Grey List Removal Does Not Mean the Risk Went Away

The UAE was removed from the FATF grey list in February 2024. The European Commission followed in 2025. Many compliance teams read that as permission to relax their GCC third-party screening programs. That is precisely the wrong conclusion.

Grey list removal reflects legislative progress. It measures whether a country has passed the right laws. It does not measure whether financial crime risk has decreased. In the first half of 2025 alone, the UAE Central Bank issued penalties totaling over AED 339 million for AML failures, including a single AED 200 million fine against one exchange house and the permanent prohibition of its branch manager from any UAE-licensed institution. Enforcement is accelerating because regulators must now demonstrate effectiveness ahead of the UAE’s next FATF mutual evaluation in 2026.

The deeper issue is structural. US Treasury and State Department enforcement actions in 2025 and 2026 have repeatedly identified UAE-based front companies, exchange houses, and trading entities as nodes in Iranian and Russian sanctions evasion networks. The pattern is consistent: fictitious invoices, layered payment routing, transshipment documentation listing the UAE as origin rather than Iran, and nominee ownership structures obscuring the actual beneficial owner. Name-based screening does not catch this. It identifies known bad actors after designation, not the front company flagged last month or the trading company whose beneficial owner controls a sanctioned enterprise. That requires analysis of the underlying transaction structure.

Financial crime risk across the GCC has also converged in ways most US programs have not absorbed. Anti-corruption, AML, sanctions, and beneficial ownership were once separate workstreams. In the GCC today, they are not. A procurement concern involving a UAE or Saudi Arabia-based agent can raise beneficial ownership questions, sanctions screening exposure, and asset tracing implications simultaneously within days. What begins as third-party due diligence becomes a multi-regime investigation. Single-lens programs are operating with a structural blind spot.

I spent nearly a decade leading financial crime investigations across the UAE, Saudi Arabia, Qatar, and Bahrain. The cases were some of the most significant in the region’s recent history, spanning sovereign wealth funds, major corporate fraud, and international sanctions evasion across multiple continents. GCC financial crime risk rarely looks the way a compliance checklist expects. It hides in ownership structures, payment routing, and documentation that appears ordinary on its face.

If your program for UAE or GCC-connected vendors was calibrated to grey list status as the primary trigger, it may be time to recalibrate.