Third-country risks under AMLR: Articles 29–31 and their significance for customer due diligence

In this eleventh instalment of our blog series on the EU Regulation on anti-money laundering and counter-terrorist financing (AMLR), we introduce a new thematic area within the framework: the management of money laundering and terrorist financing risks linked to third countries. Focusing on Articles 29–31, we analyse how geographic risk is identified, classified and given direct legal effect in obliged entities’ customer due diligence work and KYC (know your customer). These provisions establish clear KYC triggers, where business relationships and transactions connected to certain countries automatically trigger enhanced requirements.

For businesses, this means higher expectations of legal understanding and correct application of the rules. Morling Consulting supports companies across Europe as an external AML counsel for obliged entities, providing qualified legal analysis and practical support in interpreting AMLR’s third-country rules to ensure a legally robust, proportionate and consistent application of the requirements in an international risk environment.

Article 29 AMLR – Identifying high-risk third countries (strategic AML/CFT deficiencies)

Article 29(1) provides that third countries with significant strategic deficiencies in their national systems for combating money laundering and terrorist financing are to be identified by the European Commission and designated as high-risk third countries. This classification has direct legal consequences for how obliged entities must design their customer due diligence for business relationships or occasional transactions linked to those countries.

The legal mechanism for identifying third countries is set out in Article 29(2), which empowers the Commission to adopt delegated acts supplementing the AMLR. Such acts may be adopted where:

• (a) significant strategic deficiencies have been identified in the third country’s legal and institutional framework;
• (b) significant strategic deficiencies have been identified in the effectiveness of the third country’s system for managing terrorist financing or money laundering risks, or in its system for assessing and mitigating the risks that UN financial sanctions related to the financing of the proliferation of weapons of mass destruction are not implemented or are circumvented;
• (c) the deficiencies under (a) and (b) are persistent and no measures have been taken to mitigate them.

The Commission’s delegated acts must be adopted within 20 calendar days after the Commission determines that the criteria in (a), (b) or (c) are met.

When applying Article 29(2), the Commission must, under Article 29(3), take into account calls for action, evaluations, assessments, reports and public statements by international organisations and standard-setters with competence in the AML/CFT field regarding the application of enhanced customer due diligence measures and other countermeasures.

Under Article 29(4), obliged entities must apply enhanced customer due diligence measures in accordance with Article 34(4) where business relationships or occasional transactions involve natural or legal persons from a high-risk third country. The link to such a country therefore functions as a KYC trigger, irrespective of whether the customer would otherwise be assessed as low or normal risk.

Article 29(5) requires that the delegated act identifying a high-risk third country also specifies which particular countermeasures are to be applied to mitigate the risks associated with that specific high-risk third country. Article 29(6) also allows Member States to require obliged entities on their territory to take additional countermeasures where the Member State identifies specific risks not adequately addressed by the Commission’s decision. This option is subject to a notification requirement to the Commission, which must be made within five days from the time the countermeasures are applied. Following a notification, the Commission must assess the information provided and determine whether country-specific risks affect the integrity of the internal market. The Commission may apply necessary countermeasures to mitigate the risks, or decide that the Member State must discontinue its additional countermeasures if the Commission considers them unnecessary.

A central component of Article 29 is the requirement for regular review. The Commission must continuously ensure that delegated acts adopted under Article 29(2) and the countermeasures applied reflect any changes in the third country’s AML/CFT framework, so that they remain proportionate and appropriate to the risks linked to the third country. For obliged entities, Article 29 means that customer due diligence and KYC must be embedded in a living risk management system, where geographic risk is continuously monitored and reflected in both initial and ongoing customer due diligence.

Article 30 AMLR – Identifying third countries with AML/CFT compliance deficiencies

Under Article 30(1), third countries whose national systems show deficiencies in compliance for combating money laundering and terrorist financing are to be identified by the European Commission.

Identification is made through the Commission’s power to adopt delegated acts under Article 30(2), supplementing the AMLR, where:

• (a) compliance deficiencies can be identified either in the third country’s legal and institutional AML/CFT framework; or
• (b) compliance deficiencies can be identified in the actual effectiveness of the third country’s AML/CFT system regarding the management of money laundering and terrorist financing risks, or in its system for mitigating and assessing the risks that UN financial sanctions related to the financing of the proliferation of weapons of mass destruction are circumvented or not implemented.

Unlike Article 29, there is no requirement that deficiencies are persistent; the focus is on actual non-alignment with international standards. The Commission’s delegated acts must be adopted within 20 calendar days after the criteria in (a) or (b) are met.

When preparing the delegated acts, the Commission must, as the basis for its assessment under Article 30(3), in particular take into account information, evaluations, public statements, reports or assessments concerning jurisdictions subject to increased monitoring by international organisations and standard-setters in the AML/CFT field.

The legal effect of identifying a third country under Article 30 is set out in Article 30(4). The delegated act must determine which enhanced customer due diligence measures, from among those listed in Article 34(4), obliged entities are to apply for business relationships or occasional transactions linked to the third country. Here too, the geographic link operates as a clear KYC trigger, automatically affecting the scope of customer due diligence. Article 30(5) provides that the Commission must regularly review these delegated acts to ensure that the enhanced measures under Article 30(4) remain proportionate and adapted to changes in the third country’s framework.

Article 30 complements Article 29 by introducing a risk category for third countries whose national systems for combating money laundering and terrorist financing show compliance deficiencies, but do not necessarily reach the level of significant strategic deficiencies. The provision therefore reflects a more nuanced risk classification, aligned with AMLR’s risk-based approach.

Article 31 AMLR – Identifying third countries posing a serious threat to the EU financial system

Article 31 is the most intrusive provision in the third-country section and is intended to apply in exceptional cases. It empowers the Commission to adopt delegated acts supplementing the AMLR by identifying third countries that pose a specific and serious threat to the Union’s financial system and the functioning of the internal market, where that threat cannot be adequately managed through measures under Articles 29 or 30.

Unlike Articles 29 and 30, Article 31 is not limited to specific types of deficiencies and is based on an overall assessment of the threat level. Article 31(2) sets out an extensive range of criteria to be considered when preparing delegated acts, including the third country’s AML/CFT legal framework: the criminalisation of money laundering and terrorist financing, rules on customer due diligence and record-keeping, reporting obligations and access to beneficial ownership information. It also covers competent authorities’ powers, sanctions and cooperation methods, as well as the effectiveness of the third country’s system. It is therefore not sufficient that a third country has adopted relevant legislation; what matters is how the rules are applied in practice and the risk they create for the EU financial system.

A central element of Article 31 is the formal role of AMLA. Under Article 31(3), the Commission may request an opinion from AMLA to determine the threat level and assess the specific impact on the Union’s financial system. AMLA may also, on its own initiative under Article 31(4), draw the Commission’s attention to third countries that pose a serious threat but have not yet been identified under Article 29 or 30, by issuing a reasoned opinion.

When preparing delegated acts under Article 31(1), the Commission must give particular consideration to evaluations, assessments or reports from international organisations and authorised standard-setters.

If the specific and serious threat from the third country constitutes a significant strategic deficiency, Article 29(4) applies, meaning countermeasures of the same type as for high-risk third countries. The delegated act adopted under Article 31(1) must set out the specific countermeasures referred to in Article 29(5). If the specific and serious threat instead constitutes a compliance deficiency, the delegated act must determine which enhanced customer due diligence measures under Article 34(4) obliged entities must apply to mitigate the risks.

Regular review is also required here to ensure proportionality and appropriateness. In addition, the Commission is empowered to adopt an implementing act setting out the methodology to be used for identification under Article 31, including how the criteria are to be assessed, the procedure for engaging with the third country, and the procedures for Member States’ and AMLA’s participation in the identification process.

High-risk third countries, KYC triggers and enhanced customer due diligence under AMLR Articles 29–31

Together, Articles 29, 30 and 31 create a three-tier system for managing third-country risks, where the degree of deficiency and threat determines the legal consequences for obliged entities. From a KYC perspective, geographic risk is given a clearly standardised structure, where different risk levels automatically trigger different requirements. For obliged entities, it becomes critical that internal risk assessments, KYC processes and follow-up routines are sufficiently flexible to adapt quickly to changes in third-country classifications.

Morling Consulting provides qualified legal advice on the anti-money laundering framework. Through experienced AML lawyers, we support obliged entities across Europe in interpreting and implementing the rules on high-risk third countries and KYC triggers in a legally robust, proportionate and operationally tailored manner. Read more at morlings.se.

The AMLR overview continues here: Risk-based customer due diligence under AMLR – guidelines and simplified measures