The Financial Action Task Force (FATF) Plenary held in Paris between 17 and 19 June 2026 marked the final meeting under the Mexican Presidency. The outcomes reinforce a consistent global message: financial crime risks are increasing in complexity, and compliance frameworks must adapt faster to remain effective.
For compliance leaders, AML analysts and risk officers, FATF updates are not theoretical policy signals. They directly influence how regulators interpret risk, how supervisors assess programmes and how financial institutions and designated non-financial businesses should structure controls.
This Plenary included meaningful changes to the FATF grey list, updates to high-risk jurisdictions and continued focus on emerging threats such as cyber-enabled fraud and payment transparency.
One of the most important outcomes from the June 2026 Plenary was the updated list of jurisdictions under increased monitoring.
FATF added the following countries to the grey list:
These jurisdictions are now subject to increased monitoring due to strategic deficiencies in their Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) frameworks. Countries on the grey list are actively working with FATF to address identified gaps through agreed action plans. For compliance teams, this means exposure to these jurisdictions now requires reassessment under risk-based frameworks.
FATF removed the following countries from the grey list:
Both jurisdictions completed their action plans and successfully passed on-site assessments, demonstrating improved compliance with international AML and CTF standards. Many organisations still maintain enhanced monitoring during transition periods to ensure risk stabilisation.
The FATF Plenary also noted that Bulgaria has substantially completed its action plan. An on-site assessment will be conducted before a final decision is made regarding its potential removal from the grey list. This stage is critical because it signals that FATF considers Bulgaria to have addressed most of its strategic deficiencies. However, removal is not automatic and depends on the outcome of the on-site evaluation. Compliance teams should continue to monitor developments closely rather than assume immediate reclassification.
The FATF high-risk jurisdictions list, commonly referred to as the black list, remains unchanged following the June 2026 Plenary.
The following countries continue to be subject to a call for action:
These jurisdictions present significant and persistent strategic deficiencies in their AML and CTF regimes. For regulated entities, this status requires the application of the strongest available risk controls, including enhanced due diligence, transaction restrictions and, in some cases, complete prohibition of business relationships depending on jurisdictional regulations.
Beyond jurisdictional changes, FATF also published updates on several thematic risk areas that continue to shape global compliance expectations.
FATF reaffirmed its support for financial inclusion, emphasising that AML controls should not unnecessarily exclude individuals or businesses from accessing financial services. The key message remains consistent: risk-based approaches should ensure that controls are proportionate to the level of risk, not applied as a blanket barrier.
FATF continued to prioritise improvements in payment transparency across domestic and cross-border transactions.
This includes stronger expectations around:
For compliance teams, this reinforces the importance of accurate customer data and robust screening processes.
Cyber-enabled fraud remains one of the fastest-growing drivers of financial crime globally.
FATF highlighted the increasing convergence between:
This aligns directly with growing regulatory expectations that fraud risk must be treated as part of the broader AML framework, not as a separate control silo.
The Plenary also reinforced ongoing concerns around terrorist financing, particularly the use of:
These risks continue to require strong monitoring systems capable of identifying unusual behavioural patterns rather than relying solely on static thresholds.
FATF reiterated the importance of risk-based supervision across jurisdictions.
Supervisors are expected to focus their attention on:
This reinforces the need for organisations to demonstrate not only compliance documentation but real operational effectiveness.
The June 2026 FATF Plenary creates several immediate review priorities for regulated entities.
Changes to the grey list mean organisations should reassess:
Country risk models should reflect the latest FATF designations without delay.
Organisations should confirm whether:
This is particularly important where automated systems rely on jurisdictional logic.
Firms should review whether they have exposure to:
This applies across onboarding, ongoing monitoring and enhanced due diligence frameworks.
Where exposure exists, organisations should assess whether:
EDD should be dynamic, not static. FATF updates provide a trigger for reassessment.
The June 2026 FATF Plenary highlights both continuity and change in the global AML landscape. While some jurisdictions have progressed and others have been added to increased monitoring, the broader message is consistent: financial crime risk is evolving, and compliance frameworks must evolve with it.
For compliance teams, the priority is clear. Review exposure, update risk assessments, validate screening systems and ensure that enhanced due diligence measures reflect the latest FATF guidance. Organisations must understand their risk exposure in real time and respond proportionately. Static compliance frameworks are no longer sufficient.
The addition of Iraq and Bosnia and Herzegovina to the grey list requires immediate reassessment of country risk ratings and exposure mapping. Compliance teams should identify customers, beneficial owners, counterparties and transaction flows linked to these jurisdictions. Screening rules, onboarding thresholds and ongoing monitoring scenarios should be updated without delay to reflect increased monitoring status.
Key controls include customer onboarding rules, jurisdiction-based risk scoring models, sanctions and PEP screening logic, transaction monitoring thresholds and alert calibration. Firms should also review whether automated systems correctly reflect updated FATF designations and whether manual overrides introduce inconsistency in risk treatment.
FATF’s continued emphasis on cyber-enabled fraud requires closer integration between fraud detection and AML monitoring systems. Identity fraud, synthetic identities, account takeover activity and anomalous behavioural patterns should be treated as AML-relevant signals. Organisations should ensure these indicators feed into risk scoring and not remain isolated within fraud teams.
Payment transparency expectations reinforce the need for complete and accurate originator and beneficiary data throughout the payment lifecycle. Compliance teams should assess whether current systems can consistently identify missing or incomplete data, trace cross-border payment flows and reconcile discrepancies across intermediaries and payment rails.
The immediate priority should be recalibration of country risk assessments, followed by validation of screening system updates and review of customers or transactions linked to newly listed jurisdictions. Secondary priorities include reassessment of EDD triggers, testing of monitoring scenarios and confirmation that beneficial ownership data remains current and verifiable across higher-risk relationships.
Effective FATF-aligned programmes require clear governance ownership of risk typologies, escalation pathways for jurisdictional changes and documented decision-making for risk model adjustments. Senior management should be able to evidence oversight of risk appetite changes, particularly when FATF updates materially impact customer or geographic risk exposure.