The Permission Gap: Risk Acceptance in a Zero Tolerance World
- Elizabeth Travis

- 2 days ago

When the Financial Action Task Force (FATF) published its Guidance for a Risk-Based Approach for Money or Value Transfer Services, it included a statement of unusual candour. That statement should have reshaped how institutions and supervisors approach wire transfer compliance. The risk-based approach, the FATF stated, is ‘not a “zero failure” approach’; there will be occasions where an institution has taken reasonable anti-money laundering measures and is still exploited for illicit purposes. The concession was deliberate. It acknowledged that payment systems operating at scale will inevitably produce defects, and that the regulatory objective is not perfection but intelligent, proportionate risk management.
Yet that concession has not translated into supervisory practice. Across the UK, the EU and beyond, wire transfer regulation (WTR) enforcement increasingly treats any control failure as evidence of inadequate governance. It makes little distinction between wilful neglect, systemic design weakness and the structural limitations of high-volume payment processing. The result is a widening gap between what the risk-based approach permits in principle and what institutions feel permitted to accept in practice. This is the permission gap, and it is distorting compliance behaviour across the financial services sector.
The regulations demand proportionality, not perfection
The international framework for payment transparency is set by FATF Recommendation 16 and its Interpretive Note, revised at the Joint FATF-MONEYVAL Plenary in Strasbourg in June 2025. The standard requires that originator and beneficiary information accompany wire transfers so that law enforcement and competent authorities can reconstruct payment chains and identify illicit activity. It does not require flawless execution. It requires effective systems, demonstrable governance and proportionate responses to risk.
The revised Recommendation 16 expanded the scope from wire transfers to all payments and value transfers, aligned data requirements with ISO 20022 messaging standards and introduced beneficiary verification obligations. The accompanying assessment methodology, published as Annex IV in October 2025, confirmed that the FATF’s Fifth Round of mutual evaluations will test operational performance, not merely legal compliance. Evaluators will examine whether payment data is traceable, accurate and complete in practice. The standard is clear: systems must work, but perfection is not the benchmark.
The EU embedded the same principle in Regulation (EU) 2015/847, subsequently recast through Regulation (EU) 2023/1113 to extend the travel rule to crypto-asset service providers. The UK retained equivalent requirements under assimilated law following Brexit, implemented through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and subsequent amendments. Both regimes require payment service providers (PSPs) to establish effective risk-based procedures for determining when to execute, reject or suspend a transfer lacking required information. The operative word is ‘effective’, not ‘infallible’.
WTR obligations are absolute, but the controls around them must be risk-based
This is the structural tension at the heart of wire transfer compliance, and the reason it cannot be adequately managed within an enterprise-wide anti-money laundering (AML) risk assessment. AML obligations are inherently discretionary: firms apply customer due diligence measures proportionate to assessed risk. WTR obligations, by contrast, are absolute. A PSP must not execute a transfer without ensuring that required payer and payee information is present, regardless of whether the underlying transaction appears low risk. There is no suspicion threshold. The regulatory concern is with the integrity of the data itself.
Yet the controls that support those obligations must be designed, calibrated and monitored on a risk-based footing. Firms need to determine which transfers require real-time validation and which can be subject to post-event sampling. They need to define when a data defect warrants rejection, when it warrants a request for information, and when it can be remediated after crediting. They need to identify which correspondent relationships generate the highest volumes of incomplete data and whether those patterns reflect systemic weakness or isolated error.
These are not AML questions. They are WTR-specific questions that require WTR-specific risk identification, measurement and governance. When they are subsumed within a general financial crime risk assessment, they are invariably simplified, deprioritised or overlooked entirely.
Enforcement has narrowed the space for tolerated error
In recent years, supervisory focus has shifted decisively from control existence to control effectiveness. This is a welcome development in principle. Paper compliance has long been the enemy of genuine financial crime prevention. The difficulty arises when the standard of effectiveness is applied without acknowledging the structural constraints of high-volume payment processing.
Banks and PSPs process millions of messages daily across multiple formats, messaging standards and jurisdictions. Intermediary institutions remain dependent on upstream data quality they do not control. Legacy systems coexist with ISO 20022 migration programmes, increasing structural complexity rather than reducing it. Correspondent chains introduce data truncation that no amount of policy language can eliminate. Industry estimates suggest that a majority of cross-border payments still require some element of manual intervention. In this environment, defects are not aberrations; they are statistical certainties.
The Financial Conduct Authority (FCA) has repeatedly emphasised systems and controls effectiveness, data integrity and governance across its supervisory communications. Freedom of Information (FOI) data published by OpusDatum in October 2025 revealed that between 2020 and mid-2025, UK firms reported 265 cases of PSPs repeatedly failing to provide required originator and beneficiary information under the WTR. Those notifications covered 135 firms across more than 60 jurisdictions. The FCA could not demonstrate that a single enforcement action had followed. The supervisory silence left the market without a meaningful signal about where the threshold of acceptable failure lies. In the absence of that signal, firms default to treating every defect as unacceptable, because no one has told them otherwise.
Defensive compliance is not effective compliance
When institutions behave as though WTR compliance is binary, the consequences are predictable and counterproductive. Teams escalate everything. Payments are blocked excessively. Controls are designed to satisfy audits rather than intelligence objectives. Resources flow towards eliminating the appearance of risk rather than managing risk itself.
This is the hallmark of what might be called ‘perfection theatre’: compliance activity that optimises for defensibility rather than for financial crime prevention. It generates false positives that overwhelm investigators and dilute the quality of suspicious activity reporting. It diverts analytical attention from genuinely high-risk cross-border transfers towards administrative defects in low-value domestic payments where the financial crime risk is marginal. The cost of managing payment enquiries and exceptions routinely dwarfs the cost of processing the payments themselves. None of this serves the regulatory objective of traceability.
The FATF’s own Interpretive Note to Recommendation 16 requires institutions to have ‘effective risk-based policies and procedures for determining when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information’. The language presupposes that some transfers will lack required information. The regulatory expectation is not that this never happens, but that institutions respond to it with judgement. When firms instead adopt a posture of rejecting or escalating every defect regardless of context, they are not demonstrating compliance; they are demonstrating the absence of a risk-based approach.
Without a dedicated WTR risk assessment, risk acceptance cannot be governed
The permission gap persists because most firms have never formally assessed their WTR risk as a distinct category of exposure. Data truncation across correspondent chains, misapplication of threshold derogations, inconsistent treatment of batch file processing, and variations in national implementation of Recommendation 16: these are not AML risks. They are operational, technical and procedural risks specific to the mechanics of payment processing. They require their own risk identification, their own control design and their own governance reporting.
A dedicated WTR risk assessment enables firms to map end-to-end payment flows and identify where required information is most likely to be lost, truncated or corrupted. It enables them to measure inherent and residual risk by PSP role, distinguishing between payer, payee and intermediary obligations. It enables them to define explicit tolerances for data quality defects and to document the rationale for accepting residual risk where controls cannot eliminate it. Most importantly, it enables boards and senior management to demonstrate to regulators that WTR risk is understood, governed and reviewed with the same rigour as any other category of institutional exposure.
Without this foundation, risk acceptance is not a governance decision. It is an unspoken tolerance. And that is precisely the position that enforcement is designed to punish.
Proportionality must become more than a principle
Wire transfer regulations were designed to support financial intelligence, not to create an illusion of flawless processing. The risk-based approach was never meant to eliminate judgement. It was meant to demand it.
Banks and PSPs should be able to say, credibly and confidently, that certain risks in payment data quality remain despite robust controls. They should be able to demonstrate that those risks are understood, justified and mitigated to the extent reasonably possible. Regulators, in turn, should create an environment in which that honesty is rewarded rather than punished. Until this alignment is restored, firms will continue to optimise for defensibility rather than effectiveness. Risk acceptance will remain an unspoken reality rather than a governed decision. And wire transfer compliance will continue to absorb disproportionate resource without delivering commensurate financial intelligence value.
The permission gap is real. Closing it requires not weaker regulation but more honest compliance, and a willingness to assess, articulate and govern WTR risk as the distinct category of exposure it has always been.
Does your firm assess wire transfer risk as a standalone category, or is it still buried within a general AML framework?
In May 2025, OpusDatum published UK Wire Transfer Regulations: A Practical Risk Assessment Framework for PSPs, a comprehensive guide to designing and implementing a dedicated WTR risk assessment. The framework covers risk identification by PSP role, control design across real-time and post-event monitoring, governance reporting, and the management of repeatedly failing counterparties. It includes sample risk assessment templates, high-risk indicator matrices and an FCA notification template for repeatedly failing PSPs. We work with banks and PSPs to translate this framework into operationally realistic controls that evidence intelligent management of payment transparency risk.


