FATF June 2026 Grey List: Iraq, Bosnia & KYC EDD
FATF added Iraq and Bosnia-Herzegovina to its June 2026 grey list. Here is what compliance teams must update in their KYC programs and EDD workflows.

The Financial Action Task Force held its June 2026 plenary in Paris from June 17 to 19. When the outcomes were published on June 19, the headline was direct: Iraq and Bosnia-Herzegovina have been added to the FATF grey list. Algeria and Namibia have been removed. The total count of jurisdictions under increased monitoring now stands at 22.
For most compliance teams, a grey list update reads as regulatory housekeeping. It should not. Two large, strategically positioned jurisdictions joined the list in the same cycle. The incoming UK FATF Presidency launched with fraud as its headline priority. And a public consultation on payment transparency — with direct implications for how cross-border transactions are screened — opened the same week.
This is a compliance update worth acting on before the summer ends.
What the FATF Grey List Actually Means
The FATF grey list — formally, "Jurisdictions Under Increased Monitoring" — does not carry legal sanctions. It is not a block list and it does not prohibit business. It identifies countries that have committed to addressing identified deficiencies in their anti-money laundering, counter-terrorist financing, and counter-proliferation frameworks.
The practical effect is that regulated firms must factor grey-listed jurisdictions into their country risk assessments and, where the risk assessment supports it, apply enhanced due diligence or enhanced ongoing monitoring to relevant customers and transactions.
This is a critical distinction. Enhanced due diligence is not automatic on grey-listing. The grey list is an input to a risk-based assessment, not a tripwire. Blanket de-risking — refusing to transact with any customer connected to a grey-listed country, without a documented rationale — is itself a compliance failure. Regulators, particularly under AMLA's evolving framework, have been explicit about this.
What compliance teams must do is update their frameworks:
- Country risk scoring models
- Enterprise-wide risk assessments (EWRA)
- Customer due diligence and EDD triggers
- Transaction monitoring geographic risk parameters
- Ongoing monitoring review schedules for existing customers with exposure
AMLA's guidelines on ongoing monitoring establish that jurisdictional risk changes must flow through to customer-level risk posture reviews — not as a one-time event, but as part of a continuous monitoring cycle. A grey list change is precisely the kind of trigger those guidelines anticipate.
Iraq: Why This Addition Is Significant
Iraq is among the largest jurisdictions added to the FATF grey list in recent years, with a population of approximately 48 million and a regional economic footprint driven by oil exports, remittances, and an expanding formal banking sector.
FATF's decision reflects identified strategic deficiencies across several risk areas. Financial institutions with exposure to Iraqi customers, correspondent banking relationships with Iraqi banks, or transaction flows through Gulf financial centers that channel Iraqi business should treat this addition as material.
| Sector | Key Risk Driver |
|---|---|
| Oil and gas payments | Structured through correspondent chains; beneficiary tracing is non-trivial |
| Remittances | High-volume informal channels; hawala networks retain documented relevance |
| Real estate | Offshore holding structures are common; beneficial ownership verification is complex |
| Virtual assets | Growing crypto adoption; EU Travel Rule controls apply to all Iraq-linked transfers |
For crypto-asset service providers, this addition intersects directly with Travel Rule obligations. The MiCA Travel Rule framework requires verified originator and beneficiary data on every transfer regardless of amount. A grey-listed jurisdiction elevates customer risk at the account level, which must feed through to transaction-level screening thresholds — not be treated as a separate compliance event.
Bosnia-Herzegovina: The European Complexity
Bosnia-Herzegovina presents a different risk profile. It is a candidate country for EU accession and has deep economic integration with the EU — two factors that make its grey-listing both politically sensitive and operationally complex for European financial institutions.
The deficiencies identified by FATF relate to weaknesses in the country's AML/CFT institutional framework, not documented high volumes of criminal proceeds. But the listing requires action from regulated firms with exposure to the region, particularly in:
- Trade finance flows through the Western Balkans
- Real estate transactions involving Bosnian beneficial owners
- Correspondent banking relationships with Bosnian financial institutions
- Investment structures connected to EU-Bosnia economic corridors
EU-regulated firms face a layered compliance consideration. AMLA's risk factor guidelines — part of the 23 Level 2/3 measures package due by July 10, 2026 — specifically address geographic risk factors and require that country risk assessments be updated when the risk landscape changes. Bosnia-Herzegovina's grey-listing is exactly such a change.
Algeria and Namibia: What Removal Means for KYC Programs
The removal of Algeria and Namibia from the grey list is the other side of the same compliance event. Both countries completed successful on-site visits demonstrating meaningful progress against their action plans. For firms that applied elevated measures to these jurisdictions in direct response to grey-list status, the removal triggers a review process.
The correct process is not simply to de-escalate automatically:
- Document the removal and update the country risk model
- Review individual customers where EDD was applied specifically because of grey-list status
- Determine whether elevated measures remain justified based on other risk factors
- Update the EWRA and relevant risk appetite statements
- Record every step for audit purposes
Removing a jurisdiction from elevated monitoring without documented individual customer review is as problematic as failing to apply EDD in the first place. Risk-based compliance requires documented reasoning in both directions.
The New UK FATF Presidency: What It Signals for KYC
The June 2026 plenary was the final one under Mexico's Presidency. The UK's Giles Thomson takes over from July 1, 2026, with a two-year mandate running to June 2028. The UK Presidency's declared priorities carry direct implications for regulated firms.
Fraud, including scam compounds
Fraud is the lead priority. The UK Presidency will focus on strengthening the international response to financial crime linked to scam compounds — large-scale organized operations combining social engineering, synthetic identity, and laundering through informal channels. For KYC programs, this signals increased regulatory scrutiny of onboarding controls that detect fraud-linked financial flows.
The connection between synthetic identity fraud and money laundering has been growing. Synthetic identity fraud already costs $3.1 billion annually in the US alone, and it now sits at the center of FATF's incoming agenda. Compliance programs that treat identity verification as a one-time onboarding check — rather than a continuous risk function — are increasingly out of alignment with where the regulatory standard is heading.
Strengthening the risk-based approach
The risk-based approach is FATF's foundational principle and also the one most unevenly implemented. The UK Presidency's focus here signals continued pushback against two failure modes: over-compliance (blanket de-risking without documented assessment) and under-compliance (nominal risk frameworks not calibrated to actual customer behavior).
Information sharing and public-private partnerships
Deeper intelligence-sharing between financial institutions and law enforcement is a stated priority. This increases the value of structured, continuously maintained KYC data. Firms with well-organized, current identity records will be better positioned to respond as sharing obligations expand.
The Recommendation 16 Payment Transparency Consultation
The plenary approved a public consultation on updated guidance for FATF Recommendation 16 — the wire transfer and payment transparency standard. The consultation opened the week of June 22, 2026.
Recommendation 16 requires that identification information travel with wire transfers and electronic payments. The updated guidance addresses modern payment infrastructure, with fraud as the primary concern.
For compliance teams, this is an early signal of where payment transparency rules are heading:
- Correspondent banking: more detailed beneficiary verification requirements are likely
- Crypto Travel Rule: alignment pressure between the FATF standard and jurisdictions maintaining minimum thresholds
- Instant payment systems: assessment of whether existing controls apply adequately to fast-payment rails
The direction is clear: more verified identity data traveling with payments, not less. Firms that treat identity verification as a periodic exercise rather than an infrastructure layer will face increasing difficulty meeting these evolving standards.
Joinble's AI Agents are built for this architecture — maintaining verified, structured identity records that are always current and ready to accompany transactions. As the Recommendation 16 guidance evolves, the gap between firms with continuous identity infrastructure and those running periodic review cycles will widen further.
The Practical Compliance Checklist
Within two weeks:
- Update country risk scoring for Iraq and Bosnia-Herzegovina
- Document Algeria and Namibia removal in the EWRA
- Flag existing customer portfolios with exposure to all four jurisdictions for review
Within 30 days:
- Complete customer-level risk reassessments for high-exposure relationships
- Update transaction monitoring geographic risk parameters
- Brief relationship managers on grey list changes and their risk implications
Within 90 days:
- Incorporate UK Presidency fraud priorities into the annual AML policy review
- Register for the Recommendation 16 consultation if relevant to your operations
- Update EDD procedures documentation to reflect the current 22-jurisdiction grey list
For firms already running continuous monitoring, a grey list change feeds automatically into risk scoring recalculations and review workflows. For firms still running periodic review cycles, each grey list update is another case for moving to infrastructure that propagates jurisdictional changes to individual customer risk profiles in real time.
FAQ
Does FATF grey-listing require automatic enhanced due diligence? No. Grey-listing is an input to a risk-based assessment, not an automatic EDD trigger. Firms must update their country risk models and apply enhanced measures only where their documented assessment supports it. Blanket EDD or de-risking solely based on grey-list status, without individual assessment, is itself a compliance problem.
Which sectors are most affected by Iraq's grey-listing? The highest-risk areas are correspondent banking with Iraqi banks, remittance flows, real estate with Iraqi beneficial owners, and virtual asset transfers linked to Iraq. Complex oil and gas payment chains with Gulf correspondent intermediaries also warrant heightened review.
What should firms do about existing customers from Algeria and Namibia? Document the removal, then review individual customer risk profiles. EDD applied specifically because of grey-list status should be formally reassessed. If other risk factors justify continued elevated measures, keep them in place and document the rationale. The process works in both directions.
How does the grey list affect crypto-asset service providers specifically? For CASPs subject to the Travel Rule, grey-listed jurisdictions raise customer risk scores, which should flow through to transaction monitoring thresholds. Under MiCA's TFR, transfers linked to higher-risk counterparties may require additional verification steps beyond standard Travel Rule data transmission.
What is the significance of the UK FATF Presidency's fraud focus? The UK's two-year presidency directs FATF's research, mutual evaluation, and guidance programs. A fraud-first agenda means upcoming typologies reports, mutual evaluations, and guidance documents will increasingly address the intersection of fraud, money laundering, and identity-based financial crime — directly shaping how regulators interpret adequate KYC controls.
What does the Recommendation 16 consultation mean for payment compliance? It signals that FATF intends to update its wire transfer standard to address modern payment systems, with fraud as a primary concern. Compliance teams should monitor outcomes and assess whether current payment identification controls will meet updated expectations once final guidance is published.
Related Articles

Perpetual KYC: One-Time Verification Is Dead
Perpetual KYC replaces annual reviews with continuous monitoring. AMLA's July 2026 guidelines make it a compliance imperative — here's the operational case.

Ikano Bank's AML Fine: The EDD Failures KYC Teams Must Fix
Sweden's Finansinspektionen fined Ikano Bank SEK 140M in June 2026. These three EDD failures are what regulators are now targeting across the EU.

GENIUS Act KYC: What Stablecoin Issuers Must Do Now
FinCEN's June 2026 proposed rule forces stablecoin issuers to build bank-grade KYC programs. Here's what the GENIUS Act means for your compliance stack.