TL;DR: FATF has added Iraq and Bosnia and Herzegovina to its grey list while removing Algeria and Namibia, highlighting how AML/CFT supervision, beneficial ownership transparency, sanctions-evasion controls, and suspicious transaction reporting remain the operational levers, according to Sumsub. Grey-listing is a governance test, not a blanket customer exclusion decision, and practitioners should treat it as a signal to tighten risk-based controls rather than default to indiscriminate de-risking.
At a glance
What this is: FATF’s June 2026 plenary added Iraq and Bosnia and Herzegovina to increased monitoring while removing Algeria and Namibia after AML/CFT improvements.
Why it matters: For identity and compliance teams, the takeaway is that risk-based onboarding, beneficial ownership checks, and monitoring controls must adapt to jurisdictional change without turning into blunt exclusion rules.
By the numbers:
- The IMF estimated that grey-listing has historically been associated with an average decline in capital inflows equivalent to 7.6% of GDP.
Context
Grey-listing is a formal signal that a jurisdiction has AML/CFT weaknesses that require closer monitoring, not a mandate to shut out every customer or counterpart immediately. In practice, it forces compliance, fraud, and identity teams to distinguish between jurisdictional risk, customer risk, and transaction risk before applying controls.
For IAM and compliance programmes, this matters because customer due diligence, beneficial ownership verification, sanctions screening, and ongoing monitoring all depend on the quality of the identity data feeding them. When a jurisdiction moves onto or off the FATF grey list, the control posture should change with it, but in a proportionate way that still supports access, onboarding, and auditability.
Key questions
Q: How should organisations respond when a jurisdiction is added to the FATF grey list?
A: Treat grey-listing as a signal to review country risk, due diligence depth, monitoring thresholds, and beneficial ownership evidence. Do not assume every customer or payment from that jurisdiction is high risk by default. A proportionate response is easier to defend and usually produces better detection than blanket exclusion.
Q: Why do beneficial ownership controls matter more when AML risk rises?
A: Because ownership data is what connects an entity to the people who control it. If that information is incomplete or stale, sanctions screening, onboarding checks, and investigations lose context. In grey-list environments, weak ownership data creates blind spots that make risk-based decisions less reliable.
Q: What breaks when firms use blanket de-risking instead of risk-based AML controls?
A: They lose visibility into transactions that still need monitoring, push activity into less transparent channels, and create inconsistent treatment that is hard to justify to regulators. Blanket de-risking also consumes operational capacity without improving the quality of case decisions. Risk-based controls are more precise and more auditable.
Q: Who is accountable for AML decisions when FATF monitoring changes?
A: Compliance, financial crime, and onboarding teams are all accountable for keeping controls aligned to current risk. The governance question is whether the institution can show a documented, proportionate rationale for each decision. That accountability matters as much as the control itself.
Technical breakdown
What the FATF grey list changes in risk operations
Grey-listing is a supervisory signal that a jurisdiction has committed to fixing AML/CFT weaknesses under FATF monitoring. It does not automatically mean every relationship tied to that country is suspicious, but it does mean firms should revisit country risk ratings, beneficial ownership evidence, transaction thresholds, and escalation rules. The operational challenge is separating jurisdiction-level concern from entity-level evidence so that controls remain defensible and consistent.
Practical implication: Recalibrate country risk scoring and review triggers when a jurisdiction is added or removed from increased monitoring.
Beneficial ownership and suspicious transaction reporting under pressure
The article highlights two recurring failure points in AML programmes: incomplete beneficial ownership data and weak suspicious transaction reporting. Beneficial ownership is only useful when it is accurate, current, and linked to real decision-making, while STR quality depends on analysts seeing patterns across accounts, counterparties, and payment routes. Where these controls are weak, grey-listing tends to expose process gaps rather than create new ones.
Practical implication: Validate beneficial ownership fields and STR workflows for completeness, freshness, and investigator usability.
Why risk-based controls beat blanket de-risking
A risk-based approach means firms apply stronger scrutiny where evidence warrants it, rather than excluding entire customer classes because of geography alone. That matters because broad de-risking can reduce visibility, push activity into less transparent channels, and create a false sense of compliance. The better model is tiered due diligence, continuous monitoring, and documented rationale that can be defended to auditors and regulators.
Practical implication: Use documented, tiered controls instead of blanket prohibitions for grey-listed jurisdictions.
NHI Mgmt Group analysis
Grey-listing is a governance signal, not a customer exclusion policy. FATF monitoring tells institutions to reassess AML/CFT controls, not to abandon risk-based decision-making. The mistake many programmes make is turning a jurisdictional signal into a blunt access rule, which weakens both compliance quality and business defensibility. Practitioners should treat the list as an input to control tuning, not as a substitute for case-level judgment.
Beneficial ownership quality is the control hinge in grey-list environments. If ownership data is incomplete or stale, every downstream AML control becomes less reliable, from onboarding checks to sanctions screening and investigations. That is why grey-listing often exposes identity data governance weaknesses as much as financial crime exposure. The practical conclusion is to prioritise evidence quality, not just more screening volume.
Grey-listing pressure often reveals where AML programmes over-rely on static rules. Jurisdiction tables and one-time review decisions age quickly, while criminal typologies and regulatory expectations change. Institutions that cannot adapt thresholds, case handling, and escalation logic to current risk conditions are left with controls that look strict on paper but miss the actual exposure. Practitioners should build governance that can move with the data.
Capital-flow impact is a reminder that compliance and access decisions have business consequences. The IMF’s estimate of a 7.6% GDP-equivalent decline in capital inflows shows why grey-listing affects more than regulatory posture. Risk teams need to coordinate with onboarding, payments, and correspondent banking stakeholders so that tightening controls does not become operational paralysis. The discipline is calibrated restriction, not reflexive retreat.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For a broader governance lens, compare this with the NHI Lifecycle Management Guide to see how lifecycle discipline reduces control drift across identity types.
What this signals
Grey-list events expose whether compliance teams can change posture without losing governance discipline. The practical test is not whether an institution can tighten controls, but whether it can do so proportionately, with clear evidence, and without freezing legitimate activity. As jurisdictions move in and out of increased monitoring, static rule sets become less credible than case-based decisioning supported by documented rationale.
Identity and compliance programmes should expect more pressure on evidence quality than on rule count. The institutions that cope best will be the ones that can prove ownership, source-of-funds, and transaction context quickly enough to support timely review. For a useful control baseline, the NHI Lifecycle Management Guide remains a good reference point for thinking about governance around identity state changes, even outside machine identity.
The broader signal is that risk-based governance is becoming the default expectation across identity-adjacent compliance work. Whether the subject is AML, access reviews, or secrets hygiene, the winning pattern is the same: accurate data, documented thresholds, and fast operational escalation. In other words, policy volume is not the same thing as control maturity.
For practitioners
- Re-score jurisdictional risk immediately: Update country risk models when FATF status changes so onboarding and monitoring rules reflect current monitoring status rather than stale labels.
- Verify beneficial ownership evidence freshness: Check that ownership records are current, independently supportable, and tied to approval workflows before they are used in customer due diligence.
- Tune suspicious activity escalation thresholds: Review alert thresholds and investigator playbooks so grey-listed exposure triggers deeper review without forcing every case into the same queue.
- Document proportionate de-risking decisions: Record the rationale for enhanced scrutiny, standard review, or relationship exit so auditors can see the control logic behind the outcome.
Key takeaways
- FATF grey-listing should be treated as a governance input, not a blanket prohibition trigger.
- The strongest AML controls in this article are beneficial ownership accuracy, proportionate monitoring, and documented escalation logic.
- Institutions that cannot adjust controls quickly to jurisdictional changes will struggle to prove compliance and maintain operational flexibility.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity evidence quality drives AML onboarding and monitoring decisions. |
| NIST CSF 2.0 | GV.RM-1 | Grey-listing is a risk management input that should change control posture. |
| NIST SP 800-63 | | Identity assurance concepts help frame evidence quality for regulated onboarding. |
Apply assurance thinking to beneficial ownership and source-of-funds evidence so decisioning stays defensible.
Key terms
- Grey Listing: Grey listing is FATF’s increased monitoring status for jurisdictions with AML/CFT weaknesses. It signals that a country has committed to an action plan, and that institutions should adjust their risk posture with evidence, not with blanket exclusion.
- Beneficial Ownership: Beneficial ownership is the identification of the real person or persons who ultimately control or benefit from an entity. In AML programmes, it is only useful when the data is current, verified, and connected to decision workflows that investigators can trust.
- Risk-Based Approach: A risk-based approach applies controls in proportion to the evidence, exposure, and operating context. In AML, that means stronger scrutiny where needed, lighter treatment where justified, and a documented rationale that can withstand audit and regulatory review.
This post draws on content published by Sumsub: FATF adds Iraq and Bosnia & Herzegovina to the grey list as Algeria and Namibia are removed. Read the original.
Published by the NHIMG editorial team on 2026-06-23.