Russia on the EU High-Risk Country List: What It Means for Your Business

On 29 January 2026, Delegated Regulation (EU) 2026/46 entered into force, officially adding the Russian Federation to the EU list of high-risk third countries in the area of anti-money laundering and counter-terrorism financing (AML/CFT). The regulation amends Delegated Regulation (EU) 2016/1675, which establishes the list of such countries under Directive (EU) 2015/849 (AML Directive 4) and its subsequent amendments under AML Directives 5 and 6.

The updated list applies directly across all EU member states and automatically activates enhanced due diligence (EDD) obligations already embedded in national AML laws. Each member state may also establish stricter requirements at its own discretion, and some do.

The obliged entities under AML law are the financial sector (banks, payment systems, virtual asset service providers / VASPs) and the non-financial sector (auditors, accountants, lawyers, tax advisors, and other obliged persons). They bear the obligations to apply enhanced requirements. But in practice, businesses that are not formally obliged entities also feel the impact: enhanced scrutiny from banks, requests to disclose information about counterparties, payment delays, and the risk of losing their bank account.

Extensive sanctions restrictions have already forced banks to conduct in-depth analysis of payments to Russian banks — and in practice, to refuse such payments altogether more often than not.

Russia's inclusion on the high-risk list creates a separate, additional obligation: banks and other AML-obliged entities must apply Enhanced Due Diligence (EDD) procedures to all clients with a Russian connection (Russian nexus) and their transactions — regardless of whether those transactions involve payments to Russia.

In practice, your bank may request from you:

• additional identification of beneficial owners and disclosure of the ownership structure;
• documentary evidence of the source of funds and source of wealth;
• explanation of the nature of business relationships and the purpose of transactions.

In addition, the bank takes the following steps independently, without client involvement:

• seeks senior management approval to continue the relationship;
• introduces enhanced ongoing monitoring of all account transactions.

The Carnegie Endowment describes the difference this way: while standard customer due diligence (CDD) involves basic verification of passport data, address, and income, EDD is comprehensive and continuous monitoring that turns every transaction into a multilayered quest.

EDD is not a one-time check at account opening. It is a permanent change in the service regime.

A Russian nexus refers to a material connection to Russia that obliges a bank to apply enhanced scrutiny. The primary indicators are:

• Russian citizens among the beneficial owners (UBO) — including through chains of legal entities;
• Russian citizens on the board of directors or in management;
• payments to Russian residents;
• capital or assets originating from Russia.

A key point: an EU residence permit or permanent residency does not remove nexus status. The EU Directive uses the concept of 'persons from a high-risk country' (Art. 18a(2)(c)) — the link is to citizenship, not place of residence.

Given that regulatory pressure on banks exceeds the formal requirements of the law, banks are forced to apply additional caution and raise their own requirements while lowering their risk appetite. The EDD trigger may also be activated by indirect indicators:

• payments to Russian citizens, even if they reside in the EU;
• partners whose founders or directors are Russian citizens, even if the company is registered in the EU, US, or elsewhere;
• publicly available information indicating a connection between counterparties and Russia (media, registries, open sources).

A single Russian nexus indicator is still a manageable situation for most banks. But risks tend to accumulate.

Consider a typical scenario. A European company whose founder is a Russian citizen residing in the EU on a residence permit falls under EDD for the reasons described above. The bank registers the first risk signal — a Russian nexus at the UBO level. The client provides documents. But at the next step, the picture becomes more complex.

During the enhanced review, the bank analyses the client's transactions and finds that a number of counterparties — for example, a service provider or payment intermediary for contractor payouts — also have a Russian nexus. This is the second signal.

The bank requests additional documents: explanations of the nature of relationships with counterparties, confirmation of the source of funds, disclosure of the ownership structure of partners. The decision on whether to continue the relationship is escalated to bank management.

If the bank forms reasonable grounds for suspicion, it is obliged to file a Suspicious Activity Report (SAR) with the relevant regulatory authority — the name and structure of this body varies by country. But even without an SAR, the bank may conclude that serving a client with multiple Russian nexus indicators creates a disproportionate compliance burden and reputational risk. The result is de-risking: the bank closes the account.

For the client, this means restricted operations, inability to pay counterparties and contractors, and finding a new bank with a similar risk profile may take months.

Banks are the most obvious, but not the only obliged entity a business will need to deal with.

Accounting firms and auditors are also subject to AML law and must conduct client due diligence on the same grounds as banks. There is, however, a key difference: while banks analyse transactions selectively based on specific criteria, accountants and auditors by default have access to all client documentation and understand the substance of every transaction.

In several European countries, businesses are already encountering refusals from accounting firms and auditors to serve companies whose activities are directly or indirectly connected to Russia.

For a business, this is no less critical than losing a bank account: unsubmitted tax returns and annual reports lead to fines, and in some jurisdictions — to mandatory removal from the company register (strike-off).

Regulation 2026/46 did not establish a direct prohibition on working with counterparties that have a Russian nexus. But it has significantly changed what that costs — for your bank, your auditor, and ultimately for you.

This article does not assess the proportionality or legitimacy of decisions made by banks and other AML-obliged entities. It describes the mechanics of how those decisions are made — so you can assess your situation in advance, rather than when a payment is already stuck, an account has been closed, or an auditor has refused to engage.

If you would like to understand how your structure looks from a compliance perspective — get in touch with our team.