Imagine launching a cryptocurrency exchange today. You have the best tech, a slick interface, and users signing up from everywhere. But then, a user from Kenya or Nigeria tries to deposit funds. Your compliance software flashes red. Is this a ban? A warning? Or just extra paperwork? The answer lies in the FATF greylist, officially known as Jurisdictions Under Increased Monitoring by the Financial Action Task Force.
For anyone running or using Virtual Asset Service Providers (VASPs), understanding these lists is no longer optional. It’s the difference between staying open and getting shut down by regulators. As of mid-2026, the landscape has shifted again. New countries joined the greylist, others left, and three nations sit on the dreaded blacklist. This guide breaks down exactly what this means for your crypto operations, your compliance costs, and your ability to move money across borders.
Understanding the FATF Lists: Grey vs. Black
The Financial Action Task Force (FATF) is the global watchdog for anti-money laundering (AML) and counter-terrorist financing (CTF). They don’t just make rules; they enforce them through two distinct lists. Confusing these two is a common mistake that leads to either over-compliance (losing customers unnecessarily) or under-compliance (facing massive fines).
The Blacklist contains jurisdictions with severe strategic deficiencies. These are not just "high risk"; they are effectively cut off from the formal international financial system. As of June 2025, the blacklist includes North Korea, Iran, and Myanmar. If you see a transaction linked to these countries, you block it. Period. Enhanced Due Diligence (EDD) here means total restriction because the risk of sanctions evasion or terrorist funding is too high.
The Greylist, or Jurisdictions Under Increased Monitoring, is different. These countries have identified weaknesses but have committed to fixing them within an agreed timeline. They are working with the FATF. However, until they graduate, they face intense scrutiny. In June 2025, the list expanded to include Bolivia and the British Virgin Islands, while Croatia, Mali, and Tanzania were removed after successfully addressing their issues.
| Feature | Blacklist (High Risk) | Greylist (Increased Monitoring) |
|---|---|---|
| Action Required | Block transactions, terminate relationships | Enhanced Due Diligence (EDD), increased monitoring |
| Countries (2025/2026) | North Korea, Iran, Myanmar | Bolivia, BVI, Kenya, Nigeria, South Africa, etc. |
| Customer Onboarding | Prohibited | Allowed with stricter KYC/KYB checks |
| Banking Relationship Risk | Immediate termination likely | Higher fees, slower processing, potential de-risking |
Current Greylist Status: Who Is on the List?
Knowing which countries are on the greylist is critical for geofencing and risk scoring. The list changes twice a year, so static databases become liabilities quickly. As of the latest update, the greylist includes 24-25 jurisdictions. Key economies like South Africa, Nigeria, and Lebanon remain under monitoring. These are significant markets for crypto adoption due to local currency instability, yet they carry higher compliance burdens.
New additions in mid-2025 included Bolivia and the British Virgin Islands (BVI). The BVI addition is particularly notable for the crypto industry. The BVI is a major hub for corporate registrations and offshore entities. Its inclusion signals that even traditional financial havens are under pressure to tighten AML controls. For VASPs, this means any wallet address or corporate entity registered in the BVI now triggers enhanced screening protocols.
Conversely, seeing countries like Croatia leave the list is a positive sign. It shows that compliance work pays off. When a country graduates, the friction for businesses operating there drops significantly. This dynamic nature requires your compliance team to have real-time data feeds, not quarterly manual updates.
Crypto-Specific Implications for VASPs
The FATF doesn’t just regulate banks anymore. Since the implementation of the Travel Rule guidance for Virtual Assets, VASPs are treated similarly to traditional financial institutions. This brings specific challenges when dealing with greylisted jurisdictions.
- Enhanced Customer Due Diligence (EDD): For customers residing in or sending funds from greylisted countries, you cannot rely on standard ID checks. You need to verify the source of wealth and source of funds more rigorously. Why is this person moving $10,000 worth of USDT from Lagos? Standard answers won’t suffice. You need documentation.
- Transaction Monitoring Thresholds: Many exchanges lower their transaction limits for users in greylisted regions. A user in Germany might transfer $50,000 instantly. A user in Kenya might be capped at $1,000 per day unless they provide additional proof. This isn’t discrimination; it’s risk management required by regulators.
- The Travel Rule Complexity: The Travel Rule requires sending and receiving VASPs to share customer information. If the receiving exchange is in a greylisted country, they may lack the infrastructure to comply fully. This creates a bottleneck. Some major exchanges simply refuse to process transfers to/from certain greylisted jurisdictions to avoid the liability gap.
Decentralized Finance (DeFi) poses a unique problem here. Protocols don’t have a central compliance officer. However, if you are building a front-end or providing liquidity via a centralized bridge, you are still exposed. Regulators are increasingly looking at who provides access to these protocols. Ignoring FATF lists in DeFi interfaces is a growing legal risk.
The Economic Impact: Why Compliance Costs Money
You might think skipping strict EDD saves time and money. It doesn’t. The economic impact of being associated with non-compliant jurisdictions is severe. Look at Pakistan, which was greylisted for years before its removal. Estimates suggest it lost billions in capital flight and faced higher borrowing costs. For a crypto business, the cost is reputational and operational.
When your bank sees transactions flowing to or from greylisted countries, they get nervous. Banks are the lifeblood of crypto exchanges. They hold your fiat reserves. If your bank perceives you as a gateway for money laundering into a greylisted zone, they will de-risk-meaning they close your account. We’ve seen this happen repeatedly. One bad batch of transactions from a high-risk jurisdiction can freeze your entire operation.
Furthermore, institutional investors are wary. If you plan to raise venture capital or partner with traditional finance firms, your compliance framework is scrutinized. Showing that you actively block blacklisted traffic and monitor greylisted traffic proves you are a serious player. It’s a competitive advantage, not just a hurdle.
Navigating Geopolitical Delays and Corruption
Not all delays in delisting are technical. Sometimes, they are political. Syria and Yemen have been on the greylist since 2020. Technically, they may have addressed some action plan items, but FATF cannot conduct on-site visits due to security risks. This indefinite limbo means crypto operators must treat these regions as permanently high-risk.
Corruption is another factor. Studies show that countries with high public servant corruption rates are five times more likely to appear on the Grey List. Corrupt officials may fail to prosecute financial crimes, creating systemic gaps. For a crypto operator, this translates to a higher likelihood of encountering sophisticated fraud rings or state-sponsored hacking groups originating from these areas. Your fraud detection algorithms need to be tuned to recognize patterns associated with these specific geopolitical contexts.
Practical Steps for Crypto Businesses in 2026
So, what do you actually do? Here is a checklist for your compliance and product teams:
- Automate Screening: Integrate real-time FATF list APIs into your onboarding flow. Don’t rely on CSV files downloaded last month. When Bolivia got added in 2025, did your system update instantly? If not, you had a window of vulnerability.
- Segment User Limits: Create tiered withdrawal and deposit limits based on jurisdiction. Users from stable, compliant regions get higher limits. Users from greylisted regions get lower limits with faster escalation paths for manual review.
- Train Your Support Team: Customer support agents often handle the first line of defense. They need to know why a transaction from Nigeria is taking longer than one from Canada. Empower them to ask for source-of-funds documentation without sounding accusatory.
- Review Banking Partners: Have an open conversation with your banking partners. Ask them specifically about their stance on transactions involving current greylisted jurisdictions. Align your internal policies with their risk appetite.
- Monitor Chain Analytics: Use blockchain analytics tools that flag addresses interacting with known illicit actors in blacklisted countries. Even if a user is from a compliant country, if their funds came from a mixer linked to North Korea, you must act.
Future Outlook: CBDCs and Stricter Rules
Looking ahead to late 2026 and beyond, expect the FATF to tighten its grip further. The rise of Central Bank Digital Currencies (CBDCs) adds a new layer. Governments want control over digital money flows. This means less room for anonymity and more integration between traditional banking data and blockchain analytics.
We may also see expanded guidance on DeFi. While protocols themselves are hard to regulate, the entry points-exchanges, bridges, and wallets-are fair game. Expect the Travel Rule to become more automated, potentially requiring smart contract-level verification of sender identity for large transfers.
The message is clear: the era of wild west crypto is over. Compliance is now a core product feature. By treating FATF greylist and blacklist restrictions seriously, you protect your business, your users, and your future. Don’t wait for a regulator to knock on your door. Build the walls yourself.
What happens if I ignore FATF greylist restrictions?
Ignoring FATF greylist restrictions can lead to severe consequences, including heavy fines, loss of banking relationships, and potential criminal charges for aiding money laundering. Regulatory bodies in major jurisdictions like the US, EU, and UK closely monitor VASP compliance. Failure to implement Enhanced Due Diligence for greylisted countries demonstrates negligence, which regulators punish harshly.
Can I serve customers from blacklisted countries?
Generally, no. Serving customers from blacklisted countries (North Korea, Iran, Myanmar) involves extreme legal and reputational risks. Most reputable VASPs block all transactions associated with these jurisdictions. Attempting to bypass these blocks using privacy coins or mixers is illegal in many countries and can result in asset seizure and imprisonment.
How often does the FATF update its lists?
The FATF typically updates its lists twice a year, usually around February and June. However, emergency measures or rapid assessments can lead to interim notices. Crypto businesses should integrate real-time API feeds rather than relying on manual bi-annual checks to ensure immediate compliance with any changes.
Does the greylist affect decentralized exchanges (DEXs)?
While DEXs themselves are protocol-based and harder to regulate, the front-ends and aggregators that provide user access are increasingly held accountable. Additionally, if you use a centralized bridge or custodian service to interact with a DEX, those services will enforce FATF restrictions. Indirectly, yes, the greylist affects accessibility and functionality for users in monitored jurisdictions.
What is the 'Travel Rule' in crypto?
The Travel Rule, established by the FATF, requires VASPs to share originator and beneficiary information for transactions above a certain threshold (often €1,000 or equivalent). This aims to prevent anonymity in money transfers. For greylisted countries, complying with the Travel Rule is more challenging due to varying levels of regulatory maturity, leading many VASPs to restrict cross-border transfers with these regions entirely.
