What is the difference between FATF blacklist and greylist?
Quick answer
The FATF blacklist covers jurisdictions with severe AML/CFT failures where counter-measures are recommended. The greylist covers countries that have committed to fixing deficiencies under FATF monitoring with agreed action plans. Both require enhanced due diligence from banks, but blacklisted jurisdictions face the strictest controls and frequently lose correspondent banking access.
The full answer
The FATF blacklist and greylist are both public warnings, but they signal very different things about a country's AML/CFT status and what your bank must do about it.
Blacklist: High-Risk Jurisdictions Subject to a Call for Action
The blacklist is reserved for countries with severe, unaddressed AML/CFT failures. "Unaddressed" is the word that matters here. North Korea, Iran, and Myanmar (as of 2025) are on this list not simply because their financial systems have problems, but because FATF determined those governments either aren't engaging meaningfully or aren't making credible progress. FATF explicitly calls on member countries to apply counter-measures. In practice, most banks won't touch transactions originating from or destined to these jurisdictions. Correspondent banks withdraw. Trade finance dries up.
Greylist: Jurisdictions Under Increased Monitoring
The greylist works differently. Countries land here when FATF identifies strategic deficiencies, but the country has committed to a remediation plan with an agreed timeline. It's an active process, not a condemnation. A wire arriving from a greylisted country isn't automatically a red flag; it's a trigger for enhanced due diligence.
The greylist has included over 20 countries at various times, across Sub-Saharan Africa, Southeast Asia, Eastern Europe, and the Caribbean. Nigeria exited in June 2023 after completing its action plan. The Philippines also exited in June 2023. South Africa, added in February 2023, was still working through its plan as of early 2025. These movements matter because each one should trigger risk rating reviews across your customer portfolio.
The shared requirement: enhanced due diligence
For both lists, enhanced due diligence is the minimum. What differs is the intensity and acceptable outcome:
| Category | EDD Required | Counter-Measures | Business Permitted |
|---|---|---|---|
| Blacklisted | Yes | FATF recommends | Banks typically exit entirely |
| Greylisted | Yes | Not recommended | Permitted with stronger controls |
The FFIEC BSA/AML Examination Manual states that US banks must implement risk-based controls for transactions involving FATF-listed jurisdictions. Examiners will check whether your jurisdiction risk model captures list changes promptly after each plenary.
What changes when a country moves between lists
A greylist addition mid-year requires immediate action: re-screen your customer base for exposure, tighten transaction monitoring thresholds for flows from that jurisdiction, and document the decision and rationale. A move from greylist to blacklist is more serious. If you have correspondent relationships or significant customer volumes from that country, expect examiner questions at your next regulatory exam.
IMF working paper research estimated that greylisting alone reduces capital flows by roughly 7.6 percent. Blacklisting is far more severe: North Korea and Iran are effectively isolated from international financial systems. The FATF official lists update after each plenary, so your screening feeds and jurisdiction risk tables need to pull the latest version after each session.
Why this matters
Jurisdiction risk is one of the most common findings in AML examinations. Regulators expect institutions to track FATF plenary outcomes in real time, not at the end of an annual review cycle.
The practical questions examiners ask:
- Does your institution have a process to update jurisdiction risk ratings after each FATF plenary?
- How do you screen existing customers when a new country enters the greylist?
- What is your policy on transactions involving blacklisted jurisdictions, and can you demonstrate consistent enforcement?
Getting this wrong is expensive. What happens when a bank fails an AML exam often traces back to gaps in jurisdiction risk management: stale risk ratings, inadequate EDD documentation, or failure to tighten monitoring on high-risk corridors after a list change.
How sanctions screening works intersects directly here. FATF designations don't replace OFAC, UN, or EU sanctions lists, but they inform the risk context for the same transactions. Alert thresholds for jurisdictions should be calibrated to FATF status, not just sanctions list hits.
The FATF Travel Rule adds another layer for crypto transactions. If a virtual asset service provider is domiciled in a greylisted jurisdiction, the Travel Rule data you receive (or fail to receive) from them is itself a compliance data point worth flagging.
Your customer risk rating refresh process needs to be responsive to FATF plenary cycles. A customer whose country of incorporation shifts from greylisted to blacklisted mid-year needs an immediate rating update, not one that waits for the next scheduled review.
Related questions
- What is the FATF Grey List? — A detailed look at how greylist designations work, which countries are currently listed, and what the exit criteria look like.
- What is the difference between CDD and EDD? — When enhanced due diligence applies and what it actually requires in practice.
- How does sanctions screening work? — OFAC, UN, and EU lists differ from FATF designations; here's how they interact operationally.
- What triggers a regulatory exam? — Jurisdiction risk gaps are a common exam trigger, especially after FATF list changes.
- How often should customer risk ratings be refreshed? — FATF plenary cycles are one of the primary drivers of rating reviews.
Related concepts and regulations
- What is the FATF Travel Rule? — FATF's information-sharing requirement for wire transfers and virtual asset transactions.
- What is the difference between AML and CFT? — FATF's mandate covers both, and both factor into how countries are evaluated for the lists.
- What happens when a bank fails an AML exam? — The enforcement consequences, including consent orders and monitorships.
- What is the OFAC 50 Percent Rule? — Sanctions screening rules that apply alongside FATF jurisdiction risk classifications.