Home
>
Insights & Success Stories

What is FATF Blacklist? Updated Black List Countries 2026

 If the FATF Grey List typically reflects acknowledged deficiencies alongside an agreed programme of reforms, the FATF blacklist indicates a far higher level of concern.

Most readers seeking to understand what the FATF blacklist means are trying to resolve two operational questions.

First, which jurisdictions are currently designated under the FATF’s highest risk category?

Second, what additional controls are expected across customer due diligence, transaction monitoring, and governance, particularly in the UAE, where cross-border exposure is a routine feature of business?

The FATF refers to the blacklist as “High Risk Jurisdictions subject to a Call for Action”. This designation signals strategic deficiencies linked to money laundering, terrorist financing, and proliferation financing risks. In response, the FATF calls on its members and all jurisdictions to apply enhanced due diligence and, where warranted, implement countermeasures to safeguard the integrity of the international financial system.

This article is written for UAE-regulated and supervised environments, including DIFC, ADGM, VARA, mainland, and other commercial free zones, with a practical focus on implementing a defensible, risk-based AML framework in day-to-day operations.

What Is FATF Blacklist?

So, what is FATF blacklist in simple terms. It is the FATF list of countries or jurisdictions where AML, CFT, and CPF weaknesses are so significant that they create a serious risk to the international financial system.

The key distinction is the FATF response expectation.

For Grey Listed jurisdictions under increased monitoring, FATF does not call for enhanced due diligence to be automatically applied to those jurisdictions.
For black listed jurisdictions subject to a call for action, FATF urges enhanced due diligence and, for the most serious cases, countermeasures.

This is why the FATF blacklist is treated as a high-impact geographic risk trigger in any country risk assessment AML methodology.

Updated FATF blacklist countries 2026 (as of 13 February 2026)

As of 13 February 2026, the FATF public statement lists the following jurisdictions as High Risk Jurisdictions subject to a Call for Action, commonly referred to as the FATF black list countries 2026.

  • Democratic People’s Republic of Korea

  • Iran

  • Myanmar

What “call for action” means in practice

FATF’s statement explains that for high-risk jurisdictions, all members and all jurisdictions should apply enhanced due diligence, and in the most serious cases, apply countermeasures to protect the international financial system.

The same statement sets out that the DPRK section includes specific countermeasure expectations such as terminating correspondent relationships with DPRK banks and closing subsidiaries or branches of DPRK banks, alongside other restrictions.

Why the FATF blacklist matters in the UAE

The UAE is a global business hub. In practical compliance terms, this means exposure to high-risk jurisdictions can appear in many ordinary-looking scenarios, including corporate ownership chains, trade flows, client residency history, and payment routes.

In the UAE, blacklist exposure commonly shows up through:

Customer and ownership exposure

  • A customer, beneficial owner, or controller is linked to a black listed jurisdiction
  • A corporate structure includes entities, nominees, or opaque layers that reduce beneficial ownership transparency
  • A customer seeks to use UAE entities and accounts to create distance between the origin of funds and their end use

Funds and transaction exposure

  • Payments routed through or connected to a black listed jurisdiction
  • Third-party funding where the payer is unrelated and based in a high-risk jurisdiction
  • Trade payments with poor documentation, inconsistent invoicing, or unclear economic purpose
  • Attempts to move value quickly, through multiple accounts, or through multiple intermediaries

In risk language, this is where geographic risk AML CFT becomes a real control requirement, not a policy paragraph.

DIFC: How blacklist exposure should be treated in a DFSA-regulated programme

For firms under the supervision of the Dubai Financial Services Authority, your AML framework must show a disciplined risk-based approach to AML compliance and evidence that you keep key risk inputs current.

A useful operational point is that the DFSA confirmed AML and Glossary module amendments coming into force on 2 March 2026, linked to the UAE’s updated federal AML framework.

In practical terms, DIFC firms should ensure blacklist exposure is reflected in:

  • Country risk scoring and risk appetite statements
  • EDD triggers and approval thresholds
  • Transaction monitoring scenarios for cross-border payments and correspondent banking exposure
  • Clear escalation pathways to the MLRO and documented rationale for decisions

The inspection risk is usually not that a firm does not know the list exists. The risk is inconsistent application, outdated risk tables, and files that do not explain the conclusion reached.

ADGM: keeping the FATF blacklist current and applying risk-based measures

In Financial Services Regulatory Authority supervision, the expectation is that firms keep the relevant FATF monitoring lists current and reflect them in how they apply risk-based CDD measures.

ADGM guidance explicitly points firms to maintaining up-to-date lists and screening for exposure as part of CDD, then factoring that exposure into the risk-based measures applied.

For blacklist exposure, this usually means your minimum standard should include:

  • Clear enhanced due diligence steps
  • Stronger ongoing monitoring intensity
  • Stricter approval governance for onboarding and continuation
  • Practical restrictions aligned to your risk appetite and legal obligations

VARA and VASPs: blacklist exposure sits in both onboarding and transaction behaviour

For virtual asset firms, blacklist exposure can appear through client onboarding, and also through transaction counterparties, wallet activity, and fiat rails.

VARA’s client due diligence rulebook requires a risk-based application of CDD measures aligned to UAE federal AML CFT laws, and a risk-based assessment of every client with a proportionate risk rating.

In a VARA setting, FATF blacklist exposure should typically drive:

  • Higher client risk ratings
  • Enhanced due diligence
  • Tighter ongoing monitoring scenarios for geographic exposure
  • Stronger case narratives and audit-ready decision records

Considering the FATF Blacklist for Mainland and Commercial Free Zones

Across mainland and most commercial free zones, you still need a clear method for identifying blacklist exposure and converting it into proportionate controls. The best programmes do not rely on one team member recognising a country name. They rely on an operating process that updates lists, adjusts risk logic, and drives consistent onboarding decisions.

A practical expectation is that your ML/FT risk assessment and your customer risk assessment framework are able to show:

  • How you ingest FATF public statements
  • How quickly you update systems and policies after each FATF plenary
  • How you decide when enhanced due diligence is mandatory
  • How you decide whether countermeasures or restrictions are appropriate for your business model

How to respond when you identify FATF blacklist exposure

1. Treat it as a high-risk trigger in your geographic risk model

Blacklist exposure should produce a clear uplift in geographic risk AML CFT scoring. Do not keep it as a footnote. Make it a visible input into the risk engine that drives onboarding steps.

2. Apply enhanced due diligence controls for high-risk countries as a minimum

For blacklist exposure, enhanced due diligence is not an optional add-on. It should be a defined minimum standard, aligned to your policy and regulatory expectations.

EDD in practice should cover:

  • Beneficial ownership transparency, including control rights and verification of ultimate natural persons
  • Source of funds evidence for the specific transaction or funding pattern
  • Source of wealth explanation, supported by credible documents
  • Purpose and economic rationale of the relationship and expected activity
  • Adverse information checks were relevant and proportionate
  • Senior management approval and documented rationale

3. Consider countermeasures and restrictions based on the FATF statement and your risk appetite

FATF describes countermeasures as the stronger end of the response spectrum for the most serious cases.
For example, the DPRK section includes calls to terminate correspondent relationships with DPRK banks and to close subsidiaries or branches of DPRK banks.

Your firm may not be a bank, but the principle still matters. You should define what restrictions are realistic for your business, such as:

  • Prohibiting relationships with customers established in a black listed jurisdiction
  • Restricting certain products and services where geographic risk is unacceptable
  • Rejecting third-party funding linked to black listed jurisdictions
  • Prohibiting payment corridors that create unacceptable cross-border payments AML risk
  • Submitting HRC/HRCA with the UAE FIU goAML portal

4. Strengthen transaction monitoring and case management

Blacklist exposure is not only an onboarding decision. It should raise the intensity of ongoing monitoring.

Examples of monitoring focus areas:

  • Repeated transfers connected to high-risk jurisdictions without a clear purpose
  • Payments split to avoid thresholds or scrutiny
  • Rapid movement of funds through multiple accounts or intermediaries
  • Transactions inconsistent with the customer profile and expected activity

5. Escalate quickly and document the decision trail

In UAE inspections, documentation is often the difference between a concern and a finding.

Maintain clear evidence of:

  • What triggered suspicion or heightened risk
  • What questions were asked, and what evidence was obtained
  • What decision was made, by whom, and why
  • What monitoring steps were set, and how the case will be reviewed

FATF Blacklist and Common Misconceptions

1. Blacklist equals sanctions

Blacklist status is a FATF monitoring and call-for-action position. Sanctions regimes are separate legal frameworks. You need to consider both, but they are not the same thing.

2. We can just de-risk everything

Blanket de-risking often causes commercial harm, customer unfairness, and poor decision-making on compliance. The safer position is a documented risk-based approach with clear risk appetite and controls.

3. Blacklist only affects banks

It strongly affects banks, DNFBPs, capital market companies, corporate service providers, real estate, professional firms, and VASPs, as the risks are linked to beneficial ownership opacity, cross-border value flows, and weak controls.

How GRC Advisors Can Help You Navigate Through the FATF Blacklist Changes

When the Financial Action Task Force updates its list of High-Risk Jurisdictions subject to a Call for Action, the impact is immediate and commercial. It shapes how banks and counterparties assess exposure, whether relationships are approved at all, and how aggressively transactions, trade flows, and payment routes are challenged.

GRC Advisors helps you respond with clarity and control by aligning your actions across the full AML control chain.

We support you in interpreting what blacklist developments mean for your products, customer base, and delivery channels, and how these exposures interact with your UAE regulatory perimeter across DIFC, ADGM, VARA, mainland, and the major commercial free zones.

We then refresh your ML, TF, and PF risk assessment by reassessing inherent risk drivers, validating mitigating controls, and updating residual risk outcomes. This aligns with your customer risk assessment approach, ensuring customer acceptance, risk ratings, approval thresholds, and EDD triggers remain consistent and defensible.

Finally, we update your AML policies and procedures so your documentation clearly operationalises blacklist expectations into day-to-day practice, including governance escalation, account and transaction controls, screening and monitoring enhancements, and evidence-ready decision-making.

Frequently Asked Questions on FATF Grey List Changes

What is the FATF blacklist?

The FATF blacklist is the list of FATF “High Risk Jurisdictions subject to a Call for Action”. It highlights jurisdictions with very serious AML, CFT, and proliferation-finance weaknesses, where stronger measures are expected.

The blacklist calls for action and expects enhanced measures, and in some cases, countermeasures. The Grey List is “increased monitoring”, meaning the country is being monitored against an improvement plan without the same level of call-for-action measures.

No. Sanctions are separate legal regimes. A FATF blacklist status is an AML, CFT, and proliferation financing risk signal. You still need to check sanctions separately.

Typically around FATF plenary cycles. From a compliance perspective, you should treat it as a recurring governance trigger and maintain a clear process for updates.

Not automatically. The right response is to apply your risk appetite and legal obligations using a risk based approach. Many firms restrict or prohibit certain relationships, but you should document the rationale and apply it consistently.

It means firms and jurisdictions are expected to apply enhanced measures for exposures connected to those jurisdictions, and in some cases to apply countermeasures. In practice, you should expect heightened scrutiny, additional evidence requests, and stricter approvals.

Countermeasures are stronger protective steps than standard enhanced due diligence. Depending on the business type, they can involve restricting certain products, limiting payment corridors, or refusing particular relationships where the exposure is unacceptable.

Common triggers include a customer’s residency or incorporation, beneficial owners connected to a blacklisted jurisdiction, source of funds or wealth linked to those countries, or business activity that relies heavily on high-risk corridors.

CDD should become more intensive. You should verify beneficial ownership more carefully, require a stronger source of funds and source of wealth evidence, confirm purpose and expected activity, and ensure approvals are aligned with your risk appetite and submit HRC/HRCA as applicable.

For most regulated firms, blacklist exposure is a clear EDD trigger. Even when you decide not to proceed, you should document why the exposure was unacceptable.

Evidence should be credible, relevant to the specific transaction, and easy to explain. Examples include bank statements showing the build-up of funds, sale agreements, audited financials, salary evidence, dividend records, or proof of legitimate business income, depending on the customer profile.

The source of wealth should explain how the customer accumulated overall wealth over time, not just where one payment came from. The expectation is a coherent narrative supported by documentary proof.

It increases your focus on cross-border payments connected to high-risk jurisdictions, including third-party payments, unusual routing, rapid movement of funds, inconsistent economic purpose, and activity that does not match the customer profile.

No. A filing is driven by suspicion, not by the country label alone. However, blacklist exposure raises risk, so you should ask tougher questions, record the answers, and escalate promptly when the activity does not make sense. Further, if it involves cross-border transfer of funds, then you should submit HRC/HRCA as applicable.

In DIFC, firms regulated by DFSA should reflect blacklist exposure in their country risk assessment, client risk rating, EDD triggers, approvals, and monitoring. The key is consistency and evidence of judgement.

In ADGM, firms regulated by FSRA should keep FATF lists up to date, screen for exposure, apply proportionate enhanced measures, and keep an audit-ready decision trail.

For VARA-supervised firms, blacklist exposure may appear through customer geography, beneficial ownership, fiat rails, or transaction counterparties. It should affect the client risk rating, EDD depth, and ongoing monitoring intensity.

Maintain an audit-ready change log showing when you checked FATF updates, what changed, which systems and policies were updated, who approved it, and how staff guidance was refreshed.

Yes. It should be a formal input into geographic risk scoring and should influence onboarding steps, approval thresholds, and monitoring intensity.

Firms either overreact with blanket decisions and weak documentation, or underreact by treating the exposure as a “tick box”. Regulators typically focus on whether you applied a consistent risk-based approach, asked the right questions, and kept clear records of your decision.

Insights & Success Stories

Related Industry Trends & Real Results

VARA Licensing Requirements in Dubai

VARA Licensing Requirements in Dubai

Learn everything about VARA regulations in the UAE, including licensing, compliance, rulebooks, and operational frameworks for crypto businesses.
A guide to AML laws for TCSPs in UAE

A Guide to AML Laws for TCSPs in UAE

Learn everything about VARA regulations in the UAE, including licensing, compliance, rulebooks, and operational frameworks for crypto businesses.
VARA Regulations Explained

VARA Regulations Explained: Licensing, Compliance, and Operational Framework in UAE

Learn everything about VARA regulations in the UAE, including licensing, compliance, rulebooks, and operational frameworks for crypto businesses.
A Guide to AML Laws for Real Estate Agents in UAE

A Guide to AML Laws for Real Estate Agents in UAE

The UAE property market operates at international velocity. Residential towers are fully subscribed before foundations are poured.