Skip to content

FATF February 2026 Plenary: Grey List Additions and a Sharper Focus on Virtual Assets

Feb 20, 2026 2:49:19 PM

 A few key changes came out of the Financial Action Task Force's (FATF) February 2026 plenary last week, including a newly appointed president. Thistle Initiatives Manager, Elliott Day, expands on the changes and why it matters for UK-regulated firms. 

The Financial Action Task Force (FATF) latest plenary concluded on 13th February 2026. The main outcome was the addition of Kuwait and Papua New Guinea to the list of jurisdictions under increased monitoring, with no countries removed in this round. The plenary also reinforced the FATF's direction of travel on fraud and virtual assets, with two further reports due next month and confirmation that a UK representative will take over the FATF presidency from July 2026.

For UK firms, FATF list updates rarely stay theoretical. They tend to show up quickly in onboarding decisions, customer due diligence (CDD) depth and alert volumes once exposure to a newly listed jurisdiction is identified.

Key Changes

  • Kuwait and Papua New Guinea have been added to the FATF grey list

  • No jurisdictions were removed, and all other monitored countries remain unchanged

  • FATF confirmed two virtual asset reports will be published next month, covering offshore VASPs, stablecoins and unhosted wallets

  • Giles Thomson (UK) has been appointed FATF president from 1 July 2026

  • FATF updated its public statement on Iran, reiterating its existing call for action with no change to Iran’s overall status

Why This Matters for UK-regulated Firms

Grey listing does not create an automatic prohibition on doing business. The real issue is how firms evidence that they have understood the change in risk and adjusted their controls accordingly. In practice, grey listing tends to drive closer scrutiny of areas that are already familiar pressure points: the reliability of CDD, the transparency of ownership and control structures, the role of intermediaries and how confident firms are in local supervision and enforcement. These are often the areas where assumptions have built up over time.

It would also be prudent to re‑test country risk assessments against wider indicators. Transparency International’s 2025 Corruption Perceptions Index (CPI) was also published this month and scores Kuwait at 46 and Papua New Guinea at 26. That does not dictate a risk rating, but it is a useful sense check on whether existing assessments and control intensity still feel credible when viewed externally.

Looking ahead, a UK FATF president from mid‑2026 and a clear emphasis on cyber‑enabled fraud and virtual assets, expectations around cross‑border activity, offshore structures and the interaction between fraud, AML and sanctions controls are likely to tighten. For firms with payment flows, correspondent exposure, crypto touchpoints or international customer bases, this is less about new rules and more about stronger challenge on evidence and decision‑making.

Practical Implications

  • Country risk ratings: grey list exposure sitting in a low or medium risk band will be questioned without a clear and current rationale.

  • CDD and Enhanced Due Diligence (EDD): where firms have exposure to the relevant jurisdictions, more cases are likely to require deeper analysis of the source of funds and wealth, ownership and control and the stated purpose of activity.

  • Transaction monitoring: where activity is connected to these jurisdictions, geographic risk triggers and cross‑border corridors may drive higher alert volumes and follow‑up work

  • Banking relationships: partner banks may seek a clearer articulation of how grey list exposure is identified, approved and overseen.

  • Virtual asset activity: forthcoming FATF reports are likely to influence near‑term expectations for firms supporting stablecoins, wallets or Virtual Asset Service Providers (VASP) customers.

What Firms Should Consider Now

Revisit country risk assessments and exposure mapping
Map direct and indirect exposure to Kuwait and Papua New Guinea across customers, counterparties, PSPs, agents, intermediaries and settlement chains. Use CPI and internal intelligence as a reasonableness check alongside transaction data and typologies.

Check EDD triggers and approval routes
Be clear on when grey list exposure leads to EDD by default and when a more targeted, product or activity‑led review is appropriate. Ownership evidence, control structures and consistency between profile and behaviour are likely to attract more attention.

Review payments and sanctions controls where relevant
Reconfirm how originator and beneficiary information is captured and assessed, including how incomplete or poor‑quality payment data is handled and documented. For cross‑border flows, ensure controls reflect the highest‑risk point in the chain, not just the customer’s domicile.

Sense‑check transaction monitoring calibration
Review scenarios sensitive to geographic risk, rapid movement of funds and layering through multiple counterparties. Make sure model governance can explain why thresholds and risk weightings remain appropriate following the list update.

Prepare for increased scrutiny of virtual asset exposure
Where relevant, test the firm’s ability to identify offshore VASP relationships, unhosted wallet interaction and high‑velocity peer‑to‑peer activity. First-line teams should be comfortable challenging technical explanations that avoid basic questions around ownership, control and purpose.

Our Closing View

FATF list updates are a routine feature of the AML landscape, but they are a common trigger for challenge from supervisors, banks and auditors.

Firms that can show how country risk decisions translate into due diligence, monitoring and governance tend to avoid reactive remediation later. With further FATF publications imminent and a UK presidency approaching, this is a sensible point for firms to check that their risk appetite, control design and supporting evidence remain aligned with how expectations are evolving, particularly for cross‑border and digital asset activity.

How Thistle Initiatives Can Help

Our financial crime team provides clear, independent assurance that shows whether your systems and controls operate effectively in light of evolving global standards.

We review risk assessments end-to-end, assess country and corridor risk methodologies and highlight gaps that may expose firms to heightened regulatory scrutiny. We then provide practical steps to strengthen oversight, risk scoring and control effectiveness. Our aim is simple: to help firms demonstrate a robust, well-evidenced financial crime compliance framework that stands up to regulatory and stakeholder scrutiny.

Get in touch at info@thistleinitiatives.co.uk or call 020 7436 0630 to speak with our team. 

Meet the Expert

Elliott Day

Elliott Day, Manager  LinkedIn

Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.

Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.