1. AlgoCandyHome
  2. Newsroom
  3. Industry Insights

CSPs should update their IPPC and AML/CFT workflows in a timely manner

On 19 June 2026, the Financial Action Task Force(FATF)published its latest updates to the High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring, commonly known as the FATF “black list” and “grey list”.

For Corporate Service Providers(CSPs)in Singapore, the FATF black and grey lists are not merely information updates. They are important risk indicators that should be continuously reflected in AML/CFT compliance management. CSPs should promptly update their Internal Policies, Procedures and Controls(IPPC), customer due diligence workflows, customer risk assessment criteria, ongoing monitoring rules, AML screening settings, and internal compliance records based on the latest FATF lists.

During customer acceptance, KYC/CDD, risk assessment, periodic review and ongoing monitoring, if a customer, director, shareholder, authorised representative, beneficial owner or related business arrangement is connected with a FATF high-risk or increased monitoring jurisdiction, the CSP should reassess the customer’s risk level and apply appropriate due diligence measures based on a risk-based approach.

FATF Black and Grey Lists Update — June 2026

Key Updates in This FATF Release

According to the FATF June 2026 update, there are currently 3 jurisdictions on the FATF black list and 22 jurisdictions on the FATF grey list.

The key changes in this update include:

  1. New jurisdictions added to the grey list
    • Bosnia and Herzegovina
    • Iraq
  2. Jurisdictions no longer subject to increased monitoring
    • Algeria
    • Namibia
  3. Jurisdictions that have substantially completed their action plans and are pending on-site assessment

FATF stated that Bulgaria, Côte d’Ivoire, Democratic Republic of the Congo and Monaco have substantially completed their action plans and require on-site assessments to confirm whether the AML/CFT reforms have been implemented and are being sustained.

This means that CSPs should not only update the newly added and removed jurisdictions, but also pay attention to changes in jurisdiction status and their impact on customer risk assessment.

FATF Black List: High-Risk Jurisdictions subject to a Call for Action

The FATF black list identifies jurisdictions with serious strategic deficiencies in their AML/CFT/CPF regimes. For these jurisdictions, FATF calls on members and other jurisdictions to apply enhanced due diligence. In the most serious cases, FATF calls for countermeasures to protect the international financial system from money laundering, terrorist financing and proliferation financing risks.

As of 19 June 2026, the FATF black list includes:

  • Democratic People’s Republic of Korea(DPRK)
  • Iran
  • Myanmar

FATF continues to call for countermeasures against DPRK and Iran. For Myanmar, FATF calls for enhanced due diligence measures proportionate to the risks, but does not call for countermeasures.

For CSPs, if a customer or related party is connected with any of the above jurisdictions, special attention should be given to whether enhanced customer due diligence, senior management approval, strengthened ongoing monitoring, or refusal to establish or continue the business relationship may be required.

FATF Grey List: Jurisdictions under Increased Monitoring

The FATF grey list identifies jurisdictions that are actively working with FATF to address strategic deficiencies in their AML/CFT/CPF regimes within agreed timeframes and are subject to increased monitoring.

As of 19 June 2026, the FATF grey list includes:

  • Angola
  • Bolivia
  • Bosnia and Herzegovina
  • Bulgaria
  • Cameroon
  • Côte d’Ivoire
  • Democratic Republic of the Congo
  • Haiti
  • Iraq
  • Kenya
  • Kuwait
  • Lao People’s Democratic Republic
  • Lebanon
  • Monaco
  • Nepal
  • Papua New Guinea
  • South Sudan
  • Syria
  • Venezuela
  • Vietnam
  • Virgin Islands(UK)
  • Yemen

It is important to note that FATF does not call for enhanced due diligence measures to be applied uniformly to jurisdictions under increased monitoring. Businesses and regulated entities should take the FATF information into account in their risk analysis and assess the risks based on the customer’s background, business nature, source of funds, transaction structure and other relevant risk factors.

Therefore, the grey list should not be simply treated as a “prohibited jurisdictions list”. Instead, it should be used as an important risk indicator in customer risk assessment and ongoing monitoring.

How CSPs Should Update Their IPPC and Workflows

Following this FATF update, CSPs are advised to review and update the following areas.

1. Update the High-Risk Jurisdiction Criteria in the IPPC

CSPs should incorporate the latest FATF black and grey lists into their IPPC and clearly define how different jurisdictions should be handled. For example:

  • Black-listed jurisdictions should trigger high-risk identification;
  • Jurisdictions subject to countermeasures should be subject to stricter handling requirements;
  • Grey-listed jurisdictions should be treated as one risk factor, rather than an automatic basis for rejecting a customer;
  • Where a customer structure, source of funds or business arrangement involves multiple high-risk factors, the customer’s risk rating should be reviewed and may need to be elevated.

2. Update the Customer Risk Assessment Form

The customer risk assessment form should be updated in line with the latest FATF lists, so that CSPs can identify whether customers, directors, shareholders, beneficial owners, authorised representatives or related business relationships involve FATF black-listed or grey-listed jurisdictions.

The risk assessment should consider at least the following questions:

  • Is the customer’s place of incorporation or main place of business connected with a FATF black-listed or grey-listed jurisdiction?
  • Are any directors, shareholders, beneficial owners or authorised representatives from relevant jurisdictions?
  • Are the customer’s business activities, source of funds, counterparties or main markets connected with relevant jurisdictions?
  • Is enhanced due diligence or higher-level approval required?
  • Is strengthened ongoing monitoring or a shorter periodic review cycle required?

3. Update Customer Due Diligence and Ongoing Monitoring Workflows

For customers connected with FATF high-risk jurisdictions, CSPs should apply appropriate measures according to the level of risk, such as:

  • Collecting additional information on the customer’s business background, source of funds and source of wealth;
  • Conducting deeper reviews of complex ownership structures or cross-border arrangements;
  • Applying stricter identification and verification procedures for beneficial owners and controllers;
  • Keeping records of risk assessment decisions and approvals;
  • Monitoring sanctions, PEP, adverse media and other risk changes on an ongoing basis;
  • Setting shorter periodic review cycles for high-risk customers.

4. Update AML Screening Lists and System Settings

If a CSP uses an AML screening tool, it should ensure that the country and jurisdiction risk lists, screening rules and risk tags have been updated according to the latest FATF June 2026 release.

For CSPs using manual spreadsheets or internal checklists, outdated lists should also be replaced promptly. Update records should be retained, including the update date, source of update, person responsible and internal confirmation process.

5. Keep Compliance Update Records

During regulatory inspections, CSPs may need to demonstrate not only that they were aware of FATF list updates, but also that the updates were implemented in internal workflows and customer risk management.

CSPs are advised to retain the following records:

  • FATF list update date;
  • IPPC or workflow update records;
  • Risk assessment form or system rule update records;
  • Review records for existing customers connected with newly added jurisdictions;
  • Further risk assessment and handling records where relevant customers are identified;
  • Internal training or notification records.

How AlgoCandy Helps CSPs Respond to List Updates

AlgoCandy provides a one-stop AML/CFT compliance management platform for CSPs, covering customer acceptance, KYC/CDD, AML screening, customer risk assessment, ongoing monitoring and compliance report retention.

With AlgoCandy, CSPs can more efficiently:

  • Identify whether customers and related parties are connected with high-risk jurisdictions;
  • Incorporate FATF black and grey list factors into customer risk assessment;
  • Record, approve and monitor high-risk customers;
  • Maintain complete CDD, screening, risk assessment and audit trail records;
  • Reduce the risk of omissions caused by manual list maintenance and workflow updates.

The FATF black and grey lists will continue to change. For CSPs, timely updates to IPPC, internal workflows and customer risk assessment criteria are an important part of fulfilling AML/CFT compliance obligations.

AlgoCandy will continue to monitor updates from FATF, ACRA and other relevant AML/CFT authorities, helping CSPs complete customer due diligence, risk identification and compliance record-keeping more efficiently.

Source: FATF, High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring, 19 June 2026.

Previous:

Read more

Whatsapp Let’s Talk
SHARE
TOP
🎯 AML/CDD Compliance Training · Free Online Session  ➡️ Register Now
🎁 Enjoy 50% off the basic software fee. ➡️ Book a Demo Now