Definition
A High-Risk Third Party is any non-client third-party entity whose involvement in business relationships or transactions heightens exposure to financial crime risks, necessitating stricter oversight beyond standard customer due diligence (CDD). Unlike routine third-party relationships, this status arises from factors like inadequate AML regimes, political instability, or FATF-identified deficiencies, which leave reliance on such parties potentially vulnerable to abuse.
Financial institutions must treat these parties as high-risk regardless of direct customer status.
Key Distinguishing Features
High-Risk Third Parties differ from low-risk ones by objective criteria: FATF black/grey lists, EU high-risk third country designations, or internal risk assessments showing weak compliance. For example, a correspondent banking relationship with a bank in a FATF “jurisdiction under increased monitoring” qualifies automatically.
Purpose and Regulatory Basis
High-Risk Third Parties matter because they can serve as conduits for layering illicit funds, bypassing domestic controls through cross-border or intermediary channels. Designating them ensures institutions apply EDD, preserving the integrity of global financial systems and preventing regulatory arbitrage.
Key Global Regulations
The Financial Action Task Force (FATF) sets the standard via Recommendations 10 (CDD) and 13 (correspondent banking), requiring EDD for high-risk relationships including third parties in deficient jurisdictions. In the EU, AML Directives (e.g., 5AMLD Article 18a, 6AMLD) mandate enhanced measures for high-risk third countries (HRTCs), with the Commission updating lists via delegated acts like the August 2023 regulation.
National Frameworks
The USA PATRIOT Act Section 312 demands EDD for private banking and correspondent accounts involving high-risk foreign entities, emphasizing source-of-funds verification. UK Money Laundering Regulations 2017 (Reg 33) mirror FATF, requiring senior management approval and increased monitoring for HRTC-linked transactions. These frameworks also align to counter proliferation financing risks.
When and How it Applies
Application is triggered when a third party is from a FATF-listed jurisdiction, has poor AML ratings, or exhibits red flags like opaque ownership or high-volume transactions. For instance, onboarding a payment processor in a grey-listed country activates EDD immediately.
Use Case Examples
In correspondent banking, a U.S. bank dealing with a Turkish intermediary must scrutinize nested accounts for Iranian sanctions evasion. Retail banks flag vendors in Myanmar (FATF grey list as of 2025) for supply chain payments. Triggers include transaction mismatches or third-country exposure.
Types or Variants
Primary variant: High-Risk Third Countries (HRTCs), per EU/FATF lists (e.g., Iran, North Korea on blacklists; Turkey, UAE on grey lists post-2025 plenary). Institutions apply blanket EDD to entities domiciled there.
Entity-Based Classifications
Correspondent banks, money remitters, or crypto exchangers with weak controls qualify. Variants include “third-party reliance” for CDD (regulated under FATF Rec 17) versus “third-party payments” obscuring fund sources.
Other Forms
Politically exposed third parties (PEPs), or those in high-crime sectors like gaming, also qualify if combined with jurisdictional risks.
Procedures and Implementation
- Inventory all third parties and classify by risk (critical/high/moderate/low).
- Conduct EDD: Verify AML program equivalence, financial stability, and obtain senior approval.
- Implement controls: Written agreements for data access, transaction monitoring, and periodic audits.
Systems and Tools
Deploy automated screening against FATF/EC lists, AI-driven transaction monitoring, and due diligence platforms like LSEG for reputational checks. Ongoing monitoring includes source-of-wealth probes and volume thresholds.
Impact on Customers/Clients
Customers linked to High-Risk Third Parties face delays in onboarding, account freezes, or transaction holds pending EDD. They retain rights to appeal classifications, provide mitigating evidence, and receive transparent explanations under GDPR/consumer protection laws.
Interaction Dynamics
Institutions must disclose EDD requirements without tipping off, balancing compliance with service continuity. High-risk clients may need enhanced ID proofs or fund tracing.
Duration, Review, and Resolution
EDD applies indefinitely until risk de-escalates (e.g., FATF delisting), with reviews at least annually. Active relationships are monitored quarterly, with immediate reassessment on list changes.
Review Processes
Senior compliance officers lead periodic audits; if risks persist, the relationship is resolved through an exit strategy, with the rationale documented.
Reporting and Compliance Duties
Document all EDD findings, report suspicious activities via SARs/FINs to FIUs, and retain records for 5-10 years. Train staff on recognition and escalate to MLROs.
Penalties for Non-Compliance
Fines reach millions (e.g., EU AMLD6 penalties up to 10% of global turnover), with criminal liability for willful breaches. UK FCA examples include Danske Bank’s €4bn scandal tied to high-risk third-party failures.
Related AML Terms
This term links to Enhanced Due Diligence (mandatory measure), High-Risk Countries (trigger), Third-Party Reliance (CDD delegation), and Correspondent Banking (sector-specific). It intersects with Politically Exposed Persons (PEPs) and Ultimate Beneficial Owner (UBO) identification.
Risk-Based Approach Integration
The designation forms part of the broader risk-based approach (RBA) under FATF Rec 1, prioritizing resources on high-threat vectors.
Challenges and Best Practices
Challenges include list update lags, over-reliance on third-party data, resource strain on SMEs, and false positives from broad jurisdictional flags.
Mitigation Strategies
Best practices: automate screening with real-time FATF feeds, apply tiered EDD based on exposure, collaborate via industry utilities, and conduct tabletop simulations. Partner with regtech providers for scalable controls.
Recent Developments
Following the June 2025 FATF plenary, grey list expansions (e.g., Philippines progress noted) demand vigilant monitoring. The EU’s 2023 Delegated Act refines HRTC criteria, emphasizing beneficial ownership gaps. Technology advances include AI for behavioral anomaly detection in third-party transactions and blockchain analytics for crypto intermediaries.
Regulatory Shifts
AMLD6/UK alignment strengthens sanctions screening; U.S. FinCEN proposes crypto third-party rules mirroring PATRIOT Act.
High-Risk Third Party designations are foundational to AML resilience, compelling proactive EDD to shield institutions from global financial crime networks. Compliance officers must embed them in risk frameworks for sustained efficacy.