FATF’s Risk List Grows as Scrutiny Deepens on Financial Crime Hotspots

Key Takeaways
  • British Virgin Islands and Bolivia land on the grey list, flagged as jurisdictions under increased monitoring.
  • Croatia, Mali, and Tanzania are off the list, having shown enough progress to satisfy FATF standards.
  • Iran, North Korea, and Burma stay on the black list, with Iran and DPRK still subject to full countermeasures.
  • FinCEN guidance underscores risk-based diligence, while warning against wholesale de-risking or cutting ties without cause.
  • U.S. institutions must comply with expanded due diligence requirements under Bank Secrecy Act and related rules when dealing with flagged jurisdictions.
Deep Dive

There’s nothing like a fresh list from the Financial Action Task Force (FATF) to remind the world’s financial institutions that risk never sleeps. At its latest plenary meeting this June, the FATF, the global watchdog for anti-money laundering, counter-terrorist financing, and counter-proliferation finance (AML/CFT/CPF), updated its closely watched list of countries with strategic deficiencies in these areas. Two new names made the cut, three were struck off, and the usual suspects remain firmly entrenched in the high-risk zone.

The British Virgin Islands and Bolivia now find themselves on the FATF’s Jurisdictions Under Increased Monitoring list, aka the grey list. It’s not quite financial exile, but it does signal that these jurisdictions have work to do on their AML/CFT/CPF frameworks. The FATF says both are working with it on time-bound plans to address the gaps.

For compliance and risk managers, this means updating your risk radar. Financial institutions are expected to tighten controls and apply enhanced due diligence where needed, especially when dealing with foreign financial institutions or correspondent banking relationships linked to these jurisdictions.

But while two names enter the grey list, three exit stage left. Croatia, Mali, and Tanzania have been delisted, an encouraging sign that FATF’s stick-and-carrot approach can produce results. Still, FinCEN reminds institutions to take these changes into account when evaluating overall risk, not just flip a switch.

The High-Risk Club Holds Steady

There’s been no reprieve for the worst offenders. Iran, North Korea (DPRK), and Burma remain firmly on the FATF’s Call for Action list. The stakes are highest for Iran and DPRK, which are still subject to full countermeasures.

If you're a U.S. financial institution, opening or maintaining a correspondent account for Iranian or North Korean banks is not just risky, it’s prohibited. Existing sanctions laws already make that point crystal clear, and FATF’s continued designation reinforces the geopolitical isolation of both regimes.

Burma, while spared countermeasures, still raises red flags. Enhanced due diligence is strongly advised. But FATF has also emphasized a humanitarian carve-out, warning that overly aggressive scrutiny could disrupt legitimate aid and nonprofit flows, a line risk teams must now walk carefully.

FinCEN’s advisory isn’t just about naming and shaming; it’s a call to think critically. Financial institutions are reminded of their obligations under the Bank Secrecy Act, including requirements tied to foreign correspondent relationships and broader risk-based programs.

But one message is just as important: don’t overreact. FinCEN has consistently warned against wholesale de-risking, that is, cutting off entire categories of customers or countries. Risk management doesn’t mean retreat. It means understanding the nuance, assessing exposure, and applying controls that are strong enough to satisfy regulators, but smart enough to keep financial channels open for legitimate activity.

That includes following interpretive guidance for money services businesses (MSBs), being aware of obligations around foreign embassies and missions, and knowing where U.S. law and FATF guidance diverge. For example, U.S. restrictions on Iran go far beyond what FATF recommends, thanks to an array of presidential memoranda, OFAC sanctions, and FinCEN’s own Section 311 designation labeling Iran as a primary money laundering concern.

If your job involves risk assessments, transaction monitoring, or due diligence, now’s the time to recalibrate. The list has changed, and with it, so has the shape of your risk landscape.

Don't treat it as a bureaucratic shuffle; it’s a signal. New jurisdictions mean new conversations with internal teams, updated procedures, potential screening adjustments, and fresh reminders to the board and senior leadership that geopolitical risk, financial crime, and compliance are still intimately intertwined.

FinCEN’s advisory isn’t flashy, but it’s one of those quiet warning bells that risk professionals would do well to heed.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
