The FATF Grey List Changed on June 19. Your CDD System Probably Didn't.
The June 2026 FATF Plenary added Iraq and Bosnia and Herzegovina to the grey list. For TCSPs and fund administrators, this is not just a news update. It is a data task that most CDD systems are not equipped to run automatically. This article explains why the gap matters and what adequate ongoing monitoring requires.

On June 19, 2026, FATF published its updated list of jurisdictions under increased monitoring. Iraq and Bosnia and Herzegovina joined. Algeria and Namibia came off. Twenty-two jurisdictions are now on the grey list. For most compliance officers, this landed as a news item. For management companies and TCSPs with clients who have beneficial ownership interests touching these markets, it should have landed as a data task.
Most firms read the grey list update. Fewer have a system that can tell them, on the morning of June 20, which of their clients have a beneficial owner resident in Baghdad or Sarajevo.
What the June Plenary Actually Changed
The FATF Plenary of June 17-19, 2026 added Iraq and Bosnia and Herzegovina to the list of jurisdictions under increased monitoring. Bosnia was added following its MONEYVAL mutual evaluation published in December 2024, which identified strategic deficiencies in its beneficial ownership regime and supervision of designated non-financial businesses and professions. Iraq was added for failures in money laundering investigations, prosecutions, and the use of financial intelligence in a cash-intensive economy. Both countries have made high-level political commitments to action plans.
Algeria and Namibia were removed, having completed their action plans and passed on-site verification visits.
The headline finding is that 22 jurisdictions are now under increased monitoring. The deeper finding is what this change requires of obliged entities, and on what timeline.
The FATF List Is a Risk Variable, Not a Policy Statement
The FATF grey list is not a compliance conclusion. It is a data point. The Anti-Money Laundering Regulation (AMLR) and its predecessor frameworks treat FATF's increased monitoring designations as material inputs to the risk-based approach. Under Article 20 of the AMLR, the European Commission may formally designate third countries with strategic deficiencies as high-risk jurisdictions, which triggers mandatory enhanced due diligence for business relationships involving those countries.
The Commission's designation process takes time. FATF lists. The Commission assesses. The delegated regulation follows. The gap between FATF action and formal EU designation has historically been measured in months.
But the risk-based approach does not wait for the Commission designation. AMLR Article 17 requires obliged entities to apply enhanced scrutiny to business relationships presenting a higher risk of money laundering or terrorist financing. A FATF grey list addition is precisely the kind of development that a robust risk assessment framework is supposed to capture.
A management company that waits for the Commission regulation before reviewing its clients' exposure to Iraqi or Bosnian beneficial ownership interests is not applying a risk-based approach. It is applying a designation-based approach. The supervision examiner knows the difference.
The Beneficial Ownership Data Problem
The jurisdiction flag is only as useful as the data beneath it. For a TCSP or fund administrator, exposure to Iraq is not a client-level concept. It is a beneficial owner-level concept. A fund structure may have a Luxembourg-domiciled holding company whose ultimate beneficial owners are resident in a jurisdiction that has just been grey-listed.
Most CDD systems capture beneficial ownership at the point of onboarding and update it on a periodic review cycle. Some update it when a client triggers a life event: change of control, new transaction, renewal of mandate. Very few have a mechanism that runs a targeted query when an external data point changes. The FATF list is an external data point. When it changes, the system should be able to answer a specific question within a defined timeframe: which of our clients have beneficial owners, controlling persons, or connected parties with addresses, nationalities, or tax residencies in the newly listed jurisdiction?
If the answer to that question requires a manual exercise, the CDD system is not operationally adequate for the AMLR's ongoing monitoring requirements. The AMLA draft guidelines on ongoing monitoring of business relationships, currently under consultation until September 3, 2026, make clear that obliged entities must maintain a systematic capability for detecting changes in client risk profiles. A change in a jurisdiction's FATF status is a systemic change. It does not affect one client. It affects every client with a relevant nexus.
The EDD Execution Gap
Even firms that identify the impacted clients face a second problem. Enhanced due diligence is not just a label change in the client risk rating. It is a documented set of measures applied to the relationship. Under AMLR Article 20(3), EDD measures include obtaining additional information on the client and the beneficial owner, obtaining senior management approval for establishing or continuing the relationship, understanding the source of wealth and funds used in the relationship, and conducting enhanced ongoing monitoring.
The documented execution of these measures is what a supervisor examines. The CSSF and the FSC assess not whether a firm has a high-risk rating on a client file, but whether the file contains evidence that enhanced measures were applied, when they were applied, and what they found. A risk rating update with no supporting documentation of enhanced scrutiny is a finding, not a compliance outcome.
For the TCSP processing the June 19 grey list update, the question is not just which clients are affected. It is: for each affected client, what EDD has been documented, when will the next enhanced review occur, and who approved the decision to continue the relationship?
What This Means for Management Companies and TCSPs
Management companies, TCSPs, and fund administrators in Luxembourg and Mauritius regularly work with capital that is structured through jurisdictions appearing on evolving risk lists. The FATF grey list is one of several dynamic data inputs that should be flowing into ongoing monitoring frameworks alongside sanctions list updates, adverse media signals, PEP status changes, and regulatory enforcement actions.
The AMLA Single Rulebook applies from July 10, 2027. It will not create the requirement to respond to FATF grey list updates. It will codify what the risk-based approach has always required. Firms that have structured their CDD data and ongoing monitoring workflows around static periodic reviews are already operating below the standard that supervisors are applying now.
The compliance team that received the June 19 FATF update and has not yet run a beneficial ownership query against that jurisdiction is not behind schedule. It is operating without a system that makes the query possible in the first place.
The Position
The June FATF update is not exceptional. Every FATF Plenary produces a grey list revision. Countries are added and removed. The list in February was different from the list in June. The list in October will be different again.
A compliance program that treats each revision as a one-off event requiring a manual review exercise to assess client exposure will always be running behind the data. That is a structural problem with the workflow, not with the scale of any given change.
The grey list exists because some jurisdictions have not yet built adequate controls against money laundering. The compliance programs that can respond to its changes automatically, systematically, and with documented evidence are the ones that have built those controls for their own operations.