What is the difference between FATF blacklist and greylist?
Quick answer
The FATF blacklist (officially "High-Risk Jurisdictions subject to a Call for Action") names countries whose AML/CFT failures are so severe that FATF calls for active countermeasures. The greylist ("Jurisdictions under Increased Monitoring") covers countries actively fixing deficiencies under FATF supervision. Both require enhanced due diligence from banks.
The full answer
The FATF blacklist and greylist are distinct designations with different legal implications for financial institutions.
The blacklist is FATF's "High-Risk Jurisdictions subject to a Call for Action." Three countries appear as of early 2025: Iran, North Korea (DPRK), and Myanmar. FATF Recommendation 21 calls explicitly for countermeasures against blacklisted jurisdictions. That's a stronger requirement than enhanced due diligence. In practice, it means most banks exit correspondent relationships, block all incoming and outgoing payments, and treat any transaction touching those jurisdictions as presumptively suspicious. For Iran and North Korea, U.S. banks also face OFAC primary sanctions, which carry criminal penalties and are entirely separate from the FATF framework.
The greylist (officially "Jurisdictions under Increased Monitoring") operates differently. Countries on it have acknowledged strategic AML/CFT deficiencies and signed a formal FATF action plan with defined timelines. FATF reviews progress at each of its three annual Plenaries. Countries do exit: the UAE left in February 2024, Bulgaria in June 2023. As of the June 2024 Plenary, more than 20 jurisdictions remained on the list, including Nigeria, the Philippines, South Africa, and Vietnam.
The key legal distinction: greylist status triggers FATF Recommendation 19 (enhanced due diligence), not Recommendation 21 (countermeasures). Banks must apply EDD. They don't have to exit relationships unless their own risk appetite or local regulators require it.
Both lists are published by FATF and updated three times a year.
How the EU and US implement these designations
The European Commission maintains a parallel "High-Risk Third Countries" list under the EU Anti-Money Laundering Directives. It's based on the FATF list but not identical. The Commission has kept countries on its list after FATF removed them when it judged that EU-specific risks remain.
In the U.S., FinCEN issues advisories when FATF updates its lists. The Federal Reserve and OCC incorporate FATF designations into examination guidance. A bank that can't demonstrate country-level risk differentiation in its AML program during an exam is likely to receive a finding.
Practical difference at the account level
When a new customer arrives with an address or beneficial ownership tied to a blacklisted country, the answer from most banks is no. Onboarding Iran-linked entities violates OFAC prohibitions regardless of FATF.
For greylisted countries, the answer depends on the bank's risk appetite and the specific customer profile. A retail customer from Nigeria doesn't automatically get declined. But EDD applies: source of funds documentation, beneficial ownership verification to a higher standard, and enhanced transaction monitoring. Customer risk ratings should be refreshed whenever a country's FATF status changes. If a country exits the greylist, accounts tied to it need re-scoring. If a previously low-risk country gets added, those accounts need immediate attention.
What examiners look for
In an AML exam, regulators expect banks to document how FATF designations flow through their programs. Specifically: is there a country risk matrix that distinguishes blacklisted from greylisted jurisdictions? Are transaction monitoring rules calibrated differently? When FATF updates its lists, how quickly does the bank update its controls?
A bank discovering a new addition three months after publication will get questions. Examiners have issued findings at banks that applied the same monitoring rules to greylisted countries as to low-risk jurisdictions. The consequences of a failed AML exam can include formal enforcement actions and mandatory remediation programs.
The mechanics of sanctions screening matter here too. OFAC lists, UN lists, and FATF country designations are separate frameworks that banks must run in parallel. A transaction can clear OFAC screening and still require EDD because the counterparty's country is on the FATF greylist.
The OFAC 50 percent rule and FATF designations
One area where the two frameworks interact is beneficial ownership. OFAC's 50 percent rule requires blocking transactions where sanctioned entities own 50% or more of an entity, even if that entity isn't itself named on a list. If that entity also operates from a FATF-greylisted country, the bank faces both a sanctions screening question and an EDD obligation simultaneously.
AML transaction monitoring systems need separate rule sets for greylisted jurisdictions and automatic escalation for blacklisted ones. One catch-all geographic flag is a common and examinable gap.
Why this matters
Missing a FATF designation update isn't theoretical. In 2022, FinCEN issued advisories following Russia-related designation changes. Banks that hadn't updated their screening quickly faced examiner pressure to justify the lag.
The greylist is particularly dynamic. Countries move on and off after each Plenary. A compliance team that checks the FATF list once a year is undermonitoring.
For correspondent banking, the distinction is significant. Correspondent relationships with banks domiciled in greylisted countries require documented risk assessments and, often, enhanced due diligence on the correspondent's own AML program. Elevated country risk exposure is often among the triggers for a regulatory exam. A bank with heavy transaction volumes through greylisted jurisdictions is more likely to receive enhanced scrutiny.
False positive rates in sanctions screening are a related operational problem. Country-based rules can flood alert queues if poorly calibrated. The fix is precision: separate rule logic for blacklisted versus greylisted countries, tuned to actual transaction patterns, not a single geographic flag.
SAR filing is a downstream question too. Transactions involving greylisted jurisdictions that meet the suspicious activity threshold still require timely filing. The country designation doesn't change the SAR clock.