Who must comply?
- National legislators (laws on bank secrecy, tax secrecy, professional privilege)
- Financial supervisors and competent authorities
- Banks, securities firms, insurers and DNFBPs subject to confidentiality rules
Key requirements
- 1. Secrecy must not block AML/CFT obligations
  Bank secrecy and similar confidentiality laws must not prevent financial institutions from implementing customer due diligence, monitoring transactions, identifying beneficial owners, filing STRs or any other FATF requirement.
- 2. Authorities must have access
  Competent authorities — FIU, supervisors, law enforcement — must be able to access information held by financial institutions when carrying out their AML/CFT functions, with appropriate legal safeguards.
- 3. Information sharing among financial institutions
  Sharing of information between financial institutions in the same group, and between unrelated institutions when needed for AML/CFT (e.g., correspondent banking, suspicious-transaction red flags), must be permitted.
- 4. International cooperation enabled
  Secrecy laws must not block international cooperation between supervisors, FIUs and law enforcement on AML/CFT matters — including spontaneous information exchange and responses to formal requests.
- 5. Confidentiality of STRs preserved
  While AML/CFT-related sharing must be enabled, the confidentiality of suspicious transaction reports (R.20) and tipping-off prohibitions (R.21) must be respected — STRs must not become public or be shared with the customer.
Practical example
Example: cross-border investigation pierces bank secrecy
Mexico's UIF receives information from FinCEN (US FIU) about a structured payment scheme involving a Mexican company. Under R.9, the Mexican bank secrecy regime cannot block the UIF from requesting the customer's account history from the bank, nor block the bank from sharing it with the FGR for criminal prosecution. The bank delivers the records under legal protection — the customer cannot sue for breach of secrecy because the AML/CFT carve-out applies.
How Mexico implements it
Country-specific section: Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).
Mexico aligns bank secrecy with AML/CFT obligations through express exceptions:
Art. 117 LIC: Exceptions to bank secrecy
Bank secrecy in Mexico (Art. 117 LIC) has express exceptions in favor of the CNBV, UIF, FGR, SAT and judicial authorities when they exercise AML/CFT, tax or criminal prosecution functions.
LFPIORPI and secrecy
The LFPIORPI requires obligated entities to provide information to the SHCP/SAT, and bank or professional secrecy cannot be invoked against that obligation. Retention of the file for 10 years is enforceable even against customer requests to delete data.
International cooperation
Mexico exchanges information with foreign FIUs via the Egmont Group and with supervisors via bilateral MoUs (CNBV with the SEC, FCA, ESMA, etc.). Bank secrecy does not impede these exchanges when there is a legal basis.
Milestones
- 1990: Original Recommendation 4 — secrecy must not impede AML
- 2012: Renumbered as Recommendation 9
- 2025: October 2025 update strengthens information-sharing among institutions
Related Recommendations
Other Recommendations in Group D — Preventive Measures
Official citation
FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 9, FATF, Paris, France. Last updated October 2025.
Read the official text on fatf-gafi.org