The FIC Just Named 22 Countries. Is Your Client List Clean?

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Two FIC advisories were issued on 22 June 2026.

• FATF public statement on high-risk jurisdictions that are subject to a call for action – June 2026, and

• FATF public statement on jurisdictions under increased monitoring – June 2026

They contain a full jurisdiction watchlist update and specific due diligence instructions for accountable institutions. Here is what changed and what you need to do.

Jurisdictions under increased monitoring

The FATF added Bosnia and Herzegovina and Iraq to its increased-monitoring list. Algeria and Namibia were removed after addressing their strategic deficiencies.

The full list now covers 22 countries: Angola, Bolivia, Bosnia and Herzegovina, Bulgaria, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Haiti, Iraq, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), and Yemen.

The FIC's instruction is direct: if any of your clients have business links, banking relationships, or transaction flows connected to these countries, your client risk assessment must reflect that. Update your RMCP accordingly.

The three high-risk jurisdictions: Democratic People’s Republic of Korea (DPRK), Iran, Myanmar

These three remain on the FATF's call-for-action list. Unlike the monitored list, this category requires countermeasures.

• DPRK

  • Apply enhanced due diligence to all transactions and business relationships involving DPRK entities or their intermediaries, which may be located in other jurisdictions. Do not rely on third parties to supply due diligence information. Targeted financial sanctions under sections 26A to 26C of the FIC Act are absolute. Refer to PCC 44A for guidance. Terminate any correspondent relationships with DPRK banks where required by UN Security Council resolutions.

• Iran

  • Apply enhanced due diligence to any business relationships or transactions involving persons or entities in Iran, especially where terrorist financing risk is elevated. Do not rely on third parties in Iran for customer due diligence. Limit new business relationships to cases where you are confident you can manage the risk. Transactions are not prohibited, but your due diligence must match the risk.

• Myanmar

  • Apply enhanced due diligence to any clients with links to Myanmar. The FIC notes that fraud and cyber scam operations in Myanmar present significant illicit finance risks. When applying enhanced due diligence, do not disrupt legitimate humanitarian assistance, non-profit activity, or remittances, particularly in relation to current earthquake relief efforts.

For all three, strengthen your suspicious transaction reporting under section 29 of the FIC Act.

What to do this week

Update your jurisdiction risk lists in your RMCP. Check your client base for exposure to any of the 22 monitored countries or the three high-risk jurisdictions. Document your assessments, source-of-funds checks, and senior management sign-offs. A poorly calibrated risk model is one of the most common compliance gaps the FIC finds in small practices.