FATF Rules on Terrorism Financing: What Recommendations 5–8 Mean for Your Compliance Program

FATF Rules on Terrorism Financing: What Recommendations 5–8 Mean for Your Compliance Program

If you work in compliance long enough, Financial Action Task Force (FATF) Recommendations start to feel like background noise. They are always there, usually in the footnotes, often behind whatever local rulebook your institution actually has to follow. But that is exactly why it matters. FATF Recommendations are the global standard for Anti Money Laundering (AML), Counter Terrorist Financing (CTF), and proliferation financing controls. FATF states that countries are expected to implement standards through national measures adapted, exemplified by measures such as the U.S. Bank Secrecy Act (BSA), the UK Money Laundering Regulations, the EU AML regime, and MAS Notice 626 in Singapore. Though based in different countries, these measures share the same underlying logic.

This matters for practical reasons, not just policy reasons. FATF evaluations assess countries on both technical compliance and effectiveness. These assessments result in the “grey list”, which is basically a list of jurisdictions placed under increased monitoring and face heightened scrutiny because of strategic deficiencies in their AML/CTF and proliferation financing controls. FATF’s June 2025 procedures make clear that evaluations test both whether the rules exist and whether they work. For institutions, these procedures can affect correspondent banking, cross border risk appetite, onboarding decisions, and supervisory pressure. If you understand FATF, you understand what regulators in almost any jurisdiction are trying to achieve. This article explains the following points about the FATF recommendations.

• Why FATF Recommendations Matter for Your Compliance Program
• The FATF Framework: How the 40 Recommendations Are Structured
• Recommendation 5: Criminalisation of Terrorist Financing
• Recommendation 6: Targeted Financial Sanctions Related to Terrorism
• Recommendation 7: Targeted Financial Sanctions Related to Proliferation
• Recommendation 8: Non-Profit Organisations
• Beyond 5–8: Other FATF Recommendations That Also Matter for CTF
• How FATF Assesses Your Country: Mutual Evaluations and What They Mean
• FATF Recommendations in Practice: A Compliance Checklist

Why FATF Recommendations Matter for Your Compliance Program

You can think of FATF as the plan that guides local law. National regulators write in their own style, and countries don't all follow the rules in the same way, but the structure is clear. FATF calls its Recommendations the "building blocks" of a good framework to stop money laundering, terrorist financing, and proliferation financing. It also makes it clear that the standards should not just be copied as a way to check off a box. Compliance teams need to know the difference between these two things. A program that only remembers local wording often doesn't get the point of the rules behind it. A program that knows how the FATF works usually adapts more quickly.

There is another reason to be concerned. According to FATF's July 2025 Comprehensive Update on Terrorist Financing Risks, terrorists still take advantage of the global financial system and change their methods depending on the situation. The report also says that 69% of the jurisdictions that were looked at had major or structural problems with effectively investigating, prosecuting, and convicting terrorist financing cases. That's not just a number for the police. It tells compliance officers that weak national implementation is still common and that companies that do business across borders can't count on things being the same.

So, the usefulness is clear. If you know what the FATF framework is, you know why your local rules are in place and what your country is ultimately being judged against. That is helpful whether you are writing a risk assessment, fine tuning a sanctions screening process, reviewing a Non-Profit Organization (NPO) customer, or explaining to higher ups why terrorist financing controls can't be seen as just a small part of regular money laundering work.

The FATF Framework: How the 40 Recommendations Are Structured

Instead of putting all 40 Recommendations into one chapter on terrorism, FATF puts them all into a broad framework. The Recommendations page and the full standards document show that they cover a lot of ground, including policies and coordination for AML/CTF, money laundering and confiscation, terrorist financing and proliferation financing, preventive measures, transparency and beneficial ownership, competent authorities and other institutional measures, and international cooperation. In other words, the rules about financing terrorism are not the only ones. They belong to a system.

Recommendations 5 to 8 make up the core of the terrorism financing prevention actions. FATF itself says that Recommendations 5, 6, and 8 are the only ones that deal with terrorist financing. Recommendation 5 is about making terrorist financing a crime, Recommendation 6 is about targeted financial sanctions related to terrorism and terrorist financing, and Recommendation 8 is about stopping NPOs from being used for illegal purposes. Recommendation 7, which is in the same group, is about targeted financial sanctions related to proliferation. It is next to the terrorist financing rules, not inside them in the strictest sense. That difference is important because a lot of companies combine Recommendations 6 and 7 in their operations, even though they deal with different types of risks.

There is also a historical footnote worth keeping in mind. The FATF made separate Special Recommendations on Terrorist Financing after 9/11. The 2012 revision combined those special recommendations into the 40 Recommendations. That's why older guidance, training decks, and even some internal policies still use the "Special Recommendations" numbering system. That language usually means that the material is based on the older post-2001 framework instead of the newer integrated one.

This article is mostly about 5 to 8 because they are the most direct standards for terrorism. But you never use them alone in real compliance work. Risk assessments, customer due diligence (CDD), politically exposed persons (PEPs), virtual assets, wire transfers, suspicious transaction reporting, and information sharing all affect how terrorist financing controls work in real life.

Recommendation 5: Criminalisation of Terrorist Financing

FATF's legal line is in Recommendation 5. Countries must make it a crime to fund terrorism on its own, as the 1999 UN International Convention for the Suppression of the Financing of Terrorism says they should. The crime must include anyone who gives or collects money knowing or intending that it will be used for terrorist acts, by a terrorist group, or by a single terrorist. FATF also makes it clear that the crime must include money from both legal and illegal sources, and that it should not matter if the money was used in a completed attack.

That last point makes a big difference for compliance teams. Terrorist financing is not just "money laundering with a terrorism angle." It is a crime in its own right with its own rules. To create exposure, a customer does not need to pay for a successful attack. The act that raises suspicion could be giving or getting money. The idea of "funds" is also very broad. FATF's rules use language that covers all kinds of assets, not just money in a bank account. That includes money, property, and digital property.

The meaning for your program is clear. You should look at terrorist financing indicators at the same time as money laundering indicators, not after them. When the jurisdiction gives you separate fields or types, filing logic should be able to tell the difference between the two. Financial Crimes Enforcement Network's (FinCEN) SAR framework in the US, for example, has a specific category for terrorist financing. In general, investigations should know that both direct and indirect provision count. Your customer doesn't have to give money to a terrorist in person. Recommendation 5 is meant to cover the risk pattern that can still be met by routing funds through middlemen, front organizations, or digital channels.

Recommendation 6: Targeted Financial Sanctions Related to Terrorism

Most compliance teams work with Recommendation 6 every day. It requires countries to put in place targeted financial sanctions that immediately freeze the money and other assets of people named by the United Nations Security Council (UNSC). This includes the 1267/1989/2253 ISIL (Da'esh) and Al Qaida regime and the 1988 Taliban regime, as well as domestic mechanisms that carry out UNSC Resolution 1373. The Recommendation includes freezing, banning the making available of funds or other assets, and ways to remove items from the list and unfreeze them when necessary.

This is the legal basis for screening for terrorism related sanctions. That's why institutions check against the UN Security Council's consolidated list and against national or regional lists like the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List), the EU's consolidated sanctions list, and the UK's counter terrorism asset freezing lists. The language of the FATF is important here. "Without delay" is not a passive phrase. It tells institutions to screen new designations and transaction activity in real time or almost real time, not just every once in a while after the fact. This is the perfect place to link to your batch screening article from within your own site, since batch only screening is often too slow for a sanctions environment that needs to freeze assets right away.

Another detail that companies sometimes don't pay enough attention to is that the Recommendation doesn't just apply to current balances. It also says that you can't give money or other assets to certain people. The duty is not only to "find and freeze what is already there," but also to "stop the next transaction from going out." "Other assets" is a broad term. Money, payment rights, and things that aren't cash can all be important. That's why a strong sanctions screening stack is more than just a way to punish people. This is a direct way to put Recommendation 6 into action. This is also the best place to send people to your real time screening product pages and your sanctions screening cluster pages.

Recommendation 7: Targeted Financial Sanctions Related to Proliferation

Recommendation 7 is next to the terrorism rules because the operational needs are the same, even though the topics are different. It requires countries to put in place targeted financial sanctions against the spread of weapons of mass destruction. This is specifically under UNSC Resolution 1718 for the Democratic People's Republic of Korea (DPRK) and UNSC Resolution 2231 for Iran. Like Recommendation 6, the obligation includes freezing funds and assets and making sure that designated people and groups can't get to those funds or assets.

What does this have to do with an article about funding terrorists? Most organizations don't have separate screening engines for terrorism and proliferation. They use the same basic screening system to meet both Recommendations 6 and 7. FATF's standards are also starting to see proliferation financing as part of the bigger picture of controlling financial crime. FATF changed Recommendation 1 in 2020 to say that countries and businesses in the private sector must also find, evaluate, understand, and lower the risks of proliferation financing. Recommendation 7 is not a terrorism rule in the strictest sense, but it is definitely part of the system that makes sure people follow the rules about terrorist financing.

The difference for your program is both conceptual and operational. In terms of ideas, Recommendation 6 is about sanctions against terrorism and Recommendation 7 is about sanctions against the spread of weapons. Both require screening, quick controls, and keeping people from getting money and other economic resources. That's why a lot of companies now look at them all at once in a single workflow, but still write down the legal basis separately. If you're making a content cluster around AML/CTF and sanctions screening, this is also the right bridge to an article about financing proliferation.

Recommendation 8: Non-Profit Organisations

In October 2023, Recommendation 8 was changed. This change is one of the most important recent changes to the CTF part of the FATF framework. FATF says that countries need to check to see if the laws and rules about NPOs that might be used to fund terrorism are good enough and take steps that are focused, fair, and based on risk. When FATF announced the change in November 2023, it said it was meant to fix the way Recommendation 8 had been misapplied and misinterpreted, which had caused some countries to put unfair restrictions on NPOs.

That language is important. The FATF is not telling organizations to treat all charities as high risk. In fact, it is telling you not to do that. The Recommendation is now even more clearly against derisking and debanking whole parts of the NPO sector. The FATF's best practices paper on stopping the abuse of NPOs under Recommendation 8 makes the same point. It is finding the small group of organizations that are really at risk and protecting legitimate NPO activity from unnecessary disruption.

This means that compliance teams should not be suspicious of all NPO clients at once. Some characteristics that make a group more likely to be involved in terrorism are working in conflict zones, receiving donations from outside the country, having unregistered or unincorporated structures, not being clear about their finances, or having ties to people or groups with extremist views. But most NPOs don't pose much of a risk of financing terrorism. That is a sentence worth repeating, because the operational urge is often to deal with uncertainty by limiting the whole group. FATF's new Recommendation 8 says that is not the right answer. The correct response is risk based enhanced due diligence when the circumstances warrant it, along with monitoring scenarios that identify NPO specific red flags. This is where you should naturally move on to an article about warning signs of terrorist financing in charities and non-profits.

Beyond 5–8: Other FATF Recommendations That Also Matter for CTF

5 to 8 are the main CFT specific recommendations, but no working program can stop there.

Recommendation 1 calls for a risk based approach. In other words, your risk assessment should focus on terrorist financing and not just money laundering with "and TF" added at the end. FATF says that understanding risk is the most important part of the standards.

Recommendations 10 to 12 deal with CDD, record keeping, and PEP related controls. They apply to both money laundering and terrorist financing risk. In CTF cases where state sponsors, sanctions sensitive jurisdictions, and abuse of office are involved, PEP exposure can be important.

Recommendation 15 talks about new technologies and, after the standard changed in 2019 and the guidance changed in 2021, it also talks about virtual assets and Virtual Asset Service Providers (VASPs). The FATF's 2025 targeted update says that implementation is still uneven and needs stronger action.

The wire transfer rule, which includes information about the sender and receiver, is Recommendation 16. In the world of virtual assets, it comes after the Travel Rule idea and is very important for checking payment parties in CTF workflows.

Recommendation 20 says that you have to report transactions that seem suspicious. In real life, this means that Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) procedures must include suspicions of financing terrorism, not just money laundering.

Recommendations 35 to 40 talk about sanctions, international agreements, mutual legal assistance, extradition, and working together more on a global scale. This part of the framework is more important than it gets credit for because terrorist financing control is by nature cross border.

How FATF Assesses Your Country: Mutual Evaluations and What They Mean

Mutual evaluations are where the theory turns into reality. The Financial Action Task Force (FATF) currently evaluates countries based on their technical compliance and effectiveness. When you talk about technical compliance, you're asking if the legal, regulatory, and institutional framework is there. Effectiveness is about whether the system really works in practice to get the results you want. This difference is important because a country can have great laws but bad results, or good results but technical problems that still need to be fixed.

The 2025 terrorist financing update shows why this is important for businesses. FATF found that 69% of the places it looked at had major or structural problems with investigating, prosecuting, and convicting people who were financing terrorism. If your area has been criticized in a mutual evaluation or is being watched more closely, local supervisors may pay more attention to how your institution deals with CTF risk. Also, if your correspondents or counterparties are in places with strategic weaknesses, your onboarding, monitoring, and enhanced due diligence expectations usually go up with them. The "grey list" from the FATF is more than just a country risk headline. It can directly lead to problems with compliance across borders.

This is where geographic risk scoring goes beyond just being a basic country field. A serious compliance program should include FATF evaluation results, increased monitoring status, and cross border exposure in its risk model. If you sell software, this is also the best place to say that your geographic risk scoring model takes FATF results into account. It's easy to defend the logic because FATF uses these evaluations to see if a jurisdiction's AML/CTF controls are both in place and working.

FATF Recommendations in Practice: A Compliance Checklist

Bookmark this page in case you need an example checklist to use in your work flow.

Is it against the law in your area to give money to terrorists?

Recommendation 5 says that it is, and your internal investigations and reports should show the difference between money laundering and terrorist financing.

Do you check against the UN, OFAC, EU, and UK lists of people who are terrorists?

Recommendation 6 is what made those controls necessary. Screening should be fast enough to include new designations so that freezing can happen "without delay."

Do you also check for sanctions against the DPRK and Iran for spreading weapons?

That is the area of Recommendation 7. It is next to CTF and is usually handled in the same screening system.

Do you check to see if NPO and charity clients are at risk of being used to fund terrorism?

Recommendation 8 calls for targeted and appropriate actions, not broad restrictions on the whole sector.

Do you do a risk assessment that is specific to financing terrorism?

Recommendation 1 calls for more than just a money laundering check with TF thrown in at the end.

Is transaction monitoring set up to look for TF patterns?

Terrorist financing often involves small amounts, legal sources, or normal looking movement, so the reporting logic for Recommendation 20 shouldn't just be set up for classic laundering behavior.

If your jurisdiction offers them, do your SAR or STR procedures include TF specific fields, typologies, or key terms?

Reports of suspicious activity should make it clear that they are about terrorist financing, not hide it in general stories about money laundering.

Does payment screening look at both the sender and the receiver's information?

Recommendation 16 is meant to make it possible to screen payment parties and wire transfers.

Are virtual assets and VASP customers part of your CTF controls?

Recommendation 15 says they should be. FATF's most recent updates keep pushing businesses and governments to fill in the gaps here.

Do employees know how to tell the difference between TF and ML indicators?

The FATF's broader framework relies on effective execution, encompassing training, escalation, and the quality of investigations, rather than merely the language of policy.

Recommendations 5 to 8 from the FATF are not vague international policy. They are the legal and operational reasons why most compliance teams already do things like sanctions screening, reporting suspicious activity, reviewing the risks of non-profit organizations, and risk based CTF assessment every day. Recommendation 5 says that financing terrorism is a crime in and of itself. Recommendation 6 explains why terrorism sanctions screening needs to work in real time. Recommendation 7 reminds you that the same screening stack usually has to pay for the spread of weapons too. Recommendation 8 says to keep the NPO sector safe without treating all of it like it's bad.

When you can see the framework clearly, local rules don't seem random anymore. It starts to look like it's being put into action. That makes it much easier to create a compliance program that is not only technically correct, but also really helpful.