40 FATF 40 Recommendations
17

Recommendation 17 · Group D · Preventive Measures

Former: R.9

Reliance on third parties

Recommendation 17 lets a financial institution rely on a regulated third party — typically another financial institution or DNFBP — to perform parts of customer due diligence (R.10) or identify the introduced business. The relying institution remains ultimately responsible: it must ensure the third party is supervised, applies adequate CDD, and provides identification data immediately on request. Reliance is allowed only when the third party is regulated, supervised and applies AML/CFT measures consistent with the FATF Recommendations.

Who must comply?

  • Banks and financial institutions using introducer or referral models
  • Asset managers and private banking units
  • Securities firms and broker-dealers receiving customers from intermediaries
  • Insurance brokers and agents introducing clients to insurers

Key requirements

  1. 1

    Ultimate responsibility remains

    The financial institution that relies on a third party retains ultimate responsibility for CDD measures. It cannot use reliance to escape its own AML/CFT obligations.

  2. 2

    Third party must be regulated and supervised

    The third party must be subject to regulation, supervision or monitoring for AML/CFT and apply CDD measures consistent with the FATF Recommendations. Reliance on unregulated third parties is prohibited.

  3. 3

    Immediate access to CDD data

    The relying institution must immediately obtain the necessary information concerning the elements of CDD measures performed by the third party.

  4. 4

    Copies of identification on request

    The relying institution must take adequate steps to satisfy itself that copies of identification data and other relevant CDD documentation will be made available from the third party upon request without delay.

  5. 5

    Country of the third party

    Take into account information available on the level of country risk where the third party is based — particularly whether that country is identified as having strategic AML/CFT deficiencies (R.19).

  6. 6

    Group reliance

    When reliance is among entities of the same financial group, requirements may be relaxed if (a) the group applies CDD, record-keeping and AML/CFT programmes per R.18 across the group, (b) the group is supervised at group level, and (c) any high-country-risk concerns are mitigated by the group's policies.

Practical example

Example: a Mexican broker referred to a private bank

A Mexican broker introduces a high-net-worth client to a Swiss private bank. Under R.17 the Swiss bank can rely on the broker's CDD if (a) the broker is licensed by the CNBV in Mexico (regulated and supervised), (b) the Swiss bank obtains immediate access to the customer file, source-of-wealth analysis and ID copies, (c) Mexico is not on the FATF grey/black list, and (d) the Swiss bank documents the reliance arrangement. The Swiss bank remains accountable to the Swiss FINMA — if the file is incomplete, FINMA will sanction the Swiss bank, not the Mexican broker.

How Mexico implements it

Country-specific section in Spanish — Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).

México permite la dependencia en terceros bajo condiciones específicas:

DCG CNBV — Dependencia en sector financiero

Las disposiciones permiten que las entidades del sector financiero dependan de otras entidades reguladas para CDD, siempre que se obtenga acceso inmediato al expediente y se mantenga responsabilidad última.

LFPIORPI — Dependencia limitada

La LFPIORPI no contempla expresamente la figura de 'dependencia en terceros'. Las AV son responsables directas de identificar al cliente. Pueden recibir información de un asesor o gestor pero deben validarla y conservarla en su propio expediente.

Fideicomisos y dependencia entre fiduciarios

Bancos fiduciarios pueden depender de la DDC realizada por otro banco fiduciario en el mismo grupo cuando administran estructuras complejas (FIBRAs con múltiples vehículos, fideicomisos emisores con sub-fideicomisos).

Milestones

  1. 2003

    Original Recommendation 9 on third-party reliance

  2. 2012

    Renumbered as Recommendation 17

  3. 2025

    October 2025 update strengthens group-reliance and country-risk standards

Related Recommendations

Other Recommendations in Group D — Preventive Measures

9 R.9 Financial institution secrecy laws 10 R.10 Customer due diligence (CDD) 11 R.11 Record keeping 12 R.12 Politically exposed persons (PEPs) 13 R.13 Correspondent banking 14 R.14 Money or value transfer services (MVTS) 15 R.15 New technologies & virtual assets 16 R.16 Payment transparency (Travel Rule) 18 R.18 Internal controls & foreign branches 19 R.19 Higher-risk countries 20 R.20 Suspicious transaction reports (STRs) 21 R.21 Tipping-off & confidentiality 22 R.22 DNFBPs: customer due diligence 23 R.23 DNFBPs: other measures

Official citation

FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 17, FATF, Paris, France. Last updated October 2025.

Read the official text on fatf-gafi.org