The Financial Action Task Force (FATF) monitors and assesses national anti-money laundering and counter-financing of terrorism (AML/CFT) frameworks globally. Its grey list and black list carry direct consequences for KYB and KYC onboarding decisions at banks and fintechs: businesses incorporated or operating in listed jurisdictions present elevated compliance risk, and regulators expect that risk to be captured, assessed, and documented.
This piece explains how FATF lists work, how jurisdiction risk feeds into KYB onboarding decisions, and how to build jurisdiction risk into an automated compliance policy without blocking every business from a listed country.
How FATF lists work
FATF operates two public lists that carry specific compliance implications.
The FATF grey list (formally: Jurisdictions under Increased Monitoring) identifies countries that have committed to addressing deficiencies in their AML/CFT regimes and are actively working with FATF to do so. Grey-listed countries have strategic weaknesses — gaps in their ability to prevent, detect, or prosecute financial crime — but are cooperating with the international standards-setting body. The list is reviewed and updated at each FATF plenary, typically three times a year.
The FATF black list (formally: High-Risk Jurisdictions subject to a Call for Action) identifies countries with significant and unaddressed AML/CFT deficiencies. FATF calls on its members to apply counter-measures — enhanced due diligence (EDD) at minimum, and potentially business restrictions or prohibitions — for entities and transactions connected to black-listed jurisdictions.
The lists are not static. Countries are added and removed as their compliance with FATF standards evolves. Myanmar, Russia, and Iran are among the jurisdictions that have appeared on or been removed from these lists in recent years. Keeping your jurisdiction risk data current is an operational requirement, not a one-time implementation.
Why FATF status matters in KYB onboarding
When a business applies to open an account or access a regulated product, its jurisdictional profile creates risk signals that compliance teams must assess. These signals come from multiple places in the application: the country of incorporation, the operating jurisdictions declared by the business, the nationalities and countries of residence of directors and UBOs, and the jurisdictions of ultimate parent entities in complex corporate structures.
A business incorporated in a grey-listed jurisdiction is not automatically declined — but it should trigger enhanced due diligence processes. The compliance team needs more information: the nature of the business, the sources of funds, whether the business has operations in other jurisdictions, and the identity and background of the people behind it. That information should be collected, assessed, and documented.
A business with connections to a black-listed jurisdiction — through incorporation, UBO residency, or operational exposure — requires careful consideration. Some institutions have blanket policies against onboarding businesses with any connection to specific black-listed jurisdictions. Others operate with enhanced due diligence requirements and referral to a senior compliance officer. The correct policy depends on the institution's risk appetite, its regulatory environment, and the guidance of its compliance leadership.
The overblocking problem
Jurisdiction risk, if applied crudely, creates a significant overblocking problem. Not every business incorporated in a grey-listed country is high risk. A legitimate professional services firm incorporated in the UAE (which has spent time on the grey list) and seeking to open a UK business account presents a different risk profile from a shell company with anonymous shareholders and no clear commercial purpose incorporated in the same jurisdiction.
The FATF lists are a risk signal, not a decision. They should inform the depth of due diligence applied to a case — how many additional questions are asked, how much supporting evidence is required, who in the compliance hierarchy reviews the case — rather than triggering automatic rejection.
Institutions that apply blanket rejection policies for grey-listed jurisdictions face two problems. The first is commercial: they are refusing legitimate businesses that are in fact low risk, damaging conversion rates and reputation without improving compliance outcomes. The second is regulatory: FATF and the UK's Financial Conduct Authority expect a risk-based approach, not a rule-based exclusion list. Demonstrating a risk-based approach requires showing that the institution assesses the specific risk of each case rather than applying a mechanical rule.
Building jurisdiction risk into automated KYB
An automated KYB platform should incorporate jurisdiction risk as a weighted factor in the composite risk score, rather than as a binary flag or an exclusion list.
This means:
Tagging jurisdiction signals across the full application. Jurisdiction risk is not just about where the company is incorporated. It includes the nationalities and residences of directors and UBOs, the operating jurisdictions declared by the business, and — for corporate structures — the jurisdictions of parent entities. A fully automated KYB platform collects and tags all of these signals.
Applying FATF status to each jurisdictional signal. Black-list status carries a higher risk weight than grey-list status. Grey-list status carries a higher weight than a non-listed but high-risk jurisdiction (based on the institution's own assessment). Jurisdictions with no FATF concerns carry no additional weight.
Incorporating jurisdiction risk into the composite score. The jurisdiction risk component is weighted against other factors: ownership complexity, industry sector, screening results, document quality. A business with grey-list jurisdiction exposure but a simple ownership structure, clean screening, and high-quality documents may score lower than a business with no jurisdiction flags but a complex UBO chain and adverse media hits.
Triggering enhanced due diligence at defined thresholds. When the composite score crosses the EDD threshold, the platform requests additional information from the applicant: source of funds declaration, explanation of business activities in listed jurisdictions, supporting documentation. This happens automatically, without an analyst manually deciding whether EDD is warranted.
Routing to senior review when the score crosses the escalation threshold. Cases with black-list jurisdiction exposure, or where multiple grey-list signals combine with other risk factors, are routed to a senior compliance officer with a full evidence pack: jurisdiction mapping, risk score breakdown, screening results, and a summary of the additional EDD collected.
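The tagging, weighting, threshold and routing steps above, as an added example (not code from the original page or from any KYB platform). The placeholder country codes XB, XG and XH, every weight, the jurisdiction cap and both thresholds are assumptions chosen for illustration; the EDD threshold is set so that a single grey-list signal is enough to reach EDD.

```python
# Constructed list data with placeholder country codes; production data comes
# from a feed refreshed after each FATF plenary.
FATF_STATUS = {"XB": "black", "XG": "grey", "XH": "internal_high"}

# Assumed weights, ordered as the text describes: black > grey > internal > none.
STATUS_WEIGHT = {"black": 40, "grey": 15, "internal_high": 8, "none": 0}
# Assumed weights for the non-jurisdiction factors named in the text.
FACTOR_WEIGHT = {"ownership_complexity": 20, "sector": 15,
                 "screening_hits": 30, "document_quality": 10}
JURISDICTION_CAP = 45      # assumed: stacked signals cannot dominate on their own
EDD_THRESHOLD = 15         # assumed: one grey-list signal reaches EDD
ESCALATION_THRESHOLD = 60  # assumed


def score_application(signals, factors):
    """signals: (role, country) pairs tagged across the whole application.
    factors: factor name -> severity in [0.0, 1.0].
    Returns the composite score, the routing outcome and a per-signal breakdown."""
    breakdown, jurisdiction_total, has_black = [], 0, False
    for role, country in signals:
        status = FATF_STATUS.get(country, "none")
        weight = STATUS_WEIGHT[status]
        has_black = has_black or status == "black"
        jurisdiction_total += weight
        breakdown.append({"role": role, "country": country,
                          "fatf_status": status, "weight": weight})
    jurisdiction_score = min(jurisdiction_total, JURISDICTION_CAP)
    other_score = sum(FACTOR_WEIGHT[name] * severity
                      for name, severity in factors.items())
    score = round(jurisdiction_score + other_score, 1)
    # Black-list exposure always goes to senior review; otherwise thresholds decide.
    if has_black or score >= ESCALATION_THRESHOLD:
        outcome = "senior_review"
    elif score >= EDD_THRESHOLD:
        outcome = "edd"
    else:
        outcome = "standard"
    return {"score": score, "outcome": outcome, "breakdown": breakdown}


# Constructed cases mirroring the comparison in the text.
GREY_BUT_CLEAN = score_application(
    [("incorporation", "XG"), ("ubo_residence", "GB")],
    {"ownership_complexity": 0.1, "screening_hits": 0.0, "document_quality": 0.1})
UNLISTED_BUT_COMPLEX = score_application(
    [("incorporation", "GB"), ("director_residence", "GB")],
    {"ownership_complexity": 0.9, "screening_hits": 0.8, "document_quality": 0.3})
```

The returned breakdown records which signal carried which FATF status and weight, which is the material the evidence pack for senior review needs.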
Staying current with FATF updates
The grey list and black list update three times a year. Compliance teams that are not monitoring these updates may be applying outdated jurisdiction risk assessments — overblocking jurisdictions that have been removed or, more concerning, underweighting jurisdictions that have been added.
In an automated KYB platform, jurisdiction risk data should be sourced from a feed that updates when FATF publishes. The institution's risk rules should then automatically apply the new risk weights to any cases in progress and flag existing customers who have newly acquired elevated jurisdiction risk due to a FATF update — triggering review under the institution's perpetual monitoring programme.
This is one of the clearest examples of why automated KYB is not a one-time implementation. The regulatory environment changes. Jurisdiction risk profiles change. The platform needs to respond to those changes without requiring manual intervention every time FATF convenes a plenary.
The audit trail for jurisdiction risk decisions
When a regulator asks how the institution assessed jurisdiction risk for a specific application, the answer needs to be in the system. This means the audit trail must include: which jurisdictional signals were identified, what FATF status was applied to each, how those signals contributed to the risk score, and what action was taken as a result.
A comprehensive audit trail for jurisdiction risk decisions demonstrates that the institution operates a genuine risk-based approach — not a mechanical exclusion list that could be challenged as disproportionate, and not a permissive approach that ignores material risk signals.
Automated KYB platforms that log every risk scoring decision, with the data used and the result reached, make this demonstration straightforward. Manual processes that rely on analyst notes and email chains do not.