Changes to the FATF Grey List – comprehensive compliance guide for MLROs

The Financial Action Task Force (FATF) has added Kuwait and Papua New Guinea to its grey list of jurisdictions under increased monitoring.

Under Regulation 33(1)(b) of the Money Laundering Regulations 2017, this addition means UK law firms are now legally required to apply enhanced due diligence measures to any business relationship or transaction involving persons established in these countries. This update has immediate and significant compliance implications for Money Laundering Reporting Officers (MLROs) in UK law firms. This comprehensive guide explains what these changes mean and why they matter, and provides a detailed action plan for ensuring your firm remains compliant with the Money Laundering Regulations 2017.

Understanding the FATF and its lists

What is the FATF?

The Financial Action Task Force is an inter-governmental body established in 1989 to develop and promote policies to combat money laundering, terrorist financing, and proliferation financing. With 40 members including the UK, FATF sets international standards through its Recommendations, which over 200 countries and jurisdictions have committed to implementing.

The Grey List vs The Black List

The Grey List (Jurisdictions Under Increased Monitoring)

Countries on the grey list have committed to resolving strategic deficiencies in their anti-money laundering and counter-terrorist financing regimes within agreed timeframes. Under UK law, grey list countries are classified as ‘high-risk third countries’ under Regulation 33(3)(a) of the MLR 2017. This means that enhanced due diligence is legally required for any business relationship or transaction involving a person established in these jurisdictions. Kuwait and Papua New Guinea now join this list, triggering mandatory EDD obligations for UK firms.

The Black List (High-Risk Jurisdictions)

Countries on the black list have significant strategic deficiencies and pose severe risks to the international financial system. As of October 2025, three countries remain on the black list: North Korea and Iran (both subject to countermeasures), and Myanmar (subject to enhanced due diligence). The FATF calls on all members to apply these measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from these jurisdictions.

UK Legal and Regulatory Framework

Money Laundering Regulations 2017

Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), UK law firms are required to take a risk-based approach to client due diligence. Regulation 33(1)(b) specifically requires enhanced due diligence measures and enhanced ongoing monitoring for any business relationship with a person established in a high-risk third country, or any transaction where either party is established in such a country.

Critically, Regulation 33(3)(a) defines ‘high-risk third countries’ as countries named on the FATF’s ‘Jurisdictions Under Increased Monitoring’ list (the grey list) or ‘High-Risk Jurisdictions subject to a Call for Action’ list (the black list). This means that the addition of Kuwait and Papua New Guinea to the FATF grey list automatically triggers a legal requirement for UK firms to apply enhanced due diligence to clients and transactions connected to these jurisdictions. This is not optional or discretionary—it is a mandatory legal obligation.

Solicitors Regulation Authority requirements

The SRA expects firms to have robust systems and controls in place to comply with money laundering regulations. This includes maintaining up-to-date risk assessments that reflect current intelligence on jurisdictional risks. Failure to update risk assessments following material changes such as FATF list updates could be viewed as a systems and controls failure.

What the Kuwait and Papua New Guinea additions mean

Why these jurisdictions were listed

Kuwait

Kuwait has been identified as having strategic deficiencies in its anti-money laundering and counter-terrorist financing framework. As a major financial centre in the Gulf region with significant cross-border flows, these deficiencies present material risks that UK firms must now factor into their client risk assessments.

Papua New Guinea

Papua New Guinea’s listing reflects concerns about its regulatory framework and implementation of international AML/CFT standards. The jurisdiction’s natural resource wealth and complex corporate structures often used in mining and energy sectors mean UK law firms may have existing client relationships requiring immediate attention.

Risk considerations

When assessing risk, MLROs should consider:

  • The nature of the legal services being provided
  • The extent of the client’s connection to the jurisdiction (incorporation, beneficial ownership, source of funds/wealth, transaction counterparties)
  • The client’s business model and sector (particularly relevant for Papua New Guinea’s natural resources sector)
  • Transaction values and complexity
  • Presence of other risk factors

Immediate actions required for MLROs

Action 1: Client file review and identification

Scope of review

Conduct a comprehensive review to identify all current client matters where there is any connection to Kuwait or Papua New Guinea. This includes:

  • Clients incorporated or registered in either jurisdiction
  • Beneficial owners who are nationals or residents of these countries
  • Source of funds or wealth originating from these jurisdictions
  • Transaction counterparties based in or connected to these countries
  • Corporate structures with entities or accounts in these jurisdictions


Practical implementation

Use your case management system to search for references to “Kuwait”, “PNG”, and “Papua New Guinea” in client records. Review corporate registers for entities incorporated in these jurisdictions. Check beneficial ownership registers and source of funds documentation. This review should be prioritised and completed within 14 days.

Action 2: Enhanced due diligence implementation

Legal Requirement for Enhanced Due Diligence

Under Regulation 33(1)(b) of the MLR 2017, enhanced due diligence is legally required for all business relationships and transactions involving persons established in Kuwait or Papua New Guinea. This is a mandatory obligation that applies to:

  • All new clients or matters with connections to these jurisdictions
  • All existing clients with such connections (who must now be subject to EDD if not already)
  • Any transaction where either party to the transaction is established in these countries
  • Both individuals (if resident in the country) and legal persons (if incorporated or having their principal place of business there)


For identified client files, assess whether enhanced due diligence measures are already in place and, if not, implement them immediately. The requirement applies regardless of whether other risk factors are present – the geographic connection alone triggers the legal obligation. However, where additional risk factors exist (high-value transactions, complex structures, etc.), the intensity and depth of the EDD measures should be increased accordingly.

Source of Funds verification

Enhanced source of funds checks should trace the origin of funds through multiple layers where necessary. For funds originating from Kuwait or Papua New Guinea, this means:

  • Obtaining original documentation evidencing the source (bank statements, sale agreements, employment contracts)
  • Verifying the legitimacy of the stated source through independent research or third-party verification
  • Understanding the transaction chain from original source to current location
  • Assessing whether the stated source is consistent with the client’s profile


Source of Wealth verification

Source of wealth enquiries should establish how the client accumulated their overall net worth. This requires:

  • Detailed understanding of the client’s business interests and career history
  • Documentation of major assets and their acquisition
  • For business wealth: understanding of the business model, revenue sources, and growth trajectory
  • Independent verification where possible (e.g., corporate filings, news reports, property records)
  • Assessment of whether the accumulated wealth is consistent with known income sources


Additional enhanced due diligence measures

Beyond source of funds and wealth verification, consider implementing:

  • More frequent monitoring of the client relationship and transactions
  • Obtaining senior management approval for continuing the relationship
  • Conducting adverse media searches on the client, beneficial owners, and associated entities
  • PEP screening for all individuals connected to the matter
  • Sanctions screening beyond initial onboarding
  • Enhanced scrutiny of transaction documentation and commercial rationale


Action 3: Update Firm-Wide Risk Assessment

Geographic risk section

Your firm’s risk assessment must be updated to reflect the changed risk profile of Kuwait and Papua New Guinea. In the geographic risk section, these jurisdictions should now be categorised as higher risk, with appropriate controls documented.

The update should include:

  • Reference to the FATF grey list inclusion and date
  • Description of the specific risks associated with each jurisdiction
  • Clear articulation of the enhanced due diligence measures to be applied
  • Approval thresholds for accepting new clients with connections to these jurisdictions
  • Monitoring and review procedures for existing clients


Documentation and governance

Ensure the risk assessment update is formally approved by the appropriate governance body (typically the compliance committee or board). Document the rationale for the updated risk categorisation. Communicate the changes to all fee-earners who may encounter clients with connections to these jurisdictions.

Operational considerations and best practices

Balancing Mandatory Requirements with Proportionate Application

It is important to understand that while enhanced due diligence is legally required for all clients and transactions connected to Kuwait and Papua New Guinea under Regulation 33(1)(b), firms retain discretion in how they apply these measures. The regulations do not mandate client rejection or relationship termination. The FATF explicitly states that standards do not envisage de-risking or cutting off entire classes of customers.

What this means in practice is:

  • EDD is mandatory for geographic connections to these countries – this is non-negotiable
  • However, the intensity and depth of EDD measures should be calibrated to the overall risk profile
  • A straightforward, low-value matter may require less intensive EDD than a complex, high-value transaction
  • Firms can continue to serve clients where satisfactory EDD can be obtained and risk can be adequately managed
  • Only decline or terminate relationships where adequate EDD cannot be completed or risk cannot be mitigated


Regulation 33(3A) sets out the minimum measures that must be taken, but firms should apply these with appropriate intensity based on the totality of risk factors present in each case.

Humanitarian and legitimate business flows

The FATF guidance specifically notes that countries should ensure flows of funds for humanitarian assistance, legitimate NPO activity, and remittances are neither disrupted nor discouraged. MLROs should be mindful of this when assessing clients engaged in charitable work, non-profit activities, or legitimate business operations in or connected to these jurisdictions.

Staff training and awareness

Ensure all relevant staff are aware of the FATF update and understand its implications for their work. This includes:

  • Fee-earners who may encounter clients with connections to Kuwait or Papua New Guinea
  • Client intake teams responsible for onboarding new matters
  • Compliance teams conducting due diligence
  • Partners with approval authority for high-risk matters


Consider issuing a compliance alert or conducting targeted training sessions to ensure consistent application of enhanced measures across the firm.

Documentation and record-keeping

What to document:

Comprehensive documentation is essential for demonstrating compliance. For each affected client file, maintain clear records of:

  • The risk assessment conducted in light of the Kuwait/Papua New Guinea connection
  • Enhanced due diligence measures applied and the rationale for choosing these measures
  • Source of funds and source of wealth verification steps taken and evidence obtained
  • Approval decisions and the decision-makers involved
  • Ongoing monitoring activities and findings
  • Any concerns identified and how they were resolved


Retention requirements

Under MLR 2017, records must be retained for five years from the end of the client relationship or the completion of the occasional transaction. Given the enhanced scrutiny these matters may receive, consider maintaining even more detailed records than usual to demonstrate your compliance approach if ever questioned by regulators.

Red flags and practical scenarios

Warning signs to watch for

When conducting enhanced due diligence on clients with Kuwait or Papua New Guinea connections, be alert to additional red flags that may indicate heightened money laundering or terrorist financing risk:

  • Reluctance to provide information about source of funds or wealth

  • Inconsistencies between stated source of wealth and observable lifestyle or assets

  • Unnecessarily complex corporate structures involving multiple jurisdictions

  • Use of shell companies or nominees without clear commercial rationale

  • Transactions that lack obvious economic purpose

  • Connections to high-risk sectors (extractive industries, cash-intensive businesses)

  • Adverse media about the client, beneficial owners, or associated entities

  • Unexpected changes in transaction patterns or business activities

Example scenarios

Scenario 1: Kuwaiti real estate investor

A Kuwaiti national seeks to purchase a £5 million London property through a BVI company. Enhanced due diligence should include detailed verification of the source of the purchase funds, understanding of how the client accumulated their wealth, screening for PEP status, assessment of why a corporate structure is being used, and verification of the commercial rationale for the investment. Given the combination of high value, grey list jurisdiction, and corporate structure, senior management approval should be required.

Scenario 2: Papua New Guinea mining company

A company incorporated in Papua New Guinea operating in the mining sector seeks advice on a UK listing. Enhanced due diligence should verify the legitimacy of the mining operations, understand the ownership structure including ultimate beneficial owners, assess compliance with local regulations and licensing requirements, review any production or financial data to verify business legitimacy, and conduct thorough adverse media searches on the company and its principals. The high-risk combination of extractive industry, grey list jurisdiction, and complex transaction type requires intensive scrutiny.

Implementation timeline and checklist

Recommended timeline

Week 1:

  • Update firm-wide risk assessment to include Kuwait and Papua New Guinea

  • Issue compliance alert to all relevant staff

  • Begin client file review to identify affected matters

Weeks 2-3:

  • Complete client file review

  • Assess current due diligence status for each identified file

  • Prioritise files requiring immediate enhanced due diligence based on risk level

Weeks 4-6:

  • Implement enhanced due diligence measures on identified files

  • Obtain senior management approvals where required

  • Document all decisions and evidence obtained

Ongoing:

  • Apply enhanced due diligence to all new matters with Kuwait/Papua New Guinea connections

  • Monitor existing client relationships with increased frequency

  • Review and update risk assessment as FATF provides further updates

MLRO Action Checklist

  1. Review and understand the FATF announcement and implications

  2. Update firm-wide risk assessment geographic risk section

  3. Obtain governance approval for risk assessment update

  4. Issue staff alert explaining the changes and expectations

  5. Search case management systems for Kuwait and Papua New Guinea references

  6. Review corporate registers for entities incorporated in these jurisdictions

  7. Check beneficial ownership records for nationals/residents

  8. Assess current due diligence adequacy for each identified file

  9. Implement enhanced source of funds verification where required

  10. Implement enhanced source of wealth verification where required

  11. Conduct or refresh adverse media searches

  12. Obtain senior management approvals for continuing high-risk relationships

  13. Document all enhanced due diligence measures and findings

  14. Update client intake procedures for new matters

  15. Update ongoing monitoring procedures for affected files

  16. Conduct targeted training for relevant staff

  17. Update compliance procedures and guidance documents

  18. Schedule review of implementation progress

Additional context and ongoing monitoring

Complete current FATF lists (as at 14 February 2026)

Black List (High-Risk Jurisdictions – as of October 2025)

As of October 2025, three jurisdictions are on the FATF black list: Democratic People’s Republic of Korea (North Korea) and Iran (both subject to countermeasures), and Myanmar (subject to enhanced due diligence only). Any client connections to North Korea or Iran require the application of countermeasures to protect the international financial system. Myanmar connections require enhanced due diligence measures.

Grey List (Jurisdictions under increased monitoring – as of February 2026)

Following the February 2026 additions of Kuwait and Papua New Guinea, and the October 2025 removal of Burkina Faso, Mozambique, Nigeria, and South Africa, the grey list now comprises 21 jurisdictions: Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), and Yemen.

Haiti, Syria, Bolivia, Lebanon, Virgin Islands (UK), and Yemen have deferred reporting in recent cycles, so their current status may not reflect the most recent developments. MLROs should be particularly cautious with these jurisdictions given the lack of current information on their progress toward addressing AML/CFT deficiencies.

It is noteworthy that in October 2025, four African nations successfully exited the grey list after completing their action plans, demonstrating that grey-listing is not permanent and that countries making genuine progress can be removed. This underscores that the lists are dynamic and subject to regular review.

Staying current with FATF updates

The FATF typically publishes list updates three times per year (February, June, and October). MLROs should:

  • Monitor the FATF website for announcements

  • Subscribe to relevant regulatory updates from the Law Society or SRA

  • Review risk assessments promptly following each FATF update

  • Maintain a process for rapidly implementing changes when jurisdictions are added or removed


Frequently asked questions

Q: Does grey list inclusion mean we must automatically reject all clients from Kuwait and Papua New Guinea?

A: No. While Regulation 33(1)(b) legally requires you to apply enhanced due diligence to all clients and transactions connected to these countries, it does not require automatic rejection. You must conduct EDD, but you can continue to serve clients where satisfactory enhanced due diligence can be obtained and risk can be adequately managed. Only decline relationships where you cannot complete adequate EDD or where risk cannot be mitigated.

Q: How is this different from black list jurisdictions?

A: Both grey list and black list countries are classified as ‘high-risk third countries’ under Regulation 33(3)(a) and both require enhanced due diligence under UK law. The difference is that for black list countries (North Korea and Iran), the FATF additionally calls for countermeasures to be applied by all member countries. Myanmar, also on the black list, currently requires EDD only. The key distinction is in the international response and severity of measures, not in whether EDD is required under UK law—it is required for both.

Q: What if a client has only a minor connection to these jurisdictions (e.g., a single transaction with a counterparty)?

A: Regulation 33(1)(b) requires EDD for any transaction where either party is established in a high-risk third country. Therefore, even a single transaction with a counterparty established in Kuwait or Papua New Guinea triggers the legal requirement for EDD. However, the intensity and depth of the EDD measures should be proportionate to the overall risk. A one-off, low-value transaction with good documentation may require less intensive EDD than ongoing relationships or high-value transactions, but some level of enhanced measures is legally required.

Q: Do we need to notify existing clients that they’re now subject to enhanced due diligence?

A: While not legally required to notify them of the FATF change, you may need to request additional information or documentation. Frame this professionally as part of your ongoing compliance obligations and periodic review processes.

Q: How detailed should our source of wealth documentation be?

A: Sufficient to understand how the client accumulated their overall net worth and to verify that the stated source is legitimate and consistent with their profile. For high-net-worth individuals or complex situations, this may require substantial documentation including business records, tax returns, property records, and independent verification.

Q: Can we rely on due diligence conducted before these countries were grey-listed?

A: You should review existing due diligence to determine if it meets the enhanced standard now appropriate given the updated risk assessment. In many cases, additional verification will be necessary. This is particularly important if the original due diligence is more than 12 months old.

Q: What if the client refuses to provide the additional information we request?

A: If satisfactory due diligence cannot be obtained, you cannot proceed with or continue the client relationship. Under MLR 2017 Regulation 31, where you cannot apply CDD measures, you must not carry out a transaction through a bank account, establish a business relationship, or carry out an occasional transaction, and should consider submitting a suspicious activity report.

Resources and further reading

For additional guidance and up-to-date information, consult:

1. FATF Public Documents: https://www.fatf-gafi.org/en/publications.html

2. FATF Black and Grey Lists: https://www.fatf-gafi.org/en/countries/black-and-grey-lists.html

3. UK Money Laundering Regulations 2017: https://www.legislation.gov.uk/uksi/2017/692/contents/made

4. Legal Sector Affinity Group Anti-Money Laundering Guidance (2025): https://www.lawsociety.org.uk/en/topics/anti-money-laundering/anti-money-laundering-guidance

5. SRA AML Obligations and Guidance: https://www.sra.org.uk/solicitors/resources/money-laundering/guidance-support/

6. National Crime Agency – Suspicious Activity Reports: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/money-laundering-and-illicit-finance/suspicious-activity-reports

7. Law Society AML Resources: https://www.lawsociety.org.uk/topics/anti-money-laundering

Conclusion

The addition of Kuwait and Papua New Guinea to the FATF grey list represents a material change in the regulatory landscape for UK law firms. Under Regulation 33(1)(b) of the MLR 2017, these countries are now classified as high-risk third countries, triggering a mandatory legal requirement to apply enhanced due diligence to all business relationships and transactions involving persons established in these jurisdictions.

While EDD is mandatory, this does not mean automatic client rejection. Firms retain the ability to serve clients from these jurisdictions where adequate enhanced due diligence can be obtained and risk can be properly managed. The key is applying the required EDD measures with appropriate intensity based on the overall risk profile, maintaining comprehensive documentation, and only declining relationships where adequate due diligence cannot be completed or risk cannot be mitigated.

MLROs who move swiftly to update risk assessments, identify affected clients, and implement the legally required enhanced due diligence measures will ensure their firms remain compliant while maintaining the ability to serve clients professionally and effectively. The regulatory expectation is clear: mandatory EDD for geographic connections to high-risk third countries, applied with proportionate intensity and supported by robust documentation and risk-based decision-making.