The Financial Action Task Force (FATF) has published the outcomes of its June 2026 plenary. Thistle Initiatives Manager Elliott Day sets out what has substantively changed, why it matters and what UK-regulated firms should be thinking about now.
The Financial Action Task Force June 2026 plenary concluded on Friday, 19th June. The main outcome added Bosnia and Herzegovina and Iraq to the list of jurisdictions under increased monitoring, with Algeria and Namibia removed following successful remediation. The plenary also reinforced its direction of travel on fraud, payments and emerging technologies, alongside confirmation of priorities under the incoming UK presidency from July 2026. For UK firms, FATF list updates typically feed through quickly into onboarding judgements, the depth of customer due diligence (CDD) and alert volumes once exposure to a newly listed jurisdiction is identified.
Key Changes
Bosnia and Herzegovina and Iraq were added to the FATF grey list
Bosnia and Herzegovina and Iraq have been added to the FATF grey list following the June 2026 plenary.
Algeria and Namibia were removed following remediation
Algeria and Namibia have been removed from the list following successful on-site visits and completion of their action plans.
Consultation on cross-border payment transparency (Recommendation 16)
FATF approved a public consultation on new guidance to support strengthened cross-border payment transparency under Recommendation 16.
New publications on emerging risks and criminal methods
FATF approved new publications covering areas including terrorist financing via digital platforms, underground banking and evolving criminal methods, with further outputs due later in 2026.
Further work on virtual assets and decentralised finance
FATF progressed further work on virtual assets, including a targeted update on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) and a separate report on decentralised finance (DeFi), to be published next month.
UK presidency priorities confirmed
The UK presidency priorities from July 2026 were confirmed, with a focus on fraud, risk-based supervision and information sharing.
Update to Recommendation 6 on humanitarian exemptions
FATF updated Recommendation 6 to include a humanitarian exemption aligned with United Nations Security Council Resolutions, clarifying how sanctions should operate in practice.
Why This Matters for UK Regulated Firms
Grey listing does not in itself prevent firms from doing business with a jurisdiction. The key consideration is whether firms can demonstrate that the shift in risk has been recognised and reflected in their controls.
In practice, grey listing usually leads to greater scrutiny of well‑established risk areas: the quality of CDD, visibility over ownership and control structures, the role played by intermediaries and the extent of reliance on local supervisory regimes. These are typically areas where underlying assumptions may no longer be fully reliable.
The June plenary also signals a broader supervisory shift. Alongside list updates, FATF continues to emphasise the interaction between fraud, payment systems and emerging technologies, with a clearer expectation of more structured information sharing and public‑private coordination between firms and authorities.
The forward-looking element is also relevant. With a UK FATF presidency from mid‑2026 and a clear emphasis on fraud, risk‑based supervision and information sharing, supervisory attention is likely to sharpen across cross‑border activity, payment transparency, offshore structures and the links between fraud, AML and sanctions controls.
For firms with payment exposure, correspondent relationships, crypto-related activity or international customer bases, the impact is less about the introduction of new requirements and more about increased scrutiny of how decisions are evidenced and justified.
Practical Implications
The impact of the strategy will vary by business model, but several themes are likely to be relevant where sanctions exposure exists.
Country risk ratings
Grey list exposure, sitting in a low or medium risk band, will be questioned without a clear and current rationale.
Customer due diligence and enhanced due diligence
Where firms have exposure to the relevant jurisdictions, more cases are likely to require deeper analysis of the source of funds and wealth, ownership and control and the stated purpose of activity.
Transaction monitoring
Where activity is connected to these jurisdictions, geographic risk triggers and cross‑border corridors may drive higher alert volumes and follow‑up work.
Banking relationships
Partner banks may seek clearer articulation of how grey list exposure is identified, approved and overseen.
Payments transparency
Forthcoming guidance on recommendation 16 is likely to increase focus on the completeness and quality of originator and beneficiary information in cross‑border payments.
Virtual asset activity
Forthcoming FATF reports are likely to influence near‑term expectations for firms supporting stablecoins, wallets or VASP customers.
Fraud and information sharing
Increasing emphasis on fraud and structured information sharing may lead to greater scrutiny of how firms participate in intelligence‑sharing arrangements and respond to scam‑related risks.
What Firms Should Consider Now
Against this backdrop, firms may wish to reflect on a small number of core questions.
Have country risk assessments and exposure mapping been revisited?
Map direct and indirect exposure to Bosnia and Herzegovina and Iraq across customers, counterparties, PSPs, agents, intermediaries and settlement chains. Use CPI and internal intelligence as a reasonableness check alongside transaction data and typologies.
Are enhanced due diligence triggers and approval routes clearly defined and understood?
Be clear on when grey list exposure leads to enhanced due diligence (EDD) by default and when a more targeted, product or activity‑led review is appropriate. Ownership evidence, control structures and consistency between profile and behaviour are likely to attract more attention.
Do payments and sanctions controls operate effectively in practice?
Reconfirm how originator and beneficiary information is captured and assessed, including how incomplete or poor‑quality payment data is handled and documented. For cross‑border flows, ensure controls reflect the highest‑risk point in the chain, not just the customer’s domicile.
Is transaction monitoring appropriately calibrated to geographic risk?
Review scenarios sensitive to geographic risk, rapid movement of funds and layering through multiple counterparties. Make sure model governance can explain why thresholds and risk weightings remain appropriate following the list update.
Is your firm prepared for increased scrutiny of virtual assets and fraud exposure?
Where relevant, test the firm’s ability to identify offshore VASP relationships, unhosted wallet interaction and high‑velocity peer‑to‑peer activity. First-line teams should be comfortable challenging technical explanations that avoid basic questions around ownership, control and purpose.
Our Closing View
While FATF list updates are a routine development, they remain a consistent point of focus for supervisors, banks and auditors. Firms that can demonstrate how changes in country risk translate into practical control responses are more likely to avoid retrospective challenge.
The June plenary points to a broader shift beyond jurisdictional risk, with increased focus on fraud, payment transparency and the role of emerging technologies. With further FATF publications expected and a UK presidency now beginning, this is a sensible point for firms to check that their risk appetite, control design and supporting evidence remain aligned with how expectations are evolving, particularly for cross‑border and digitally‑enabled activity.
How Thistle Initiatives Can Help
Thistle’s financial crime team provides clear, independent assurance that shows whether your systems and controls operate effectively in light of evolving global standards.
We review risk assessments end-to-end, assess country and corridor risk methodologies and highlight gaps that may expose firms to heightened regulatory scrutiny. We then provide practical steps to strengthen oversight, risk scoring and control effectiveness. Our aim is simple: to help firms demonstrate a robust, well-evidenced financial crime compliance framework that stands up to regulatory and stakeholder scrutiny.
Get in touch at info@thistleinitiatives.co.uk or call 0207 436 0630 to speak with our team.
Meet the Expert
Elliott Day, Manager 
Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.
Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.