2018 period; foreign-criminal-proceeds confiscation largely reactive to incoming MLA rather than proactive (§241).
  • FUR4 (June 2025): R.13 PC→LC — only substantive change in 4 FURs; R.8 and R.31 remain PC: R.13 upgraded after EEA/third-country correspondent banking distinction removed. R.8 (NPOs) remains PC after four requests for upgrade — non-profit companies not yet fully assessed for TF risk; multiple procedural gaps persist. R.31 (investigative powers) re-rating request declined. All IO effectiveness ratings unchanged. Cyprus exits 5th-round enhanced follow-up; 6th-round onsite October 2028.
Sources: MONEYVAL 5th Round MER, Cyprus, MONEYVAL(2019)27, adopted December 2019 (onsite 13–24 May 2019). IO effectiveness ratings from MER Effectiveness Ratings table (p.14): IO.1 Substantial, IO.2 Substantial, IO.3 Moderate, IO.4 Moderate, IO.5 Moderate, IO.6 Moderate, IO.7 Moderate, IO.8 Moderate, IO.9 Substantial, IO.10 Moderate, IO.11 Moderate. TC ratings from MER Technical Compliance table (pp.14–15). 4th Enhanced Follow-up Report & Technical Compliance Re-Rating, Cyprus, MONEYVAL(2025)2, adopted 12 May 2025 (TC only — IO effectiveness ratings not reassessed). CIP abolition: October/November 2021 (post-MER; not covered by FURs). All paragraph references are to the 2019 MER unless marked as FUR4.
🇬🇬
Guernsey
MONEYVAL 5th Round MER December 2024 (onsite April 2024) | No FUR adopted
D: 27/50 V: 17/50 44
Destination
Vulnerability
IO.7: LE IO.3: ME IO.4: ME IO.5: SE IO.10: HE MONEYVAL
Destination risk (MER §2, §9, §12, §35, §22): The MER is unambiguous: “the Bailiwick’s primary money laundering threats arise from foreign criminality,” specifically bribery and corruption, fraud, tax evasion and drug trafficking (§12). Criminal proceeds “are most likely to be sent from or otherwise linked to the UK, followed by the USA, major countries within Europe and, to a lesser extent, other countries such as the Russian Federation, South Africa, China, Nigeria, India and the UAE” (§12). Proceeds originating from third countries also reach Guernsey after passing through other IFCs used as entrepôts (§12). The Bailiwick is “a major financial centre with clients from all over the world”: 20 banks with £96.2 billion in total deposits; 693 investment firms and 941 regulated collective investment schemes with net asset value of £289.9 billion; 151 primary fiduciaries administering trust and corporate structures for non-resident clients; finance accounts for 36% of GVA (§9, §35). The NRAs identify private banking and TCSPs handling cross-border business as the highest-risk sectors, with bribery, corruption, tax evasion, and organised crime from foreign sources as the most likely ML methods (§22). An important qualification: proceeds are “more likely to pass through the Bailiwick than to be located within the jurisdiction for any significant length of time,” and opportunities for domestic tangible-asset acquisition are limited — though ownership and control of assets elsewhere may still be structured through Bailiwick entities (§12). The FIU’s consent regime has returned large amounts of foreign-linked proceeds to international partners (§19).

Supervisory vulnerability (IO.3: Moderate; §44–48): The GFSC has maintained a risk-based supervisory model for several years and conducts thorough on-site examinations supplemented by well-targeted thematic reviews. However, the frequency of full-scope examinations for medium-high risk entities and the extent of client file sampling need recalibration (§46). The GFSC actively exercises enforcement powers including against senior officers — a positive distinguishing feature — but the lengthiness of enforcement actions and the low number of pecuniary fines in high-risk sectors are concerns (§47). No criminal sanctions have ever been imposed for SAR reporting failures, despite these being exclusively sanctionable criminally and evidence of administrative actions having been taken (§47). The AGCC (which supervises eCasinos) relies exclusively on remedial actions and during the review period “never exercised its enforcement powers” (§47). The Administrator framework (covering accountants, real estate agents and foreign-qualified legal professionals) was only recently introduced and needs to mature further, and not all DPMSs are covered by market entry requirements (§44). EFCB under-resourcing is a systemic constraint on the effectiveness of the overall system (§21, §44).

Preventive measures (IO.4: Moderate; §38–43): The majority of material sectors — banks, TCSPs, eCasinos — demonstrate good ML risk understanding and implement effective AML/CFT measures including risk-based CDD, EDD and record-keeping. The investment sector needs improvement in its understanding of ML risks, particularly the concept of control through other means, and the application of SDD for financial intermediaries (§38–40). A recurring concern is the declining volume of SARs from key sectors: reporting from banks, TCSPs and investment firms is declining, which is “not in line with the risk profile of Guernsey” as an IFC (§15, §42). The quality and relevance of SARs also remains a concern — most SARs originate from a single eCasino and have limited monetary/intelligence value, while SARs related to tax evasion and corruption (the primary risk vectors) are under-reported (§15, §42). Tax-evasion countermeasures are applied, but the assessment team “is not convinced that these are applied effectively” (§39).

Beneficial ownership / legal persons (IO.5: Substantial; §49–54): Guernsey has comprehensive measures to prevent misuse of legal persons and arrangements, including public basic information registers, fully populated BO registers with ongoing accuracy checks, resident agent requirements, GFSC/Registry supervisory involvement, and annual validation by legal persons themselves (§50–51). BO information is directly accessible to GFSC, FIU, EFCB and the Revenue Service with no reported access issues (§52). On-site examinations by GFSC and Revenue Service are of good quality, and the Guernsey Registry began its own on-site inspections in 2023 — the coverage of Guernsey trusts through GFSC inspections remains somewhat limited (§51, §53). Penalties imposed by the Registries and Revenue Service are “not always deemed to be proportionate, effective, and dissuasive,” and there were no pecuniary fines for BO obligation breaches (§54). The 2024 risk assessment on legal persons and arrangements represents a significant improvement in analytical depth (§49). Non-cellular companies and discretionary trusts have the highest ML exposure, particularly through complex structures (§24).

ML prosecution (IO.7: Low; §21–23, §310–312): The IO.7 Low rating is the most significant weakness. The EFCB was created in 2021 as a dedicated financial crime bureau — a “strategic shift towards pursuing ML activities in line with the country risks” — but this objective “has only to a limited extent been achieved mainly because of lack of human resources” (§310). The number of ML investigations and prosecutions is “generally low and declining” (§21, §310). ML cases prosecuted were dominated by proceeds from low-level domestic predicates and are “only to some extent in line with the risk profile of the jurisdiction” — cross-border and foreign-predicate ML cases, which constitute the primary risk, are under-represented (§311). Sanctions in ML convictions are “remarkably lenient” and “not dissuasive,” and no legal persons have ever been investigated or prosecuted for ML (§312). Confiscation results have also been “rather moderate” given the jurisdiction’s context (IO.8: Moderate; §24–25).
Key MER findings — attributable to source
  • Primary ML threat is foreign criminality: bribery, corruption, fraud, tax evasion (MER §2, §12, §22): MER states the Bailiwick’s “primary money laundering threats arise from foreign criminality.” Criminal proceeds linked to UK, USA, major European economies, Russia, South Africa, China, Nigeria, India, UAE. Proceeds also arrive via IFC entrepôts. Private banking and TCSPs rated highest-risk sectors. IFC with £96.2bn bank deposits, £289.9bn investment scheme NAV, 151 primary fiduciaries.
  • IO.7 rated Low — ML prosecutions low, declining, dominated by domestic low-level predicates (MER §21–23, §310–312): EFCB created 2021 but under-resourced; ML investigations generally low and declining. Very few convictions, all low-level domestic predicates; cross-border and foreign-predicate ML systematically under-represented. No legal person ever investigated or prosecuted for ML. Sentencing “remarkably lenient” and not dissuasive. EFCB’s reliance on civil forfeiture as alternative may further reduce ML prosecution pressure.
  • Declining SAR reporting from key sectors; tax evasion/corruption SARs under-reported (IO.4; MER §15, §42): Most SARs from single eCasino with limited intelligence value. Banks, TCSPs and investment firms all declining. SAR reporting not in line with risk profile as an IFC. Tax evasion and corruption — primary ML risk vectors — under-represented in SAR reporting. AT not convinced tax-evasion countermeasures are applied effectively.
  • GFSC supervision strong but sampling/frequency gaps; AGCC never exercised enforcement powers (IO.3; MER §46–47): GFSC risk-based with on-site examinations and thematic reviews, but file sampling and frequency for medium-high risk entities need recalibration. AGCC relies exclusively on remedial actions — no enforcement ever. No criminal sanctions ever imposed for SAR failures. Low pecuniary fines in high-risk sectors. EFCB under-resourcing systemic constraint.
  • TC near-perfect: all 40 Recommendations rated C or LC — no PC or NC ratings: Guernsey has the strongest TC picture among jurisdictions assessed in this index. All R.22, R.23, R.24, R.25 rated LC or C. The principal risks are in effectiveness rather than technical framework. No FUR adopted as of most recent available data.
Sources: MONEYVAL 5th Round MER, Guernsey, December 2024 (onsite April 2024), adopted at MONEYVAL 68th Plenary Session, December 2024. IO ratings from Effectiveness Ratings table (Executive Summary p.20). TC ratings from Technical Compliance Ratings table (p.20). No FUR has been adopted. All paragraph references are to the published MER.

Tier 3 — Moderate (score 30–43)

🇷🇺
Russia
FATF/EAG/MONEYVAL MER October 2019 (on-site March 2019) | EAG 1st FUR December 2023
D: 17/50 V: 26/50 43
Destination
Vulnerability
IO.4: ME IO.5: SE IO.3: ME FATF/EAG/MONEYVAL
↑ TC improvement (EAG FUR December 2023) FATF membership suspended February 2023
FUR: R.6 PC→LC; R.7 PC→LC; R.25 PC→LC   R.15 C→PC (downgrade)   EAG regular follow-up continues
Destination risk (MER §§2–5, §§50–51): The MER states that “Russia is generally perceived as a source country for proceeds of crime, and is not a major centre for laundering the proceeds of crime committed in other countries” (MER §2). Consistent with this, “Russia’s exposure to ML risks is primarily as a source of proceeds of crime” (MER §50). The ML NRA identifies “embezzlement of public funds, crimes related to corruption and abuse of power, fraud in the financial sector, and drug trafficking as the prevalent types of criminal activity with the potential to generate illicit proceeds” (MER §3). “A large proportion of criminal proceeds generated in Russia are laundered abroad, as recognised by the ML NRA, which makes the pursuit of proceeds of crime to other countries an important focus” (MER §3). Russia is assessed as “not a major international financial centre” but “a regional centre for Eurasian countries” (MER §50). The MER identifies Russia as both “a transit and destination country for narcotics trafficking” (MER §50). The D-score reflects these MER findings: Russia is primarily a source jurisdiction for corrupt and criminal proceeds, with moderate (not high) destination exposure.

Supervisory effectiveness (IO.3: Moderate — MER §§33–36): IO.3 is rated Moderate. The Bank of Russia has implemented an intensive bank supervisory programme since 2013 but assessors are “concerned that an insufficient number of on-site inspections for AML/CFT issues is taking place” and that “the current BoR supervision model over-relies on remote forms of supervision” (MER §34). AML/CFT supervision for non-credit FIs “has only recently moved to a risk-based approach and the resource allocation to sectors is not fully in line with sector risks” (MER §34). DNFBP supervision varies significantly: accountants are better supervised, while lawyers, notaries, real estate agents, and DPMS are less effectively covered (MER §§31–36). Overall compliance by FIs has improved but DNFBP supervision remains the structural weakness.

Preventive measures (IO.4: Moderate — MER §§29–32): IO.4 is rated Moderate. FIs have adequate procedures for risk identification and CDD including BO requirements, though “some FIs apply a rules-based definition of BO” (MER §30). DNFBP risk understanding is “fair” overall; accountants and auditors have good understanding, while lawyers and notaries have “superficial” understanding and casinos and real estate agents have “less developed” understanding (MER §31). “Few [DNFBPs] are filing an adequate amount of STRs” despite awareness of obligations (MER §32). R.6 and R.7 were both PC at MER (targeted financial sanctions gaps); R.12 PC (PEP requirements); R.16 PC (wire transfers).

Legal persons and arrangements (IO.5: Substantial — MER §§37–40): IO.5 is rated Substantial — one of the stronger outcomes in the MER. Russia has put in place “stringent rules at registration” and since 2017 has strengthened measures to identify inaccurate information and inactive companies, improving the accuracy of the USRLE register (MER §37). FIs and DNFBPs collect BO information of customers, but have “somewhat limited capacity to verify it” (MER Key Finding 9). A challenge exists in “accessing accurate BO information when a foreign person owns a Russian legal person” (MER §38). TCSPs are “not considered as a distinct economic activity and are not covered by the AML/CFT law” — legal professionals are obliged entities but “not properly supervised” (MER §40). R.25 was rated PC at MER (trust BO arrangements).

EAG 1st FUR (December 2023) — TC re-ratings: Despite Russia’s FATF membership suspension (February 2023), the EAG follow-up process remained operative. The EAG 1st FUR covers Russia’s progress from October 2019 to July 2023 and re-rated three Recommendations upward and one downward. R.6 PC→LC: TFS implementation time reduced to 24 hours via amendments to Federal Law No. 115-FZ and No. 219-FZ; coercive measures extended to all natural and legal persons via Federal Law No. 281-FZ; minor residual shortcomings on non-working hours and natural persons remain (FUR §§11–24). R.7 PC→LC: same legal framework addresses PF-TFS gaps with the same minor residual issues (FUR §§25–31). R.25 PC→LC: trustees/administrators of foreign legal arrangements introduced as AML/CFT obliged entities under Federal Law No. 233-FZ; disclosure requirements, record keeping, update obligations all addressed; minor residual gap on agents/service provider records and low dissuasiveness of fines (FUR §§32–39). R.15 C→PC (downgrade): DC/cryptocurrency service providers remain unregulated — only DFA service providers are covered; five types of VASP activities in the FATF glossary are not all regulated; “legislation on intermediary activities in the sphere of digital currencies is still under development” (FUR §§41–57). Russia remains on EAG regular follow-up (FUR §64). Note: Russia’s FATF membership has been suspended since 24 February 2023; this status does not affect the EAG’s jurisdiction to conduct follow-up or re-rate Recommendations.
Key MER + FUR findings — attributable to source
  • Source not destination: MER §2 states Russia is “generally perceived as a source country for proceeds of crime, and is not a major centre for laundering the proceeds of crime committed in other countries”; large proportion of domestically generated proceeds laundered abroad (MER §3)
  • IO.3 Moderate (MER §§33–36): BoR over-reliant on remote supervision; insufficient AML/CFT on-site inspections; non-credit FI supervision only recently risk-based; DNFBP supervision uneven — lawyers, notaries, DPMS least effective
  • IO.4 Moderate (MER §§29–32): FIs broadly adequate; DNFBP risk understanding “fair” overall but lawyers/notaries “superficial”; few DNFBPs filing adequate STRs; R.6, R.7, R.12, R.16 all PC at MER
  • IO.5 Substantial (MER §§37–40): USRLE register accuracy improved by 2017 reforms; BO collection by FIs and DNFBPs but limited verification; TCSPs not a distinct regulated activity; R.25 PC at MER
  • EAG 1st FUR December 2023: R.6 PC→LC (TFS 24-hour implementation; Federal Law No. 219-FZ); R.7 PC→LC (PF-TFS same framework); R.25 PC→LC (trustees of foreign arrangements as obliged entities; Federal Law No. 233-FZ); R.15 C→PC downgrade (DC/cryptocurrency service providers unregulated)
  • FATF membership suspended 24 February 2023 — EAG follow-up process remains operative; Russia retains EAG membership; post-suspension TC improvements documented by EAG FUR but FATF-level accountability severed
  • Post-FUR residual: R.12 PC, R.15 PC, R.16 PC remain outstanding; IO effectiveness ratings unchanged from MER (not assessed by TC-only FUR)
🇯🇵
Japan
FATF/APG MER August 2021 (onsite Oct–Nov 2019) | No FUR adopted
D: 19/50 V: 24/50 43
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.6: SE IO.2: SE FATF/APG
Destination risk (MER §48, §54, §56–58, §63, §110): Japan is “vulnerable to ML risks from overseas due to its position as a global financial centre, with three major banks designated as globally systemic” (§48). Japanese headquartered financial sector groups have “a significant presence across a range of markets through investments, branches and subsidiaries throughout Asia and throughout the world,” exposing Japan to “potential cross-border ML threats, including from jurisdictions with weaknesses in their AML/CFT systems, and from the threats of illicit funds entering the Japanese financial system from abroad” (§48). As of end-2017, Japanese banks had become the world’s largest foreign lenders with foreign claims over USD 4 trillion (§63). Japan is the world’s third-largest economy with GDP of USD 4.87 trillion and one of the largest and most sophisticated financial systems globally — banks hold more than half of total financial assets, with insurance the world’s second-largest after the US (§58–61). The main domestic predicates are Boryokudan activities (drug trafficking, extortion, loan sharking, gambling, prostitution), fraud, and drug trafficking (§56). Gold smuggling and associated consumption-tax fraud were identified as a specific high ML risk that attracted a targeted national mitigation response (strengthened customs controls and increased sanctions), which reduced the trend (§110). Foreign bribery by Japanese companies operating in the emerging and at-risk markets of Asia is noted as a ML risk, with the assessment team examining the laundering of foreign bribery proceeds (§57g). The assessment team separately prioritised Japan’s role as a “regional financial hub” with transnational elements from FIs operating in higher-risk markets (§57b). The NRA identifies cash transactions, non-face-to-face transactions, and international transactions as the highest-risk types (§54), and the assessment team notes that cross-border risks need deeper development (§6).

Supervisory framework (IO.3: Moderate; §29–36): The JFSA’s AML/CFT risk-based approach to supervision is “still at an early stage” but is “gradually improving” (§30; IO.3 conclusion). The JFSA has “developed relevant tools, has a sufficient risk knowledge” and takes a proactive approach, but “there is large room for enhancement, while the effectiveness of supervisory actions on FIs compliance is affected by Japanese FIs slow approach to change” (IO.3 conclusion). Critically, financial supervisors “have not made use of their range of sanctions to take efficient and dissuasive actions against FIs, including banks” (§33). The JFSA has not imposed clear deadlines for FIs to reach full compliance with AML/CFT obligations (§32). DNFBP supervisors “do not conduct AML/CFT supervision on a ML/TF risk-basis” (§36) and have “a basic understanding of the ML/TF risks of the sectors under their supervision” only (§36). The JFSA did impose strong sanctions on VCEPs, which the MER treats as a positive exception. Currency exchange operators and financial leasing companies are not subject to licensing requirements and therefore receive no fit-and-proper checks (§410).

Preventive measures (IO.4: Moderate; §23–27): Bigger banks and some MVTS have a reasonable understanding of ML/TF risks. Other FIs still have “limited understanding” and “do not have an adequate understanding of the recently introduced or modified AML/CFT obligations” with “no clear deadlines to comply” (§23). DNFBPs have “a low level of understanding of ML/TF risks and of their AML/CFT obligations” (§26). Critically, lawyers, judicial scriveners, certified public accountants, and certified public tax accountants are “not under an obligation to file STRs” (§397) — a significant gap for high-value legal and financial advisory services used in structuring transactions. Even where DNFBP STR reporting is required, “the level of reporting is low, including for sectors identified as facing specific ML/TF risks” (§397). STR reporting overall is increasing but STRs “refer to basic typologies and indicators” (§24). Not all DNFBPs are covered by STR reporting obligations (§27; key finding c).

Beneficial ownership / legal persons (IO.5: Moderate; §37–39, key findings d): Japan has taken important steps placing BO obligations on FIs, VCEPs, and almost all DNFBPs, and requiring notaries to check BO on new company formation since late 2018. However, “adequate, accurate and current beneficial ownership information is not yet consistently available on legal persons in a timely manner” (key finding b). FIs and DNFBPs are still updating existing CDD to meet 2016 obligations. LEAs “do not appear to have the necessary tools to establish the BO associated with more complex legal structures” (key finding d). There is “no understanding of the risks associated with the misuse of legal arrangements” (§37). Very few cases exist where BO information was used in financial investigations (§38). Sanctions for failing to provide basic information are not applied consistently (§39).

ML investigation and prosecution (IO.7: Moderate; §12–13): LEAs demonstrated extensive experience with less complex ML cases and some experience with organised crime and foreign predicate ML. However, “the vast majority of ML cases pursued are for self-laundering, rather than 3rd party laundering” (§12). There “does not appear to be sufficient focus on the flow of money” at profit-taking levels for complex fraud, large-scale foreign predicates, and drug crime (§12). The PPO suspends a majority of ML prosecutions on the grounds of minor offences — reinforcing under-pursuit of serious ML. Custodial sentences for ML are at a lower level than for the predicate offences generating the most proceeds in Japan (key finding f). Japan has no FUR as of this entry; the MER is the current reference.
Key MER findings — attributable to source
  • Japan vulnerable to overseas ML risks as a global financial centre; three G-SIBs; largest foreign lender (MER §48, §63): MER states Japan is “vulnerable to ML risks from overseas” due to its global financial centre position. Three G-SIBs; Japanese banks became world’s largest foreign lenders (USD 4 trillion+ in foreign claims). World’s third-largest economy. Cross-border ML exposure from Japan’s global FI presence and links to higher-risk markets in Asia.
  • JFSA supervision at “early stage”; no dissuasive sanctions imposed on FIs; DNFBP supervisors do not conduct risk-based AML/CFT supervision (IO.3 ME; MER §30–36): JFSA RBA “still at an early stage.” Financial supervisors have “not made use of their range of sanctions to take efficient and dissuasive actions against FIs.” DNFBP supervisors do not conduct ML/TF risk-based supervision. “Large room for enhancement.” No compliance deadlines set for FIs.
  • Lawyers, CPAs, judicial scriveners have no STR obligation; DNFBP STR reporting very low (IO.4 ME; MER §397): Lawyers, judicial scriveners, certified public accountants, certified public tax accountants not under STR obligation. Even where DNFBP STR obligation exists, reporting is “low, including for sectors identified as facing specific ML/TF risks.” DNFBPs have “low level of understanding” of ML/TF risks and apply only “basic AML/CFT preventive measures.”
  • BO information not yet consistently available; LEAs lack tools for complex structures; no understanding of trust ML/TF risks (IO.5 ME; MER §37–39, key finding d): BO information not consistently available in timely manner despite steps taken. LEAs lack tools for complex legal structures. No understanding of risks from legal arrangements. BO almost never used in financial investigations. R.24 PC.
  • ML prosecutions dominated by self-laundering; PPO suspends majority of ML prosecutions; ML sentence ceiling below predicate offences (IO.7 ME; MER §12–13): Vast majority of ML cases are self-laundering. PPO suspends most ML prosecutions citing minor offences. Insufficient focus on money-flow tracing in complex fraud and foreign predicate cases. Maximum ML sentence lower than for the main proceeds-generating crimes. All prosecutions that proceed secure convictions.
Sources: FATF/APG MER, Japan, August 2021 (onsite October–November 2019), adopted at FATF Plenary June 2021. IO ratings from Table 1 Effectiveness Ratings (p.14). TC ratings from Table 2 Technical Compliance Ratings (p.14). No FUR has been adopted. All paragraph references are to the published MER. This is a joint FATF-APG evaluation.
🇱🇮
Liechtenstein
MONEYVAL 5th Round MER May 2022 (onsite Sep 2021) — no FURs
D: 19/50 V: 24/50 43
Destination
Vulnerability
IO.1: SE IO.2: SE IO.3: ME IO.4: ME IO.5: ME IO.6: SE IO.8: SE MONEYVAL 5th Round
Destination risk (MER §5–6, §31–32, §40–41): The MER characterises Liechtenstein as an IFC whose “primary money laundering threats stem from non-resident customers that may seek to transfer criminal proceeds that were generated abroad to, or through, Liechtenstein; or use trust and company service providers (TCSPs) to facilitate their illicit activities” (§5). The most relevant predicate offences are economic crime — fraud, embezzlement, fraudulent bankruptcy, and tax offences — and corruption (§5). Client assets under management by banks reached CHF 179 billion in 2020 (CHF 360 billion consolidated including foreign group entities), against GDP of CHF 6.6 billion — approximately 27 times GDP (§32). Assets of around CHF 50 billion each are separately managed by asset managers and investment funds; the value of bankable assets administered by TCSPs accounts for roughly 20% of assets held by banks (§32). The financial centre can offer “all types of financial products and services that wealthy non-resident clients may seek — establishment of legal entities, administration of structures, bank accounts, trading in securities, insurance policies, VA services” and these services can be “used to transfer illicit funds to destination countries involved in the integration process” (§6). Liechtenstein has, since 2009, actively combated international tax evasion and implemented OECD transparency standards including automatic exchange of information — reducing but not eliminating the ML risk emanating from tax offences (§40, §165). Tax fraud (distinct from simple tax evasion) and VAT fraud have been ML predicates since 2016 (§41). Simple tax evasion remains uncriminalised as a predicate (§41), and the MER identifies no ML prosecutions involving foreign tax crimes to date (IO.7 key finding c). Liechtenstein has less than 25,000 legal persons in total and reducing — a much smaller corporate sector than Panama or Cyprus (§31).

Risk policy and coordination (IO.1: Substantial): The AT considers that authorities “have demonstrated a good broad and convergent understanding of core ML/TF risks in the financial, TCSP, casino and VASP sectors” (§17). Two areas requiring moderate improvement were identified: (i) the TCSP sector’s non-bankable assets are not fully captured in data held by authorities; (ii) the extent of ML from foreign tax offences has not been examined or estimated — authorities recognise the threat but have not quantified it (§164). Taking account of significant action since 2009 on tax transparency, the AT rates IO.1 as Substantial (§165–166).

Supervisory vulnerability (IO.3: Moderate): The FMA has significantly overhauled its supervisory approach since 2018/19, increasing direct inspections and reducing over-reliance on auditor-conducted reviews (§38). The FMA now has good risk understanding and a specific supervisory risk model (§37). However, “direct FMA supervisory activity of entities that it assesses as presenting a high-risk or medium-high risk (predominantly TCSPs and investment funds) is not sufficient and resource constraints are a concern” (§39). Since 2019 there has been a notable increase in monetary fines, but “it is not possible to conclude that effective, proportionate, or dissuasive sanctions have been applied by the FMA” and enforcement against the TCSP sector is less than expected (§40, IO.3 conclusion §636). The AT considers that the FMA has made significant progress but the planned and actual frequency of inspections of higher-risk TCSPs is insufficient (§636).

Preventive measures (IO.4: Moderate): Understanding of ML/TF risks and obligations is “now generally good among covered FIs, DNFBPs and VASPs” — but this was not the case for all the period under review, with improvements particularly noted after supervisory measures were strengthened in 2019 (§30, §531–532). Banks demonstrate the most sophisticated risk understanding, and large TCSPs and casinos also demonstrate good understanding (§30). Key weaknesses: (i) SAR/STR reporting is “still considered to be low” particularly amongst TCSPs, some of which have never made a SAR/STR; (ii) there is an absence of SAR/STR reporting aligned with the high-risk predicate of foreign tax offences; (iii) customer profiling in the VASP sector is hindered by an “extraordinarily high number of legacy customers without full CDD at one large entity” (§533); and (iv) late reporting observed in TCSP and VASP sectors (§34, §532–534).

Legal persons and beneficial ownership (IO.5: Moderate): A BO register has been operational since August 2019 and, with few exceptions, holds adequate BO information on legal persons and legal arrangements (§46). The authorities rely on qualified members — AML/CFT-licensed TCSPs required to sit on the governing bodies of approximately 80% of legal persons — as a central transparency mechanism (§44). In practice, BO information has been accessible to competent authorities without obstacles (§45). However, the Office of Justice “had yet to start monitoring the completeness and plausibility of information held on the register” at onsite date, relying instead on qualified members to submit accurate information (§46). This reliance is problematic given “insufficient FMA oversight of the performance of CDD activities by qualified members” (§46). BO information held by the private sector “updates information based on risk — will not necessarily be up to date” for lower-risk customers (§47). Administrative fines for failing to provide BO information to the Office of Justice are “not effective, proportionate, and dissuasive” (§48). The weaknesses in IO.3 (TCSP supervision) directly undermine IO.5 (§696).

Financial intelligence (IO.6: Substantial) and ML investigations (IO.7: Moderate): The FIU “constitutes an important source of financial intelligence” with direct access to multiple databases including the BO and bank accounts registers since October 2021; it produces high-quality analysis (§235–238). Investigations: Liechtenstein mostly investigates and prosecutes cases where predicate offences were committed abroad and funds subsequently brought to Liechtenstein for laundering — predominantly triggered by incoming MLA (IO.7 key finding b). The AT considers there is “a lack of ML investigations/prosecutions targeting sophisticated ML schemes which potentially include complex legal structures established and managed in Liechtenstein” (IO.7 key finding a). No ML prosecution involving foreign tax crimes as predicate has ever been achieved (IO.7 key finding c). Sentences imposed are “not sufficiently dissuasive and proportionate” — mostly suspended sentences or sentences of several months (§281). Confiscation (IO.8: Substantial): confiscation is pursued as a policy objective with a November 2020 Asset Recovery Policy; LEAs and prosecutors routinely apply seizure and freezing orders; non-conviction-based confiscation is available and applied (IO.8 key findings a–b).

International cooperation (IO.2: Substantial): Liechtenstein has provided “constructive and timely MLA and extradition across the range of international cooperation requests” with positive global network feedback (§49). Two issues were noted — dual criminality for foreign tax evasion and the right to be heard before the court (tipping-off risk for MLA subjects) — but the country has taken mitigating legislative measures and the AT did not observe these having an impact in practice (§50, §756). No FURs have been issued since the 2022 MER.
Key MER findings — attributable to source
  • IFC with external foreign-proceeds threat — primary ML risks from non-resident clients (§5–6, §32): Main ML threats from non-residents transferring abroad-generated criminal proceeds through banking/wealth management (CHF 179bn AUM; 27x GDP) and TCSP sector. Key predicates: fraud, embezzlement, tax offences, corruption. Simple tax evasion remains uncriminalised as ML predicate. No ML prosecutions involving foreign tax crimes to date.
  • TCSP sector — most important sector, insufficient supervisory frequency (IO.3; §636, §39): TCSPs and banking weighted as the two most important sectors. FMA resource constraints mean insufficient direct inspection of high-risk and medium-high-risk TCSPs. Sanctions against TCSPs below expectations. Supervisory model for lawyers rudimentary. Qualified members (licensed TCSPs sitting on governing bodies) central to BO transparency — but oversight of their CDD performance inadequate.
  • SAR/STR reporting low — some TCSPs never filed a report (IO.4; §34, §532): Despite improvement since 2019 supervisory measures, STR volume still considered low given residual inherent risks. Some TCSPs have never made a SAR/STR. No reporting aligned with the identified high-risk predicate of foreign tax offences. Late reporting in TCSP and VASP sectors. Large VASP with extraordinary number of legacy customers without full CDD.
  • BO register operational but not yet monitored for accuracy (IO.5; §46–47): BO register in place since August 2019; accessible to competent authorities without obstacles in practice. But Office of Justice not yet monitoring completeness/plausibility of entries. Private sector updates based on risk — not necessarily current for lower-risk customers. Administrative fines for BO failures not dissuasive (§48). IO.3 weaknesses directly undermine IO.5 effectiveness (§696).
  • ML investigations triggered by MLA; no complex-structure prosecutions; sentences not dissuasive (IO.7; §280–281, key findings a–e): Investigations predominantly triggered by incoming MLA requests, not proactive domestic identification. No prosecutions involving complex legal structures or foreign tax predicates. Sentences for self-laundering cases (post-foreign-conviction) are mostly suspended or short imprisonment — “not sufficiently dissuasive and proportionate.”
  • Strong cooperation (IO.2 SE), confiscation (IO.8 SE), FIU (IO.6 SE) — significant strengths (§49, §235, IO.8 key findings): MLA and extradition constructive and timely; positive global network feedback. FIU is important financial intelligence source with broad database access. Asset Recovery Policy (November 2020) and non-conviction-based confiscation actively applied. These three Substantial IOs meaningfully reduce overall vulnerability.
Source: MONEYVAL 5th Round MER, Liechtenstein, MONEYVAL(2022)6, adopted May 2022 (onsite 6–17 September 2021). IO effectiveness ratings from MER Effectiveness Ratings table (p.18): IO.1 SE, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 ME, IO.6 SE, IO.7 ME, IO.8 SE, IO.9 SE, IO.10 ME, IO.11 ME. TC ratings from MER Technical Compliance table (p.18). No follow-up reports have been issued. All paragraph references are to the 2022 MER.
🇲🇹
Malta
MONEYVAL MER July 2019 (on-site November 2018) | 1st Enhanced FUR April 2021
D: 20/50 V: 23/50 43
Destination
Vulnerability
IO.4: ME IO.5: ME IO.3: LE MONEYVAL
↑ Improving (1st Enhanced FUR April 2021)
FUR: 8 Recommendations re-rated (R.8, 13, 20, 24, 26, 28, 36, 38)   Still in enhanced follow-up
Destination risk (MER Risks and General Situation, p.9 §§2–4): The MER states that “the ML threat related to foreign proceeds of crime” is assessed as “high, a consequence of the size and international exposure of Malta’s economy” (MER p.9 §3). The NRA identifies organised crime and fraud as generating “a significant part of the foreign proceeds laundered in Malta” (§3). The large non-resident oriented TCSP sector is classified as “highly vulnerable to ML” (§4), and the remote gaming sector is identified as “inherently vulnerable to ML due to the high number of customers, mainly non-resident, the high volume of transactions, the non-face-to-face nature of the business and the use of prepaid cards” (§4). Legal professionals, accountants and real estate agents are also identified as “particularly vulnerable to ML” (§4). The MER notes a “large and internationally exposed banking sector” that is “highly vulnerable to ML (especially non-retail deposits, correspondent accounts, wire transfers and wealth management, but also in relation to e-gaming and foreign customers)” (§2). The NRA demonstrates “broad understanding of the vulnerabilities” but “a number of important factors appear to be insufficiently analysed or understood” (MER §6), including in relation to legal persons and arrangements and the use of new technologies.

Supervisory vulnerability (IO.3: Low — MER p.112 §458): “Malta has achieved a low level of effectiveness for IO.3.” The MER’s Supervision key findings record that the supervisory authorities “do not have adequate resources to conduct risk-based supervision, for the size, complexity and risk profiles of Malta’s financial and DNFBP sectors” (MER p.13 §27). There was “no documented process in place setting out how subject person specific ML/FT risk-ratings drive the frequency, scope and nature of future supervisory onsite/offsite inspections” (MER p.13 §28). The FIAU’s focus in the past “has been to issue pecuniary fines for specific breaches” rather than assess systemic governance deficiencies (MER p.13 §29), and “no sanctions had been applied on a subject person’s senior management” (MER p.94, Ch.6 Supervision Key Findings). Market entry and on-going fitness and properness measures are “inadequate for lawyers, DPMS and real estate agents” (MER p.13 §30).

Preventive measures and legal persons (IO.4: Moderate — MER §§401–402, p.93; IO.5: Moderate — MER §489, p.121): IO.4 is rated Moderate — “the FATF obligations are being effectively implemented by FIs and DNFBPs to some extent, with major improvements needed” (MER §401, p.93). Some non-bank FIs and DNFBPs “were unable to clearly articulate how ML might occur within their institution or sector” (MER p.7, Key Findings). IO.5 is rated Moderate. BO registers for legal persons were “currently being retroactively populated” at the time of the on-site visit, preventing full effectiveness assessment (MER p.113, IO.5 Key Findings). The Registry of Companies lacks “sufficient human resources and legal gateways to adequately verify/monitor the accuracy of the beneficial ownership information held” (MER p.113, IO.5 Key Findings). At the time of the evaluation, no sanctions relating to significant AML/CFT deficiencies had been applied to the TCSP, lawyer or accountant gatekeepers of Maltese legal persons in the preceding five years (MER p.113, IO.5 Key Findings).

Technical compliance (MER July 2019 / FUR April 2021): At the MER, R.24 was PC (BO register gaps); R.10, R.12, R.22, R.23, R.25 were all LC or C. The 1st Enhanced FUR (adopted April 2021, MONEYVAL(2021)7) re-rated 8 Recommendations: R.8 PC→LC; R.13 PC→LC; R.20 PC→C; R.24 PC→LC (addressing BO register deficiencies through MBR enhancements, enforcement powers, and annual confirmation requirements, FUR §§32–49); R.26 PC→LC; R.28 PC→LC (with concerns remaining on DPMS/real estate and lawyers, FUR §§55–63); R.36 PC→C (FUR §§64–66); R.38 PC→LC (FUR §§67–73). Concerns remained post-FUR: accuracy of BO information (FUR §49); gatekeeper supervision of lawyers not yet demonstrated (FUR §60); ML/TF risks from group membership not yet fully addressed in supervisory procedures (FUR §§53–54); and completeness of VA/VASP risk assessment (FUR §§80–82). Malta was noted as remaining in enhanced follow-up and required to report back in two years (FUR §111).
Key MER + FUR findings — attributable to source
  • IO.3 Low (MER p.112 §458): supervisory authorities lack adequate resources for Malta’s TCSP, iGaming, and financial sector risk profile; no risk-based supervisory process documented at time of on-site (MER p.13 §§27–28)
  • IO.4 Moderate (MER §§401–402, p.93): AML/CFT obligations “effectively implemented to some extent, with major improvements needed” — some DNFBPs unable to articulate how ML might occur in their sector (MER p.7, Key Findings)
  • IO.5 Moderate (MER §489, p.121; Key Findings p.113): BO registers retroactively populated at time of MER; Registry of Companies lacks resources and legal gateways to verify accuracy; no sanctions applied to TCSP/lawyer gatekeepers in preceding five years
  • Foreign proceeds threat: NRA rates ML threat from foreign proceeds as “high” due to international exposure; TCSP sector “highly vulnerable”; remote gaming sector inherently vulnerable due to non-resident customer base (MER p.9 §§3–4)
  • FUR April 2021 (MONEYVAL(2021)7) §§7–8: R.8, 13, 20, 24, 26, 28, 36, 38 re-rated; R.20 and R.36 reach Compliant; R.24 PC→LC following MBR enhancements and annual BO confirmation requirements
  • Post-FUR residual concerns (FUR §§49, 60, 63): BO information accuracy (foundations); lawyers not yet demonstrating AML/CFT market entry progress; ML/TF risk from wider group membership not yet fully addressed in MFSA/FIAU supervisory methodology
  • Individual Investor Programme: identified in MER risk context as a factor in Malta’s international exposure; FIAU cooperation with Identity Malta noted (MER §185); MER does not rate this as a fully mitigated risk
🇳🇱
Netherlands
FATF MER June 2022 (onsite Oct–Nov 2021) | 1st Regular FUR September 2025
D: 19/50 V: 24/50 43
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.7: SE IO.8: SE FATF
Destination risk (MER §2–3, §30–38, §42; IO.1: Substantial): The Netherlands is a major global financial centre with one of the EU’s most concentrated banking sectors — three Dutch banks controlling 82% of sector assets, two of which had recently been subject to criminal investigations and significant out-of-court settlements for serious, systemic and long-term AML/CFT violations (§2, §34). The Port of Rotterdam is the largest port in Europe and serves as a key gateway for drug trafficking, particularly cocaine from South America; fraud and drug offences account for more than 90% of all Dutch proceeds of crime (§3, §31). The NRA estimated that EUR 16 billion was laundered in the Netherlands in 2014 (§30). The country hosts an estimated 12,000 conduit companies with a balance sheet total of EUR 4,500 billion (550% of GDP), approximately 90% of which have no staff in the Netherlands; these companies frequently link to jurisdictions with high levels of corruption and can be used to channel money to offshore anonymous entities (§37). Unlicensed trust offices — identified as a high-risk activity — are associated with ML risks related to offshore companies; it is estimated that 15% of trust services to conduit companies are offered by entities that have restructured to circumvent stricter regulation (MER §22). Virtual assets are identified as high-risk for both ML and TF (§35). Trade-based ML is identified as a significant risk, with confirmed detected cases (§38). The assessors deprioritised domestic corruption risk based on the Netherlands’ Transparency International ranking (§42), but this index score is not a scoring input for this Index. IO.1 is rated Substantial, reflecting the generally sound risk understanding and strong domestic co-ordination framework, while noting NRA reliance on qualitative inputs and some exemptions inconsistent with BES Islands risk profile (§4–5).

Supervisory vulnerability (IO.3: Moderate; MER Ch.6 key findings, Overall conclusion on IO.3): DNB and AFM have a good understanding of ML/TF risk, increasingly data-driven, and apply a risk-based supervisory approach — DNB in particular has been innovative in using data and technology (Ch.6 key findings FIs/VASPs 3–4). The Netherlands has a strong licensing framework for FIs and robust fit-and-proper checks (Ch.6 key finding FIs 1). However, the MER identifies significant weaknesses: DNFBP supervisors do not apply “an appropriate frequency and intensity” to their supervision programmes and carry out supervision “on a reactive basis” (Ch.6 key finding DNFBPs 4). With the exception of trust offices, DNFBPs’ TFS implementation is not supervised (Ch.6 key finding DNFBPs 6). Some supervisors rely heavily on “warning letters and other informal measures, including where unlicensed activity is identified,” with cases taking more than a year to escalate to formal action (Ch.6 key finding DNFBPs 7). The Netherlands recognises underground banking through unlicensed payment services and hawala networks but does not currently allocate “sufficient supervisory resources to address this” (Ch.6 key finding FIs 2). The two largest banks’ prolonged AML/CFT failings suggest earlier supervisory actions were “not sufficiently proportionate or dissuasive to change the culture within these large organisations” (MER §20). The Netherlands is rated Moderate for IO.3 (Overall conclusion on IO.3).

Preventive measures (IO.4: Moderate; MER Ch.5 key findings, Overall conclusion on IO.4): Banks, larger MVTS and VASPs have a good understanding of ML risks and obligations; however, TF risk understanding is “generally lower across all sectors” (Ch.5 key finding FIs 1). Some banks and MVTS have a tendency to “categorise customers as low risk by default, which makes mitigating measures less effective” (Ch.5 key finding FIs 2). Some larger banks struggle to identify ultimate beneficial owners in complex international structures — a focus of high-profile enforcement in recent years (Ch.5 key finding FIs 4). UTR reporting remains low in some sectors including lawyers and real estate; FIU feedback to obliged entities is inadequate (Ch.5 key finding FIs 6). For DNFBPs: understanding varies significantly; real estate agents and domicile providers have lower understanding; CDD measures are “often basic” and many entities treat CDD as “mainly a role for the banks” (Ch.5 key findings DNFBPs 1–2). DNFBPs struggle to identify ultimate BOs in complex structures and settle for pseudo-BOs, described as “particularly worrying in the case of notaries” who often register this information in the BO register (Ch.5 key finding DNFBPs 3). UTR reporting in many DNFBP sectors is low, “more acute in relation to the legal sector, real estate agents and for sectors where there are no trade organisations” (Ch.5 key finding DNFBPs 5). The Netherlands is rated Moderate for IO.4 (Overall conclusion on IO.4).

Legal persons and beneficial ownership (IO.5: Moderate; MER Ch.7 key findings, Overall conclusion on IO.5): The CoC commercial register contains comprehensive basic information on all legal persons. However, at the time of the onsite, only 27% of existing legal persons had registered BO information in the BO register (Ch.7 key finding 1) — the Netherlands mainly relies on FIs and DNFBPs as gatekeepers, yet recent high-profile fines against largest FIs for CDD failings including failure to identify BOs raise questions about how effective this is (Ch.7 key finding 5). The Netherlands relies on approximately 15,000 foreign legal arrangements operating domestically which are not required to register as trusts (Ch.7 key finding 4). No sanctions are imposed for failing to provide correct or up-to-date basic information; sanctions for failing to submit financial statements are “not dissuasive” (Ch.7 key finding 6). Nominee directors and shareholders are not legally recognised but “do exist in practice” and are used in the management of conduit companies, without AML/CFT obligations (MER §14). 15% of trust services to conduit companies are provided by entities that restructured to circumvent stricter regulation (MER §22). The Netherlands is rated Moderate for IO.5 (Overall conclusion on IO.5).

ML investigations and confiscation (IO.7: Substantial; IO.8: Substantial; MER §3, §8–10): Both IO.7 and IO.8 are rated Substantial — a strength of the Dutch system. LEAs pursue different types of ML at both national and regional levels, with thematic investigation projects identified as a key strength (MER §3). Combined Police-FIOD investigation teams, datahubs (iCOV, AMLC Suite, JustisTRACK), and public-private partnerships (FEC, Fintel Alliance) are all cited as system strengths (MER §6). Confiscation is a stated policy and strategic objective; each LEA and the OM set annual seizure targets; major multi-million confiscations in out-of-court settlements with legal persons account for the majority of collected results (MER §10). VA seizures are increasing annually (MER §10). However, the authorities do not maintain statistics on the type of ML and associated predicate offences investigated, prosecuted and convicted; sanctions in ML cases are found “low, including in complex and serious cases, and are therefore not considered dissuasive” (MER §3).

1st Regular FUR technical compliance (September 2025 — TC only; effectiveness IO ratings unchanged): The 1st Regular FUR states it does not address progress on effectiveness (FUR Introduction). Only one Recommendation was re-rated: R.15 PC→LC. The remaining deficiency under R.15 is the CDD threshold for occasional VASP transactions (EUR 15,000 vs the FATF standard of EUR 1,000), which will be addressed through EU AMLR implementation by July 2027, and the absence of a VASP regime in the BES Islands — both assessed as minor given low BES risk and interim measures in place. The major R.15 deficiency (VASP definition covering only two of the five FATF-defined activities) has been resolved through alignment with MiCAR (February 2025). As of the 1st Regular FUR, R.13 (correspondent banking) remains the only PC. The Netherlands remains in regular follow-up and will report back in its 5th round mutual evaluation (FUR Conclusion).
Key MER findings — attributable to source
  • EUR 16 billion laundered annually; 90%+ from fraud and drugs (MER §30–31): The Netherlands’ NRA estimated EUR 16 billion in ML in 2014. Fraud and drug offences (including synthetic drug production) account for more than 90% of all Dutch proceeds of crime. Drug proceeds are often laundered through physical cash, including via the Port of Rotterdam and Schiphol Airport.
  • 12,000 conduit companies, EUR 4,500bn balance sheet, 550% of GDP (MER §37): An estimated 12,000 conduit companies operate in the Netherlands, with a combined balance sheet of EUR 4,500 billion. Approximately 90% have no staff in the Netherlands. Some link to high-corruption jurisdictions and can channel money to offshore anonymous entities. 15% of trust services to conduit companies are from entities that restructured to avoid regulation.
  • Two largest banks subject to out-of-court settlements for systemic, long-term AML/CFT failings (MER §2, §34): Three Dutch banks control 82% of banking sector assets. Two were recently subject to criminal investigations and significant settlements for serious, systemic AML/CFT violations. Previous supervisory actions were “not sufficiently proportionate or dissuasive” to change culture and address long-term systemic failings (MER §20).
  • BO register only 27% populated at time of onsite; no sanctions for inaccurate basic information (MER Ch.7 key findings 1, 6): At assessment, only 27% of existing legal persons had registered BO information. Sanctions for failure to provide correct or up-to-date basic information are not applied; sanctions for failing to submit financial statements are not dissuasive.
  • DNFBP supervision reactive, not risk-based; TFS implementation unsupervised except trust offices (MER Ch.6 key findings DNFBPs 4, 6–7): DNFBP supervision is “generally carried out on a reactive basis.” Unlicensed activity can take more than a year to escalate to formal action. With the exception of trust offices, DNFBP TFS implementation is not supervised at all.
  • Low UTR reporting in real estate, legal, and domicile provider sectors; pseudo-BO problem in notaries (MER Ch.5 key findings DNFBPs 3, 5): UTR reporting is “low and this seems to be more acute in relation to the legal sector, real estate agents and for sectors where there are no trade organisations.” DNFBPs settle for pseudo-BOs in complex structures — “particularly worrying in the case of notaries” who register this information in the BO register.
  • 1st Regular FUR: only R.15 re-rated PC→LC; R.13 remains only PC; effectiveness IO ratings unchanged (FUR Introduction, Conclusion, Table 1): MiCAR alignment resolved the major VASP scope deficiency. Remaining minor gaps: EUR 15,000 CDD threshold for occasional VASP transactions (vs FATF EUR 1,000 standard; to be resolved by July 2027) and no VASP regime in BES Islands. R.13 (correspondent banking) remains the only PC. The FUR states it does not assess effectiveness.
Sources: FATF MER, Netherlands, June 2022 (onsite October–November 2021). IO ratings from MER Table 1 (p.14). Technical compliance ratings updated per FATF 1st Regular Follow-Up Report, Netherlands, September 2025 (Table 1, p.9). All MER findings attributed to specific paragraphs or chapter key findings. The 1st Regular FUR states it does not address effectiveness outcomes.
🇯🇪
Jersey
MONEYVAL 5th Round MER 2024 (onsite 27 September – 10 October 2023) | No FUR adopted
D: 27/50 V: 16/50 43
Destination
Vulnerability
IO.1: HE IO.3: ME IO.4: ME IO.5: SE IO.7: ME IO.8: SE MONEYVAL
Destination risk (MER Exec. Summary §2; Ch.1 Materiality §14, §17): The MER is explicit that, as an international financial centre, Jersey’s “primary money laundering (ML) threats stem from non-resident customers that may seek to transfer criminal proceeds that were generated abroad to, or through, Jersey or who may seek to use trust and company service providers (TCSPs) to facilitate their illicit activities” (§2). The most pertinent identified threats are frauds, corruption, tax offences and drugs trafficking (§2). The inherent risks flow from an international clientele and wealth-management products: the centre serves as “a one-stop shop for all types of financial products and services wealthy non-resident clients may seek,” and “incriminated assets from abroad can flow into Jersey by using the financial products and services it offers, where they can be administered and further transferred to destination countries using a wide variety of structures” (§2) — a framing that combines destination and conduit characteristics. The scale is substantial: Jersey is a significant global IFC managing in excess of GBP 1 trillion of wealth, with over half a million customer relationships reaching some 250 jurisdictions; financial services account for 42% of GVA (§14). As of end-2022 the banking sector held GBP 151.5 billion in deposits (19 active international banks, including nearly half of the world’s top 25), GBP 489 billion in administered or managed collective investment funds, and the TCSP sector administered an estimated GBP 1.1 trillion in assets as at end-2021 (Ch.1 §17). Roughly two-thirds of the wealth managed originates from investors not domiciled in the UK (Ch.1 §14).

Supervision (IO.3: Moderate; KF (h); §539, §570, §588, §616, §631, §650): The JFSC demonstrates a good understanding of ML risks (TF developed to a lesser degree) and concentrates supervision on higher-risk entities in the materially important sectors, most notably banks and TCSPs, with the number of inspections and resources improving over the assessed period (KF (h); §647, §586). However, full-scope and focused/targeted inspections have been in the minority for most sectors; the JFSC’s reliance on a self-declaration by applicants to report criminal convictions (rather than requiring criminal record certificates as routine) is a less effective market-entry control, and criminality checks for DNFBPs and VASPs were introduced only very recently (§539, §547). The supervisor’s approach to breaches relies heavily on remedial actions, and the imposition of sanctions has been “modest, and in the case of financial penalties, minimal and not in line with the risk profiles of the entities and the number and types of breaches detected” (§616, §631). The institutional risk-assessment model would benefit from enhancement (§570; KF (h)).

Preventive measures (IO.4: Moderate; KF (g); §436, §449, §472, §501, §518, §529, §531): Understanding of ML risks and AML/CFT obligations is generally good across sectors, especially banks and larger TCSPs and law firms, while understanding of TF risk is less developed (KF (g); §436). Risk-mitigating measures applied by reporting entities are mostly commensurate to risk, though effectiveness improved only more recently and there is uneven implementation in relation to complex structures (§449). The number of ML-related SARs is “lower than expected by the AT considering the risks Jersey faces” and policies do not always ensure prompt reporting, although SAR quality has been improving (§518, §531). EDD is applied to PEPs, new technologies, wire transfers, TFS and high-risk countries, but most reporting entities apply the full set of EDD measures to PEPs only where there is an accumulation of risks (§472, §501). The availability of qualified resources in compliance functions was identified as “a serious challenge” (§529; KF (g)).

Beneficial ownership / legal persons (IO.5: Substantial; KF (i); §668, §692, §732, §743, §745–746): Jersey authorities demonstrated a good understanding of how legal persons and arrangements can be misused for ML, supported by a detailed 2023 LPA risk assessment (KF (i)). Jersey maintains a fully populated Registry whose basic information is publicly available and whose BO information is accessible to competent authorities, with comprehensive checks, risk assessment and vetting at registration and on an ongoing basis (§668, §692). BO information for legal arrangements (mostly trusts) is collected and maintained almost exclusively by TCSPs, and the number of trusts covered by supervisory action is below the full trust population (§670, §746). A range of administrative and criminal sanctions is available for BO non-compliance, used mostly for failures to appoint a nominated person or to file annual confirmation statements, and only in a few cases for late BO updates — but not for the provision of false or misleading BO information (§732, §743).

ML investigation, prosecution and confiscation (IO.7: Moderate, IO.8: Substantial; KF (c)–(d); §223, §244, §248, §252, §280, §302): Jersey routinely identifies and investigates ML cases broadly in line with its threats and risk profile, with the exception of ML from tax offences, where investigation numbers are low (KF (c); §244). Complex ML investigations targeting legal structures and asset-holding vehicles are underway, and a few are moving towards prosecution; however, most prosecutions and convictions concern self-laundering, and third-party and autonomous ML prosecutions “are rare, which is not in line with the jurisdiction’s risk profile” (§223, §248, §252). Results obtained under the civil-forfeiture legislation are described as “convincing,” and confiscation is pursued as a policy objective with outcomes mostly in line with risk, again with the possible exception of tax crimes (§280; KF (d)). Foreign confiscation requests are recognised and Jersey has organised both repatriation and return of assets to and from other jurisdictions (§302).
Key MER findings — attributable to source
  • Primary ML threat is foreign-generated proceeds moved to or through Jersey by non-resident clients (MER §2): Threats identified as frauds, corruption, tax offences and drugs trafficking. IFC acting as a “one-stop shop” for wealthy non-resident clients; incriminated foreign assets can be administered in Jersey and further transferred to destination countries through a wide variety of structures — a combined destination/conduit profile.
  • Very large IFC: >GBP 1 trillion of wealth; GBP 1.1 trillion administered by TCSPs (MER §14, §17, §28): 19 active international banks (incl. nearly half the world’s top 25), GBP 151.5bn bank deposits, GBP 489bn in collective investment funds; financial services 42% of GVA; ~two-thirds of managed wealth from non-UK-domiciled investors across Europe, Asia/Middle East and North America.
  • Supervisory sanctioning weak; market-entry criminality checks rely on self-declaration (IO.3; MER §539, §588, §616, §631): JFSC focuses on higher-risk banks and TCSPs but full-scope inspections are in the minority; sanctions modest and financial penalties minimal and not aligned to risk profiles; criminality checks for DNFBPs and VASPs only recently introduced; institutional risk-assessment model needs enhancement.
  • ML prosecutions dominated by self-laundering; third-party/autonomous ML rare (IO.7 Moderate; MER §223, §244, §248, §252): Investigations broadly in line with risk except tax-related ML; complex investigations of legal structures underway but few at prosecution; third-party and autonomous ML prosecutions not in line with the risk profile. Civil-forfeiture results “convincing”; confiscation pursued as a policy objective.
  • TC strong: R.22, R.23, R.24 and R.25 all Largely Compliant; no PC/NC on core gatekeeper or BO Recommendations: R.10 (CDD) and R.12 (PEPs) both LC; R.40 (international cooperation) C. The only PC in the whole assessment is R.18 (internal controls / foreign branches and subsidiaries — no explicit AML/CFT-programme size requirement, independent-audit function or group-wide tipping-off safeguard). The principal risks are in effectiveness, particularly supervisory sanctioning and the prosecution of complex/foreign-predicate ML, rather than in the technical framework. No FUR adopted.
Sources: MONEYVAL 5th Round Mutual Evaluation Report, Jersey, 2024 (MONEYVAL(2024)7; onsite 27 September – 10 October 2023). IO effectiveness ratings from the Effectiveness Ratings table (Executive Summary, p.16): IO.1 HE, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 SE, IO.6 ME, IO.7 ME, IO.8 SE, IO.9 SE, IO.10 SE, IO.11 SE. TC ratings from the Technical Compliance Ratings table (pp.16–17). References shown as “KF (x)” are to the lettered Key Findings (a)–(j) in the Executive Summary; numbered references (§N) are to the correspondingly numbered paragraphs of the published MER. Low paragraph numbers recur across sections, so the Materiality figures are cited as Ch.1 §14, §17; the IO discussions draw on uniquely numbered body paragraphs (IO.4 ch.5.2 §436–531; IO.3 ch.6.2 §539–650; IO.5 ch.7.2 §668–746; IO.7–IO.8 ch.3.3–3.4 §223–302). No FUR has been adopted.
🇨🇦
Canada
FATF MER June 2016 (on-site October–November 2015) | 1st Regular FUR October 2021
D: 13/50 V: 29/50 42
Destination
Vulnerability
IO.4: ME IO.5: LE IO.3: SE FATF
↑ Partial progress (1st Regular FUR October 2021)
FUR: 7 Recommendations upgraded; R.8 downgraded C→PC   Moved to regular follow-up
Destination risk (MER Chapter 1, §§52–59): The MER identifies Canada’s real estate sector as “highly vulnerable to ML, including international ML activities,” driven in part by foreign proceeds and exposure to “high risk clients, including PEPs, notably from Asia and foreign investors (including from locations of concern)” (MER §52). Assessors note that “there are cases of Chinese officials laundering the PoC through the real estate sector, particularly in Vancouver, and the Chinese government has listed Canada as a country that it wishes to target for recovering the proceeds of Chinese corruption” (MER §52, fn.10). The MER states that “Canada’s appeal as an investment setting also makes it an attractive destination for foreign POC” (§56) and that “Canada’s open and stable economy and accessible financial system also make it vulnerable to significant foreign ML threats, especially originating from the neighbouring United States of America” (§13). The NRA is noted as potentially “underestimating the magnitude of some key risks, such as the risk emanating from tax crimes and foreign corruption” (MER §15). Typologies identified by LEAs include “foreign PEPs creating legal entities in Canada to facilitate the purchase of real estate and other assets with the proceeds of corruption” (MER §281).

Supervisory effectiveness (IO.3: Substantial — MER §279): “Canada has achieved a substantial level of effectiveness with IO.3.” FINTRAC and OSFI supervise FIs and DNFBPs on a risk-sensitive basis and have applied remedial actions effectively with positive impact on compliance by FIs and some categories of DNFBPs (MER §33). Concerns include: insufficient supervisory intensity for real estate and DPMS sectors; some duplication between FINTRAC and OSFI on federally regulated FIs; weak DNFBP sector-specific guidance; and no ongoing fitness and probity controls at provincial level after market entry for DPMS (MER §§9, 31–33). The exclusion of legal professions — lawyers, legal firms, and Quebec notaries — from AML/CFT supervision “has a negative impact on the effectiveness of the supervisory regime as a whole” (MER §33).

Preventive measures (IO.4: Moderate — MER §242): “Canada has achieved a moderate level of effectiveness for IO.4.” Large FRFIs have good risk understanding and group-wide AML/CFT programmes (MER §28). However, “AML/CFT requirements are inoperative towards legal counsels, legal firms and Quebec notaries” — constitutionally exempted by the Supreme Court of Canada on 13 February 2015 in a ruling holding that PCMLTFA obligations on lawyers violated attorney-client privilege (MER §27). DNFBPs other than casinos have “either no or weak internal controls” (MER §241) and STR filing by accountants, BC notaries, and real estate agents is “very low” or nil (MER §30). PEP requirements were entirely absent — R.12 was rated NC at MER.

Legal persons and arrangements (IO.5: Low — MER §295): “Canada has achieved a low level of effectiveness for IO.5.” Legal entities and arrangements are at “high risk of misuse” for ML/TF, with “mitigating measures insufficient both in terms of scope and effectiveness” (MER Chapter 7 Key Findings). No legal requirement existed for legal persons to record and maintain BO information; TCSPs operated by lawyers were outside AML/CFT scope; FIs did not verify BO information consistently; nominee shareholding arrangements were “commonly used” and posed “real obstacles for LEAs” (MER §34); and for the “majority of trusts in Canada, beneficial ownership information is not collected” (MER Chapter 7 Key Findings). No sanctions for BO record-keeping failures had been imposed between 2009 and 2014 (MER §293–294).

Technical compliance and FUR (October 2021): At MER, R.12 NC, R.22 NC, R.23 NC, R.24 PC, R.25 NC represented the most significant gaps. The 1st Regular FUR (adopted October 2021) re-rated 7 Recommendations upward following 2019–2020 PCMLTFA regulatory amendments: R.12 NC→LC (PEP obligations introduced); R.15 NC→LC (VA/VASP framework); R.16 PC→LC (wire transfer requirements); R.17 NC→C (third-party reliance); R.20 PC→LC (prompt STR timeline); R.22 NC→PC (DNFBP CDD improvements, but lawyers, Quebec notaries and some CSPs still not covered); R.23 NC→LC (FUR §§ on R.22–23). R.8 was downgraded C→PC as the revised risk-based standard revealed gaps in TF outreach to non-registered NPOs. Remaining gaps post-FUR: R.22 PC (lawyers/Quebec notaries and some DNFBPs still excluded); R.24 PC (no mandatory BO register); R.25 NC (trust BO information not required). Canada moved to regular follow-up (FUR §4 conclusion).
Key MER + FUR findings — attributable to source
  • IO.5 Low (MER §295): legal entities and arrangements at high risk of misuse; no mandatory BO register; TCSPs operated by lawyers outside AML/CFT scope; nominee shareholding widely used; no sanctions applied 2009–2014
  • IO.4 Moderate (MER §242): lawyers, legal firms and Quebec notaries constitutionally exempted from AML/CFT (SCC, 13 February 2015); DNFBP STR filing “very low” or nil for accountants, BC notaries, real estate agents (MER §30)
  • IO.3 Substantial (MER §279): FINTRAC and OSFI supervision broadly risk-sensitive; positive compliance impact for FIs; real estate and DPMS supervision insufficient relative to risk; legal professions exclusion harms overall supervisory effectiveness (MER §33)
  • Destination: real estate “highly vulnerable to ML, including international ML activities” with foreign PEPs and corruption proceeds, particularly Vancouver (MER §52, fn.10); NRA may underestimate foreign corruption risk (MER §15)
  • MER TC: R.12 NC, R.22 NC, R.23 NC, R.24 PC, R.25 NC at adoption — among highest gap-counts in the index for DNFBP and BO obligations
  • FUR October 2021: R.12 NC→LC; R.17 NC→C; R.22 NC→PC; R.23 NC→LC; R.15 NC→LC; R.16 PC→LC; R.20 PC→LC; R.8 downgraded C→PC; Canada moved to regular follow-up
  • Post-FUR residual gaps: R.22 PC (lawyers, Quebec notaries, some CSPs still excluded from DNFBP CDD obligations); R.24 PC (no mandatory BO register); R.25 NC (trust BO information still not required)
🇦🇱
Albania
MONEYVAL 5th Round MER July 2018 (onsite Oct 2017) | 4th Enhanced FUR May 2023 (TC only)
D: 25/50 V: 17/50 42
Destination
Vulnerability
IO.3: ME IO.4: SE IO.5: ME IO.9: LE IO.6: SE MONEYVAL
Destination risk (MER §2–6, §45): Albania is identified as a destination for the reinvestment of proceeds generated by Albanian-ethnicity OCGs operating across Europe. “Organised crime groups with individuals of Albanian ethnicity are active in many countries in Europe… They mostly focus on drug trafficking, human trafficking and crimes against property. The proceeds of crime are circulated and invested in several forms in Albania, e.g. through investment in real estate and commercial companies” (§2). Corruption generates “substantial amounts of criminal proceeds and seriously undermines the effective functioning of the criminal justice system” (§3). The “frequent occurrence of foreign proceeds in ML cases” is noted, with a remarkable number of MLA requests sent abroad due to foreign-predicate laundering activity (§45). The gambling sector (through criminal infiltration of ownership and operation) and the real estate sector are assessed as “very high risk for ML” (§5). The large size of the informal economy, combined with the still widespread use of cash, “constitutes a significant ML vulnerability” (§2). Notaries historically highly vulnerable due to real estate transaction involvement; risk awareness improved but informal property transactions (without notary or agent) now identified as the highest-risk channel (§5). Accountants and lawyers are also deemed vulnerable “due to their involvement in company formation and the fact that majority of their client base is comprised of legal entities” (§6).

Supervisory framework (IO.3: Moderate; §27–35): The Bank of Albania has a good understanding of ML/TF risks and has enhanced its offsite reporting system; the FSA is transitioning to a risk-based approach but its AML/CFT inspection activity “has been very limited” (§31). Critically, “primary DNFBP supervisors do not implement the responsibilities for AML/CFT supervision that are assigned to them by law” — with the exception of notary inspections by the MoJ (§32). The GDPML compensates somewhat through its cross-sector supervisory role but its resources are “too limited to compensate for the general lack of DNFBP supervision” (§32). Sanctions for AML/CFT breaches are “not fully effective or dissuasive” and the GDPML’s sanctioning powers are limited to fines with no ability to impose proportionate penalties for repeat violations (§33). Licensing authorities (BoA, FSA, GSA, POB) “do not fully appreciate the risks of individuals with criminal connections trying to gain control over REs” (§28).

Preventive measures (IO.4: Substantial; §23–26): Banks have “a good understanding of ML/TF risks and AML/CFT obligations and apply mitigating measures in a manner that is mostly commensurate to the assessed level of risk” (§23). CDD and record-keeping are complied with by most REs, stronger in banking (§24). Notaries have improved significantly — they “recognised their important gatekeeper role in real estate transactions” and implementation of AML/CFT obligations including BO identification and STR filing has improved (§25). The gap is DNFBPs outside the notary sector: they have “a lower level of understanding of ML/TF risks” and “very limited numbers of SARs” have been filed (§26). Gambling, accountants, and lawyers “have not received sufficient training and guidance regarding ML/TF risks and AML/CFT obligations” (§35).

Beneficial ownership / legal persons (IO.5: Moderate; §36–40): Albania has not conducted an assessment of ML/TF risks associated with legal persons — understanding of these risks is “weak” (§36). Basic and legal ownership information is publicly available from the NBC and DCoT; however, neither body specifically collects BO information, and “information held by the NBC or DCoT in relation to changes to basic ownership data cannot be considered to be accurate or current” (§37). BO information is held individually by FIs and DNFBPs, but “timely access to this information by the competent authorities is hindered by having to first establish which FI or DNFBP the legal person has a business relationship with” (§38). Sanctions for non-compliance with transparency obligations are “not proportionate and dissuasive” for NBC registrees and “non-existent” for DCoT (§40).

TF prosecution (IO.9: Low; IO.11: Low; §18–22): No TF prosecutions or convictions in Albania despite increased religious radicalism and FTF recruitment linked to the Syrian conflict (§4, §18). “There is no systematic approach to identify and investigate financing aspects of terrorism-related offences” (§6). No legal or institutional framework for PF sanctions (IO.11 Low; §22). The NRA classifies TF as “low” risk but the assessment team disputes the adequacy of this analysis (§18).

4th FUR developments (TC only; May 2023): R.25 upgraded PC→LC (trust obligations now covered in AML/CFT Law, though minor gaps remain in supervisory timelines and MLA application). R.28 upgraded PC→LC (all DNFBP sectors now have designated supervisors; GDPML applies RBA; progress on real estate agent and notary supervision). Remaining PC: R.7 (PF TFS framework not yet operational) and R.15 (VASP/new technology gaps). Albania remains in enhanced follow-up; IO ratings from the MER are unchanged.
Key MER + FUR findings — attributable to source
  • Albanian-ethnicity OCGs reinvest European drug/crime proceeds in Albania; gambling and real estate “very high risk” (MER §2–6): Albanian OCGs active across Europe (drug trafficking, human trafficking, property crimes) reinvest proceeds in Albanian real estate and commercial companies. Corruption generates “substantial amounts of criminal proceeds” and undermines the justice system. Gambling sector and real estate assessed “very high risk” for ML. Large informal economy and cash use as significant ML vulnerability. Foreign-predicate ML cases “frequent.”
  • Primary DNFBP supervisors do not implement AML/CFT supervision responsibilities; GDPML resources “too limited” to compensate (IO.3 ME; MER §32–33): Gambling supervisors, bar associations, POB (accountants), and real estate supervisors do not conduct AML/CFT supervision. GDPML compensates partially but lacks resources. Sanctions limited to fines only; no power for proportionate responses to repeat violations. FSA AML/CFT inspections “very limited.”
  • No TF prosecutions or convictions despite FTF cases and increased radicalism; no PF framework at all (IO.9/IO.11 Low; MER §18–22): No TF prosecutions or convictions. No systematic approach to identify TF financing aspects of terrorism-related offences. No PF legislative/institutional framework — GDPML communicates lists to REs but with no legal obligation to freeze. NRA TF analysis “very limited.”
  • BO information not centrally held; NBC/DCoT records inaccurate; competent authority access hindered (IO.5 ME; MER §37–40): NBC and DCoT do not collect BO information. Registered data “cannot be considered accurate or current.” BO held only by individual FIs/DNFBPs — competent authorities must first identify which institution has a relationship before accessing BO. Sanctions for non-compliance non-existent at DCoT.
  • 4th Enhanced FUR (May 2023): R.25 and R.28 upgraded to LC; R.7 and R.15 remain PC — IO ratings unchanged: R.25 (trust BO) LC: AML/CFT Law now covers foreign trusts. R.28 (DNFBP supervision) LC: all DNFBPs have designated supervisors; GDPML RBA applied. R.7 remains PC (PF TFS not operational). R.15 remains PC (VASP/new technology gaps). Enhanced follow-up continues.
Sources: MONEYVAL 5th Round MER, Albania, July 2018 (onsite October 2017), adopted at MONEYVAL 56th Plenary Session. IO ratings from Effectiveness Ratings table (p.13); confirmed unchanged by 4th Enhanced FUR, which covers TC only. TC ratings from MER Compliance Table (p.13) as updated by 4th Enhanced FUR Table 1 (FUR p.4). All paragraph references are to the published MER unless marked FUR.
🇲🇺
Mauritius
ESAAMLG MER July 2018 (onsite 5–16 June 2017) | ESAAMLG 5th Enhanced FUR September 2022 (TC only)
D: 15/50 V: 26/50 41
Destination
Vulnerability
IO.1: Low IO.3: Low IO.4: Mod IO.5: Low IO.7: Mod ESAAMLG
Destination risk (MER §2, §38–39, §41, §44, §213): Mauritius is one of Africa’s largest international financial centres. As at 31 December 2015, there were 21,443 global business entities with total assets of USD$660.2 billion — representing nearly 60 times the size of GDP (MER §2, §39). The global business sector is one of the key pillars of the economy, with financial and insurance services becoming the largest contributor to GDP at 10.7% in 2016 (MER §2). The financial sector’s 1,699 financial institutions in the Global Business Sector accounted for more than 80% of total financial sector assets (MER §2). The assessors identified that non-resident depositors and investors are attracted by the low tax environment, and that the country generates a huge volume of business from outside through the global business sector in the form of deposits and investments. The assessors found that the major part of the business is conducted on a non-face-to-face basis via intermediaries and third parties (MER §38). Most customers and clients are foreign-based, with non-resident customers including corporates with sophisticated and complex structures, politically exposed persons, and high-net-worth individuals (MER §38, §41). Critically, the assessors found that non-resident inflows could be a source of proceeds from tax evasion, public sector corruption, and fraud crimes committed outside Mauritius (MER §41). Drug trafficking was identified as a major proceeds-generating domestic crime (MER §41). The assessors identified that proceeds arising from drugs, cross-border cash couriers, and politically exposed persons from outside Mauritius pose a significant ML risk, with complex multi-national company structures and cash-intensive businesses making the country additionally vulnerable (MER §213). Mauritius was assessed as one of Africa’s preferred investment destinations for high-net-worth non-resident customers due to the nature of financial services and products offered — exposing the country to a substantial risk of attracting cross-border illicit financial flows (MER §213).

Risk, policy and coordination (IO.1: Low): At the time of the onsite, Mauritius had not completed its NRA — the exercise had commenced in January 2017 but was still underway at the date of the visit (MER §6, §40). No results were available from the NRA for use in assessing the country’s ML/TF risk profile. No documented AML/CFT policies or AML/CFT strategy existed at the national level (MER §59). The National Committee for AML/CFT had not been active for some time until it was recently reactivated for the NRA, and there was no tangible evidence demonstrating that it had delivered on its mandate (MER §97). Coordination between authorities was on an ad hoc basis (MER §7). Legal impediments in the FSA, Trust Act, Income Tax Act, and Prevention of Corruption Act restricted or prohibited some LEAs from accessing or exchanging information relevant to ML/TF (MER §98). Mauritius achieved a low level of effectiveness for IO.1 (MER IO.1 conclusion).

Supervisory vulnerability (IO.3: Low): The FSC did not have adequate capacity to fully carry out AML/CFT compliance monitoring responsibility given the large size of the global business sector — described as an area of concern in view of the perceived ML/TF risks (MER §19). While the FSC indicated it had a risk-based approach model, the assessors did not see how it operated in practice. The BoM’s risk-based approach was less formal and not well documented; a legal requirement for banks to be examined once every two years also made a truly risk-based approach difficult to implement (MER §18). AML/CFT supervision for DNFBPs excluding management companies had not yet started at the time of assessment (MER §18). The legal and regulatory frameworks did not provide for a broad range of sanctions commensurate with AML/CFT violations, particularly for DNFBPs, and no DNFBP regulator had issued any sanction for AML/CFT non-compliance (MER §20). The supervisory resources of the FSC in respect of the global business sector were assessed as insufficient relative to the size and the perceived ML/TF risks inherent in the sector (MER §305). Mauritius achieved a low level of effectiveness for IO.3 (MER §306).

Preventive measures (IO.4: Moderate): FIs and management companies demonstrated a good appreciation of the risks faced and implemented measures to address them, including leveraging on international group information and technology for CDD, EDD on PEPs, and transaction monitoring (MER §258). FIs and MCs were able to demonstrate implementation of key compliance measures including record keeping, internal controls, employee screening, wire transfers, and training (MER §258). However, the preventive measures set out in law had several technical deficiencies and many requirements were contained only in Guidance Notes or the FSC Code — which varied in terms of enforceability (MER §258). Most DNFBPs, with the exception of MCs, were unaware of or had not implemented preventive measures to mitigate ML risks (MER §258). STR reporting by firms in the global business sector and the DNFBP sector was low, indicating a lack of effectiveness in the STR regime given the size of the sectors and ML/TF risk exposure (MER §258). Mauritius achieved a moderate level of effectiveness for IO.4 (MER §259).

Legal persons and arrangements (IO.5: Low): Mauritius had not yet assessed vulnerabilities and risks associated with legal persons and arrangements at the time of assessment (MER §308, §318). LEAs were required to obtain a court order to access confidential information from Global Business Companies, and the categorisation of limited specific offences for which such orders could be sought (drug trafficking, arms trafficking, or ML) hampered investigations into other serious offences including terrorism and TF (MER §314). Information on private trusts was not readily available as private trusts were not required to be registered; the full extent of the risk associated with trusts could not be fully determined (MER §315). The authorities had not applied sanctions in cases where accurate records had not been maintained (MER §318). Mauritius achieved a low level of effectiveness for IO.5 (MER §319).

ML investigation and prosecution (IO.7: Moderate): Potential ML cases were being identified through various sources and investigated using different investigative techniques. However, there was no evidence of direct correlation between the types of ML investigations and the risk profile of Mauritius — which is primarily related to drug crime proceeds — with corruption-related ML cases being more frequently investigated than drug-related ML despite drug trafficking being assessed as posing the highest risk (MER IO.7 Key Findings §1). LEAs carried out limited parallel financial investigations alongside investigations into predicate offences, particularly corruption and drug trafficking (MER §9). Tax evasion as a predicate offence was rarely investigated and prosecuted (MER §9). No prosecution-led investigations existed in any LEA that could properly guide investigators on evidence needed (MER §153). Mauritius achieved a moderate level of effectiveness for IO.7 (MER §154).

5th Enhanced FUR (September 2022) — TC only; IO effectiveness ratings not addressed: The 5th FUR assessed progress on a single Recommendation only: R.15 (new technologies/virtual assets). Since the MER, 29 Recommendations had been re-rated to LC or C through prior FURs, but R.15 had been downgraded from C to PC (in December 2020) after the FATF’s June 2019 revision of R.15 introducing VASP obligations came into force (5th FUR §5, §8–9). In the 5th FUR, Mauritius is re-rated Largely Compliant with R.15 following: a national ML/TF risk assessment completed in 2021 identifying VA/VASP risks as Very High; enactment of the Virtual Asset and Initial Token Offerings Services Act 2021 (VAITOS Act); designation of the FSC as VASP supervisor; and issuance of AML/CFT guidelines for VASPs (5th FUR §10–12). Minor deficiencies remain: no VASP licence had yet been issued by the FSC at the time of the assessment, preventing determination of whether supervision was truly risk-based; only seven individuals had been identified as potentially conducting unlicensed VASP activities; and VASPs remained subject to some wire transfer gaps relating to intermediary institution obligations (5th FUR §10–12). The FUR does not analyse any progress on effectiveness; all IO ratings from the 2018 MER are unchanged. Mauritius remains in enhanced follow-up (5th FUR §1, §16).
Key MER + FUR findings — attributable to source
  • GBC sector USD$660.2bn total assets; nearly 60x GDP; foreign proceeds risk explicit (MER §2, §39, §41): 21,443 global business entities with USD$660.2 billion in total assets. Non-resident customers include PEPs, HNW individuals, and complex corporate structures. Assessors identified that inflows could represent proceeds of tax evasion, public sector corruption, and fraud committed outside Mauritius. Financial and insurance services had become the largest contributor to Mauritian GDP.
  • FSC supervision inadequate for global business sector scale (MER §19, §305, IO.3 Low): FSC did not have adequate capacity to carry out AML/CFT compliance monitoring given the large size of the global business sector. 1,699 FIs in the global business sector; supervision resources assessed as insufficient relative to sector size and ML/TF risks. DNFBP supervision (excluding MCs) had not yet started. No DNFBP regulator had issued any AML/CFT sanction.
  • Compliance risk concentrated in management companies; conflict of interest risk (MER §15, §52): AML/CFT compliance for global business FIs is carried out almost entirely by management companies (MCs). One MC officer reported a portfolio of 118 global business entities; another MC handled compliance for 2,000 entities (FIs and DNFBPs) with lean compliance departments of fewer than five persons in some MCs (MER §52). Some banks refused business referred by MCs citing variable standards; FSC sanctions were dominated by MCs (MER §15).
  • BO information access limited for non-drug/ML offences; private trusts unregistered (MER §314, §315, §319, IO.5 Low): LEAs required a Supreme Court order to access GBC beneficial ownership information, and orders were only available for drug trafficking, arms trafficking, or ML — excluding terrorism and TF. Private trusts not required to register; beneficial ownership information on them was not captured by any authority. Mauritius achieved Low effectiveness for IO.5.
  • ML investigations not correlated to drug trafficking risk; tax evasion rarely pursued (MER §9, §153, IO.7 Mod): Corruption-related ML more frequently investigated than drug-related ML despite drug trafficking being the highest-risk predicate. No prosecution-led investigations existed in any LEA. Tax evasion as a predicate offence rarely investigated. Records shared by the authorities contained no ML cases involving a foreign predicate offence (MER §7).
  • 5th FUR (Sep 2022): R.15 re-rated PC→LC for VASP framework; IO ratings all unchanged (5th FUR §1, §13–16): VAITOS Act 2021 enacted; FSC designated as VASP supervisor; national VASP risk assessment completed (risks rated Very High). Minor deficiencies remain: no VASP licence yet issued; only seven potential unlicensed VASPs identified; intermediary wire transfer obligations gap. FUR does not address effectiveness. Mauritius remains in enhanced follow-up.
Sources: ESAAMLG Mutual Evaluation Report, Mauritius, July 2018 (onsite 5–16 June 2017); ESAAMLG 5th Enhanced Follow-Up Report & Technical Compliance Re-Rating, Mauritius, September 2022 (approved ESAAMLG Task Force September 2022). IO ratings from MER Effectiveness Ratings table (p.14); all confirmed unchanged by 5th FUR §1 (FUR does not analyse effectiveness) and §16 (continued enhanced follow-up). 5th FUR §5 summarises all prior TC re-ratings.
🇲🇪
Montenegro
MONEYVAL 5th Round MER December 2023 (onsite 6–17 March 2023) | MONEYVAL 1st Enhanced FUR & TC Re-Rating December 2025 (TC only)
D: 17/50 V: 24/50 41
Destination
Vulnerability
IO.1: SE IO.2: SE IO.3: ME IO.4: ME IO.5: ME IO.7: ME MONEYVAL
Destination risk — Balkan-route transit with domestic laundering via real estate (MER §§3–8, §§19–21, §39): Montenegro is characterised by the assessors principally as a transit country on the “Balkan route” and as a venue for domestic laundering of OCG proceeds rather than as a primary destination for foreign corrupt proceeds. The NRA identifies international drug trafficking, loan sharking, and tax evasion as the main ML threats (MER §3). The most frequently documented ML method is investment in real estate: OCGs use cash and legal entity structures to purchase immovable property, and the real estate sector — which the MER estimates contributes around 13% of GDP (MER §34) — is rated among the most vulnerable sectors (MER §8). Most FDI originates from the Russian Federation, Italy, Switzerland, Serbia, and Malta (MER §31).

Citizenship by Investment Scheme and foreign FDI flows (MER §9, §27): Between 2019 and 2022 Montenegro operated a CBI Scheme under which 815 foreign nationals — predominantly Russian and Chinese — obtained Montenegrin passports through real estate purchases or donations to underdeveloped areas (MER §9). The assessors specifically scoped the CBI programme for heightened risk scrutiny, examining the robustness of ML controls, the provenance of invested funds, and end-use of proceeds (MER §27). The programme has been discontinued but its legacy transactions fall within the review period.

ML from foreign predicates insufficiently pursued; limited stand-alone and third-party ML (MER §302, Table 3.20; Ch.3 Recommended Actions (c)): Out of six ML convictions (in four cases) across the entire 2017–2022 review period — against five natural persons and one legal entity — only one involved laundering of foreign proceeds (MER §302, Table 3.20). There were zero stand-alone and zero third-party ML convictions. The assessors recommended Montenegro “significantly improve the identification, investigation and prosecution of all types of ML, including focusing more on third-party ML, stand-alone ML, ML with foreign predicate offence and misuse of legal persons” (MER Ch.3 Recommended Actions (c), p.62). ML investigations and prosecutions are characterised as reflecting Montenegro’s risk profile “to a limited extent” only (MER §300, p.96).

Corruption as both structural and predicate threat (MER §§6, §19): Transparency International ranked Montenegro 65th/180 with a score of 45/100 in 2022. GRECO identifies corruption as a serious problem across public, private, and business sectors. The assessors scoped corruption for heightened scrutiny (MER §19), noting that OCGs use it to penetrate law enforcement, prosecution, and judiciary (MER §6). Despite 182 cases and 223 persons convicted for corruption and bribery during the review period as predicate offences (MER Table 3.18), no ML conviction from corruption proceeds is separately recorded.

IO.4 Moderate — preventive measures uneven across sectors (MER §§568–570): Banks and MVTSs implement generally effective controls; banks demonstrate good ML risk understanding (MER §568). DNFBPs are a significant gap: real estate agents and casinos show negligible ML risk understanding; lawyers and notaries demonstrate inadequate preventive measures; STR reporting is low across all sectors. Most reporting entities identify BOs by relying exclusively on the CRBE without additional verification (MER §568). IO.4 is rated Moderate (MER §570).
Key vulnerability findings — attributable to source
  • IO.3 Moderate — DNFBP supervision effectively absent outside banking (MER §§695–700): The CBM has established an adequate risk-based supervisory framework for banks. Outside the banking sector, supervision of lawyers, notaries, casinos, and CSPs is inadequate. The Bar Association and Notary Chamber have limited sector-specific risk understanding; AML/CFT supervision of lawyers is absent and limited for notaries. The Ministry of Interior’s supervisory work is hampered by scarce resources, absence of a systematic risk-based model, and inability to identify CSP providers falling under its remit. Other DNFBP supervisors take no supervisory or enforcement action (MER §697–699). Montenegro rated Moderate for IO.3 (MER §700).
  • Trust services and TCSP scope outside AML/CFT obligations (MER §34; FUR1 R.22 §2, R.25 §§3–4): Trust services are not subject to AML/CFT obligations or supervision. Lawyers and notaries involved in setting up or servicing foreign trusts are not designated reporting entities and are not subject to CDD obligations. Only providers of company formation and fiduciary services are designated REs. Following the 1st FUR, R.22 and R.23 were upgraded to LC, but the trust service and foreign-trust lawyer gaps persist as residual deficiencies. R.25 (BO of legal arrangements) remains PC (FUR1 Table 1).
  • BO register largely unpopulated; nominee director/shareholder risk unaddressed (MER §§759–762; FUR1 R.24 §§35–37): At the time of the on-site visit, only 32 of 37,608 entities required to file BO information had complied with the CRBO (MER §759). Overreliance on self-declarations, limited verification, and absence of sanctions undermine register integrity. Mechanisms to prevent the misuse of nominee directors and shareholders are absent. The managers-as-BOs loophole (senior management identified as BO where it is “not possible” to identify a BO, rather than where no natural person exists) persists (FUR1 R.10 §19(c), R.24 §28). R.24 remains PC (FUR1 Table 1).
  • Sanctions not proportionate or dissuasive; three-year prescriptive period (MER R.35; FUR1 R.35 §§1–11): Misdemeanour fines for AML/CFT breaches are limited (EUR 5,000–20,000 for legal persons in ordinary cases, FUR1 R.35 §6). TFS sanctions (EUR 1,000–40,000 for legal persons, FUR1 R.35 §2) are rated disproportionate. A three-year prescriptive period prevents initiation of misdemeanour proceedings where time has elapsed, materially limiting enforcement (FUR1 R.35 §8). “Responsible person” liability does not capture all directors and senior management (FUR1 R.35 §10). R.35 was not upgraded in the 1st FUR and remains PC.
  • ML investigations and convictions well below risk profile (MER §300, §302, Table 3.20; IO.7 Moderate): Six ML convictions (in four cases) over the 2017–2022 review period; all for self-laundering save one foreign-predicate case. No stand-alone, third-party, or corruption-proceeds ML conviction. Assessors describe the lack of pursuit of ML from high-risk predicates including organised crime, drug trafficking, smuggling, and corruption as “concerning and not in line with the risk profile of the country” (MER §300). IO.7 is rated Moderate.
  • R.19 (higher-risk countries) and R.28 (DNFBP supervision) remain PC post-FUR (FUR1 Table 1): R.19 remains PC: no legal basis for FATF countermeasures; FIU publication of high-risk jurisdictions is discretionary. R.28 remains PC: no fit-and-proper controls preventing criminal associates from infiltrating casinos; DNFBP supervisory authorities lack risk-based supervisory frameworks; no information on licence withdrawal powers for lawyers and notaries; real estate agents, DPMSs, and other professionals not subject to entry requirements (FUR1 Annex A, R.28 §§9).
  • 1st Enhanced FUR (December 2025) — 13 Recommendations upgraded, TC-only (FUR1 §§11, 14–15): The 1st FUR upgraded R.6, R.7, R.8, R.10, R.13, R.15, R.16, R.17, R.18, R.22, R.23, R.26, and R.33 — primarily reflecting the new Law on Restrictive Measures (December 2024) and the revised LPMLTF (March 2025). R.8 moves from NC to PC (NPO TF risk assessment conducted, though featuring and types of at-risk NPOs remain underidentified). R.19, R.24, R.25, R.28, and R.35 remain PC. The FUR assesses TC only and does not revise IO effectiveness ratings (FUR1 §4). Montenegro remains in enhanced follow-up (FUR1 §15).
Sources: MONEYVAL 5th Round MER, Montenegro, MONEYVAL(2023)26, adopted December 2023 (onsite 6–17 March 2023). IO effectiveness ratings from MER Effectiveness Ratings table (p.16): IO.1 SE, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 ME, IO.6 ME, IO.7 ME, IO.8 ME, IO.9 ME, IO.10 ME, IO.11 ME. TC ratings from MER Technical Compliance table (p.16). 1st Enhanced Follow-up Report & Technical Compliance Re-Rating, Montenegro, MONEYVAL(2025)23, adopted 16–18 December 2025 (TC only — IO effectiveness ratings not reassessed). All paragraph references are to the MER unless prefixed FUR1.
🇪🇪
Estonia
MONEYVAL 5th Round MER December 2022 (onsite Apr–May 2022) | 1st EFUR Dec 2024 | 2nd EFUR Dec 2025 (TC only)
D: 16/50 V: 25/50 41
Destination
Vulnerability
IO.1: ME IO.3: ME IO.4: ME IO.5: ME IO.7: ME MONEYVAL
Destination risk (MER §2, §6–8, §15–17, §29–35; IO.1: Moderate): The MER describes Estonia as “a transit country for the concealment of ML and for the concealment or conversion of the origin of assets acquired by criminal activity,” facing ML threats “primarily from proceeds of crime committed abroad and less frequently domestically” (§2, §6). Prevailing ML patterns involve legal persons, money mules, wire transfers, cash deposits/withdrawals, and physical cross-border cash flows. Estonia is “particularly exposed to threats related to fraud and internet fraud (embezzlement) committed abroad, as well as tax offences committed in the neighbouring countries” (§6). Two features distinguishing Estonia’s ML/TF risk profile generate materiality well beyond the country’s EUR 27.4 billion GDP. First, the e-Residency programme — the world’s first — had issued approximately 92,000 digital IDs to nationals of over 170 countries by April 2022, with e-Residents having established around 21,900 companies in Estonia (§30). The assessment team identified e-Residents from FATF-listed jurisdictions including two from North Korea, and documented gaps in background check procedures for applicants from countries with no cooperation relations with Estonia (§30). Second, Estonia was among the first countries globally to license VASPs from 2017, leading to explosive growth: 2,447 licences issued to 1,308 unique providers by end-2019 (§34). Despite mass revocation reducing this to approximately 381 valid licences by end-2021, VASP-mediated services increased nearly eightfold to EUR 20.3 billion in 2020–21, with 4.8 million clients (§35, §65). The MER assessors concluded that “ML/TF risks emanating from such [VASP] vulnerability have the potential of affecting risk profiles of other countries of the region and in wider geography” (§35). The banking sector mediates approximately EUR 132 billion in cross-border payments annually — 11th in the EU by cross-border payment volume relative to population (§27, §64). Four banks were found to have committed serious AML/CFT violations over the review period, including two criminal investigations and one branch closure (§18, §64). IO.1 is rated Moderate (§153).

Supervisory vulnerability (IO.3: Moderate; MER §18–19, §706): The EFSA’s licensing process for FIs is described as “overall quite comprehensive” and its supervisory capacity has been increasing (MER key finding i). However, “for much of the period under review, the EFIU’s procedures were less effective, evident particularly in the VASP sector” — the EFIU had supervisory responsibility for VASPs throughout most of the review period (MER key finding i). The supervisory regime suffers from a sanctioning framework with “a series of limitations, particularly regarding the ability to effectively impose financial penalties”; supervisors rely heavily on warnings, remediation plans, and licence withdrawal; “overall, the applied sanctions cannot be considered to be effective, proportionate and dissuasive” (§20, §706). The sanctioning limitation was a structural constraint identified in the NRA itself (§26). Self-regulatory bodies (SRBs) supervising DNFBPs “were able to explain some risks, however the explanations lacked depth or real appreciation of those risks with some matters being dismissed altogether without a convincing rationale” (§19). IO.3 is rated Moderate (§706).

Preventive measures (IO.4: Moderate; MER §15–17, §558): The banking sector has a good understanding of ML risks and “preventive measures in the banking sector are steadily improving since 2020” following significant AML/CFT compliance investment (§15). However, “VASPs demonstrated a rather superficial understanding of risks and general mitigating measures applied,” with control systems “overall insufficient” despite increased supervisory attention since 2020 (§16). CSPs “demonstrated insufficient risk understanding and less effective preventive measures” with STR reporting levels described as “alarmingly low” (§17). Understanding of TF risk was “generally lower across all sectors.” For much of the review period, 70% of all STRs were filed by the banking sector alone (MER key finding h; §558). The assessment team concluded major improvements were needed and IO.4 is rated Moderate (§558).

Legal persons and beneficial ownership (IO.5: Moderate; MER §21, §29–31, §71, §758): The e-Residency programme and CSP sector create compounding BO transparency risks. Around 75% of Estonian VASPs have a CSP among their associated persons; CSPs also offer nominal board member and shareholder services, which the MER notes some firms “advertise the offering of such illegal nominal persons publicly on their websites” (§34). Forty percent of companies with factual characteristics of providing corporate services operate without a valid licence (§71). The MER identifies that measures “do not fully enable availability of adequate, accurate and current BO information” — the large share of e-Resident-connected companies, significant involvement of licensed and non-licensed CSPs, “on the background of poorly designed and vaguely understood CDD measures implemented by them are factors with adverse impact on the quality of BO information” (§21). “There are no enforceable measures (for supervisors) or practices (for all competent authorities) to obtain basic and BO information from companies. Estonia does not apply sanctions, that are fully effective, proportionate and dissuasive” (§758). IO.5 is rated Moderate (§758).

ML investigations (IO.7: Moderate; MER §9, §22, §290): The number of identified and investigated ML cases is “relatively low mainly due to the limited interpretation of the ML offence by the Supreme Court” — the Supreme Court’s restrictive interpretation in certain cases narrowed the legislative threshold, hindering further investigations and prosecutions (§9; MER key finding c). Sanctions for ML are “not effective and dissuasive since they are low for natural persons and very low for legal persons, with imprisonment of natural persons usually suspended” (§289). The majority of ML investigations, prosecutions and convictions are for third-party ML in relation to foreign predicate offending (§9). Concerns remain about whether domestic high-proceeds-generating offences are being sufficiently considered to investigate potential ML (MER key finding c). IO.7 is rated Moderate (§290).

2nd Enhanced FUR technical compliance (December 2025 — TC only; IO ratings unchanged): The 2nd EFUR states it “does not address what progress a country has made to improve the effectiveness of changes” (FUR §4). Only R.7 and R.15 were re-rated: R.7 PC→LC (PF TFS framework strengthened including ISA amendments, new EFIU sanctions guidance, and bridging mechanism for UNSCR implementation before EU transposition; minor residual deficiencies on freezing scope and misdemeanour sanctions); R.15 PC→LC (MiCAR/MCAA entered into force July 2024, EFSA designated as CASP supervisor from January 2025, VA transfer rules addressed by EU Regulation 2023/1113; remaining deficiencies include NRA results on new technologies not yet adopted and certain sanction limits by EFIU). As at the 2nd EFUR, 12 Recommendations remain PC: R.1, R.8, R.13, R.19, R.20, R.21, R.23, R.24, R.25, R.28, R.33, R.35. Estonia remains in enhanced follow-up and is expected to report back in one year (FUR §15).
Key MER findings — attributable to source
  • e-Residency programme: 92,000 IDs issued; e-Residents from FATF-listed jurisdictions including DPRK nationals (MER §30): Estonia’s e-Residency programme — the world’s first — had issued digital IDs to nationals of over 170 countries, including persons from countries on the FATF black and grey lists. Two e-Residents from North Korea and one company established by them were on record as of January 2022. Background check procedures were found inadequate for applicants from countries lacking cooperative relations with Estonia, and revocation of digital IDs of e-Residents who committed crimes abroad was deficient.
  • VASP sector: EUR 20.3 billion in mediated services; 75% have a CSP as associated person; risks affect other countries (MER §34–35, §65): Despite mass licence revocation reducing providers from 2,447 to ~381, VASP-mediated services increased nearly eightfold. Over 80% of VASPs have only one Estonian person among their associations; nearly 75% have a CSP as an associated person including nominal board members. Most VASPs have 1–2 employees or none in Estonia. The assessment team concluded that VASP vulnerabilities “have the potential of affecting risk profiles of other countries of the region and in wider geography.”
  • Supreme Court restrictive ML interpretation; sanctions low and predominantly suspended (MER §9, §290): The Supreme Court’s interpretation of the ML offence in certain cases was narrower than the legislative threshold, directly hindering investigations and prosecutions. Sanctions for ML convictions are low for natural persons and very low for legal persons; imprisonment is usually suspended. This is a structural vulnerability acknowledged in the NRA.
  • CSP sector: 40% unlicensed; advertised illegal nominee services; alarmingly low STR reporting (MER §17, §71): Forty percent of companies with factual characteristics of providing corporate services operate without a valid licence. Some licensed CSPs and law firms openly advertise illegal nominal person services. STR reporting by CSPs was described as “alarmingly low.” CSPs are the most important DNFBP sector in the Estonian context given their role in e-Residency and VASP formation.
  • Four banks with serious AML/CFT violations; banking sector mediates EUR 132 billion in cross-border payments (MER §18, §64): Four banks were identified with serious AML/CFT violations during the review period. Criminal investigations were initiated against two; one branch was closed and one licence was withdrawn. Estonia ranks 11th in the EU by cross-border payment volume relative to population, creating a material foreign-proceeds channel.
  • Sanctioning framework structural weakness: no administrative fines; misdemeanour limits too low (MER §20, §26): The NRA itself identifies the lack of an administrative fine as a sanction as having “a negative effect on the efficiency of supervision.” Maximum fines under misdemeanour proceedings are insufficient. Supervisors rely heavily on informal measures. The sanctioning regime was found ineffective, disproportionate and non-dissuasive across FI and DNFBP supervision.
  • 2nd EFUR: R.7 and R.15 re-rated PC→LC; 13 Recommendations still PC; IO ratings unchanged (FUR Table 1, §14–15): The 2nd EFUR adopted December 2025 re-rated only two Recommendations. R.7 and R.15 now at LC following MiCAR/MCAA implementation and ISA amendments. The FUR does not assess effectiveness. 12 Recommendations remain PC including R.1, R.8, R.13, R.19–21, R.23–25, R.28, R.33, R.35. Estonia remains in enhanced follow-up.
Sources: MONEYVAL 5th Round MER, Estonia, MONEYVAL(2022)11, adopted December 2022 (onsite 25 April–6 May 2022). IO effectiveness ratings from MER Effectiveness & Technical Compliance Ratings table (p.14): IO.1 ME, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 ME, IO.6 SE, IO.7 ME, IO.8 ME, IO.9 ME, IO.10 ME, IO.11 SE. 2nd Enhanced Follow-up Report & Technical Compliance Re-Rating, Estonia, MONEYVAL(2025)22, adopted 70th Plenary 16–18 December 2025 (TC only — IO effectiveness ratings not reassessed). All paragraph references are to the MER unless prefixed FUR.
🇷🇸
Serbia
MONEYVAL 6th Round MER December 2025 (onsite May 2025) | No FUR adopted — regular follow-up
D: 23/50 V: 18/50 41
Destination
Vulnerability
IO.3: SE IO.4: ME IO.5: SE IO.7: SE IO.8: SE MONEYVAL
Destination risk (MER §1, §c, §19): The main ML threats are tax crimes, corruption, drug trafficking, organised crime and fraud, generating an estimated €1 billion in criminal proceeds annually (§1). ML schemes typically involve front companies, false invoicing, and investment in high-value assets such as real estate and vehicles. Banks are the most exposed sector, followed by real estate and accounting services, with emerging vulnerabilities in online gaming and virtual assets (§1). The financial system is described as “primarily domestic and of limited size” but the MER notes that “gradual outward expansion, particularly through real estate, has increased exposure to laundering risks” (§1). Critically, the involvement of Serbian nationals in transnational organised crime groups is flagged as a key context factor — Serbian OCGs operate across Europe and internationally, with proceeds flowing back (§c). ML cases prosecuted with a foreign predicate offence “remain rare” and are identified as a sector requiring improvement, “taking into consideration the external threat linked to OCGs as well as Serbian OCGs operating abroad” (§19). The 2021 and 2024 NRAs are assessed as comprehensive and of good quality, providing solid risk analysis across sectors. Corruption’s full impact on the AML/CFT regime needs fuller consolidation (§a).

Financial sector supervision (IO.3: Substantial; §10–11): Serbia has a comprehensive licensing and registration framework for FIs and VASPs with systematic fit-and-proper checks. The NBS demonstrates a “particularly advanced understanding” of ML/TF risks in the banking sector and applies a risk-based supervisory methodology with annual banking inspections (§10, §e key finding). VASP supervision, initiated in 2022, already includes both off-site monitoring and on-site reviews (§11). A wide range of enforcement measures is available and applied — from written warnings to pecuniary sanctions and licence suspensions. The main gap: “the number and monetary value of fines remain limited compared to sector size and risk exposure, particularly for banks and exchange offices, somewhat reducing the overall deterrent effect” (§11). Securities Commission has faced capacity constraints since 2022 (§10).

DNFBP supervision and preventive measures (IO.4: Moderate; §12–13): The principal gap is the legal profession: the Bar Association “lacks sufficient evidence of an updated risk understanding” and its supervision “remains minimal” — lawyers have filed zero SARs since 2023, which the AT describes as “concerning and pondered more heavily” given the sector’s importance (§12–13). Notaries, online casinos, the Market Inspection and APML show reasonable to good ML/TF risk understanding and supervisory engagement, but the Notary Chamber has not fully focused on higher-risk entities and CDD/BO breaches continue (§12). GCA on-site supervisory coverage is limited despite the rapid growth of online gaming (§12). Real estate brokers and accountants show persistently low SAR reporting (§13). F&P checks are not applied by the Bar Association (§d KRA).

Beneficial ownership / legal persons (IO.5: Substantial; §14–16): Serbia has a solid framework for transparency of legal persons, supported by interconnected SBRA databases. Banks play a key role in maintaining BO accuracy through CDD and ongoing verification, often detecting concealment attempts (§15). Mandatory bank accounts for all registered entities, cross-verification between SBRA, NBS and Tax Administration, and public availability of business and BO registers are notable strengths (§15). The residual gap is that “moderate gaps remain in effectively preventing and mitigating the more prominent modalities of misuse of legal persons (i.e. via strawmen, or phantom/launderer companies)” (§15). Very few criminal actions have been taken for false BO submissions (§16). R.25 remains PC — express trusts cannot be formed under Serbian law and the framework for foreign trusts is developing (§16).

ML investigation and prosecution (IO.7: Substantial; §19–20): Serbia has significantly improved ML outcomes since its last MER: both self-laundering and third-party ML cases are now prosecuted, and stand-alone autonomous ML prosecutions — which were absent at the last evaluation — are now a notable feature (§19). Convictions are on the rise with the majority involving third-party and autonomous ML cases linked to serious underlying criminality (§20). Sanctions are generally proportionate and dissuasive. The remaining gap is foreign-predicate ML: results on ML prosecuted with a foreign predicate offence “remain rare” and need improvement in the context of Serbian OCG transnational exposure (§19). Serbia is placed in regular follow-up — a significant improvement from enhanced follow-up in all previous rounds.

Asset recovery (IO.8: Substantial; §21–22): Financial investigations are routinely conducted in parallel with predicate crime investigations. Serbia seized approximately EUR 133 million and confiscated approximately EUR 109 million between 2019 and 2023 — described as “a notable result though still below the estimated criminal proceeds” (§21). Cross-border cash declaration enforcement by Customs is effective and dissuasive (§22). The legislative framework has not been updated since 2019 and management of virtual assets remains outside the Directorate’s remit (§21). International approach to identifying, freezing and sharing assets abroad is “not adequately proactive” given Serbian nationals’ involvement in transnational OCGs (§c).
Key MER findings — attributable to source
  • €1bn+ annual criminal proceeds; Serbian OCGs operate transnationally; foreign-predicate ML rare (MER §1, §c, §19): Tax crimes, corruption, drug trafficking, organised crime and fraud generate ~€1 billion annually. Serbian OCG transnational involvement explicit; real estate expansion increasing laundering exposure. ML with foreign predicate “remains rare” and is a priority improvement area. Front companies, false invoicing and real estate the dominant ML typologies.
  • Bar Association: zero lawyer SARs since 2023; minimal supervision; no F&P checks (IO.4 ME; MER §12–13, KRA d): Complete absence of SARs from lawyers since 2023 described as “concerning.” Bar Association lacks risk understanding evidence. No F&P checks. Supervision minimal. MER calls for a dedicated competent authority to oversee Bar Chamber. Lawyers’ AML/CFT application “not adequate.”
  • IO.7 SE and IO.8 SE — ML prosecutions rising; EUR 109M confiscated 2019–2023 (MER §19–22): Major improvement from last evaluation. Third-party and stand-alone ML cases now prosecuted and convicted. EUR 133M seized and EUR 109M confiscated over 5 years. Cross-border declaration enforcement effective. Residual gap: foreign-predicate ML under-pursued given OCG exposure abroad.
  • Only 4 PC ratings (R.4, R.8, R.25, R.31); regular follow-up — strongest TC outcome in Serbia’s MONEYVAL history: All 40 Recommendations C or LC except R.4 (confiscation — no NCBC system, thresholds and extended-confiscation gaps), R.8 (NPO identification/monitoring and sanction proportionality), R.25 (BO of foreign trusts), R.31 (financial-investigative powers not available for all predicate offences/ML types). Regular follow-up confirmed — the first time Serbia has not been in enhanced follow-up since its first evaluation.
  • APML disseminations useful but process not formalised — prone to subjectivity (IO.6 ME; MER §17–18): APML has wide database access and produces quality analytical products. But analytical processes are not formalised — “raising concerns about consistency and coherence.” Dissemination decisions “vulnerable to subjectivity.” Only 18 APML staff for analysis, prevention and cooperation combined. CTR analytical process not formalised.
Sources: MONEYVAL 6th Round MER, Serbia, December 2025 (onsite 12–23 May 2025), adopted at MONEYVAL 70th Plenary Meeting, December 2025. IO ratings from Effectiveness & Technical Compliance Ratings table (p.7). TC ratings from same table (p.7). Serbia placed in regular follow-up. No FUR adopted. All paragraph references are to the published MER.
🇬🇮
Gibraltar
MONEYVAL MER December 2019 (onsite April 2019) | 2nd Enhanced FUR May 2024 (TC only) — exits enhanced follow-up
D: 22/50 V: 18/50 40
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.6: LE IO.7: LE IO.8: LE MONEYVAL
↑↑ All 40 Recommendations now LC/C — exits enhanced follow-up (May 2024)
D: ±0 (unchanged — IO ratings not addressed by FURs)   V: −4.5 (improved; gatekeeper/BO Recs R.22, R.24, R.25 and PEP Rec R.12 all upgraded to C/LC in 1st FUR, scoring 0 on V2/V4)
Destination risk (MER §1, §9, §17; IO.7/IO.8: Low): Gibraltar’s financial sector accounts for approximately 20% of GDP and “consists primarily of branches or subsidiaries of international firms” providing services “primarily to non-resident clients, including clients from high-risk jurisdictions” (§1). Most banks offer private banking to high-net worth individuals. The MER identifies that the NRA underestimates “the cross-border threat which Gibraltar faces as an international financial centre” — the risk analysis is affected by “limited analysis of quantitative and qualitative data” regarding external ML threats (§9). The MER’s priority actions call for a more comprehensive assessment of the “ML threat posed by proceeds generated by crimes committed abroad” as a first priority (Priority Actions). Most critically, the MER finds that financial investigations are limited to “providing further evidence in support of the prosecution of domestic predicate crime” — parallel financial investigations “are not pursued in cases where the associated predicate offences occur outside Gibraltar, thus not reflecting the risks the jurisdiction has in its role as a financial centre” (§17). As a direct result, “assets deriving from foreign predicates in complex and international cases remain undetected and therefore the benefit of that crime is neither restrained nor confiscated” (Key Findings, confiscation). Only four ML convictions exist — all for self-laundering involving domestic predicates; no successful third-party or standalone prosecutions have occurred (§17). These weaknesses drive the MER’s three lowest effectiveness ratings: IO.6 (financial intelligence), IO.7 (ML investigation and prosecution) and IO.8 (confiscation) are each rated Low (§191, §217, §264) — the only Low outcomes in the assessment and directly material to whether foreign criminal and corrupt proceeds are detected and seized. Gibraltar’s key exposed sectors — e-money at significant volumes, TCSPs used to create and manage legal persons for non-residents, and private banking for HNWIs — are precisely those most vulnerable to foreign corrupt proceeds.

Supervisory effectiveness (IO.3: Moderate; MER §34–37): The GFSC and Gibraltar Gambling Commissioner have a robust understanding of sectoral risk and apply licencing/screening measures. However, the GFSC relies primarily on Thematic Reviews — at the time of the onsite completed only for TCSPs and e-money sectors. Supervision for the remaining FIs and DNFBPs is “either triggered by events or is based on the general risk score which… includes, but does not focus on, financial crime risk” (§36). The Office of Fair Trading is described as being “in its nascent stage.” In the gambling sector, supervisory plans are informed “primarily by the size of the entities concerned” rather than risk. “In majority of cases sanctions imposed were not proportionate and dissuasive” (§37). Other supervisors — beyond GFSC and GGC — have “an insufficient understanding of ML and TF risks” (§7).

Preventive measures (IO.4: Moderate; MER §30–33): REs’ understanding of ML risk is overall satisfactory, varying across sectors. FIs focus “almost exclusively on sanction screening, without proper consideration of transactions to high-risk countries” — meaning FT risk is not properly understood by banks, e-money providers, or MVTSs (§30). TCSPs demonstrate a good understanding of beneficial ownership concepts, but banks are weaker particularly regarding complex ownership structures and trusts (§32). There are concerns about the number and quality of STRs, with “defensive reporting” in e-money and online gambling sectors (§33). The near absence of STR-triggered investigations raises questions about STR quality (§7). Understanding of TFS and its operational implications “needs considerable improvement across all sectors” (§33).

Beneficial ownership / legal persons (IO.5: Moderate; MER §38–42): Gibraltar has established the RUBO and subjected TCSPs to comprehensive licensing, but “important issues remain, which pose an inherent vulnerability to ML and FT of legal persons and arrangements that can be established in or managed from Gibraltar” (§38). BO information can be obtained from REs and RUBO in a timely manner, but accuracy and adequacy are affected by: lack of explicit record-keeping requirements for BO information; limited scope of information required in the RUBO concerning trusts; and limitations in the information companies must keep (§41). Sanctions for non-compliance with filing requirements are available but limited — applicable only for late submissions and “not proportionate or dissuasive” (§42).

FUR developments (TC only — IO ratings unchanged): The 1st Enhanced FUR (November 2021) upgraded R.1 PC→C, R.11 PC→C, R.12 PC→C, R.13 PC→C, R.22 PC→C, R.24 PC→LC, R.25 PC→C, R.26 PC→C, R.28 PC→C; R.15 C→LC (re-assessed against the new VASP requirements). The 2nd Enhanced FUR (May 2024) upgrades R.36 PC→LC (Merida and TF Conventions now acceded to and implemented, minor gap in Art.16(2) of TF Convention remaining). With all 40 Recommendations now at LC or C, MONEYVAL Rule 23(5) applies: no further reporting required under the 5th round of evaluations. All IO ratings from the MER remain unchanged throughout both FURs.
Key MER + FUR findings — attributable to source
  • International financial centre; NRA underestimates cross-border ML threat (MER §1, §9): Financial sector ~20% of GDP, primarily serving non-resident clients including from high-risk jurisdictions. Private banking for HNWIs, significant e-money volumes, TCSP sector. NRA described as failing to adequately assess the cross-border threat Gibraltar faces as an international financial centre.
  • Foreign predicate assets remain undetected — no parallel financial investigations (IO.7/IO.8 both Low; MER §17, §217, §264): Only four ML convictions — all domestic self-laundering. Parallel financial investigations not pursued for foreign predicates. Assets from foreign predicates “remain undetected and… neither restrained nor confiscated.” IO.7 (ML investigation/prosecution) and IO.8 (confiscation) are both rated Low — LEAs do not reflect the risks of Gibraltar’s role as a financial centre.
  • GFSC/GGC robust; other supervisors nascent; sanctions mostly not dissuasive (IO.3 ME; MER §34–37): GFSC uses thematic reviews but only completed for TCSPs and e-money at onsite; other FI/DNFBP supervision event-triggered or based on general scores. OFT in nascent stage. Sanctions not proportionate or dissuasive in majority of cases.
  • FT risk poorly understood; TFS implementation needs improvement (IO.4 ME; MER §30, §33): Banks, e-money, MVTS focus on sanction screening but not on high-risk country transactions. STR quality concerns across multiple sectors. TFS understanding needs considerable improvement sector-wide.
  • 2nd Enhanced FUR (May 2024): R.36 PC→LC — all 40 Recommendations now LC/C; exits enhanced follow-up: R.36 upgraded following accession to and implementation of Merida and TF Conventions (minor gap in TF Convention Art.16(2) remaining). All IO ratings unchanged throughout. MONEYVAL Rule 23(5): no further 5th round reporting required.
Sources: MONEYVAL MER, Gibraltar, December 2019 (onsite April 2019); MONEYVAL 1st Enhanced Follow-Up Report, Gibraltar, November 2021; MONEYVAL 2nd Enhanced Follow-Up Report, Gibraltar, May 2024 (MONEYVAL(2024)5). IO ratings from MER Effectiveness Ratings table (p.15): IO.1 ME, IO.2 SE, IO.3 ME, IO.4 ME, IO.5 ME, IO.6 LE, IO.7 LE, IO.8 LE, IO.9 ME, IO.10 ME, IO.11 ME — three Low outcomes (IO.6 financial intelligence, IO.7 ML investigation/prosecution, IO.8 confiscation). Confirmed unchanged throughout both FURs (TC-only reports). TC ratings from MER p.15 and 2nd Enhanced FUR Table 1 (p.4).
🇱🇻
Latvia
MONEYVAL 6th Round MER February 2026 (onsite Nov 2024, adopted June 2025) | No FUR — regular follow-up
D: 25/50 V: 15/50 40
Destination
Vulnerability
IO.1: HE IO.3: SE IO.4: ME IO.5: HE IO.6: HE MONEYVAL
Risk profile and destination context (MER §2, §4–10): Latvia’s risk profile has undergone a fundamental transformation since 2017. The country “is no longer a regional financial centre characterised by a banking sector heavily oriented towards servicing non-resident customers” (§4). This transformation, driven by high-level political commitment, is quantifiable: non-resident deposits from outside the EU have decreased by 87%, credit turnover of customers with BOs from high-risk countries has decreased by 95%, and credit turnover linked to shell companies has decreased by 99% (2017–2023 comparison) (§4). The historic “risk profile one” — Latvia as conduit for CIS and Eastern European criminal and corrupt proceeds — no longer poses a significant current threat (§5). Current ML threats now stem predominantly from domestic predicate offences: shadow economy (tax-related crimes, illegal excise goods movement, smuggling), fraud, and corruption (§5). A “risk profile three” also exists: laundering of proceeds of fraud generated abroad and brought into Latvia physically or otherwise transferred to the Latvian financial system (§5). Latvia’s position as an EU external border with Russia and Belarus creates ongoing transit risk for cash, precious metals, and smuggled goods (§6). EU sanctions evasion risk has increased significantly since Russia’s invasion of Ukraine (§7). The shadow economy is estimated at approximately 23% of GDP and tax-related offences carry the only high ML risk domestically (§15, §24). The AT separately examined the unintended consequences of the large-scale bank liquidations, residency-by-investment legacy issues, and FIU reforms (§17–19). Latvia retains one of the most sophisticated and institutionally committed AML/CFT systems in Europe following its post-ABLV reforms.

Financial sector supervision (IO.3: Substantial; §8–9): Latvijas Banka demonstrates “a comprehensive understanding of ML/TF risk in supervised financial sectors which is especially advanced in the banking sector” and has developed “largely effective institutional risk assessment tools widely used for supervisory planning” (§9). Banking supervision has produced a significant reduction in risk since the last evaluation. Application of CDD/EDD and internal controls by FIs “has improved significantly” (§9). A broad range of effective, proportionate, and dissuasive sanctions has been applied to the banking sector; lower sanction numbers for other financial sectors (excluding VASPs) correlate with fewer on-site visits (§9). VASP supervision, initiated with registration requirements, is functioning. The SRS lacks legal powers to prevent criminals from entering the regulated VASP and lending market, though its materiality impact is limited (§8).

DNFBP supervision (IO.4: Moderate; §10–11): The principal gap is that the SRS — the largest DNFBP supervisor, covering independent legal professionals, accountants, and others — produces institutional risk assessments that the AT considers “not consistent with national or sectoral risks”; specifically, “the large majority of institutional risk assessments show a low ML risk” which does not align with national and sectoral risk assessments for those sectors (KRA §a). Accordingly, the SRS’s supervisory effort “may not always be directed to where ML risk is highest” (§10). The Latvian Council of Sworn Advocates (LCSA) does not collect sufficient information to properly risk-assess the ML/TF risk among advocates subject to FATF Standards, and the inspection model “cannot be considered properly risk-based” (§10, KRA §b). Positively, most DNFBPs demonstrate a good understanding of risks and effective AML/CFT implementation; under-reporting is now “focused in the legal sector” (§11).

Beneficial ownership (IO.5: High; §12–14): Latvia has a robust dual-access BO system through the Enterprise Register (ER) and reporting entities. Numerous verification checks by the ER — including use of SRS data — combined with a discrepancy reporting mechanism ensure accuracy of BO data (§12). Authorities demonstrate a good understanding of legal person-related risks and apply targeted, effective mitigating measures (§13). Proportionate and dissuasive sanctions including liquidation and custodial sentences have been applied for non-compliance (§14). R.25 is PC — Latvia does not recognise trusts and exposure to foreign arrangements is assessed as minimal, so this technical gap has low materiality impact (§13).

Financial intelligence and asset recovery (IO.6: High, IO.8: High; §15–18, §c–d): The FIU has undergone “substantial institutional reforms” and is “well resourced with significant IT and human resources” — the AT describes it as a “global leader,” having initiated projects like the International Financial Intelligence Task Force (IFIT) (§7, §15). EUR 3 billion+ in assets seized (primarily linked to the Bank A liquidation), EUR 300 million+ confiscated during the assessment period, mainly through non-conviction-based confiscation (NCBC) which accounts for 98% of proceeds confiscated (§17–18). ML prosecutions and convictions have increased, with the ex-governor of the Latvian Central Bank sentenced to 6 years for bribery (IO.7 case study). Structural challenges remain in prosecuting large-scale ML schemes linked to liquidated banks where offenders are unknown or non-resident (§c).
Key MER findings — attributable to source
  • Latvia no longer a conduit for CIS/Eastern European criminal proceeds — 87% decrease in non-EU non-resident deposits; 99% decrease in shell company turnover (MER §4–5): Fundamental transformation since 2017 driven by political commitment. The “risk profile one” — Latvia as major ML hub for Russian/CIS proceeds — no longer poses a significant current threat. Current ML is predominantly domestic: shadow economy, fraud, corruption. Some residual foreign-fraud proceeds imported via cash or transfer.
  • IO.6 High and IO.8 High — FIU a “global leader”; EUR 3bn+ seized, EUR 300M+ confiscated (MER §7, §15, §17–18): FIU Latvia described as global leader; initiated IFIT project. EUR 3bn+ assets seized (bank liquidation case); EUR 300M+ confiscated via NCBC. Ex-central bank governor sentenced to 6 years for bribery. ML prosecutions and convictions increasing. Legal person ML prosecution still inadequate given risk and context.
  • SRS DNFBP risk assessments misaligned with national risk — “large majority show low ML risk” (IO.4 ME; MER §10, KRA a): SRS supervises independent legal professionals and accountants but its institutional risk assessments show predominantly low ML risk, inconsistent with national and sectoral risk assessments. Supervisory effort not always directed to highest ML risk areas. LCSA advocate supervision not risk-based. Under-reporting now concentrated in legal sector.
  • IO.5 High — robust BO dual-access system; discrepancy reporting; custodial sentences for non-compliance (MER §12–14): Latvia has one of the strongest BO frameworks assessed in this index. Only R.25 is PC (foreign trust technical gap, minimal materiality). Liquidation and custodial sentences applied for non-compliance with BO requirements.
  • Regular follow-up — one PC rating (R.25, low materiality); IO.1 HE — only 1 of 9 IOs not rated SE or HE (MER §3; KRA roadmap): Latvia achieves regular follow-up with a near-perfect effectiveness profile: IO.1, IO.5, IO.6, IO.8, IO.11 all rated HE; IO.2, IO.3, IO.7, IO.9, IO.10 all SE. Only IO.4 is ME. Strongest overall effectiveness profile of any jurisdiction in this index. EU sanctions evasion risk the most material emerging concern.
Sources: MONEYVAL 6th Round MER, Latvia, February 2026 (onsite 4–15 November 2024), adopted at joint FATF/MONEYVAL Plenary 69th Session, June 2025. IO ratings and TC ratings from Effectiveness & Technical Compliance Ratings table (pp.5–6). Latvia placed in regular follow-up. No FUR adopted. All paragraph references are to the published MER.
🇬🇷
Greece
FATF MER June 2019 (onsite Oct–Nov 2018) | No FUR adopted
D: 16/50 V: 23/50 39
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.7: ME IO.6: SE FATF
Destination risk (MER §3, §51, §54, §60, §69): Greece functions primarily as a gateway and transit jurisdiction rather than a classic proceeds destination, but with meaningful inflow risk in specific sectors. Due to its geographical position, Greece is “a gateway to the EU for illegal goods, migrants and refugees” (§3), with smuggling, drug trafficking and migrant trafficking constituting the highest ML threat categories. The NRA assesses national ML risk as medium-high. A specific destination-risk vector is corruption by Greek civil servants: the MER notes that money laundering in serious corruption cases “is mainly affected via accounts held at foreign banks that maintain the strictest bank secrecy laws, via international credit centres in the name of offshore companies and investments in the real estate market,” with some cases resulting in confiscations of hundreds of millions of euros returned to the Hellenic state (§51). Real estate activities comprise 15% of Greek GDP and the sector “can involve significant investment from foreign jurisdictions”; it is identified as a higher-risk sector with a significant number of unauthorised agents operating in it (§44, §69). The Golden Visa Programme — granting residency in exchange for real estate investment — is identified implicitly through the scoping of real estate as higher-risk with foreign inflows, though not analysed at the depth seen in the Portuguese MER. The shipping industry also creates a specific vulnerability: the Greek-owned merchant fleet ranks in the global top five, Greek-registered shipping companies frequently issue bearer shares and use “complex structures established in offshore locations,” and the separate paper-based registry impedes swift access to beneficial ownership information (§37, §65).

Supervisory vulnerability (IO.3: Moderate; §29–34, §358): Bank of Greece and HCMC demonstrate good risk understanding and robust entry controls for FIs, but resource constraints stemming from the financial crisis have “hindered their capacity to use full range of supervisory tools” including on-site inspections (§30). Fines are the only enforcement tool used, and these are assessed as not proportionate or dissuasive (§31). For DNFBPs, the picture is materially worse. Entry controls across DNFBP sectors “are not sufficient to prevent criminals from market entry”; supervisors’ understanding of risk “varies significantly and supervision is largely inadequate, even in higher risk sectors” (§358). There are a large number of unlicensed estate agents, increasing risk that the property market could be used for ML (§33). Most DNFBP supervisory authorities do not provide sector-specific guidance to their firms, with the exception of IAPR — at the time of the onsite, newly enacted L.4557/2018 requirements had not yet been accompanied by any explanatory guidance from the relevant supervisors (§357). Assessors found that Greek authorities provided “no clear evidence that supervision by the authorities has had an impact on compliance with AML/CFT requirements in the DNFBP sectors” (§355). Overall: “major improvements are required to enhance Greece’s effectiveness” in the DNFBP supervisory space (§358).

Preventive measures (IO.4: Moderate; §25–28): FIs have a reasonably good understanding of AML/CFT obligations and ML/TF risk and adequately implement preventive measures risk-sensitively. Banks in particular are rigorous in monitoring customers and beneficial ownership determination using sophisticated electronic systems. DNFBPs present a stark contrast: understanding of ML/TF risks and obligations “is limited among DNFBPs not subject to regular reporting duties or active supervisory monitoring,” particularly lawyers and tax advisers who also provide company formation services (§25). DNFBPs “generally do not seem to apply” mitigating measures on a systematic basis and certain business practices posing risks — notably acceptance of unlimited amounts of cash by securities firms — are observed (§26). STR filing by DNFBPs is “very low in general,” with the exception of auditors and the gaming sector (§28).

Beneficial ownership / legal persons (IO.5: Moderate; §35–38, §370–372, §381): The GEMI electronic registry provides publicly accessible, generally accurate basic information on most legal persons — a genuine positive feature. However, the central BO register was “not operational” at the time of the onsite, having been provided for in law (L.4557/2018) but still in design phase (§36, §370). Over 10,300 companies had issued bearer shares at the time of the onsite; while legislation to abolish them was enacted, thousands remained in circulation and conversion was not due to complete until June 2019–January 2020 (§38, §372). Greek-registered shipping companies represent the most acute gap: their BO records are maintained in a separate, entirely paper-based registry, requiring manual consultation and “impeding swift access to accurate and up-to-date” BO information for a sector that frequently issues bearer shares and uses offshore structures (§37, §381). No sanctions were in force for failure to collect BO information at the time of the onsite (§370, §379). Offshore companies and complex legal arrangements “feature as high-risk factors in most of the sectors analysed” (§362).

ML prosecution and confiscation (IO.7: Moderate, IO.8: Moderate; §14–17): ML investigations are generally consistent with Greece’s risk profile and can be complex. However, prosecution effectiveness is undermined by a structural legal obstacle: the need, in practice, to prove a predicate offence beyond reasonable doubt to establish the illegal origin of funds “limits the ability to prosecute and convict for different types of ML,” particularly foreign predicates, professional money launderers, or facilitators unconnected to the underlying offence (§15). Judicial processes are subject to lengthy delays, and very few ML cases have been tried to conclusion. On confiscation, seizure and freezing tools are used effectively, but very few irrevocable confiscation orders have been made, and delays in appellate processes prevent permanent deprivation of assets (§17).
Key MER findings — attributable to source
  • EU gateway for drug flows and smuggling; corruption ML via offshore structures and real estate (MER §3, §51, §54, §69): Greece is characterised as an EU entry point for illegal goods, migrants and drug trafficking. Corruption ML confirmed via foreign bank accounts, offshore corporate vehicles and real estate. Real estate activities (15% of GDP) attract significant foreign investment; sector is higher-risk with large number of unlicensed agents. Shipping sector (global top-five fleet) uses bearer shares and offshore structures with paper-only BO registry. Golden Visa Programme implies real estate inflow risk from foreign nationals.
  • DNFBP supervision largely inadequate; entry controls insufficient in highest-risk sectors (IO.3; §33–34, §355–358): Bank of Greece and HCMC strong but resource-constrained; on-site inspection frequency reduced. DNFBP entry controls insufficient to prevent criminal market entry. Supervision of lawyers, notaries, accountants, real estate agents “largely inadequate.” No demonstrated supervisory impact on DNFBP compliance. Most DNFBP supervisors provide no sector-specific guidance. Only fines used as sanctions — not proportionate or dissuasive. Unlicensed estate agents a specific concern.
  • BO register not operational; 10,300+ companies with bearer shares; shipping paper registry (IO.5; §36–38, §370–372): Central BO register in design phase, not operational at onsite. Over 10,300 SA corporations with bearer shares still circulating. Shipping BO records entirely paper-based; companies frequently use bearer shares and offshore structures. No sanctions in force for BO collection failures. No comprehensive ML/TF risk assessment of all legal persons.
  • Structural barrier to ML prosecution: predicate proof required beyond reasonable doubt (IO.7; §15): In practice, prosecutors must prove the predicate offence beyond reasonable doubt to demonstrate illegal origin of funds — limiting prosecutions for foreign predicates, professional laundering, and third-party ML. Very few cases tried to conclusion. Judicial delays systemic. Very few irrevocable confiscation orders despite significant assets frozen (IO.8; §17).
  • TC largely strong — only three PC ratings: R.8 PC (NPOs), R.13 PC (correspondent banking), R.32 PC (cash couriers): No Recommendation is rated NC. R.22, R.23, R.24 and R.25 are all rated LC; R.10, R.12 and R.14 (MVTS) are rated C. Main TC deficiencies concern NPO oversight, correspondent banking and cash courier measures. No FUR adopted as of most recent available data.
Sources: FATF MER, Greece, June 2019 (onsite October–November 2018). IO ratings from Effectiveness Ratings table (Executive Summary p.12). TC ratings from Technical Compliance Ratings table (p.12). No FUR has been adopted. All paragraph references are to the published MER.
🇫🇷
France
FATF MER 2022 (onsite June–July 2021) — most recent MER available; no FUR yet
D: 19/50 V: 20/50 39
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: SE FATF
Exceptional enforcement: IO.8 HE, IO.9 HE — EUR 4.7bn/yr confiscated R.8 PC, R.12 PC, R.13 PC
Destination risk (MER §2–3, §41): The MER characterises France as facing “a broad and substantial range of ML risks, mainly from abroad and less frequently domestically, from the proceeds of offences committed in France” — the primary threat is domestically-generated proceeds being laundered (§2). However, assessors identify a distinct and material risk of France serving as a destination: exposure “to ML risks in France from the proceeds of offences committed abroad, particularly with regard to violations of integrity offences (in particular ill-gotten gains)” (§2). This foreign corrupt proceeds risk is elaborated in §3 as covering “violations of integrity offences including corruption, both active and passive, in particular the laundering of the proceeds of corruption by domestic and/or foreign politically exposed persons (PEPs)” — a risk characterised as involving “smaller financial volumes but with a major societal impact.” The MER’s international cooperation chapter confirms the exposure framework: France is “exposed to ML risks in France from offences committed abroad (e.g. ill-gotten gains cases)” in “high-risk sectors (e.g. luxury real estate and luxury goods)” (§41). Priority action (i) calls for more in-depth assessment of risks in real estate and cash sectors, in particular regarding the specific features of DNFBPs. The NRA and sectoral risk analyses are assessed as insufficiently detailed for corruption risk, virtual assets, and real estate, leaving the residual destination risk partially unassessed (§7, priority action i).

Supervisory effectiveness (IO.3: Moderate; MER §33–37): In the financial sector, the ACPR’s risk-based supervision using the SABRE tool (deployed 2018) has become more granular and well-informed, and the AMF’s approach is risk-based. However, the consideration of risks of French FI subsidiaries established abroad “does not seem sufficiently informed” (§34). For the DNFBP sector, supervisory authorities have been designated and regulatory frameworks established, but quality “still needs to be improved” — the risk-based approach, where present, was implemented only after 2019 and “its effectiveness has yet to be demonstrated” (§36). The AMF sanction system, although technically adequate, “suffers from cumbersome procedures which significantly reduces its effectiveness” — only one sanction imposed since 2016 (§37). DNFBP operational sanction implementation is “even more limited” (§37). Between 2015 and 2020, the ACPR imposed sanctions totalling over EUR 100 million — a genuinely dissuasive record for FIs.

Preventive measures (IO.4: Moderate; MER §28–32): FIs generally have a good understanding of ML/TF risks and obligations, though some smaller FIs are limited to NRA conclusions (§28). DNFBP risk understanding “is only average” — inadequate among real estate agents and business service providers, developing for notaries, satisfactory for lawyers (§28). BO identification is undertaken by most FIs and DNFBPs but mainly focuses on capital control, with some relying solely on the RBO to verify information (§30). STR quality and volumes need improvement from DNFBPs — most DNFBP sectors still submit too few STRs, with notaries, casinos, and online gaming as exceptions (§31). Average STR reporting time is relatively long (§31). TFS implementation in smaller institutions may take more than 24 hours after listing (§30). PEP identification by smaller DNFBPs is inadequate (§30).

Beneficial ownership / legal persons (IO.5: Substantial; MER §38–40): Notable efforts including the publicly accessible RBO established in 2017 and legal arrangement registers accessible by competent authorities (§39). GTC cooperation with TRACFIN identifies new typologies. However, associations, foundations, and endowment funds are excluded from the RBO — basic and BO information on these entities is not adequately available (priority action g). Access to information through multiple mechanisms helps authorities overcome register weaknesses but slows down access (§40). Sanctions favouring ex officio deregistration need to be applied more dissuasively (§40).

Exceptional results in enforcement (IO.7 SE, IO.8 HE, IO.9 HE): France prioritises high-end ML cases — an average of 1,100 ML investigations, 1,700 persons prosecuted, and 1,300 ML convictions per year (§13). Confiscation of EUR 4.7 billion per year via multiple mechanisms including CJIP (deferred prosecution agreements), tax penalties, and asset repatriation (§18). Between 2016 and 2020, 172 TF cases investigated, 95 persons convicted for TF (§19). Approximately EUR 1.7 million in assets frozen under TF-related TFS between 2016 and May 2021 — an amount the MER describes as “not very substantial” but consistent with France’s TF risk profile (§370; the Executive Summary §22 prints “EUR 1.7 billion,” but the IO.10 chapter figure of EUR 1.7 million is the internally consistent one). AGRASC is a strong systemic asset, providing support to the judiciary in national and international seizures. IO.8 and IO.9 both rated High — the strongest effectiveness rating available.
Key MER findings — attributable to source
  • Foreign corrupt proceeds (ill-gotten gains) via luxury real estate and luxury goods identified as destination risk (MER §2–3, §41): France exposed to ML from foreign PEP corruption proceeds in luxury real estate and luxury goods sectors. Smaller financial volumes but major societal impact. NRA risk assessment of corruption, real estate, and cash identified as insufficient by assessors.
  • DNFBP supervision nascent for risk-based approach; sanctions operationally very limited (IO.3 ME; MER §36–37): Risk-based approach for DNFBPs implemented only post-2019; effectiveness not yet demonstrated. AMF sanctions cumbersome — one sanction since 2016. DNFBP operational sanctions even more limited. ACPR strong for FIs.
  • DNFBP STR volumes inadequate; TFS implementation delays; PEP identification gaps for smaller DNFBPs (IO.4 ME; MER §30–31): Real estate agents and business service providers inadequate risk understanding and STR filing. TFS implementation may exceed 24 hours. PEP identification insufficient in smaller DNFBPs. R.12 PC — PEP enhanced measures restricted for persons who left position over one year ago.
  • Exceptional enforcement results: IO.8 HE, IO.9 HE (MER §13, §18–19): 1,300 ML convictions/year; EUR 4.7 billion confiscated per year; 95 TF convictions 2016–2020; EUR 1.7 million frozen under TF TFS (IO.10 chapter §370; “not very substantial”). France is one of the most active jurisdictions globally in ML prosecution and asset recovery.
  • 2022 MER; no FUR yet. R.8 PC (targeted NPO oversight reaches only grant-funded humanitarian NPOs), R.12 PC (PEP restrictions), R.13 PC (correspondent banking): Only three PC ratings; otherwise LC/C. France placed in regular follow-up given strong overall performance. IO ratings reflect a highly functioning system with specific DNFBP supervision gaps.
Sources: FATF MER, France, 2022 (onsite June–July 2021). IO ratings and TC ratings from MER Tables 1 and 2 (p.14). All paragraph references are to the published MER. No FUR has been adopted as of the most recent available data.
🇻🇺
Vanuatu
APG MER September 2015 (onsite 26 Jan–7 Feb 2015) | APG 3rd Enhanced Expedited FUR September 2018 (TC only)
D: 6/50 V: 32/50 38
Destination
Vulnerability
IO.1: Low IO.3: Low IO.4: Low IO.5: Low IO.7: Low APG
Destination risk (MER §8–10, §1.1): The MER identifies Vanuatu’s most significant ML threat as the laundering of foreign proceeds of crime — especially foreign tax crimes — exploiting its status as a tax haven and offshore financial centre established in 1971 (MER §8). The draft NRA reviewed by assessors identified ML threats as arising primarily from foreign predicate offences including foreign tax crimes, illicit cross-border currency, domestic bribery and corruption, fraud, and drug offences (MER §10). Confidential information from APG member jurisdictions identified infiltration by transnational organised crime groups as a significant additional threat, including reports that Vanuatu has been used for weapons smuggling and drug transhipment (MER §9). The offshore sector encompasses approximately 3,800 international companies and a hybrid domestic-offshore banking sector; ML/TF risk profiling of this sector had not been carried out and risk-based supervision was absent at the time of assessment (MER §8, §18). Vanuatu also operates a Capital Investment and Immigration Programme (CIIP) which the assessment team identified as streamlining company registration in combination with immigration benefits, increasing offshore sector ML risk (MER §8). A Flags of Convenience register of approximately 94% foreign-owned vessels was identified as largely unregulated and capable of facilitating illegal cross-border movements of goods (MER §9).

Risk, policy and coordination (IO.1: Low): The preconditions for an effective AML/CFT system were assessed as absent. These include a consistent and informed understanding of ML/TF risk, high-level political commitment, a national AML/CFT strategy and policy framework, adequate financial and human resources, and a formal domestic cooperation/coordination structure (MER, Effectiveness §1). At the time of the onsite visit, Vanuatu had not adopted its draft NRA as a government document. The draft NRA did not cover TF risks, did not assess risks associated with all types of legal persons, and was not based on objective national statistics. No national AML/CFT strategy or policy existed, no coordination mechanism was in place, and no plan existed for keeping risk assessments up to date or disseminating results to competent authorities (MER §7–8, Effectiveness §1).

Supervisory vulnerability (IO.3: Low): The VFIU, with only three staff members, was required to perform both core FIU analytical functions and primary AML/CFT supervisory functions for all reporting entities across the entire financial and DNFBP sectors (MER, Effectiveness §3). Due to this resource constraint, the VFIU had no capacity to carry out rigorous due diligence checks at registration or undertake monitoring exercises to identify unregistered entities. The VFIU also lacked the power to remove entities from the register. Few on-site inspections were taking place and those conducted were not risk-targeted. The RBV also had significant resourcing challenges. No formal process existed for the RBV or VFIU to assess ML/TF risks of supervised entities, meaning supervisory priorities were not driven by any risk assessment (MER, Effectiveness §3). Supervisory authorities were unable to demonstrate that their actions improved AML/CFT compliance or discouraged criminal abuse of the financial and DNFBP sectors (MER, Effectiveness §3).

Preventive measures (IO.4: Low): The AML/CTF Act and Regulations came into force in 2014 but many non-bank reporting entities had not yet revised their AML/CFT procedures to comply. The only guidance provided to non-bank reporting entities by the VFIU remained based on the superseded FTRA requirements (MER §21). Preventive measures were strongest at the three domestic commercial banks; offshore banking entities were assessed as inherently more risky and applying less robust CDD measures (MER §23). Within the DNFBP sector, TCSPs creating and providing services to international companies and trusts were identified as of greatest AML/CFT concern — with overall effectiveness of implementation varying widely (MER §24). Casinos and online gaming, while small in number, were assessed as significant risk sectors with no information available on compliance effectiveness (MER §24). STR reporting was assessed as inadequate outside commercial banks and MVTS (MER, Key Findings §8).

Legal persons and arrangements (IO.5: Low): International companies were identified as the highest-risk legal persons. Under section 125 of the International Companies Act (ICA), it was an offence — punishable by imprisonment — for any person, including competent authorities, to disclose information on the shareholding, beneficial ownership, management, or financial affairs of an international company without a court order (MER §26–27, Key Findings). The VFSC collected only limited basic shareholder and beneficial ownership information on domestic companies and none on most domestic trusts. Bearer shares and share warrants for domestic companies were not adequately mitigated. No law applicable to trusts existed in Vanuatu (MER §26–30, Effectiveness §5). There was also some evidence that Vanuatu-based legal persons and arrangements had actually been used by foreign ML enterprises (MER, Effectiveness §5).

ML investigation and prosecution (IO.7: Low): No ML investigations or prosecutions had taken place in Vanuatu despite ML having been criminalised since 2002 (MER, Effectiveness §7). The VPF Transnational Crime Unit (TCU), staffed by four police officers, was responsible for all ML and TF investigations but lacked financial analytical skills. LEAs did not consider ML alongside predicate offences; no internal policy guidelines existed for prioritising financial investigations. The TCU also investigated drug offences with transnational dimensions and other sensitive cases, leaving inadequate capacity for ML (MER §13, Effectiveness §7).

International cooperation (IO.2: Low): Of nine MLA requests received since 2010, only one had been answered and assistance provided, and that response took five months (MER, Effectiveness §IO.2). No outgoing MLA requests had been made since 2010 despite the high-risk foreign-predicate profile. The ICA’s secrecy provisions at section 125 directly impeded Vanuatu’s ability to respond to international requests for beneficial ownership information on international companies without a court order (MER §33). No extradition requests had been received or made. No case management system, clear processes for prioritisation, or secure gateways for information exchange were in place (MER §32–35).

3rd Enhanced Expedited FUR (September 2018) — TC only; IO effectiveness ratings unchanged: The 3rd FUR assessed Vanuatu’s progress on technical compliance following the 2015 MER and 2017 follow-up round. Vanuatu was re-rated on 27 Recommendations, achieving Compliant ratings on R.1, R.2, R.3, R.4, R.5, R.6, R.7, R.16, R.17, R.27, R.31, R.34, R.35, R.36, R.37, and R.39; and Largely Compliant on R.8, R.10, R.14, R.18, R.22, R.23, R.24, R.25, R.33, R.38, and R.40 (FUR §214). Key legislative steps included: passage of the UN Financial Sanctions Act 2017 (addressing TF and PF sanctions, R.6–7); amendment of the POCA to rectify the ‘serious offence’ definition and criminalise foreign tax evasion (R.3–4); the CTTOC Amendment Act 2017 (comprehensive TF offence, R.5); repeal of the ICA secrecy provisions at section 125 (R.24); abolition of bearer shares and share warrants (R.24); and introduction of AML/CTF enforcement measures including penalty notices and compliance directions (R.35, R.27) (FUR §§29–214). R.19 (higher-risk countries) was not re-rated, as no mechanism for countermeasures or EDD for FATF-listed countries was in place (FUR §§96–99). The FUR confirms it does not analyse any progress on effectiveness; all eleven Immediate Outcome ratings from the 2015 MER remain Low. Vanuatu was moved from enhanced expedited follow-up to enhanced follow-up on the basis of its technical compliance progress (FUR §216).
Key MER + FUR findings — attributable to source
  • Foreign predicate offences as primary ML threat (MER §8–10): The most significant ML threat identified is laundering of foreign criminal proceeds — particularly foreign tax crimes — through Vanuatu’s offshore sector. Confidential APG intelligence identifies transnational organised crime infiltration, including weapons smuggling and drug transhipment, as a significant additional threat. All 11 Immediate Outcomes rated Low at MER.
  • ICA secrecy provisions made BO information inaccessible (MER §26–27, IO.5 Low): Section 125 ICA made it a criminal offence for any person including competent authorities to disclose information on international company beneficial ownership without a court order — making Vanuatu’s approximately 3,800 international companies particularly attractive vehicles for ML. Repealed by International Companies (Amendment) Act 2016–2017, per FUR §§111–128.
  • Zero ML investigations or prosecutions despite 13 years of criminalisation (MER, IO.7 Low): No ML investigations or prosecutions had occurred since ML was criminalised in 2002. TCU staffed by four officers with no financial analytical skills; ML not considered alongside predicate offences. No internal guidelines existed for prioritising financial investigations.
  • VFIU — three staff for both FIU and supervisory functions (MER, IO.3 Low): The VFIU operated with three staff members required to perform both analytical FIU functions and primary AML/CFT supervision of all reporting entities across all sectors. No power to remove entities from register; no risk-based supervisory prioritisation; no capacity for rigorous registration due diligence.
  • Capital Investment and Immigration Programme (CIIP) (MER §8): Assessors identified the CIIP as streamlining company registration combined with immigration benefits, increasing the ML risk profile of the offshore sector. Remains active at time of 3rd FUR.
  • MLA — 1 of 9 requests answered since 2010 (MER, IO.2 Low): Only one of nine MLA requests received since 2010 had been completed; response took five months. No outgoing MLA requests made since 2010 despite high-risk foreign-predicate profile. ICA secrecy provisions directly impeded international BO information sharing.
  • 3rd FUR: 27 Recommendations re-rated; IO effectiveness ratings all remain Low (FUR §213–216): Significant technical legislative reform achieved 2016–2018 including UNFSA, POCA amendments (foreign tax evasion criminalised), CTTOC Amendment Act, ICA secrecy repeal, bearer share abolition. R.19 not re-rated (no countermeasures mechanism). FUR does not address effectiveness; all IO ratings unchanged. Vanuatu moves to enhanced (non-expedited) follow-up.
Sources: APG Mutual Evaluation Report, Vanuatu, September 2015 (onsite 26 January–7 February 2015); APG 3rd Enhanced Expedited Follow-Up Report, Vanuatu, September 2018 (adopted APG plenary 26 July 2018). IO ratings (all Low) from MER Table of Effective Implementation of Immediate Outcomes (pp.12–18); confirmed unchanged by 3rd FUR §1 (FUR does not analyse effectiveness). TC ratings post-FUR from FUR §215. FUR §216 confirms move from enhanced expedited to enhanced follow-up.
🇮🇪
Ireland
FATF MER June 2017 (onsite Nov 2016) | 2nd Regular FUR February 2022 (TC only)
D: 16/50 V: 22/50 38
Destination
Vulnerability
IO.4: ME IO.5: ME IO.3: SE IO.2: SE FATF
Destination risk (MER §2, §4, §7–9, §54): Ireland is described as “an important regional and international financial centre” and is among the IMF’s 29 systemically important financial centres (§2). The assessors scoped the investment funds sector as a priority issue: over 40% of global hedge funds’ assets are administered in Ireland, and the financial sector accounts for fund administration totalling trillions in assets under management (§54). The MER identifies the investment funds sector as “a vulnerable area for ML” internationally, noting that “complex ownership structures and reliance on third-parties to undertake customer due diligence complicates the identification of beneficial ownership and could hide potential money laundering schemes” (§4). Payment institutions using Ireland as a passport hub into the rest of the EEA are rated high risk given the high-volume, cash-based nature of transactions and extensive agent networks (§4, §54). While the NRA shows some appreciation of international ML risk, assessors found the focus of law enforcement “appears to be more domestically orientated” and that “the appreciation of international ML risks, particularly complex schemes, was uneven, especially for the private sector entities” (§7, §9). The NRA lacked comprehensive quantitative data on international cooperation flows and did not include a risk assessment of legal persons and arrangements — a significant gap given the scale of Ireland’s corporate sector (§8–9).

Supervisory vulnerability (IO.3: Substantial; §28–31, §284–315): The Central Bank of Ireland (CBI) is assessed as performing well for financial institution supervision: it applies a structured risk-based engagement model, conducts regular on-site inspections, and has a dedicated unit targeting unauthorised financial service providers (§280–281, §285). The critical vulnerability lies with DNFBP supervision. The Department of Justice and Equality (DoJE) is the AML supervisor for the highest-risk DNFBP sectors — TCSPs, property services providers, high-value goods dealers, accountants, and tax advisors — but operates with only 3 full-time and 1 part-time authorised officers to cover 925 registered entities (§314). Assessors found that several categories of entity within DoJE’s remit (TCSPs, HVGDs, tax advisors, external accountants) “are not being supervised for AML/CFT purposes” and that “the frequency and intensity of DoJE inspections” raises concerns (§314). PSMDs (precious stones/metals dealers) received only 6 inspections over 2013–2016 against a population of 451 registered entities (§Table 29). The Law Society and nine designated accountancy bodies rely primarily on self-declarations for fitness and probity checks rather than independent verification (§282). No sanctions were imposed on DNFBP entities by the Law Society or designated accountancy bodies for AML/CFT non-compliance at time of assessment (§320). Overall IO.3: Substantial — with CBI performance driving the rating upward and DoJE structural under-resourcing as the principal gap.

Preventive measures (IO.4: Moderate; §22–27): International FIs — banks, fund administrators, major payment institutions — demonstrate reasonable AML/CFT controls and CDD processes. However, the private sector’s understanding of ML/TF risks is described as “mixed”: DNFBP entities display “less sophisticated” controls and largely manual CDD processes (§24). STR reporting by DNFBPs (TCSPs, PSMDs) is specifically noted as low (§27). There are “concerns on their ability to identify, in a timely and accurate manner, relationships/transactions in relation to PEPs and designated entities” (§25). Some FIs and DNFBPs show “strong reliance on local community networks and knowledge” as a substitute for objective, risk-based CDD analysis (§26).

Beneficial ownership / legal persons (IO.5: Moderate; §32–37): Ireland has publicly available basic and legal ownership information via the Companies Registration Office and the CRO provides “detailed measures to ensure legal persons are created in a transparent manner” (§34). The principal gap at time of assessment: a central beneficial ownership register for companies had been enacted by regulation (15 November 2016) but was not yet operational, meaning access to BO information beyond the immediate shareholder was “currently limited” (§34, §37). Nominee directors and shareholders are permitted; the new BO obligation was designed to require disclosure where nominees are used to effectively control a company, but had not yet entered into force. BO information for trusts was gathered by Revenue for tax purposes but not publicly accessible, and availability was “limited” for express trusts (§35–36). Ireland has “not comprehensively” assessed the risk that legal persons and arrangements may be used to launder illicit proceeds (§33).

ML investigations and confiscation (IO.7: Moderate, IO.8: Moderate; §15–17): Ireland has a strong ML offence legislatively but the assessors found “this has not translated into results at the trial stage” — as of the on-site visit, there had been no convictions for ML after a trial (only 22 convictions through guilty pleas, 2 acquittals) (§16). This was attributed to possible prosecutorial reluctance to test the AML laws or judicial conservatism, which in turn “acts as a disincentive to investigate complex ML cases” (§16). There are “limited examples of successful prosecutions in relation to foreign predicate offences and third-party ML” (§15). On confiscation, the multi-agency Criminal Assets Bureau (CAB) is described as a strong feature; however confiscation results are characterised as “modest within the context of Ireland’s ML risks” and Ireland was “not clearly” tracing assets abroad in cases where proceeds had moved to other jurisdictions (§17).

FUR developments (TC only — IO ratings unchanged; 2nd Regular FUR February 2022): The 2022 FUR re-rates R.22 from PC to Largely Compliant following amendments to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 introduced in 2018, which addressed gaps in CDD obligations for DNFBPs including identification of persons acting on behalf of customers, identification of senior managing officials as fallback BO, and risk-based application of simplified due diligence. Minor deficiencies remain: no obligation to record examinations of complex transactions; third parties still required to make CDD information available “as soon as practicable” rather than “immediately”; private members’ clubs providing gambling remain unlicensed (FUR §§3–5). R.15 remains LC (unchanged): VASPs are registered and supervised by the Central Bank as designated persons under the CJA 2010, with Ireland’s risk assessment rating VASP risks as medium-high for both ML and TF; the threshold for occasional VASP transactions is EUR 15,000 against the FATF-required EUR 1,000 standard (FUR §§6–8). The FUR states it does not address effectiveness improvements.
Key MER + FUR findings — attributable to source
  • Systemically important financial centre; investment funds and payment institution passport hub (MER §2, §4, §54): Ireland is among IMF’s 29 systemically important financial centres; over 40% of global hedge funds administered in Ireland. Complex BO structures and third-party CDD reliance in the funds sector identified as key ML vulnerability. Payment institutions passporting across the EEA from Ireland rated high risk. NRA underestimates cross-border ML risk and omits legal persons risk assessment.
  • DoJE: 3 FTEs supervising 925 DNFBP entities across highest-risk sectors (IO.3; §314–315): DoJE covers TCSPs, PSMDs, HVGDs, accountants, tax advisors with critically limited staffing. PSMDs: 6 inspections vs 451 registered entities 2013–2016. Multiple DNFBP sub-sectors “not being supervised for AML/CFT purposes.” Law Society and nine accountancy bodies rely on self-declarations; no AML/CFT sanctions imposed on DNFBP entities.
  • No ML conviction after trial; limited foreign predicate prosecutions (IO.7; §15–16): All 22 ML convictions via guilty pleas; no conviction after trial; 2 acquittals. Possible prosecutorial and judicial conservatism acting as disincentive for complex financial crime cases. Limited examples of foreign predicate offence ML prosecutions. Confiscation results “modest” relative to risk profile; limited cross-border asset tracing (IO.8; §17).
  • BO register enacted but not yet operational at assessment; nominee structures permitted (IO.5; §34–37): Central register of corporate BO enacted November 2016 regulation but not operational at onsite. BO beyond immediate shareholder “currently limited.” Trust BO not publicly accessible. Ireland has “not comprehensively” assessed misuse risk of legal persons.
  • 2nd Regular FUR (February 2022): R.22 PC→LC only — IO ratings unchanged: R.22 upgraded to LC following 2018 CJA amendments addressing DNFBP CDD gaps (agent identification, senior managing official fallback BO, risk-based SDD). Minor deficiencies remain on complex transaction recording and third-party CDD timing. R.15 unchanged at LC — VASP registration and supervision in place but EUR 15,000 occasional transaction threshold vs. FATF’s EUR 1,000 standard. FUR confirms IO ratings not reviewed.
Sources: FATF MER, Ireland, June 2017 (onsite November 2016); FATF 2nd Regular Follow-Up Report, Ireland, February 2022. IO ratings from MER Effectiveness Ratings table (Executive Summary p.12); confirmed unchanged by FUR (February 2022), which states it does not address effectiveness improvements. TC ratings from MER TC Ratings table (p.12) as updated by FUR Table 2 (p.5). All paragraph references are to the published MER unless prefixed “FUR §”.
🇧🇲
Bermuda
CFATF MER January 2020 (onsite Sep–Oct 2018) | No FUR adopted
D: 23/50 V: 15/50 38
Destination
Vulnerability
IO.1: HE IO.3: SE IO.4: ME IO.5: SE IO.8: LE CFATF
Destination risk (MER §3, §44–46, §51–59): The MER states that Bermuda “is exposed to significant inherent ML risks due to the threat of foreign predicates and the cross-border transfer of funds” (§44). The main predicate offences for ML are international tax crimes, corruption, fraud, drug trafficking, and market manipulation and insider trading (§46). Bermuda is the world’s third largest reinsurance market and the largest domicile for captive insurance, with financial services accounting for approximately 49% of GDP; total assets in the financial sector amount to USD 791.57 billion (§3, §58). Notably, 96% of the overall financial sector market comprises international clients (§56). The 2017 NRA increased Bermuda’s overall ML threat rating from “medium” to “medium-high,” driven by a better understanding of international tax crime (§44). Two significant civil recovery cases involving foreign corruption and fraud resulted in confiscation of over USD 35.25 million, and the two largest ongoing investigations at the time of the onsite relate to critical incidents of foreign corruption (§53). International fraud is assessed as the more significant ML threat — “because of the much higher value of proceeds involved and the actual use of the financial system in Bermuda to launder those proceeds” (§55). The banking, securities, trust and company service provider (TCSP), and corporate service provider (CSP) sectors are assessed as having high inherent ML risk (§3). One important qualification: the dominant reinsurance sub-sector — approximately 80% of financial assets — is assessed by assessors as low ML/TF risk given the nature of catastrophe reinsurance products (§58).

Supervisory framework (IO.3: Substantial; §23–25, §455–458): The Bermuda Monetary Authority (BMA) is characterised as a “strong, professional and well-resourced risk-based supervisor” with robust market entry fit-and-proper controls, sound risk understanding, and effective supervision of the highest-risk financial institution (FI) and TCSP sectors (§24, §455–457). BMA licensing and vetting of beneficial owners (BOs) upon incorporation is a distinctive feature — maintained for decades — with requirements recently extended and enhanced (§28). All supervisors have issued detailed AML/CFT Guidance Notes. The areas of relative weakness are in less material designated non-financial business and profession (DNFBP) sectors: real estate and dealers in precious metals and stones (DPMS) supervision was at “infancy stages” of the risk-based framework at time of the MER (§25). Not all real estate companies had filed suspicious activity reports (SARs) despite registration and outreach. AML/CFT training is not a prerequisite for Compliance Officer or Money Laundering Reporting Officer (MLRO) roles at real estate and DPMS entities (§363). The Registrar of Companies (ROC) Compliance Unit — established April 2017 — was newly mandated to enforce BO registry compliance and needed further resourcing.

Preventive measures (IO.4: Moderate; §20–22, §364–365): The banking sector demonstrates strong preventive measures with robust three-lines-of-defence regimes, board leadership, and adequate budgets for ongoing training. Banks have standardised enterprise and business relationship risk assessments since 2017. Most major FIs and DNFBPs implement customer due diligence (CDD), enhanced due diligence (EDD), correspondent banking, record-keeping, and internal controls appropriately. The primary gaps are in less mature DNFBP sectors: business risk assessments were not consistently produced in all sectors as required; SAR obligations were not fully observed by the real estate and legal sectors. The insurance sector, while dominant by assets, is assessed as requiring AML/CFT obligations only for life insurance products — not the reinsurance sector that constitutes the bulk of assets.

Beneficial ownership / legal persons (IO.5: Substantial; §26–32): Bermuda has significantly enhanced its BO regime with legislation (effective March 2018) requiring companies, LLCs and partnerships to maintain BO registers and file them with the BMA (effective December 2018). The BMA has vetted BOs upon incorporation for decades. Bearer share issuance has been prohibited for over thirty years. BO information is accessible to competent authorities and can be provided in international cooperation. Residual gaps: Private Act Companies (1,173 as at March 2018, roughly 7% of legal persons) are not covered by the BO framework unless registered with the ROC; bearer share warrants may still be traded; effectiveness of the new NLP registration requirement for private trust companies (PTCs) could not yet be assessed (§27, §30–31).

Confiscation (IO.8: Low; §10, §16, §226–228): The IO.8 Low rating is the most significant structural gap. Total criminal and civil recovery over the four-year period 2014–2017 amounted to only USD 8.2 million — described by assessors as “not consistent” with Bermuda’s risk profile as an international financial centre (IFC) exposed to foreign predicates, corruption and international tax crime (§226–227). The fundamental legislative constraint is that Restraint Orders can only be obtained “immediately prior to a charge being laid,” which prevents early asset preservation in complex, long-running financial crime investigations (§10, §16). The two largest ongoing corruption investigations at the time of the onsite had not yet produced any restraint orders for this reason (§16, §226). Cross-border asset recovery and international outgoing cooperation to pursue ML have been sought “only to a limited extent” (§33).
Key MER findings — attributable to source
  • exposed to foreign predicate ML risk: international tax crime, corruption, fraud (MER §3, §44–46, §53–55): MER states Bermuda is “exposed to significant inherent ML risks due to the threat of foreign predicates and the cross-border transfer of funds.” Main ML threats: international tax crimes, corruption/bribery, fraud, drug trafficking. 96% of financial sector clients are international. USD 35.25M+ confiscated from two foreign corruption/fraud cases. Two largest active investigations involve foreign corruption.
  • IO.8 Low — Restraint Orders only available immediately prior to charge; confiscation USD 8.2M over 4 years (MER §10, §16, §226–228): Total recoveries 2014–2017 only USD 8.2M despite IFC status and high foreign predicate threat. Legislative constraint prevents early asset preservation. Two largest ongoing corruption investigations had no restraints at time of onsite. Confiscation results “not consistent” with risk profile.
  • BMA: robust, well-resourced supervisor with decades of BO vetting (IO.3; MER §24, §28): BMA characterised as “strong, professional and well-resourced.” BO vetting upon incorporation maintained for decades; enhanced by new mandatory BO register (March 2018) filed with BMA. Bearer shares prohibited 30+ years. IO.3 Substantial. DNFBP real estate and DPMS supervision at “infancy stages” at time of MER.
  • TC near-clean: all 40 Recommendations rated C or LC — only one PC (R.32 cash couriers): R.10 C, R.22 C, R.23 C, R.24 LC, R.25 LC. Near-perfect technical compliance (TC) profile. The primary risks are in effectiveness (destination exposure, confiscation failure) not technical gaps. No FUR adopted.
Sources: CFATF MER, Bermuda, January 2020 (onsite September–October 2018). IO ratings from Effectiveness Ratings table (Executive Summary p.14). TC ratings from Technical Compliance Ratings table (p.14). No FUR has been adopted. All paragraph references are to the published MER.
🇰🇷
South Korea
FATF MER February 2020 (onsite Jun–Jul 2019) | 4th Enhanced FUR October 2024 (TC only)
D: 9/50 V: 28/50 37
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: ME IO.6: SE IO.8: SE FATF/APG
Destination risk (MER §2, §4–6, §37, §40): Korea is characterised by the MER as a comparatively low-crime country that is “not a regional or international financial centre” (§5). Its primary ML risks are domestic in character: the seven major proceeds-generating offences identified in the 2018 NRA are tax crimes, illegal gambling, fraud, corruption, market manipulation, ML related to property flight, and embezzlement/breach of trust (§40). The most significant cross-border inflow risk vector is domestic asset flight rather than foreign criminal proceeds flowing in: the MER identifies “ML related to property flight” as a named predicate offence and notes that cross-border transactions via Korea’s large international trade flows could be exploited for ML (§4, §37). A series of high-profile corruption scandals involving former Korean Presidents and large conglomerates created heightened domestic sensitivity to corruption and asset concealment overseas (§6). Korea’s foreign currency controls serve as a meaningful structural mitigant to cross-border ML risk (§4, §37). Virtual assets emerged as a new and significant vulnerability by the time of the onsite — Korea had issued enhanced CDD requirements for VASPs but VASPs were not yet obliged entities, creating a regulatory gap in a sector with material transaction volumes (§2, §40).

Supervisory vulnerability (IO.3: Moderate; §25–26, §418): The supervision picture is sharply bifurcated. Financial institutions and casinos are supervised under a framework that the MER characterises as generally sound and risk-based — the FSC/FSS apply robust licensing and risk-based supervision, coordination between KoFIU and entrusted agencies is effective, and reputational sanctions are particularly dissuasive given Korea’s post-scandal corporate culture (§25–26, §406). The critical vulnerability is total: all DNFBPs other than casinos are completely outside Korea’s AML/CFT framework. There is no supervision, no guidance, and no outreach directed at non-casino DNFBPs — lawyers, accountants, real estate agents, DPMS — despite several of these sectors being identified as medium-risk in the NRA (§25, §418). The casino supervisor for the self-governing Jeju Province takes a rules-based rather than risk-based approach (§26). KoFIU’s supervisory capacity would also benefit from increased permanent staffing (§26).

Preventive measures (IO.4: Moderate; §23–24): FIs and casinos are subject to comprehensive AML/CFT measures covering most FATF Recommendations and have generally sound risk understanding and implementation. Larger FIs in particular demonstrate strong understanding; smaller FIs need further improvement. The dominant structural weakness is the complete exclusion of non-casino DNFBPs from the AML/CFT framework: lawyers, accountants, real estate agents, and DPMS have no CDD obligations, no STR reporting requirements, and no obligation to apply any AML/CFT measures whatsoever (§23). This produces a total gap in the reporting and intelligence framework for sectors the NRA identifies as medium-risk. Domestic PEP coverage is also absent — a significant gap given that corruption is identified as a major predicate offence (§23). The “borrowed name” account typology is prevalent and structurally difficult to address given that AML obligations do not extend to the account-origination ecosystem beyond FIs (§39, §14).

Beneficial ownership / legal persons (IO.5: Moderate; §27–28): Korea has a growing but incomplete understanding of the ML risks posed by legal persons. Basic and legal ownership information is publicly accessible through a network of registries. However, registry information is not always accurate or up-to-date, and authorities do not yet clearly understand the specific characteristics that make certain entity types vulnerable (§27). Accessing BO information through FIs or casinos often requires a warrant in practice, meaning it cannot be used at the intelligence-gathering stage (§27). Sanctions for legal persons failing to comply with reporting and record-keeping obligations are limited and not always effective, proportionate, or dissuasive (§27). The risks from commercial trusts are largely mitigated by FI administration; civil and foreign trusts present residual gaps (§28). LEAs reported seeing increased use of complex corporate typologies in both ML and predicate offence cases (§27).

ML prosecution (IO.7: Moderate; §14, §203): The most fundamental structural weakness is that tax crime — Korea’s “most frequent and prevalent proceeds-generating offence” — is not a predicate offence for ML due to the narrow scope of applicable tax offences in the criminal law. STR reporting requirements extend to a broader range of tax offences than the ML predicate framework, meaning KoFIU receives tax-related STRs but ML charges cannot be filed in most tax cases (§14, §203). This prevents pursuit of ML related to Korea’s single largest category of illicit proceeds. Standalone ML, third-party ML, and ML based on a foreign predicate are not demonstrably or actively pursued; ML convictions appear to have limited sentencing impact (§14).

FUR developments (TC only — IO ratings unchanged; 4th Enhanced FUR October 2024): Korea did not request re-ratings in its first three FURs (2021–2023). The 4th FUR (2024) re-rates only R.8 from PC to LC, following Korea’s identification of 53,918 NPCs and 39,273 PSCs, imposition of disclosure requirements under the Inheritance Tax and Gift Tax Act, strengthened outreach, and expansion of the NPOs CFT Agencies Committee. Minor deficiencies remain: TF threat assessment for at-risk NPOs still relies heavily on international studies and lacks Korean-specific specificity; monitoring compliance with R.8 requirements remains secondary to monitoring for suspected ML/TF activity; sanctions range for R.8 breaches is limited; no sanctions for NPO officers (FUR4 §§ Criterion 8.1–8.4). Seven Recommendations remain PC: R.6, R.7, R.12, R.22, R.23, R.24, R.28. The FUR states it does not address effectiveness improvements.
Key MER + FUR findings — attributable to source
  • All non-casino DNFBPs completely outside AML/CFT framework (IO.3, IO.4; MER §23, §25, §418): Lawyers, accountants, real estate agents, DPMS — sectors the NRA identifies as medium-risk — have zero AML/CFT obligations. No CDD, no STR reporting, no supervision, no guidance or outreach. This is assessed as the MER’s primary structural gap. DNFBPs remain unregulated as of the 4th FUR (2024), with only casinos covered.
  • Tax crime — Korea’s largest predicate — excluded from ML predicate framework (IO.7; MER §14, §203): Most tax offences cannot generate ML charges despite being the single largest source of illicit proceeds. STR reporting extends more broadly than ML predicate coverage, creating a structural asymmetry. Korea is unable to prosecute ML related to the dominant category of criminal proceeds. Standalone ML, third-party ML, and foreign predicate ML not actively demonstrated.
  • Domestic PEP framework absent (MER §23; R.12 PC): There are no requirements for domestic PEPs or PEPs of international organisations — a direct gap given corruption’s identification as a major predicate offence and Korea’s recent high-profile Presidential corruption cases.
  • BO access requires warrant at intelligence-gathering stage; registry accuracy gaps (IO.5; MER §27): Accessing BO information from FIs requires a warrant in many cases, preventing use in investigations prior to formal proceedings. Registry information not always accurate or up-to-date. Sanctions for non-compliance limited. Complex corporate typologies increasingly observed in ML cases.
  • 4th Enhanced FUR (October 2024): R.8 only re-rating PC→LC — IO ratings unchanged; 7 Recommendations remain PC: R.8 upgraded to LC following expanded NPO identification, PSC disclosure framework, and strengthened outreach. R.6, R.7, R.12, R.22, R.23, R.24, R.28 remain PC. All IO ratings from the 2020 MER apply in full — FUR states it does not address effectiveness.
Sources: FATF MER, Republic of Korea, February 2020 (onsite June–July 2019), adopted at FATF Plenary February 2020, conducted jointly with APG; FATF 4th Enhanced Follow-Up Report, Korea, October 2024 (adopted by written process September 2024). IO ratings from MER Effectiveness Ratings table (Executive Summary p.11); confirmed unchanged by FUR4 (October 2024), which states it does not address effectiveness. TC ratings from MER TC Ratings table (p.11) as updated by FUR4 Table 1 (p.7). All paragraph references are to the published MER unless prefixed “FUR4 §”.
🇧🇭
Bahrain
FATF-MENAFATF MER June 2018 (onsite November 2017) | 3rd Enhanced FUR May 2022 (TC only)
D: 17/50 V: 19/50 36
Destination
Vulnerability
IO.3: SE IO.4: ME IO.5: ME MENAFATF
↑ TC improving (3rd Enhanced FUR 2022)
D: ±0 (unchanged — IO ratings not addressed by FUR)   V: −1 (improved; only R.23 PC→LC affects a V-component, reducing V2 by 1)
Destination risk (MER §2, §46–48): The MER describes Bahrain as a “regional financial and trading hub” whose strategic location provides a “natural gateway to the growing Gulf economies” and positions the country as a hub for GCC, MENA, and North Africa operations (§2, §46). Critically, assessors and Bahraini authorities share the view that “the greatest risk of ML is related to foreign proceeds that might transit through Bahrain” — exposing the financial sector to ML risks originating outside Bahrain and making supervision important to the region as a whole (§48). The financial services sector accounts for 16.5% of GDP and is the largest non-oil contributor (§2); Bahrain hosts 29 retail banks and 76 wholesale banks and is the largest centre for Islamic banking in the GCC (§47). Proximity to areas of regional conflict and unrest, maritime borders with Iran, Qatar, and Saudi Arabia, and closeness to Dubai amplify cross-border ML/TF exposure (§46). The main predicate offences for ML are investment fraud, immorality, drug trafficking, human trafficking, and smuggling, with the banking sector, money exchangers, and real estate identified as the most vulnerable sectors (§38). The NRA was incomplete at the time of the onsite — only a draft existed, and assessors note the risk analysis “needs to be deepened” to allow substantiated conclusions, with particular gaps in analysis of external risks, organised crime, and legal persons/arrangements (§7, §42).

Supervisory effectiveness (IO.3: Substantial; MER §23–24): The CBB has “strong elements of a risk-based approach to supervision” — it reviews significant offsite information including STRs, conducts onsite inspections, has imposed a range of sanctions, and made referrals for prosecution (§23). There is, however, scope to increase the use of sanctions as onsite supervision intensity grows (§23). The MOICT has put in place a framework for, and a “largely risk based approach to supervision” — it reviews STRs and auditors’ reports, risk-grades each DNFBP it supervises, and uses both onsite and offsite monitoring tools, though “further enhancements are needed to ensure a more comprehensive risk based approach” (§24). The CBB has strong controls to prevent criminals from owning or controlling a significant interest or holding management functions in FIs (§22). The Ministry of Justice has reasonable controls for lawyers at initial licensing. IO.3 rated Substantial reflects the CBB’s strength, but DNFBP supervision is significantly weaker.

Preventive measures (IO.4: Moderate; MER §20–21): Banks, MVTS, insurance, and securities have a good understanding of ML risks; understanding among the DNFBP sector “needs improvements” (§20). Implementation of CDD measures is “relatively less robust in the DNFBP sector” (§20). Beneficial ownership identification and verification needs improvement across both financial and DNFBP sectors (§20). Five banks file nearly 52% of total banking sector STRs — both the level and quality of STR reporting by DNFBPs “needs major improvements” (§21). Some elements of CDD, including BO identification, need to be improved sector-wide. The DNFBP sector’s preventive measure implementation is a consistent gap throughout the MER.

Beneficial ownership / legal persons (IO.5: Moderate; MER §25–29): Bahrain has not conducted a comprehensive assessment of ML/TF risks posed by legal persons (§25). The Sijilat electronic registry is centralised, publicly accessible, frequently updated, and captures beneficial ownership information where no foreign ownership or control is involved (§26–27). However, the registry lacks reference to those who may control a legal person through means other than ownership (§27), and BO is only “relatively easily traced” where no foreign ownership is involved. There are only 43 trusts registered with the CBB (§63), but limited regime detail on trust oversight is provided. The MOICT’s dual role as DNFBP supervisor and registrar of legal persons requires further resources to fulfil both mandates effectively (§28).

3rd Enhanced FUR developments (TC only — IO ratings unchanged; FUR May 2022): The 3rd Enhanced FUR changed 8 Recommendation ratings (from a re-rating request covering 10): R.1 PC→LC, R.5 PC→LC, R.6 PC→LC, R.7 PC→LC, R.23 PC→LC (all previously deficient); R.2 LC→C, R.18 LC→C (FATF amendments addressed); R.15 C→LC (downgraded due to new FATF VASP requirements); R.21 remained LC. R.22 remains Partially Compliant — the only remaining PC — as deficiencies in DPMS/auditor BO identification, legal arrangement coverage, and PEP family member EDD for real estate persist (FUR §43). Bahrain remains in enhanced follow-up with a 4th EFUR due May 2023. The FUR does not address effectiveness; all IO ratings from the MER remain unchanged for scoring purposes. Bahrain has not been grey-listed by FATF.
Key MER + FUR findings — attributable to source
  • Greatest ML risk is foreign proceeds transiting Bahrain (MER §48): Assessors and Bahraini authorities agree the primary ML exposure is cross-border — foreign proceeds transiting or entering through Bahrain’s regional financial hub. Banking sector most targeted; money exchangers and real estate medium-risk. NRA incomplete at onsite, requiring further depth on external risks and organised crime (§7).
  • CBB supervision strong; DNFBP supervision significantly weaker (IO.3 SE; MER §23–24): CBB uses RBA, imposes sanctions, makes prosecutorial referrals. MOICT has largely risk-based DNFBP approach but needs further enhancement. IO.3 rated Substantial primarily reflects the CBB’s sophistication — DNFBP supervision materially lags.
  • DNFBP preventive measures and STR reporting need major improvement (IO.4 ME; MER §20–21): Five banks file 52% of banking STRs; DNFBP reporting quality and volume is a persistent gap. BO identification and verification needs improvement sector-wide. CDD less robust in DNFBP sector.
  • IO.5 Moderate — BO regime functional for domestic companies, gaps for foreign-controlled entities (MER §25–29): Sijilat registry publicly accessible and captures BO; however BO only easily traceable where no foreign ownership is involved; no assessment of legal person ML/TF risks conducted. MOICT dual-role resource constraints.
  • 3rd Enhanced FUR (May 2022): 8 rating changes, R.22 remains PC — IO ratings unchanged: R.1/5/6/7/23 upgraded PC→LC; R.2/18 upgraded LC→C; R.15 downgraded C→LC (VASP requirements). R.22 remains PC: DPMS/auditor BO gaps, PEP family member EDD absent for real estate, legal arrangement coverage unclear (FUR §43).
Sources: FATF-MENAFATF MER, Kingdom of Bahrain, June 2018 (onsite November 2017); MENAFATF 3rd Enhanced Follow-Up Report, Kingdom of Bahrain, May 2022. IO ratings from MER Effectiveness Ratings table (p.11); confirmed unchanged by 3rd EFUR (TC-only report; explicit that it does not address effectiveness). TC ratings from MER p.11 and 3rd EFUR Table 2 (p.19). All paragraph references are to the published MER unless marked FUR.
🇰🇪
Kenya
ESAAMLG MER September 2022 (onsite 31 Jan–11 Feb 2022) | ESAAMLG 3rd Enhanced FUR & 2nd TC Re-Rating August 2024 (TC only)
D: 5/50 V: 30/50 35
Destination
Vulnerability
IO.1: Low IO.3: Low IO.4: Low IO.5: Low IO.7: Low IO.8: Mod ESAAMLG
Destination risk (MER §2, §32–33, §36, §44–45, §55): Kenya is the largest economy in East Africa with a GDP of USD$109.4 billion and serves as the regional centre for travel, trade, and financial services (MER §44). The assessors identified that Kenya’s geographic and economic position increases its exposure to the threat of foreign proceeds of crime from the region — mainly foreign corruption, but also wildlife trafficking, illicit gold and minerals from neighbouring countries, and drug transshipment (MER §32). Kenya is reported to be the East African hub for illicit gold trade and other minerals from neighbouring countries, consolidated and shipped to China, India, and the UAE (MER §32). The NRA described Kenya as a destination, origin, or transit jurisdiction for ML/TF for countries in the region — including Burundi, DRC, Ethiopia, Somalia, South Sudan, Tanzania, and Uganda — and stated that in the period reviewed (2016–2020), at least Ksh 1,456,000,000 (approximately USD 12.8 million) was seized or confiscated representing proceeds of foreign predicate offences brought into and laundered in Kenya (MER §36). The country is also believed to be a market and transit point for international drug traffickers and wildlife traffickers (MER §32). Real estate is one of the largest sectors of the economy at 8.8% of GDP (higher than the financial and insurance sector at 7.1%), and the NRA found the real estate sector and lawyers to be highly vulnerable to ML risks (MER §45). Mobile money transactions had reached Ksh 605.7 billion (approximately USD 5 billion) annually, with the largest provider operating in ten countries; the third party making cash deposits at mobile money agents is not required to provide identification, making transactions difficult to monitor (MER §33, §55).

Risk, policy and coordination (IO.1: Low): Kenya carried out an NRA exercise from 2019 to 2021, but assessors identified key weaknesses in Kenya’s understanding of risk, including different types of ML, cash and cross-border risks, types of legal persons, TF, PEPs, NPOs, and VASPs (MER Key Findings §b). The NRA was shared with the private sector only a few days before the onsite, limiting the awareness of its results (MER §5). There was insufficient evidence to conclude that the NRA findings had been effectively cascaded to FIs and DNFBPs, or that the national AML/CFT Strategy adequately addressed the identified risks (MER Key Findings §b). The National AML/CFT Strategy was provided after the end of the onsite visit, preventing assessors from confirming it existed at the time or discussing its contents (MER §49). Kenya achieved a Low level of effectiveness for IO.1 (MER Table 1).

Supervisory vulnerability (IO.3: Low): Supervisors demonstrated diverse levels of ML risk understanding. The CBK and IRA had relatively good understanding for banks, MFBs, and life insurance. The CMA’s understanding may have been outdated since the sector risk assessment was conducted in 2016 and limited to ML (MER §18). Risk-based AML/CFT supervision was relatively underdeveloped: CBK inspections were risk-based only to a limited extent; for all other supervisors, inspections were too sporadic to be effective; all inspections primarily focused on the existence of basic AML/CFT controls rather than the soundness of AML/CFT programmes (MER §18, §19). DNFBP supervisors had low ML/TF understanding and had not implemented effective supervisory activities (MER §20). Lawyers were not designated as reporting institutions in Kenya, creating a gap in the preventive measures framework despite being identified by FIs as posing significantly high ML/TF risk (MER §15). Kenya achieved a Low level of effectiveness for IO.3 (MER Table 1).

Preventive measures (IO.4: Low): Commercial banks and MFBs showed a good understanding of ML risks and implemented risk-based mitigating measures. Large NBFIs including materially important mobile money service providers showed a moderate understanding, predominantly implementing rule-based compliance (MER §15). Understanding of ML/TF risks and AML/CFT obligations was minimal amongst recently designated reporting institutions (insurance brokers), those not yet subject to AML supervision (SACCOs), and smaller NBFIs (MER §15). Beneficial ownership requirements were adhered to only to some extent, and measures to determine whether a customer or BO is a PEP were less effective, especially for domestic PEPs (MER Key Findings §h). STR levels were low and not consistent with the country’s risk profile — more reporting would be expected on high-proceeds-generating crimes such as procurement fraud, drug-related offences, illegal wildlife trade, and cybercrime (MER §17). Kenya achieved a Low level of effectiveness for IO.4 (MER Table 1).

ML investigation and prosecution (IO.7: Low): Kenya did not prioritise the identification and investigation of ML — predicate offence investigation took priority. In the period under review, Kenya had no successful ML prosecutions (no convictions) (MER Key Findings §c, §7). FRC financial intelligence triggered very few ML investigations and zero TF investigations (MER §6). Authorities did not appear to appreciate the different types of ML and so did not categorise ML cases accordingly, making it impossible to assess which type was most prevalent (MER §7). The ML threat profile as portrayed by the NRA (fraud, forgery, and drug-related offences as highest threats) was not supported by records and statistics, which showed that most proceeds identified, investigated, and prosecuted came from corruption and theft of public funds (MER §7). Kenya achieved a Low level of effectiveness for IO.7 (MER Table 1).

Confiscation (IO.8: Moderate): Kenya registered some success with recovery of proceeds of crime but this was largely in cases related to corruption and theft of public resources — not entirely consistent with the identified risk profile where fraud, forgery, and drug-related offences form the greatest risk (MER Key Findings §j). Recovery of instrumentalities was mainly limited to cases of trafficking in drugs, humans, and wildlife. Overall recoveries were a small percentage of recorded assets subject to recovery, largely due to lengthy recovery processes (MER Key Findings §j). Kenya achieved a Moderate level of effectiveness for IO.8 (MER Table 1).

3rd Enhanced FUR & 2nd TC Re-Rating (August 2024) — TC only; IO effectiveness ratings not addressed: Following the 1st re-rating (which upgraded R.5, R.10, R.11, R.13, R.18, R.19, R.20, R.21, R.27, R.29, and R.36 to Compliant, and R.23 and R.32 to Largely Compliant), the 2nd re-rating assessed 13 further Recommendations. Results: R.4, R.9, R.17, R.30, R.31 upgraded PC→C; R.14 upgraded NC→C; R.16 upgraded NC→LC; R.12, R.24, R.33, R.39, R.40 upgraded PC→LC; R.2 and R.7 upgraded NC→PC; R.26 maintained at PC (3rd FUR §8, §174). The most significant substantive reform since the MER was passage of the AML/CFT Amendment Act 2023 and the POCAML Regulations 2023, which addressed wire transfer requirements, PEP obligations, third-party CDD responsibilities, BO transparency for legal persons, and proliferation financing TFS (3rd FUR §§9–173). R.26 remained at PC as supervisors could not demonstrate that frequency and intensity of AML/CFT supervision was determined based on ML/TF risk profile of institutions (3rd FUR §§115–123). The FUR does not analyse any progress on effectiveness; all IO ratings from the 2022 MER are unchanged. Kenya remains in enhanced follow-up (3rd FUR §2, §176).
Key MER + FUR findings — attributable to source
  • Destination, transit and origin for regional foreign proceeds; illicit gold hub (MER §32, §36): Assessors identified Kenya as a destination for foreign corrupt proceeds and other crime proceeds from the region (Burundi, DRC, Ethiopia, Somalia, South Sudan, Tanzania, Uganda). Reported as the East African hub for illicit gold trade from neighbouring countries. NRA confirmed at least USD 12.8 million in foreign-predicate proceeds seized or confiscated 2016–2020.
  • No ML convictions; investigations not commensurate with risk (MER §7, IO.7 Low): Zero successful ML prosecutions in the period under review. Predicate offence investigation prioritised over ML. FRC financial intelligence triggered very few ML investigations and zero TF investigations. ML case categorisation absent, preventing risk-based analysis.
  • Mobile money: USD 5bn annual transactions; CDD gap for third-party cash deposits (MER §33, §55): Ksh 605.7bn (USD 5bn) in mobile money transactions annually; dominant provider operates in ten countries. Third-party cash deposits at agents require no ID, making transactions difficult to monitor and vulnerable to ML/TF abuse. VASPs unregulated at time of assessment.
  • Lawyers not designated as reporting institutions despite high ML/TF risk (MER §15, IO.3 Low): FIs identified lawyers as posing significantly high ML/TF risk. However, lawyers were not designated as reporting institutions in Kenya and not subject to AML/CFT preventive measures obligations. DNFBP supervision had not been effectively implemented; supervisory activities were absent across most DNFBP sectors.
  • Real estate 8.8% of GDP; highly vulnerable to ML per NRA (MER §45, Key Findings): Real estate sector contributes more to GDP than the financial and insurance sector. NRA found real estate and lawyers to be highly vulnerable to ML risks. Real estate sector regulation and licensing noted as weak, with risk-based supervision of real estate agents yet to be implemented at the time of assessment (MER §84, §91).
  • 3rd FUR (Aug 2024): 13 Recommendations re-rated; IO ratings unchanged; R.26 stalled (3rd FUR §8, §174–176): AML/CFT Amendment Act 2023 and POCAML Regulations 2023 drove most upgrades. R.26 remains PC — supervisors could not demonstrate risk-based inspection frequency and intensity. FUR does not address effectiveness. Kenya remains in enhanced follow-up.
Sources: ESAAMLG Mutual Evaluation Report, Kenya, September 2022 (onsite 31 January–11 February 2022); ESAAMLG 3rd Enhanced Follow-Up Report & 2nd Technical Compliance Re-Rating, Kenya, August 2024 (approved ESAAMLG Task Force August 2024, Diani, Kwale, Kenya). IO ratings from MER Table 1 (p.17); confirmed unchanged by 3rd FUR §2 (FUR does not analyse effectiveness) and §176 (continued enhanced follow-up). TC ratings post-FUR from 3rd FUR §175.
🇶🇦
Qatar
FATF-MENAFATF MER May 2023 (onsite Jun–Jul 2022) | No FUR adopted
D: 18/50 V: 16/50 34
Destination
Vulnerability
IO.3: SE IO.4: ME IO.5: ME IO.8: SE IO.9: LE FATF/MENAFATF
Destination risk (MER §2–4, §45–52, §56–58): Qatar is “not a major financial centre” but is “positioning itself as a regional financial centre of growing importance” and is exposed to “a range of ML risks” (§2, §57). The national risk assessment (NRA) assesses overall ML and TF residual risk as medium-high (§53). Qatar’s primary domestic ML threats are smuggling (cash, gold, alcohol, tobacco), electronic crime and fraud, drug trafficking, and corruption (§46). Human trafficking from forced labour and sexual exploitation are also identified as “likely prevalent predicate offences given the extensive economic reliance on foreign labour” (§46). A particular feature is Qatar’s position as a major remittance source: the 12th-largest globally and 4th-largest per capita in remittance outflows (USD 10.7 billion, approximately 7.4% of GDP in 2020), driven by its population being 85% foreign workers (§58). Qatar’s total banking assets amount to USD 496 billion in the State regime and USD 23.4 billion in the Qatar Financial Centre (QFC), with the QFC growing 60% in the past five years (§57). On TF, Qatar faces “a distinct risk from TF related to terrorist activity and terrorist groups operating outside of the country” — Al-Qa’ida, the Taliban, and ISIL have all attempted to raise funds in Qatar; designated terrorists and “controversial groups” are present in Qatar (§48–49). On proliferation financing (PF), Qatar has direct and indirect trade links to Iran, and “legal trade networks used for the exchange of legitimate goods with Iran are vulnerable to abuse” (§52).

Supervisory framework (IO.3: Substantial; §31–33): The Qatar Central Bank (QCB), Qatar Financial Centre Regulatory Authority (QFCRA) and Qatar Financial Markets Authority (QFMA) demonstrate well-established risk-based AML/CFT supervision of the financial sector (§32). QCB updated its risk-based supervision procedures in 2021. The principal gap is DNFBP supervision: the Ministry of Commerce and Industry (MOCI) and Ministry of Justice (MOJ) have made positive steps and started risk-rating and inspecting DNFBP sectors from mid-2020, but the process “is at an early stage and although it is improving, it is still not sufficiently developed” (§32). No financial sanctions have actually been paid by any DNFBP as of the assessment — “it remains too early to assess if the sanctions are proportionate, effective, and dissuasive” (§33).

Preventive measures (IO.4: Moderate; §28–30): Larger FIs and DNFBPs — particularly in the QFC — have a generally good understanding of ML/TF risks and implement CDD, EDD, and internal controls adequately. Smaller FIs and DNFBPs in the State “are still in the process of developing their understanding of ML/TF risks and AML/CFT obligations” (§28). STR reporting “has been increasing in recent years” but “remains relatively low in light of the risks” for some sectors (§30). The 2019 NRA noted that STR quality was “generally low.” Some DNFBPs in the State are unclear on whom they need to report STRs (§30).

Beneficial ownership / legal persons (IO.5: Moderate; §34–37): Qatar has established the Unified Economic Register (UER) as a central BO registry covering all registered legal persons and arrangements, completing over 80% of the UER at time of assessment (§35). However, “there are insufficient measures to ensure accurate and up-to-date BO information” particularly from MOCI (§35). MOCI, which holds 90% of registered legal persons, has only restricted licence renewal as a sanction for non-submission of BO — “which does not seem fully effective or dissuasive” (§37). LEAs “do not have direct access to all registries and information which can lead to delays” (§36).

Confiscation (IO.8: Substantial; §16–18): Qatar “seizes and confiscates proceeds and instrumentalities of crime and property of equivalent value robustly” (§16). Separately, under its TF-related targeted financial sanctions (TFS) regime (an IO.10 matter), Qatar has frozen QAR 4.26 billion (USD 1.17 billion), of which QAR 3.66 billion relates to those designated domestically through UN Security Council Resolution (UNSCR) 1373 (Key Findings). Qatar has a national asset recovery strategy and an effective asset management system managed by the Public Prosecution Office (PPO) (§17–18).

TF prosecution (IO.9: Low; §20–22): Qatar has achieved only 3 TF convictions over 2016–2018 and none since — inconsistent with identified risks (§20). Investigations are limited to “unsophisticated channels” and do not address licensed non-profit organisation (NPO) abuse, individual donations for non-charitable purposes, or designated individuals in Qatar (§20–21). Courts struggle to understand TF, and converting intelligence to formal evidence is a persistent challenge (§21). “The efforts undertaken by the authorities in TF investigations, prosecutions and convictions need fundamental improvement” (§22).
Key MER findings — attributable to source
  • Growing regional finance hub; 4th-largest per-capita remittance source; designated TF groups present (MER §2, §48–49, §57–58): Banking sector USD 496bn (State) + USD 23.4bn (QFC, +60% in 5 years). Qatar 12th globally and 4th per capita in remittance outflows (USD 10.7bn). NRA: ML and TF residual risk medium-high. Al-Qa’ida, Taliban, ISIL have attempted to raise funds in Qatar; designated terrorists present. Iran trade link creates PF exposure.
  • IO.9 Low — only 3 TF convictions in 6 years; investigations limited to unsophisticated channels (MER §20–22): No TF convictions since 2018. Investigations do not address licensed NPO abuse or designated individuals in Qatar. Intelligence not converted to evidence effectively. Courts struggle to understand TF. “Fundamental improvement needed.”
  • IO.8 Substantial — robust confiscation; separate TFS freezing of USD 1.17bn (an IO.10 matter) (MER §16–18; Key Findings): Qatar seizes and confiscates “robustly.” Under its TFS regime (IO.10) Qatar has frozen QAR 4.26bn (USD 1.17bn). National asset recovery strategy with effective PPO asset management.
  • MOCI/MOJ DNFBP supervision at early stage; no financial sanctions paid yet (IO.3 SE; MER §32–33): QCB/QFCRA/QFMA financial sector supervision well-established. MOCI/MOJ DNFBP supervision started mid-2020, still developing. No financial sanctions actually paid. No FUR adopted.
Sources: FATF-MENAFATF MER, Qatar, May 2023 (onsite June–July 2022), adopted at FATF Plenary February 2023. IO ratings from Table 1 Effectiveness Ratings (p.14). TC ratings from Table 2 Technical Compliance Ratings (p.14). No FUR adopted. All paragraph references are to the published MER.
🇮🇳
India
FATF MER September 2024 (onsite Nov 2023) | No FUR adopted
D: 17/50 V: 17/50 34
Destination
Vulnerability
IO.3: ME IO.4: ME IO.5: SE IO.7: ME IO.8: SE FATF
Destination risk (MER §2–4, §44, §52, §58): India’s economy is the third largest in the world (on a purchasing-power-parity basis) with a GDP of approximately USD 3.5 trillion, and one of the largest and most complex financial systems globally, with total banking-sector assets of INR 272.46 trillion (EUR 3,044 billion) as at March 2023 (§58, Table 1.1). India’s largest ML risks relate to fraud (including cyber-enabled fraud), corruption, and drug trafficking (§2). The MER finds that India’s main sources of money laundering “originate from within India, from illegal activities committed within the country,” with proceeds laundered domestically, abroad, or abroad and then returned to India for reintegration into the licit economy (§2). Cross-border ML channels identified in the NRA include trade-based money laundering (TBML), hawala/MVTS, shell companies and offshore instruments, with proceeds of corruption among the higher-risk predicates (Ch.1 NRA findings). The DNFBP sector — particularly real estate — is identified as a high-risk ML vehicle, with the NRA rating real estate medium-high overall (§52). The NRA is assessed as comprehensive, and India’s risk understanding is rated positively, with corruption and fraud correctly identified as the primary threats. Notably, the MER assesses that “India is not an attractive destination country for criminal proceeds, relative to the size of its economy and population,” even though cross-border ML/TF flows into and out of the country are present; the main ML sources originate domestically (§44).

Supervisory framework (IO.3: Moderate; §25–30): The RBI — supervisor of the most material financial sectors — generally has a good understanding of inherent ML risks and applies a risk-based approach to supervising its highest-materiality sectors, with SEBI (securities) and IRDAI (insurance) also operating supervisory frameworks (§27). However, DNFBP supervision has significant gaps: DNFBP supervision “is less developed” with “limited or no capacity to supervise and monitor compliance” for most sectors, and implementation of AML/CFT requirements by VASPs and DNFBPs “is in its early stages” (§24, §28). The significant number of virtual asset service providers (VASPs) registered with the Financial Intelligence Unit–India (FIU-IND) have not yet been adequately supervised (§29). The DPMS sector falls outside preventive measures owing to a tax-law cash-threshold prohibition, monitored largely through external audit and tax inspections whose adequacy and dissuasiveness the MER considers uncertain (§30).

Preventive measures (IO.4: Moderate; §21–24): Major banks and financial institutions demonstrate reasonable to good CDD and EDD implementation. However, understanding and mitigating measures are less robust for some other FIs, including the foreign exchange sector and cooperative banks, and beneficial-owner identification is flagged as an area for improvement (§23). The real estate sector — a primary ML risk — has only recently been brought under AML/CFT obligations, and implementation by DNFBPs is in its early stages (§24). STR reporting by some FI sub-sectors (including non-banking financial companies, the Department of Post and rural banks) appears low, and DNFBPs are yet to detect and file STRs in a significant way (§25). On PEPs, all sectors apply EDD to domestic PEPs despite the absence of a legal requirement, but there are inconsistencies in the breadth of domestic PEPs identified (§23).

Beneficial ownership / legal persons (IO.5: Substantial; §31–34, §637–648): India has a central BO registry system through the Ministry of Corporate Affairs (MCA21 portal) and through FI CDD records. The Companies Act 2013 and AML/CFT rules require disclosure of significant beneficial owners (SBOs). However, competent authorities can access adequate, accurate and current basic and BO information “to a large extent,” but the limited number and size of sanctions imposed for serious non-compliance “may not have the dissuasive effect needed” to prevent non-compliance in all circumstances (§33, §637). India’s large number of legal persons — approximately 2 million active legal persons (of which only ~100,000 had filed significant beneficial owner returns by 2023) — presents a significant oversight challenge (§648). The MER flags a need to better assess the residual risks posed by informal nominee arrangements, which is significant in India’s risk and context (§31). For legal arrangements, India relies on registers of public trusts, tax law and CDD requirements, but the fragmented way information on public trusts is kept and the very recent CDD obligations for professional trustees limit availability to some extent (§34).

ML investigation and prosecution (IO.7: Moderate; IO.8: Substantial; §14–20): The Enforcement Directorate (ED) pursues a systematic, risk-informed approach to identifying and investigating ML cases and conducts parallel financial investigations, with INR 834.13 billion (EUR 9.27 billion) in proceeds attached (seized) over the five years 2018–2023 under the Prevention of Money Laundering Act (PMLA) — the routine early-stage attachment of assets is a notable strength that underpins the Substantial IO.8 rating (§293). However, ML prosecutions and concluded trials have not kept pace with investigations: conviction-based ML confiscations amounted to only EUR 4.4 million over the period, weighed down by a constitutional challenge to PMLA provisions and a shortage of prosecutors and specialised Special Courts, producing a considerable backlog (§15, IO.7 conclusion). This prosecution/conviction gap is the principal reason IO.7 is rated only Moderate. International asset recovery remains underdeveloped.
Key MER findings — attributable to source
  • World’s third-largest economy (PPP); ML mainly domestic-origin; cross-border via TBML, hawala, shell companies (MER §44, §58): Banking-sector assets INR 272.46 trillion (EUR 3,044bn). Fraud, corruption, drug trafficking primary ML threats. Cross-border risks via trade-based money laundering (TBML), hawala networks, offshore corruption proceeds reinvested domestically. Main ML sources originate domestically; MER finds India is not an attractive destination country for criminal proceeds relative to its size, though cross-border flows are present.
  • IO.7 ME and IO.8 SE — ED attachments INR 834bn (EUR 9.3bn) 2018–2023; conviction pace lagging (MER §14–20): Enforcement Directorate conducts parallel financial investigations; routine early-stage attachment is a key strength underpinning IO.8 Substantial. INR 834.13 billion (EUR 9.27bn) attached 2018–2023 by ED under PMLA. But conviction-based ML confiscation was only EUR 4.4m; prosecutions and concluded trials lag investigations (PMLA constitutional challenge, shortage of prosecutors/Special Courts) — the reason IO.7 is only Moderate. International asset recovery underdeveloped.
  • DNFBP supervision less developed; VASP supervisory capacity limited; DPMS outside preventive measures (IO.3 ME; MER §28–30): RBI good ML-risk understanding and RBA for material sectors; SEBI/IRDAI also supervise. DNFBP supervision “less developed” with “limited or no capacity” for most sectors; high-risk professionals and real estate agents weighted heavily. VASP risk-based supervision has commenced but capacity is limited. DPMS falls outside preventive measures via a cash-threshold prohibition of uncertain adequacy.
  • BO accessible “to a large extent” but sanctions weakly dissuasive; ~2M active legal persons, low SBO filing (IO.5 SE; MER §31–34): MCA21 portal and Companies Act 2013 SBO requirements exist; competent authorities access accurate BO to a large extent, but sanctions for non-compliance may lack dissuasive effect. Approximately 2 million active legal persons; only ~100,000 SBO returns filed 2019–2023. Residual risk from informal nominee arrangements needs better assessment; fragmented public-trust information limits legal-arrangement transparency.
Sources: FATF MER, India, September 2024 (onsite November 2023), adopted at FATF Plenary June 2024. IO ratings from Table 1 Effectiveness Ratings. TC ratings from Table 2. Placed in regular follow-up. No FUR adopted. All paragraph references are to the published MER.
🇸🇦
Saudi Arabia
FATF-MENAFATF MER June 2018 (onsite Nov 2017) | 1st Enhanced FUR January 2020 (TC only)
D: 15/50 V: 16/50 31
Destination
Vulnerability
IO.3: SE IO.4: ME IO.5: ME IO.7: LE IO.8: LE FATF/MENAFATF
Destination risk (MER §3–4, §8, §16): Saudi Arabia presents a distinctive risk profile: it is primarily a proceeds-generating jurisdiction whose criminal proceeds then flow outward, rather than a classic destination for foreign criminal funds. Saudi Arabia is “generally seen as a conservative country and an unattractive location for laundering international proceeds” due to restrictions on foreign investment, limited access to financial markets for foreigners, and relatively small financial and commercial sectors (§3). Overall proceeds of crime generated domestically are estimated at approximately USD 12–32 billion, with “between 70 and 80 per cent” estimated to flow out of the Kingdom (§4). The main proceeds-generating crimes are narcotics trafficking, corruption, and counterfeiting/piracy. Saudi Arabia “has not been able to repatriate any criminal proceeds from another country over the period 2013–16” (§16). Remittances represent the primary cross-border flow risk: Saudi Arabia has the second highest total outflows of remittances in the world (approximately USD 38.8 billion for the year to April 2017), driven by the large expatriate workforce constituting over a third of residents (§3).

Supervisory framework (IO.3: Substantial; §29–30): Financial supervision by the Saudi Arabian Monetary Authority (SAMA) and the Capital Market Authority (CMA) achieves a substantial level of effectiveness: Saudi Arabia “conducts comparatively intensive supervision of the higher-risk sectors in accordance with a risk-based approach” and has done significant outreach with regulated entities since 2016 (§29). The principal limitation is in DNFBP supervision: AML/CFT obligations were only applied to DNFBPs comparatively recently, with outreach starting in 2016 and AML/CFT-focused supervision starting in early 2017 — “too early to reach a conclusion about effectiveness” (§30). Several DNFBP sectors remain at the beginning stage of risk understanding and supervisory engagement (§28, §30).

Preventive measures (IO.4: Moderate; §26–28): AML/CFT preventive measures in the financial sector are “strong and well established.” Major FIs including banks, securities and financing companies have a solid understanding of ML/TF risks (§27). However, STR reporting is not timely, and the low number of TF-related STRs is “a major concern” (§27). Money exchangers and other DNFBPs (particularly real estate agents and accountants) “do not fully understand their ML/TF risks and apply mitigating measures under a risk-based approach” (§28). STR reporting from non-bank sectors is “a major concern” across the board (§28).

ML prosecution and confiscation (IO.7: Low, IO.8: Low; §14–17): Both IO.7 and IO.8 are rated Low. ML investigations are “often reactive rather than proactive, and tend to be straightforward, unsophisticated, and single-layered” (§15). Prosecutions are mostly for self-laundering, with few third-party ML convictions and essentially no demonstrated pursuit of the 70–80% of proceeds that leave the country (§15). Confiscation results are “increasing, but are still low and are not consistent with the country’s risk profile” (§16). Saudi Arabia’s TF performance is a contrasting bright spot: over 1,700 TF investigations and more than 1,100 TF convictions (IO.9: SE, IO.10: SE; §19).

1st Enhanced FUR (TC only; January 2020): R.6 upgraded PC→LC and R.7 upgraded PC→LC following amendments to the targeted financial sanctions (TFS) Mechanisms. R.18 downgraded C→LC and R.21 downgraded C→LC due to new FATF requirements on group-level information sharing. R.33 and R.36 remain PC. IO ratings unchanged. Saudi Arabia remains in enhanced follow-up.
Key MER + FUR findings — attributable to source
  • 70–80% of domestic proceeds leave the Kingdom; zero foreign repatriation 2013–16 (MER §4, §16, §34): Saudi Arabia is primarily a proceeds-generating, proceeds-exporting jurisdiction. Authorities “do not follow the money outside the borders” and have not repatriated any criminal proceeds from abroad in the four-year review period. Not an inbound destination for foreign proceeds; the foreign ML risk runs in reverse. Second-largest remittance outflow globally (USD 38.8bn).
  • IO.7 Low and IO.8 Low — ML prosecutions reactive/unsophisticated; confiscation inconsistent with risk (MER §15–16): ML investigations straightforward and single-layered; most prosecutions are self-laundering. Third-party ML not demonstrated. Confiscation increasing but low and inconsistent with risk profile.
  • SAMA supervision strong; DNFBP supervision at “beginning stage” — too early to assess effectiveness (IO.3 SE; MER §29–30): SAMA conducts intensive risk-based supervision. DNFBP supervision started 2016–2017 only — too early to evaluate. Money exchangers, real estate agents, accountants weak on risk understanding.
  • Outstanding TF performance: 1,700+ investigations, 1,100+ convictions (IO.9 SE, IO.10 SE; MER §19): Exceptional TF enforcement record. Saudi Arabia’s TF effectiveness stands in stark contrast to its ML outcomes.
  • 1st Enhanced FUR (January 2020): R.6/7 upgraded, R.18/21 downgraded — IO ratings unchanged: R.6 and R.7 upgraded PC→LC (TFS mechanism amendments). R.18 and R.21 downgraded C→LC (new FATF group-level information sharing requirements not met). R.33 and R.36 remain PC. Enhanced follow-up continues.
Sources: FATF-MENAFATF MER, Kingdom of Saudi Arabia, June 2018 (onsite November 2017), adopted at joint FATF-MENAFATF Plenary June 2018; FATF 1st Enhanced Follow-Up Report, Kingdom of Saudi Arabia, January 2020 (adopted at FATF Plenary October 2019). IO ratings from MER Effectiveness Ratings table (p.13); confirmed unchanged by 1st Enhanced FUR, which states it does not address effectiveness. TC ratings from MER p.13 as updated by 1st Enhanced FUR Table 2 (p.6). All paragraph references are to the published MER unless marked FUR.

Annex: Scoring Methodology

How the Destination Score (D) and Vulnerability Score (V) are derived from FATF and FSRB Mutual Evaluation Reports and Follow-Up Reports

Overview. Each jurisdiction receives two sub-scores, each out of 50, combined for a total out of 100. All inputs are exclusively from qualitative comments and formal ratings in FATF and FSRB Mutual Evaluation Reports (MERs) and Follow-Up Reports (FURs). No data sources external to the FATF are used as scoring inputs. Scores are ordinal, not cardinal: a score of 38 does not mean a jurisdiction is a precise percentage more dangerous than one scoring 32. They express relative severity within and across tiers.

Part A — Destination Score (0–50)

The Destination Score answers: to what extent does this jurisdiction’s MER/FUR record establish that it functions as a recipient of foreign proceeds of corruption or other crime? It is constructed from five components.

D1 — MER identification as a destination jurisdiction (0–23 points)

This is the most important single input. Where assessors name the jurisdiction as a destination for foreign proceeds of corruption or other crime — distinguishing it from a transit or source country — this scores highly. The gradations are:

  • 20–23 pts: Assessors use unambiguous language identifying the jurisdiction as a major or primary destination for foreign criminal proceeds (UAE 2020 MER, UK 2018 MER, US 2016 MER, BVI 2024 MER, Cayman Islands 2019 MER).
  • 14–19 pts: Assessors identify proceeds of corruption or other crime as a significant risk and the jurisdiction as a likely destination, but the language is qualified (Luxembourg 2023, Cyprus 2019, Panama 2018).
  • 8–13 pts: Assessors note foreign predicate offences as a medium or medium-high risk with some acknowledgement of inflow risk (Bahrain 2018, Netherlands 2022).
  • 1–7 pts: MER identifies foreign criminal proceeds as one of several risks but does not single out the jurisdiction as a destination; contextual and proportionate to economic scale (Germany 2022, France 2022).

FUR adjustment: Where subsequent FURs or grey-list decisions provide evidence that destination risk has materially increased (BVI grey-listed 2025, Monaco grey-listed 2024) or decreased (Latvia’s non-resident banking sector dismantled, confirmed by 6th round MER 2026), D1 is adjusted by up to ±9 points.

D2 — MER-cited case evidence of foreign-proceeds laundering (0–8 points)

The most concrete destination evidence is where the MER or FURs cite actual cases — investigations, prosecutions, asset recovery actions, or credible allegations — involving foreign proceeds of corruption or other crime.

Gradations: 6–8 pts = multiple major cases with identified foreign predicates (corruption, fraud, drug trafficking) confirmed by MER; 3–5 pts = some case evidence cited but volume or complexity limited; 0–2 pts = MER notes absence of cases or only limited domestic self-laundering prosecutions.

D3 — R.40 / IO.2 International Cooperation (0–6 points)

A jurisdiction that does not cooperate effectively with foreign authorities — MLA, information exchange, extradition — provides an obstacle to the detection and recovery of proceeds of crime. IO.2 (international cooperation effectiveness) and R.40 (technical compliance on international cooperation) are the primary inputs.

Points: IO.2 Low = 4 pts; IO.2 Moderate = 2 pts; IO.2 Substantial or High = 0 pts. R.40 PC adds 1 pt to the IO.2 score; R.40 NC adds 2 pts.

D4 — Investment Migration Programmes (0–3 points)

Citizenship-by-investment (CBI) and residency-by-investment (RBI) programmes that are identified in a MER or FUR as a ML/TF risk vector, and where the MER notes inadequate due diligence or supervision, add up to 3 points. Programmes that have been closed or comprehensively reformed following MER findings score 0.

D5 — NRA quality and cross-border risk coverage (0–10 points)

This component captures whether the jurisdiction’s national risk assessment adequately analyses the risk of inflows of foreign proceeds of corruption or other crime. A jurisdiction whose NRA does not identify cross-border risks, or whose NRA has been assessed as inadequate by the evaluation team, scores higher (more risk) here. A jurisdiction with a recent, comprehensive NRA, as reflected in the MER/FUR, that addresses cross-border ML typologies scores lower.

Gradations: 8–10 pts = NRA absent or severely deficient on cross-border risks; 5–7 pts = NRA covers domestic risks but significantly underestimates or omits cross-border/foreign predicate analysis; 2–4 pts = NRA generally adequate with minor gaps on foreign predicates; 0–1 pts = NRA comprehensive, current, and covers cross-border ML risks.

Part B — Vulnerability Score (0–50)

The Vulnerability Score answers: how exposed is this jurisdiction to the laundering of foreign proceeds of corruption or other crime? It is constructed from six components.

V1 — IO.3 Effectiveness Rating (0–10 points)

IO.3 assesses the effectiveness of AML/CFT supervision of financial institutions. Where supervision fails, the financial sector is structurally open to money laundering.

IO.3 RatingPoints
Low (LE)9–10
Moderate (ME)5–8
Substantial (SE)1–4
High (HE)0–1

V2 — R.22/23/24/25 Technical Compliance Gaps (0–8 points)

These four Recommendations cover DNFBP CDD and other measures (R.22/23) and beneficial ownership transparency for legal persons and arrangements (R.24/25).

RatingPoints per Recommendation
Non-Compliant (NC)2 pts
Partially Compliant (PC)1 pt
Largely Compliant (LC) or Compliant (C)0 pts

FUR adjustment: Where FURs have re-rated R.22, 23, 24 or 25 (upward or downward), the updated rating applies. FUR upgrades from NC→PC reduce the score by 1 pt per Recommendation; NC→LC or PC→LC reduce by the full 2 or 1 pt respectively.

V3 — IO3/IO4 DNFBP gatekeeper qualitative assessment (0–8 points)

This component captures the qualitative picture of DNFBP (lawyers, accountants, real estate agents, trust and company service providers, DPMS) AML/CFT performance as narrated in the MER — going beyond the TC ratings to assess whether these gatekeepers are actually functioning. It draws on IO.4 findings specific to the DNFBP sector, assessors’ characterisations of STR/SAR quality and volume, and the quality of DNFBP supervision.

Gradations: 7–8 pts = DNFBPs almost entirely outside AML/CFT obligations, or supervision wholly absent, or zero STR/SAR filing across all sectors; 4–6 pts = significant DNFBP sectors excluded or with very weak implementation, very low STR filing; 2–3 pts = DNFBP coverage moderate with identifiable structural gaps; 0–1 pts = DNFBPs broadly covered and supervised.

V4 — R.12 and R.10 Technical Compliance (0–6 points)

R.12 covers Politically Exposed Persons (PEPs) — the direct corruption-adjacent requirement. R.10 covers Customer Due Diligence (CDD). PC or NC ratings here are direct evidence of structural vulnerability to laundering of corruption proceeds specifically.

Points: R.12 NC = 3 pts; R.12 PC = 1.5 pts; R.12 LC/C = 0 pts. R.10 NC = 3 pts; R.10 PC = 1.5 pts; R.10 LC/C = 0 pts. Maximum 6 pts if both are NC.

V5 — IO.4 Effectiveness Rating (0–10 points)

IO.4 assesses whether regulated businesses apply adequate preventive measures. A low IO.4 rating is taken as evidence that the jurisdiction is failing to detect proceeds of corruption or other crime and disrupt their use.

IO.4 RatingPoints
Low (LE)9–10
Moderate (ME)5–8
Substantial (SE)2–4
High (HE)0–1

Within each band, the precise score reflects how far below or above the band boundary the assessors’ narrative places the jurisdiction. A jurisdiction rated ME whose narrative is full of near-LE caveats scores 7–8; one showing solid progress but structural gaps scores 5–6.

V6 — IO.5 Effectiveness Rating (0–8 points)

IO.5 assesses whether legal persons and arrangements (companies and trusts) are sufficiently transparent and whether BO information is accessible. A low IO.5 rating indicates that opaque corporate structures are potentially available to hold and conceal proceeds of crime.

IO.5 RatingPoints
Low (LE)7–8
Moderate (ME)4–6
Substantial (SE)1–3
High (HE)0–1

Tier Thresholds

Score distribution across 50 jurisdictions (theoretical maximum: 100; observed range: 31–66):

TierScoreLabelJurisdictions (2026)
Tier 160–70SevereUnited States (66), British Virgin Islands (65), Cayman Islands (64), United Arab Emirates (62), Panama (60) — 5 jurisdictions
Tier 244–59HighSwitzerland (57), United Kingdom (57), Austria (57), Luxembourg (54), China (51), South Africa (51), Germany (50), Monaco (50), Italy (50), Samoa (49), Portugal (48), Singapore (48), Isle of Man (47), Hong Kong SAR (46), Türkiye (45), Malaysia (45), Seychelles (44), Bahamas (44), Cyprus (44), Guernsey (44) — 20 jurisdictions
Tier 330–43ModerateRussia (43), Japan (43), Liechtenstein (43), Malta (43), Netherlands (43), Jersey (43), Canada (42), Albania (42), Mauritius (41), Montenegro (41), Estonia (41), Serbia (41), Gibraltar (40), Latvia (40), Greece (39), France (39), Vanuatu (38), Ireland (38), Bermuda (38), South Korea (37), Bahrain (36), Kenya (35), Qatar (34), India (34), Saudi Arabia (31) — 25 jurisdictions

None of the 50 jurisdictions surveyed in the 2026 edition scores below 30 (Tier 4). All 50 indexed jurisdictions fall within Tier 1 (Severe), Tier 2 (High), or Tier 3 (Moderate). Scores are ordinal, not cardinal: a higher score within a tier expresses relative severity, not a precisely quantified risk level.

FUR Score Adjustments

Where FURs are available, scores are adjusted from the MER baseline. The direction and magnitude depend on:

  • Grey-list entry — increases both D and V scores, reflecting demonstrated systemic deficiencies confirmed by FATF plenary.
  • Grey-list exit — reduces scores proportional to demonstrated reforms. TC-only FURs without effectiveness reassessment produce smaller reductions than FURs confirming effectiveness improvements.
  • TC re-ratings — PC→LC upgrades on R.22/23/24/25 reduce V2 by the applicable points. NC→LC reduces by 3 pts; NC→PC reduces by 1.5 pts; PC→LC reduces by 1.5 pts.
  • Structural reforms confirmed in FURs — e.g. closure of golden visa programmes, restructuring of non-resident banking sectors (Latvia’s ABLV-era reform), Switzerland’s AMLA 2025 reform, UK Companies House reforms — produce score adjustments proportional to risk reduction demonstrated.

Note on Immediate Outcome numbering across assessment rounds

The component definitions above (V1, V5, V6) follow the Immediate Outcome (IO) numbering used in the FATF 2013 Methodology, under which the great majority of indexed jurisdictions were assessed: IO.3 covers supervision (financial institutions and DNFBPs together), IO.4 covers preventive measures, and IO.5 covers transparency of legal persons and arrangements. Jurisdictions assessed under MONEYVAL’s revised 6th-round methodology — in this edition, Serbia (MER 2025) and Latvia (MER 2026) — use a re-organised scheme in which the supervision and preventive-measures outcomes are split by sector: IO.3 becomes financial-sector and virtual-asset supervision and preventive measures, IO.4 becomes non-financial-sector (DNFBP) supervision and preventive measures, and IO.5 remains transparency and beneficial ownership. For these cards, the IO.3 and IO.4 ratings shown are those reported in the source MER under the 6th-round definitions; they are mapped onto the index components on a best-fit basis — IO.3 (FI supervision) to V1, IO.4 (DNFBP supervision and preventive measures) to V5 and the DNFBP elements of V3. IO.5 aligns across both schemes. This mapping affects only the two 6th-round jurisdictions and does not alter the scoring bands.

Relationship to other indices

The CEI is not a general money-laundering risk index, and it is not intended to replicate or compete with one. The most widely used composite measure in this field, the Basel AML Index (published by the Basel Institute on Governance), estimates a jurisdiction’s overall ML/TF/PF risk exposure by blending fourteen weighted indicators across five domains — of which FATF mutual evaluation data is a single indicator, weighted around 0.35. The remaining weight is carried by financial-secrecy data (Tax Justice Network), corruption and organised-crime proxies, public-transparency measures, and political-, legal- and press-freedom indicators. This is also broadly how another composite index, the Corruption Perceptions Index (published by Transparency International), works.

The CEI, by contrast, draws on FATF and FSRB evaluations as its sole source and re-weights that material around Destination and Vulnerability scores. Therefore, it could be thought of as a way of representing and analysing FATF data, with a substantial degree of editorial judgement involved.

This Annex reflects the methodology used to construct the 2026 edition of the Corruption Exposure Index. The index is not an official FATF product. Source documents: Financial Action Task Force (FATF), MONEYVAL, APG, CFATF, GAFILAT, ESAAMLG, MENAFATF, and EAG Mutual Evaluation Reports and Follow-Up Reports, 2013–2026.

Published by Anton Moiseienko

Anton Moiseienko is an Associate Professor of Law at the Australian National University (ANU) Law School. He specialises in financial crime and economic sanctions, with particular expertise in global anti-money laundering and counter-terrorism financing (AML/CTF) regulation and in Australian, US, UK, EU and UN sanctions law and practice. He has developed and taught postgraduate courses in Financial Crime Law and Transnational Anti-Corruption Laws. He has advised the World Bank, the UN Office on Drugs and Crime and the Basel Institute on Governance, prepared expert opinions for law enforcement agencies, and is regularly sought as a commentator by Australian and international media.

Leave a comment