
FATF Grey List: Definition and Use in Compliance

Also known as: FATF Increased Monitoring List

The FATF Grey List is a public monitoring designation issued by the Financial Action Task Force that identifies countries with strategic deficiencies in anti-money laundering and counter-terrorism financing controls, where each listed jurisdiction has committed to an agreed remediation plan under FATF supervision.

What Is the FATF Grey List?

The FATF Grey List, officially titled "Jurisdictions Under Increased Monitoring," identifies countries whose anti-money laundering (AML) and counter-financing of terrorism (CFT) regimes have specific strategic deficiencies. Each listed jurisdiction has made a formal political commitment to address those deficiencies under active FATF supervision, following a mutually agreed action plan with defined milestones.

Placement on the grey list isn't a legal sanction. FATF has no enforcement authority over sovereign governments. The consequences are market-driven: when FATF adds a country, correspondent banks review their exposure, multilateral lenders factor it into financing conditions, and rating agencies treat it as a sovereign risk signal. That produces real economic pressure without a single formal penalty being issued.

The grey list sits below the FATF Black List in severity. Countries on the black list, currently Iran and North Korea, face a formal FATF call for countermeasures under Recommendation 19. Member states are expected to apply the highest scrutiny levels and in some cases asset-freezing or transaction blocking. Grey-listed jurisdictions are under increased monitoring, not countermeasures. That distinction matters operationally: institutions can still transact with customers from grey-listed countries, but those transactions require heightened controls that must be documented and defensible to examiners.

FATF updates the list three times per year after plenary sessions in February, June, and October. The updated list is published within 24-72 hours of the plenary statement. Countries exit when they complete their action plan and pass a follow-up on-site assessment confirming that reforms are durable. The average tenure runs two to three years. Pakistan spent three years on the list (2018-2022) before completing 34 specific action items and passing its on-site review. Bulgaria entered in June 2023 with a specific action plan centred on beneficial ownership transparency and supervisory capacity.

FATF publishes a detailed statement per listed country at each plenary, naming the precise deficiencies that triggered listing. These statements, available at fatf-gafi.org, are directly usable by compliance teams to calibrate the specific due diligence questions to ask when onboarding customers connected to that jurisdiction.


How Is the FATF Grey List Used in Practice?

Compliance teams treat the grey list as a live data feed into customer risk rating models. Any customer with a material connection to a grey-listed jurisdiction gets an automatic risk uplift. The connection can be citizenship, corporate registration, primary address, beneficial ownership, or even the routing of funds through accounts in the listed country.

That uplift triggers Enhanced Due Diligence protocols. At a minimum: verification of source of funds, documentation of business purpose, senior compliance sign-off before the relationship opens, and reduced periodic review cycles. Moving from a 24-month to a 6-month review cycle for newly grey-listed jurisdictions is common practice at institutions we've worked with.

The most common control gap is update latency. FATF publishes changes three times a year, but internal high-risk country tables at many institutions run on quarterly or annual review cycles. We've seen examiner findings specifically citing failure to update within 30 days of an FATF plenary. That window is the gap to close first.

Transaction monitoring rules reflect the designation directly. A payment originating from or routed through a grey-listed jurisdiction typically adds 20-40 risk points in a rule-based scoring model. In gradient-boosted or ensemble systems, country risk tier is a feature variable. Either way, the grey list status needs to flow into the scoring logic automatically, not manually.

Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) filed on transactions involving grey-listed jurisdictions attract specific examiner attention. Regulators want to see that the grey-listing status was considered in the narrative and that the analyst connected it to the specific deficiencies FATF cited for that country. A generic risk mention isn't enough.

Correspondent banking is where grey listing hits hardest at scale. Respondent banks domiciled in grey-listed jurisdictions find their correspondent partners increasing documentation requirements, restricting product access, or exiting the relationship. The IMF has documented this as a financial-inclusion concern in developing economies and noted it directly in Article IV consultations with affected jurisdictions.


FATF Grey List in Regulatory Context

Major financial regulators translate FATF grey-listing status directly into supervisory expectations, and the alignment across jurisdictions is tighter than many compliance teams realize.

In the EU, the Fourth and Fifth Anti-Money Laundering Directives (4AMLD, 5AMLD) require enhanced customer due diligence (CDD) for customers from FATF-identified high-risk jurisdictions. The European Commission maintains its own third-country list, which overlaps with the FATF grey list but updates on a separate legislative cycle. That divergence means a jurisdiction can be on the FATF grey list but absent from the EU list, or vice versa. Compliance teams in EU institutions need to track both.

In the UK, the FCA's Senior Management Arrangements, Systems and Controls sourcebook (SYSC 6.3) requires firms to apply enhanced measures to business relationships involving persons established in high-risk third countries, a category that includes FATF grey-listed jurisdictions. FCA supervisors have cited firms for failing to update country risk classifications promptly after FATF updates. The standard expectation is a maximum 30-day lag between FATF publication and internal system update.

US regulators approach it similarly. The FFIEC BSA/AML Manual treats grey-listing status as a material country risk indicator. OCC examiners have cited institutions for not factoring FATF grey-listing into country risk tiering within their transaction monitoring and EDD frameworks.

For correspondent banking specifically, the Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire identifies FATF grey listing as a risk factor requiring explicit discussion during correspondent due diligence. The Basel Committee on Banking Supervision's 2016 guidance on correspondent banking, published at bis.org, reinforces that institutions must assess the AML/CFT regime quality of a respondent bank's home jurisdiction. Grey-listing is the most authoritative public signal of that quality.

The Basel Institute on Governance's AML Index scores jurisdictions annually on money laundering and terrorism financing risk. Grey-listed countries consistently score higher across multiple risk dimensions. The Index is a useful secondary reference alongside FATF's own list for institutions building country risk tiers.


Common Challenges and How to Address Them

The most common operational failure is update latency. FATF publishes changes three times per year, but internal country risk tables at many institutions run on quarterly or annual review cycles. A country added to the grey list in February may not appear in the institution's transaction monitoring rules until April or May. That window is a direct exam finding.

The fix is straightforward: tie the internal update cycle to FATF plenary dates. Set calendar alerts for post-plenary publications, automate ingestion of updated lists into transaction monitoring and CDD systems, and build a reconciliation check that flags divergences between the current FATF list and the internal high-risk country table. This process should be owned by a named person, not left to general governance.
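The reconciliation check described above, as an added example (not code from the original page or from any vendor): it compares the published list with the internal high-risk country table, reports divergences in both directions, and marks any that have outlived the 30-day window cited on this page. The function and field names, the sample dates, and the placeholder codes XA-XD are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_LAG_DAYS = 30  # window this page cites between FATF publication and internal update

@dataclass(frozen=True)
class Finding:
    country: str
    kind: str                # MISSING_UPLIFT | STALE_UPLIFT | UNEXPLAINED_ENTRY
    lag_days: Optional[int]  # days since the FATF change; None if no change is on record
    overdue: bool

def _norm(code: str) -> str:
    # Internal tables often carry stray whitespace or lowercase codes.
    return code.strip().upper()

def reconcile(listed, delisted, internal, as_of):
    """listed/delisted: {code: publication date}; internal: codes carrying the uplift."""
    listed = {_norm(c): d for c, d in listed.items()}
    delisted = {_norm(c): d for c, d in delisted.items()}
    internal = {_norm(c) for c in internal}
    findings = []
    # Listed by FATF but not flagged internally: the update-latency gap.
    for code in sorted(set(listed) - internal):
        lag = (as_of - listed[code]).days
        findings.append(Finding(code, "MISSING_UPLIFT", lag, lag > MAX_LAG_DAYS))
    # Flagged internally but no longer listed: the exit-monitoring gap.
    for code in sorted(internal - set(listed)):
        if code in delisted:
            lag = (as_of - delisted[code]).days
            findings.append(Finding(code, "STALE_UPLIFT", lag, lag > MAX_LAG_DAYS))
        else:
            # No matching FATF change on record: escalate to the named owner.
            findings.append(Finding(code, "UNEXPLAINED_ENTRY", None, True))
    return findings

# Constructed sample data. XA-XD are ISO 3166 user-assigned codes, not real countries,
# and the dates are illustrative, not actual plenary dates.
LISTED = {"XA": date(2024, 2, 23), "XB": date(2024, 6, 28)}
DELISTED = {"XC": date(2024, 6, 28)}
INTERNAL = {" xa ", "XC", "XD"}

if __name__ == "__main__":
    for f in reconcile(LISTED, DELISTED, INTERNAL, as_of=date(2024, 8, 15)):
        print(f)
```

Run after each ingestion of the published list, an empty result means the internal table matches it; any `overdue` finding is past the 30-day window.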

The second challenge is proportionality. Blanket EDD for every customer with any connection to a grey-listed jurisdiction creates a review queue that buries analysts in low-value work. A global bank with a subsidiary incorporated in a grey-listed country has a different risk profile than a private individual routing funds from that same country with no documented source of wealth. Treating them identically is operationally inefficient and analytically wrong.

A tiered response works better. Direct country connections (citizenship, primary registration, primary banking relationship) get automatic EDD. Indirect connections (a secondary UBO nationality, a minority shareholder in a listed jurisdiction) get risk-scored treatment calibrated to the customer's overall profile. This requires clear policy documentation, but it produces fewer false positives and better quality reviews.

The third challenge is exit monitoring. When a country leaves the grey list, affected customer records need prompt review and potential downgrading. Failing to do this creates friction for customers whose country risk has genuinely improved and risks disparate treatment of customer cohorts, which has its own fair-lending and regulatory implications.

Finally, grey listing and sanctions screening are separate programs with different legal bases. A customer from a grey-listed country is not an SDN. Conflating the two produces blocking errors for legitimate customers and dilutes the signal in the sanctions workflow. The policy documentation needs to separate them explicitly, with grey-listing handled through the EDD and monitoring framework, not the sanctions blocking framework.


Related Terms and Concepts

The FATF grey list connects to several overlapping designations and compliance frameworks. Knowing where the lines fall prevents both over-controls and gaps.

The FATF Black List is the higher-severity tier. Countries on the black list face a formal FATF call for countermeasures under Recommendation 19. FATF member countries are expected to apply the strictest controls and in some cases restrict or prohibit transactions. The grey list is the step before that: structured, time-limited remediation under oversight, without the countermeasures mandate.

Sanctions screening targets specific individuals, entities, and vessels. The OFAC SDN list, the UN Security Council consolidated list, and comparable programs name specific parties whose assets must be blocked. Grey listing targets sovereign jurisdictions, not named parties. The programs intersect when a grey-listed government or its state-owned entities appear on a sanctions list, as Iran illustrates. For most grey-listed jurisdictions, though, the required response is EDD and monitoring, not asset blocking.

Enhanced Due Diligence is the primary operational response to grey-list connections. Requirements typically include UBO verification to greater depth, source-of-wealth documentation, senior management approval, and increased review frequency. The specific FATF deficiencies cited for each listed country provide a practical template: a jurisdiction listed for inadequate beneficial ownership transparency signals exactly which UBO documentation to push harder on.

Politically Exposed Persons (PEPs) from grey-listed jurisdictions carry compounded risk. Grey-listing often reflects the same governance weaknesses that drive corruption exposure, which is precisely the risk PEP controls address. Automatic EDD for PEPs from grey-listed countries is standard practice at most institutions and straightforward to justify to any regulator.

Adverse media screening frequency often increases for customers with grey-listed-country connections. The FATF deficiency statements provide a typology map: if the deficiency is beneficial ownership transparency, the adverse media sweep should specifically search for hidden ownership structures, nominee arrangements, or shell company activity linked to that jurisdiction.

Know Your Customer (KYC) and Know Your Business (KYB) programs are where grey-list status gets operationalized at the account level. The designation feeds directly into the onboarding risk score that determines which due diligence tier a customer enters, how frequently the profile is refreshed, and at what threshold a relationship requires senior review.


Where does the term come from?

FATF was established by the G7 Summit in Paris in 1989, initially to address drug-money flows. A formal monitoring mechanism emerged from FATF's Non-Cooperative Countries and Territories (NCCT) initiative, launched in 2000, which publicly named jurisdictions with deficient AML controls. FATF retired the NCCT label around 2006 and replaced it with the current tiered framework. The "Jurisdictions Under Increased Monitoring" designation took its present form following the 2012 revision of the FATF Forty Recommendations, which introduced the current risk-based structure for identifying, monitoring, and delisting non-compliant jurisdictions.


How FluxForce Handles the FATF Grey List

FluxForce AI agents monitor FATF grey list-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
