TL;DR: FATF has added Iraq and Bosnia and Herzegovina to its grey list while removing Algeria and Namibia, highlighting how AML/CFT supervision, beneficial ownership transparency, sanctions-evasion controls, and suspicious transaction reporting remain the operational levers, according to SumSub. Grey-listing is a governance test, not a blanket customer exclusion decision, and practitioners should treat it as a signal to tighten risk-based controls rather than default to indiscriminate de-risking.
NHIMG editorial — based on content published by Sumsub: FATF adds Iraq and Bosnia & Herzegovina to the grey list as Algeria and Namibia are removed
Questions worth separating out
Q: How should organisations respond when a jurisdiction is added to the FATF grey list?
A: Treat grey-listing as a signal to review country risk, due diligence depth, monitoring thresholds, and beneficial ownership evidence.
Q: Why do beneficial ownership controls matter more when AML risk rises?
A: Because ownership data is what connects an entity to the people who control it.
Q: What breaks when firms use blanket de-risking instead of risk-based AML controls?
A: They lose visibility into transactions that still need monitoring, push activity into less transparent channels, and create inconsistent treatment that is hard to justify to regulators.
Practitioner guidance
- Re-score jurisdictional risk immediately Update country risk models when FATF status changes so onboarding and monitoring rules reflect current monitoring status rather than stale labels.
- Verify beneficial ownership evidence freshness Check that ownership records are current, independently supportable, and tied to approval workflows before they are used in customer due diligence.
- Tune suspicious activity escalation thresholds Review alert thresholds and investigator playbooks so grey-listed exposure triggers deeper review without forcing every case into the same queue.
What's in the full analysis
Sumsub's full article covers the policy and market detail this post intentionally leaves for the source:
- The June 2026 FATF plenary context behind the grey-list change and the countries involved.
- The specific AML/CFT commitments Iraq and Bosnia and Herzegovina must work through.
- The IMF-linked macroeconomic impact estimate and why it matters for financial institutions.
- The distinction between increased monitoring and automatic customer exclusion in practice.
👉 Read Sumsub's coverage of FATF grey-list changes and AML risk responses →
Grey listing and AML screening: what compliance teams need now?
Explore further
Grey-listing is a governance signal, not a customer exclusion policy. FATF monitoring tells institutions to reassess AML/CFT controls, not to abandon risk-based decision-making. The mistake many programmes make is turning a jurisdictional signal into a blunt access rule, which weakens both compliance quality and business defensibility. Practitioners should treat the list as an input to control tuning, not as a substitute for case-level judgment.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable for AML decisions when FATF monitoring changes?
A: Compliance, financial crime, and onboarding teams are all accountable for keeping controls aligned to current risk. The governance question is whether the institution can show a documented, proportionate rationale for each decision. That accountability matters as much as the control itself.
👉 Read our full editorial: Grey listing and risk-based screening reshape AML governance