Learn more about the latest security and privacy threats
Back

FATF fraud roadmap: the UK presidency puts scams at the centre of global AML

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Published July 7, 2026 Reviewed by Charlene Wang
FATF fraud roadmap: the UK presidency puts scams at the centre of global AML

The FATF fraud roadmap for 2026 to 2028 launched under the new UK presidency, putting scams, information sharing and identity fraud at the top of AML work.

Table of contents

The FATF fraud roadmap for 2026 to 2028 launched on 1 July, the first day of the United Kingdom's two-year presidency of the Financial Action Task Force, putting scams and their money trails at the centre of global anti-money laundering work. It signals tougher expectations on fraud detection, identity checks and cross-border information sharing.

  • The FATF fraud roadmap launched on 1 July 2026, day one of Giles Thomson's UK presidency, and runs to 30 June 2028.
  • The FATF says fraud featured as a major proceeds-generating offence in nearly 90 percent of assessments in its last evaluation round.
  • The roadmap targets scam compounds, the criminal networks behind them, and the payment and virtual-asset rails they use.
  • A new Global Overview of public-private partnerships and data protection arrangements was approved to push faster information sharing.
  • At the same 17 to 19 June plenary, Iraq and Bosnia and Herzegovina joined the grey list; Algeria and Namibia left it.

What is the FATF fraud roadmap?

The FATF fraud roadmap is a two-year work programme, launched on 1 July 2026, that makes fraud a headline priority for the global standard-setter on money laundering and terrorist financing. It arrived on the first day of the United Kingdom's presidency, led by Giles Thomson, Director for Economic Crime and Sanctions at His Majesty's Treasury, whose term runs to 30 June 2028.

The FATF frames fraud as the fastest-growing source of illicit funds, "increasingly enabled by digital technologies such as artificial intelligence, virtual assets and online platforms." The organisation points to estimates that scams cost close to 500 billion dollars globally across 2024 and 2025. Incoming President Giles Thomson said the response must "match their pace with a united front across sectors and borders."

This is not binding law. The FATF sets the 40 Recommendations that roughly 200 jurisdictions translate into national rules, then grades them through mutual evaluations. A roadmap steers what those evaluations reward and where supervisors will look next, so it shapes examiner expectations long before any statute changes.

The FATF fraud roadmap: key factsDetail
Launch date1 July 2026
Presidency term1 July 2026 to 30 June 2028
PresidentGiles Thomson, HM Treasury (United Kingdom)
Headline statFraud a major proceeds offence in nearly 90 percent of recent assessments
Scale citedClose to 500 billion dollars in scam losses (FATF estimate), 2024 to 2025
Primary targetsScam compounds, transnational fraud networks, payment and virtual-asset rails

How will the FATF fraud roadmap work?

The FATF fraud roadmap works through workstreams rather than a single rule change. It commits the FATF to study the money trails around scam compounds, map the transnational organisations that run them, and update guidance on how the existing toolkit, asset freezing, transaction interdiction and intelligence sharing, applies to fraud proceeds. Practical outputs will land in stages across the two-year term.

Information sharing is the connective tissue. The June plenary approved a Global Overview of Public and Private Sector Partnerships and Data Protection Arrangements, meant to help countries build lawful channels for banks, payment firms and law enforcement to exchange fraud signals at speed. Thomson has said the FATF will convene a private sector consultative group to steer the work, building toward a "Global Response Against Fraud" event in spring 2027.

The roadmap sits alongside the plenary's other June decisions, which give a sense of direction. The FATF opened a consultation on payment transparency, a signal that Recommendation 16, the Travel Rule for wire transfers and virtual-asset transfers, remains under review. Read together, the message is that identity data must travel cleanly with a payment while fraud typologies get sharper supervisory attention.

June 2026 plenary at a glanceOutcome
Fraud roadmap 2026 to 2028Launched 1 July, UK presidency priority
Grey list additionsIraq, Bosnia and Herzegovina
Grey list removalsAlgeria, Namibia
Jurisdictions under increased monitoring22 in total
High-risk call-for-action listUnchanged: DPRK, Iran, Myanmar
Payment transparencyConsultation opened

What does the FATF fraud roadmap mean for your obligations?

The FATF fraud roadmap does not rewrite your rulebook overnight, but it reshapes what examiners expect you to evidence. Fraud is a predicate offence for money laundering, so proceeds of scams flowing through your accounts already trigger the same duties as any other dirty money. The roadmap raises the bar on how convincingly you detect and report them.

Concretely, four duties tighten, as the table below sets out.

DutyWhat the roadmap changes
Suspicious activity reportingMonitoring should catch mule accounts, authorised push payment fraud and rapid layering of victim funds. Suspicious Activity Reports or Suspicious Transaction Reports should name the fraud typology, not just flag a round number.
Customer due diligence and ongoing monitoringSynthetic and stolen identities are the entry point for scam networks, so onboarding checks and event-driven reviews carry more weight.
Travel Rule (Recommendation 16)Identity and originator data must accompany payments and virtual-asset transfers. The open consultation signals stricter data-quality expectations ahead.
Information sharingWhere lawful gateways exist, such as section 314(b) in the United States or domestic public-private partnerships, supervisors will increasingly expect firms to use them.

The through-line is evidence. Having a monitoring rule is not enough; you need to show it fires on fraud patterns and that your identity checks would stop a synthetic applicant. For a primer on how these controls interlock, see our explainer on the difference between KYC and AML.

What is still uncertain about the roadmap?

Plenty is unresolved, and the roadmap's own logic invites scrutiny. The central open question is whether collecting and sharing ever more identity data actually reduces fraud, or simply relocates the risk. Critics note that traditional finance already gathers vast identity and transaction data, yet fraud persists at scale, so more databases may not mean fewer victims.

The sharper risk is that compliance data becomes a liability. As a Forbes analysis of the roadmap warned, "data that appears to be compliance information to a regulator can appear to be a target list to a criminal." Every new sharing channel widens the attack surface. Identity honeypots assembled to verify customers are exactly what fraudsters want, because they hold the precise combination of attributes that makes impersonation convincing. The IDMerit leak of about one billion identity records in 2026 showed how fast that concentration turns into mass exposure.

Three further uncertainties matter for planning. Data protection tension: faster public-private sharing must square with the GDPR and equivalents, and the FATF's own data protection overview implicitly concedes the friction. Uneven implementation: a roadmap binds no one directly, so national uptake will vary and grey-list pressure does the enforcing unevenly. Cost and slippage: the private sector consultative group and the spring 2027 event mean concrete standards are quarters away, leaving firms to invest against expectations that are still forming.

Why do identity and data minimisation sit at the centre?

Identity is where most scams begin and where the roadmap's data risk concentrates. Fraud networks open accounts with synthetic or stolen identities, then move victim funds through mule chains, so stronger onboarding and cleaner originator data are the roadmap's practical demands. That pushes firms to hold more identity data, precisely the concentration that turns a breach into a catastrophe.

Data-minimising identity design answers both pressures at once. If a customer can prove who they are without every counterparty storing a full copy of their documents, the verification still happens but the honeypot does not form. Reusable, cryptographically verified credentials let a firm confirm a real, live person and a valid government document without warehousing raw images. That is the model the FATF's information-sharing goals and its data-protection caveats both point toward.

How should compliance teams respond?

Start with detection and evidence, not tooling. Re-tune transaction monitoring for fraud typologies, mule behaviour, authorised push payment patterns and fast layering, and make sure your reports name the typology. Pressure-test onboarding against synthetic identity, since that is the roadmap's stated entry point. Map which lawful information-sharing gateways you can use and document why you do or do not. Confirm your Travel Rule data quality ahead of any Recommendation 16 change, and brief the board that fraud is now a supervisory focus, not just a customer-service problem.

Then shrink the data you hold. Zyphe verifies identity through an NFC chip read to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, and issues a reusable KYC passport a customer can re-present elsewhere. Personal data is sharded across a distributed network with no central honeypot, so you meet rising identity expectations without building the target list the roadmap's critics warn about. See how it works or book a demo.

The bottom line

The FATF fraud roadmap tells compliance teams where the wind is blowing: fraud is now a first-order supervisory concern, and the fixes lean on identity data and cross-border sharing. That creates a real tension. The same identity data that strengthens fraud detection becomes a target when it pools in central stores. Teams that treat the roadmap as an identity problem, tightening onboarding while minimising the data they retain, will be ahead of both the fraudsters and the examiners when the concrete standards arrive.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

It is a two-year work programme the FATF launched on 1 July 2026, at the start of the United Kingdom's presidency, that makes fraud a headline priority. It commits the FATF to study scam compounds, the networks behind them, and how existing tools such as asset freezing and information sharing apply to fraud proceeds. Concrete guidance will follow across the term.

Giles Thomson, Director for Economic Crime and Sanctions at His Majesty's Treasury in the United Kingdom, began his two-year term as FATF President on 1 July 2026, running to 30 June 2028. The presidency sets the agenda for the intergovernmental body and steers priorities such as the fraud roadmap and payment transparency work.

No. The FATF sets standards, not statutes. It publishes the 40 Recommendations that jurisdictions turn into national law and grades them through mutual evaluations. A roadmap shapes what those evaluations reward and where supervisors focus, so it changes expectations and examiner scrutiny well before any specific rule is amended in your jurisdiction.

Fraud networks rely on synthetic and stolen identities, so the roadmap sharpens attention on customer due diligence, ongoing monitoring and the identity data that travels with payments under the Travel Rule. Expect examiners to test whether your onboarding would stop a fabricated applicant and whether monitoring catches mule accounts and rapid layering of victim funds.

At the 17 to 19 June 2026 plenary, the FATF added Iraq and Bosnia and Herzegovina to its list of jurisdictions under increased monitoring and removed Algeria and Namibia, leaving 22 countries on the grey list. The high-risk call-for-action list was unchanged, still naming North Korea, Iran and Myanmar.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo