The Long View

The FATF Grey List and Jurisdictional Risk

The Desk, 5 min read

The Financial Action Task Force (FATF) maintains two lists relevant to financial crime: the blacklist (jurisdictions subject to a call for action) and the greylist (jurisdictions under increased monitoring). The blacklist is short and stable. The greylist is longer and moves with the FATF plenary cycle four times a year.

For a private client with banking, investment, or property exposure to a greylist jurisdiction, the consequences are practical. A jurisdiction on the greylist triggers enhanced due diligence at any UK, EU, US, or Swiss obligated entity that handles transactions to or from it. The enhanced due diligence is not, in itself, an accusation of wrongdoing; it is a regulatory requirement.

The cumulative effect is friction. Bank transfers from greylist jurisdictions take longer. Onboarding new banking relationships with exposure to greylist jurisdictions takes longer. Source-of-funds documentation is required to be more comprehensive. Some institutions decline new business outright.

The mid-2026 greylist includes (in changing combination across the recent plenary cycles): Bulgaria, Croatia, the Democratic Republic of the Congo, Mozambique, Nigeria, South Africa, the United Arab Emirates (removed in early 2025 then re-listed in late 2025), Vietnam, and several others. The Cayman Islands and the British Virgin Islands have been removed from the greylist following completion of their action plans.

For a private client the practical question is whether their position is exposed to a greylist jurisdiction and, if so, what the exposure looks like to a third-party reader. The audit identifies the exposure: a directorship in a greylist jurisdiction's company, real-estate holdings, a bank account, a related-party transaction. Where the exposure is structural (the client holds property in a greylist jurisdiction), the audit notes it. Where the exposure is incidental (a former directorship that has been resigned but not yet updated at the register), the audit identifies the lag.

The list itself moves; what matters more than any particular jurisdiction's current status is the client's ability to read their own exposure as the list updates. The audit gives the baseline; continuing arrangements track the updates.

Get in touch
Related reading
The Long View
How We Stay Ahead of the Rules
The Long View
Central Bank Digital Currencies by Jurisdiction
The Long View
Common Reporting Standard After Eight Years