What Is the FATF? How It Affects Fintech Compliance in the U.S.

Anzar Dewani

3 days ago

The Financial Action Task Force sets the global standards for AML and counter-terrorism financing. Here is what FATF is, what its grey and black lists mean, and how its recommendations shape U.S. fintech compliance.

If you have encountered references to FATF grey lists, FATF black lists, or FATF Recommendations in compliance documentation, you may have wondered exactly what the FATF is and why it matters for your fintech.

The Financial Action Task Force is the most influential international body shaping AML compliance standards globally — including in the United States. Its Recommendations form the foundation of AML frameworks in more than 200 countries, and its country assessments directly affect the risk decisions fintechs must make every day.

What Is the FATF?

The Financial Action Task Force is an intergovernmental organization established in 1989 by the G7 summit, headquartered in Paris, with 37 member countries plus two regional organizations including the European Commission.

The FATF's mandate is to set international standards for combating money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction. It develops and promotes policies to protect the integrity of the global financial system from these threats.

The FATF does not have enforcement authority over individual financial institutions. It works through its member countries — influencing national legislation, regulatory frameworks, and supervision standards that then apply to financial institutions within those jurisdictions.

The FATF Recommendations

The FATF issues 40 recommendations covering the full scope of an effective AML and counter-terrorism financing framework. Member countries — including the United States — implement them through national law and regulation.

Recommendation 10 — Customer Due Diligence

Requires financial institutions to implement CDD measures including identifying and verifying customer identity, identifying beneficial owners of legal entities, understanding the purpose of the business relationship, and conducting ongoing monitoring. This is the foundation of KYC and CDD requirements implemented in the U.S. through FinCEN's CDD Rule.

Recommendation 15 — New Technologies

Requires countries and financial institutions to identify and assess money laundering risks that may arise from new products, services, and delivery mechanisms — specifically including virtual assets and virtual asset service providers. This underpins regulatory frameworks for crypto and fintech compliance globally.

Recommendation 16 — Wire Transfers and the Travel Rule

Requires financial institutions to obtain and pass along originator and beneficiary information with wire transfers — the basis of the BSA Travel Rule in the U.S. and equivalent rules in other jurisdictions.

Recommendation 20 — Reporting of Suspicious Transactions

Requires financial institutions to report suspicious transactions to the financial intelligence unit — in the U.S., this is FinCEN. This is the global foundation of SAR filing requirements.

The FATF Grey List and Black List

The FATF Grey List — Jurisdictions Under Increased Monitoring

The FATF grey list includes countries identified as having strategic deficiencies in their AML frameworks but that have committed to addressing those deficiencies through FATF action plans.

Being on the grey list signals elevated financial crime risk. Customers from or transactions involving grey-listed jurisdictions typically require Enhanced Due Diligence. Ignoring grey list status in customer risk assessment is a compliance gap that regulators and sponsor banks notice.

The FATF Black List — High-Risk Jurisdictions Subject to a Call for Action

The FATF black list includes countries with severe and ongoing AML deficiencies that pose significant risk to the international financial system. FATF calls on member countries to apply enhanced due diligence and, in the most serious cases, counter-measures to protect the financial system.

Currently Iran and North Korea are the primary black-listed jurisdictions. Transactions with parties in these countries are also generally prohibited under OFAC sanctions, so black list status and sanctions exposure overlap significantly.

Why FATF Matters for Your Fintech Compliance Program

Customer and Geographic Risk Assessment

Your AML risk assessment must account for FATF country assessments. Customers from or conducting business with grey-listed or black-listed jurisdictions carry elevated risk that must be reflected in your risk ratings and approach to due diligence.

Ongoing List Monitoring

The FATF updates its grey and black lists regularly — typically in February, June, and October each year. Your compliance program must have a process for monitoring these updates and reassessing affected customer relationships when a country's list status changes.

Regulatory Expectations

U.S. regulators and sponsor banks expect fintechs to incorporate FATF country risk assessments into their AML risk frameworks. A risk assessment that does not reference FATF grey and black list status when evaluating geographic risk is incomplete.

Frequently Asked Questions

Is the FATF the same as OFAC?

No. The FATF and OFAC are entirely separate bodies with different roles. The FATF is an international standard-setting body that assesses countries' AML frameworks. OFAC is a U.S. government agency that administers sanctions programs and maintains lists of sanctioned individuals, entities, and countries. FATF list status and OFAC sanctions status are different designations, though they often overlap for the highest-risk jurisdictions.

Does a fintech need to monitor FATF list updates?

Yes. Your AML compliance program should include a process for monitoring FATF list updates published approximately three times per year and assessing the impact on your customer portfolio when list status changes.

How does the FATF affect crypto compliance?

The FATF has been highly active in setting international standards for virtual asset service providers, including the Travel Rule extension to crypto transactions. Fintech and crypto companies with international operations need to monitor FATF guidance on virtual assets as it continues to evolve.

How ComplyOne Helps

ComplyOne helps fintechs incorporate FATF country risk assessments into their AML risk frameworks, monitor list updates, and build compliance programs that meet both U.S. regulatory requirements and international standards — through advisory services, compliance technology, or both.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
