Fraud & Compliance / Learning brief
AML Typologies Across Sectors: Beyond the Bank
Your notes
In simple terms / 01
What this means in plain language
Anti-money-laundering duties reach well beyond banks, into professions and sectors from law and real estate to casinos and charities. A risk-based approach spreads those duties and asks each firm to assess and document its own exposure.
It is easy to think of anti-money-laundering (AML) as a banking topic, but the obligations reach much further. The Financial Action Task Force asks countries to bring a set of non-bank businesses, known as Designated Non-Financial Businesses and Professions (DNFBPs), into the AML net, because criminals can misuse a lawyer, an accountant, or a property sale just as readily as a bank account. Other sectors, such as charities and online gaming, carry their own risks. The organising idea is the risk-based approach: rather than treating everyone the same, each firm identifies where its exposure lies, rates it, and documents the result. This guide explains who is covered and the tools firms use to assess themselves.
Complete lesson / 02
Understand the full idea, step by step
Buy a flat, hire a lawyer to hold the deposit, sit at a casino table, donate to a charity — none of these is a bank, yet each can be used to move or disguise value. That is why anti-money-laundering duties reach well beyond banking, into a surprising range of professions and sectors.
Designated Non-Financial Businesses and Professions (DNFBPs)
FATF asks countries to bring a set of non-bank businesses into the AML net — DNFBPs: lawyers, accountants, real-estate agents, trust and company service providers, casinos, and dealers in precious metals and stones. Each can be misused, wittingly or not, to move or layer value. Bringing them in closes doors that would otherwise sit wide open beside the well-guarded banking system.
Other risk sectors
Beyond the DNFBP list, some sectors carry their own attention. Non-profit organisations (NPOs) and charities can be misused to raise or move funds under a trusted cover, so many jurisdictions apply proportionate, risk-based measures to them for terrorist-financing risk — FATF Recommendation 8 cautions against treating non-profits as inherently high-risk. Online gaming and gambling, where value flows quickly and across borders, is another. The point is not that these sectors are guilty — it is that their features make certain abuses easier, so controls attend to them.
The risk-based approach
The reason duties spread unevenly is the risk-based approach: effort should follow exposure. Rather than identical checks everywhere, a firm concentrates resources where danger is greatest and applies lighter measures where it is low. This makes controls proportionate — but it also puts the burden on each firm to understand its own situation honestly and to justify, to a regulator, why it treats some relationships as higher risk than others.
Business Risk Assessment and Risk Register
To make the risk-based approach real, firms use governance tools that force the thinking onto paper. A Business Risk Assessment (BRA) steps back and asks where the whole firm is exposed — across customers, products, geographies, and channels. A Risk Register then lists those risks and rates each one, a living record that can be reviewed and challenged. Together they let a firm show not just that it is careful, but *why* it is careful in the particular way it is.
Digital KYC spreads the reach
Applying real customer checks across sectors far from banking is only practical because of Digital KYC — electronic identity verification that makes checks faster and more consistent. It lets a small law firm or a gaming operator run identity and screening steps that once needed a bank's back office. It does not replace judgement; it makes the routine parts repeatable so judgement can focus where it matters.
COMMON CONFUSION
“The risk-based approach means low-risk customers can be ignored entirely.”
It means proportionate effort, not zero effort. Even low-risk relationships carry baseline checks — identity, monitoring, the ability to notice change. Risk-based lets a firm do less where danger is genuinely low, but 'less' is never 'nothing', and the firm must be able to justify where it drew the line.
FOR NOW, REMEMBER
- AML duties reach beyond banks to DNFBPs — lawyers, accountants, real estate, casinos, dealers — plus risk sectors like NPOs and gaming.
- The risk-based approach directs effort toward exposure, and asks each firm to justify its choices.
- A Business Risk Assessment and Risk Register put that thinking onto paper.
- Digital KYC makes consistent checks practical across sectors — but does not replace judgement.
TRY IT YOURSELF
A small accountancy firm decides a client is low-risk and proposes doing no identity checks or monitoring at all. Does the risk-based approach permit this?
Firms do not work alone. Next: how authorities ask institutions to search their records for named subjects — and how banks respond without freezing anything.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
Designated Non-Financial Businesses and Professions (DNFBPs), including lawyers, accountants, real-estate agents, trust and company service providers, casinos, and dealers in precious metals and stones, are brought within AML obligations by the Financial Action Task Force.
- 02
Some sectors carry particular risk, such as non-profit organisations (NPOs) and charities, which can be misused for terrorist financing, and online gaming; the risk-based approach spreads obligations according to exposure rather than uniformly.
- 03
Firms assess and record their own exposure using governance tools such as a Business Risk Assessment and a Risk Register, and increasingly verify identity through Digital KYC, or electronic identity verification.
Practical use cases / 04
Where you would use this
A real-estate agency documenting how it checks the source of funds on high-value purchases as part of its AML obligations.
A firm building a Risk Register that rates its exposure by customer type, geography, product, and channel, and updating it when the business changes.
A trust and company service provider using Digital KYC to verify a client's identity electronically before acting for them.
Worked example / 05
Put the idea into a real situation
Illustrative example: A fictional law firm, Harborline Legal, handles property conveyancing. As a Designated Non-Financial Business and Profession, it completes a Business Risk Assessment and finds that overseas buyers paying through several accounts are its highest-risk scenario. It records this in a Risk Register, rates it high, and sets a control: enhanced source-of-funds checks and Digital KYC for those clients. When a routine sale later matches that profile, staff already know it needs a closer look, because the firm assessed and wrote down its own exposure in advance.
Evidence & review / 07
Evidence & review
Global AML framework for non-bank sectors. The exact list of covered businesses, thresholds, and supervisory duties varies by jurisdiction.
What this brief simplifies: Sector duties summarised; governance tools (BRA, Risk Register) and Digital KYC described at concept level.
Sources for this brief2
- Official requirement
The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation ↗ — Financial Action Task Force · DNFBPs; risk-based approach; risk assessment
Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.