FinWiki
EN

FATF Grey List / Black List and the AML/CFT Country Evaluation Mechanism

Confidence: Certain Updated 2026-05-26 Review by 2026-08-08 Sources 5 Machine-translated Original (JA)
#fintech#law#regulation#aml#cft#fatf
On this page

Wiki route

This entry sits under fintech index. Read it with Japan financial regulation for adjacent context and Japan stablecoin regulatory landscape for the broader system boundary.

[!info] TL;DR FATF (Financial Action Task Force) evaluates each country’s AML/CFT framework through 40 Recommendations and 11 Immediate Outcomes, and updates the jurisdiction lists 2 times per year: Black list (Call for Action, North Korea / Iran / Myanmar as of 2026-05) and Grey list (Increased Monitoring, 23 countries as of 2026-05). Recommendation 15 (VASP) and Recommendation 16 (Travel Rule, USD/EUR 1,000 threshold) are the 2 core provisions that directly bind the crypto sector.

Key facts

  • FATF was established in 1989 by the G7, is headquartered in Paris, and consists of 41 member jurisdictions plus 9 regional bodies (FSRBs).
  • Its legal status is non-binding, but de facto enforcement is strengthened through IMF / World Bank processes and bilateral sanctions.
  • Evaluation cycle: each jurisdiction receives a Mutual Evaluation Report (MER) roughly every 7-10 years, with interim follow-up reviews.
  • As of 2026-05, the lists were black 3 (DPRK / Iran / Myanmar) and grey 23.
  • Hong Kong 2019 MER: TC 35/40 and Effectiveness 9/11, placing it in the global top tier.
  • Singapore 2016 MER: TC 36/40 and Effectiveness 10/11.
  • USA 2016 MER: TC 31/40 and Effectiveness 7/11 (mid-tier); 2024-25 follow-up completed.

Mechanism / How it works

FATF evaluations use a dual-track structure. Technical Compliance (TC) measures whether the 40 Recommendations have been implemented in law and regulation, while Effectiveness measures real-world outcomes through the 11 Immediate Outcomes. Each jurisdiction completes a Mutual Evaluation Report (MER) approximately every 7-10 years, with follow-up reviews in between.

The two lists have different consequences. Call for Action (Black list) triggers mandatory countermeasures and enhanced due diligence. Increased Monitoring (Grey list) triggers continued monitoring and remediation through an action plan.

There are 2 core crypto-related provisions. R.15 (Virtual Assets, revised 2019-10) requires VASPs such as exchanges, wallet custodians, ICO platforms, and stablecoin issuers to obtain a licence or registration and applies the AML/CFT requirements in R.10-21. R.16 (Travel Rule) requires virtual-asset transfers of USD/EUR 1,000 or more to include originator and beneficiary information, forcing VASP-to-VASP information sharing. See FATF Travel Rule overview for details. For a global comparison, see global VASP regulatory comparison matrix.

Origin & evolution

FATF was established at the 1989 G7 Paris Summit and was initially focused on anti-money laundering. After 2001, it expanded into counter-terrorist financing. In 2012, the prior 40+9 framework was consolidated into the current 40 Recommendations.

At the 2019-10 G20 Osaka summit, the extension to crypto assets was formalized through the revisions to R.15 and R.16, bringing VASPs into the global AML/CFT framework. FATF’s 2025-09 Targeted Update on Virtual Assets noted that 75% of jurisdictions still had not fully implemented R.15 / R.16, highlighted self-hosted wallet and DeFi risks, and promoted RegTech standards for cross-border Travel Rule messaging. For Japan’s VASP timeline, see Japan VASP regulatory timeline.

Sources