ECSH33336 - Checking customer due diligence: high-risk third countries

Where a customer is established in a high-risk third country (HRTC), the business must carry out enhanced due diligence (EDD) as required by regulation 33(1)(b).

The additional due diligence measures it must take are shown in regulation 33(3A). However, as explained on the previous page, these are not exhaustive and other risk-based measures may be applied by the business.

For an individual customer to be “established in” a high-risk third country, they need to be resident in that country; merely having been born there is not enough. For customers who are businesses, to be established in a high-risk third country, they need to be incorporated in or have their principal place of business in that country, as per the definition in regulation 33(3)(c).

Before you read this guidance, make sure you have read the general guidance on EDD. Further guidance is also shown in the Relevant Requirements section.

You can find more information in ANNEX 5-IV of the Joint Money Laundering Steering Group (JMLSG) guidance.

How are high-risk third countries defined?

From 23 January 2024, Regulation 33(3) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) defines a high-risk third country as a country which is named on either of the High-Risk Jurisdictions subject to a ‘Call for Action’ list or Jurisdictions under ‘Increased Monitoring’ list, published by the Financial Action Task Force (FATF). These may be referred to as the ‘black and grey lists’.

The FATF reviews jurisdictions based on threats, vulnerabilities, or particular risks arising from the jurisdiction. You can read more about this here.

Prior to 23 January 2024, high-risk third countries were defined as:

  • from 26 March 2021 to 22 January 2024 - the list of high-risk jurisdictions was published under MLR 2017 Schedule 3ZA. (Use the scroll bar at the top of the regulation within the “Changes over time for Schedule 3ZA” and click on the date covering the period you’re testing)
  • from 26 June 2017 to 25 March 2021 - high-risk third countries were identified by the European Commission in delegated acts adopted under Article 9.2 of the fourth money laundering directive. (Use the guidance at ECSH64830 for the dates countries were added and removed from the list)

You must determine which list the business needed to check, based on when it carried out due diligence checks on a customer/transaction.

How to determine if a business has customers established in a high-risk third country

Following your initial review, you may have identified that a business has customers who are established in high-risk third countries.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Following initial contact, you may have discussed the types of customers the business has and asked it to provide you with a list of relevant customers – see the guidance for “Requesting sector specific records” in the Information and documents requested before an intervention. This may indicate customers are based overseas. You can use this to check if any customers are (or were) established in a HRTC, following the guidance above.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)



When conducting your intervention, you should question the business to check its understanding of high-risk third countries, how it would identify a customer is established in a HRTC and confirm whether the business deals with customers in these countries. 

You should determine:

  • how the business knows which countries are high-risk third countries?
  • if the business keeps a list, how often is it updated? Who does it? Where is it kept? Is it updated on systems?
  • does the business deal with any customers established in high-risk third countries and how does it determine this? (please note the meaning of “established in” at the top of this page)
  • how does the business monitor whether the countries relevant to its customers are added or removed from the list?

During your records testing, you may identify customers or transactions involving high-risk third countries which had not been previously identified. For example, when testing customer due diligence measures performed by an art market participant (AMP), you notice that although a business customer’s address is shown in the UK, the supporting documents show the artwork has been shipped to a beneficial owner resident in a HRTC. If this is the case, you should question the business and consider whether the business has applied EDD measures.

Confirming if the business has applied appropriate EDD measures

Where you have identified that the business has customers established in a HRTC, or in relation to any relevant transaction where either of the parties to the transaction is established in a HRTC, in the period you are checking, you must ask to see evidence that the business has carried out all of the prescribed EDD measures shown in regulation 33(3A). Other examples of “parties to the transaction” could be a payout partner of a money transmitter, or a supplier of a high value dealer receiving cash payments, who are established in a HRTC.

You should determine:

  • what information does the business obtain on the customer/customer’s beneficial owner in addition to the CDD measures carried out under regulation 28 - regulation 33(3A)(a) of the MLR 2017
  • what information does the business obtain on the intended nature of the business relationship in addition to the CDD measures carried out - regulation 33(3A)(b)
  • what information and documents are obtained to establish the source of funds and source of wealth to satisfy regulation 33(3A)(c)
  • does the business understand why the customer wants to conduct the transaction? What information is obtained? - regulation 33(3A)(d)
  • what is the process for obtaining senior management approval to establish or continue the business relationship? Which senior manager approves it and what criteria do they use? - regulation 33(3A)(e)
  • how are higher-risk customers and business relationships/transactions monitored? How are the number and timing of controls increased, over and above standard ongoing monitoring? Who decides this and who carries out the increased monitoring? How are patterns of transactions that need further examination identified and monitored and by whom? - regulation 33(3A)(f)

These should be documented in the business’s written policies, controls and procedures (as required by regulation 19(3)(c)). If they are not, you must establish why.

Once you have confirmed the above EDD procedures, you should check that the business has followed them, and the requirements of regulation 33(3A) in full, when testing the records held for a customer who you have identified is established in a HRTC.

You will need to ask follow up questions to the business to understand what EDD measures it has applied and why.

If procedures have not been followed, you will need to understand the reasons for this. There is likely to be a breach of regulation 19, alongside the breach of regulation 33(1)(b) for a specific customer.

Please note, regulation 33(3A) was included in MLR 2017 on 10 January 2020. If you are testing EDD carried out on customers prior to this date, you must use the requirements in force at the time. Use the “Changes over time for: section 33” shown at the top of the regulation and click on the date covering the period you are testing.

Case study

You are undertaking a visit to an accountancy service provider (ASP). During your record testing, you recognise that the ASP provides accountancy services to a customer whose beneficial owners are established in a HRTC. You check the dates that the country was added to the list to confirm it corresponds to the period the business provided services to this customer.

Through questioning and your review of the records and information held, you establish that EDD has not been carried out on this customer. None of the prescribed measures in regulation 33(3A) have been done. You discuss this with the ASP who explains that they thought that high-risk countries referred to conflict zones. You establish that the ASP failed to identify and assess the risks of customers established in a HRTC when carrying out its risk assessment and had not read relevant guidance to understand what a HRTC was. The ASP therefore failed to establish any EDD procedures.

You explain to the ASP that there is a breach of regulation 33(1)(b), in that they did not apply the EDD measures in regulation 33(3A) in relation to this customer. You also advise that the business did not take appropriate steps to identify and assess risk factors in relation to the countries or geographic areas in which it operates, as required by regulation 18(1) in relation to regulation 18(2)(b)(ii), because they failed to take into account information made available to them by HMRC, as required under regulation 18(2)(a).  

More guidance on corresponding breaches can be found in specific breaches of customer due diligence.