FATF 40 Recommendations
|   |   |
|---|---|
| Regulator | N/A |
| Jurisdiction | Global |
| Status | live |
| Applicability | Platform |
The Financial Action Task Force (FATF) 40 Recommendations are the international standards on
combating money laundering, terrorist financing, and proliferation financing. They are not directly
enforceable law, but FATF member countries — including New Zealand and Australia — are required to
implement them through domestic legislation and submit to mutual evaluation. Non-compliance triggers
grey-listing or black-listing, which imposes significant correspondent banking and market access costs.
NZ implements the Recommendations principally through the AML/CFT Act 2009. AU implements them
through the AML/CTF Act 2006. NZ's most recent mutual evaluation was published in 2021 (Immediate
Outcome 4 — Preventive Measures — was rated "Moderately Effective", the primary remediation area).
Australia's evaluation was 2015 with a follow-up assessment in 2024.
The FATF Recommendations most directly satisfied by the Totara platform are R.10 (CDD), R.11
(record keeping), R.12 (PEPs), R.13 (correspondent banking), R.15 (new technologies / AI), R.16
(wire transfers / travel rule), R.20 (suspicious transaction reporting), R.7 (targeted financial
sanctions), and R.6/R.8 (terrorist financing / proliferation financing screening).
Compliance register
This register maps every material FATF Recommendation to the platform control or institutional
process that satisfies it. The domestic legislation that implements each Recommendation is referenced
in the obligation column. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Core CDD and identity obligations (R.10, R.11, R.12)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.10 | Customer due diligence — verify identity of customers and beneficial owners; conduct ongoing CDD | AML/CFT Act ss.6–35; AML/CTF Act Part 2 | 🤖 Automated | AML-011, AML-002 | MOD-153 (GATE) — no account or facility activated without formal ACCEPT decision; MOD-010 (AUTO) — CDD tier assigned by rule engine, not agent discretion; MOD-039 (AUTO) — ongoing CDD informed by live customer risk score | 🔨 |
| R.11 | Record keeping — retain CDD records and transaction records for at least 5 years | AML/CFT Act s.35; AML/CTF Act s.115 | 🤖 Automated | AML-002 | MOD-013 (GATE) — sanctions/CDD records immutable; MOD-018 (LOG) — alert and SAR records retained; records cannot be deleted or altered | 🔨 |
| R.12 | PEPs — apply enhanced due diligence for politically exposed persons; senior management approval | AML/CFT Act s.22A; AML/CTF Act | 🤖 Automated | AML-004 | MOD-010 (ALERT) — PEP detection auto-escalates to EDD tier and senior management notification; MOD-153 (GATE) — PEP cannot be accepted without EDD on record | 🔨 |
Transaction monitoring and suspicious reporting (R.20, R.21)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.20 | Suspicious transaction reports — file an STR/SMR when there are reasonable grounds to suspect ML/TF | AML/CFT Act s.40; AML/CTF Act s.41 | 🤖 Automated | AML-005, AML-001 | MOD-016 (AUTO) — all transactions monitored against typology rules continuously; MOD-017 (AUTO) — ML behavioural model detects anomalies without requiring a specific rule; MOD-018 (LOG) — alert-to-STR pipeline ensures every alert is actioned and recorded | 🔨 |
| R.21 | Tipping-off prohibition — must not disclose that an STR has been or may be filed | AML/CFT Act s.40A; AML/CTF Act s.49 | 🤖 Automated | AML-001 | MOD-037 (AUTO) — STR data accessible only to compliance and legal roles; data-layer segregation enforced | 🔨 |
Wire transfers — travel rule (R.16)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.16 | Wire transfers — include originator and beneficiary information in all payment messages; apply due diligence to incoming wires with missing information | AML/CFT Act s.48; AML/CTF Act s.75 | 🤖 Automated | AML-001 | MOD-026 (AUTO) — originator and beneficiary data populated on every outbound wire automatically; MOD-019 (AUTO) — IFTI/CMIR threshold check applied; ISO 20022 message enrichment automated | 🔨 |
Targeted financial sanctions (R.6, R.7)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.6 / R.7 | Targeted financial sanctions — implement UNSC TFS resolutions on terrorism and proliferation financing without delay | Terrorism Suppression Act 2002; Russia Sanctions Act 2022; AU Autonomous Sanctions Act 2011 | 🤖 Automated | AML-007 | MOD-013 (GATE) — sanctions screen is a hard gate at both onboarding and payment initiation; MOD-014 (AUTO) — re-screens existing customers when list is updated; MOD-020 (GATE) — mandatory pre-payment gate | 🔨 |
Correspondent banking (R.13)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.13 | Correspondent banking — conduct enhanced due diligence before establishing a correspondent relationship; prohibit shell bank relationships | AML/CFT Act s.26; AML/CTF Act | 🤖 Automated | AML-009 | MOD-154 (GATE) — no payment routed through a correspondent that has not completed due diligence and received active approval; dual-approval gate (Head of Payments + CCO) required | 🔨 |
New technologies (R.15)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.15 | New technologies — assess and mitigate ML/TF risks of new products, services, and delivery channels before launch | AML/CFT Act s.57; AML/CTF Act | 📊 Evidenced | AML-001 | MOD-017 (AUTO) — ML behavioural scoring model included in the AML programme and documented in the model inventory; MOD-039 (AUTO) — AI-driven customer risk scoring documented and validated quarterly | 🔨 |
Programme and risk assessment obligations (R.1, R.2)
| Rec | Obligation | Domestic ref | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|---|
| R.1 / R.2 | Risk-based approach — establish and maintain a written AML/CFT programme based on a risk assessment; apply resources proportionate to assessed risk | AML/CFT Act ss.56–60; AML/CTF Act | 📊 Evidenced | AML-001 | MOD-037 (AUTO) — annual AML programme report auto-generated from operational data; MOD-016 (LOG) — documented, tested monitoring rules are the operational evidence of the programme; MOD-017 (LOG) — ML model forms part of documented AML programme | 🔨 |
The following FATF-derived obligations are the responsibility of the institution, not the platform.
The platform may generate evidence inputs but does not own these processes.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| AML/CFT training for all relevant staff (R.18) | Chief People Officer / Chief Compliance Officer | Platform access control acknowledgements via MOD-049 as supporting evidence only |
| Senior management oversight and governance of the AML/CFT programme (R.18) | Board / CEO | MOD-037 provides programme performance data for board reporting |
| Internal audit of the AML/CFT programme (R.18) | Head of Internal Audit | MOD-018, MOD-016, MOD-037 provide the audit evidence base |
| Designated AML/CFT Compliance Officer with appropriate authority (R.18) | Board | Institutional HR record; not a platform function |
| FATF mutual evaluation preparation and response | Chief Compliance Officer | MOD-037 provides examination-ready data extracts |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| CDD and identity (R.10–R.12) | 3 | 3 | 0 | 0 | 0 |
| Transaction monitoring and reporting (R.20–R.21) | 2 | 2 | 0 | 0 | 0 |
| Wire transfers — travel rule (R.16) | 1 | 1 | 0 | 0 | 0 |
| Targeted financial sanctions (R.6–R.7) | 1 | 1 | 0 | 0 | 0 |
| Correspondent banking (R.13) | 1 | 1 | 0 | 0 | 0 |
| New technologies (R.15) | 1 | 0 | 1 | 0 | 0 |
| Programme and risk assessment (R.1–R.2) | 1 | 0 | 1 | 0 | 0 |
| Total | 10 | 8 (80%) | 2 (20%) | 0 | 0 |
All obligations have attributed controls. All attributed modules are currently
build_status: Not started — the compliance position will update as modules are built and deployed.
| Policy | Title |
|---|---|
| AML-001 | AML/CFT Programme Policy |
| AML-004 | Politically Exposed Persons (PEP) Policy |
| AML-005 | Transaction Monitoring Policy |
| AML-007 | Sanctions Screening Policy |
| AML-009 | Correspondent Banking & Payments Policy |
| AML-011 | Customer Acceptance Policy |
See NZ AML/CFT Act 2009 and AU AML/CTF Act 2006 for the
domestic implementations.
See D03 AML / Financial Crime for the full risk domain.
Official documentation
Policies referencing this standard
- AML-001 — AML/CFT Programme Policy
- AML-004 — Politically Exposed Persons (PEP) Policy
- AML-005 — Transaction Monitoring Policy
- AML-007 — Sanctions Screening Policy
- AML-009 — Correspondent Banking & Payments Policy
- AML-011 — Customer Acceptance Policy
Compiled 2026-05-22 from source/entities/regulations/industry-fatf.yaml