Gibraltar in, Malta out of UK AML high-risk list

The latest updates to the UK’s high-risk jurisdictions for money laundering

The UK periodically updates its list of high-risk countries or jurisdictions for AML, meaning that regulated businesses must apply enhanced customer due diligence measures and enhanced ongoing monitoring in any business relationship with a person in any of these jurisdictions. A high-risk third country is defined for the purposes of the MLRs as a country specified in Schedule 3ZA.


The updated list of countries


The latest schedule, or list, published in June 2022, includes the following countries:

  • Albania
  • Barbados
  • Burkina Faso
  • Cambodia
  • Cayman Islands
  • DPRK*
  • Gibraltar
  • Haiti
  • Iran*
  • Jamaica
  • Jordan
  • Mali*
  • Morocco
  • Myanmar*
  • Nicaragua*
  • Pakistan
  • Panama
  • Philippines
  • Senegal
  • South Sudan*
  • Syria*
  • Türkiye
  • Uganda
  • United Arab Emirates
  • Yemen*

The starred (*) jurisdictions are subject to financial sanctions measures at the time of publication of the current list. This designation requires firms to take additional measures.

What’s new on the updated list?

On the new list, Gibraltar was added, and Malta was removed.

This statutory instrument came into force on 11 July 2022, at which time the new list of high-risk third countries replaced the previous list. The list continues to mirror both the Financial Action Task Forces (FATF) ‘Jurisdictions under increased monitoring’ and ‘High-risk jurisdictions subject to a call for action’ documents. All counties in either of these lists have significant shortcomings in their AML, counter-terrorist financing and counter-proliferation financing controls.

Why was Gibraltar added to the list

Gibraltar made a high-level political commitment in June 2022 to strengthen its AML/CFT regime. In December 2019, Gibraltar adopted its MER and since then the country has made progress on a significant number of its MER’s recommended actions, including completing a new national risk assessment, addressing the technical deficiencies in relation to BO-related record keeping, introducing transparency requirements for nominee shareholders and directors, strengthening the financial intelligence unit, and refining its ML investigation policy in line with risks. Though Gibraltar has made significant progress, more work remains to be done, including ensuring that supervisory authorities for non-bank financial institutions and DNFBPs use effective sanctions for AML/CFT breaches and demonstrating that it is more actively and successfully pursuing final confiscation judgements, through criminal or civil proceedings based on financial investigations.

Why has Malta been removed?

In June 2021, the FATF identified strategic deficiencies related to the detection of inaccurate company ownership information and sanctions on gatekeepers who fail to obtain accurate BO information, as well as the pursuit of tax-based money laundering cases utilising financial intelligence. Since then, Malta made significant progress and strengthened the effectiveness of its AML/CFT regime to meet the commitments in its action plan. Therefore, Malta has been removed from the list and is no longer subject to increased monitoring by the FATF. Still, Malta should continue to work with MONEYVAL to make sure these improvements remain in place.

What about Russia?

On 17 June 2022 the FATF also published a separate statement on the Russian Federation, which includes certain requests that firms should be aware of:

  • “The FATF continues to call upon all jurisdictions to remain vigilant of threats to the integrity, safety and security of the international financial system arising from the Russian Federation’s aggression in Ukraine.”
  • The FATF reiterates that all jurisdictions should be vigilant to possible emerging risks from the circumvention of measures taken in order to protect the international financial system.”

Other recent counties that have been grey-listed:

Turkey was added to the FATF grey list earlier in the year, and the UAE was added more recently.

Some other countries of interest:

Barbados

In February 2020, Barbados pledged to work with the FATF and CFATF to strengthen the effectiveness of its AML/CFT regime. In that time, Barbados has taken steps to improve its regime, but deficiencies remain and the deadlines for implementing the agreed upon action plan have all passed. Therefore, Barbados remains on the list and the FATF encourages Barbados to continue to work on implementing the plan to reduce the deficiencies.

The Cayman Islands

In February 2021, the Cayman Islands also made a commitment to work with the FATF and CFATF to strengthen its AML/FFT. The Islands agreed to address its strategic deficiencies by, among other things, imposing adequate and effective sanctions when necessary and demonstrating that they are prosecuting all types of money laundering cases in line with the jurisdictions risk profile. Since all deadlines for implementing these actions have now expired, the Cayman Islands remains on the list and the FATF encourages the jurisdiction to continue to implement its action plan.

Panama

Panama has taken steps to strengthen its AML/CFT regime since it made a high-level political commitment in June 2019 to do so, including by improving its monitoring of the corporate sector, and focusing on ML investigations in relation to high risk areas. But more work remains to be done, and Panama should take urgent action to fully address remaining measures in its action plan, as the deadline for doing so passed in January 2021. Therefore, Panama remains on the list and must continue to work on implementing its action plan to address its strategic deficiencies.

Morocco

Since February 2021, when it made a high-level political commitment to improve its AML/CFT regime, Morocco has taken steps to improve, including licensing and monitoring the registration of DNFBPs and addressing technical deficiencies related to TFS. However, deficiencies remain and Morocco should continue to take steps to implement its action plan, including improving risk-based supervision and applying effective sanctions for non-compliance.

Philippines

Since June 2021, when it made a high-level political commitment to work with the FATF and APF to improve its AML/CFT regime, the Philippines has taken steps towards this end, including implementing registration requirements and applying proportionate sanctions to unregistered and illegal remittance operators and increasing TF investigation and prosecution capacity. However more work remains, and the Philippines should continue to work on addressing strategic deficiencies by with regard to both money wandering and terrorist financing-related measures.

UAE

In February 2022, the UAE made a high level political commitment to work to strengthen its AML/CFT regime. Since the adoption of its mutual evaluation report at that time, the UAE has made significant progress to improve its system for preventing money laundering and terrorist financing. However, there is still more work to be done in order to reach full implementation of their action plan and so they remain on the list for now.

How might doing business with a country on the list affect me?

Failing to appreciate or note the risks of doing business with countries recognised as having AML deficiencies could lead to risks or even serious breaches. Supply chains running through countries on the list could be an AML risk, and estate agents and solicitors dealing with property transactions with clients in these countries also have to take special care. The impact of the grey listing means additional checks will be required on a source of funds resulting from the sale of a property for instance, or a customer seeking a mortgage to purchase a property.

What to do now

  • Renew practice wide and country risk assessments, particularly for the countries on the list, and for Russia
  • Review client lists for those who require ongoing monitoring
  • Review CDD and EDD procedures
  • Strengthen sanctions screening processes and ensure sanctions checks are regularly undertaken
  • Update sanctions training for all staff
  • Review sanctions policy template with our free updated version
How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.