GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

AML Typologies Across Sectors: Beyond the Bank

Your notes

What this means in plain language

Anti-money-laundering duties reach well beyond banks, into professions and sectors from law and real estate to casinos and charities. A risk-based approach spreads those duties and asks each firm to assess and document its own exposure.

It is easy to think of anti-money-laundering (AML) as a banking topic, but the obligations reach much further. The Financial Action Task Force asks countries to bring a set of non-bank businesses, known as Designated Non-Financial Businesses and Professions (DNFBPs), into the AML net, because criminals can misuse a lawyer, an accountant, or a property sale just as readily as a bank account. Other sectors, such as charities and online gaming, carry their own risks. The organising idea is the risk-based approach: rather than treating everyone the same, each firm identifies where its exposure lies, rates it, and documents the result. This guide explains who is covered and the tools firms use to assess themselves.

Understand the full idea, step by step

Buy a flat, hire a lawyer to hold the deposit, sit at a casino table, donate to a charity — none of these is a bank, yet each can be used to move or disguise value. That is why anti-money-laundering duties reach well beyond banking, into a surprising range of professions and sectors.

Designated Non-Financial Businesses and Professions (DNFBPs)

FATF asks countries to bring a set of non-bank businesses into the AML net — DNFBPs: lawyers, accountants, real-estate agents, trust and company service providers, casinos, and dealers in precious metals and stones. Each can be misused, wittingly or not, to move or layer value. Bringing them in closes doors that would otherwise sit wide open beside the well-guarded banking system.

Other risk sectors

Beyond the DNFBP list, some sectors carry their own attention. Non-profit organisations (NPOs) and charities can be misused to raise or move funds under a trusted cover, so many jurisdictions apply proportionate, risk-based measures to them for terrorist-financing risk — FATF Recommendation 8 cautions against treating non-profits as inherently high-risk. Online gaming and gambling, where value flows quickly and across borders, is another. The point is not that these sectors are guilty — it is that their features make certain abuses easier, so controls attend to them.

The risk-based approach

The reason duties spread unevenly is the risk-based approach: effort should follow exposure. Rather than identical checks everywhere, a firm concentrates resources where danger is greatest and applies lighter measures where it is low. This makes controls proportionate — but it also puts the burden on each firm to understand its own situation honestly and to justify, to a regulator, why it treats some relationships as higher risk than others.

Business Risk Assessment and Risk Register

To make the risk-based approach real, firms use governance tools that force the thinking onto paper. A Business Risk Assessment (BRA) steps back and asks where the whole firm is exposed — across customers, products, geographies, and channels. A Risk Register then lists those risks and rates each one, a living record that can be reviewed and challenged. Together they let a firm show not just that it is careful, but *why* it is careful in the particular way it is.

Digital KYC spreads the reach

Applying real customer checks across sectors far from banking is only practical because of Digital KYC — electronic identity verification that makes checks faster and more consistent. It lets a small law firm or a gaming operator run identity and screening steps that once needed a bank's back office. It does not replace judgement; it makes the routine parts repeatable so judgement can focus where it matters.

COMMON CONFUSION

The risk-based approach means low-risk customers can be ignored entirely.

It means proportionate effort, not zero effort. Even low-risk relationships carry baseline checks — identity, monitoring, the ability to notice change. Risk-based lets a firm do less where danger is genuinely low, but 'less' is never 'nothing', and the firm must be able to justify where it drew the line.

FOR NOW, REMEMBER

  • AML duties reach beyond banks to DNFBPs — lawyers, accountants, real estate, casinos, dealers — plus risk sectors like NPOs and gaming.
  • The risk-based approach directs effort toward exposure, and asks each firm to justify its choices.
  • A Business Risk Assessment and Risk Register put that thinking onto paper.
  • Digital KYC makes consistent checks practical across sectors — but does not replace judgement.

TRY IT YOURSELF

A small accountancy firm decides a client is low-risk and proposes doing no identity checks or monitoring at all. Does the risk-based approach permit this?

Yes — low risk means no obligations apply.

Not this one — The risk-based approach scales effort to exposure; it never removes the baseline. Even low-risk clients require identity verification and ongoing monitoring. 'Less' is not 'nothing'.

No — proportionate means lighter measures for low risk, but baseline checks and monitoring still apply.

Correct — Correct. A firm may do less where risk is genuinely low, but it must still verify identity, monitor, and be able to justify its assessment. Skipping everything is not risk-based; it is uncontrolled.

It does not matter, because accountancy firms are not covered by AML rules.

Not this one — Accountants are a DNFBP — squarely within the AML net. The obligations apply; the only question is how much effort each relationship warrants.

Firms do not work alone. Next: how authorities ask institutions to search their records for named subjects — and how banks respond without freezing anything.

KEEP GOING

Three things to remember

  1. 01

    Designated Non-Financial Businesses and Professions (DNFBPs), including lawyers, accountants, real-estate agents, trust and company service providers, casinos, and dealers in precious metals and stones, are brought within AML obligations by the Financial Action Task Force.

  2. 02

    Some sectors carry particular risk, such as non-profit organisations (NPOs) and charities, which can be misused for terrorist financing, and online gaming; the risk-based approach spreads obligations according to exposure rather than uniformly.

  3. 03

    Firms assess and record their own exposure using governance tools such as a Business Risk Assessment and a Risk Register, and increasingly verify identity through Digital KYC, or electronic identity verification.

Where you would use this

USE CASE 01

A real-estate agency documenting how it checks the source of funds on high-value purchases as part of its AML obligations.

USE CASE 02

A firm building a Risk Register that rates its exposure by customer type, geography, product, and channel, and updating it when the business changes.

USE CASE 03

A trust and company service provider using Digital KYC to verify a client's identity electronically before acting for them.

Put the idea into a real situation

Illustrative example: A fictional law firm, Harborline Legal, handles property conveyancing. As a Designated Non-Financial Business and Profession, it completes a Business Risk Assessment and finds that overseas buyers paying through several accounts are its highest-risk scenario. It records this in a Risk Register, rates it high, and sets a control: enhanced source-of-funds checks and Digital KYC for those clients. When a routine sale later matches that profile, staff already know it needs a closer look, because the firm assessed and wrote down its own exposure in advance.

Evidence & review

REVIEWED 2026-07-13

Global AML framework for non-bank sectors. The exact list of covered businesses, thresholds, and supervisory duties varies by jurisdiction.

What this brief simplifies: Sector duties summarised; governance tools (BRA, Risk Register) and Digital KYC described at concept level.

Sources for this brief2
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · DNFBPs; risk-based approach; risk assessment

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Fraud & Compliance archive

AML transaction-monitoring typologies

Transaction monitoring watches for named laundering behaviours such as structuring, pass-through movement, round-tripping, and layering. This defensive article explains each pattern and how scenarios and thresholds surface it for review.

READ BRIEF

AML transaction monitoring

Anti-money-laundering transaction monitoring reviews many transactions over time for patterns that suggest financial crime, after they settle rather than in the payment path. Alerts that survive investigation become suspicious activity reports filed with the authorities.

READ BRIEF

Payment fraud typologies

Payment fraud typologies are recognised patterns of attack — authorized push payment fraud, account takeover, and money-mule networks. Knowing each pattern's signals helps a bank detect and prevent it and protect the customer, and stays firmly on the defensive side.

READ BRIEF