New High-Risk Countries under Annex III(f) AMLR
Why obliged entities must redesign country-risk logic under Articles 32 and 34(3) AMLR
With Regulation (EU) 2024/1624 (AMLR), the EU has introduced a materially new concept of country risk. The change is anchored in Annex III(f) AMLR and becomes enforceable through Article 32 AMLR (AMLA Guidelines) and Article 34(3) AMLR (EDD decision inputs).
This is not a minor enhancement to existing high-risk country approaches. For obliged entities, it has a major operational impact:
- Existing “high-risk country lists” are no longer sufficient as the backbone of country-risk management.
- Country-risk methodologies that are list-driven (FATF-only, EU list-only, sanctions-only) become structurally obsolete under AMLR.
- Risk assessment must shift from “Is a country listed?” to “Does the jurisdiction’s system design enable financial secrecy?”
Annex III(f) AMLR: The new high-risk category
Annex III(f) AMLR introduces a structural risk category: jurisdictions enabling financial secrecy.
A country may be considered potentially higher risk if credible sources identify it as enabling secrecy by:
- Barriers to cooperation and information exchange
- Strict corporate or banking secrecy laws
- Weak controls for creating legal entities or legal arrangements
- No central database or register for beneficial ownership information
Only one of these triggers is sufficient.
This is new because it does not rely on:
- crime levels,
- corruption indices,
- sanctions,
- or FATF listing status.
It relies on whether transparency and verification can function.
What is new compared to 4AMLD / 5AMLD
Under 4AMLD / 5AMLD, geographical higher-risk thinking was dominated by:
- weak AML systems,
- corruption/crime,
- sanctions,
- terrorist financing.
Under AMLR, Annex III(f) adds a new dimension:
A jurisdiction can be higher risk even if it is not a classic “problem country” if it structurally prevents transparency.
That single change forces obliged entities to redesign how country risk is assessed.
Article 32 AMLR: Annex III(f) becomes a living EU risk reference
Annex III(f) is intentionally open-ended (“credible sources or acknowledged processes”). Article 32 AMLR ensures this open-ended concept is not left to fragmented interpretation.
By 10 July 2027, AMLA must issue guidelines defining ML/TF risks, trends and methods involving any geographical area outside the Union, taking into account Annex III. Where higher risk situations are identified, AMLA must include EDD measures that obliged entities shall consider applying.
What is new for obliged entities
- Country risk calibration will increasingly be benchmarked against AMLA guidance, not only internal models.
- “Non-listed but opaque” jurisdictions will be harder to classify as low/medium risk without strong justification.
- EDD expectations will become pre-structured at EU level for secrecy-driven risk scenarios.
Article 34(3) AMLR: Country-risk lists are no longer sufficient for EDD decisions
The strongest operational impact comes from Article 34(3) AMLR.
When assessing ML/TF risk for a business relationship or occasional transaction (outside automatic EDD cases), obliged entities must take into account at least:
- the higher-risk factors in Annex III, and
- AMLA guidelines under Article 32,
as well as other indicators like: - FIU notifications, and
- the institution’s business-wide risk assessment (Article 10).
What this changes in practice
This makes it non-defensible to say:
- “The country isn’t on our list, so no EDD.”
Under AMLR, a defensible EDD decision requires documented consideration of:
- Annex III(f) secrecy indicators,
- AMLA guidance,
- FIU intelligence,
- BWRA findings.
In other words:
EDD decisions must be evidence-based and multi-source. List-only logic becomes obsolete.
No new blacklist but a much larger high-risk universe
AMLR does not issue a new “Annex III(f) blacklist”. Instead, it expands the high-risk universe through definitional change.
Under Annex III(f), risk can be triggered by:
- limited BO transparency,
- easy entity creation and restructuring,
- restricted cooperation channels,
- secrecy laws and enforcement culture.
This means more situations will qualify as higher risk even if the jurisdiction is not on FATF or EU high-risk third-country lists.
For obliged entities, this is the central operational disruption: risk identification moves from lists to structural conditions.
What obliged entities must change now
Redesign the country-risk methodology (not just update lists)
Country-risk models must incorporate structural secrecy indicators, including:
- BO register existence and accessibility,
- entity creation controls and substance expectations,
- cooperation and information exchange effectiveness,
- secrecy-law constraints.
A model that cannot evaluate these dimensions will not satisfy Article 34(3) AMLR decision requirements.
Replace list-based escalation with decision-based escalation
Instead of “EDD if country is listed”, obliged entities need decision logic like:
“EDD if Annex III(f) indicators are present and cannot be mitigated by reliable verification sources.”
This is a fundamental shift in control design.
Strengthen documentation and auditability
Supervisors will test whether you can reconstruct:
- which Annex III(f) indicator applied,
- which sources supported it,
- which AMLA guidance was considered,
- which BWRA and FIU inputs were used,
- and why EDD was or was not applied.
Annex III(f) does not add another list, it replaces list-thinking
The key takeaway for obliged entities is:
Annex III(f) AMLR makes country-risk management structural, evidence-based and dynamic.
Legacy list-only approaches are no longer sufficient under Article 34(3), and AMLA guidance under Article 32 will set the supervisory benchmark.
This is a major impact because it forces a redesign of:
- country-risk scoring,
- EDD triggers,
- verification logic,
- and audit trails.
Download
ANNEX III 4AMLD vs AMLR
| ANNEX III 4AMLD - Higher risk factors | ANNEX III AMLR - Higher risk factors |
|---|---|
| (3) Geographical risk factors: | Geographical risk factors: |
| (a) without prejudice to Article 9, countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective AML/CFT systems; | (a) third countries subject to increased monitoring or otherwise identified by the FATF due to the compliance weaknesses in their AML/CFT systems; |
| (b) third countries identified by credible sources / acknowledged processes, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective AML/CFT systems; | |
| (b) countries identified by credible sources as having significant levels of corruption or other criminal activity; | (c) third countries identified by credible sources / acknowledged processes as having significant levels of corruption or other criminal activity; |
| (c) countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the United Nations; | (d) third countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the UN; |
| (d) countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country. | (e) third countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country; |
| (f) third countries identified by credible sources or pursuant to acknowledged processes as enabling financial secrecy by: | |
| (i) posing barriers to the cooperation and exchange of information with other jurisdictions; | |
| (ii) having strict corporate or banking secrecy laws which prevent institutions and their employees from providing customer information to competent authorities, including through fines and penalties; | |
| (iii) having weak controls for the creation of legal entities or setting up of legal arrangements; or | |
| (iv) not requiring beneficial ownership information to be recorded or held in a central database or register. |