Summary
The FATF grey list is the operational name for FATF's Jurisdictions under Increased Monitoring list. As of the FATF statement published on 13 February 2026, the list contains 22 jurisdictions. Kuwait and Papua New Guinea were added in that update; no jurisdictions were removed.
From an MLRO perspective, the list is not a reject list and it is not a sanctions list. It is a country-risk input. Use it to decide whether customer risk scoring, review cadence, transaction-corridor monitoring, beneficial ownership checks, or case escalation should change for customers with a real connection to a listed jurisdiction.
Small jurisdictions such as Monaco and the British Virgin Islands may not be visible on this world-map projection.
Last checked: 14 June 2026 Latest official FATF increased-monitoring update covered here: 13 February 2026 Added: Kuwait and Papua New Guinea Removed: none in the February 2026 update Current grey-list count: 22 jurisdictions
FATF states that it does not call for enhanced due diligence measures to be applied to grey-listed jurisdictions as a class. Grey-list exposure should be treated as a geographic risk input for AML risk assessment, customer review, ongoing monitoring, and case escalation where the broader risk profile justifies it.
Latest FATF update
FATF's increased-monitoring statement dated 13 February 2026 added Kuwait and Papua New Guinea. The statement did not announce removals. FATF also noted that Haiti and Syria deferred reporting, so previous statements for those jurisdictions remain included while they stay on the list.
FATF announced a June 2026 plenary for 17-19 June 2026, with outcomes to be published after the meeting. As of 14 June 2026, the February 2026 list remained the latest published FATF list update.
For broader implementation priorities beyond the country list, see the FATF 2026 Compliance Playbook.
| Item | Current position |
|---|---|
| Latest official increased-monitoring statement | 13 February 2026 |
| Countries added | Kuwait, Papua New Guinea |
| Countries removed | None announced in the February 2026 update |
| Current call-for-action countries | Democratic People's Republic of Korea, Iran, Myanmar |
Current FATF grey list countries
These are the jurisdictions listed by FATF under increased monitoring in the 13 February 2026 statement.
| Jurisdiction | FATF status |
|---|---|
| Algeria | Jurisdiction under increased monitoring |
| Angola | Jurisdiction under increased monitoring |
| Bolivia | Jurisdiction under increased monitoring |
| Bulgaria | Jurisdiction under increased monitoring |
| Cameroon | Jurisdiction under increased monitoring |
| Côte d'Ivoire | Jurisdiction under increased monitoring |
| Democratic Republic of the Congo | Jurisdiction under increased monitoring |
| Haiti | Jurisdiction under increased monitoring |
| Kenya | Jurisdiction under increased monitoring |
| Kuwait | Added to increased monitoring in February 2026 |
| Lao PDR | Jurisdiction under increased monitoring |
| Lebanon | Jurisdiction under increased monitoring |
| Monaco | Jurisdiction under increased monitoring |
| Namibia | Jurisdiction under increased monitoring |
| Nepal | Jurisdiction under increased monitoring |
| Papua New Guinea | Added to increased monitoring in February 2026 |
| South Sudan | Jurisdiction under increased monitoring |
| Syria | Jurisdiction under increased monitoring |
| Venezuela | Jurisdiction under increased monitoring |
| Vietnam | Jurisdiction under increased monitoring |
| Virgin Islands (UK) | Jurisdiction under increased monitoring |
| Yemen | Jurisdiction under increased monitoring |
FATF grey list vs call-for-action list
FATF separates Jurisdictions under Increased Monitoring from High-Risk Jurisdictions subject to a Call for Action.
The grey list is not a sanctions list and it is not the same as FATF's call-for-action list. Treat it as a country-risk signal that should feed a risk-based AML review.
| FATF list | What it means | Current jurisdictions |
|---|---|---|
| Jurisdictions under Increased Monitoring | Strategic deficiencies exist, but the jurisdiction has committed to resolve them under FATF monitoring. This is commonly called the grey list. | Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), Yemen |
| High-Risk Jurisdictions subject to a Call for Action | Serious strategic deficiencies. FATF calls for enhanced due diligence, and in the most serious cases countermeasures. | DPRK, Iran, Myanmar |
For DPRK and Iran, FATF calls for countermeasures. For Myanmar, FATF calls for enhanced due diligence proportionate to the risks.
What an MLRO should do with the grey list
Grey-list status is a material jurisdiction risk signal. It should not be treated as an automatic rejection rule or a blanket EDD trigger. The defensible position is to show that the firm considered the FATF update, identified affected exposure, and applied proportionate controls where the wider customer or transaction profile justified them.
In a risk-based AML program, grey-list exposure matters when a customer, beneficial owner, director, counterparty, transaction corridor, source of funds, source of wealth, or business activity has a meaningful link to a listed jurisdiction.
Update country risk and customer risk
After each FATF plenary, compliance teams should check whether the country-risk model and customer-risk settings need a refresh. A grey-list update can affect:
- customer country or incorporation risk;
- beneficial owner residence or nationality risk;
- payment corridor or transaction-counterparty risk;
- source-of-funds and source-of-wealth review;
- sector and delivery-channel risk;
- review cadence and monitoring intensity.
Decide whether EDD is justified
FATF says it does not call for enhanced due diligence measures to be applied to grey-listed jurisdictions as a class. That matters: applying EDD to every customer solely because of nationality or incorporation can create over-compliance and weak decision records.
Grey-list exposure should trigger reassessment, not automatic rejection. Where the wider profile supports it, the firm can apply targeted review, additional information gathering, closer ongoing monitoring, or case escalation.
Keep evidence of the decision
The key audit question is not only whether the firm screened the list. It is whether the firm can show:
- which customers, UBOs, counterparties, or corridors were affected;
- whether the change altered the customer-risk assessment;
- whether EDD, standard review, ongoing monitoring, or no action was chosen;
- who reviewed the decision;
- what evidence supports the final outcome.
This is where software workflows matter. A practical control stack connects:
- sanctions screening for sanctions and call-for-action exposure;
- PEP screening for public-role and RCA risk;
- adverse media screening for negative news and regulatory signals;
- ongoing monitoring for changes after onboarding;
- case management for documented review and escalation;
- audit evidence for proportionate decision records.
What not to say in policy or customer review
Do not say that FATF grey-list status means automatic rejection. FATF says its standards do not envisage de-risking or cutting off entire classes of customers.
Do not say that every customer from a grey-listed jurisdiction automatically requires enhanced due diligence. FATF says it does not call for enhanced due diligence measures to be applied to increased-monitoring jurisdictions as a class.
Do not equate the grey list with the call-for-action list. FATF publishes them as separate classifications with different operational implications.
Operational checklist for grey-list changes
A defensible FATF-related country-risk process should combine source updates, customer and UBO data, transaction context, and review evidence.
- Track FATF increased-monitoring and call-for-action updates after each FATF plenary.
- Map customer, beneficial owner, counterparty, source-of-funds, and transaction-corridor exposure to listed jurisdictions.
- Identify customers whose CRA score, risk tier, review cadence, or monitoring profile may need recalculation.
- Apply proportionate controls based on the full customer and transaction profile.
- Use sanctions, PEP, adverse media, and beneficial ownership checks to add context.
- Document reviewer, rationale, escalation, final decision, and supporting evidence in a case record.
FAQ
What is the FATF grey list?
The FATF grey list is the common name for FATF's Jurisdictions under Increased Monitoring list. It includes jurisdictions with strategic AML/CFT/CPF deficiencies that have committed to resolve them within agreed timeframes.
Which countries are currently on the FATF grey list?
As of the 13 February 2026 FATF statement, the list includes Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), and Yemen.
Which countries were added in the latest FATF update?
Kuwait and Papua New Guinea were added in the 13 February 2026 FATF update.
Which countries were removed in the latest FATF update?
FATF did not announce removals in the February 2026 increased-monitoring update.
What is the difference between the FATF grey list and the FATF call-for-action list?
The grey list covers jurisdictions under increased monitoring that have committed to address strategic deficiencies. The call-for-action list covers high-risk jurisdictions with serious strategic deficiencies. FATF calls for enhanced due diligence for high-risk jurisdictions and countermeasures in the most serious cases.
Which countries are currently subject to a FATF call for action?
The current call-for-action countries are Democratic People's Republic of Korea, Iran, and Myanmar. DPRK and Iran are subject to countermeasures. Myanmar is subject to enhanced due diligence proportionate to the risk.
Does FATF grey-list status require enhanced due diligence for every customer?
No. FATF says it does not call for enhanced due diligence measures to be applied to grey-listed jurisdictions as a class. Grey-list exposure should be assessed through a risk-based approach.
Does FATF grey-list status mean a business relationship must be rejected?
No. FATF says its standards do not envisage de-risking or cutting off entire classes of customers. Grey-list exposure is a risk factor, not an automatic rejection rule.
How should grey-list exposure affect ongoing monitoring?
Grey-list exposure can justify closer monitoring where the overall customer, transaction, corridor, or counterparty profile is higher risk. It can also be used as a trigger for customer-risk reassessment when FATF adds or removes jurisdictions.