The FATF Fraud Roadmap 2026 to 2028: What It Means for Your AML Programme
Reading time: ~12 minutes · For AML, fraud, sanctions and FIU professionals
I have sat in enough compliance committee meetings to know how fraud usually gets talked about. It is a customer service problem. It is a cyber security problem. It is something the fraud team owns, and AML gets involved once the money has already moved somewhere interesting. That framing just became a lot harder to defend.
On 1 July 2026, the Financial Action Task Force launched a two-year fraud roadmap, and it lands on the desk of every AML, sanctions and financial crime professional whether their job title has the word “fraud” in it or not. If you work in a regulated firm anywhere in the roughly 200 jurisdictions that FATF’s standards reach, this is worth twenty minutes of your time now, before your MLRO asks you what it means.
What is the FATF fraud roadmap?
The FATF fraud roadmap is a two-year work programme that runs from 1 July 2026 to 30 June 2028. It was launched on day one of the United Kingdom’s presidency of FATF, led by Giles Thomson, Director for Economic Crime and Sanctions at HM Treasury.
It helps to be clear about what FATF actually is, because the roadmap only makes sense in that context. FATF does not write national law. It sets 40 Recommendations that member jurisdictions transpose into their own AML and counter-terrorist financing regimes, and it then grades those jurisdictions through a mutual evaluation process. A roadmap like this one does not create new binding rules on day one. What it does is tell every supervisor, examiner and mutual evaluation team where FATF wants scrutiny to fall over the next two years. In practice, that shapes what gets tested, what gets marked down, and what shows up in your next exam long before any Recommendation is formally rewritten.
The reason fraud earned its own roadmap is straightforward. FATF’s most recent round of assessments found that fraud featured as a major proceeds generating offence in nearly 90 percent of jurisdictions reviewed. FATF has also stated that global scam losses came close to 500 billion dollars across 2024 and 2025 alone, and it now describes fraud as the fastest growing source of illicit funds, driven by how easily digital platforms, instant payments and virtual assets let criminals scale.
Put those two numbers together and the logic is hard to argue with. If fraud proceeds are showing up in nine out of ten assessments and the money involved is approaching half a trillion dollars a year, treating fraud as somebody else’s problem was never going to hold.
Three things the roadmap actually targets
FATF has been specific about where it wants attention focused, and it comes down to three targets.
The first is scam compounds, the physical and organisational infrastructure behind large scale fraud operations. These are not lone actors. They are industrial scale criminal enterprises, and FATF wants a clearer picture of the money trails that connect them to the financial system.
The second is transnational fraud networks, the organisations running scams across borders rather than within a single jurisdiction. Cross border fraud is harder to prosecute and harder to trace, which is exactly why it has flourished.
The third is payment and virtual asset rails, the channels that actually move and launder the proceeds once a victim has sent the money. This is the part that lands most directly on regulated firms, because it is where your transaction monitoring, your onboarding and your Travel Rule compliance all sit.
The workstreams behind the roadmap
A roadmap is not much use without concrete actions attached to it, and FATF has set out several.
FATF committed to studying the money trails around scam compounds and mapping the transnational criminal organisations that run them, work that feeds directly into future guidance rather than sitting as a one off report. It is also updating guidance on how existing tools, asset freezing, transaction interdiction and intelligence sharing, apply specifically to fraud proceeds, since much of the current toolkit was designed with other predicate offences in mind.
Information sharing sits at the centre of the plan. FATF approved a Global Overview of Public and Private Sector Partnerships and Data Protection Arrangements, intended to give banks, payment firms and law enforcement a clearer lawful basis for exchanging fraud signals quickly. Alongside that, FATF is convening a private sector consultative group to help steer the work, building toward a Global Response Against Fraud event planned for spring 2027.
FATF also opened a consultation on payment transparency, which keeps Recommendation 16, the Travel Rule governing identity data that must accompany wire transfers and virtual asset transfers, firmly under review. None of this is a single rule change. It is a two-year sequence of studies, guidance updates and consultations, each one narrowing the gap between what firms currently do and what FATF wants them to be able to prove.
Four duties that are tightening
This is the part that matters most if you sit in a compliance, financial crime or FIU role, because the roadmap translates into four specific areas where expectations are rising.
Suspicious activity reporting. Monitoring needs to catch mule accounts, authorised push payment fraud and rapid layering of victim funds, and the reports themselves need to name the fraud typology rather than simply flag a transaction as unusual. A SAR that says “large round sum transfer” carries a lot less weight with a supervisor than one that says “pattern consistent with mule account layering.”
Customer due diligence and ongoing monitoring. Synthetic and stolen identities are the entry point for most fraud networks, so onboarding checks and event driven reviews carry more scrutiny. If your CDD process would not catch a well constructed synthetic identity today, that is now a gap examiners are actively looking for.
The Travel Rule. Recommendation 16 already requires identity and originator data to travel with payments and virtual asset transfers. The open consultation signals that data quality expectations are getting stricter, not looser, so this is a good moment to audit what you actually capture versus what you are supposed to capture.
Information sharing. Where lawful gateways already exist, whether that is a domestic public-private partnership or a mechanism like section 314(b) in the United States, FATF’s direction of travel is that using them moves from optional good practice toward an expected part of a mature fraud programme.
None of these four are entirely new obligations. What is new is the level of evidence FATF expects firms to produce that they are meeting them well, not just that a policy document exists somewhere.
What this means depends on what kind of firm you are
The roadmap talks about “payment and virtual asset rails” as a single target, but the practical impact is not the same for every type of firm sitting on those rails.
Retail banks are likely to feel this first through authorised push payment fraud and mule account activity. If your fraud team and your AML team still run on separate systems with separate alert queues, this is the roadmap FATF is effectively asking you to use as the business case for merging that view. A mule account rarely trips a single dramatic alert. It trips a series of smaller, unremarkable ones across account opening, first deposit and rapid onward transfer, and only looks obviously wrong when someone looks at the whole pattern rather than any one event.
Payment firms and money service businesses sit closer to the Travel Rule pressure. Recommendation 16 already requires originator and beneficiary information to travel with a transfer, and the open consultation on payment transparency is a strong signal that data completeness and accuracy will get more scrutiny, not less. If your originator data has gaps today because a counterparty firm sends incomplete fields and you have never pushed back, this is the moment to start.
Virtual asset service providers arguably carry the sharpest end of this. Crypto rails move faster than traditional payment rails, cross border by default, and have historically had weaker identity verification at the point of onboarding than most banks. FATF’s focus on scam compounds and transnational networks assumes those networks are moving value through exactly these channels, which means VASPs should expect their Travel Rule implementation and their transaction monitoring to be an early test case for how seriously the roadmap gets enforced.
If you sit across more than one of these categories, and plenty of firms now do, the honest move is to map your exposure against all three rather than assuming the roadmap is really about somebody else’s business line.
The June 2026 plenary, for context
The fraud roadmap did not launch in isolation. It came out of FATF’s June 2026 plenary, which also updated the list of jurisdictions under increased monitoring, commonly known as the grey list. Iraq and Bosnia and Herzegovina were added, while Algeria and Namibia were removed, bringing the total under increased monitoring to 22 jurisdictions. The high-risk call for action list, which currently covers North Korea, Iran and Myanmar, was unchanged.
I mention this because it is a useful reminder of how FATF operates. Grey list movements get attention because they carry immediate correspondent banking and de-risking consequences. The fraud roadmap is quieter, but it will shape supervisory priorities for two full years, which arguably makes it the more consequential outcome of the two for most compliance functions.
Source: FATF, the global standard-setter for anti-money laundering and counter-terrorist financing.
What is still genuinely uncertain
I do not think it is useful to present this roadmap as a finished set of instructions, because it is not one, and pretending otherwise does not help anyone prepare properly.
The biggest open question is whether collecting and sharing more identity data actually reduces fraud, or whether it just relocates the risk. The financial system already holds enormous volumes of identity and transaction data, and fraud still runs at record levels, so it is a fair challenge to ask whether more centralised data solves the problem or creates a different one. Every new identity database is also a more attractive target, and the roadmap does not fully resolve the tension between wanting firms to hold more verification data and wanting that data to stay secure.
There are practical uncertainties too. A roadmap is not binding law, so adoption will vary significantly by jurisdiction, and grey list pressure will do most of the enforcing rather than a uniform legal requirement. The concrete standards that come out of this work, including anything that changes Recommendation 16 in practice, are still quarters away, which means firms are being asked to invest and prepare against expectations that have not fully crystallised yet.
How compliance teams should actually respond
Given all of that, here is where I would put the effort if I were running a financial crime programme right now.
Start with detection rather than tooling. Re-tune transaction monitoring specifically for fraud typologies, mule account behaviour and rapid layering patterns, and make sure your SAR narratives name the typology clearly rather than describing the transaction in generic terms. This is the single fastest way to show an examiner that your programme has actually absorbed the roadmap’s priorities.
Pressure test your onboarding against synthetic identity scenarios specifically, since that is the stated entry point FATF keeps coming back to. If your CDD team has not run a deliberate synthetic identity test in the last year, that is a reasonable place to start.
Map every lawful information sharing gateway available to you, whether that is a domestic public-private partnership, a specific statutory mechanism, or an industry body arrangement, and document clearly why you participate in the ones you use and why you do not participate in the ones you have chosen to skip. Supervisors are increasingly likely to ask that second question directly.
Audit your Travel Rule data quality now, ahead of any formal change to how Recommendation 16 is applied. Firms that wait for the rule to change before checking what data they actually capture tend to discover the gap at the worst possible moment, mid examination.
And brief your board or senior management properly. Fraud needs to be framed as a first order supervisory priority now, not as a customer experience issue that occasionally intersects with compliance.
The bottom line
The FATF fraud roadmap does not rewrite the rulebook overnight, and anyone telling you it does is overselling it. What it does is tell you clearly where FATF wants supervisory attention to go for the next two years, and the direction is unambiguous. Fraud proceeds are money laundering proceeds, the roadmap treats them that way explicitly, and the four areas it highlights, suspicious activity reporting, customer due diligence, the Travel Rule and information sharing, are exactly the areas your next mutual evaluation or supervisory review is likely to probe.
Firms that start tightening these now, while the detailed standards are still forming, will be in a considerably stronger position than those that wait for a final text that may not arrive for another year or more.
Frequently asked questions
What is the FATF fraud roadmap 2026 to 2028? It is a two-year work programme launched by FATF on 1 July 2026, under the UK’s presidency, that makes fraud a first order priority for AML and counter-terrorist financing supervision across the roughly 200 jurisdictions that follow FATF standards.
Who leads the FATF fraud roadmap? Giles Thomson, Director for Economic Crime and Sanctions at HM Treasury, leads the roadmap as part of the United Kingdom’s presidency of FATF, which runs from 1 July 2026 to 30 June 2028.
Is the FATF fraud roadmap legally binding? No. FATF sets recommendations and standards that jurisdictions adopt into their own national law and that FATF then grades through mutual evaluations. The roadmap shapes what those evaluations will focus on, but it does not itself create new binding obligations.
How does the roadmap affect customer due diligence? It raises the bar on detecting synthetic and stolen identities at onboarding and during ongoing monitoring, since these are the primary entry point fraud networks use to open and control mule accounts.
Does the roadmap change the Travel Rule? FATF opened a consultation on payment transparency alongside the roadmap, which keeps Recommendation 16 under active review. Firms should expect stricter data quality expectations for originator and identity data attached to payments and virtual asset transfers.
This article is for general information only and does not constitute legal or regulatory advice. Firms should assess their own obligations with qualified counsel. Source: Financial Action Task Force, FATF Roadmap 2026 to 2028: Fraud.