1. Which countries are considered to be high risk jurisdictions for the European Union?

According to Directive 2015/849 EU, article 9, paragraph 1, all countries which have strategic deficiencies in their national AML/CFT regimes that pose significant threats to the financial system of the Union are considered high-risk third countries. The Commission is empowered to adopt delegated acts in accordance with art. 64 (article 9, paragraph 2), having considered multiple criteria:

(a) the legal and institutional AML/CFT framework of the third country, in particular:

  • criminalisation of money laundering and terrorist financing;

  • measures relating to customer due diligence;

  • requirements relating to record-keeping; and

  • requirements to report suspicious transactions;

(b) the powers and procedures of the third country’s competent authorities for the purposes of combating money laundering and terrorist financing;

(c) the effectiveness of the AML/CFT system in addressing money laundering or terrorist financing risks of the third country.

At the moment, the list of high-risk third countries includes 27 countries, which are: Afghanistan, Barbados, Burkina Faso, Cambodia, Cayman Islands, Democratic People’s Republic of Korea (DPRK), Haiti, Iran, Jamaica, Jordan, Mali, Morocco, Myanmar, Nicaragua, Pakistan, Panama, the Philippines, Senegal, South Sudan, Syria, Trinidad and Tobago, Uganda, Vanuatu, Yemen, Zimbabwe.


2. A German freelancer wants to open a bank account in Spain. He says he is a freelance IT technician who provides IT services remotely to Iranian companies. These companies are his main clients. Would you accept him as a client? What questions would you ask him, and what documentation would you request from him?

In the present case, we should consider that the application made by the German freelancer could present some important risk factors, since the companies he works for are located in Iran, which is considered a high-risk third country by the European Commission. In order to accept his application and bring the process to a successful end, we would apply to him the measures provided for in articles 13, 18 and 19 of the Directive 2015/859, which correspond to customer due diligence and enhanced customer due diligence.

We should begin by performing the activities described by article 13, paragraph 1, letters a), c), d), namely: 

  1. identifying the customer and verifying the customer’s identity (his identity card or passport)

  2. assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;

  3. conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship, the business and risk profile, including where necessary the source of funds.

Nevertheless, as mentioned above, these activities would not be enough to avoid the risk of money laundering, so we should apply further measures. Indeed, article 18, paragraph 1, states that in cases of higher risk, Member States shall require obliged entities to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately. Paragraph 2 then requires the examination of the purpose of all unusual patterns of transactions which have no apparent economic or lawful purpose. Lastly, paragraph 3 refers to Annex III, which suggests factors of potentially higher-risk situations, including geographical risk factors.

So, in order to perform enhanced customer due diligence, we should ask the client for further documentation and carry out further checks, such as: additional documents proving his identity, the origin and legitimacy of the client’s wealth, the source and the amount of his earnings, a check of the news and information about the reputation of the client and whether he has been involved in financial crimes, the name and the address of the Iranian companies he works for, and proof that he pays taxes in his country of residence.


c. A Nigerian woman living in France (she has a legal residence in France) wants to open a bank account in your bank in Spain. She says she needs the account to receive a scholarship that she won from an NGO in Spain. What Know Your Customer measures would you apply in this case? Mention each one.

The relationship between the Nigerian woman and the NGO may present a high-risk factor, since NGOs are not considered obliged entities by the AML regulations. Although NGOs are usually established with charitable intentions, they can actually be used by criminals to conduct illicit financial activities. The fact that funds flow in and out of the organization in a complex way makes them very susceptible to abuse by terrorists and money launderers.

In fact, the main risk with NGOs is that terrorism financing is a concrete possibility, since people who voluntarily donate money to these organizations do not know how the funds will be used. The funds could therefore be diverted and used to finance terrorist groups secretly.

The measures laid down by article 13, paragraph 1, letters a), c), d) of the AML Directive apply to the present case, so we should ask our client for an external document proving her identity (ID or passport, for example), proof of legal residence in France, a government-issued tax identification number, and proof of her occupation. However, these measures might not be enough to guarantee the legality of the relationship, so the enhanced due diligence measures provided for in article 18, paragraph 2, could also be applied to this case, in order to establish the economic or lawful purpose.

Therefore, we would ask the customer for further information, especially in relation to the organization, such as its charitable purposes, the origin and the destination of the funds, and the public documents evidencing its legal existence (NGO name, legal form, registered address, identity of its directors, tax identification numbers).




d. Mr. Braccio, an Italian citizen, is a computer technician. He has an IT company in the Democratic Republic of the Congo (DRC). This company has contracts with the Congolese government. He lives in DRC. He pays taxes in this country. He is not a tax resident in Italy, but a tax resident in DRC. He has a non-resident account in an Italian bank. In his banking records you can see the following operations:

  • Weekly purchases in Italy, paid with his personal debit card.

  • International transfers. 

His Italian bank account receives almost 30.000 euros every month from his bank account in a different bank in DRC. The Italian Financial Crime Unit (a public authority that investigates financial crimes) requests from you a record of his banking operations over a ten-year period. However, in the request document, the Crime Unit does not specify whether Mr. Braccio is being investigated as a criminal or as a victim. Are you obliged to provide the banking records of this client to the abovementioned crime unit? Is a bank obliged to keep a ten-year record of a client’s transactions? Besides this, are you obliged to perform a parallel investigation (for banking purposes) to verify if this client has suspicious activity in his banking records? Which due diligence measures would you perform? Do you think the activities of the client are risky? Is DRC a high-risk country? Should Mr. Braccio be considered a high-risk client? In case you want to ask the client to clarify some transactions, what would you do if he doesn’t want to provide the necessary information and documentation? What would you reply if the client asks you about the legal grounds supporting your requirements? Do you think the amount of money he receives monthly is of a relevant quantity for AML purposes? In your opinion, why is the Financial Crime Unit not giving more details about their investigation? If you consider Mr. Braccio an alleged criminal, what crime might he be committing?

Although we do not know if Mr. Braccio is being investigated as a criminal or as a victim, article 33 of the AML regulations states at paragraph 1, letter b), the obligation of providing the FIU, directly or indirectly, at its request, with all necessary information, in accordance with the procedures established by the applicable law. This provision is complemented by article 42, which requires obliged entities to have systems in place that enable them to respond fully and speedily to enquiries from their FIU as to whether they have maintained or currently maintain a business relationship with a client for a period of five years from the request.

That said, the AML regulation does not provide for an obligation to keep a ten-year record of a client’s transactions, as article 40, paragraph 1, letters a) and b) only ask obliged entities to keep a copy of documents and information and the evidence and records of transactions for a period of maximum 5 years after the end of a business relationship with their customer or after the date of an occasional transaction. However, according to article 40, paragraph 2, Member States may allow or require the retention of such information or documents for a further period of five years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.

On the other hand, article 11, letter b), subparagraph i), obliges us to apply customer due diligence measures to our client, since his account receives unusually large transactions exceeding € 15.000. Moreover, the criteria provided for in Annex III, paragraph 3, letter b), suggest that we may perform enhanced customer due diligence as well, since DRC can be considered a country with a high degree of corruption, even if DRC is not considered a high-risk third country by the European Commission. In addition, we could consider Mr. Braccio as one of the ‘persons known to be close associates’, as stated by article 3, number 11). As this description matches Mr. Braccio’s profile, we should perform the further diligence provided for in article 20, letters a) and b), namely: obtain senior management approval for establishing or continuing business relationships with such persons; take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons; conduct enhanced, ongoing monitoring of those business relationships.

According to article 18, paragraph 2, we should ask Mr. Braccio for the following documentation: the national identity card of Mr. Perez; the public documents evidencing the existence of the legal persons: company name, legal form, registered address, identity of their directors, articles of association and tax identification number; the records from Mr. Braccio’s personal bank account in DRC (bank statement); the records of the tax payments connected to Mr. Braccio’s bank account in the DRC; the records of Mr. Braccio’s IT company’s fiscal data; the records of banking operations of the closest family and employees of Mr. Braccio.

In case the client does not want to provide us with the requested information, we should apply the procedure provided for in article 33, paragraph 1, letter a), which requires us to make a report to the FIU, which will communicate the result of its analysis to the national authorities. If the FIU confirms its suspicions, it may require us to restrict or block Mr. Braccio’s account if he has not fulfilled his obligations. Nevertheless, we are not obliged to communicate to the client any information about the ongoing investigations, as provided for in article 39. The FIU may not give more details about its investigations in order to prevent and mitigate the risk that the client could discover any detail about the ongoing investigations.

If we assume that Mr. Braccio is committing a crime, we should consider that these large transactions could be consistent with money laundering, since Mr. Braccio could be receiving large amounts of cash deriving from illegal activities, with the aim of hindering their traceability in Italy. Another connected crime could be terrorism financing, as he could be financing terrorist groups in Italy with funds originating from Congo.


e. A French student living in Madrid wants to open a bank account in your bank. What kind of due diligence would you apply to him? What documentation would you require from him?

The present case presents a situation of low risk, as stated by article 15, so we could apply to this client the simplified customer due diligence measures. In fact, Annex II, number 1, subparagraph c), refers to customers that are resident in geographical areas of lower risk, including France.

So, we should ask the student for: a proof of residence or stay permit (‘Residencia’ or ‘Estancia’); a Foreigner’s Identification Number (Número de Identificación de Extranjero, assigned by the Spanish National Police on account of obtaining the residence or stay permit, allowing for the performance of the legal activity); and proof of employment status (enrolment confirmation by the university or a student card).


f. A refugee wants to open a bank account in your bank: What documentation would you require from him? Is a refugee a high-risk client?

Refugee status may correspond to a high average risk level, as the status raises uncertainties about the identity of the client. In this case, we should look at the articles of Chapter II, Section III, articles 18 and 19, about enhanced customer due diligence.

We should ask the client for: a document that accredits the condition of the applicant while the process of international protection is under way, or a Red Card, which is a document the person is provided with during the (6-month-long) period of processing the application for asylum. It contains a Foreigner’s Identification Number (Número de Identificación de Extranjero) allowing for the performance of the legal activity.