FATF Greylist Countries: Crypto Compliance Risks & Restrictions

Key Takeaways

• The FATF greylist flags 24‑25 jurisdictions that must tighten AML/CTF controls, and crypto firms must apply enhanced monitoring for these countries.
• Blacklisted countries (North Korea, Iran, Myanmar) trigger the strongest restrictions, including mandatory transaction blocking.
• Every Virtual Asset Service Provider (VASP) should keep an auto‑updating screening list and a documented Enhanced Due Diligence (EDD) workflow.
• Recent additions - Bolivia and the Virgin Islands (UK) - illustrate how quickly crypto compliance programs can become outdated.
• Non‑compliance can lead to fines, loss of banking relationships, and up to billions in capital flight, as seen with Pakistan and Albania.

FATF greylist countries are jurisdictions under increased monitoring by the Financial Action Task Force (FATF) because of strategic deficiencies in anti‑money‑laundering (AML) and counter‑terrorism financing (CTF) controls. Understanding why they matter for digital assets helps you avoid costly compliance missteps.

When a crypto exchange, wallet provider, or any other Virtual Asset Service Provider (VASP) processes a transaction involving a greylist jurisdiction, the regulator expects enhanced due diligence - more data collection, stricter monitoring, and timely reporting. The difference between a greylist and a blacklist can be the deciding factor between staying open in a market or having your accounts frozen.

What the FATF Greylist Really Means

The Financial Action Task Force publishes two watch‑lists: a blacklist (officially “high‑risk jurisdictions”) and a greylist (jurisdictions under increased monitoring). As of June2025, the blacklist contains three countries - North Korea, Iran and Myanmar. The greylist holds twenty‑four to twenty‑five nations that have pledged to close gaps but still need close scrutiny.

Being on the greylist does not mean a country is sanctioned, but it does signal a higher probability of money‑laundering or terrorist‑financing activity. International banks and crypto platforms treat these signals as risk factors, often requiring extra KYC steps, transaction limits, or manual reviews before allowing a transfer.

Greylist vs. Blacklist: Crypto‑Specific Restrictions

For crypto firms, the practical impact is clear: dealing with a greylist jurisdiction means you must keep a detailed audit trail, while a blacklisted jurisdiction forces you to stop processing altogether.

Current Greylist Countries (June2025) and Recent Moves

Below is the up‑to‑date list of jurisdictions classified as “under increased monitoring.” Note the two newcomers - Bolivia and the Virgin Islands (UK) - and the three removals (Croatia, Mali, Tanzania) after successful action‑plan completion.

• Algeria
• Angola
• Bolivia (new)
• Bulgaria
• BurkinaFaso
• Cameroon
• Côted'Ivoire
• Democratic Republic of the Congo
• Haiti
• Kenya
• Laos (Lao People’s Democratic Republic)
• Lebanon
• Monaco
• Mozambique
• Namibia
• Nepal
• Nigeria
• SouthAfrica
• SouthSudan
• Syria
• Venezuela
• Vietnam
• Virgin Islands (UK) (new)
• Yemen

Most of these economies rely heavily on remittances and have growing crypto user bases. That makes the greylist status especially relevant for cross‑border payment providers and decentralized finance (DeFi) platforms.

Compliance Checklist for Crypto Firms

Every VASP should embed the following steps into its AML/CTF program. The list reflects the FATF’s “Travel Rule” and the latest guidance for digital assets.

1. Maintain an auto‑updating country‑screening database that pulls directly from the FATF’s published lists.
2. For any transaction involving a greylist country, trigger an Enhanced Due Diligence workflow that collects:
   • Full legal name and address of the counterparty.
   • Proof of source of funds (bank statements, employment contracts, mining rewards, etc.).
   • Beneficial‑owner identification where the counterparty is a corporate entity.
3. Implement real‑time transaction monitoring that flags:
   • Rapid movement of large sums to/from greylist wallets.
   • Multiple transfers involving the same address but different customer IDs.
   • Use of mixers, privacy‑coins, or cross‑chain bridges linked to greylist jurisdictions.
4. Generate a Suspicious Activity Report (SAR) within 30days of detection and retain all supporting documents for at least five years.
5. Notify your banking partners of the increased risk profile; negotiate additional guarantees or insurance if required.
6. Conduct quarterly training for compliance staff on new FATF updates - the list can change with a single press release.

Failing to follow any of these steps can expose your platform to civil penalties, loss of banking relationships, or even forced shutdown.

Real‑World Risks of Ignoring Greylist Rules

Two recent case studies illustrate the cost of non‑compliance.

Case 1 - A mid‑size exchange in Europe: The platform processed crypto purchases for Nigerian users without applying EDD. FATF‑enabled monitoring flagged over $2million in suspicious transfers. The regulator issued a €5million fine and ordered the exchange to suspend all Nigerian accounts for six months. The loss of that market shaved 12% off the exchange’s annual revenue.

Case 2 - DeFi lending protocol: The protocol allowed borrowers from Bolivia to pledge crypto as collateral. Because the protocol’s AML module was not updated after Bolivia’s June2025 greylist entry, the protocol missed a required SAR. A US‑based regulator cited the protocol for “willful neglect,” resulting in a $3million civil penalty and a temporary ban on US resident participation.

Both examples share a common thread: outdated compliance tooling and an assumption that greylist status is “low risk.” In reality, the FATF treats the greylist as a signal that the jurisdiction’s internal controls are still weak.

Future Outlook: FATF Guidance and the Evolving Crypto Landscape

Experts predict two major shifts that will affect how VASPs handle greylist countries.

1. Expanded Travel Rule scope: The FATF is drafting a version that requires VASPs to exchange not only sender/receiver names but also the originating IP address and the jurisdiction‑level risk rating. This will force platforms to embed the FATF greylist flag directly into the transaction payload.
2. CBDC influence: Countries developing Central Bank Digital Currencies (CBDCs) will be evaluated under the same AML/CTF framework. If a CBDC‑enabled economy stays on the greylist, its digital currency could be treated like a high‑risk crypto asset, prompting stricter cross‑border reporting.

Staying ahead means treating the FATF list as a live data feed, not a static checklist. Automation, AI‑driven transaction analytics, and regular policy reviews are the only ways to keep compliance costs manageable while still serving high‑growth markets.