What is FATF Grey List? Updated Countries List February 2026

If you operate in the UAE, even as a purely local business, you are rarely “local” in risk terms. Payments, investors, suppliers, beneficial owners, and clients often span multiple jurisdictions. That is exactly why people keep searching for what the FATF Grey List is and why it matters so much in the UAE context.

The FATF Grey List is another name for the FATF list of jurisdictions under increased monitoring.

These are jurisdictions with strategic deficiencies in their systems to counter money laundering, terrorist financing, and proliferation financing. They have committed at a high political level to fix the issues within agreed timeframes, and they remain subject to increased monitoring while progress is assessed.

For regulated firms in the United Arab Emirates, Grey List exposure is a key input into country risk assessment, customer risk assessment, and AML risk decisions on cross-border payments.

What Is FATF Grey List?

So, what is the FATF Grey List in simple terms? It means the country’s controls to prevent and detect money laundering, terrorist financing, and proliferation financing are considered materially weak in certain areas, but the country is actively working on an action plan with FATF monitoring.

For your business, this usually translates into:

  • More scrutiny on customers, counterparties and payments connected to those jurisdictions

  • Higher expectations for risk-based AML compliance decisions

  • Stronger evidence standards for enhanced due diligence in high-risk country cases

  • Tighter monitoring of transaction patterns, especially international flows

This is not about panic. It is about applying consistent judgment and showing your workings.

Updated FATF Grey List countries 2026 (FATF grey list update February 2026)

As of 13 February 2026, the FATF lists the following jurisdictions under increased monitoring, commonly referred to as the FATF grey list countries 2026.

Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), Yemen.

Recent Grey List changes you should reflect in your controls

The FATF grey list update in February 2026 newly identifies Kuwait and Papua New Guinea under increased monitoring.

That one change alone can affect payment friction, onboarding time, and the level of due diligence expected by banks and regulators, particularly for trade, remittances, and virtual asset activity.

Grey List changes and their impact on regulated entities in the UAE

The UAE is a high-volume international business hub. Grey List exposure commonly appears through:

  • Customer residency or nationality, where relevant to risk

  • Source of funds and source of wealth tied to a Grey Listed country

  • Beneficial owners or controllers located in, or connected to, Grey Listed jurisdictions

  • Third-party payments from unrelated parties in Grey Listed jurisdictions

  • Multi-jurisdiction corporate structures and layered ownership

  • Cross-border payments routed through counterparties in Grey Listed jurisdictions

For a compliance team, the key is not to treat Grey Listing as a label. Treat it as a structured input into your customer risk assessment and your AML country risk assessment methodology.

DIFC perspective on FATF Grey List: DFSA expectations and the risk-based approach

In the Dubai International Financial Centre (DIFC), firms regulated by the Dubai Financial Services Authority (DFSA) are expected to apply a clear risk-based approach to AML compliance and reflect high-risk country developments in governance and controls.

Two practical points matter for DIFC firms:

  1. Country and jurisdiction risk is not optional. Your framework should explicitly consider country risk and apply proportionate measures, including where a jurisdiction is on FATF public statements.

  2. Recent DFSA updates are directly linked to the UAE’s new federal AML legislation. The DFSA announced that its updated AML and Glossary Modules came into force on 2 March 2026, following the new UAE federal AML legislation introduced in late 2025.

What this means for your DIFC programme is straightforward. If your policy, screening logic, CRA model, or transaction monitoring scenarios have not been refreshed to reflect current FATF monitoring statements and the updated UAE legal framework, you create unnecessary inspection risk.

ADGM Perspective on FATF Grey List: Keeping FATF monitoring lists current in CDD

In the Abu Dhabi Global Market (ADGM), regulated firms under the Financial Services Regulatory Authority (FSRA) are expected to consider exposure to FATF-monitored jurisdictions as part of risk-based CDD and to keep the relevant lists current.

ADGM guidance summarises the expectation in practical terms: maintain up-to-date lists of jurisdictions under increased monitoring and jurisdictions subject to a call for action, screen for exposure as part of CDD, and reflect that exposure when developing and applying risk-based measures.

That is a very clear operational message for ADGM firms: list updates should flow into onboarding and review processes, not sit as a passive compliance reference.

VARA perspective on FATF Grey List: Risk-based CDD and high-risk jurisdictions

For virtual asset firms regulated by the Virtual Assets Regulatory Authority (VARA), risk-based CDD is a core expectation.

VARA’s rulebook requires VASPs to adopt a risk-based application of CDD measures in line with UAE federal AML/CFT laws, to conduct a risk-based assessment of every client, and to assign a risk rating proportionate to the AML/CFT risks associated with that client.

VARA also states it regulates virtual assets across Dubai’s free zones and mainland, except DIFC.

In a VARA context, Grey List exposure often surfaces through:

  • Client location and beneficial ownership complexity

  • Source of funds from higher-risk geographies

  • Counterparties and wallet activity linked to higher-risk jurisdictions

  • Cross-border fiat rails connected to monitored jurisdictions

So for VASPs, FATF Grey List exposure materially affects client risk rating, ongoing monitoring intensity, and the evidence you need for source of funds and source of wealth.

Mainland and other commercial free zones: The federal baseline still governs

Across UAE mainland and most commercial free zones, your baseline obligations flow from federal AML legislation and competent authority expectations. The UAE issued a new federal AML law in late 2025, published as Federal Decree Law No. 10 of 2025.

You do not need to overcomplicate this for implementation. The simple governance principle is:

When FATF issues an updated Grey List, you must show how your programme ingests that change and converts it into risk-based controls.

That is the heart of a risk-based approach to AML compliance.

FATF Grey List Changes: a practical five-step approach for AML compliance in the UAE

These steps work across DIFC, ADGM, VARA, mainland and other free zones.

1. Make Grey List status a defined input into your AML country risk assessment

Document how FATF jurisdictions under increased monitoring influence your geographic risk scoring. This is the cleanest way to keep decision making consistent.

2. Apply enhanced due diligence controls for high-risk countries only when the overall risk warrants it

Grey List exposure is a risk indicator. Your decision should still consider product risk, delivery channel risk, ownership complexity, transaction behaviour, and adverse information where relevant. This is the essence of a defensible risk-based approach to AML compliance.

3. Strengthen evidence standards for source of funds and source of wealth

For higher-risk cases involving Grey List exposure, require evidence that is both credible and explainable. Many firms collect documents but fail to connect them to a coherent narrative.

4. Upgrade monitoring scenarios for cross-border payment AML risk

FATF Grey List exposure frequently shows up in payment flows. Strengthen triggers around third-party payments, unexpected international transfers, rapid movement of funds, and inconsistent economic purpose.

5. Maintain an audit-ready change log

You should maintain an audit-ready change log evidencing that FATF Grey List changes are duly incorporated into your AML/CFT Programme:

  • Grey List change date

  • Date systems were updated with the revised Grey List

  • Policies and procedures impacted, such as screening, CRA, onboarding checklists, and monitoring scenarios

  • Senior management approval

  • What changed and why

This single control reduces inspection pain dramatically.

Common misconceptions concerning the FATF Grey List

Misconception 1: FATF Grey List equals sanctions

It does not. Sanctions regimes are separate. FATF Grey List status is about AML, CFT and CPF weaknesses and increased monitoring.

Misconception 2: FATF Grey List requires automatic rejection

Blanket decisions often create discrimination and de-risking issues. The right approach is risk-based, proportionate, and documented.

Misconception 3: FATF delisting means no risk

Delisting is a positive signal, but customer and transaction risks can remain. Your CRA and monitoring should still respond to facts, not labels.

How GRC Advisors Can Help You Navigate the FATF Grey List Changes

When FATF updates the grey list, the impact is rarely theoretical. It changes how banks and counterparties view risk, how quickly onboarding is approved, and how closely transactions are questioned.

GRC Advisors helps you stay ahead of those shifts by linking your response across the full AML control chain.

Our AML/CFT compliance services help you interpret what the latest increased monitoring developments mean for your business model and regulatory perimeter in the UAE, including DIFC, ADGM, VARA, mainland and the major free zones.

We then update your ML, TF and PF Risk Assessment to refresh your inherent risk and then align it with your Customer Risk Assessment.

We also redraft your AML Policies and Procedures to demonstrate that your documentation translates FATF Grey List changes into practical operating discipline.

Frequently Asked Questions on FATF Grey List Changes

What is FATF Grey List?

The FATF Grey List is the list of jurisdictions under increased monitoring with strategic AML, CFT and CPF deficiencies that have committed to reforms and are monitored for progress.

As of 13 February 2026, the FATF statement lists 22 jurisdictions under increased monitoring, including Kuwait and Papua New Guinea newly identified in that update.

DIFC firms should embed Grey List exposure into their AML country risk assessment and apply a risk-based approach to AML compliance through proportionate CDD and monitoring, aligned to DFSA expectations and recent Rulebook updates.

ADGM guidance expects regulated firms to keep FATF monitoring lists up to date, screen for exposure as part of CDD, and use that exposure when applying risk-based measures.

VARA requires a risk-based application of CDD measures aligned to federal AML/CFT laws, with a risk rating assigned to each client based on assessed AML/CFT risk.
