On 19 June 2020, the European Commission updated the list of high-risk third countries in respect of anti-money laundering and counter-terrorist financing (AML/CTF) due diligence. Commission Delegated Regulation (EU) 2020/855, which has been published in the Official Journal of the EU (OJ), amends the list of high-risk third countries with strategic AML/CTF deficiencies as provided for under Article 9(2) of the Fourth Money Laundering Directive (4MLD). Under 4MLD, the European Commission must, from time to time, draw up a list of such high-risk third countries; regulated firms must apply enhanced due diligence in respect of transactions or business relationships with customers established in those countries.
The Delegated Regulation amends the list of high-risk third countries that have provided a written high-level political commitment to address identified strategic AML/CTF deficiencies and have developed an action plan with the Financial Action Task Force (FATF) as follows:
| Newly added to the list | Remaining on the list | Removed from the list |
| The Bahamas | Afghanistan | Bosnia-Herzegovina |
| Barbados | Iraq | Ethiopia |
| Botswana | Pakistan | Guyana |
| Cambodia | Syria | Lao People’s Democratic Republic |
| Ghana | Trinidad and Tobago | Sri Lanka |
| Jamaica | Uganda | Tunisia |
| Mauritius | Vanuatu | |
| Mongolia | Yemen | |
| Myanmar/Burma | ||
| Nicaragua | ||
| Panama | ||
| Zimbabwe |
This updated list is the first to be based on the Commission’s revised methodology for identifying high-risk third countries under 4MLD, published on 7 May 2020. The revised methodology takes into account several key elements, including (among others) increased interaction with FATF. In principle, third countries listed by FATF will also be listed by the EU, with “top-ups” where necessary to meet specific EU requirements. Where a country is delisted by FATF, the Commission will assess whether the FATF action plan is sufficient for the purposes of an EU delisting. The countries newly added to the list by the Delegated Regulation are also listed by FATF.
Going forward – timeline and key considerations
Although the Delegated Regulation enters into force from 9 July 2020, Article 2 (which adds the new countries to the list) will not apply until 1 October 2020. This delay takes into account the disruption caused by COVID-19 and allows for sufficient time to ensure effective implementation. We recommend that firms revisit their risk assessments where they carry on significant business with these countries, and review their policies, controls and procedures for any necessary changes, including the following:
- Firms should re-assess their onboarding and ongoing due diligence procedures for clients established in the newly added countries to ensure that these procedures meet the requirements of enhanced due diligence measures. The UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 specify examples of enhanced due diligence measures as including, for example, seeking additional independent, reliable sources to verify information provided and increasing the monitoring of the business relationship, including greater scrutiny of transactions.
- Where a branch or majority-owned subsidiary of a firm established in the EU is located in a high-risk third country, enhanced due diligence measures do not need to be automatically applied, provided that the branch or subsidiary fully complies with group-wide policies and procedures in accordance with Article 45 of 4MLD. Firms will need to handle these cases with a risk-based approach and ensure that the relevant group-wide standards are being applied at local level.
- Firms should ensure that they do not rely on third parties established in countries on the list to carry out due diligence measures (although note that restrictions relating to third party performance do not apply to outsourcing or agency relationships where, on the basis of a contractual arrangement, the outsourcing service provider or agent is to be “regarded as part of” the EU/UK firm falling within scope of the rules – where, in any event, the outsourcing rules in 4MLD would require the relevant EU/UK standards to be followed).
- Firms may be prevented from performing simplified customer due diligence – which is limited to business relationships and transactions presenting a low degree of risk – where there are connections between customers or transactions to the newly listed countries.
- For clients established in countries removed from the list, firms may consider whether their due diligence measures can be adjusted on a risk-based approach.
- Firms should consider refreshing and rolling out AML/CTF training to their relevant staff to reflect these new provisions.
