Skip to main content
Advisory Note20 min read

UAE Businesses: Navigating FATF Grey List Additions for Kuwait, Papua New Guinea

FATF added Kuwait and Papua New Guinea to its grey list in Feb 2026. UAE businesses must update AML/CTF risk assessments, implement enhanced due diligence, and bolster transaction monitoring.

FATF grey listKuwait AML CTFPapua New Guinea AML CTFUAE business complianceenhanced due diligencerisk assessmenttransaction monitoringAML regulations UAECTF compliancefinancial crime prevention
Share

Introduction

The Financial Action Task Force (FATF) officially added Kuwait and Papua New Guinea to its list of jurisdictions under increased monitoring, commonly known as the 'grey list,' following its February 2026 Plenary. This pivotal development necessitates an immediate and thorough review of Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) compliance frameworks by all UAE businesses conducting transactions or maintaining relationships with entities in these nations. Adherence to these evolving global standards is crucial for mitigating financial crime risks, protecting business integrity, and avoiding severe penalties.

This article provides a comprehensive overview of the FATF's latest pronouncements, detailing the implications for UAE-based financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs). We will outline the actionable steps required to update risk assessments, implement enhanced due diligence measures, and bolster transaction monitoring systems, ensuring full compliance with national and international AML/CTF obligations. Readers will gain clear insights into the regulatory landscape, the risks of non-compliance, and best practices for safeguarding their operations amid these updated global financial integrity standards.

What is the FATF Grey List and Why Does it Matter for UAE Businesses?

The Financial Action Task Force (FATF) is an independent intergovernmental body established to develop and promote policies to combat money laundering, terrorist financing, and proliferation financing. Its influence is global, with its standards forming the bedrock of national AML/CTF regimes worldwide. The FATF maintains a public list of "Jurisdictions under Increased Monitoring," often referred to as the 'grey list,' which identifies countries with strategic deficiencies in their AML/CTF frameworks that have committed to resolving these shortcomings within agreed timelines.

Inclusion on the grey list is a significant indicator to the global financial community. It signals that while a jurisdiction is actively working to improve its AML/CTF systems, there remain weaknesses that warrant heightened vigilance. Unlike the 'blacklist' (High-Risk Jurisdictions Subject to a Call for Action), the grey list does not typically call for countermeasures but rather for increased scrutiny and the application of Enhanced Due Diligence (EDD) measures. For the UAE, a nation deeply committed to upholding international financial integrity and implementing robust AML/CTF measures as outlined in Federal Law No. 20 of 2018 and its Executive Regulations, the FATF's designations are critical. Any country added to the grey list immediately impacts the risk assessment for UAE companies engaged in trade, investment, or any financial dealings with them. This is not merely about regulatory adherence; it is about protecting businesses from financial crime, reputational damage, and potential operational disruptions. The UAE, having successfully exited the grey list itself in February 2024, understands firsthand the importance of these designations and the need for its businesses to reflect global shifts in their compliance efforts.

Key Implication for UAE Businesses

The designation of a country to the FATF grey list mandates that UAE financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs) treat all transactions and relationships involving that country as inherently higher risk. This requires a fundamental shift in risk assessment and the automatic application of Enhanced Due Diligence (EDD) measures, irrespective of the initial perceived customer risk.

What Did the FATF Announce Regarding Kuwait and Papua New Guinea?

During its February 2026 Plenary session, the FATF reviewed the progress of various jurisdictions in addressing their identified AML/CTF deficiencies. The Plenary concluded that both Kuwait and Papua New Guinea demonstrated strategic shortcomings in their frameworks for combating money laundering and terrorist financing that warranted their placement under increased monitoring.

For Kuwait, the FATF noted persistent challenges in areas such as identifying and confiscating proceeds of crime, implementing targeted financial sanctions related to terrorism and proliferation, and strengthening supervision of DNFBPs. Papua New Guinea was identified for deficiencies pertaining to its national risk assessment, supervisory effectiveness, transparency of beneficial ownership, and the investigation and prosecution of money laundering. As a result of these strategic deficiencies, both nations must now work with the FATF to develop and implement comprehensive action plans to rectify their identified weaknesses. This move immediately triggers a global mandate for increased vigilance and the application of Enhanced Due Diligence requirements by financial institutions and DNFBPs worldwide when interacting with entities or individuals from these countries.

Which UAE Businesses Are Affected by These Updates?

All UAE businesses that have existing or prospective dealings with Kuwait, Papua New Guinea, or any other jurisdiction currently on the FATF grey list, must enhance their compliance measures. This broad scope reflects the UAE's commitment to implementing international AML/CTF standards across its economy.

1. Financial Institutions

This category includes entities directly supervised by the Central Bank of the UAE (CBUAE) and financial free zones authorities such as the Dubai Financial Services Authority (DFSA) in the Dubai International Financial Centre (DIFC) and the Financial Services Regulatory Authority (FSRA) in the Abu Dhabi Global Market (ADGM). Affected institutions include:

  • Banks and finance companies: Engaged in commercial banking, investment banking, and lending activities.
  • Exchange houses and money service businesses: Facilitating remittances and currency exchange.
  • Payment service providers: Handling electronic transactions and digital payments.
  • Insurance companies and brokers: Offering life insurance or other investment-related insurance products.
  • Securities and commodities brokers and dealers: Operating under the Securities and Commodities Authority (SCA).
  • Fund management companies and investment firms: Managing assets and providing investment advice.

These entities are typically at the forefront of implementing EDD measures due to their direct exposure to financial flows.

2. Designated Non-Financial Businesses and Professions (DNFBPs)

DNFBPs, supervised by the Ministry of Economy (MoEc) and other relevant authorities, are also crucial in the AML/CTF ecosystem. Their obligations extend when they conduct specific activities for or on behalf of clients. This includes:

  • Real estate agents and brokers: When involved in the buying, selling, or intermediating property transactions. This includes both mainland and free zone real estate activities.
  • Dealers in precious metals and precious stones (DPMS): When engaged in any cash transaction exceeding a threshold determined by the regulatory authority, or when conducting transactions for high-value items.
  • Lawyers, notaries, and other independent legal professionals: When preparing for or carrying out transactions for clients concerning buying/selling property, managing client money, opening/managing bank accounts, creating/operating companies, or buying/selling business entities.
  • Accountants and auditors: When preparing for or carrying out transactions for clients in relation to the same activities as legal professionals.
  • Company and trust service providers (CTSPs): When acting as formation agents, directors, secretaries, or providing registered office facilities.
  • Virtual Asset Service Providers (VASPs): Entities involved in the exchange, transfer, custody, or issuance of virtual assets are also subject to stringent AML/CTF rules, which extend to interactions with grey-listed jurisdictions.

Broader Regulatory Context

The UAE's commitment to combating financial crime is enshrined in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations, complemented by Cabinet Decision No. 10 of 2019 concerning its Executive Regulations. All regulated entities must align their internal policies and procedures with these national laws, which are directly informed by FATF standards. Learn more about the proactive compliance requirements for UAE businesses amidst global scrutiny in our insight on FATF & AML/CFT: Proactive Compliance for UAE Businesses Amid Global Scrutiny.

Immediate Action Plan: What Steps Should UAE Businesses Take?

Proactive and decisive measures are essential to navigate these updated global standards effectively. UAE businesses must immediately implement the following actionable steps to ensure robust compliance and mitigate heightened risks.

1. Re-evaluate and Update Risk Assessments

A foundational element of AML/CTF compliance is a comprehensive and dynamic risk assessment framework. Following the FATF's additions, this framework must be immediately reviewed.

  • Identify Exposure: Pinpoint all current and potential business relationships, transactions, and investments involving Kuwait, Papua New Guinea, and any other grey-listed countries. This includes direct relationships, as well as indirect exposures through supply chains, intermediaries, or ultimate beneficial owners.
  • Adjust Risk Matrices: Update your internal risk assessment methodologies and matrices to reflect the heightened country-specific risk associated with these jurisdictions. This involves assigning a higher inherent risk score to customers, transactions, and products/services linked to these nations.
  • Document Findings: Maintain clear, auditable records of your updated risk assessments, including the rationale behind any changes, the data sources used, and the revised risk ratings assigned. This documentation is vital for demonstrating compliance to regulatory bodies.
  • Periodic Review: Establish a schedule for more frequent reviews of risk assessments, especially concerning high-risk jurisdictions or customers, to ensure ongoing relevance and effectiveness.

2. Implement Enhanced Due Diligence (EDD) Protocols

For any entities or individuals from grey-listed nations, standard Know Your Customer (KYC) procedures are insufficient. EDD measures must be applied rigorously.

  • Deepen Customer Scrutiny: Conduct more in-depth checks on beneficial ownership, sources of wealth, sources of funds, and the ultimate purpose of the business relationship or transaction. This may involve seeking additional documents, conducting independent verification, or corroborating information from multiple reliable sources.
  • Senior Management Approval: Obtain documented approval from senior management for establishing or continuing business relationships with high-risk customers or those linked to grey-listed jurisdictions.
  • Rationale for Transactions: Insist on clear and verifiable economic or legitimate reasons for complex, unusually large, or unusual patterns of transactions, especially those involving grey-listed countries.
  • Adverse Media Screening: Implement robust and ongoing adverse media screening specifically tailored to detect any negative news, criminal allegations, or sanction risks associated with entities or individuals from these jurisdictions.
  • Independent Verification: Where possible, seek independent verification of information provided by customers, such as through public registries, official documents, or reputable third-party data providers.

Best Practice for EDD

Develop specific EDD checklists and templates for dealing with grey-listed jurisdictions. These tools ensure consistency, thoroughness, and proper documentation across all relevant client engagements. Provide clear guidelines on what constitutes sufficient proof for source of funds/wealth and beneficial ownership.

3. Strengthen Transaction Monitoring Systems

The enhanced risk profile of grey-listed jurisdictions necessitates increased vigilance over financial flows.

  • Increased Scrutiny: Implement heightened scrutiny of all transactions to and from grey-listed jurisdictions, regardless of their monetary value. Focus on detecting unusual patterns, amounts, or frequencies that deviate from expected business activities or customer profiles.
  • Automated Alerts: Leverage technology to configure or adjust automated transaction monitoring systems to generate specific alerts for transactions involving grey-listed countries. Define thresholds and parameters that trigger review by compliance officers.
  • Behavioral Analysis: Train monitoring teams to identify subtle shifts in transaction behavior that could indicate attempts to circumvent controls, such as structuring transactions, using multiple accounts, or involving complex layering.
  • Prompt Reporting: Ensure that any detected suspicious transactions are thoroughly investigated by a qualified compliance officer. If deemed suspicious, a Suspicious Transaction Report (STR) must be filed promptly with the UAE's Financial Intelligence Unit (FIU) in accordance with CBUAE guidelines. Timeliness and accuracy are paramount in STR submissions.

Navigating Complexities: Operational Adjustments and Strategic Oversight

The FATF's additions of Kuwait and Papua New Guinea require not just procedural updates but also a re-evaluation of operational strategies and internal governance structures.

1. Enhanced Staff Training and Awareness

An effective compliance framework relies heavily on the competence and vigilance of personnel across all levels of the organization.

  • Targeted Training Sessions: Conduct immediate and mandatory training sessions for compliance officers, front-line staff, relationship managers, and senior management. These sessions should cover the specific implications of the FATF update, the heightened risks associated with grey-listed jurisdictions, and the practical application of new EDD and monitoring procedures.
  • Recognize Red Flags: Equip your teams with updated knowledge to identify red flags specifically associated with money laundering and terrorist financing risks originating from grey-listed countries. This includes unusual payment methods, circuitous routes for funds, shell companies, and adverse media mentions.
  • Compliance Culture Reinforcement: Emphasize the critical role each employee plays in maintaining the company's compliance integrity. Foster a culture where reporting concerns is encouraged and supported without fear of reprisal.
  • Regular Refreshers: Implement a schedule for regular refresher training, especially as FATF guidance or UAE national regulations evolve.

2. Meticulous Record-Keeping and Data Management

Comprehensive and accessible record-keeping is a cornerstone of demonstrable compliance and a key requirement under UAE AML/CTF laws.

  • Detailed Documentation: Keep comprehensive, accurate, and easily retrievable records of all due diligence performed, risk assessments conducted, transaction monitoring activities, internal investigations, and decisions made regarding relationships with grey-listed jurisdictions. This includes all correspondence, documents obtained, and analytical reports.
  • Centralized Repository: Utilize a centralized, secure data management system for all AML/CTF-related records. This ensures data integrity, facilitates audits, and allows for efficient information retrieval when required by regulators.
  • Retention Periods: Adhere strictly to the prescribed data retention periods under UAE law, which typically mandate keeping records for a minimum of five years from the termination of a business relationship or the date of a transaction.
  • Audit Trail: Ensure that all actions taken within the compliance process, including approvals, reviews, and modifications, are logged with a clear audit trail.

Common Pitfall: Inconsistent Application

A frequent error is the inconsistent application of enhanced due diligence measures across different departments or client-facing teams. This creates vulnerabilities and demonstrates a lack of robust internal controls. Ensure standardized policies, regular audits, and clear escalation protocols for all high-risk engagements.

Need expert guidance on navigating FATF updates and UAE compliance?

AURNE provides specialized advisory services to help UAE businesses review, update, and implement robust AML/CTF frameworks, ensuring full compliance with national and international standards. Safeguard your operations and reputation with our tailored solutions.

What Are the Risks of Non-Compliance for UAE Businesses?

Failing to adapt to these new compliance requirements can expose UAE businesses to a myriad of significant risks, extending beyond immediate financial penalties to long-term reputational damage and operational disruptions.

1. Severe Financial Penalties

UAE regulatory authorities, including the CBUAE, MoEc, SCA, DFSA, and FSRA, have clear mandates and powers to impose substantial fines for breaches of AML/CTF laws and regulations.

  • Monetary Fines: Penalties can range from AED 50,000 up to AED 5 million for individuals, and up to AED 100 million for institutions, depending on the severity and recurrence of the violation. These fines are designed to be deterrents and can significantly impact a business's profitability.
  • Loss of License: In extreme cases of repeated or severe non-compliance, regulatory bodies possess the authority to suspend or revoke operating licenses, effectively forcing a business to cease operations.
  • Asset Seizure and Freezing: Funds or assets involved in illicit activities, or belonging to non-compliant entities, can be frozen or seized by authorities.

2. Significant Reputational Damage

Reputation is a cornerstone of trust in the financial and business world. Non-compliance can severely erode this trust.

  • Loss of Public Trust: Being associated with financial crime or regulatory breaches can damage a company's standing among clients, investors, and the wider public.
  • Adverse Media Coverage: Regulatory actions or investigations often attract negative media attention, which can be difficult to counteract and can have lasting negative effects on brand image.
  • Investor Confidence Erosion: Potential investors may shy away from businesses with poor compliance records, impacting capital raising and expansion plans.

3. Banking Relationship Strain and De-risking

Financial institutions globally are increasingly cautious about exposure to AML/CTF risks, leading to a phenomenon known as 'de-risking.'

  • Account Closures/Restrictions: Banks may limit or terminate services to businesses perceived as high-risk or those that fail to demonstrate robust AML/CTF controls. This can cripple international operations.
  • Increased Scrutiny from Correspondent Banks: UAE banks dealing with international correspondent banks will face increased scrutiny themselves if their clients are seen as lax in compliance, potentially leading to higher transaction costs or service limitations for the UAE business community.
  • Operational Challenges: Without stable banking relationships, fundamental business activities like payroll, international payments, and trade finance become challenging, if not impossible.

4. Operational Disruptions

Non-compliance can lead to tangible disruptions in day-to-day business operations.

  • Transaction Delays or Rejections: International transactions involving grey-listed jurisdictions may face significant delays or outright rejections by correspondent banks or payment processors, impacting supply chains and financial flows.
  • Increased Compliance Costs: Reacting to a compliance failure often costs more than proactive prevention, involving external consultants, fines, and remedial system upgrades.
  • Resource Diversion: Internal resources will be diverted from core business activities to address regulatory investigations, implement corrective actions, and respond to legal challenges.

5. Legal and Criminal Consequences

Beyond corporate penalties, individuals within the organization can face severe legal repercussions.

  • Criminal Charges: Individuals responsible for AML/CTF failures, particularly those involving wilful negligence or complicity, may face criminal charges, imprisonment, and substantial personal fines under UAE law.
  • Extradition Risk: Involvement in international financial crime can lead to extradition requests and prosecution in other jurisdictions.

Note: The UAE Federal Law No. 20 of 2018 and its Executive Regulations provide a clear framework for these penalties. Staying updated and compliant is not merely good practice but a legal imperative, safeguarding both the business entity and its key personnel. Further insights into global AML standards and their impact on UAE businesses can be found in our article on Global AML Standards: What FATF's Latest Monitoring Means for UAE Businesses in Offshore Finance.

Practical Guidance: Strengthening Your AML/CTF Framework

Building a robust and adaptable AML/CTF framework is paramount for UAE businesses operating in an increasingly complex global regulatory environment. Proactive measures minimize risks and foster a culture of compliance.

1. Strategic Action Plan and Timeline

Developing a clear action plan with defined responsibilities and timelines is crucial for effective implementation of the updated FATF requirements.

  1. Immediate Assessment (Within 2 weeks): Conduct an urgent internal review of all current business relationships, transactions, and exposure to Kuwait and Papua New Guinea. Identify existing contracts, payment flows, and customer types.
  2. Policy and Procedure Update (Within 4 weeks): Revise internal AML/CTF policies, procedures, and controls to explicitly incorporate EDD requirements for grey-listed jurisdictions. This includes updating customer acceptance policies, risk scoring models, and transaction monitoring rules.
  3. System and Tool Configuration (Within 6 weeks): Update any automated compliance systems, such as KYC/EDD platforms and transaction monitoring software, to reflect the new risk parameters and screening requirements. Ensure sanctions screening tools are up-to-date and run against all relevant lists.
  4. Staff Training and Communication (Within 8 weeks): Roll out comprehensive training programs for all relevant personnel, detailing the changes, red flags, and new procedural requirements. Ensure clear communication channels for reporting suspicious activities.
  5. Ongoing Monitoring and Review (Continuous): Establish a heightened schedule for monitoring relationships and transactions linked to grey-listed jurisdictions. Implement a quarterly review process for overall AML/CTF framework effectiveness and an annual independent audit.

2. Comprehensive Compliance Checklist

This checklist provides a structured approach to ensuring all necessary adjustments are made.

  • Update AML/CTF Policies: Ensure explicit mention of grey-listed jurisdictions and the mandatory application of EDD.
  • Review Risk Assessment Framework: Adjust country and customer risk scoring for Kuwait and Papua New Guinea.
  • Enhance Due Diligence (EDD) Procedures: Define specific steps for deeper beneficial ownership verification, source of wealth/funds inquiries, and senior management approvals.
  • Strengthen Transaction Monitoring Rules: Configure systems to flag unusual transactions involving grey-listed countries or entities.
  • Conduct Refresher Training: Educate all relevant staff on the new risks, red flags, and reporting obligations.
  • Verify Sanctions Screening Effectiveness: Ensure all customers and transactions are screened against current international sanctions lists, including those from the UN, OFAC, and local UAE lists.
  • Improve Record-Keeping: Document all EDD actions, risk assessment updates, and monitoring results meticulously for audit purposes.
  • Review Internal Reporting Mechanisms: Confirm that internal escalation and Suspicious Transaction Report (STR) filing processes are clear and efficient for the UAE Financial Intelligence Unit (FIU).
  • Appoint a Dedicated Compliance Officer: Ensure a qualified and empowered compliance officer is in place, especially for DNFBPs.
  • Independent Audit: Schedule regular independent audits of your AML/CTF framework to identify gaps and ensure continuous improvement.

3. Common Pitfalls to Avoid

Even well-intentioned businesses can fall prey to common mistakes that undermine their compliance efforts.

  • Generic Compliance Approach: Treating grey-listed jurisdictions with a 'one-size-fits-all' approach instead of applying specific, heightened measures. Each grey-listed country may have distinct deficiencies requiring tailored scrutiny.
  • Over-Reliance on Technology: Assuming that automated systems alone guarantee compliance without human oversight, regular configuration updates, and expert interpretation of alerts.
  • Insufficient Documentation: Failing to meticulously record all steps taken during EDD, risk assessments, and monitoring. Without a clear audit trail, demonstrating compliance becomes challenging.
  • Inadequate Staff Training: Assuming staff are aware of changes without formal, targeted training. A lack of understanding at the front line is a major vulnerability.
  • Neglecting Indirect Exposure: Focusing only on direct clients from grey-listed countries and overlooking indirect exposure through complex ownership structures, intermediaries, or multi-jurisdictional transactions.
  • Delayed Action: Procrastinating on updates, assuming a 'wait and see' approach. Regulatory expectations require immediate action upon FATF announcements.
  • Underestimating Reputational Risk: Prioritizing cost savings over robust compliance, leading to exposure to reputational damage that can be far more costly in the long run.

Key Takeaway

The FATF's additions of Kuwait and Papua New Guinea to the grey list mandate an immediate and comprehensive recalibration of AML/CTF risk assessments and due diligence practices for all UAE businesses. Proactive, precise, and well-documented implementation of enhanced measures is not just a regulatory obligation but a strategic imperative to safeguard operations, reputation, and financial integrity in the global economy.

Conclusion

The FATF's decision to add Kuwait and Papua New Guinea to its grey list serves as a crucial reminder of the dynamic nature of global AML/CTF standards and the ongoing requirement for UAE businesses to remain highly vigilant. This development necessitates an immediate and comprehensive review of existing compliance frameworks, particularly concerning risk assessments, enhanced due diligence protocols, and transaction monitoring systems. Failure to adapt proactively carries significant financial, reputational, and legal risks.

By implementing the actionable steps outlined in this advisory, including updating internal policies, providing targeted staff training, and maintaining meticulous records, UAE businesses can effectively navigate these new challenges. A robust and adaptable AML/CTF framework not only ensures adherence to national and international obligations but also reinforces the UAE's position as a responsible and trusted global financial hub.

In an environment of escalating regulatory scrutiny, professional guidance is invaluable. AURNE stands ready to assist UAE businesses in reviewing their current compliance frameworks, updating risk assessments, and implementing robust due diligence procedures. Our expertise ensures that your operations remain resilient and compliant, protecting your business from the evolving threats of financial crime and demonstrating your commitment to global financial integrity.

Source & References

This article is for general information only and does not constitute professional, legal, tax, or financial advice. Speak to AURNE for guidance specific to your situation.

Need help with your compliance strategy?

Our licensed advisors provide tailored guidance for your specific structure and jurisdiction.

A
AURNÉ Advisory TeamCorporate Services Provider· Licensed CSP in Dubai

Our team combines deep regulatory knowledge with practical experience across Dubai free zones, mainland company formation, and international corporate structuring.

Share

Continue Reading

Advisory Note

FATF's June 2026 Plenary: Shaping UAE AML/CFT Compliance

The Financial Action Task Force's June 2026 Plenary will redefine global AML/CFT standards. Learn how these updates, including country grey list changes, impact UAE business compliance and risk management.

13 min readRead
Advisory Note

FATF's Evolving Focus: Sustained AML/CFT Effectiveness for UAE Businesses

Explore why the FATF's shift to sustained AML/CFT effectiveness is critical for UAE businesses. Understand regulatory changes, actionable strategies, and how to protect your enterprise from financial crime risks.

21 min readRead
Advisory Note

Navigating Global AML Standards: FATF Monitoring and Its Impact on UAE Businesses in Offshore Finance

Understand FATF's robust global AML/CFT monitoring process, its implications for UAE businesses engaging with offshore financial centers, and essential compliance strategies.

17 min readRead

Frequently Asked Questions

Need Expert Advice on This Topic?

Our advisory team can help you navigate the complexities covered in this article. Get tailored guidance for your specific situation.

Speak With an Advisor

Practical, jurisdiction-specific guidance from licensed professionals