40 FATF 40 Recommendations
19

Recommendation 19 · Group D · Preventive Measures

Former: R.21

Higher-risk countries

Recommendation 19 requires financial institutions to apply enhanced due diligence to business relationships and transactions with persons (natural and legal) from countries identified by the FATF as having strategic deficiencies. Countries must also be able to apply countermeasures — proportionate to the risks — when called for by the FATF or independently when warranted.

Who must comply?

  • Banks, securities firms, insurers, MVTS, VASPs
  • DNFBPs (real estate, casinos, lawyers, notaries, accountants)
  • Government bodies designating high-risk jurisdictions and applying countermeasures

Key requirements

  1. 1

    Enhanced due diligence on high-risk countries

    Apply EDD — proportionate to the risks — to business relationships and transactions with natural and legal persons from countries for which the FATF calls for it (typically the 'black list' and 'grey list').

  2. 2

    Apply countermeasures when called for

    Countries must be able to apply countermeasures when called for by the FATF — including limiting business relationships, requiring approval at higher levels, restricting transactions, or prohibiting operations with the country.

  3. 3

    Independent application of countermeasures

    Apply countermeasures independently when warranted by the country's own risk assessment, even if the FATF has not called for them — subject to coordination with international partners where possible.

  4. 4

    Communication of high-risk lists

    Effective communication mechanisms must ensure that financial institutions and DNFBPs are promptly informed of changes to FATF's high-risk lists and any domestic designations.

  5. 5

    Risk-sensitive measures

    Beyond binary EDD/no-EDD, institutions should adjust the intensity of their measures based on the specific risks identified — different countries on the grey list pose different risks (e.g., TF-heavy vs. corruption-heavy).

Practical example

Example: Mexican bank screens a transfer to Myanmar

A Mexican bank receives a request from a corporate customer to transfer USD 200,000 to a beneficiary in Myanmar (currently on the FATF black list). Under R.19: the system flags the country, the file escalates to senior compliance, the bank must (a) demand documentary support of the commercial purpose, (b) verify the beneficiary against UN/OFAC and the SHCP blocked-persons list, (c) apply enhanced ongoing monitoring, and (d) consider whether countermeasures (e.g., flat refusal) are warranted under Mexico's national policy. The transfer is documented and reported to the UIF, which may share with FinCEN.

How Mexico implements it

Country-specific section in Spanish — Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).

México implementa la R.19 a través de la lista interna y políticas operativas:

Listas GAFI grise y negra

México alinea sus políticas de país con las listas trimestrales del GAFI (febrero, junio, octubre). La actualización febrero 2026 mantuvo en lista negra a Corea del Norte, Irán y Myanmar; agregó Kuwait y Papua New Guinea a la lista gris.

Listas GAFI: países de alto riesgo

Guía UIF Países de Riesgo y FT 2026

La UIF publicó en abril 2026 una guía con 20+ indicadores de riesgo país y FT, incluyendo banderas operativas para entidades financieras y AV cuando hay flujos hacia jurisdicciones identificadas.

Guía UIF Países de Riesgo y FT 2026

EBR y matriz de riesgo país

Cada sujeto obligado debe incorporar el riesgo país en su matriz EBR (Art. 18 Fr. VII LFPIORPI reforma julio 2025; DCG CNBV para sector financiero). Operaciones con países lista gris/negra automáticamente activan riesgo alto.

Milestones

  1. 2003

    Original Recommendation 21 on countries of concern

  2. 2007

    ICRG (International Cooperation Review Group) review process begins

  3. 2012

    Renumbered as Recommendation 19

  4. 2025

    October 2025 update emphasises proportionate, risk-based countermeasures

Related Recommendations

Other Recommendations in Group D — Preventive Measures

9 R.9 Financial institution secrecy laws 10 R.10 Customer due diligence (CDD) 11 R.11 Record keeping 12 R.12 Politically exposed persons (PEPs) 13 R.13 Correspondent banking 14 R.14 Money or value transfer services (MVTS) 15 R.15 New technologies & virtual assets 16 R.16 Payment transparency (Travel Rule) 17 R.17 Reliance on third parties 18 R.18 Internal controls & foreign branches 20 R.20 Suspicious transaction reports (STRs) 21 R.21 Tipping-off & confidentiality 22 R.22 DNFBPs: customer due diligence 23 R.23 DNFBPs: other measures

Official citation

FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 19, FATF, Paris, France. Last updated October 2025.

Read the official text on fatf-gafi.org