High-risk third countries: Navigating the FATF lists in the 2025 LSAG update

What are the FATF lists?

The FATF identifies jurisdictions with weak measures to combat money laundering and terrorist financing (AML/CFT) in two FATF public documents that are issued three times a year. The FATF’s process to publicly list countries with weak AML/CFT regimes has proved effective.

The two lists that UK law firms now need to follow are commonly known as the "black list" and "grey list".

It’s important to understand the difference between them:

• The 'Black List' (High-Risk Jurisdictions subject to a call for action)

  This is the most serious list. It identifies countries with major weaknesses in their systems to fight money laundering and terrorism funding. For these high-risk countries, the FATF asks all member countries to perform extra checks when doing business with them. In the worst cases, countries are urged to take protective measures to shield the international financial system from money laundering and terrorism financing risks coming from these countries.

• The 'Grey List' (Jurisdictions under increased monitoring)

  This list is much longer and identifies countries that are actively working with the FATF to address strategic deficiencies. Being on this list means a country has committed to resolving identified issues within an agreed timeframe but is not yet compliant.

Your new routine: Checking the lists

The guidance is clear: your firm must stay informed of the FATF's updates.

These updates are published on a reliable schedule: every February, June, and October. The best way to manage this is to create a recurring calendar reminder for your team for these months.

You can find the most up-to-date lists on the FATF website:

• The Black List (High-risk jurisdictions)

• The Grey List (Jurisdictions under increased monitoring)

A client is on the list. What now?

When a transaction involves a client from a country on either the black or grey list, you are required to apply stringent enhanced due diligence (EDD) measures, as outlined in Regulation 33 of the Money Laundering Regulations.

In practice, this must include in line with R33(3A):

(a) obtaining additional information on the customer and on the customer’s beneficial owner;

(b) obtaining additional information on the intended nature of the business relationship;

(c) obtaining information on the source of funds and source of wealth of the customer and of the customer’s beneficial owner;

(d) obtaining information on the reasons for the transactions;

(e) obtaining the approval of senior management for establishing or continuing the business relationship;

(f) conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

This isn't a theoretical risk. As noted in the webinar, the recent addition of the British Virgin Islands (BVI) to the grey list is a significant development that will impact many UK law firms and their clients.

Integrating a regular check of the FATF lists into your client inception and review process is now a fundamental part of UK compliance. By building a simple, repeatable process, you can ensure your firm stays on the right side of the regulations and confidently manages high-risk clients.