From Compliance to Effectiveness: A Practical Cooperation Playbook for FIUs

On paper, Europe II performs strongly on Recommendation 40 (R.40 – International Cooperation). Egmont’s horizontal analysis shows that 87% of jurisdictions are Compliant or Largely Compliant, 13% are Partially Compliant, and none are non-compliant. At the same time, Immediate Outcome 2 (IO.2 – international cooperation), while generally better rated than IO.6, is still only “largely achieved”: 61% of jurisdictions have Substantial effectiveness, 35% Moderate, and 4% High; no jurisdiction is rated Low. The message is clear: • Legal frameworks for cooperation are mostly in place. • Operational performance is still uneven. Delays in responding to requests, limited spontaneous cooperation, dependence on other authorities for data and the absence of formalised feedback mechanisms continue to constrain effectiveness – even where R.40 looks green. This blog sets out a practical playbook for FIUs and policymakers who want to convert R.40 compliance into fast, proactive and outcome-oriented cooperation that lifts IO.2 ratings.

R.40 and IO.2: How They Fit Together

FATF Recommendation 40 sets the technical expectations for international cooperation:

comprehensive legal gateways for information exchange on ML/TF and predicate offences;
ability to cooperate regardless of an FIU’s institutional model;
secure channels and feedback;
broad scope of information that can be shared.

Immediate Outcome 2 tests whether that framework actually works in practice. Assessors look at how FIUs:

exchange information quickly, securely and constructively with foreign counterparts;
use secure platforms (e.g. Egmont Secure Web);
handle requests comprehensively and in a timely manner;
engage in spontaneous, not just reactive, cooperation;
support cross-border investigations and asset recovery with concrete case examples.

Put simply:

R.40 asks: “Can you cooperate?”
IO.2 asks: “Do you actually cooperate effectively – and fast?”

The Europe II analysis shows that many jurisdictions can answer the first question positively, but still struggle with the second.

Where R.40 Still Fails in Practice

Egmont’s typology of Partially Compliant R.40 jurisdictions highlights the operational weaknesses that matter most for IO.2.

Common deficiencies include:

Operational inefficiencies and delays in responding to requests – even where legal gateways exist.
Absence of formalised feedback mechanisms, leading to inconsistent cooperation and limited learning.
Restricted access to financial intermediary information where there is no STR, forcing FIUs to wait until a suspicion is formally reported.
Heavy reliance on other authorities for information gathering, which causes delays and uncertainty.

Egmont notes that these jurisdictions still benefit from adequate legal frameworks, Egmont membership and the principle of availability, but timeliness, access and efficiency are not where they need to be.

Even some Compliant and Largely Compliant systems display softer versions of the same issues: cooperation exists, but is too slow, too formal and insufficiently proactive to drive strong IO.2 ratings.

IO.2: What “Mostly Achieved” Still Misses

On the IO.2 side, the Europe II picture is encouraging but not perfect:

No jurisdiction is Low.
The majority are Substantial, with only minor or moderate improvements required to reach High.

However, for Moderate-effectiveness countries, Egmont lists recurring weaknesses that mirror the R.40 issues:

Delays in responding to foreign requests due to domestic data-collection bottlenecks and resource constraints.
Reactive rather than proactive cooperation, with low volumes of spontaneous disclosures.
Lack of explicit legal frameworks for FIUs to exchange information with non-counterparts (e.g. foreign supervisors or LEAs).
No clear prioritization mechanisms for handling incoming requests.
Absence of formalized feedback structures with foreign counterparts.

In short, IO.2 weaknesses are rarely about legal impossibility; they are about speed, proactivity, governance and process design.

What High-Performing Cooperation Actually Looks Like

Egmont’s description of Substantial and High IO.2 systems provides a useful blueprint. These FIUs typically combine:

Robust legal frameworks enabling broad information exchange on ML, TF and predicate offences, regardless of FIU model.
Active membership in the Egmont Group, using Egmont Secure Web and other secure channels for routine cooperation.
No legislative or practical impediments to timely responses; case examples show quick turn-around.
Frequent spontaneous disclosures, guided by operational and strategic analysis, not just incoming requests.
Internal triage and prioritization systems to manage fluctuating request volumes while protecting urgent investigations.
Strengthening of internal data-management and analysis capabilities, including tools and organizational changes that reduce dependence on external authorities.

In Compliant R.40 jurisdictions specifically, FIUs can:

exchange a broad range of financial intelligence data without restrictions;
provide feedback without legal obstacles;
operate with strong legal foundations and efficient processes.

These are the characteristics IO.2 assessors look for when differentiating between “Moderate”, “Substantial” and “High”.

A Cooperation Playbook: From Passive to Proactive

Translating Egmont’s recommendations into a practical agenda, FIUs and policy leads can focus on five levers.

Expand FIU authority to act on behalf of foreign counterparts

Egmont recommends that Partially Compliant jurisdictions enable FIUs to request information directly from financial intermediaries on behalf of foreign counterparts, even when no STR exists.

In practice, that means:

Amending laws and regulations to remove any requirement for a domestic STR or domestic investigation before information can be obtained for a foreign FIU.
Clarifying, in guidance, the conditions and safeguards under which this can occur (e.g. documented foreign request, proportionality, logging).

This change alone can significantly reduce delays and dependence on other authorities, especially in complex, cross-border cases.

Industrialize timeliness: triage, SLAs and KPIs

For IO.2, timeliness is as important as content. Jurisdictions should:

Introduce service-level targets (e.g. 30 days for standard requests, accelerated timelines for urgent asset-freeze cases).
Implement triage mechanisms in FIU case-management tools to prioritise requests based on urgency, risk, and potential asset value.
Track KPIs on response times and report them to senior management and national coordination bodies.

This makes timeliness visible and manageable, rather than a vague aspiration.

Make spontaneous cooperation the default, not the exception

Egmont clearly associates high IO.2 performance with proactive, spontaneous cooperation, not just answering incoming requests.

FIUs can operationalize this by:

Embedding triggers for spontaneous dissemination into operational and strategic analysis (e.g. cross-border PEPs, high-risk corridors, typologies involving multiple jurisdictions).
Using secure channels (Egmont Secure Web, FIU-to-FIU platforms) to send concise, targeted packages of intelligence.
Documenting examples where spontaneous cooperation led to asset freezes or investigations, to evidence IO.2 impact in Mutual Evaluations.

Reduce structural dependence on other authorities

Egmont flags reliance on other domestic authorities for information gathering as a key drag on R.40 performance, causing delays and uncertainty.

Mitigations include:

Granting FIUs more direct access to domestic databases (banking, company registers, tax, customs, law-enforcement) wherever possible.
Streamlining internal workflows so that, where other authorities remain involved, their role is governed by clear timelines and escalation paths.
Using MOUs to clarify expectations around urgent foreign requests and asset-freeze cases.

The goal is an operating model where the FIU can move quickly without waiting for multiple administrative layers.

Formalize feedback loops with foreign FIUs

Lack of formal feedback mechanisms appears repeatedly in the R.40 analysis.

Practical steps:

Develop a standard feedback template that foreign FIUs can use to comment on timeliness, completeness and usefulness of responses.
Build feedback collection into FIU platforms, so it is captured alongside each case.
Use feedback data to refine internal processes and demonstrate continuous improvement in follow-up IO.2 assessments.

This turns bilateral relationships into a systematic learning channel.

Technology’s Role: From Email Chains to Cooperation Platforms

Egmont’s broader conclusion stresses that many challenges are systemic – including “MOU or formal request dependence in international cooperation”, which slows interaction when proactive or spontaneous exchange is needed.

From a technology standpoint, FIUs can:

Move from fragmented email-driven processes to integrated FIU case-management platforms (such as FIU360-type architectures) that:
- register incoming and outgoing requests;
- support triage, deadlines and reminders;
- link cooperation cases to underlying STRs and domestic investigations;
- integrate secure communication channels directly into workflows.
Use these platforms to generate cooperation dashboards with IO.2-relevant metrics: number of requests received and sent, response times, spontaneous vs reactive cases, asset-freeze outcomes.

For IntelliSYS and FIU360, this is a natural positioning point: helping FIUs operationalize R.40 and IO.2 requirements in a single architecture, rather than layering manual practices on top of basic messaging tools.

Conclusion:

Egmont’s Europe II horizontal analysis shows that most jurisdictions are technically compliant with Recommendation 40 and achieve at least Moderate IO.2 effectiveness. However, delays, restricted access, limited spontaneous cooperation and weak feedback mechanisms continue to constrain real-world performance. High-performing FIUs expand their authority, industrialize timeliness, reduce reliance on other authorities, normalize spontaneous exchanges and digitize cooperation workflows—turning legal compliance into fast, proactive and results-driven international cooperation.