FATF Grey List 2026: Current Jurisdictions & Risk Implications

The FATF maintains two public lists of jurisdictions with strategic AML/CFT deficiencies — the high-risk 'Black List' (Iran, North Korea, Myanmar) and the broader 'Grey List' of jurisdictions under increased monitoring. Inclusion on either list drives EDD obligations across every regulated firm in every other jurisdiction. This guide covers the current Grey List, what listing operationally means, and the supervisory expectations on firms with Grey List exposure.

Published: May 2026 | Category: Regulations | Read time: ~12 minutes

Quick Answer

The FATF Grey List — formally 'Jurisdictions under Increased Monitoring' — identifies countries that have committed to addressing strategic AML/CFT deficiencies within agreed timeframes. Listing is reviewed three times annually at FATF plenary meetings (typically February, June and October). As of the most recent plenary in early 2026, the Grey List includes (approximately, subject to plenary updates): Bulgaria, Burkina Faso, Cameroon, Côte d'Ivoire, Croatia, Democratic Republic of the Congo, Haiti, Kenya, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, and Yemen. The Black List ('High-Risk Jurisdictions subject to a Call for Action') currently contains Iran, the Democratic People's Republic of Korea (DPRK), and Myanmar. Listing triggers Enhanced Due Diligence obligations on customers, transactions and counterparties connected to the listed jurisdictions across every regulated firm globally. The operational impact is significant: customers from Grey-Listed jurisdictions face higher onboarding friction, transaction patterns through them face enhanced monitoring, and counterparty relationships often face restriction or termination.

The FATF Grey List functions as a coordinated supervisory pressure mechanism. Listing is consequential — it signals to the global financial system that the listed jurisdiction has been formally identified as having strategic deficiencies and is operating under specific commitments to address them. The financial-flow consequences of listing are substantial: cross-border investment slows, correspondent banking relationships face pressure, customers and counterparties in the jurisdiction encounter friction in routine financial activity. The pressure is intentional — the framework's theory of change is that the operational cost of listing motivates the jurisdiction to implement the required reforms quickly.

For compliance teams, the Grey List is a live operational input. Every customer, counterparty and transaction touching a listed jurisdiction enters an elevated-risk category requiring documented EDD. The list changes regularly — adding or removing jurisdictions at each plenary — and compliance programmes need to track the updates and reflect them in their risk frameworks. The guide below covers the listing mechanics, the current state, and the operational implications.

How FATF Listing Works

FATF operates two public lists with distinct meanings and operational implications:

The Black List — 'High-Risk Jurisdictions Subject to a Call for Action'. Reserved for jurisdictions where FATF assesses that the strategic deficiencies are severe enough to warrant active counter-measures. The Call for Action calls on FATF members and other jurisdictions to apply counter-measures to protect the international financial system from the AML/CFT risks emanating from the listed jurisdiction. Current Black List jurisdictions: Iran, DPRK (North Korea), Myanmar. The Iran and DPRK listings have been stable for over a decade; Myanmar was added in October 2022 following the 2021 military coup.

The Grey List — 'Jurisdictions Under Increased Monitoring'. For jurisdictions that have strategic deficiencies but have provided high-level political commitment to address them within agreed timeframes. The listing signals heightened risk without rising to Black-List counter-measures. Listed jurisdictions work with FATF on an action plan; progress is reviewed at each plenary; jurisdictions exit the list when FATF determines they have substantially addressed the deficiencies.

The listing process. Jurisdictions are listed primarily as a result of the FATF Mutual Evaluation process: peer reviews assessing compliance with the 40 Recommendations and the operational effectiveness of the AML/CFT framework. Jurisdictions with significant deficiencies enter follow-up processes; sustained failure to address deficiencies escalates to Grey List inclusion. Listing decisions are made by the FATF plenary, by consensus among the 40 FATF members, and are typically preceded by working-group analysis.

Exit from listing. Grey List exit requires demonstration that the action plan has been substantially implemented — including, importantly, that the implementation is operational rather than only legislative. The exit process is bilateral between FATF and the listed jurisdiction, with sustained engagement and verification. Recent exits include Mauritius (2021), Botswana (2021), the Cayman Islands (2023), Panama (2023), the United Arab Emirates (2024), and several others. Average time on the Grey List is approximately 2–3 years.

What Listing Means Operationally

The operational implications of FATF listing flow through national regulatory frameworks. Different jurisdictions implement the listing implications differently, but the structural pattern is consistent:

  • EDD on customers from Black-Listed jurisdictions. Mandatory enhanced due diligence is the floor in essentially every regulated framework globally. Many firms apply effective restriction or termination policies — refusing new relationships and considering termination of existing ones. The operational reality is that doing business with customers in Iran, DPRK or Myanmar requires substantial compliance investment and acceptance of significant residual risk.
  • EDD on customers from Grey-Listed jurisdictions. Most regulatory frameworks (EU AMLR, MAS Notice 626, UK MLR 2017, FinCEN guidance, AUSTRAC AML/CTF Rules) require enhanced due diligence on customers from Grey-Listed jurisdictions. The EDD includes deeper source of funds verification, more frequent CDD review, lower transaction monitoring thresholds, and senior management approval for higher-risk relationships.
  • Counter-measures for Black-Listed jurisdictions. Beyond EDD, firms typically apply specific counter-measures: prohibition on correspondent banking relationships, prohibition on certain types of transactions, enhanced monitoring of all activity involving the jurisdiction. The counter-measures align with FATF's Call for Action and with national sanctions frameworks (which often impose tighter restrictions than FATF itself requires).
  • Correspondent banking pressure. Banks providing correspondent services to institutions in listed jurisdictions face supervisory expectation to perform enhanced due diligence on the correspondent and to monitor the activity flowing through the relationship. Many correspondent relationships terminate following Grey List inclusion of the respondent's home jurisdiction — the operational cost of maintaining the relationship under EDD often exceeds the commercial value.
  • Customer-base review on listing changes. When a jurisdiction is added to the Grey List, regulated firms typically conduct a review of their existing customer base in that jurisdiction — applying EDD retroactively to relationships that did not require it before listing. When a jurisdiction exits the Grey List, the EDD obligations relax but the firm's documentation should reflect the timeline of the change.

Current Grey List (Early 2026)

The Grey List composition changes at each plenary; the snapshot below reflects the most recent confirmed listing at the time of writing and should be verified against FATF's public listings before operational use. Recent additions, retentions and removals worth understanding:

  • Long-standing listings: Several jurisdictions have been on the Grey List for multiple cycles — Burkina Faso, Cameroon, Haiti, Mali, South Sudan, Syria, Yemen, DR Congo. The persistence reflects the difficulty of operational AML/CFT reform in jurisdictions facing concurrent governance challenges.
  • Significant 2024–2025 additions: Venezuela was added in mid-2024 following sustained concerns about its AML/CFT framework. Monaco was added in mid-2024, with the listing reflecting specific deficiencies in beneficial ownership transparency and the supervision of high-value sectors. Croatia was added in mid-2024 on similar grounds.
  • Recent removals: The United Arab Emirates exited the Grey List in February 2024 after substantial implementation of its action plan. Türkiye exited in late 2023. Albania and Jordan both exited in October 2023. These removals reflect concentrated implementation effort and demonstrate that exit is achievable.
  • Major-economy listings: Several G20-adjacent jurisdictions are or have recently been on the Grey List — South Africa (October 2023, still listed at time of writing), the Philippines (2021, still listed), Nigeria, Vietnam. The presence of significant economies on the list emphasises that listing is not limited to small or developing jurisdictions.

The full current list, the specific deficiencies identified for each jurisdiction, and the action plans agreed are published at fatf-gafi.org and updated after each plenary. Compliance teams should integrate the FATF site as a primary jurisdictional risk source and re-run their risk assessments following each plenary update.

EDD Expectations on Grey-Listed Exposure

Where the firm has customer or transaction exposure to Grey-Listed jurisdictions, EDD expectations include:

  • Enhanced identification. Beneficial ownership verified through independent sources where available; identity document verification using more rigorous standards; in-person or supervised remote verification where the regulatory framework permits.
  • Source of funds and source of wealth. Documented and verified with independent evidence proportionate to the relationship's size and complexity. For higher-value relationships, this includes tax records, asset documentation, business activity verification.
  • Purpose and intended nature of the relationship. Documented in detail — what the customer will use the relationship for, expected transaction volumes, counterparties, jurisdictions. The documented expectations become the baseline for transaction monitoring.
  • Senior management approval. Onboarding decisions for higher-risk Grey-List-exposed customers escalated to senior management, with the decision and supporting rationale documented in the customer file.
  • Enhanced transaction monitoring. Lower thresholds for alert generation; more granular review of patterns; customer-specific baselining applied with tighter deviation tolerances. The transaction monitoring rules should explicitly flag activity involving listed jurisdictions.
  • More frequent CDD refresh. Annual or more frequent review of higher-risk Grey-List-exposed relationships, with full re-documentation rather than periodic update.
  • Specific sanctions and adverse-media screening. Enhanced screening on customers and counterparties from listed jurisdictions, including against country-specific lists where applicable (US Treasury Department designations, EU Council Regulations, national sanctions frameworks).

The EDD evidence becomes the answer to inspection questions about jurisdictional risk management. Programmes that document their methodology and apply it consistently across the customer base have a defensible position; programmes that flag listed jurisdictions without operational follow-through accumulate findings.

Operational Patterns That Work

Five operational practices distinguish well-functioning Grey-List management from documentation-only approaches:

  • Automated re-screening on listing changes. When the FATF plenary changes the Grey List, the firm's customer base should be re-screened against the new list automatically. Customers newly in scope receive EDD treatment; customers exiting scope have their classifications updated with documentation.
  • Integration with broader country-risk matrix. FATF listing is one input into a broader country-risk matrix that also reflects sanctions exposure, Transparency International CPI scores, Basel AML Index ratings, and the firm's own historic loss experience by jurisdiction. The integrated matrix drives EDD scoping rather than FATF listing alone.
  • Distinct treatment of Black List vs Grey List. Programmes that treat Black-Listed jurisdictions and Grey-Listed jurisdictions identically are over-restricting one category or under-restricting the other. The two listings have substantively different supervisory implications and should drive different operational responses.
  • Customer engagement on EDD-relevant changes. When the firm's risk classification of a customer changes because of a jurisdictional listing update, the customer should typically be informed of the resulting requirements (additional documentation, more frequent review). The communication can be operational rather than legal in tone.
  • Tracking jurisdiction-specific action plan progress. Where a customer's home jurisdiction is on the Grey List, the firm can track the jurisdiction's progress against its FATF action plan as part of its ongoing risk assessment. Jurisdictions making genuine progress represent declining risk; jurisdictions stagnating represent stable or rising risk.

For broader AML platform context see our AML/CFT solution, and for the predicate-offence framework that intersects with jurisdictional risk see our 6AMLD guide.

Jurisdictional Risk, Operationally Managed

One Constellation supports Grey List management with automated country-risk scoring, customer re-screening on plenary updates, and integrated EDD workflow — turning jurisdictional listing changes into operational responses rather than spreadsheet exercises.
