The 5th EU Anti-Money Laundering Directive (2018/843), in force as of 11 July 2018, includes amendments to the 4th AML Directive, among them improvements in the procedure to identify high-risk third countries, a task delegated to the EU Commission. In addition, the new Directive also entails the harmonisation of the enhanced customer due diligence measures, which financial institutions and other obliged entities must apply to business relationships or transactions involving high-risk third countries. Against the backdrop of the controversies this year about high-risk country lists drawn up by the EU Commission, the following article will also review the recently published Commission Staff Working Document (2018, 362 final, 22. June 2018) “Methodology for identifying high risk third countries”.
Harmonisation of enhanced customer due diligence measures
The enhanced due diligence measures which financial institutions and obliged entities in all Member States will have to conduct on customers and transactions involving high-risk third countries are listed in the new Article 18a, paragraph 1 of the 5th AML Directive:
(a) obtaining additional information on the customer and on the beneficial owner(s)
(b) obtaining additional information on the intended nature of the business relationship
(c) obtaining information on the source of funds and source of wealth of the customer and of the beneficial owner(s)
(d) obtaining information on the reasons for the intended or performed transactions
(e) obtaining the approval of senior management for establishing or continuing the business relationship
(f) conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.
In its explanatory section, the new Directive states that business relationships or transactions involving high-risk third countries should be limited when significant weaknesses in the AML/CFT regime of the third countries of concern are identified, unless adequate additional mitigating measures or countermeasures are applied. Such restrictions and certain additional mitigation measures are detailed in paragraphs 2 and 3 of article 18a, including a requirement to review, amend, or if necessary terminate, relationships with correspondent banks in such high-risk countries.
The aforementioned measures (a) through (d) refer to extra intelligence which should be collected on a customer’s background, the origins of the funds, the nature and purpose of the business, and the transactions. These requirements essentially ask for sufficient transparency and legitimacy of the customer’s business rationale, in order to make sure that the money involved does not come from corrupt or criminal activities and is not being used for illegal purposes, such as money laundering and terrorist financing or other financial crime. These requirements regularly entail more in-depth investigations as part of the customer due diligence process.
The harmonisation was deemed necessary in order to prevent different approaches amongst the EU Member States from creating “weak spots” in the EU-wide management of business relationships involving high-risk third countries.
Identification of high-risk third countries
The EU is serious about requiring financial institutions to conduct appropriate enhanced customer due diligence, but how serious is the EU about identifying and assessing relevant high-risk third countries? The first blacklists of both “non-cooperative jurisdictions for tax purposes” and “high-risk third countries with strategic deficiencies” regarding Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), which were drawn up earlier this year by the Council and the Commission respectively, cast some doubts on the consistency and transparency of the selection procedures.
The 5th AML Directive includes some specifications to article 9, paragraph 2 of the 4th Directive, which sets out relevant aspects which the EU Commission shall take into account in identifying the strategic deficiencies of high-risk third countries. These include the recent amendments underlined below:
(a) the legal and institutional AML/CFT framework of the third country, in particular:
(i) the criminalisation of money laundering and terrorist financing;
(ii) measures relating to customer due diligence;
(iii) requirements relating to record-keeping;
(iv) requirements to report suspicious transactions;
(v) the availability of accurate and timely information of the beneficial ownership of legal persons and arrangements to competent authorities;
(b) the powers and procedures of the third country’s competent authorities for the purposes of combating money laundering and terrorist financing including appropriately effective, proportionate and dissuasive sanctions, as well as the third country’s practice in cooperation and exchange of information with Member States’ competent authorities;
(c) the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks.
The EU Commission’s new ‘methodology for identifying high-risk third countries’ is based on these criteria but expands in greater detail on the actual process of analysing relevant information sources that will feed into the envisioned autonomous country risk assessment. A continuing matter of interest will be any deviations from the FATF blacklist.
An Expert Group on Anti-Money Laundering and Counter Terrorist Financing (EGMLTF) within the Commission will play an advisory role in the process, starting with the scoping phase. In this phase, potential countries are identified in addition to those already listed by the FATF: countries which are relevant to the integrity of the EU’s financial system, including those which internal EU sources find to be exposed to money laundering and terrorist financing risks and predicate offences. Internal sources include Europol and the European External Action Service (EEAS) and data collected as part of Europol’s Serious Organised Crime Threat Assessment (SOCTA), but also data collected on third countries for tax purposes. This implies the integration of the list of non-cooperative jurisdictions for tax purposes in the process of identifying third countries associated with increased money laundering and terrorism financing risks – a remarkable step forward should this integration be realised.
The purpose of the scoping exercise is to set priorities for the in-depth country assessment phase, which is in line with the risk-based approach of the 4th AMLD. In terms of timing, the working document states that the Commission is planning to present the results of its priority country assessment by the end of 2018.
Assessment of effectiveness of AML/CFT regime
For those countries identified in the scoping, the Commission will prepare individual country profiles and threat assessments, and eventually analyse the effectiveness of a country’s AML/CFT regime according to eight ‘building blocks’. Generally, the threat assessment will be based on law enforcement information about the level of predicate offences and corruption, the terrorism threat, and the country’s relevance as a country of origin, transit or destination of money laundering and terrorist financing. The building blocks relate to the aforementioned criteria listed in article 9 of the 5th Directive. Taking into consideration internal EU information as well as publicly available information such as FATF evaluation reports, and a mix of international ratings, the analysis aims to ascertain whether the AML/CFT control framework of a country is adequate to address the money laundering and terrorist financing risk as determined by the threat assessment. Both technical compliance with international AML/CFT requirements and effectiveness in applying those requirements will be considered.
For each country of concern, a “level of deficiency” will be determined for each building block. The scale ranges from a “low significance level of deficiency”, where there is a robust AML/CFT framework in place, through a “moderately significant level of deficiency”, with moderate deficiencies in the control framework to address the identified threat, and a “significant level of deficiency”, to a “very significant level of deficiency”, where significant deficiencies in the control framework exist to address the identified threat.
The methodology states that based on this analysis the Commission will make an overall assessment of the level of deficiency of a particular third country (low, medium, high level of deficiency) without being more specific about how exactly the aggregation of the assessments of the building blocks would work.
What makes a country cross the threshold to presenting “strategic deficiencies” which will then lead to being listed as a high-risk third country? According to the methodology, a country which presents “major” deficiencies, i.e. a high level of deficiency, is considered as having strategic deficiencies. Moreover, in case of moderate to significant deficiencies, which is an overall medium level, the Commission will consider the country’s risk profile to conclude whether these deficiencies are strategic, which would also lead to a designation as a high-risk country.
Following the new methodology, will the number of third countries designated as high risk increase? The more comprehensive approach, which takes into consideration the level of predicate crimes and the degree of effective implementation of AML/CFT laws, would suggest so, as would a more extensive interpretation of strategic deficiencies which might also include countries with medium-to-high level deficiencies.
At the same time, the methodology states that the objective of the EU list is not to “name and shame” but to maintain and intensify a dialogue to ensure that the jurisdictions concerned remove identified deficiencies. Together with the overall consideration of the country profile in the assessment stage, it seems likely that the creation of the country list may continue to be a process influenced by other political and foreign policy considerations within the EU.
Financial institutions and entities obliged to conduct customer due diligence tailored to the country risk will have to watch carefully to find out not only which countries might be included but also where exactly the identified strategic deficiencies lie. The methodology includes a plausibly structured approach, and thus is an important step forward in providing consistent country risk assessments. However, transparency will be key. At this point, the evaluation of the eight relevant criteria in the assessment phase, the aggregation of the criteria assessments into an overall country assessment and the definition of the threshold separating non-strategic deficiencies from strategic deficiencies still appear to be a bit fuzzy.
Such fuzziness may be intended to offer more leeway for EU officials and member state representatives in their deliberations about the listing of countries. Whether it will come at the cost of transparency remains to be seen. As a minimum transparency requirement, the EU country risk assessment should clearly offer a breakdown of the criteria for the assessment in order to provide information about a country’s deficiencies which can be utilised for the enhanced due diligence on business relationships and transactions.