FATF ¦ R.19 High­er-Risk Coun­tries

Recommendation 19: Managing Higher-Risk Countries in Financial Crime Compliance

Recommendation 19 of the FATF Standards focuses on how financial institutions and countries should deal with higher-risk jurisdictions from an anti-money laundering and counter-terrorist financing (AML/CFT) perspective. It requires two core things: first, that financial institutions apply enhanced due diligence (EDD) to relationships and transactions involving higher-risk countries; and second, that countries themselves can impose broader countermeasures when the risk is serious enough. This recommendation is central to how the global financial system protects itself from jurisdictions with weak AML/CFT controls, strategic deficiencies, or a track record of being used for money laundering, terrorist financing, proliferation financing and related financial crime.

Enhanced Due Diligence for Higher-Risk Countries

At the heart of Recommendation 19 is the obligation for financial institutions to “step up” their controls when dealing with business relationships and transactions involving:

• Natural persons (individuals) from higher-risk countries.
• Legal persons (companies, trusts, foundations, etc.) from higher-risk countries.
• Financial institutions that are established in or closely linked to higher-risk countries.

The requirement is not to cut off all activity with such countries by default, but to apply enhanced due diligence measures that are effective and proportionate to the specific risks. “Proportionate” is key: a small, low-value payment involving a low-risk customer may justify different controls compared to a complex, cross-border trade finance structure involving multiple entities from a high-risk jurisdiction.

What Enhanced Due Diligence Can Look Like

The interpretive note to Recommendation 19 points back to the enhanced measures described for customer due diligence (CDD) in Recommendation 10. EDD for higher-risk countries often includes:

• Deeper understanding of the customer: obtaining additional information on the customer’s identity, ownership structure, source of wealth, source of funds, and the purpose of the relationship or transaction.
• More detailed understanding of the transaction: scrutinizing the nature, size, frequency, and counterparties involved; understanding why the transaction involves the higher-risk country and whether this makes economic and commercial sense.
• Senior management involvement: requiring approval from senior management before onboarding customers linked to higher-risk jurisdictions or before proceeding with certain transactions.
• Increased monitoring: applying more frequent or real-time monitoring of account activity, with more granular scenarios and lower thresholds for alerts when the activity involves a high-risk jurisdiction.
• More documentation and verification: requiring additional supporting documentation for cross-border transfers, trade finance documents, or beneficial ownership records, and verifying those documents more thoroughly.

Institutions are expected to adjust the intensity of these measures based on:

• How the FATF has categorized the country (for example, countries on the “high-risk jurisdictions subject to a call for action” list present more serious concerns than those “under increased monitoring”).
• The specific products, services, and delivery channels involved.
• The customer’s profile, including whether the customer is itself a financial institution, a correspondent bank, a money or value transfer service (MVTS), a non-profit organization (NPO), or a complex structure with opaque ownership.

The Role of FATF Calls for Action

Recommendation 19 expressly refers to countries “for which this is called for by the FATF”. The FATF periodically publishes public statements identifying:

• Jurisdictions with serious strategic deficiencies, often accompanied by a call for countries to apply enhanced due diligence and, in the most severe cases, countermeasures.
• Jurisdictions under increased monitoring, where enhanced scrutiny is also recommended.

Financial institutions are expected to:

• Track FATF publications and updates (as well as national transpositions, such as lists issued by local regulators).
• Ensure internal country risk lists are aligned with these calls.
• Embed these lists in customer risk scoring, transaction monitoring, sanctions screening and onboarding workflows.

Countermeasures at the Country Level

Beyond EDD at the institution level, Recommendation 19 also deals with “countermeasures” that can be taken by countries themselves. These are broader, sometimes more restrictive actions than ordinary due diligence measures.

Importantly, the recommendation makes two points:

• Countries should be able to apply countermeasures when FATF calls for them.
• Countries should also be able to apply such measures independently, based on their own risk assessments, even if FATF has not explicitly called for them in a particular case.

Countermeasures must still be effective and proportionate to the risks. They are not meant to be purely symbolic; they should actually reduce the risk of abuse of the financial system. At the same time, they should be calibrated so they do not unnecessarily disrupt legitimate trade and financial flows.

Bastian Schwind-Wagner_Follow

"Recommendation 19 sits at the core of how the financial system responds to risks posed by countries with weak AML/CFT controls. It pushes institutions and authorities to move beyond simple checklists toward a genuinely risk-based approach. When applied properly, it supports both system integrity and legitimate cross-border activity.

For compliance teams, this recommendation is not just a theoretical standard but a daily operational driver. It shapes country risk models, due diligence practices, and decisions on whether to maintain or exit high-risk relationships. In an environment of increasing regulatory scrutiny, getting Recommendation 19 right is both a regulatory necessity and a strategic safeguard."

Examples of Countermeasures

The interpretive note to Recommendation 19 provides concrete examples of what countermeasures can look like. These measures can be used individually or combined, depending on the level and nature of risk.

1. Mandating Specific Enhanced Due Diligence Elements

Authorities can require financial institutions to apply particular elements of EDD to relationships and transactions involving the identified higher-risk country. For example, regulators might explicitly require:

• Mandatory senior management approval for any new relationship involving entities in the high-risk country.
• Detailed verification of beneficial ownership for all customers connected to the country.
• Mandatory evidence and justification for the commercial rationale of cross-border payments.

This is a way for supervisors to standardize expectations rather than leaving all decisions to the discretion of individual institutions.

2. Enhanced or Systematic Reporting Mechanisms

Another countermeasure is to introduce more stringent reporting for financial transactions linked to the high-risk jurisdiction. This could include:

• Systematic reporting of all transactions above a certain threshold to the financial intelligence unit (FIU).
• Additional suspicious transaction or suspicious activity reporting triggers that specifically mention dealings with the higher-risk country.
• More frequent or special reporting requirements for certain sectors (for example, banks, payment institutions, casinos) with significant exposure to that jurisdiction.

These measures increase transparency and give authorities more data to detect and investigate potential money laundering or terrorist financing.

3. Restricting the Presence of Foreign Financial Institutions

Countries may refuse the establishment of subsidiaries, branches, or representative offices of financial institutions from the higher-risk country. Alternatively, they may factor the home country’s weak AML/CFT framework into licensing and authorization decisions.

This could mean:

• Denying license applications from banks headquartered in a high-risk jurisdiction.
• Imposing stricter conditions, such as more intrusive supervision or onshore incorporation requirements.
• Taking a conservative stance on acquisitions or cross-border mergers involving institutions from such jurisdictions.

The objective is to prevent the import of higher-risk practices or weak controls into the domestic financial system.

4. Restricting Outbound Expansion into Higher-Risk Countries

Conversely, authorities can prohibit or restrict their own financial institutions from opening branches or representative offices in the higher-risk country. Even where there is no outright prohibition, regulators can:

• Require institutions to fully factor in the AML/CFT shortcomings of the foreign jurisdiction as part of their risk assessment and risk appetite.
• Subject such expansions to especially rigorous approval processes.

This limits the direct exposure of domestic financial institutions to weak regulatory environments.

5. Limiting Business Relationships and Transactions

Countries can instruct financial institutions to limit business relationships or financial transactions with the higher-risk country or persons located in that country. This may involve:

• Bans or restrictions on certain types of products (e.g., private banking services, trade finance for certain sectors, or high-risk correspondent banking).
• Caps on transaction volumes or stricter controls for specific types of payments (for instance, cash-intensive businesses, virtual assets (VAs), or sectors known for trade-based money laundering).

These measures aim to reduce the overall risk exposure while still allowing legitimate business where appropriate.

6. Restrictions on Third-Party Reliance

Another important countermeasure is prohibiting financial institutions from relying on third parties located in the higher-risk country for elements of the CDD process. Reliance is often used to streamline onboarding and KYC, particularly in cross-border groups or correspondent relationships.

However, if the third party is in a country with insufficient AML/CFT controls, the reliability of that CDD becomes questionable. A prohibition forces institutions to carry out their own CDD or rely only on parties in jurisdictions with adequate standards.

7. Reviewing and Potentially Terminating Correspondent Relationships

Countries can require financial institutions to review and, if necessary, amend or terminate correspondent banking relationships with institutions in the higher-risk country. This can be one of the most impactful measures, because correspondent banking often provides access to the wider financial system.

Such a review may lead to:

• Tightened terms and conditions for correspondent accounts.
• Narrowed scope of services offered to clients in the high-risk jurisdiction.
• Full exit from relationships where the risk cannot be effectively mitigated.

This aspect must be carefully managed to avoid unintended financial exclusion, while still protecting the integrity of the system.

8. Increased Supervisory Examination and External Audits

Supervisors can increase scrutiny of branches and subsidiaries of financial institutions based in the higher-risk country. This may include:

• More frequent onsite inspections.
• Targeted thematic reviews focused on exposure to higher-risk jurisdictions.
• Requirements for enhanced external audits that specifically assess the adequacy of AML/CFT controls in relation to those exposures.

Similarly, for financial groups that have branches and subsidiaries in the high-risk country, regulators can require increased external audit coverage of those units and their group-wide AML/CFT frameworks. This helps ensure that group controls adequately address cross-border risks and that weaknesses in one jurisdiction do not compromise the entire group.

Keeping Institutions Informed: A Critical Support Measure

The interpretive note emphasizes the need for effective measures to ensure financial institutions are informed about weaknesses in other countries’ AML/CFT systems. Without accurate and timely information, institutions cannot realistically calibrate their risks or implement appropriate EDD and countermeasures.

Typical ways authorities achieve this include:

• Publishing and regularly updating lists of higher-risk jurisdictions.
• Issuing circulars, guidance notes, or supervisory letters that highlight specific concerns, such as sectors, products, or typologies associated with certain jurisdictions.
• Sharing FATF public statements, regional body reports, and mutual evaluation findings with clear explanations of what they mean for local institutions.
• Hosting industry briefings and outreach sessions focused on high-risk country exposure and best practices.

For compliance teams, integrating this information into internal policies, risk scoring models, and training materials is essential.

Practical Implications for Financial Institutions

From a financial crime compliance perspective, Recommendation 19 has several practical consequences:

• Country risk framework: Institutions must maintain a dynamic country risk rating methodology that incorporates FATF calls for action, national lists, and their own risk assessments. Higher-risk country designations should directly influence customer risk scoring and transaction monitoring thresholds.
• Policy and procedures: Internal policies should clearly set out how higher-risk countries are identified, what EDD measures apply, when escalation to senior management is required, and how decisions to onboard, continue or exit relationships are documented.
• Systems and data: Screening tools, customer lifecycle platforms and transaction monitoring systems must be able to recognize higher-risk country links (customer residency, incorporation, registration, operating location, transaction origin/destination) and trigger appropriate controls.
• Training and awareness: Relationship managers, onboarding teams, operations staff, and investigators need targeted training on the specific risks associated with high-risk jurisdictions and the additional steps required by Recommendation 19.
• Governance and documentation: Decisions regarding high-risk country exposures should be well documented, especially where the institution decides to maintain or extend a relationship in a situation where risks are elevated but manageable through strong controls.

Balancing Proportionality and Protection

A recurring theme in Recommendation 19 is proportionality. Neither FATF nor national authorities expect a complete cut-off of all activity with higher-risk countries in every situation. Instead, they expect:

• Clear identification of those countries and associated risks.
• Strong and targeted enhanced due diligence measures.
• The ability for authorities to impose broader countermeasures where the level of risk justifies them.

For financial institutions, the challenge is to protect themselves and the financial system from abuse while maintaining legitimate cross-border business. Recommendation 19 provides the framework: risk-based enhanced due diligence, backed by country-level countermeasures where needed, and supported by effective information flow from authorities to the industry.

Dive deeper

• FATF ¦ The FATF Recommendations ¦ Link
• FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing ¦ Link