What is the FATF Grey List?
Quick answer
The FATF Grey List is FATF's register of countries under increased monitoring for strategic AML/CFT deficiencies. Listed countries have committed to a time-bound action plan with FATF to fix identified gaps. Banks must apply Enhanced Due Diligence to transactions involving these jurisdictions under FATF Recommendation 19.
The full answer
The FATF Grey List, formally "Jurisdictions under Increased Monitoring," is published by the Financial Action Task Force three times a year: after its February, June, and October plenary sessions. It identifies countries with strategic deficiencies in their anti-money laundering (AML), counter-terrorist financing (CFT), or counter-proliferation financing regimes that are actively cooperating with FATF under a time-bound action plan to fix them.
The list is separate from FATF's Black List ("High-Risk Jurisdictions subject to a Call for Action"), which covers countries facing an outright call for countermeasures. North Korea and Iran sit on the Black List. Grey-listed countries are working through an agreed remediation process with FATF, which is a meaningful distinction when calibrating your response.
Countries reach the Grey List through mutual evaluations conducted by FATF or a FATF-Style Regional Body (FSRB). The evaluations measure both technical compliance with FATF's 40 Recommendations and real-world effectiveness: asset recovery rates, quality of financial intelligence outputs, prosecution outcomes. Weak effectiveness is the more common route to listing than technical gaps alone.
Under FATF Recommendation 19, countries must apply countermeasures proportionate to the risks posed by a listed jurisdiction. For grey-listed countries, that translates to Enhanced Due Diligence (EDD) on all business relationships and transactions. EDD means verifying the beneficial owner to a higher standard than standard Customer Due Diligence (CDD), obtaining source-of-funds documentation, getting senior management sign-off, and running ongoing monitoring at higher frequency. See what's different between CDD and EDD for the practical threshold.
IMF research on financial crime has documented average reductions in net capital inflows around 7% of GDP for newly grey-listed countries. Correspondent banks tighten terms or exit relationships with financial institutions in affected countries, which raises costs across the system and restricts access to major currency clearing.
Countries exit when they complete their action plan. Pakistan spent more than four years on the list (June 2018 to October 2022) and completed a 34-point action plan. The UAE was listed in March 2022 and exited in February 2024. Removal doesn't mean all AML weaknesses are resolved; it means the specific deficiencies in the action plan have been addressed to FATF's satisfaction.
After a country exits, don't immediately revert to standard CDD. Reassess country risk within 60 to 90 days of delisting, update your risk ratings, and let current intelligence drive the adjustment rather than the listing status alone.
Why this matters
Grey-listed jurisdictions create direct, documented obligations for every financial institution with exposure to those countries. A compliance team that doesn't update its country risk matrix promptly after a new FATF plenary is sitting on a gap that examiners will find.
The risk-based approach under FATF Recommendation 1 doesn't mean ignoring list status. It means calibrating controls to actual risk, and a FATF grey-listing is one of the clearest signals available that a country's AML controls haven't been verified as effective. Financial institutions in grey-listed countries face a cascading problem: correspondent banking relationships get harder to maintain, which restricts access to global payment systems and raises transaction costs throughout the financial system.
For banks in non-listed countries, the impact is transactional. Payments, trade finance, and remittances involving grey-listed jurisdictions require documented rationale and tighter controls. Examiners will look at whether the institution updated its KYC refresh cycle for customers with ties to newly listed countries and whether monitoring thresholds were adjusted promptly.
The Basel Institute on Governance's AML Index, published annually, incorporates grey-list status into its country risk scores and is used by many institutions as a benchmark for tier assignments. It's a useful cross-reference when you need a defensible, named source for a country risk decision beyond just the FATF page itself.
The monitoring challenge is volume. A grey-listed country can mean hundreds of thousands of individual customers across a single institution's portfolio. AI-driven transaction monitoring lets institutions apply differentiated rule sets and risk scores at the customer and transaction level rather than blunt country-wide blocks that generate unnecessary false positives and kill legitimate business.
Regulators treat the grey list as a live instrument. If your institution had exposure to a country added at the October plenary and controls weren't updated until March, that six-month gap is documentable and will come up in the next exam cycle.
Related questions
- What is the difference between CDD and EDD? — Grey-listed jurisdictions trigger EDD by default. Understanding exactly where standard CDD ends and EDD begins determines the scope of your response.
- What is a beneficial owner? — EDD requirements for grey-listed country customers include verifying beneficial ownership to a higher standard. The definition matters when you're deciding how far up the ownership chain to go.
- Can AI be used for AML transaction monitoring? — Applying differentiated monitoring rules to grey-listed corridor transactions at scale is where AI provides the most direct operational benefit.
- What triggers a regulatory exam? — Documented exposure to grey-listed jurisdictions without updated controls is a known exam trigger.
- How much does AML compliance cost a mid-market bank? — Grey-listing exposure adds meaningfully to compliance overhead through enhanced monitoring requirements across affected customer portfolios.
Related concepts and regulations
- Enhanced Due Diligence (EDD) — The standard triggered by grey-listed jurisdiction exposure under FATF Recommendation 19. Applies to business relationships and transactions involving affected countries.
- Customer Due Diligence (CDD) — The baseline that EDD builds on. Understanding the CDD floor is necessary to understand what EDD adds.
- FATF Recommendation 1: Risk-Based Approach — Grey-list status is a primary input to country risk scoring under the risk-based approach. This recommendation governs how institutions are expected to calibrate controls to country risk.
- FATF Recommendation 10: Customer Due Diligence — Sets the CDD requirements that get escalated to EDD when a customer has ties to grey-listed jurisdictions.
- FATF Recommendation 13: Correspondent Banking — Grey-listing directly affects correspondent banking relationships in affected countries. This recommendation governs how respondent banks should be assessed and monitored.