Recommendation 18 · Group D · Preventive Measures

Former: R.15 & R.22

Internal controls & foreign branches

Recommendation 18 requires every financial institution and DNFBP to implement an internal AML/CFT programme proportionate to its size and risk — including policies, controls and procedures, an independent audit function, employee screening and ongoing training, and (for groups) policies that apply group-wide. Foreign branches and majority-owned subsidiaries must apply group-level AML/CFT measures consistent with home-country requirements when local rules are weaker.

Who must comply?

  • All financial institutions (banks, securities, insurance, MVTS, VASPs)
  • DNFBPs subject to AML/CFT
  • Financial groups with cross-border operations
  • Compliance, internal audit and human resources functions

Key requirements

  1. Written AML/CFT programme

    Implement an internal programme — written, approved by senior management, kept up to date — that includes policies, procedures and controls proportionate to the size and risks of the institution.

  2. Compliance management arrangements

    Designate a compliance officer at management level with responsibility for AML/CFT compliance, independent reporting to the board, and adequate resources.

  3. Independent audit function

    Maintain an audit function — internal or external — to test the AML/CFT programme periodically. The audit must be genuinely independent and have authority to escalate findings to the board.

  4. Employee screening procedures

    Apply screening procedures when hiring employees to ensure high standards — including verification of identity, employment history, criminal records and conflicts of interest.

  5. Ongoing employee training

    Provide ongoing AML/CFT training for relevant personnel — covering typologies, internal procedures, regulatory updates and the institution's risk profile.

  6. Group-wide programmes

    Financial groups must implement group-wide programmes against ML/TF — including policies and procedures for sharing information required for CDD and ML/TF risk management.

  7. Foreign branches and subsidiaries

    Foreign branches and majority-owned subsidiaries must apply AML/CFT measures consistent with the home-country requirements where the host-country requirements are less strict — to the extent permitted by host-country law. If the host country prohibits implementation, the home-country supervisor must be notified and additional measures applied.

Practical example

Example: building a SOFOM ENR's compliance programme

A Mexican SOFOM ENR builds its mandatory AML/CFT programme. Under R.18 (and Art. 95 Bis LGOAAC + DCG CNBV) it must include: a written manual approved by the board; designation of a compliance officer (oficial de cumplimiento) certified by the CNBV; an internal audit performed annually by independent auditors; employee onboarding with verification of criminal records (antecedentes penales) and CV; mandatory annual AML/CFT training for all staff with attendance records; an automated transaction-monitoring system (Art. 18 Fr. X reform 2025); and a system for reporting STRs (ROR/ROI/ROIP) to the CNBV.

How Mexico implements it

Country-specific section: Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).

Mexico details the components of the AML/CFT programme under each regime:

LFPIORPI Art. 18 Fr. VIII to XI: Programme for vulnerable activities (AV)

The July 2025 reform added a compliance manual (Fr. VIII), annual training (Fr. IX), automated mechanisms (Fr. X) and internal or external audit (Fr. XI) as express obligations for all vulnerable activities.

AML (PLD) compliance manual

The manual must include identification policies, risk-classification criteria, monitoring guidelines, detection and reporting procedures, training and audit. The pending RCG (deadline July 2026) will detail the minimum content.

Compliance officer / compliance representative

In the financial sector (CNBV), a certified compliance officer is required. For vulnerable activities (AV; LFPIORPI Art. 20), a representative in charge of compliance is required, which is a distinct role with specific responsibilities.

Mexican financial groups abroad

Mexican financial groups with international operations (Banorte, Bancoppel, Banco Azteca, Aeroméxico Pagos) apply the group programme to their subsidiaries abroad, notifying the CNBV when a host country prohibits implementing certain measures.

Milestones

  • 1990: Original Recommendations 15 and 22 on internal controls and foreign branches
  • 2012: Consolidated as Recommendation 18
  • 2017: Updated guidance on group-wide AML/CFT programmes
  • 2025: October 2025 update reinforces group information-sharing requirements

Official citation

FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 18, FATF, Paris, France. Last updated October 2025.
