Global menu

Our global pages


Regulated businesses grapple with new list of high-risk third countries as EU Commission launches ambitions new action plan

  • United Kingdom
  • Financial services disputes and investigations
  • Litigation and dispute management


As the EU Commission launches a new action plan for a comprehensive EU-wide policy on preventing money laundering and terrorist financing, Zia Ullah, Steve Smith, Ruth Paley and Michaela Walker of Eversheds Sutherland LLP take a look at the new proposals including a new blacklist of ‘high-risk third countries’.

What’s in the new action plan?

The EU Commission has published a new action plan to improve the EU's overall fight against money laundering and terrorist financing, with the aim of establishing a set of harmonised EU rules which are more effective and better supervised, with enhanced cooperation across member states.

The action plan will bring about wide-ranging changes within the next twelve months, founded on six pillars:

1. Effective application of EU rules including better monitoring of implementation of EU rules by the Commission, with the EBA being encouraged to use new powers to tackle money laundering and terrorist financing.

2. A single EU rulebook by Q1 2021 to prevent diverging interpretations of the rules by member states leading to loopholes which can be exploited by criminals.

3. EU-level supervision by Q1 2021 to plug gaps in how the rules are supervised by individual member states

4. New proposals for a support mechanism for member state Financial Intelligence Units by Q1 2021, aimed at coordinating Financial Intelligence Units across member states.

5. Enforcing EU-level criminal law provisions and information exchange, with better judicial and police cooperation on the basis of EU instruments and institutional arrangements, and guidance on the role of public-private partnerships to enhance data sharing.

6. The EU to adopt a global role including an adjustment its approach to third countries with deficiencies in their AML/CTF regimes to ensure better alignment with the latest FATF (Financial Action Task Force) list.

These are high-level initiatives with the fine detail of the route to delivery not yet available, although the imposition of measurables such as a timetable for the new rule book and supervision arrangements is to be welcomed. The Commission has also prepared a helpful Q&A webpage which illuminates the pillars in more depth. One important development which will affect firms regulated under the Money Laundering Regulations, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) is the publication of a delegated regulation containing new list of high-risk third countries with strategic deficiencies in their anti-money laundering (AML) and countering terrorist financing (CTF) regimes, the so-called EU AML Blacklist.

Why does the EU publish a list of high-risk third countries?

Under the Fourth Anti-Money Laundering Directive (4MLD), the EU is required to establish a list of high-risk third countries with strategic deficiencies in their AML/CTF regimes. The list is intended to make sure the EU financial system is equipped to prevent money laundering and terrorist financing risks from countries outside the EU (referred to as ‘third countries’).

How long has the list been in force?

The first list of this kind was issued in 2016 and updated regularly. However, since the inception of the Fifth Anti-Money Laundering Directive (5MLD), the applicable standards against which a third country will be measured have been substantially extended, leading to a new listing process. The first list using the new assessment criteria was published by the European Commission (the Commission) in February 2019 this year, as our article here explains. That list proved controversial and was rejected by the EU Council (the Council) on the basis of a series of objections which included a perceived lack of transparency and vulnerability to legal challenges. Commentators at the time suggested that political sensitivities were behind the list’s demise, and that acute diplomatic pressure, including robust lobbying from the US and Saudi Arabia, was to blame for the failure to obtain the Council’s approval.

By way of response to the Commission has sought to address the Council’s concerns over transparency and the need to incentivise third countries and respect their right to be heard, through the publication of a new methodology and updated list which is better aligned with FATF.

What does the new methodology involve?

The new methodology first came under discussion between the Council and the Commission late last year, as set out in our second article on EU Blacklist arrangements here. The revised methodology has now been published and a new list has been created. The need to secure increased engagement with third countries has been addressed by:

  • consulting third countries on preliminary findings;
  • drafting country-specific ‘EU benchmarks’
  • seeking third countries’ commitment to implement specific corrective measures before a listing is considered;
  • Imposing a deadline of 12 months on those countries making specific commitments to address concerns.

A listing will occur where a jurisdictions is not cooperative (i.e. it refuses to express a commitment) or where it fails to implement the benchmarks within the agreed period. In very high risk or emergency situations, the Commission can proceed to immediate listing without going through the process above.

Who is on the new list and how does it work?

A number of countries that were previously listed remain on the list. These are Afganistan, DPRK, Iran, Iraq, Pakistan, Syria, Trinidad and Tobago, Uganda, Yemen and Vanuatu.

These countries are now joined by the Bahamas, Barbados, Botswana, Cambodia, Ghana, Jamaica, Mauritius, Mongolia, Myanmar, Nicaragua, Panama and Zimbabwe.

In addition, several countries have been removed from the previous list. These are Bosnia-Herzegovina, Guyana, Lao People's Democratic Republic, Ethiopia, Sri Lanka and Tunisia.

The arrangements for listing and assessment criteria are relatively detailed and the Commission has provided a number of links and resources for understanding the methodology, the interaction and alignment with the FATF listing process and dealt with other important questions here. Firms seeking to understand the reasons for listing and the specific risks that apply should consult these resources carefully, particularly where the firm’s business is impacted in terms of customer or geographic risk profile in light of the new arrangements.

Is the new list in force?

Not yet. Citing in the delegated regulation ‘the very exceptional and unpredictable situation arising from the COVID-19 pandemic which has an impact at global scale and is very likely to lead to disruptions in the proper functioning of economic operators and competent authorities alike’ the Commission has given some additional time to allow for effective implementation and, as such, the new list does not formally apply until 1 October 2020. Arrangements for delisting those countries removed from the list will begin immediately and should be completed within a few weeks.

The Council has yet to respond to this new list and we expect to see some further discussion around individual listings in the near future. However, the Commission’s work to address previous criticisms and the publication of the new methodology means that we anticipate the new list is less likely to draw the vociferous objections to the February 2019 version, and firms should continue to prepare accordingly.

What should regulated firms do?

The fact that a country is included on the EU’s blacklist does not trigger economic or diplomatic sanctions, but will operate instead to require additional KYC measures to be taken by regulated businesses subject to MLR 2017 including banks, lawyers, estate agents and tax advisors. All businesses caught by MLR 2017 will have to apply enhanced due diligence measures on customers and transactions involving these countries. Regulated businesses, also known as ‘obliged entities’ under 4MLD, can continue working from the previous version of the blacklist in the short term, but will need to begin to update policies and procedures (P&Ps) to reflect the new list.

As well as P&Ps, firms will want to consider how this new list impacts customer risk rating matrices, transaction monitoring arrangements; training for KYC analysts, onboarding processes; and, where appropriate, governance and escalation to senior management.

In terms of firms with UK-only operations, Brexit uncertainty continues to makes it difficult to predict with complete certainty the stance the UK will take towards the list, although we do expect adoption of the list in due course. In any event, those regulated entities operating across the EU, which will include a great number of financial and credit institutions (as well as other regulated businesses) with a presence in the UK, will no doubt want to apply any new EU list across their customer base and begin the work now of updating the various aspects of the firm’s financial crime framework identified above to reflect the new arrangements.

Finally, one additional point arising from the new list which firms should not neglect relates to the firm-wide risk assessment (to be performed and documented at least annually). Firms should be careful ensure that the newest iteration of that risk assessment includes reference to the new list with respect to both customer and geographic risk factors (and others as appropriate).