5 min read

High-Risk Third Countries: an AML challenge for the EU

The EU (European Union) has had its share of recent money laundering challenges and scandals, such as those related to Danske Bank, Swedbank, ABLV and Rabobank and while plans are under way to address shortcomings within the EU, it is also aiming to protect itself from threats from outside – namely from ‘high-risk third countries’.

The EU 4th Anti-Money Laundering Directive (4AMLD), under Article 9, introduced a requirement to identify third-country jurisdictions which have strategic deficiencies in their national AML/CFT regimes. By empowering the European Commission to adopt a ‘Delegated Regulation’, the aim was to help protect the integrity of the EU financial system.

Resistance to previous attempts at an EU list

An EU high-risk third countries list was previously published on 13 February 2019 but drew significant criticism, particularly by the US and Saudi Arabia, and the Council of the EU rejected the list by 7 March 2019.

Although Saudi Arabia said they regretted the EU’s decision to place it on the list, the US went one step further in its response. The US Department of the Treasury said it had “significant concerns” about the list and the “flawed process by which it was developed”, noting that the FATF already develops a list of high-risk jurisdictions with AML/CFT deficiencies through a comprehensive process. The Treasury Department rejected the inclusion of American Samoa, Guam, Puerto Rico, and the US Virgin Islands and did not expect US financial institutions to take the Commission’s list into consideration in their AML/CFT policies and procedures.

The EU high-risk third countries

On 7 May 2020, the European Commission adopted the new Delegated Regulation EU 2020/855, which will add the following countries to the high-risk third country list from 1 October 2020:

  • Bahamas
  • Barbados
  • Botswana
  • Cambodia
  • Ghana
  • Jamaica
  • Mauritius
  • Mongolia
  • Myanmar/Burma
  • Nicaragua
  • Panama
  • Zimbabwe

They will join the following countries already on the list; Afghanistan, Democratic People’s Republic of Korea (DPRK), Iran, Iraq, Pakistan, Syria, Trinidad and Tobago, Uganda, Vanuatu and Yemen.

A number of countries were to be deleted from the high-risk third country list, these were:

  • Bosnia-Herzegovina
  • Ethiopia
  • Guyana
  • Lao People’s Democratic Republic
  • Sri Lanka
  • Tunisia

A duplication of efforts?

Observers will note that the Commission’s list appears very similar to FATF’s work in identifying countries with strategic deficiencies and that is because the Commission’s methodology puts forward that it recognises the FATF lists as a starting point. It claims to complement them through an “autonomous assessment” of additional countries. The approach includes assessing legal frameworks and effective application across eight areas, through analysing the countries’ measures on:

  • Criminalisation of money laundering and terrorist financing;
  • Customer due diligence requirements, record keeping and reporting of suspicious transactions in the financial sector;
  • The same requirements in the non-financial sector;
  • The existence of dissuasive, proportionate and effective sanctions in case of breaches;
  • The powers and procedures of competent authorities;
  • Their practice in international cooperation;
  • The availability and exchange of information on beneficial ownership of legal persons and legal arrangements;
  • Implementation of targeted financial sanctions

Despite the claim that it is an ‘autonomous’ assessment that complements FATF’s work, the eight areas the Commission considers in its analysis are very similar to what FATF would cover in their Mutual Evaluation Reports (MER), therefore many may find it difficult to not feel that it is a duplication of effort.

Mauritius as a stand out

One country that is a stand out on the updated EU high-risk third countries list is Mauritius. The country was the focus of attention as part of what was dubbed the ‘Mauritius Leaks’, an investigation by the ICIJ (International Consortium of Investigative Journalists) from 2019. The investigation follows a leak of 200,000 documents from law firm Conyers Dill & Pearman, and the leaked documents ranged from emails and contracts to business plans from firms such as KPMG and Clifford Chance. The ICIJ alleged the documents revealed attempts by both corporations and individuals through rules that allowed them to avoid paying taxes of countries such as Egypt, Mozambique and Thailand.

The investigations outlined that the companies set up were ‘shell’ or ‘brass plate’ companies, which only existed in Mauritius by name and address only. Multinationals were allowed to channel funds through ‘resident’ shell companies, paying an effective 3% or less income tax rate in order to avoid paying much higher taxes in other countries. This was compounded by double tax treaties, intended to ensure that multinational corporations are not taxed on the same income twice. These types of treaties can cost some of the poorest countries in the world to lose billions in tax revenue, when firms combine such treaties with other loopholes to route funds through shell companies in tax havens.

Although Mauritius rejected criticism of its role as a ‘tax revenue haven’, it was said to have responded by introducing stricter rules to prevent tax abuse. Notably, Zambia ended its tax treaty with Mauritius in June 2020 and Senegal also ended its tax treaty with Mauritius earlier in the year.

Aside from the investigations, critics have called into question the addition of Mauritius on the EU high-risk third countries list, especially when compared with countries, such as Ethiopia which has been removed from the list. This again raises questions on the Commission’s approach to listing. The government of Mauritius issued a statement in June 2020 outlining that it decided to accelerate points for address from its action plan with FATF. The aim being to complete them for August 2020 rather than year end, in the hope of convincing the Commission to reconsider its addition of Mauritius to the EU high-risk third countries list.

First-hand insights

Having worked at a number of banks, I have seen that many have found it a challenge to implement effective country risk ratings. One bank, a global organisation, had developed country risk ratings using an informal and opaque methodology. The country risk ratings in operation were so ineffective that it posed a significant money laundering risk to the bank. To demonstrate just how much of a risk this posed, I took a number of indexes (such as Basel AML Index, Global Terrorism Index, Corruption Perception Index and FATF high risk country lists), plotted scores for a number of countries marked as low risk, plus countries not even on the list. Even this very crude calculation and composition highlighted countries that should have been high risk, especially as some were already known globally to be, yet had not even been incorporated in the bank’s country risk list at all. The bank did however eventually update its country risk ratings as part of a formal update to its AML programme.

Considerations for risk and compliance practitioners

Whilst many banks now use more complex methodologies to develop country risk ratings, using external indexes and sources such as the FATF, the EU high-risk country list is yet another to add to methodologies, which may offer little in the way of significant change in risk ratings overall but will add to compliance efforts nonetheless. It may be difficult to manually track yet another change, though it does raise questions that banks should be considering, such as: how often do they review their risk rating methodology? If using a manual method, multiple sources and updates may render it ineffective therefore should they be considering the use of technology to better manage data sources and updates? Are they able to adapt to sudden change in risk appetite of certain jurisdictions? For example, when the diplomatic crisis in Qatar emerged in 2017, the first question I raised was “What is the bank’s jurisdictional exposure? How were they planning on making any changes to country risk ratings? (if any)”.

Give the significant regulatory burden banks and financial institutions already face in the EU, if they are not already, they will need to be cognizant of Point 29 of 4AMLD, which puts forward that: “Member States should at least provide for enhanced customer due diligence measures to be applied by the obliged entities when dealing with natural persons or legal entities established in high-risk third countries identified by the Commission” which then goes on to also state: “Reliance on third parties established in such high-risk third countries should also be prohibited”.