Who must comply?
- National governments and regulators (must run a National Risk Assessment)
- Financial intelligence units, supervisors and law enforcement
- Financial institutions (banks, MVTS providers, securities firms, insurers)
- Designated non-financial businesses and professions (DNFBPs): casinos, real estate agents, dealers in precious metals/stones, lawyers, notaries, accountants, trust and company service providers
Key requirements
- 1. National Risk Assessment (NRA)
  Every country must produce and keep up to date a written assessment of the money laundering, terrorist financing and proliferation financing risks it faces. The NRA should be informed by intelligence, statistics and private-sector input, and shared with all relevant stakeholders so they can use it.
- 2. Designate a coordinating authority
  Countries must appoint a body or mechanism responsible for coordinating risk assessment work and ensuring that mitigation actions are implemented across ministries, supervisors and the private sector.
- 3. Allocate resources proportionally
  Where risks are higher, countries must apply enhanced measures and devote more resources. Where risks are lower, simplified measures are permitted — but only after a documented assessment supports the conclusion.
- 4. Cascade the obligation to obliged entities
  Financial institutions and DNFBPs must perform their own risk assessments at the entity, customer, product, channel and geography levels, document them, update them, and translate the conclusions into their CDD, monitoring and reporting policies.
- 5. Proliferation financing carve-out
  For proliferation financing, the risk assessment is limited to the potential breach, non-implementation or evasion of targeted financial sanctions under Recommendation 7. It does not expand other obligations beyond what each Recommendation requires.
- 6. Higher risks trigger enhanced measures
  Identifying a higher risk is not enough — countries and entities must demonstrate they have actually applied stronger measures (extra CDD, monitoring, reporting, training, supervision) to address the specific risk.
- 7. Document everything
  Risk assessments and the rationale behind simplified or enhanced measures must be written down, dated, and available to supervisors and assessors during mutual evaluations.
Practical example
Example: Mexican fintech designs its CDD program
A Mexican fintech offering remittances to LATAM completes its entity-level risk assessment. It identifies higher risk in (1) cross-border transfers to FATF (GAFI) grey-list jurisdictions, (2) cash-funded transfers above 1,000 USD, and (3) anonymous prepaid card top-ups. It applies enhanced measures: source-of-funds questions, real-time list screening, transaction caps and senior management approval. For domestic person-to-person transfers under 100 USD between two known customers, it applies simplified measures. Both decisions are documented with rationale and shared with the CNBV during inspections — exactly what Recommendation 1 expects.
How Mexico implements it
Country-specific section: Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).
Mexico implements the RBA through the National Risk Assessment (Evaluación Nacional de Riesgos, ENR) of the Ministry of Finance (Secretaría de Hacienda) and the amended obligation in Art. 18, Section VII of the LFPIORPI:
National Risk Assessment (ENR) 2025
Mexico published its 2025 ENR, prepared by the SHCP with input from the UIF, CNBV, SAT, Banxico and FGR. It identifies threats, vulnerabilities and risks by sector and product. It is the basis on which national AML policies are designed and the basis that each obliged entity must consult when building its risk matrix.
Art. 18, Section VII LFPIORPI: RBA for vulnerable activities
The reform of 16 July 2025 introduced the express obligation to apply a Risk-Based Approach for those who carry out vulnerable activities. Each obliged entity must classify its customers as low, medium or high risk, and apply simplified or enhanced due diligence accordingly. The General Rules (Reglas de Carácter General) that will detail this obligation have a deadline of July 2026.
RBA for SOFOMes ENR (DCG CNBV)
SOFOMes ENR were already required to apply the RBA under the CNBV's General Provisions (Disposiciones de Carácter General; DOF 2011, as updated). They must have a documented methodology, classification criteria and a current risk matrix that is reviewed annually.
Documentation and supervision
Both the SAT (for vulnerable activities) and the CNBV (for the financial sector) verify during visits that the risk matrix exists in writing, is signed by the compliance officer/representative, is up to date and is applied consistently in customer files.
Milestones
- 1990: Original 40 Recommendations published — risk awareness mentioned implicitly
- 2003: Second revision broadens scope, but no formal RBA Recommendation yet
- 2012: RBA becomes Recommendation 1 — the cornerstone of the consolidated framework
- 2020: Proliferation financing risk assessment added (linked to Recommendation 7)
- 2025: October 2025 consolidated update reaffirms RBA primacy
Official citation
FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 1, FATF, Paris, France. Last updated October 2025.