FATF High-Risk Countries 2026: Australia AML/CTF Compliance
FATF grey list and blacklist updated February 2026: how AUSTRAC, the AML/CTF Act 2006, and the 2026 reforms affect Australian reporting entities' obligations for high-risk jurisdiction customers.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokFATF High-Risk Jurisdictions 2026: Australian AML/CTF Obligations
As of February 13, 2026, the Financial Action Task Force (FATF) maintains three countries on its blacklist โ North Korea (DPRK), Iran and Myanmar โ and 22 jurisdictions under increased monitoring (the grey list), including Algeria, Bulgaria, Kenya, Kuwait, Lebanon, Syria, Venezuela and Vietnam. For Australian reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), these designations directly shape compliance obligations supervised by AUSTRAC (Australian Transaction Reports and Analysis Centre).
Regulatory baseline: AUSTRAC published its February 2026 update on FATF jurisdictions, identifying Kuwait and Papua New Guinea as new grey-list additions and noting that reporting entities should use FATF updates to guide their ML/TF risk assessments, compliance programmes, and decisions about submitting Suspicious Matter Reports (SMRs). Australia faces a FATF mutual evaluation in 2026, making robust country risk programmes a regulatory priority.
FATF Lists and Their Legal Effect Under Australian AML/CTF Law
The AML/CTF Act requires reporting entities to conduct enhanced Customer Due Diligence (ECDD) if a customer or beneficial owner is "physically present in, or formed in, a high-risk jurisdiction that the FATF has called for enhanced CDD to be applied." This statutory language creates a direct legal obligation tied to FATF blacklist designations, and a strong regulatory expectation for grey-list countries.
| FATF Designation | Australian AML/CTF implication |
|---|---|
| Blacklist (DPRK, Iran, Myanmar) | Statutory ECDD obligation under AML/CTF Act + targeted financial sanctions (DFAT) |
| Grey list (22 countries) | AUSTRAC expects high-risk rating; ECDD strongly recommended; SMR threshold effectively lowered |
Important: AUSTRAC's guidance states: "You should apply a high-risk rating to countries on the Financial Action Task Force (FATF) grey and blacklists."
FATF Grey List: Current 22 Jurisdictions (February 2026)
Countries committed to addressing AML/CFT deficiencies with a FATF action plan:
Algeria, Angola, Bolivia, Bulgaria, Cameroon, Cรดte d'Ivoire, Democratic Republic of Congo, Haiti, Kenya, Kuwait, Laos, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, British Virgin Islands, Yemen.
February 2026 additions: Kuwait and Papua New Guinea were added at the February 2026 plenary. AUSTRAC's February 2026 update specifically flags these jurisdictions for Australian reporting entities.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotConcrete Obligations Under Australia's AML/CTF Act 2006
Enhanced Customer Due Diligence (ECDD)
Under Part 2 of the AML/CTF Act and AUSTRAC's Rules, ECDD for high-risk jurisdiction clients includes:
- Identity verification: Australian passport or driver's licence for Australian residents; foreign passport, ImmiCard or government-issued photo ID for international clients โ with additional independent verification for clients from grey-listed jurisdictions
- Source of funds and source of wealth: Documentary evidence (bank statements, ATO tax assessments, property settlement statements, trust deeds) establishing the origin of funds and broader wealth
- Senior management sign-off: The commencement of a business relationship with a high-risk jurisdiction customer should be approved by a senior compliance officer or the MLRO
- Ongoing enhanced monitoring: Increased frequency of periodic reviews and enhanced parameters in transaction monitoring systems
Industry data: According to the ACFE 2024 Report to the Nations, fraud remains undetected for an average of 87 days without enhanced controls. Enhanced monitoring of high-risk jurisdiction clients significantly reduces this exposure.
Suspicious Matter Reports (SMRs) to AUSTRAC
Under section 41 of the AML/CTF Act, a reporting entity must submit an SMR to AUSTRAC "as soon as practicable" โ and in any case within 24 hours for terrorism financing suspicions โ when there are reasonable grounds to suspect a matter involves proceeds of crime or terrorist financing.
For transactions involving FATF blacklisted countries (DPRK, Iran, Myanmar), an SMR is warranted regardless of amount. DPRK and Iran are also subject to targeted financial sanctions administered by the Department of Foreign Affairs and Trade (DFAT). Australia implements UN Security Council sanctions โ violating these carries criminal penalties under the Charter of the United Nations Act 1945.
Australia's 2026 AML/CTF Reform Context
Australia's AML/CTF Act is undergoing significant reform, with AUSTRAC publishing implementation guidance in anticipation of a 2026 FATF mutual evaluation. Key reforms relevant to high-risk jurisdictions:
- Tranche 2 entities: Lawyers, accountants, real estate agents and trust and company service providers will become reporting entities โ expanding the population of firms required to conduct country risk assessments
- Modernised ECDD triggers: The 2025โ2026 AML/CTF reforms clarify when ECDD is required, including an explicit reference to FATF high-risk jurisdiction status
- AUSTRAC's regulatory expectations (2026): AUSTRAC published updated regulatory expectations in February 2026, emphasising that grey-list country risk assessments must be documented and defensible upon examination
The CheckFile platform covers 32 jurisdictions and supports over 3,200 document types, enabling Australian reporting entities to efficiently verify foreign identity documents from grey-listed jurisdictions as part of ECDD processes.
Australian Privacy Act 1988 and Identity Document Collection
Collection of enhanced due diligence documentation must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs). Key points:
- APP 3: Collecting personal information โ only collect what is reasonably necessary for ECDD compliance
- APP 8: Cross-border disclosure โ foreign identity document verification involving overseas data transfer must comply with APP 8 or use an approved exception
- Retention: Reporting entities must retain CDD/ECDD records for 7 years under AML/CTF Rule Part 10
The Office of the Australian Information Commissioner (OAIC) has published guidance on the interaction between AML/CTF obligations and Privacy Act requirements.
Operational Steps: Updating Your Australian AML/CTF Programme
| Action | Timing | Owner |
|---|---|---|
| Review AUSTRAC FATF update notice | Within 24 hours of publication | MLRO / Compliance |
| Update country risk assessment | Within 10 business days | Compliance team |
| Trigger ECDD review for affected customers | Within 30 days | Compliance / relationship managers |
| Update transaction monitoring thresholds | Within 60 days | Analytics / IT |
| Update AML/CTF Programme document | At next annual review (or sooner if material change) | MLRO |
For detailed EDD processes, see our enhanced due diligence guide. For sanctions screening integration, see our sanctions screening guide.
Sectors With Elevated FATF Country Risk in Australia
| Sector | Specific risk | Recommended measure |
|---|---|---|
| Banks and credit unions | Correspondent banking, SWIFT payments | Counterparty screening + beneficial owner verification |
| Money remitters (MSBs) | Remittances to grey-listed countries | ECDD + SMR for unusual patterns |
| Real estate agents (Tranche 2) | Foreign buyers, cash transactions | CDD at contract stage; EDD for high-risk jurisdictions |
| Crypto exchanges (AUSTRAC-registered) | Pseudonymity, cross-border flows | Travel Rule + blockchain analytics |
| Accountants and lawyers (Tranche 2) | Offshore structures in listed jurisdictions | ECDD + refusal if documentation insufficient |
Frequently Asked Questions
Does AUSTRAC require automatic ECDD for all customers from FATF grey-listed countries?
The AML/CTF Act creates a statutory ECDD obligation for customers from countries the FATF has called for enhanced CDD (blacklisted countries). For grey-listed countries, AUSTRAC's guidance directs reporting entities to "apply a high-risk rating" โ which in practice requires ECDD proportionate to the customer's overall risk profile.
What is Australia's Tax File Number (TFN) role in AML compliance?
TFN is a tax identifier, not a primary AML identity document. For AML purposes, primary ID is a driver's licence, passport, or other government-issued photo ID. TFN can be used as a secondary identifier when cross-referencing with ATO records in EDD.
How do Australia's AML/CTF reforms affect Tranche 2 entities from 2026?
Lawyers, accountants, real estate agents and others becoming reporting entities under the 2025โ2026 AML/CTF reforms will need to implement full AML/CTF programmes โ including risk assessments that incorporate FATF country risk. AUSTRAC's phased implementation guidance provides transition timelines and compliance expectations.
What are the penalties for inadequate AUSTRAC country risk compliance?
AUSTRAC can impose civil penalties up to AUD $22.2 million for serious programme deficiencies, and criminal penalties apply for deliberate non-compliance. AUSTRAC has demonstrated willingness to apply large penalties โ notably in the Westpac (AUD $1.3 billion) and CBA (AUD $700 million) enforcement actions.
How should we handle a customer whose country becomes grey-listed after onboarding?
This is a re-assessment triggering event: review the customer's KYC file, apply ECDD if not already in place, document the review, and if EDD cannot be applied (uncooperative customer, insufficient documentation), exit the relationship and file an SMR with AUSTRAC.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.