Essential Tools for Proactive Compliance
FATF is mandatory - But what are other reports indicate risk?
Lets take a look
Mastering AML Country Risk: Essential Tools for Proactive Compliance
In the ever-evolving landscape of Anti-Money Laundering (AML) compliance, understanding and effectively managing geographical risk is paramount.
Financial institutions and regulated businesses, particularly law firms, must continually assess the money laundering and terrorist financing risks associated with the countries and jurisdictions where their clients operate or where transactions originate and terminate.
A robust geographical risk assessment isn't just a regulatory checkbox; it's a critical defence against financial crime. But with a world of data out there, how do you pinpoint the most reliable and actionable sources?
Here are essential tools and databases that can empower your firm to master AML country risk and build a truly proactive compliance framework:
🌎Financial Action Task Force (FATF)
The Financial Action Task Force (FATF) is a global body that sets standards to combat money laundering and terrorist financing. It maintains two crucial public lists:
"Black List" (High-Risk Jurisdictions subject to a Call for Action): Countries with severe AML/CFT deficiencies.
"Grey List" (Jurisdictions under Increased Monitoring): Countries actively working with FATF to address AML/CFT weaknesses.
Why these lists are crucial for UK Regulated Law Firms (MLR 2017, Regulation 33(1)):
Under the Money Laundering Regulations 2017, Regulation 33(1)(b), UK law firms are legally obliged to apply Enhanced Due Diligence (EDD) when dealing with individuals or entities from countries on either of these FATF lists. This is a direct regulatory mandate, not just guidance.
Impact of Failing to Update after a FATF Plenary:
FATF updates its lists three times a year. If your firm fails to incorporate these changes into its AML framework:
Direct Regulatory Breach: You could fail to apply mandatory EDD for clients/transactions linked to newly listed countries, directly breaching MLR 2017.
Severe Penalties: This can lead to substantial fines, public sanctions, and even criminal prosecution for the firm and individuals by the regulators.
Increased Risk: Your firm is at higher risk of being used for money laundering or terrorist financing, damaging its reputation and exposing it to illicit funds.
Staying updated with FATF's lists is essential for legal compliance, risk mitigation, and protecting your firm's integrity.
🌎Basel AML Index
The Basel AML Index is an independent ranking that assesses country-specific money laundering and terrorist financing (ML/TF) risks. Specifically, it provides risk scores for countries and jurisdictions based on data from 17 publicly available sources such as the Financial Action Task Force (FATF), Transparency International and the Global Initiative against Transnational Organized Crime.
They have developed a composite score based on five risk factors they feel contribute to a high money laundering risk:
- Quality of AML/CFT/CPF framework
- Corruption and fraud risks
- Financial transparency and standards
- Public transparency and accountability
- Legal and political risks
The information presented on the Basel AML Index website is colourful and graphical, with a tab listing the countries with a colour scale.
The Basel AML Index is maintained by the International Centre for Asset Recovery (ICAR) at the Basel Institute on Governance.
It's an excellent resource for an overview of a country's or regions inherent ML/TF risk, helping you quickly identify jurisdictions that may warrant enhanced due diligence. There are free and paid for subscriptions.
Why it matters for law firms:
The Basel AML Index offers a quick yet valuable screening tool for initial client and matter risk assessments, as well as ongoing monitoring. By drawing from a broad range of sources — including but not limited to FATF — it helps flag high-risk jurisdictions early in the process. This allows firms to make informed decisions about their overall risk appetite and guides the level of due diligence (CDD or EDD) that should be applied.
Impact of not using it:
While not a regulatory requirement, the Basel AML Index draws on diverse and reputable data sources beyond FATF, offering a more holistic view of country-level AML/CFT risks.
Limiting your risk assessment solely to FATF lists can result in an incomplete picture of jurisdictional risk.
Failing to consult wider tools like the Basel Index may lead to:
An incomplete Firm-Wide Risk Assessment (FWRA)
Incorrect client or matter risk categorisation
Application of CDD instead of EDD where enhanced scrutiny is warranted
Lack of documented MLRO approval for high-risk clients
Missed red flags during onboarding or ongoing monitoring
Over time, this may weaken your overall AML framework and could be interpreted by regulators as a failure to apply adequate scrutiny.
The real question:
Is your firm relying solely on the minimum mandatory sources — or is it committed to using available open-source and subscription-based tools to fully understand the inherent geographical risks?
The question is, is your firm just looking at the least mandatory resource or is it willing to look at other open source and budget willing paid subscriptions to fully understand the inherent risk of geographical area.
🌎Transparency International – Corruption Perceptions Index (CPI)
Transparency International sets out their mission on their home page as '...to stop corruption and promote transparency, accountability and integrity at all levels and across all sectors of society'.
Transparency International is an independent, non-governmental, not-for-profit organisation, that works with like-minded partners across the world to end the injustice of corruption.
They state that '...Corruption happens in the shadows, often with the help of professional enablers such as bankers, lawyers, accountants and real estate agents, opaque financial systems and anonymous shell companies that allow corruption schemes to flourish and the corrupt to launder and hide their illicit wealth.'
Corruption can be both a source of illicit funds and a means to launder those funds, making it a significant area of concern for anti-money laundering efforts.
Corruption is a significant enabler of money laundering.
Transparency International state that to fight corruption, we have to embrace transparency. They state, 'Transparency is all about knowing who, why, what, how and how much. It means shedding light on formal and informal rules, plans, processes and actions. Transparency helps us, the public, hold all power to account for the common good.'
The Corruption Perceptions Index (CPI), published by Transparency International, is a global ranking tool of countries around the world on the basis of how corrupt their public sector is perceived. It uses data from 13 data sources which are independent from Transparency International to produce their Index. The CPI does not measure activities such as Tax Fraud, Money Laundering, financial secrecy or illicit flows of money. It serves as a powerful proxy for understanding environments where illicit financial activity may flourish.
A high score on the CPI (means less perceived corruption) can be a positive indicator, while a low score suggests a higher risk environment where illicit funds might more easily flow, impacting could your client and transaction risk assessments.
Why it matters for Law Firms:
Corruption often lies at the heart of money laundering. For law firms subject to the UK’s Money Laundering Regulations 2017, assessing the Source of Funds and Source of Wealth is central to client due diligence — especially when enhanced due diligence (EDD) is required.
Using the CPI as part of your jurisdictional risk toolkit helps you:
Identify clients or transactions connected to high-corruption environments
Inform your Firm-Wide Risk Assessment (FWRA) and individual matter assessments
Apply appropriate levels of due diligence, including escalation to MLROs where required
Support a risk-based, defensible approach in the event of regulatory scrutiny
Impact of not using:
Failing to incorporate the CPI or similar tools into your geographic risk assessment could result in:
Inadequate scrutiny of clients from high-risk jurisdictions
Missed red flags linked to bribery or public corruption
Incorrect application of standard due diligence (CDD) instead of EDD
Reputational damage if the firm is linked to proceeds of corruption
Regulatory breaches or enforcement action under MLR 2017
Potential criminal liability for staff who unwittingly facilitate illicit flows
🌎Know Your Country AML Database
Specialised databases like Know Your Country AML Database compile vast amounts of AML-related information on various jurisdictions. These often include details on a country's AML legislation, regulatory bodies, enforcement actions, and specific risk factors.
They gather and collate information from wide and authoritative sources such as: CIA Factbook, FATF, FBI, Global Initiative, OECD, HM Treasury, IMF, The Egmont Group, Transparency International, US State Department, UN, World Bank, and Regulatory Authorities world wide.
The consider the information and provide reports from summaries to granular insights that complement broader indices, offering practical details for your risk assessments.
They provide free executive summaries or paid services, which offer more detailed reports.
For law firms subject to the Money Laundering Regulations 2017, having accurate, up-to-date jurisdictional information is essential for making informed decisions around Client Due Diligence (CDD), Enhanced Due Diligence (EDD), and Firm-Wide Risk Assessments (FWRA).
The Know Your Country AML Database offers:
- Granular intelligence – Insight into local AML laws, regulatory gaps, and specific red-flag behaviours
- Jurisdictional risk context – Beyond FATF lists, helping refine the firm’s overall risk-based approach
- Support for defensible decisions – Backed by open-source and international data, ideal for documenting the basis of risk decisions
- Practical support for MLROs – Quickly access country-specific threats that influence onboarding and matter-level risk
By using this database, firms can move beyond generic checklists to adopt a data-driven, proportionate, and contextualised approach to AML compliance.
- Overreliance on basic FATF lists – Missing nuanced risks not flagged by FATF alone
- Outdated information – Publicly available data on government sites may be fragmented or lagging
- Incomplete CDD or EDD – Without local context, due diligence may fail to address actual risks
- Weaknesses in FWRA – Inadequate country risk insight may be seen as a failure to follow a robust, risk-based approach
- Regulatory scrutiny – If something goes wrong, the firm may struggle to justify its geographic risk decisions
🌎CIA World Factbook
While not a dedicated AML tool, the CIA World Factbook is an invaluable, open-source intelligence resource that offers deep contextual insight into a country's political, economic, social, and geographic profile.
According to its official description:
“The World Factbook provides basic information on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 258 world entities.”
As a public domain resource, it offers a free and accessible source of authoritative information used widely by governments, researchers, and professionals across the globe.
Why it matters for Law Firms:
Understanding the broader environment in which your clients operate is a critical component of effective geographical risk assessment.
The Factbook supports law firms by:
- Highlighting economic challenges, such as inflation, resource dependency, or financial system fragility
- Offering insight into prevalent industries (e.g. extractives, real estate, informal or cash-based sectors), which may carry elevated ML/TF risk
- Contextualising client behaviour or fund flows that may appear high-risk but are typical of the region’s characteristics
- This kind of context allows firms to assess whether risks are proportionate, explainable, or red flags requiring further inquiry, helping underpin defensible decisions in line with the risk-based approach under the Money Laundering Regulations 2017.
Impact of not using:
Without incorporating sources like the CIA World Factbook into AML risk assessments, firms may:
- Fail to identify hidden vulnerabilities associated with regional instability or sector-specific risk (e.g., mining in conflict zones)
- Miss out on essential context that supports Enhanced Due Diligence (EDD) decisions
- Produce incomplete Firm-Wide Risk Assessments (FWRAs) or risk models that don’t fully reflect country-level exposure
While not a regulatory requirement, using such context-rich, open-source tools demonstrates thoughtful and informed AML risk assessment, supporting defensible compliance decisions.
🌎U.S. INCSR Reports (International Narcotics Control Strategy Report)
Published annually by the U.S. Department of State, the International Narcotics Control Strategy Reports (INCSR) provide detailed assessments of how jurisdictions around the world address drug trafficking and associated financial crimes, including money laundering and terrorist financing.
Volume I focuses on drug and chemical control efforts.
Volume II (spanning over 300 pages) is dedicated to money laundering and financial crimes, offering in-depth insights into each country’s AML/CFT frameworks, enforcement effectiveness, and exposure to narcotics-related financial crime.
While the INCSR does list countries identified as “major money laundering jurisdictions,” it explicitly states that this is not a blacklist. However, the jurisdictions named may not always overlap with the FATF grey and blacklists, providing an additional perspective that can be critical for AML risk assessments.
The 2025 reports are available - see the links below.
Why it matters for Law Firms:
For law firms working with international clients, offshore structures, or cross-border transactions, the INCSR offers a valuable government-backed perspective that goes beyond FATF assessments.
- Identifies AML/CFT enforcement gaps and policy weaknesses that may not yet be reflected in FATF or EU lists
- Offers insights especially relevant where there is any U.S. nexus, such as U.S. counterparties, dollar-denominated transactions, or U.S.-based regulators
Incorporating this information into your Firm-Wide Risk Assessment (FWRA) or client onboarding checks supports more nuanced decision-making, especially where FATF listings alone may not flag risk.
Impact of not using:
Neglecting the INCSR Reports may leave your firm:
- Unprepared for U.S. regulatory expectations, particularly if any part of a transaction or client relationship touches the U.S.
- Exposed to reputational, regulatory, and even criminal liability by onboarding clients or facilitating transactions involving jurisdictions with known narcotics-linked laundering vulnerabilities
In an increasingly globalised legal environment, failing to consider the INCSR perspective could signal a gap in your geographical risk model, weakening your overall AML compliance posture.
🌎EU List of Non-Cooperative Jurisdictions for Tax Purposes
The European Union plays a key role in promoting tax transparency, fair taxation, and the fight against tax fraud, evasion, and avoidance, both within the EU and globally. As part of this effort, it maintains the EU List of Non-Cooperative Jurisdictions for Tax Purposes — often referred to as the EU tax haven blacklist.
While primarily aimed at improving international tax governance, this list has significant AML relevance. Jurisdictions placed on the list are deemed non-compliant with global standards on tax transparency, information exchange, and fair taxation. These same deficiencies often correlate with weak financial oversight, opaque ownership structures, and limited AML enforcement capacity, making them higher-risk environments for money laundering and terrorist financing.
The goal of the list is not to shame jurisdictions, but to encourage reform through constructive engagement and pressure for compliance with international norms.
Law firms involved in tax advisory, entity structuring, or client money management must pay close attention to the EU tax blacklist as part of their Firm-Wide Risk Assessment (FWRA) and matter-level risk assessments.
- Jurisdictions on the list may indicate elevated inherent ML/TF risk due to weak financial transparency and governance.
- Engaging clients with connections to these jurisdictions may necessitate heightened due diligence, even if not explicitly required under MLR 33(1)(b).
- It provides a credible, independent signal of potential risk exposure that should influence your risk rating, source of funds/wealth assessments, and structuring decisions.
Failing to consult or consider the EU tax blacklist may result in:
Onboarding high-risk clients without recognising or mitigating the tax-linked ML risks
Inadequate application of the risk-based approach, particularly when tax avoidance schemes or shell structures are involved
Regulatory criticism, as ignoring such a widely recognised risk indicator could suggest gaps in your due diligence framework under Regulations 18 and 28
Reputational harm, especially if your firm is found to have supported structures or transactions involving jurisdictions viewed internationally as high-risk
Even though the list does not trigger automatic Enhanced Due Diligence under UK law, regulators may still expect you to explain and justify your risk-based decisions, especially where tax risk overlaps with AML exposure.
🌎EU List of High-Risk Countries
The European Commission publishes and regularly updates its list of high-risk third-country jurisdictions—countries identified as having strategic deficiencies in their Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) regimes.
The Purpose:
To safeguard the EU financial system by requiring all EU-obliged entities to apply Enhanced Due Diligence (EDD) when engaging with individuals or transactions involving listed jurisdictions.
To promote global consistency by aligning with international AML standards, particularly those set by the Financial Action Task Force (FATF).
However, it’s important to note that the EU’s high-risk list does not always align exactly with the FATF grey or blacklists.
This obligation stems from Article 9 of the 4th Anti-Money Laundering Directive (AMLD IV), which empowers the Commission to update this list based on strategic assessments, FATF input, bilateral dialogues, and on-site reviews.
Why it matters for Law Firms:
Although UK law firms, under MLR 2017 Regulation 33(1)(b), are mandated to follow the FATF lists when applying mandatory EDD, the EU’s list remains a critical, independent source of geographical AML risk intelligence. Here's why:
It reflects the collective assessment of a major global economic bloc with deep expertise in AML/CFT risks.
It provides additional context to strengthen your Firm-Wide Risk Assessment (FWRA) and individual client or matter assessments.
It can alert you to emerging risks that may not yet appear on the FATF lists but are flagged by EU regulators.
Even if not legally binding for UK-based firms post-Brexit, the EU list represents a credible red flag for jurisdictions requiring enhanced scrutiny.
Impact of not using: Failing to consider the EU’s high-risk list may result in:
Incomplete or inaccurate risk assessments, particularly in cross-border or EU-related matters.
Misclassification of geographic risk, potentially resulting in standard CDD being applied when EDD would have been more appropriate.
Regulatory criticism, especially if your firm cannot justify its geographic risk assumptions during an audit or file review.
While not a direct breach of MLR 33(1)(b), ignoring this list could be viewed as a gap in your risk-based approach under Regulations 18 (FWRA) or 28 (client due diligence) — leading to findings of non-compliance.
🌎Sanctions Country Information (UK, OFAC, EU)
Sanctions are a direct and immediate indicator of heightened risk. Regularly consulting sanctions lists and country-specific information from authorities like the UK Office of Financial Sanctions Implementation (OFSI), Office of Trade Implementation (OTSI), the U.S. Office of Foreign Assets Control (OFAC), and the European Union is non-negotiable. These lists identify individuals, entities, and entire jurisdictions subject to financial restrictions, necessitating immediate action and often prohibiting any dealings.
Why it matters for Law Firms: Adhering to sanctions regimes is a strict legal obligation, often with civil and criminal penalties for breaches. Any transaction involving a sanctioned country, entity, or individual is typically prohibited unless specifically licensed. Law firms must screen all relevant parties and jurisdictions against these lists diligently.
Impact of not using: This is arguably the most severe. Unlike other areas of compliance, sanctions breaches are strict liability — meaning intent is irrelevant. A firm may be held accountable even if the breach was inadvertent. Though, enforcement can take into account a risk based approach. Enforcement can include: individuals subject to fines, potential imprisonment, freezing of assets, and reputational damage due to direct breaches of sanctions law. Ignorance is no defence.
Final thoughts
There is no one-size-fits-all approach.
Your firm’s geographical AML risk assessment should be proportionate to its size, services, client profile, and overall risk exposure.
Make sure to document both your decisions and the rationale behind them.
Some tools are freely available—and can help firms move beyond generic models. They can support the development of a tailored, data-driven, and proactive methodology for assessing and managing country risk. This in turn can significantly reinforce your firm’s defences against financial crime.
Ultimately, the responsibility is yours.
Your AML framework must be owned, implemented, and reviewed within your firm.
Contact Us
If you would like to have an informal conversation contact us
Disclaimer
The links will become redundant and out of date over time, please refer to the latest information on the relevant websites.
We do not provide any warranty for the accuracy or completeness of the information provided.
This post is not legal or regulatory advice and should not be construed as such.
See our Disclaimer