What’s a high-risk third country?

A high-risk third country is a country outside the jurisdiction where a regulated business is based and operates, whose anti-money laundering, counter-terrorist financing or counter-proliferation financing framework has strategic weaknesses serious enough to warrant additional caution.

The term appears in some regulatory frameworks, including EU AML directives and the UK’s Money Laundering Regulations 2017 (as amended) (MLRs), where it’s used to identify foreign countries that trigger enhanced due diligence obligations. 

FATF (the Financial Action Task Force) uses different terminology, referring to “higher-risk countries” in Recommendation 19 and publishing its lists under the heading of “high-risk jurisdictions.” The wording differs, but the underlying idea is the same.

What makes a country high risk?

A country is treated as high risk when its legal, regulatory or supervisory framework has weaknesses that increase the likelihood of money laundering, terrorist financing or proliferation financing going undetected. 

Common indicators include:

• weak or unenforced AML legislation;
• limited supervision of financial and professional services;
• poor transparency around beneficial ownership;
• ineffective sanctions implementation;
• limited cooperation with international law enforcement.

Three times a year, after each FATF plenary in February, June and October, FATF publishes two public lists:

• High-Risk Jurisdictions Subject to a Call for Action, often called the FATF “Black List,” covering countries with serious deficiencies where FATF calls on members to apply enhanced due diligence or, in the most serious cases, countermeasures.

• Jurisdictions under Increased Monitoring, often called the FATF “Grey List,” covering countries that have acknowledged weaknesses and are working with FATF on an action plan.

National regulators typically draw on these FATF lists when defining their own high-risk country lists, sometimes adding or removing countries based on their own risk assessment. The UK, for example, maintains its own list under Regulation 33 of the Money Laundering Regulations 2017, updated by HM Treasury after each FATF plenary.

Why this matters for your business

Once a connection to a high-risk country is identified, FATF Recommendations 19 and 23 set out that regulated businesses should apply enhanced due diligence (EDD) measures, proportionate to the risk involved. That connection might come through:

• where a client is based or incorporated;
• the location of a beneficial owner;
• the source of funds for a transaction;
• the location of a counterparty;
• the routing of funds through international payments.

EDD in this context could typically involve:

• gathering more detailed information about the client and the purpose of the relationship;
• verifying source of funds and source of wealth more robustly;
• obtaining senior management approval;
• applying closer ongoing monitoring.

The level of scrutiny should reflect the actual risk involved. A long-standing client with a minor historic tie to a now-listed country presents a different risk picture from a new client routing significant funds through one. The risk-based approach allows for that proportionality, provided your reasoning is documented.

Keeping pace with the lists

FATF updates its lists three times a year. Countries are added when new concerns emerge and removed once FATF is satisfied that reforms have taken hold and are sustained.

Your AML controls need to keep pace. A jurisdiction that was clear at the point of onboarding can move onto the list later, and that change should trigger a review of any clients connected to it. 

Building FATF updates into your ongoing monitoring process turns jurisdictional risk into something you manage actively.