How Combating the Financing of Terrorism (CFT) Works
CFT is a multi-layered compliance discipline that interrupts terrorists' ability to raise, store, move, and deploy funds at every stage of the financial lifecycle. Regulators expect payment businesses to implement controls that detect and disrupt terrorist financing both at onboarding and throughout the ongoing relationship with customers. The framework draws on intelligence from government agencies, real-time watchlists, and behavioural analytics to identify risk that is often invisible to conventional fraud tools.
Customer Identification and Due Diligence
Every customer — individual or business — must be identified and verified before a payment relationship begins. Know Your Customer procedures collect identity documents, beneficial ownership data, and business purpose. Enhanced due diligence applies to high-risk profiles such as politically exposed persons, customers in FATF-blacklisted jurisdictions, and businesses in sectors with elevated terrorist financing exposure such as non-profit organisations and arms-related trade.
Sanctions Screening
Names, entities, and jurisdictions are screened in real time against consolidated watchlists including the UN Consolidated List, OFAC SDN List, EU Consolidated List, and national domestic lists. Sanctions screening must occur at onboarding, at every transaction, and whenever a watchlist is updated. Fuzzy-matching algorithms handle transliterations and name variations that exact-match systems miss — a critical capability given that terrorist operatives routinely use aliases.
Transaction Monitoring
Once a relationship is active, every transaction is monitored for patterns associated with terrorist financing typologies. Unlike money laundering, terrorist financing transactions tend to be small and frequent — deliberately designed to stay below reporting thresholds. Rules-based monitoring is supplemented by machine-learning models and network-graph analysis to surface structuring behaviour, rapid fund aggregation from multiple sources, and rapid dispersal to high-risk recipients.
Suspicious Activity Reporting
When monitoring surfaces a credible concern, the business must file a Suspicious Activity Report (SAR) with the national Financial Intelligence Unit (FIU) — FinCEN in the US, the NCA in the UK. Reports must be filed promptly (within 30 days under the US Bank Secrecy Act) and without tipping off the subject. SAR data feeds into national and international intelligence networks that inform enforcement actions.
Record-Keeping and Regulatory Reporting
Compliance records — KYC files, transaction data, SAR filings, screening logs — must be retained for a minimum period (typically five years in most FATF-aligned jurisdictions). Regulators conducting examinations and law enforcement executing production orders rely on these records. Gaps in record-keeping are themselves a regulatory infraction, independent of whether any underlying terrorist financing occurred.
Governance, Training, and Audit
CFT controls require a documented compliance programme with a designated Money Laundering Reporting Officer (MLRO) or equivalent, regular staff training, independent internal audit of control effectiveness, and board-level accountability. Regulators assess not just whether controls exist but whether they are genuinely embedded in business operations — a "paper programme" with no evidence of operational use is treated as a failure.
Why Combating the Financing of Terrorism (CFT) Matters
The scale of terrorist financing flows and the cost of regulatory failures both justify the compliance investment payment businesses must make. CFT is not a peripheral obligation — it is a licence-to-operate requirement with existential consequences for non-compliance.
The FATF estimates that terrorist organisations require between $1 million and $50 million annually to sustain operations, with much of this moved through the regulated financial system using techniques designed to blend in with legitimate commerce. The 2021 FinCEN Files investigation revealed that major global banks processed over $2 trillion in suspicious transactions over nearly two decades, including funds linked to terrorism — demonstrating the systemic gaps that regulators are now closing through enhanced examination and record-breaking penalties.
Enforcement has intensified sharply since FATF's fourth-round mutual evaluations began scrutinising not just laws-on-paper but real-world effectiveness. Between 2015 and 2023, global AML/CFT fines exceeded $55 billion across the banking and payments industry, with individual institution penalties reaching as high as $1.9 billion in a single action. For payment service providers specifically, the Financial Action Task Force updated Recommendation 16 on wire transfers — the "Travel Rule" — to include crypto asset transfers, expanding CFT obligations to cover blockchain-native payment flows that previously sat in a regulatory grey zone.
Regulatory Scope Expansion
As of 2024, FATF's Recommendation 15 requires all jurisdictions to regulate Virtual Asset Service Providers (VASPs) under AML/CFT frameworks equivalent to those applied to traditional payment institutions. Any payment platform accepting crypto must apply full CFT controls to those rails.
Combating the Financing of Terrorism (CFT) vs. Anti-Money Laundering (AML)
CFT and anti-money laundering share infrastructure but address fundamentally different threat vectors. Understanding the distinction prevents compliance programmes from treating them as interchangeable and missing risks specific to each.
| Dimension | CFT | AML |
|---|---|---|
| Primary concern | Funds used to commit violence | Proceeds of crime integrated into legitimate economy |
| Fund origin | Legal or illegal sources | Typically illegal (crime proceeds) |
| Fund volume | Often small, fragmented amounts | Typically large, complex layering |
| Key typologies | Crowdfunding, hawala, cash couriers, crypto micropayments | Shell companies, real estate, trade-based laundering |
| Detection signal | Fund destination, network analysis | Fund origin, layering patterns |
| Primary reporting | Suspicious Activity Reports to FIU | Suspicious Activity Reports + Currency Transaction Reports |
| International framework | FATF Special Recommendations | FATF 40 Recommendations |
| Typical penalty trigger | Watchlist screening failure, SAR non-filing | KYC gaps, structuring facilitation |
In practice, most regulators issue combined AML/CFT programmes and expect a single integrated compliance function. However, CFT risk assessments must explicitly address terrorist financing typologies, not merely rely on an AML risk model as a proxy.
Types of Combating the Financing of Terrorism (CFT) Controls
CFT controls fall into several categories depending on the mechanism by which they interrupt terrorist financing. A mature programme deploys all categories in combination.
Preventive controls stop terrorist-linked actors from entering the financial system. These include sanctions screening, PEP screening, and enhanced due diligence at onboarding. They are the first line of defence but must be continuously updated as watchlists evolve.
Detective controls surface suspicious activity after a relationship is established. Transaction monitoring, behavioural analytics, and network-graph analysis all sit here. Detective controls are critical because terrorists frequently use accounts established under legitimate identities.
Intelligence-led controls incorporate classified and open-source threat intelligence — terrorist typology reports from FATF, Egmont Group FIU advisories, and national security agency guidance — to tune monitoring rules and risk assessments to current threat vectors rather than historical patterns.
International cooperation controls include the legal and operational frameworks — mutual legal assistance treaties (MLATs), FATF mutual evaluations, Egmont Group information sharing — that allow CFT intelligence to flow across borders. Terrorist financing is inherently cross-border; no single jurisdiction's controls are sufficient in isolation.
Technology and crypto-specific controls address the growing use of virtual assets, crowdfunding platforms, and peer-to-peer payment apps by terrorist groups. These require Travel Rule compliance for crypto transfers, enhanced monitoring of non-custodial wallet interactions, and DeFi platform risk assessments.
Best Practices
For Merchants
Ecommerce merchants are a meaningful terrorist financing risk surface — high volumes of small transactions, anonymous-seeming digital payments, and access to cross-border flows make merchant accounts attractive to illicit actors.
- Implement risk-based customer segmentation at checkout for high-risk product categories (prepaid cards, gift cards, digital goods, donation platforms) and apply enhanced monitoring to accounts showing structuring behaviour below reporting thresholds.
- Maintain a documented CFT risk assessment that specifically addresses your product vertical, customer geography, and payment methods accepted. Regulators and acquiring banks increasingly require this at onboarding.
- Ensure your payment service provider and acquiring bank have current sanctions screening lists active at transaction time — do not assume upstream screening makes your own obligations redundant.
- Train customer service and fraud teams to recognise CFT red flags: repeated small donations to unverified non-profits, purchases of prepaid instruments in bulk, and account takeovers rapidly redirecting funds to overseas accounts.
For Developers
CFT controls must be engineered into payment systems, not bolted on after launch. Compliance failures frequently trace to gaps in how systems are built rather than gaps in policy documents.
- Integrate real-time sanctions API screening (OFAC, UN, EU consolidated lists) at every transaction submission point, not just account creation. Watchlists update daily — a customer who was clean at onboarding may appear on a list tomorrow.
- Build SAR workflow tooling that allows compliance teams to flag, document, and submit reports within regulatory deadlines without manual data extraction. Late filings carry the same penalties as non-filings.
- Implement immutable audit logs for all screening decisions — including the watchlist version used, the match score, and the analyst decision. Regulators routinely request these during examinations.
- Design transaction monitoring rule engines to support tunable thresholds so compliance teams can adjust structuring detection parameters as FATF typology reports identify new terrorist financing amounts and methods.
- For platforms supporting crypto payments, implement Travel Rule data fields (VASP originator and beneficiary identity) in your transaction schema before you need them — retrofitting is expensive and creates compliance gaps during migration.
Common Mistakes
Treating CFT as identical to AML. Many compliance programmes inherit AML risk models and apply them unchanged to CFT. This misses terrorist financing typologies — small amounts, legitimate fund sources, non-profit abuse — that AML models are not calibrated to detect. CFT requires its own risk assessment and dedicated monitoring rules.
Static sanctions screening. Screening customers only at onboarding creates a dangerous gap. OFAC, the UN, and EU update their lists multiple times per week. A customer who was clear at signup may be designated tomorrow. Screening must run at every transaction and on every watchlist update against the full active customer base.
Ignoring the non-profit sector. FATF identifies non-profit organisations as one of the highest-risk sectors for terrorist financing abuse. Payment platforms processing donations for charities and crowdfunding campaigns must apply enhanced due diligence to these flows, yet many treat charity payments as lower risk than commercial transactions — the opposite of regulatory expectation.
Failing to document CFT risk assessments. A CFT control programme without a documented, board-approved risk assessment is viewed by regulators as having no programme at all. The risk assessment is the foundation that justifies every subsequent control decision. Its absence is an automatic finding in regulatory examinations.
Underestimating crypto exposure. Payment platforms that touch crypto rails — even indirectly through stablecoin settlement or crypto-to-fiat conversion — face full CFT obligations under FATF Recommendation 15. Assuming that a third-party VASP partner absorbs all CFT liability is a compliance gap that enforcement actions are increasingly targeting.
Combating the Financing of Terrorism (CFT) and Tagada
Payment orchestration platforms like Tagada sit at the intersection of multiple acquiring banks, payment methods, and merchant segments — making CFT risk management a platform-level concern, not just a merchant-level one.
How Tagada Supports CFT Compliance
Tagada's orchestration layer routes transactions across acquirers while maintaining a unified transaction record — the single source of truth that CFT audit trails require. Merchants can implement consistent sanctions screening and transaction monitoring policies across all payment rails through a single integration, avoiding the fragmented compliance posture that emerges when each acquirer connection is managed separately. This is especially valuable for merchants expanding into new markets where local CFT screening requirements differ from their home jurisdiction.