Inadequate oversight of lists of high-risk countries in AML-CFT weakens your onboarding processes and complicates your KYC and KYB. It also disrupts transaction monitoring and reduces your ability to provide justification in the event of an audit.
To date, your operational guidelines are based primarily on three standards: the FATF, the list of high-risk third countries of the European Union and the sanctions programs of OFAC. At AP Solutions IO, we transform these sources into traceable, configurable decisions that are directly integrated into your AML-CFT.
The three reference lists: the FATF, the European Union, and OFAC
The FATF, the core international standard
The FATF publishes two lists updated three times a year: the list of jurisdictions subject to a Call to Action, commonly known as the blacklist, and the list of jurisdictions subject to enhanced monitoring, often referred to as the gray list. As of February 13, 2026, the blacklist includes North Korea, Iran and Myanmar.
The gray list includes, among others, Algeria, Angola, Bolivia, Bulgaria, Cameroon, Ivory Coast, the Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Laos, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, the British Virgin Islands and Yemen.
The FATF also notes that inclusion on the gray list does not, in and of itself, require the termination of business relationships. It does, however, call for rigorous application of the risk-based approach.

The European Union: A list that directly affects your obligations
The European Commission publishes and updates its own list of high-risk third countries as part of the European framework for combating money laundering and terrorist financing.
The most recent version is based, in particular, on Delegated Regulations (EU) 2026/46 and (EU) 2026/83, published in January 2026. It notably includes Afghanistan, Algeria, Angola, Bolivia, the British Virgin Islands, Cameroon, Ivory Coast, North Korea, the Democratic Republic of the Congo, Haiti, Iran, Kenya, Laos, Lebanon, Monaco, Myanmar, Namibia, Nepal, the Russian Federation, South Sudan, Syria, Trinidad and Tobago, Vanuatu, Venezuela, Vietnam and Yemen.
For entities subject to the European AML-CFT, this list triggers enhanced vigilance regarding the business relationships and transactions in question.
OFAC, a sanctions database distinct from the lists of high-risk countries
OFAC does not, strictly speaking, publish a list of high-risk countries for AML-CFT comparable to those of the FATF or the European Union. Its framework is based on an architecture of international sanctions, structured around geographic programs, lists of designated individuals and entities, and continuous updates.
As of April 2026, the official website lists programs related to Cuba, Iran, North Korea, Russia, Venezuela, Sudan and Darfur, as well as thematic sections.
In practice, for a compliance officer, OFAC becomes a key factor as soon as a relationship, currency, counterparty, or transaction falls within the scope of a sanctions regime or embargo.
Evaluation criteria: transparency, cooperation, regulation
Country risk is never just a name on a list. The FATF targets jurisdictions with strategic deficiencies in anti-money laundering, countering terrorist financing and proliferation financing.
For its part, the European Commission takes this international framework into account while applying its own methodology. In particular, it examines the threat the country poses to the Union’s financial system, its economic weight, its potential status as an offshore center, and its level of cooperation.
In France, the Monetary and Financial Code requires regulated entities to identify and assess their money laundering and terrorist financing risks, taking into account, in particular, geographic factors.
It also requires an enhanced review of any transaction that is particularly complex, involves an unusually high amount, or lacks an apparent economic justification. Geography therefore directly influences the level of due diligence, the depth of file review, internal approvals, and the intensity of ongoing monitoring.
This is precisely where the operational challenges begin. Your teams must weigh information from multiple sources, keep track of disparate updates, and distinguish AML-CFT risk from sanctions risk. They must then cross-reference the customer’s country, the beneficial owner’s country, the country of registration, the country of origin of the funds, and the destination country of the transactions. A binary approach then produces two costly effects: on the one hand, false positives that overwhelm analysts, and on the other, an insufficiently rigorous risk assessment, which weakens the justification during an audit. Hence the need for a more nuanced, more consistent, and fully auditable country risk.
Impact on your obligations: increased vigilance, restrictions, reporting
When dealing with a person or entity based in a country listed by the FATF or the European Commission, your obligations are not merely theoretical. They translate, in very concrete terms, into additional due diligence measures:
- a more frequent publication schedule;
- requests for additional documentation;
- enhanced hierarchical approvals and, where necessary, increased monitoring of workflows.
In EU law, operators must apply enhanced due diligence to business relationships and transactions involving high-risk third countries.
For you, the challenge is not simply to identify these standards. It is to demonstrate that this list has a tangible impact on your processes:
- collection of additional supporting documents;
- more frequent review;
- any restrictions on the relationship;
- documentation of decisions and traceability of trade-offs.
In certain situations, the French system may also call for increased vigilance regarding correspondent banking relationships, subsidiaries, branches or the use of third parties. This heightened vigilance is required when these entities are located in countries whose anti-money laundering and counter-terrorist financing are insufficiently robust.
This is where manual methods quickly reach their limits. A spreadsheet is no longer sufficient when it comes to explaining why a case was classified as high risk or why a sanctions alert has been lifted. Nor does it allow for justifying the maintenance of a relationship despite significant geographic exposure. During an audit, the authority does not examine only the stated policy. It also verifies the traceability of its implementation.
Automated Country Risk Assessment: Integrating Lists into Your System
At AP Solutions IO, we handle country risk assessment as a key component of AML-CFT, rather than simply as an additional field in a KYC. We integrate the geographic factor into a Glass Box logic, which is transparent to your teams and defensible before regulators.
Our approach is based on Augmented Intelligence that places human decision-making at the center, while automating repetitive tasks and providing an explanation for each recommendation.
To be useful, an automated country-level scoring must cross-reference multiple dimensions. In particular, it must take into account:
- the customer's country of residence;
- the country of registration;
- the country of the beneficial owner;
- the source and destination of the funds;
- exposure to a list of the FATF or the European Union;
- the existence of a sanctions regime or an embargo.
It must also incorporate the risk level specified in your internal policy, the review frequency, the documentation requirements, the KYT scenarios, and escalation rules.
With AP Scoring, we assign a risk level based on AML-CFT criteria as well as your own business criteria, which are easily configurable. Geographic factors are integrated from the outset, alongside customer characteristics, distribution channels, the nature of products or services, and transaction terms. The score is not static: it evolves based on screening results, list changes, and developments in the file. This real-time correlation aligns the scoring with operational reality.
Our suite then covers the entire process. AP Scan feeds the relationship input and initial screening. AP Filter detects international sanctions, as well as countries and currencies subject to embargoes. AP Monitoring enhances your transaction monitoring in real time. The entire system operates in SaaS or full API integration, with hosting in France, automatic updates every four months, and a justification logic designed for regulated environments. Depending on the use case and configuration, the reduction in false positives can reach 98%.
This ability to explain things has now taken center stage. Between the requirements for auditability, growing expectations regarding algorithmic governance, and the rise of regulated AI, a Black Box creates a blind spot in terms of accountability.
Conversely, a Glass Box approach allows you to explain the weighting of the country-specific risk, trace the source used, date the update, and demonstrate the impact on your processing workflow. It is this transparency that ensures the reliability of the decision, the reporting, and the relationship with the supervisory authority.

Learn more about AP Scoring
The lists of the FATF, the list of high-risk third countries and the international sanctions should no longer be kept in separate files. We help you convert them into an automated scoring system, traceable, up-to-date, and directly actionable within your KYC, KYB and KYT, as well as your periodicals. You can also expand on this topic with our article on embargoes, our analysis of the FATF, and our AML-CFT.
FAQ
What is the difference between the FATF's gray list and blacklist?
The blacklist includes jurisdictions targeted by a call to action due to major strategic deficiencies. The gray list, on the other hand, includes jurisdictions subject to enhanced monitoring and committed to an action plan with the FATF. The operational response is therefore not of the same nature.
Can a customer located in a high-risk country be accepted?
Yes, in certain cases, provided that no restriction related to international sanctions prevents it, and that your enhanced due diligence is appropriate for the level of risk. Acceptance must never be automatic. It must be justified, documented, and strictly consistent with your internal policy.
How often are the lists updated?
The FATF publishes its lists three times a year. The European Union's list is updated through delegated regulations, at varying intervals. OFAC, for its part, continuously updates its programs and designations as actions are published. It is precisely for this reason that automated monitoring remains more reliable than sporadic manual updates.

