FATF High-Risk Countries 2026: AML Compliance Obligations

FATF Black and Grey Lists 2026: Compliance Impact for Obliged Entities

As of 13 February 2026, the Financial Action Task Force (FATF) keeps three countries on its blacklist — North Korea, Iran and Myanmar — and 22 jurisdictions under increased monitoring (the grey list), including Algeria, Bulgaria, Kenya, Kuwait, Lebanon, Syria, Venezuela and Vietnam. These designations carry direct, immediate obligations for UK-regulated firms under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the broader anti-financial crime framework supervised by the FCA, HMRC and the National Crime Agency.

Regulatory baseline: Under MLR 2017 Regulation 33, obliged entities must apply enhanced customer due diligence (ECDD) in any situation presenting a higher risk of money laundering or terrorist financing — including when a customer, beneficial owner or correspondent is established in a country identified as having strategic AML/CTF deficiencies by the FATF. The FCA's Financial Crime Guide (FCG) references FATF lists as a primary country-risk indicator.

---

What the FATF Is and Why Its Lists Matter

The FATF is the Paris-based intergovernmental body, established in 1989, that sets the global standards for combating money laundering (ML), terrorist financing (TF) and proliferation financing (PF). Its 40 Recommendations underpin national legislation — including the UK's MLR 2017 — and all EU AML directives.

FATF updates its lists three times per year following plenary sessions in February, June and October. Two distinct documents are published:

Critical distinction: The blacklist calls for countermeasures (restricting transactions, enhanced correspondent banking requirements), while the grey list requires proportionate enhanced due diligence. The FATF explicitly states it does not call for the wholesale termination of business relationships with grey-listed countries.

---

FATF Grey List: The 22 Jurisdictions Under Increased Monitoring (February 2026)

The following countries have made high-level commitments to FATF to resolve identified deficiencies in their AML/CTF/PF frameworks:

Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d'Ivoire, Democratic Republic of Congo, Haiti, Kenya, Kuwait, Laos, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, British Virgin Islands, Yemen.

February 2026 additions: Kuwait and Papua New Guinea were added to the grey list at the February 2026 plenary for strategic deficiencies in their AML/CTF/CPF frameworks.

Recent removals: Countries that complete their FATF action plans are removed after a successful on-site review confirming sustained improvements. The list changes at every plenary — quarterly monitoring is essential to keep your country risk matrices current.

---

Concrete Obligations for UK-Regulated Firms

The presence of a counterparty linked to a FATF-listed jurisdiction triggers specific obligations under the UK AML framework.

Enhanced Customer Due Diligence: What It Requires

Under MLR 2017 Regulations 33–37 and the FCA's Financial Crime Guide (FCG 3.2), enhanced due diligence includes:

• Additional documentary evidence: secondary identity documents, certified copies, independent verification of residential address
• Source of funds and source of wealth: documentary evidence of the origin of funds involved in the transaction and the customer's broader wealth (bank statements, asset disposal records, tax returns)
• Senior management approval: the business relationship must be approved by a senior manager or MLRO before it commences
• Ongoing enhanced monitoring: increased frequency and depth of periodic reviews and transaction monitoring

Industry benchmark: According to the ACFE 2024 Report to the Nations, fraud goes undetected for an average of 87 days in organisations without enhanced controls. Continuous enhanced monitoring of clients linked to high-risk jurisdictions materially reduces detection time.

Suspicious Activity Reports to the NCA

Transactions involving FATF blacklisted countries (North Korea, Iran, Myanmar) require a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) via ukfinancialintelligencev.uk before proceeding, under the consent SAR regime established by the Proceeds of Crime Act 2002 (POCA). For grey-listed countries, the SAR threshold is effectively lowered and the JMLSG guidance requires documented rationale for any decision not to report.

Practical rule: Any payment routed through or to/from North Korea, Iran or Myanmar must be frozen and reported regardless of amount, as these jurisdictions are subject to FATF Recommendation 19 countermeasures.

---

The EU Dimension: Delegated Regulation on High-Risk Third Countries

Post-Brexit, UK firms follow UK law rather than EU delegated regulations. However, EU-regulated entities they transact with (correspondent banks, EU branches) apply the EU list of high-risk third countries published under Article 9 of AMLD4 (extended in AMLD6). The EU list can diverge from the FATF grey list.

January 2026 update: A new EU delegated regulation entered into force on 29 January 2026, updating the list of high-risk third countries under EU AML law. UK firms engaging with EU counterparties should understand how this list affects their correspondents' obligations and the resulting friction on cross-border transactions.

For UK compliance teams: Monitor both:

1. The FATF lists (updated three times/year) — binding reference under MLR 2017
2. The EU delegated regulation list — affects EU counterpart behaviour and correspondent banking access
3. The OFAC SDN list and UK financial sanctions list for sanctions screening

---

Operational Impact: Updating Your AML Programme

Country Risk Matrix Updates

Every FATF plenary update requires a review of your country risk matrices. Best practice is an automated monitoring process triggered within 48 hours of the official publication.

The CheckFile platform covers 32 jurisdictions and supports over 3,200 document types, enabling rapid verification of document nationality and coherence checks on identity documents issued by listed countries — a critical control in high-volume onboarding workflows.

Existing Customer Remediation (KYC Refresh)

A country being added to the FATF grey list is a triggering event for KYC remediation of existing customers with connections to that jurisdiction. Your policies should specify:

• A remediation timeline (typically 30–90 days depending on the customer's risk profile)
• A provisional freeze process for non-responsive customers
• An exit procedure if enhanced due diligence cannot be applied

For detailed guidance on remediation processes, see our enhanced due diligence guide.

Correspondent Banking Risk

For regulated banks, grey-listed countries present a specific correspondent banking risk. Correspondent banks worldwide apply immediate enhanced due diligence when a country is grey-listed — and in severe cases restrict or terminate correspondent relationships. This is distinct from your own EDD obligations and affects your ability to process payments for customers with connections to those jurisdictions.

Our sanctions screening guide covers the intersection of sanctions lists and FATF designations in detail.

---

Sectors Particularly Exposed to FATF High-Risk Country Risk

---

Frequently Asked Questions

How often does FATF update its high-risk country lists?

FATF publishes updates three times per year following plenary sessions, typically in February, June and October. Subscribe to official notifications at fatf-gafi.org to receive updates as soon as they are published.

Is the FATF grey list the same as the EU list of high-risk third countries?

No. The European Commission publishes its own list via delegated regulations, which may include countries not listed by FATF or exclude some FATF-listed countries. UK firms (post-Brexit) follow MLR 2017 which references FATF lists, but should also monitor the EU list for its impact on EU counterparties.

Do I need to terminate all relationships with customers from grey-listed countries?

No. FATF explicitly does not call for wholesale termination of business relationships. The grey list requires proportionate enhanced due diligence. However, if EDD cannot be applied — due to an uncooperative customer or insufficient documentation — you must decline or exit the relationship under MLR 2017 Regulation 31.

What are FATF countermeasures and when do they apply?

Countermeasures apply exclusively to blacklisted countries (North Korea, Iran, Myanmar). They may include: prohibiting or restricting transactions, applying enhanced scrutiny to all transactions, requiring detailed reporting, or requiring correspondent banks to implement additional controls. In the UK, specific countermeasures are implemented via financial sanctions regulations and HMRC/FCA guidance.

How can I automate FATF country risk monitoring?

Options include: subscribing to FATF email alerts, integrating a sanctions/country risk API that includes FATF updates, or using a document verification platform like CheckFile that embeds country risk checks into onboarding flows. See our compliance guide for a full framework overview.