FATF warns of global gaps in controls against proliferation financing and sanctions evasion
Global financial oversight remains dangerously fragmented in the face of growing threats from proliferation financing (‘PF’) and sanctions evasion, the Financial Action Task Force has warned in a report, saying that outdated controls, unregulated technologies, and widespread non-compliance with international standards are allowing state and non-state actors to circumvent sanctions and finance weapons of mass destruction programmes.
The report, titled Complex Proliferation Financing and Sanctions Evasion Schemes, described a ‘high-risk’ environment in which countries have failed to implement the watchdog’s standards—particularly in the area of virtual assets and virtual asset service providers.
As of April 2024, three quarters of countries in the FATF Global Network were assessed as either non-compliant or only partially compliant with FATF’s requirements on virtual assets and VASPs. This lack of regulation has left the sector vulnerable to exploitation by proliferation networks, especially those affiliated with North Korea, Iran and Russia.
The DPRK remains the most significant proliferation financing threat globally, the FATF stated, citing Pyongyang’s extensive use of cyber heists, IT worker deployments, and shell companies to raise billions in hard currency. In one cited example, North Korea allegedly stole $1.5 billion in cryptocurrency from the ByBit exchange in February 2025.
The report details how PF actors use complex methods—including front companies, falsified shipping documents, altered vessel identities, and decentralised financial tools—to evade export controls and targeted financial sanctions. Maritime and shipping sectors, fintech infrastructure, and free trade zones have all been exploited, often through intermediaries operating in third countries.
Only 13% of FATF or FATF-Style Regional Body (‘FSRB’) countries were deemed fully compliant with Recommendation 7—the standard requiring implementation of UN-mandated sanctions against WMD proliferation—while 46% were found partially or non-compliant. Overall, just 16% of countries demonstrated high or substantial effectiveness in applying sanctions measures.
The FATF also emphasised that many jurisdictions have yet to perform adequate PF risk assessments, with some reporting no vulnerabilities at all. The report warned that such self-assessments often ignore real-world geopolitical and technological shifts. It said while the threat landscape has changed dramatically, national PF risk assessments have not kept pace.
Though the DPRK is the only country subject to UN-mandated PF sanctions, the FATF noted that many member states also identified Iran and the Russian Federation as significant threats due to their alleged involvement in such schemes.
Iran’s network of proxy groups—including Hezbollah—was linked to oil smuggling, weapons development, and global money laundering using gold traders and foreign exchange houses. Russia, meanwhile, was named in several case studies involving export control evasion, shell company networks, and a 2024 treaty with the DPRK establishing deeper banking ties and economic integration.
That treaty introduces new vulnerabilities into the international financial system, the report stated, noting the presence of more than 50 DPRK banking representatives abroad despite UN resolutions requiring their expulsion.
The FATF called for urgent reforms to address these vulnerabilities, including the regular updating of PF typologies and threat assessments to reflect evolving risks; enhanced public-private information sharing, particularly through suspicious activity and transaction reports; the inclusion of an official definition of WMD proliferation financing in the FATF General Glossary to close jurisdictional gaps; and a global horizontal review of PF risk assessments within three years to identify systemic weaknesses across countries.
The watchdog also warned that the termination of the UN Panel of Experts under Resolution 1718, which had monitored DPRK sanctions violations until it was disbanded by a Russian veto at the UN in March last year, severely hampers the global understanding of PF threats.
The report includes case studies from over a dozen jurisdictions, and concludes with a set of red-flag indicators aimed at helping financial institutions and regulators detect suspicious activity tied to PF networks.
Emails for comment to the diplomatic missions of Russia, Iran and North Korea in Paris or other European capitals did not receive an immediate response.
