FATF High-Risk Countries 2026: Canada AML/PCMLTFA Obligations
FATF grey list and blacklist updated February 2026: impact on Canadian AML obligations under PCMLTFA, FINTRAC advisories, and how reporting entities must adapt their compliance programmes.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokFATF High-Risk Jurisdictions 2026: Canadian PCMLTFA Compliance
As of February 13, 2026, the Financial Action Task Force (FATF) keeps three countries on its blacklist — North Korea (DPRK), Iran and Myanmar — and 22 jurisdictions under increased monitoring (the grey list), including Algeria, Bulgaria, Kenya, Kuwait, Lebanon, Syria, Venezuela and Vietnam. For Canadian reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), these designations directly shape AML compliance obligations supervised by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada).
Regulatory baseline: FINTRAC issued its advisory on financial transactions related to FATF-identified countries on March 2, 2026, following the February 2026 FATF plenary. FINTRAC expects reporting entities to review FATF updates and adjust their risk assessments, policies, and compliance measures accordingly. The PCMLTFA's 2026 amendments, which received Royal Assent on March 26, 2026, further strengthened the requirement that compliance programmes be "reasonably designed, risk-based, and effective."
FATF Lists and Their Legal Effect Under PCMLTFA
Unlike EU law, Canada does not maintain a statutory list of high-risk jurisdictions with automatic EDD requirements. However, FATF designations are a recognised risk indicator within FINTRAC's risk-based compliance framework and examination methodology.
| FATF Designation | Canadian regulatory implication |
|---|---|
| Blacklist (DPRK, Iran, Myanmar) | Subject to sanctions under the Special Economic Measures Act (SEMA) and Freezing Assets of Corrupt Foreign Officials Act (FACFOA); Suspicious Transaction Reports (STRs) required |
| Grey list (22 countries) | Elevated country risk in PCMLTFA programme; Enhanced EDD best practice; STR threshold effectively lowered |
Important distinction: Canada's sanctions regime (administered by Global Affairs Canada) and PCMLTFA AML obligations are separate frameworks. Assess both independently: a grey-listed country may have no comprehensive Canadian sanctions but still require enhanced AML diligence.
FATF Grey List: Current 22 Jurisdictions (February 2026)
Countries committed to addressing AML/CFT deficiencies with a FATF action plan:
Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d'Ivoire, Democratic Republic of Congo, Haiti, Kenya, Kuwait, Laos, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, British Virgin Islands, Yemen.
February 2026 additions: Kuwait and Papua New Guinea were added at the February 2026 plenary. FINTRAC's March 2026 advisory specifically identifies these additions and calls on reporting entities to update their risk assessments accordingly.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotConcrete Obligations for Canadian Reporting Entities
Enhanced Due Diligence Under PCMLTFA
Under PCMLTFA Part 1, the PCMLTF Regulations (SOR/2002-184), and FINTRAC's compliance guidance, reporting entities must apply enhanced measures when FATF country risk is elevated:
- Identity verification: Primary identity documents (Canadian passport, provincial driver's licence, or Permanent Resident Card for individuals) must be obtained; for clients from grey-listed jurisdictions, additional secondary ID (foreign passport, government-issued documents) is required
- Source of funds and source of wealth: Documentary evidence of the origin of funds involved and the broader wealth of the client (bank statements, CRA Notice of Assessment, property records)
- Senior management approval: For high-risk jurisdiction clients, approval by a compliance officer or senior manager should be documented before the business relationship commences
- Ongoing enhanced monitoring: Increased frequency of periodic reviews and enhanced transaction monitoring parameters
Industry benchmark: The ACFE 2024 Report to the Nations reports fraud persists 87 days on average without enhanced controls. Continuous monitoring of clients linked to high-risk jurisdictions shortens this detection window.
Suspicious Transaction Reports (STRs) to FINTRAC
Under PCMLTFA section 7, reporting entities must file an STR with FINTRAC "as soon as practicable" when they have reasonable grounds to suspect a transaction is related to ML or TF. For transactions involving FATF blacklisted countries (DPRK, Iran, Myanmar), an STR is warranted regardless of amount.
For grey-listed countries, FINTRAC's examination guidance confirms that country risk alone is a reasonable ground to suspect — any unusual transaction pattern involving grey-list jurisdictions without a plausible lawful explanation should result in an STR filing.
2026 PCMLTFA amendments: The strengthened enforcement framework increases maximum Administrative Monetary Penalties (AMPs) to $40,000 for minor violations (up from $1,000) and $4,000,000 for serious violations. FINTRAC can use these enhanced penalties for inadequate country risk programmes.
Canada-Specific Considerations
Social Insurance Number (SIN) and Provincial ID
For Canadian clients, SIN cards are not acceptable primary ID under PCMLTFA. For clients from grey-listed jurisdictions, the identification hierarchy is: foreign passport → government-issued ID from the country of residence → additional government document with address. For permanent residents, the PR Card is acceptable.
PIPEDA and Provincial Privacy Laws (Including Loi 25 in Québec)
Collection of enhanced due diligence documentation from foreign nationals must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, or applicable provincial legislation. Québec's Loi 25 (Loi sur la protection des renseignements personnels dans le secteur privé), as amended in 2022, imposes strict requirements on the retention and cross-border transfer of personal data, including identity documents from foreign nationals.
Correspondent Banking
For Canadian banks, grey-listed countries trigger specific requirements under Part I.1 of PCMLTFA (foreign financial institutions). Enhanced scrutiny of correspondent accounts connected to grey-listed jurisdictions is expected by OSFI under its AML/ATF guideline.
The CheckFile platform covers 32 jurisdictions and supports over 3,200 document types, enabling Canadian compliance teams to verify foreign identity documents efficiently in high-volume onboarding workflows — essential for PCMLTFA CDD requirements.
Operational Steps: Updating Your Canadian AML Programme
| Action | Timing | Responsible party |
|---|---|---|
| Review FINTRAC advisory post-plenary | Within 48 hours | CAMLO / Compliance officer |
| Update country risk assessment | Within 10 business days | Compliance team |
| Trigger EDD review for affected clients | Within 30 days | Compliance / relationship managers |
| Update transaction monitoring rules | Within 60 days | Analytics / IT compliance |
For enhanced due diligence process details, see our EDD compliance guide. For sanctions screening integration, see our OFAC and sanctions screening guide.
Sectors With Elevated FATF Country Risk in Canada
| Sector | Specific risk | Recommended measure |
|---|---|---|
| Banks and credit unions | Correspondent banking, wire transfers | Counterparty screening + beneficial owner verification |
| Money services businesses (MSBs) | Remittances to grey-list countries | EDD + STR for unusual patterns |
| Real estate | Cash transactions, foreign ownership | FINTRAC Geographic Targeting + enhanced CDD |
| Securities dealers | HNWI clients with offshore assets | Source of wealth verification |
| Accountants and lawyers | Corporate structures in listed jurisdictions | EDD + refusal if documentation insufficient |
Frequently Asked Questions
Does FINTRAC require automatic EDD for all clients from FATF grey-listed countries?
FINTRAC's approach is risk-based rather than prescriptive. Grey-list designation is a strong risk indicator that warrants enhanced measures, but the specific EDD steps should be proportionate to the overall risk profile of the client and transaction. The 2026 PCMLTFA amendments require programmes to be "reasonably designed and effective."
Are Canadian sanctions and FATF designations the same?
No. Canadian sanctions (administered by Global Affairs Canada under SEMA) prohibit dealings with designated individuals and entities or countries subject to comprehensive measures. FATF designations identify AML/CFT deficiencies. A grey-listed country may have no Canadian sanctions but still require enhanced AML diligence.
Do Québec-based reporting entities have additional obligations under Loi 25?
Loi 25 adds requirements for personal data collected in Québec, including: privacy impact assessments before data transfers outside Québec, clear retention policies, and notification obligations. Enhanced KYC data collection for grey-list country clients should be reviewed against Loi 25 requirements by Québec-based institutions.
How often should we update our country risk assessment?
Best practice aligned with FINTRAC examination expectations: update within 10 business days of each FATF plenary publication (February, June, October). The updated country risk matrix should be retained with documentation of the review date and approver.
What are the PCMLTFA penalties for inadequate high-risk country programmes?
Following the 2026 amendments, AMPs range from $1 to $4,000,000 for serious violations. FINTRAC has published enforcement cases where inadequate country risk assessment was cited as a programme deficiency. CAMLO certification of the programme's effectiveness is now explicitly required.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.