FATF Update on Risks for Accountable Institutions
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
The Financial Intelligence Centre (FIC) has issued three important notices following the February 2026 meeting of the Financial Action Task Force (FATF). These updates affect your risk exposure, your client onboarding, your reporting duties, and ultimately your regulatory liability. The most important aspects are summarised in the Outcomes of the October 2026 meeting of the FATF.
FATF Is Moving From “Policies” to “Proof”
At the February 2026 meeting, FATF adopted new mutual evaluation reports for Austria, Italy and Singapore. The key shift? It’s no longer enough for a country to have AML laws on paper. FATF now focuses heavily on whether systems actually work in practice. Countries must now show:
Real investigations
Real prosecutions
Real confiscations
Real disruption of illicit finance.
Weaknesses now trigger a three-year action roadmap with time-bound fixes.
What this means for you? South Africa is already under scrutiny. Your compliance programme (RMCP) must show effectiveness, not just documentation. If FIC inspects you, they will look at outcomes:
Are you identifying high-risk clients?
Are you filing suspicious transaction reports properly?
Are your controls working in practice?
Paper compliance is no longer protection.
Country Risk Lists Have Been Updated
FATF confirmed changes to monitored and high-risk jurisdictions. Kuwait and Papua New Guinea were added to the “increased monitoring” list. The following countries remain subject to a “call for action” (high-risk):
Democratic People’s Republic of Korea (DPRK)
Iran
Myanmar.
The FIC has issued two separate advisories explaining what this means for accountable institutions:
Advisory on jurisdictions under increased monitoring (19 February 2026), and
Advisory on high-risk jurisdictions subject to a call for action (19 February 2026).
In simple terms:
“Increased monitoring” = Higher risk. Apply stronger scrutiny.
“Call for action” = Very high risk. Enhanced due diligence and possible countermeasures required.
If you have clients with links to these countries, your risk rating must reflect that. Ignoring this is not defensible.
Cyber Fraud Is Now a Major Global Priority
FATF approved a paper on cyber-enabled fraud. Fraudsters are using digital tools to scale scams faster than regulators can react. The scale, speed and complexity of fraud is increasing. FATF has committed to focusing more attention on fraud over the next few years. For us, accountants, this means:
Greater scrutiny of suspicious payment patterns
More attention to digital platforms and cross-border flows
Higher expectations around fraud risk awareness.
If your clients fall victim to fraud, and you failed to identify red flags, questions will be asked.
Crypto and Offshore Virtual Asset Providers Under the Microscope
Two new reports were approved:
Risks of Offshore Virtual Asset Service Providers (oVASPs)
Risks relating to Stablecoins and Unhosted Wallets
The concern is simple. Criminals exploit regulatory gaps. If a crypto service provider operates offshore without proper supervision, it becomes a weak link. Stablecoins and peer-to-peer wallets also create monitoring challenges.
If you deal with:
Crypto clients
Offshore structures
Digital asset flows
High-volume cross-border transfers,
you must reassess your risk exposure. Crypto is not prohibited, but it is high scrutiny.
Russia Remains Suspended
FATF confirmed that Russia’s suspension continues. This reinforces the global political and compliance sensitivity around sanctioned or high-risk jurisdictions.
Practical Steps for Accountants Right Now
This update is not academic, it affects your day-to-day risk. You should:
Review your country risk matrix
Update your onboarding checklists
Reassess any crypto exposure
Ensure your suspicious transaction reporting is active and documented
Train staff on high-risk jurisdictions
Check that enhanced due diligence is properly applied where required.
If you cannot demonstrate that your AML programme works in practice, you are exposed.
