If you are new to AML/CTF, "FATF grey list" probably sounds like someone else's problem, a global body naming faraway countries. It isn't. Under your Tranche 2 obligations, a client's connection to a high-risk country is one of the clearest signals that you need to do more than a basic ID check. So when the Financial Action Task Force (FATF) updated its list on 19 June 2026, the map of which clients warrant extra scrutiny changed with it.
Here is the current list, what it actually means for an Australian accountant, lawyer, conveyancer or real estate agent, and the part that matters most: when a country connection tips a client into enhanced due diligence.
What the FATF lists actually are
The FATF is the global standard-setter for anti-money laundering. It maintains two lists of countries with weak controls:
- The grey list, officially "Jurisdictions under Increased Monitoring." These countries have committed to fixing identified weaknesses and are being watched while they do. This is the list that changes most often.
- The black list, officially "High-Risk Jurisdictions subject to a Call for Action." As of June 2026 this names three: Iran and North Korea (DPRK), the most serious category, and Myanmar. Any dealing connected to these demands the highest level of caution.
Neither list is Australian law by itself. But AUSTRAC expects you to factor foreign-jurisdiction risk, including FATF-listed countries, into your ML/TF risk assessment. In practice, a connection to a listed country is a risk factor that pushes a client up your risk scale, and when the risk is high, enhanced due diligence follows.
The current FATF grey list (as of 19 June 2026)
The June 2026 plenary added Iraq and Bosnia and Herzegovina, and removed Algeria and Namibia after they completed their action plans. That leaves 22 jurisdictions on the grey list:
Angola · Bolivia · Bosnia and Herzegovina (new) · Bulgaria · Cameroon · Côte d'Ivoire · Democratic Republic of the Congo · Haiti · Iraq (new) · Kenya · Kuwait · Laos · Lebanon · Monaco · Nepal · Papua New Guinea · South Sudan · Syria · Venezuela · Vietnam · Virgin Islands (UK) · Yemen
A few of these will matter more to Australian firms than others. Papua New Guinea is the obvious one: a close neighbour that turns up regularly in Australian property, business and family dealings. But Monaco, Vietnam, Lebanon and the UK Virgin Islands (a common company-structuring jurisdiction) also appear often enough in ordinary Australian client work that you should recognise them on sight.
What a high-risk country connection actually requires of you
Here is the calm version, because the instinct to either ignore the flag or refuse the client outright is usually wrong.
A grey-list connection is not a reason to decline a client. It is a risk factor to manage. Plenty of entirely legitimate clients have ties to these countries: a Vietnamese-born business owner, a family with property in PNG, a company with a Monaco shareholder. What the connection does is raise the risk rating, and a high risk rating is what triggers enhanced due diligence (EDD) rather than standard checks.
In practice, EDD for a high-risk-country client means:
- Taking reasonable steps to establish the client's source of funds and source of wealth, not just their identity.
- Getting senior sign-off before taking on or continuing the relationship.
- Applying closer, more frequent ongoing monitoring than you would for a low-risk client.
- Documenting all of it, so your file shows you identified the country risk and managed it, rather than missed it.
What counts as a "connection"?
It is broader than where the client lives. A high-risk-jurisdiction link can come from any of:
- The client is a resident or citizen of a listed country.
- Their funds are sourced from, or flow to, a listed country.
- A beneficial owner or controller sits in a listed country.
- The client's business operates there, or the transaction touches it.
This is exactly why identifying beneficial ownership matters: a client in Sydney can still carry high-risk-country exposure through the people or money behind them.
Don't confuse the FATF list with sanctions
One important distinction. Being on the FATF grey list is not the same as being sanctioned. Sanctions (administered in Australia by DFAT) are legally binding: dealing with a sanctioned person or entity can be a criminal offence, and a confirmed sanctions match stops the transaction. A FATF grey-list connection, by contrast, is a risk factor. It shapes how much due diligence you do; it doesn't prohibit the work. You need to handle both, but they are different tools doing different jobs.
Put it in your program, and keep it current
Two practical steps close this out.
First, your AML/CTF program's risk assessment should name high-risk foreign jurisdictions as an explicit risk factor, and your customer risk-rating should lift a client's score when a listed-country connection is present. If "country risk" isn't written into your methodology, an auditor can't see that you consider it.
Second, the list moves. FATF reviews it three times a year (roughly February, June and October), so the grey list you rely on today will be out of date within months. Algeria and Namibia were on it until June; two new countries just joined. Build a habit, or use a tool, to refresh country risk after each FATF plenary, rather than hard-coding a list once and forgetting it.
AML Mate builds country risk into your client risk assessment and screening, so a high-risk-jurisdiction connection is flagged and factored into the risk rating automatically, and your AML/CTF program's risk methodology already names it. Run a free compliance check to see where your firm stands, or view pricing to generate your full AUSTRAC-ready program today.
