FATF High-Risk Countries 2026: US AML Compliance Obligations
FATF grey list and blacklist updated February 2026: how FinCEN, BSA, and OFAC requirements interact for US financial institutions, and what enhanced due diligence steps are required for high-risk jurisdictions.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokFATF High-Risk Jurisdictions 2026: US Compliance Implications
As of February 13, 2026, the Financial Action Task Force (FATF) maintains three countries on its blacklist โ North Korea (DPRK), Iran and Myanmar โ and 22 jurisdictions under increased monitoring (the grey list), including Algeria, Bulgaria, Kenya, Kuwait, Lebanon, Syria, Venezuela and Vietnam. For US financial institutions and covered non-financial businesses, these designations intersect directly with obligations under the Bank Secrecy Act (BSA) / 31 U.S.C. ยง 5311, FinCEN's implementing regulations (31 CFR Chapter X), and OFAC sanctions programs.
Regulatory baseline: FinCEN issues advisories following each FATF plenary โ most recently the March 2, 2026 advisory โ instructing US financial institutions to "consider the FATF's stance when reviewing their obligations and risk-based policies, procedures, and practices." Blacklisted countries (DPRK and Iran) are subject to comprehensive OFAC sanctions, making any financial dealings with them effectively prohibited under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).
How FATF Lists Intersect with US AML Law
Unlike EU law, US law does not automatically translate FATF designations into statutory enhanced due diligence mandates. However, FATF designations are a recognized risk indicator that triggers obligations under the BSA's risk-based AML program requirement (31 CFR ยง 1020.210 for banks, ยง 1022.210 for MSBs).
| FATF Designation | US regulatory implication |
|---|---|
| Blacklist (DPRK, Iran, Myanmar) | Covered by comprehensive OFAC sanctions; prohibited transactions (DPRK: E.O. 13722; Iran: ITSR; Myanmar: E.O. 14014) |
| Grey list (22 countries) | Elevated country risk in BSA program; EDD best practice; SARs more likely warranted |
OFAC vs. FATF: OFAC sanctions and FATF designations are separate legal frameworks. A country can be on FATF's grey list without comprehensive OFAC sanctions (e.g., Venezuela has a targeted sanctions program, not a comprehensive embargo). Compliance teams must assess both independently.
FATF Grey List: Current 22 Jurisdictions (February 2026)
Countries committed to addressing AML/CFT deficiencies with a FATF action plan:
Algeria, Angola, Bolivia, Bulgaria, Cameroon, Cรดte d'Ivoire, Democratic Republic of Congo, Haiti, Kenya, Kuwait, Laos, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, British Virgin Islands, Yemen.
February 2026 additions: Kuwait and Papua New Guinea were added at the February 2026 plenary for strategic deficiencies in their AML/CFT/CPF frameworks.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotPractical Obligations for US Financial Institutions
Risk-Based AML Program Requirements
Under the BSA, every covered financial institution must maintain a written AML program that is reasonably designed to prevent and detect money laundering (31 CFR ยง 1020.210). FATF grey-list status is a mandatory risk factor in your institution's country risk assessment. The regulatory expectation, supported by FinCEN guidance and OCC examination procedures, includes:
- Customer Due Diligence (CDD) rule (31 CFR ยง 1010.230): Collecting beneficial ownership information for legal entity customers with connections to grey-listed jurisdictions
- Enhanced Due Diligence (EDD): Additional documentation on source of funds and source of wealth for customers from or transacting with high-risk jurisdictions
- Correspondent banking: For foreign financial institutions in grey-listed countries, Regulation YY and 31 CFR ยง 1010.610 require enhanced screening and may require enhanced correspondent due diligence
Suspicious Activity Reports (SARs)
Transactions involving FATF-listed jurisdictions significantly lower the SAR filing threshold. Under 31 CFR ยง 1020.320, a SAR must be filed when a US financial institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity. Involvement of a blacklisted country is considered per se suspicious and warrants SAR filing regardless of amount.
ACFE benchmark: The ACFE 2024 Report to the Nations reports that fraud persists for an average of 87 days without enhanced controls. Robust transaction monitoring for high-risk country flows reduces this exposure.
DPRK and Iran: Special Prohibitions Under US Law
For North Korea and Iran specifically, US obligations go far beyond EDD:
North Korea (DPRK):
- Executive Order 13722 prohibits virtually all transactions with DPRK and DPRK-linked parties
- FinCEN Rule 31 CFR ยง 1010.659 prohibits US correspondent accounts for DPRK financial institutions
- Secondary sanctions risk exists for non-US institutions transacting with DPRK parties
Iran:
- The Iran Transactions and Sanctions Regulations (ITSR), 31 CFR Part 560, prohibit most transactions
- OFAC's SDN list includes thousands of Iranian individuals and entities
- Specific authorizations (OFAC general and specific licenses) are required for any permissible dealings
Myanmar:
- Executive Order 14014 authorizes targeted sanctions against military-linked entities and individuals
- Not a comprehensive embargo โ transactions with non-designated parties are permitted but require enhanced screening
State-Level Considerations
US financial institutions must also consider state-level AML requirements, which can be stricter than federal standards:
- New York (23 NYCRR ยง 504): Requires annual certification of transaction monitoring and filtering programs by the Chief Compliance Officer
- California (DFPI regulations): Money transmitters face state-specific enhanced due diligence requirements for high-risk jurisdictions
- FinCEN Geographic Targeting Orders (GTOs): May apply additional cash reporting requirements in specific geographic areas for transactions involving high-risk countries
Corporate Transparency Act (CTA) Intersection
The Corporate Transparency Act (CTA), effective January 1, 2024, requires beneficial ownership reporting for most US entities. For entities with ownership linked to FATF grey-list jurisdictions, the CTA information filing creates an additional verification touchpoint for AML programs โ beneficial owner documentation from high-risk countries requires particular scrutiny.
Operational Steps: Updating Your BSA/AML Program
The CheckFile platform covers 32 jurisdictions and supports over 3,200 document types, enabling US compliance teams to rapidly verify foreign identity documents from grey-listed jurisdictions โ essential for CDD rule compliance and SAR-filing decisions.
Key operational updates required after each FATF plenary:
| Action | Timing | Responsible party |
|---|---|---|
| Update country risk matrix | Within 48 hours of publication | BSA Officer |
| Trigger EDD review for affected customers | Within 30 days | Compliance team |
| Review and update transaction monitoring rules | Within 60 days | Analytics / BSA team |
| Update training materials | Within 90 days | Training / compliance |
For more on enhanced due diligence practices, see our EDD compliance guide. For the intersection with sanctions programs, see our OFAC and EU sanctions screening guide.
Frequently Asked Questions
Does FinCEN require automatic EDD for all customers from FATF grey-list countries?
No automatic statutory requirement exists for grey-list countries the way EU law does. However, the risk-based BSA framework requires enhanced scrutiny when country risk is elevated. A grey-list designation is strong evidence of elevated risk, and failure to apply proportionate EDD could result in BSA program deficiencies cited by examiners.
Are OFAC sanctions and FATF designations the same thing?
No. OFAC sanctions prohibit transactions with specific parties (individuals, entities, governments) or countries (comprehensive embargoes). FATF designations identify countries with AML/CFT deficiencies and recommend enhanced due diligence. A country can be grey-listed by FATF without being sanctioned by OFAC, and vice versa.
What happens if we process a transaction involving a FATF-blacklisted country inadvertently?
For Iran and DPRK, inadvertent violations of OFAC sanctions are still violations. OFAC's penalty guidelines allow for voluntary self-disclosure, which typically results in reduced penalties. You should also file a SAR with FinCEN. Consult counsel immediately and consider filing for retroactive OFAC authorization or a no-action request.
How often should we update our country risk assessment in light of FATF updates?
Best practice and OCC examination guidance align on a minimum quarterly review to capture all three FATF plenary updates. Your written BSA/AML program policies should specify this review cycle and document evidence of each review.
Do non-bank financial institutions (MSBs, crypto exchanges) have the same FATF-related obligations?
Yes โ all FinCEN-registered reporting entities have BSA-based AML program obligations that incorporate country risk. For crypto exchanges registered with FinCEN, the Travel Rule (31 CFR ยง 1010.410) adds additional transmission record-keeping requirements for transactions involving high-risk jurisdiction counterparties.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.