What’s meant by the FATF Grey List?

The FATF Grey List is a public designation published by FATF (the Financial Action Task Force) identifying jurisdictions that have agreed to work with FATF to address identified weaknesses in their anti-money laundering (AML), counter-terrorist financing (CTF) or counter-proliferation financing (CPF) frameworks.
Formally known as the list of Jurisdictions Under Increased Monitoring, it signals that a country’s systems have gaps but that the country is engaging constructively to close them.
For regulated UK firms, a client or transaction connected to a Grey Listed jurisdiction carries specific obligations under the Money Laundering Regulations 2017 (as amended) (MLRs).
Understanding what the Grey List means, how jurisdictions end up on it and what it requires of you in practice is an important part of managing jurisdictional risk.
How the Grey List works
FATF assesses countries against its global AML, CTF and CPF standards through a programme of mutual evaluations. Where weaknesses are identified, FATF works with the relevant country to agree an action plan.
Jurisdictions that are subject to that process, and where FATF considers the issues significant enough to warrant public attention, are placed on the Grey List.
The Grey List is updated at each FATF plenary, which takes place three times a year. Countries can be added when new concerns are identified or removed when FATF is satisfied that agreed improvements have been made and sustained.
Removal from the Grey List is a meaningful milestone. It reflects a formal FATF determination that the jurisdiction’s framework has improved to an acceptable standard.
The Grey List sits below the Black List in terms of severity. Black-Listed jurisdictions present more serious and immediate concerns.
What puts a jurisdiction on the Grey List?
A jurisdiction typically ends up on the Grey List following a FATF mutual evaluation that identifies significant gaps between its legal and regulatory framework and the standards FATF expects.
The issues can vary considerably from country to country, but some common themes are:
- Gaps in AML, CTF or CPF legislation that leave certain sectors, transactions or risk types inadequately covered
- Weak supervision of financial institutions or designated non-financial businesses and professions, meaning rules exist on paper but are poorly enforced
- Limited beneficial ownership transparency, making it difficult to identify who ultimately controls companies, trusts or other structures
- Insufficient investigation and prosecution of money laundering and terrorist financing even where laws are in place
- Weaknesses in sanctions implementation or proliferation financing controls
- Limited international cooperation on financial crime matters
The distinction from the Black List is that Grey-Listed jurisdictions have acknowledged these issues and committed to an action plan. The commitment to reform is real, but so are the underlying risks while that reform is in progress.
How the Grey List affects your obligations under the MLRs
The UK’s Money Laundering Regulations 2017 require regulated businesses to apply enhanced due diligence (EDD) when a client is established in a high-risk third country, or when a transaction involves a party based there.
High-risk jurisdictions are designated by the UK government and broadly reflect both FATF’s Grey and Black lists, updated to reflect geopolitical developments.
Following Brexit, the UK maintains its own list of high-risk third countries, which may diverge from FATF’s designations but generally doesn’t. Checking the UK government’s current list alongside FATF’s publications gives you the most complete picture.
Once you identify a connection to a Grey Listed jurisdiction, through a client’s place of incorporation, ownership structure, source of funds or counterparty location, the EDD obligation is triggered.
The level of scrutiny should reflect the actual risk involved, applying the risk-based approach proportionately rather than treating all Grey Listed connections as equivalent.
What enhanced due diligence looks like in practice
EDD for Grey Listed jurisdictions goes beyond standard customer due diligence. The specific steps will depend on the nature of the connection and the risk it introduces, but some examples are:
- Gathering more detailed information about the client, their business and the purpose of the relationship or transaction
- Independently verifying source of funds and, where relevant, source of wealth, rather than relying on the client’s own account
- Conducting more robust beneficial ownership checks, using multiple independent sources where possible
- Obtaining senior management approval before establishing or continuing the relationship
- Increasing the frequency and depth of ongoing monitoring
A client with a straightforward, well-documented connection to a Grey-Listed country might present a different risk from one whose ownership structure runs through multiple jurisdictions, one of which is Grey-Listed.
Your EDD should reflect that distinction. The goal is a genuine understanding of the risk, not a formulaic response to a list.
The overlap with sanctions and proliferation financing
Grey Listed jurisdictions sometimes coincide with areas of sanctions concern or proliferation financing risk, though this is more pronounced for Black-Listed countries.
Where a Grey-Listed jurisdiction has known weaknesses in sanctions implementation or export controls, that adds a further dimension to your risk assessment.
FATF’s increasing emphasis on proliferation financing means that jurisdictional weaknesses in this area are now given greater weight than they were previously.
The UK’s National Risk Assessment (NRA) reflects that shift. For professionals working on international transactions, corporate structuring or trade-related matters, being aware of where Grey-Listed jurisdictions intersect with these risks is increasingly important.
Sanctions screening should be current and ongoing. Where a Grey-Listed jurisdiction is involved, make sure escalation routes are clearly defined and that your team understands what to do if a potential match arises.
Keeping your risk assessments current
The Grey List changes regularly. Jurisdictions are added and removed at each FATF plenary. A country that was Grey-Listed at the point you onboarded a client may have since been removed, or a country that was clear may have been added.
Your ongoing monitoring obligations under the MLRs require you to keep client information current and to reassess risk when circumstances change.
A jurisdiction moving onto the Grey List after onboarding is a material change that should trigger a review of the relevant client risk assessments.
In practice, this means building awareness of FATF updates into your compliance processes and linking that awareness directly to your client risk assessments. Staying on top of the Grey List is part of what ongoing monitoring means.
Documenting your reasoning
When a client or transaction involves a Grey-Listed jurisdiction, your records need to show more than that EDD was completed.
They should show how the jurisdictional risk was identified, how it fed into the overall risk assessment, what enhanced steps were taken and why those steps were considered proportionate.
Supervisors reviewing AML compliance look for evidence of reasoning, not just evidence of activity. A file that shows PEP and sanctions checks were run and source of funds was requested is a starting point.
A file that explains why those steps were considered appropriate given the specific risk profile of the client and the jurisdiction involved is what demonstrates genuine compliance.
Clear documentation also provides protection. If a relationship is later scrutinised, a well-reasoned audit trail shows that decisions were informed, considered and proportionate.
Final thoughts
The FATF Grey List identifies jurisdictions where weaknesses in AML, CTF or CPF frameworks have been formally acknowledged and where reform is underway.
For regulated UK professionals, a connection to a Grey-Listed jurisdiction triggers enhanced due diligence obligations under the MLRs. This requires a proportionate, well-documented response.
The Grey List changes frequently, which means jurisdictional risk assessments need to be live rather than static. When FATF updates, client risk assessments should reflect that. When EDD is applied, the reasoning behind it should be clear.
That combination of current awareness, proportionate action and documented reasoning is what sound jurisdictional AML risk management looks like in practice.