Understanding FATF’s 40 Recommendations: A Practical Guide to AML/CFT Compliance

Jason Atisse
March 27, 2026

The Financial Action Task Force ("FATF") is the international standard-setter for anti-money laundering, counter-terrorist financing, and counter-proliferation financing. Its Recommendations form the global benchmark used by jurisdictions, regulators, financial institutions, and designated non-financial businesses and professions to design and assess AML/CFT systems. For an international financial centre such as Mauritius, FATF standards are not merely technical guidance. They are directly connected to credibility, investor confidence, correspondent relationships, and access to international markets. A jurisdiction that is perceived as weak on FATF implementation can face enhanced scrutiny, increased de-risking by foreign counterparties, and, in serious cases, grey-listing consequences that affect the wider financial sector.

For an international financial centre such as Mauritius, FATF standards are directly connected to credibility, investor confidence, correspondent relationships, and access to international markets. Weak implementation may lead to enhanced scrutiny, de-risking, or grey-listing consequences affecting the wider financial sector.

For Mauritius, the relevance of FATF compliance is therefore both legal and strategic. The country’s AML/CFT architecture has been shaped to align with FATF standards through the Financial Intelligence and Anti-Money Laundering Act 2002 ("FIAMLA"), the Financial Intelligence and Anti-Money Laundering Regulations 2018 ("FIAML Regulations"), sector-specific regulation, and FSC supervisory guidance. This alignment is particularly important for management companies because they operate at the centre of the global business sector, administering companies, trusts, funds, and cross-border structures that can present elevated money laundering and terrorist financing risks if not properly controlled. In practice, FATF compliance determines not only what the law requires, but also how management companies should think about risk, governance, client acceptance, and ongoing monitoring.

What Are the FATF Recommendations?

The FATF Recommendations developed over time. The original 40 Recommendations were focused on anti-money laundering. Following the growing international concern with terrorist financing, FATF introduced the 9 Special Recommendations on terrorist financing. In 2012, FATF revised and consolidated the framework into a single set of Recommendations covering money laundering, terrorist financing, and proliferation financing. Strictly speaking, the current framework is no longer legally or structurally divided into "40 + 9". However, the expression remains useful because it reflects the historical evolution of AML and CFT controls and helps explain why some firms still think of counter-terrorist financing as a distinct compliance discipline.

The purpose of the FATF Recommendations is to provide a complete and internationally accepted framework for preventing abuse of the financial system. FATF states that the Recommendations "set out a comprehensive and consistent framework of measures which countries should implement in order to combat money laundering and terrorist financing, as well as the financing of proliferation of weapons of mass destruction" (FATF Recommendations, Introductory Note). This is important because FATF standards do not apply only to criminal enforcement. They also shape preventive obligations such as customer due diligence, beneficial ownership transparency, targeted financial sanctions, and suspicious transaction reporting. For management companies, this means the Recommendations are highly operational. They influence the design of onboarding, file review, transaction scrutiny, sanctions checks, and escalation systems.

The Recommendations are best understood in thematic groups. Recommendations 1 and 2 address policies, coordination, and the risk-based approach. Recommendations 3 and 4 deal with money laundering offences and confiscation. Recommendations 5 to 8 focus on terrorist financing and targeted sanctions. Recommendations 9 to 23 contain the preventive measures that are most relevant to firms, including customer due diligence, record keeping, politically exposed persons, correspondent relationships, internal controls, and suspicious transaction reporting. Recommendations 24 and 25 focus on transparency and beneficial ownership of legal persons and legal arrangements. Recommendations 26 to 35 concern competent authorities and supervisory or enforcement functions, while Recommendations 36 to 40 deal with international cooperation. This structure matters because not every Recommendation applies in the same way to private firms. Management companies are most directly affected by the preventive and transparency-related Recommendations, but they must also understand the broader framework because supervision in Mauritius is based on how effectively these standards are embedded across the system.

To Whom Do the FATF Recommendations Apply?

At the highest level, the FATF Recommendations apply to jurisdictions. They require countries to establish criminal offences, confiscation powers, supervisory regimes, financial intelligence units, mechanisms for international cooperation, and national coordination arrangements. Recommendation 1, for example, requires countries to identify and assess their money laundering and terrorist financing risks and to take steps to ensure those risks are mitigated effectively. In practical terms, this means that Mauritius must maintain a national AML/CFT strategy, carry out National Risk Assessments, legislate appropriately, and empower regulators and law enforcement agencies to act. The obligation is therefore not placed only on the private sector. The State itself must construct and maintain the legal and institutional architecture that reflects FATF standards.

At the same time, the FATF Recommendations also apply to financial institutions and designated non-financial businesses and professions ("DNFBPs"). FATF Recommendation 22 provides that customer due diligence and record-keeping requirements apply to DNFBPs in specified situations, including "trust and company service providers" when they prepare for or carry out transactions for a client concerning activities such as acting as a formation agent, acting as a director or secretary, providing a registered office, or acting as a trustee or nominee shareholder (FATF Recommendation 22). This is directly relevant to the Mauritian management company sector because much of its activity falls within the trust and company service provider model. The result is that FATF obligations are not only supervisory principles in the background; they translate into concrete duties for management companies.

In Mauritius, management companies are licensed and supervised entities operating within the financial services sector. Their obligations arise under the Financial Services Act 2007, FIAMLA, the FIAML Regulations, FSC Rules, and the FSC AML/CFT Handbook. As a matter of practice, they must implement customer due diligence, enhanced due diligence, beneficial ownership identification, ongoing monitoring, record keeping, sanctions screening, and suspicious transaction reporting. Analytically, this means management companies stand at the intersection of the jurisdiction-level FATF framework and the client-facing operational world. They are both recipients of regulatory expectations and frontline actors responsible for making FATF-derived controls effective in real client relationships.

How FATF Recommendations Are Implemented in Mauritius

In Mauritius, FATF standards are primarily implemented through legislation and regulation. FIAMLA forms the core statutory basis of the AML/CFT regime, while the FIAML Regulations provide operational detail. Section 17C of FIAMLA provides that "every reporting person shall identify, assess, and understand the money laundering and terrorism financing risks for customers, countries or geographic areas, and products, services, transactions or delivery channels" and "shall take effective measures to mitigate and manage those risks" (FIAMLA, s.17C). This provision reflects Recommendation 1 and confirms that the risk-based approach is mandatory in Mauritian law, not optional guidance. FIAMLA also states that where higher risks are identified, "a reporting person shall conduct enhanced due diligence measures consistent with the risks identified" (FIAMLA, s.17C(3)). The legislative position is therefore clear: risk identification must lead to proportionate control measures.

The FIAML Regulations 2018 translate this statutory framework into more detailed compliance obligations. They set out requirements on customer due diligence, beneficial ownership, record keeping, politically exposed persons, and ongoing monitoring. Regulation 12 states that enhanced due diligence may include “obtaining additional information on the customer”, “obtaining information on the source of funds or source of wealth of the customer”, “obtaining the approval of senior management to commence or continue the business relation”, and “conducting enhanced monitoring of the business relationship” (FIAML Regulations 2018, reg. 12(2)). This is an example of how FATF standards are domesticated in Mauritius: broad international principles are converted into explicit legal duties that can be tested during supervision.

The FSC AML/CFT Handbook plays a critical practical role. It does not replace the law, but it explains how the FSC expects financial institutions and licensees to implement their obligations. It reinforces the risk-based approach and provides guidance on how firms should apply CDD, EDD, beneficial ownership analysis, and ongoing monitoring. For management companies, the Handbook is especially important because their business model involves non-face-to-face onboarding, multi-jurisdictional structures, trusts, and nominee arrangements, all of which require more than a mechanical approach to compliance. Analytically, the Handbook is where FATF principles become supervisory expectations. A firm that only reads the statute but ignores the Handbook may comply formally with some minimum rules while still failing to meet the practical standard expected by the FSC.

The FSC AML/CFT Handbook plays a critical practical role. It does not replace the law, but it explains how the FSC expects financial institutions and licensees to implement their obligations. It reinforces the risk-based approach and provides guidance on how firms should apply CDD, EDD, beneficial ownership analysis, and ongoing monitoring. For management companies, the Handbook is especially important because their business model involves non-face-to-face onboarding, multi-jurisdictional structures, trusts, and nominee arrangements, all of which require more than a mechanical approach to compliance. Analytically, the Handbook is where FATF principles become supervisory expectations. A firm that only reads the statute but ignores the Handbook may comply formally with some minimum rules while still failing to meet the practical standard expected by the FSC.

Key FATF Recommendations Relevant to Management Companies

Recommendation 1 – Risk-Based Approach

Recommendation 1 on the risk-based approach is the foundation of the FATF framework. FATF provides that “countries should identify, assess, and understand the money laundering and terrorist financing risks for the country” and that financial institutions and DNFBPs should be required to “identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks” (FATF Recommendation 1). In Mauritius, this principle is reflected in section 17C of FIAMLA. For management companies, Recommendation 1 is not just about having a Business Risk Assessment on file. It requires the firm to understand where risk actually lies in its client book: complex ownership chains, high-risk jurisdictions, nominee shareholders, trust structures, PEP exposure, source of wealth opacity, and unusual transactional behaviour. The analytical point is that all other controls depend on the quality of the risk assessment. If a management company underestimates risk at the onboarding stage, CDD, EDD, monitoring, and escalation will all be weakened. In practical terms, firms should maintain a documented BRA, calibrate client risk-scoring models, align them with the National Risk Assessment, and review them periodically when typologies or business lines change.

Recommendation 10 – Customer Due Diligence

Recommendation 10 on customer due diligence is one of the most important FATF obligations for management companies. FATF requires financial institutions to undertake CDD measures when establishing business relationships, carrying out occasional transactions above threshold levels, when there is suspicion of money laundering or terrorist financing, or when there are doubts about previously obtained identification data (FATF Recommendation 10). The Recommendation also requires identification of the beneficial owner and taking reasonable measures to verify that person’s identity. In Mauritius, this obligation is reflected in the FIAML Regulations, including the requirement to identify and verify the beneficial owner and, for trusts, to identify the settlor, trustee, beneficiaries, and any other natural person exercising ultimate effective control (FIAML Regulations 2018, reg. 7). This is especially important for management companies because they often onboard structures that are lawful on paper but opaque in substance. The practical challenge is not simply to collect registers and incorporation documents, but to determine who truly owns or controls the structure. A strong implementation approach should therefore include ownership charts, control analysis, independent document verification, and sceptical review of arrangements involving nominees or multiple layers.

Recommendation 12 – Politically Exposed Persons

Recommendation 12 on politically exposed persons requires enhanced due diligence for PEPs. FATF requires firms, in relation to foreign PEPs, to have appropriate risk management systems to determine whether a customer or beneficial owner is a PEP, obtain senior management approval before establishing or continuing the relationship, take reasonable measures to establish source of wealth and source of funds, and conduct enhanced ongoing monitoring (FATF Recommendation 12). Mauritian law mirrors this requirement. Regulation 15 of the FIAML Regulations requires firms to “have appropriate risk management systems to determine whether the customer or the beneficial owner is a politically exposed person”, “obtain senior management approval for establishing or continuing business relationships”, “take reasonable measures to establish the source of wealth and source of funds”, and “conduct enhanced ongoing monitoring on that relationship” (FIAML Regulations 2018, reg. 15(1)). For management companies, Recommendation 12 is particularly relevant because PEP risk may be hidden within holding companies, family trusts, or close associates rather than being visible in the name of the direct customer. The correct approach is not to reject PEPs automatically, but to recognise that they require more scrutiny, stronger documentation, and more senior oversight.

Recommendation 22 – DNFBPs

Recommendation 22 is highly significant because it extends the FATF preventive framework to DNFBPs, including trust and company service providers. This is often underestimated in practice because AML/CFT discourse is frequently bank-centric. Yet FATF explicitly recognises that DNFBPs can be used to create or administer structures through which illicit wealth is concealed. For Mauritian management companies, Recommendation 22 is therefore not peripheral. It is one of the clearest bases for applying CDD, record keeping, and reporting duties to their day-to-day activity. Analytically, Recommendation 22 underscores an important truth: management companies are not merely administrative service providers; they are gatekeepers whose corporate and fiduciary services can either protect the integrity of the financial system or weaken it if controls are superficial.

Recommendations 24 & 25 – Beneficial Ownership

Recommendations 24 and 25 on beneficial ownership and transparency are among the most operationally difficult and most strategically important Recommendations for management companies. FATF requires countries to ensure that competent authorities can obtain adequate, accurate, and up-to-date beneficial ownership information on legal persons and legal arrangements. This area became especially important in the Mauritian context following the country’s grey-listing experience, where beneficial ownership transparency was a key focus of international scrutiny. For management companies, the analytical challenge is that formal ownership and actual control do not always coincide. A shareholder register may identify a corporate shareholder, but that does not answer who ultimately owns or controls the customer. In trusts, the issue is even more complex because control may arise through the settlor, protector, trustee, beneficiaries, or informal influence. The proper implementation approach should therefore go beyond collecting documents. Firms should map ownership and control, test the coherence of information across documents, identify the natural persons behind legal entities, and apply heightened scrutiny where there are signs of concealment or unnecessary complexity.

Recommendation 11 – Record Keeping

Recommendation 11 on record keeping is often treated as a routine administrative requirement, but it is analytically more important than that. FATF requires financial institutions to maintain records of transactions and CDD information for at least five years. Record keeping matters because an AML/CFT framework is only as strong as its evidential foundation. In Mauritius, record retention requirements are embedded in the legal framework and are essential for regulatory inspections, investigations, and the reconstruction of transactions. For management companies, good record keeping means more than retaining scanned passports and incorporation documents. It means preserving the rationale for risk classification, the basis for source of wealth conclusions, PEP screening results, escalation notes, management approvals, and ongoing monitoring outcomes. Without this, a firm may have acted properly but still be unable to demonstrate it to the FSC or the FIU.

Recommendation 20 – Suspicious Transaction Reporting

Recommendation 20 on suspicious transaction reporting is equally central. FATF requires that if a financial institution “suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity, or are related to terrorist financing, it should be required, directly by law, to report promptly its suspicions to the financial intelligence unit” (FATF Recommendation 20). In Mauritius, this obligation is implemented through FIAMLA and the FIU reporting framework. For management companies, suspicion may arise from unusual features of a structure, unexplained wealth, inconsistency between declared activity and actual transactions, reluctance to disclose beneficial owners, or unexpected changes in control. The analytical difficulty is that suspicious behaviour in a management company context is often structural rather than transactional. This means internal reporting systems must be sophisticated enough to capture red flags arising from onboarding, corporate administration, and client behaviour, not only bank-style transaction monitoring alerts.

Recommendation 15 – New Technologies

Recommendation 15 on new technologies requires countries and institutions to identify and assess the risks that may arise in relation to new products, new business practices, and the use of new or developing technologies. This has become increasingly relevant as financial services evolve through digital onboarding, fintech integration, and virtual assets. Mauritius has addressed some of these issues through its virtual asset framework and evolving regulation of innovative financial activity. For management companies, the practical relevance lies in the fact that new technologies can increase both efficiency and risk. Remote onboarding tools, digital identity systems, virtual asset exposure, and cross-border digital business models can complicate verification, transaction traceability, and risk monitoring. A sound implementation approach therefore requires pre-adoption risk assessments, controls testing, staff training, and updates to internal risk methodology whenever new technologies or products are introduced.

Recommendations 6 & 7 – Sanctions

Recommendations 6 and 7 on targeted financial sanctions require countries and firms to implement freezing obligations and other controls relating to terrorism and proliferation financing in accordance with United Nations Security Council resolutions. For management companies, this means sanctions compliance is not limited to a one-time name screening exercise. It requires effective screening of clients, beneficial owners, connected parties, and, where relevant, transactions. This is an area where formalistic compliance is particularly dangerous. A firm may screen the direct customer but fail to identify that a beneficial owner, settlor, or controller matches a sanctions list. In practice, management companies should implement onboarding screening, periodic rescreening, trigger-based rescreening when ownership changes, and documented alert resolution procedures. This is especially important because sanctions breaches can create immediate legal and reputational consequences.

Practical Application for Management Companies

In a management company, FATF compliance must be translated into ordinary operational processes. This means the Recommendations should be visible in onboarding forms, risk-rating tools, compliance review templates, escalation channels, and monitoring systems. A policy that refers to Recommendation 10 or Recommendation 12 is not enough if it is not reflected in the questions asked during onboarding, the documents requested, the persons screened, and the approvals captured. Analytically, this is where many firms fail: they understand FATF standards conceptually, but do not convert them into disciplined operational behaviour. The test of an effective compliance framework is therefore whether a reviewer can trace a clear line between regulatory requirements and the actual file-handling process.

The core controls management companies should implement are relatively clear. They should maintain a documented business risk assessment and a methodology for customer risk classification. They should apply customer due diligence and enhanced due diligence that are sensitive to the complexity of global business structures. They should screen for PEPs, sanctions, and adverse media. They should verify beneficial ownership with substance over form. They should maintain systems for ongoing monitoring, internal suspicious activity escalation, and timely filing with the FIU where appropriate. They should also ensure robust record retention. The important analytical point is that these controls should not operate in silos. For example, CDD findings should influence risk ratings, which should influence monitoring intensity, which should influence review frequency and escalation sensitivity. A fragmented framework creates blind spots.

Governance and oversight are equally important. FATF-style compliance depends heavily on clear accountability, independent challenge, and escalation culture. The compliance function and the Money Laundering Reporting Officer (“MLRO”) must have sufficient authority, access to information, and independence to challenge client-facing teams. Senior management approval should be meaningful, particularly in high-risk or PEP cases, and not a mere sign-off ritual. Boards and senior management should receive relevant compliance reporting, including information on higher-risk clients, suspicious activity trends, screening issues, and control weaknesses. In practice, a management company with technically sound procedures but weak governance may still fail because difficult cases are accepted without challenge or because commercial pressure overrides risk judgment.

Common Compliance Gaps

In practice, several weaknesses recur in the management company sector. One of the most common is weak beneficial ownership identification. Some firms still rely too heavily on formal shareholder information without fully analysing ultimate ownership and control. Another frequent issue is over-reliance on introducers, foreign intermediaries, or professional advisers. While introducers may assist with information gathering, they do not displace the Mauritian management company’s legal responsibility to know its customer and assess risk independently. A third weakness is poor documentation of risk assessments. A file may be labelled high-risk or medium-risk, but the rationale is not clearly explained, which undermines the defensibility of the decision.

Another persistent weakness is inadequate ongoing monitoring. Some firms carry out onboarding thoroughly but treat the file as static thereafter. This is problematic because AML/CFT risk is dynamic. Ownership may change, new jurisdictions may appear, client behaviour may diverge from the declared purpose of the structure, and adverse media may emerge after onboarding. Historically, weaknesses of this nature have been relevant in mutual evaluation and supervisory assessments of AML/CFT effectiveness. The broader analytical lesson is that compliance failure often does not arise because firms have no procedures. It arises because procedures are applied mechanically, without enough scepticism, follow-up, or integration between risk assessment and day-to-day business activity.

Regulatory Expectations and Enforcement

Mauritius now operates in a supervisory environment where FATF effectiveness matters as much as technical compliance. The FSC uses a risk-based supervisory approach and assesses not only whether policies exist, but whether they are implemented in a meaningful way. This may occur through onsite inspections, thematic reviews, desk-based reviews, remediation follow-up, and enforcement action where necessary. For management companies, this means the standard of review is increasingly evidence-based. Regulators want to see whether beneficial ownership was genuinely established, whether source of wealth analysis was credible, whether risk ratings were justified, whether monitoring was performed, and whether suspicious matters were escalated properly.

The post-grey-listing environment has reinforced this expectation. Mauritius has made significant efforts to strengthen its AML/CFT system and demonstrate alignment with international standards. That progress, however, does not reduce the burden on individual firms. On the contrary, it increases the expectation that firms will maintain the improved standard. Analytically, this means management companies should not view FATF alignment as a one-time national achievement. It is an ongoing operational obligation that must be sustained through file quality, staff competence, governance discipline, and readiness for supervisory review.

Best Practices

The most effective management companies tend to apply a substance-over-form approach. They do not stop at collecting documents; they seek to understand the commercial rationale, ownership reality, and risk profile behind the structure. They document material decisions, including why a client was accepted, why a risk rating was assigned, how source of wealth was assessed, and why certain red flags were or were not escalated. They also align customer due diligence, enhanced due diligence, monitoring, and suspicious transaction reporting into a single risk framework rather than treating them as isolated compliance tasks.

Continuous staff training is also essential. Frontline teams, client administrators, compliance officers, and senior management should all understand how FATF standards manifest in the Mauritian management company environment. Independent audit or periodic testing is another best practice, because it helps firms identify whether controls are merely present on paper or actually functioning in practice. Finally, management companies should make active use of typologies, National Risk Assessment findings, and FATF guidance to calibrate their controls. The FATF Recommendations should not be viewed only as minimum requirements. They can also be used as a benchmark for building a more resilient and internationally credible compliance culture.

Conclusion

The FATF Recommendations are not abstract international principles operating at a distance from everyday practice. In Mauritius, they shape the legal framework, the regulatory guidance issued by the FSC, and the supervisory expectations imposed on management companies. For management companies in particular, the most important Recommendations are those dealing with the risk-based approach, customer due diligence, politically exposed persons, DNFBP obligations, beneficial ownership, record keeping, suspicious transaction reporting, sanctions, and new technologies. These are the Recommendations that most directly affect how clients are onboarded, monitored, and escalated.

The practical lesson is straightforward. Strong AML/CFT compliance in a Mauritian management company is achieved when FATF standards are translated into real controls, real judgment, and real documentation. Firms that do this well are better placed to protect their licence, preserve their reputation, and sustain access to international business opportunities. Firms that treat FATF compliance as a box-ticking exercise may satisfy a form temporarily, but they do not build the type of control environment that Mauritian law, FSC supervision, and international standards now require.

Jason Atisse

Compliance Executive | AML/CFT Specialist