The FATF Grey List: What It Is, Who’s On It, and What Your Compliance Program Must Do
A practical guide to the FATF grey list, its 2026 jurisdictions under increased monitoring, and what your compliance program must do to manage risk, EDD, and monitoring.

The FATF grey list is not a sanctions list. Understanding that distinction is the foundation of a correct compliance response.
The Financial Action Task Force (FATF) publishes two lists of jurisdictions with weaknesses in their anti‑money laundering and counter‑terrorist‑financing (AML/CFT) frameworks. These lists are updated three times per year, following FATF plenary sessions held in February, June, and October.
- The FATF blacklist is officially titled “High‑Risk Jurisdictions Subject to a Call for Action.” Countries on this list have critical, unresolved deficiencies and are failing to cooperate with FATF. FATF calls on its member states to apply countermeasures, the strongest available restrictions, against these jurisdictions. As of February 2026, three countries are on the blacklist: Iran, North Korea (DPRK), and Myanmar.
- The FATF grey list is officially titled “Jurisdictions Under Increased Monitoring.” Jurisdictions on this list have identified strategic deficiencies in their AML/CFT frameworks but are actively working with FATF under agreed action plans. Grey-listing triggers mandatory enhanced due diligence (EDD) for businesses conducting transactions involving those jurisdictions.
AMLI Analysis: Grey‑listed countries are not sanctioned; transactions are not prohibited. The standard is clearly higher: EDD is mandatory, risk ratings must be updated, and every decision must be documented.
What Is FATF and Why Its Lists Matter
The Financial Action Task Force (FATF) is an intergovernmental policy‑making body established in 1989 by the G7 Summit in Paris. It sets international standards for AML, counter‑terrorist‑financing (CTF), and counter‑proliferation‑financing (CPF). FATF has 40 member jurisdictions plus 2 regional organizations representing the world’s major financial centers.
FATF’s core output is its Forty Recommendations, the global baseline for AML/CFT controls. Compliance with these recommendations and the risk‑based approach they establish is the standard against which every jurisdiction and institution is ultimately measured.
The FATF grey list and blacklist carry real financial consequences, even though FATF itself has no direct enforcement authority. When FATF grey‑lists a jurisdiction:
- Correspondent banks apply enhanced due diligence or restrict transfers.
- Trade finance becomes more expensive.
- Insurance underwriters raise premiums.
- Some banking relationships are paused or closed, even without a legal requirement.
For businesses operating with or within grey‑listed jurisdictions, the compliance burden increases immediately, regardless of whether local regulators explicitly mandate it.
For the authoritative current list, use the FATF official grey and black list page. Third‑party lists should be verified against the FATF primary source after each plenary.
The Current FATF Lists: February 2026 Update
The February 13, 2026, plenary updated the lists but left the blacklist unchanged. Compliance teams with exposure to the affected regions should act accordingly.
FATF Blacklist: High‑Risk Jurisdictions (as of February 2026)
As of February 2026, the blacklist contains three countries. There have been no additions or removals since Myanmar was added in 2022.

FATF Grey List: Jurisdictions Under Increased Monitoring (as of February 13, 2026)
As of February 13, 2026, 20 jurisdictions are under increased monitoring. Two were newly added at the February 2026 plenary: Kuwait and Papua New Guinea.
- Algeria: Added October 2024. Deficiencies in supervision and beneficial ownership transparency.
- Angola: Added October 2024. Gaps in financial intelligence utilization and investigation capacity.
- Bolivia: Added June 2025. Structural weaknesses in AML supervision and enforcement.
- British Virgin Islands: Added June 2025. Gaps in beneficial ownership transparency and cross‑border cooperation.
- Cameroon: Ongoing action plan. Deficiencies in suspicious transaction reporting quality.
- Côte d’Ivoire: Added October 2024. AML supervision and enforcement gaps.
- DR Congo: Persistent deficiencies in financial intelligence and prosecution effectiveness.
- Haiti: Ongoing. Structural AML/CFT weaknesses and limited supervisory capacity.
- Kenya: Ongoing. Supervision and enforcement gaps across higher‑risk sectors.
- Kuwait: Newly added February 2026. Operational effectiveness gaps: detection, intelligence use, and enforcement outcomes.
- Laos: Added February 2025. Structural AML/CFT weaknesses and limited supervisory capacity.
- Lebanon: Added October 2024. AML program deficiencies and enforcement gaps.
- Monaco: Ongoing. Beneficial ownership and supervision gaps.
- Namibia: Ongoing. Deficiencies in suspicious transaction reporting and investigation.
- Nepal: Added February 2025. AML/CFT framework gaps and limited enforcement outcomes.
- Papua New Guinea: Newly added February 2026. Structural weaknesses in AML supervision, financial intelligence utilization, and beneficial ownership transparency.
- Senegal: Ongoing. AML supervision and reporting gaps.
- South Sudan: Ongoing. Significant AML/CFT capacity and infrastructure weaknesses.
- Syria: Ongoing. Severe structural deficiencies and ongoing conflict conditions.
- Venezuela: Ongoing. AML/CFT deficiencies overlapping with targeted OFAC sanctions on specific entities.
- Vietnam: Ongoing. Supervision and beneficial ownership gaps.
- Yemen: Ongoing. Significant structural weaknesses under conflict conditions.
Recent Changes: Additions and Removals Since 2025
The FATF list changes at every plenary. Tracking these changes and reflecting them in your risk assessment is an operational compliance obligation, not an administrative task.
Countries Removed from the Grey List: October 2025 and June 2025
- South Africa: Removed October 2025. Progress in AML supervision, beneficial ownership reforms, and enforcement outcomes.
- Nigeria: Removed October 2025. Improvements across financial intelligence, investigation, and prosecution.
- Mozambique: Removed October 2025. Progress in supervisory effectiveness and reporting quality.
- Burkina Faso: Removed October 2025. AML/CFT improvements recognized by FATF.
- Croatia: Removed June 2025. EU-aligned reforms and supervisory improvements.
- Mali: Removed June 2025. Progress in AML/CFT framework implementation.
- Tanzania: Removed June 2025. Improved supervisory outcomes and reporting capacity.
When a country is removed from the grey list, compliance teams should review whether EDD triggers for that jurisdiction can be de‑escalated and document that review and its rationale. FATF does not recommend automatic de‑risking. Removing controls without a documented rationale is an undocumented risk decision.
In practice, regulators assess not whether EDD was applied universally, but whether the level of due diligence applied was proportionate to the actual risk exposure.
What Grey-Listing Means for Your Compliance Program
Your AML program must reflect the operational consequences of grey-listing across customer onboarding, transaction monitoring, and risk assessment.
Enhanced Due Diligence Is Not Optional
When a jurisdiction is on the FATF grey list, enhanced due diligence (EDD) is the expected standard for any customer or transaction with meaningful exposure to that country. EDD means:
- Collecting additional information about the customer’s business presence, fund flows, and counterparties in that jurisdiction.
- Implementing stronger or independently verified identity and source-of-funds checks.
- Documenting the rationale for accepting, restricting, or proceeding with the relationship or transaction.
- Applying tighter monitoring parameters for these corridors.
- Obtaining senior approval where required by policy or supervisory expectations.
AMLI Analysis: EDD is proportionate, not binary. A small retail flow may need only extra source‑of‑funds questions, whereas a large correspondent‑banking relationship demands a full‑scale review.
Your Risk Assessment Must Reflect the Current List
The FATF grey list changes three times per year. A risk assessment reviewed once annually will be out of date within months of each plenary. Regulators and partners expect it to reflect current, verified information about jurisdictions you transact with.
In practice, this means:
- Assigning a team member to review the FATF list after each February, June, and October plenary.
- Updating the risk assessment or keeping a risk assessment change log for additions and removals.
- Reviewing whether existing EDD triggers for customers or counterparties need to be activated or de‑escalated.
- Documenting the review and outcome, even when no changes are required.
Transaction Monitoring Must Cover These Corridors
Transaction monitoring logic should capture elevated risk from grey-listed jurisdictions without resorting to blanket alerts on every transaction touching a country code. Your monitoring coverage inventory should explicitly include these jurisdictions, and alert parameters for these corridors should reflect their higher risk profile.
The Operational Effectiveness Shift: Why Kuwait’s Grey-Listing Matters Beyond the Middle East
Kuwait’s February 2026 grey-listing highlights a shift in FATF’s focus from “having rules” to whether controls actually work in practice.
Kuwait has a mature, well‑developed regulatory framework. The issue FATF identified was operational effectiveness: gaps in detection, financial intelligence use, and enforcement outcomes. The problem is not that the law is missing. It is that its real-world impact is weak.
Regulators globally are moving the same way:
- The FinCEN NPRM (April 7, 2026) shifts the US AML standard from technical compliance to demonstrable effectiveness.
- The FCA’s Financial Crime Guide (April 2025) emphasizes outcomes over checklists.
- The AMLA’s direct‑supervision approach (starting 2028) is built on the same logic.
AMLI Analysis: Regulators now judge AML programs by results, not just paperwork. Detection quality, investigation consistency, and enforcement matter more than policy documents. Compliance teams that prioritize documentation over outcomes will face the same scrutiny Kuwait does.
A Practical Compliance Response to the February 2026 Update
The following steps are the minimum operational response expected after any FATF plenary update, and especially after the February 2026 additions.
- Verify the Current List Against the Primary Source
  Confirm the current list against the FATF primary source. Treat the FATF primary source as authoritative and verify it after each February, June, and October plenary.
- Identify Affected Customers, Counterparties, and Corridors
  Review your customer base and transaction flows against the updated list. Focus on customers with business presence, registered addresses, fund flows, or counterparties in newly listed jurisdictions, notably Kuwait and Papua New Guinea, and flag them for EDD review.
- Document the Risk Assessment Update
  Update your risk assessment or risk assessment change log to reflect the new list. Even if the impact is minimal, document that you reviewed the change and assessed its effect. This is what you will need during a regulator or partner review.
- Trigger EDD Reviews Where Required
  For customers and counterparties with meaningful exposure to newly grey‑listed jurisdictions, initiate EDD reviews: collect additional information, document findings, and obtain required approvals. For newly de‑listed jurisdictions, document whether and why EDD de‑escalation is appropriate.
- Review Monitoring Coverage
  Ensure your transaction monitoring coverage inventory includes the updated list. Adjust alert logic for Kuwait and Papua New Guinea corridors to reflect their elevated risk, and document the rationale in your monitoring change log.
FATF Grey-Listing and OFAC Sanctions: Two Different Regimes
FATF listing and OFAC sanctions are separate legal regimes administered by different bodies. Confusing them can cause over‑restriction of legitimate business or under‑recognition of real risk.
- FATF is an intergovernmental standard‑setter with no direct enforcement power. Its lists drive market practice, not legal bans.
- OFAC is a US enforcement agency. Its sanctions can impose legal prohibitions and civil or criminal penalties.
Examples:
- Iran and North Korea appear on both the FATF blacklist and comprehensive OFAC sanctions lists. The primary compliance constraint here comes from OFAC’s legal prohibitions, not FATF’s call for countermeasures.
- Venezuela is on the FATF grey list and faces targeted OFAC sanctions on specific entities, not a blanket countrywide prohibition. Assess FATF risk and OFAC compliance separately.
For compliance teams, both regimes must be assessed independently and in combination. A transaction can be FATF-compliant but OFAC-prohibited or OFAC-clear but FATF-elevated-risk. Your risk framework must address both explicitly.
AMLI Analysis: Treating the grey list as a simple “sanctioned vs. not‑sanctioned” line is a mistake. It sits in the middle: allowed but higher‑risk, requiring risk‑based EDD and documented decisions.
Implications as Scale and Exposure Increase
The compliance burden related to grey‑listed jurisdictions scales with the nature and volume of your activity.
- For a fintech serving retail customers in a single domestic market, grey‑list exposure may be limited and manageable.
- For a payments processor, MSB, or financial institution with cross‑border corridors, the operational complexity increases sharply.
As exposure grows, expect intensifying requirements for:
- EDD scope: more detailed information and deeper verification.
- Monitoring sensitivity: more frequent and granular transaction review for these corridors.
- Counterparty due diligence: stronger scrutiny of correspondent banks and payment partners in grey-listed jurisdictions.
- Documentation volume: more case notes, rationales, and approval logs.
- Senior oversight: more governance involvement for new and existing relationships.
Institutions with correspondent‑banking exposure in grey‑listed jurisdictions face a particularly complex environment. Their compliance program must satisfy both local regulators and the due diligence expectations of banking partners.
Frequently Asked Questions
Is the FATF grey list the same as a sanctions list?
No. The FATF grey list covers jurisdictions with identified AML/CFT deficiencies that are working to address them. It is not a sanctions list. Transactions with grey‑listed countries are not prohibited, but enhanced due diligence is mandatory. OFAC sanctions, which do carry legal prohibitions, are a separate regime that must be assessed independently.
How often does the FATF grey list change?
Three times per year, after FATF plenaries in February, June, and October. Compliance teams should review the FATF primary source after each plenary and update their risk assessments accordingly.
What does our compliance program need to do when a country is added?
At minimum:
- Verify the update against the FATF primary source.
- Identify customers and counterparties with meaningful exposure to the newly listed jurisdiction.
- Update your risk assessment or risk assessment change log.
- Trigger EDD reviews where required.
- Review monitoring coverage for affected corridors.
- Document all steps and rationales.
What happens when a country is removed from the grey list?
When a jurisdiction is removed, review whether EDD controls for that country can be de‑escalated and document that review and its rationale. Automatic and immediate removal of controls without documentation is an undocumented risk decision.
Does FATF grey-listing require us to exit existing relationships?
No. FATF does not require the automatic termination of relationships with grey‑listed jurisdiction customers or counterparties. It requires a risk‑proportionate, documented EDD response. Whether to continue, restrict, or exit a relationship is a business decision that must be supported by documented compliance rationale.
Get In Touch Now
Grey‑listed‑jurisdiction exposure tests both your technical controls and your demonstrable effectiveness, from onboarding and EDD to transaction monitoring and governance. At AML Incubator, we offer targeted services to help you meet this higher standard:
- Grey‑Listed Jurisdiction Risk Strategy
  If your firm is exposed to FATF grey-listed jurisdictions through payments, trade finance, or correspondent-banking relationships, book a Discovery Call to review your risk posture, identify gaps in controls and documentation, and determine whether your program truly meets the heightened expectations of regulators and banking partners.




