FATF Black List: Definition and Use in Compliance

What is FATF Black List?

The FATF Black List, formally called "High-Risk Jurisdictions subject to a Call for Action," is a public designation maintained by the Financial Action Task Force (FATF) identifying countries with critical strategic deficiencies in their AML/CFT regimes. Persistent members include Iran and North Korea. Myanmar was added in June 2022 following FATF's assessment of its military-controlled financial system. FATF updates both lists three times annually after each Plenary session.

What distinguishes the Black List from the FATF Grey List is the obligation to act rather than monitor. Grey List jurisdictions face increased scrutiny, but financial institutions still apply a risk-based approach calibrated to the specific facts of each relationship. Black List jurisdictions require counter-measures: restricted or prohibited correspondent relationships, mandatory Enhanced Due Diligence (EDD) on all related transactions, and in several regulatory frameworks an outright prohibition on certain payment flows.

A financial institution processing a wire transfer routed through a Black List jurisdiction, even when the originating and receiving parties are themselves clean, carries sanctions evasion exposure. That routing choice is a documented evasion technique, and regulators expect it to be flagged and reviewed.

For compliance teams, the Black List is a categorical risk designation. Banks that treat Black List exposure the same as a borderline Grey List country are underweighting their regulatory obligation. Supervisors in the US, EU, and UK have made this distinction explicit in examination guidance, and enforcement actions have followed where institutions failed to apply counter-measures consistently. The informal name has persisted in practitioner usage because it accurately conveys the stakes: this is a hard line, not a scoring input.

How is FATF Black List used in practice?

Day-to-day, the Black List shapes decisions at three points: customer and counterparty onboarding, transaction monitoring, and correspondent banking governance.

At onboarding, any Know Your Customer (KYC) or Know Your Business (KYB) workflow that surfaces a Black List jurisdiction connection must trigger EDD. The connection can be direct, such as a customer resident in Myanmar, or indirect, such as a customer whose Ultimate Beneficial Owner is a company incorporated in Iran. Either way, simplified due diligence is off the table and senior management sign-off is required before the relationship can proceed.

During ongoing monitoring, transaction screening systems flag any payment with a nexus to a Black List country for mandatory analyst review. Straight-through processing should be blocked by default. If the nexus is indirect, for instance a payment routed through a Black List jurisdiction between two otherwise unremarkable counterparties, the routing pattern itself is a risk signal requiring documented review. Some institutions have automated rules that generate Suspicious Transaction Reports (STRs) for this pattern without requiring a human to initiate the referral.

For correspondent banking, the standard practice at large institutions is a blanket prohibition on new correspondent relationships with banks domiciled in Black List jurisdictions. Existing relationships where the respondent bank has sub-correspondent exposure to a Black List country require documented escalation and a senior management decision on whether to continue.

The MLRO typically owns the country risk matrix and the update process. A gap of more than 72 hours between a FATF Plenary publication and a matrix update is an exam finding in most regulatory jurisdictions. FATF publishes updates on its website immediately after each Plenary. There's no operational reason to be slow.

FATF Black List in regulatory context

Most regulatory AML frameworks either reference FATF's list directly or use it as a minimum threshold for their own country risk designations.

In the United States, FinCEN has issued specific advisories requiring financial institutions to apply Section 311 special measures under the USA PATRIOT Act for transactions involving Iran and North Korea. FinCEN Advisory FIN-2017-A008 on North Korea identifies specific evasion typologies, including the use of front companies and shell companies to route funds through third-country banks. These measures go further than standard FATF counter-measures: they can prohibit US institutions from opening or maintaining correspondent accounts entirely, with no risk-based carve-out.

In the European Union, the European Commission publishes its own high-risk third-country list under the Anti-Money Laundering Directives. The EU list isn't identical to FATF's, but Black List jurisdictions consistently appear on it. Under 6AMLD, criminal liability for money laundering predicate offenses extends to conduct in third countries, which amplifies exposure for institutions that mishandle Black List connections through correspondent chains or trade finance.

In the UK, the Financial Conduct Authority requires firms to apply EDD automatically for customers and transactions connected to Black List jurisdictions, with no option to apply simplified treatment. This is codified in Regulation 33 of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

The Counter-Financing of Terrorism (CFT) dimension is often the sharper risk. Iran and North Korea carry OFAC sanction programs with extraterritorial reach, meaning a non-US bank that processes a payment ultimately benefiting a sanctioned Iranian entity faces potential US enforcement action independent of whether its home jurisdiction has separately designated the transaction as prohibited.

Common challenges and how to address them

The most common gap is a slow update cycle. FATF publishes three times a year, but some institutions run their country risk matrix through quarterly internal review cycles that don't align with FATF's publication schedule. A bank that misses a February Plenary update and won't review again until April is operating on stale data for two months. The fix is straightforward: subscribe to FATF publication alerts and build a written workflow requiring the compliance team to action each update within 48 hours, with documented sign-off.

Indirect exposure is harder. A payment from a French importer to a Singapore trader looks clean at first glance. If that Singapore entity is majority-owned by an Iranian holding company, the connection surfaces only through UBO disclosure and entity resolution work. Where ownership structures have been deliberately obscured through nominee shareholders or layered shell companies, the connection won't be visible without deep due diligence and sometimes external data sources.

The correspondent banking problem is specific. A clean correspondent relationship can still carry nested Black List exposure through that correspondent's own sub-correspondents. The nested correspondent account issue requires institutions to ask respondents directly about their sub-correspondent relationships and to document the answers in writing.

Alert volume is a real operational burden. Geographic flags for Black List jurisdictions generate significant alert traffic. An analyst team managing hundreds of weekly alerts, many of them triggered solely by country-level proximity, will miss material risk buried in the noise. Calibrating transaction monitoring rules so Black List geography is one risk factor combined with behavioral signals, rather than a standalone alert trigger, reduces volume without reducing detection quality.

Every decision to proceed with a transaction or relationship that has Black List exposure requires documented rationale, EDD evidence, and senior approval. Regulators don't assume good judgment; they read files.

Related terms and concepts

The FATF Black List sits at the top of a hierarchy of geographic risk tools used in AML/CFT compliance.

The FATF Grey List is the intermediate tier, covering jurisdictions under increased monitoring. These countries have strategic deficiencies but have committed to a time-bound action plan. The key operational difference: Grey List status allows a calibrated risk-based approach; Black List status does not. Compliance teams can apply differentiated treatment for Grey List countries based on specific relationship factors. For Black List countries, counter-measures are the starting position, and any deviation requires explicit board-level justification documented in the institution's AML program.

Sanctions screening is the operational mechanism through which Black List exposure is detected at the transaction and customer level. The FATF designation operates alongside, not instead of, dedicated sanctions programs managed by OFAC. The Specially Designated Nationals List (SDN) targets specific individuals and entities, often including citizens and companies from Black List jurisdictions. Both can apply to the same transaction simultaneously, creating compounded compliance obligations.

Adverse media screening can surface Black List exposure that doesn't appear in structured ownership or sanctions data. A customer with no formal connection to Iran might appear in news coverage of trade with Iranian state entities. That's worth investigating even when the ownership screen is clean.

Proliferation financing is the specific financial crime concern that makes North Korea's position on the Black List particularly sensitive. FATF Recommendation 7 deals with targeted financial sanctions related to the financing of weapons proliferation, and North Korea is the primary case study. Institutions with any exposure to dual-use goods trade or arms-adjacent industries carry amplified risk on this dimension.

Finally, the risk-based approach (RBA) applies differently here than it does for most other risk factors. For the majority of AML risk drivers, the RBA allows calibrated treatment based on the specific facts of a relationship. Black List treatment begins at counter-measures, with deviations requiring documented justification at the board level in the institution's AML risk assessment.