.svg)
Mandatory enhanced due diligence (EDD) is set to apply to any Russian connection under EU anti-money laundering/counter-terrorism financing (AML/CTF) law, signalling a structural shift in regulatory expectations.
Delegated Regulation (EU) 2026/46, published on January 9, 2026 and entering into force on January 29, adds Russia to the EU list of high-risk third countries under AML law.
The designation follows a series of legislative actions and assessments conducted throughout 2025 and early 2026.
The process began with the adoption of Delegated Regulation (EU) 2025/1393, published on August 21, 2025, which introduced a review clause into the EU’s AML framework requiring the European Commission to conclude a review of any third countries whose membership in the Financial Action Task Force (FATF) has been suspended.
This category applied to Russia following its 2023 suspension and, with the latest regulation, the country is now legally treated as a structural AML/CTF risk, regardless of its FATF greylist or blacklist status, UK classification or existing sanctions controls.
The immediate compliance consequence is clear: mandatory EDD applies to any Russian connection, leaving firms no discretion to apply lighter-touch measures based on customer type, transaction volume or legacy status.
Interpreting the regulatory signals
This delegated regulation sends a number of signals that should inform how financial institutions’ compliance teams interpret and respond to the change.
To begin with, FATF alignment is no longer the ceiling of EU AML risk classification. Although the EU is not departing from FATF standards, it is signalling that the global body’s public lists are no longer the outer boundary of risk assessment.
In addition, the delegated regulation signals that sanctions risk and AML risk are converging in terms of the authorities’ expectations.
The commission’s assessment highlights issues such as sanctions circumvention, state-enabled illicit finance and organised crime linked to the Russian state. This reframes Russia from a sanctions-compliance issue into a systemic financial-crime risk, meaning that controls designed only for sanctions screening are insufficient.
The regulation also indicates that supervisors’ tolerance for unmanaged exposure to Russia is shrinking. Mandatory EDD removes the ability to justify lighter-touch approaches.
EU regulators are likely to challenge both how firms manage their Russian exposure and why it remains at all, so organisations must be prepared to not only monitor their connection to Russia, but justify it.
Implementing EDD
Under the terms of the regulation, from January 29, 2026, mandatory EDD will apply to EU-regulated firms with respect to customers, transactions, beneficial owners and counterparties with any Russian connection.
The regulatory baseline includes enhanced source of funds and source of wealth analysis, deep scrutiny of ownership structures, senior management approval to onboard or continue relationships, increased transaction monitoring and independent verification where documentation reliability is doubtful.
Senior management approval is intended to embed accountability into Russian exposure decisions, ensuring they are owned, challengeable and defensible under supervisory review.
Because EU requirements now exceed FATF expectations and the UK’s current AML risk classification, firms operating cross-border face a choice between updating processes solely for the EU or aligning group-wide with the EU standard.
The UK maintains its alignment with the FATF lists and has given no indication that it plans to change its approach. Although it has extensive financial sanctions against Russia, targeting individuals, entities and vessels, this is separate from the high-risk country designation for AML/CTF.
By the end of January, EU-regulated firms should have identified their exposure to Russia by checking their customer bases, beneficial ownership registers and transaction flows to identify any Russian connection.
This includes Russian nationals, Russian-registered entities, entities with Russian beneficial owners above 25 percent and payment corridors involving Russian counterparties.
They should ensure that all identified Russian connections are automatically classified as high risk in their systems. Firms that believe they are already insulated due to sanctions de-risking should test that assumption, given that AML exposure can persist in indirect forms.
In addition, firms should confirm that their EDD triggers are functioning and that their systems flag any Russian connection without discretion.
If an existing setup allows manual risk assessment for Russian-linked customers or transactions, that must change before the implementation date.
Beyond immediate implementation steps, firms will need to take a strategic view on how they approach any ongoing connections to Russia.
This may involve defining senior management approval processes and identifying the individuals who will approve Russian relationships, the information they need to make defensible decisions and how approvals will be documented and auditable.
Ultimately, firms will need to assess the sustainability of their exposure to Russia and whether the EDD required is operationally sustainable. Where it is not, controlled de-risking becomes a compliance outcome, not a business decision.
Firms should also expect supervisory scrutiny not only of new onboarding, but of how quickly and credibly they address existing Russian-linked relationships.
The enforcement trajectory
The EU’s Russia designation can be understood as a stress test of compliance maturity. It asks whether firms can translate geopolitical risk into enforceable AML controls without relying on FATF cover or sanctions proxies.
For payments firms, the compliance challenge is not awareness, but prioritisation, governance and execution.
As Vixio’s 2025 Enforcement Outlook highlighted, AML is the EU’s foremost supervisory priority, and this position has been reinforced by the launch of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA).
Non-compliance with Delegated Regulation (EU) 2026/46 therefore runs a significant risk of enforcement action.
Firms that move decisively now will be in a position to demonstrate control. Those that wait for supervisory pressure may find themselves defending decisions they never formally made.
