Checklist to Identify AML/CFT Programme Alignment with FATF Grey List Updates

With the Financial Action Task Force (FATF) updating its “Grey List” or “Jurisdictions under increased monitoring” list thrice a year, it becomes vital for Regulated Entities in UAE to be prepared with the necessary actionable steps, processes, and workflows that can be triggered immediately upon revision, addition, and deletion to the FATF Grey List.

Each time FATF issues a Grey List update, Regulated Entities are required to recalibrate their:

Enterprise-Wide Risk Assessment
Customer Risk Assessment Models
Enhanced Due Diligence triggers and procedures
Recalibration of AML/CFT Software and tools.

Our Checklist + RACI Matrix helps Regulated Entities to be prepared and armed with necessary measures as and when FATF issues new Grey List, with additions and deletions of countries, directly impacting the geographic risk component, that need to be modified and incorporated into the Regulated Entity’s AML/CFT Policies, Procedures, and Controls Documentation.

Do not wait for the regulator’s next inspection to find a gap pertaining to FATF Grey List adherence in your AML/CFT Framework. Demonstrate proactive AML/CFT compliance by downloading and arming yourself with the Checklist to Identify AML/CFT Programme Alignment with FATF Grey List Updates.

Why do Financial Institutions and DNFBPs need a dedicated FATF grey list alignment checklist?

The FATF conducts plenary meetings and updates its list of “jurisdictions under increased monitoring”, more popularly known as the grey list, several times a year. Each FATF plenary decides if a country needs to be added or removed from the grey list.

The AML programme of UAE DNFBPs and FIs must reflect the changes in jurisdictional risk profile to keep themselves compliant with AML/CFT laws, and CBUAE, MOECT, MoJ, VARA, FSRA, DFSA, and SCA rules and guidelines.

The FATF grey list compliance checklist provides DNFBPs and Fis with a clear and actionable roadmap to stay compliant and make necessary changes in the EWRA, CRA, EDD triggers, software configuration, jurisdictional risk, and AML/CFT procedures.

Who is this FATF grey list readiness checklist designed for in the UAE?

The FATF grey list readiness checklist is designed for financial institutions, VASPs, and DNFBPs in UAE. These reporting entities are supervised by CBUAE, VARA, MOECT, MoJ, SCA, DFSA, FSRA, and other authorities in UAE. The FATF grey list alignment checklist is relevant for:

Banks, Financial Institutions
Exchange Houses
Insurance Companies
Payment Service Providers
Dealers in Precious Metals and Stones
Trust and Company Service Providers
Real Estate Agents and Brokers
Lawyers, Notaries, and Other Legal Professionals
Auditors and Accountants
Virtual Asset Service Providers

The RACI chart provided in the FATF grey list alignment checklist defines who needs to do what and in what capacity. The grey list readiness checklist is helpful to the frontline staff, compliance team, auditors, and management.

What does the FATF grey list alignment checklist actually cover?

This checklist covers four core compliance obligations that need to be revised as and when the FATF grey list gets revised.

Enterprise-Wide Risk Assessment (EWRA)
Customer Risk Assessment (CRA) parameters
Enhanced Due Diligence triggers and parameters
AML/CFT Software and tools such as Sanctions Screening, CDD, CRA, etc.

Further, the checklist also aids in confirming whether updates to these compliance obligations have been incorporated into the Regulated Entity’s AML/CFT Policies and Procedures Framework.

How should UAE firms use this checklist when FATF updates the grey list?

This checklist can be used by Regulated Entities whenever FATF updates the grey list to carry out compliance updates in three phases, namely: Phase 1: Impact Mapping

Identifying which newly added or deleted countries are included in the:

- Regulated Entity’s customer base, including UBOs
- Regulated Entity’s correspondent banks and payment partners
- Regulated Entity’s transaction corridors and transport routes.

Identifying which parts of AML/CFT procedures and controls are likely to be impacted using the checklist, for instance, CRA rules or parameters, ongoing monitoring scenarios, etc.

Phase 2: Checklist Walk Through and Gap Catagorisation

The compliance teams within Regulated Entities can go through the checklist and mark their current compliance and controls stance as:

Aligned: Where existing control measures are in alignment with the revised grey list

Partially Aligned: Where existing control measures are not completely aligned but require tweaks and adjustments for complete alignment with the latest grey list updates

Not Aligned: Where there are no control measures to mitigate risks posed by the latest additions to the grey list.

Phase 3: Update Completion Documentation and Sign-Off

Compliance teams must ensure that for every item marked as “aligned” in the checklist, the Regulated Entity has in place the following documentation, such as:

Revised AML/CFT Policies, Procedures, and Controls Framework

AML Software Configuration logs with dates

AML/CFT Training Records

The compliance team must also prepare summarised reports for Senior Management and the Board, confirming the completion and conclusion of aligning AML control measures with the latest grey list updates.

How does the RACI matrix work with this grey list checklist?

The RACI Matrix, forming part of this checklist, helps Regulated Entities define who is responsible, accountable, consulted and informed for which specific realignment and compliance mapping tasks. It helps in allocating roles and responsibilities across teams for better coordination and establishing seamless workflows that ensure task completion.

Typical RACI for Regulated Entities

The RACI in this checklist helps distribute FATF Update recalibration responsibilities such as tracking FATF updates, revising EWRA, CRA and risk registers, conducting reKYC and EDD, revising AML/CFT Policies and Procedures, etc, across the following roles:

Frontline Team
KYC Analyst
Screening Analyst
Transaction Monitoring Analyst
AML Compliance Officer/ MLRO
Senior Management.

How often should UAE firms run this grey list alignment checklist

Compliance teams of Regulated Entities must run this grey list alignment checklist every single time the FATF issues a fresh grey list update, typically this happens thrice a year. The checklist can be incorporated as a standard ML/FT risk mitigation measure rather than a one-time use checklist.

FAQ s about Checklist to Identify AML/CFT Programme Alignment with FATF Grey List Updates

This checklist is designed to assist AML Compliance teams in navigating the obligation to update their AML/CFT Compliance Framework as and when the FATF issues the latest “jurisdictions under increased monitoring” or more commonly referred to as “Grey List” with ease, as the checklist helps Regulated Entities demonstrate to regulatory authorities that:

They are equipped to track changes in the FATF grey list
They have a documented, repeatable process to update their EWRA, CRA, reKYC, EDD, and AML Software configurations as and when the grey list gets updated
They have clearly defined workflow procedures in place that helps allocate responsibilities across various, demonstrated through the RACI matrix that gets operational whenever FATF grey list is updated.