FATF Plenaries happen three times a year. Most operators only update their country risk matrices once. That gap is where regulators and PSPs find compliance failures.

The February 2026 Plenary added Kuwait and Papua New Guinea to the grey list. Twenty-two jurisdictions are now under FATF increased monitoring. The Cyprus Gaming Commission publicised the update to its licensees within three days, signalling that gaming regulators expect their licensees to react to FATF outcomes the same way banks and EMIs are expected to react.

This post walks through the practical iGaming compliance response. What changes, what stays the same, and what the regulator is going to look for in the next audit.

What changed in February 2026

The FATF Plenary held in Mexico City on 13 February 2026 made one set of changes to the grey list. No removals. Two additions:

Kuwait was added based on the 2024 Mutual Evaluation Report conducted by the Middle East and North Africa FATF (MENAFATF). The published deficiencies cover three areas. Beneficial ownership transparency is the headline: the national registry is significantly under-populated, and there are no effective sanctions for legal persons that file inaccurate or outdated information. Money laundering prosecutions exist but mostly for simple cases involving corruption or forgery; complex ML cases are rarely investigated or prosecuted. Terrorist financing investigations are limited and have frequently failed to result in convictions, revealing a gap between the legal framework and its practical application.

Papua New Guinea was added based on the 2024 Asia/Pacific Group on Money Laundering (APG) Mutual Evaluation Report. The deficiencies cited include broad challenges in technological capability, gaps in implementation of targeted financial sanctions, and limited institutional understanding of emerging financial crime risks. Poor AML enforcement and limited convictions despite high inherent risk featured prominently in the FATF reasoning.

No countries were removed from the list at this Plenary. The previous Plenary in October 2025 removed four (South Africa, Nigeria, Mozambique, and Burkina Faso) so the list movement over the past nine months is two added and four removed, leaving it at 22 jurisdictions in total.

Two countries on the list are flagged as near-exit. Algeria and Namibia have substantially completed their action plans, and on-site verification visits are pending. The June 2026 Plenary is the likely venue for confirming their removal. Compliance teams should pencil in the June Plenary date and prepare to update country risk matrices again at that point.

Why iGaming compliance teams should treat this as material

Three reasons.

First, the regulator-tier expectation is now set. The Cyprus Gaming Commission published the update directly to its licensees on 16 February 2026, three days after the Plenary. This is the gaming sector regulator treating FATF Plenary outcomes as material information requiring licensee awareness. Other gaming regulators have historically taken longer to respond, but the direction of travel is clear, gaming regulators expect licensees to react to FATF changes within the same timeframe banks and EMIs do.

Second, the FATF list affects PSP and banking access regardless of where your operator is licensed. A Curacao-licensed B2C operator with players from Kuwait now has a greater compliance burden than it did on 12 February. Your PSPs will be applying enhanced due diligence to transactions touching Kuwait. Your acquiring banks will be applying it to your account if your player base shows material Kuwaiti volume. The licence does not insulate you from the list change. The payment chain transmits the impact regardless.

Third, the audit trail matters. When a regulator or PSP audits you in 12 months, they will check whether you tracked the FATF Plenary outcomes, when you updated your controls, and how you documented the change. An undated update or a missing audit trail is itself a compliance finding. Document the change in real time. Date everything.

The 30-day response framework

What a compliance team should do in the four weeks following any FATF Plenary. This is the framework we run for every operator we work with. Adapt it to your needs as you choose.

Week 1 Risk classification update

Update your country risk matrix to reflect the new grey list. Move Kuwait and Papua New Guinea into your enhanced due diligence band. Review your existing classifications for the 20 other grey-list jurisdictions to confirm the rating is correct. If you classify by tier, both new entries take whatever tier you assign to grey-list countries.

Document the change with a dated entry in your compliance log. Include the FATF source URL, the effective date of the Plenary, and the date you applied the change internally.

Week 2 Existing customer review

Run a query against your existing player base. Identify any account holders with declared residence, declared nationality, payment instrument origin, IP origin, or device origin tied to Kuwait or Papua New Guinea. The query should pull players who have transacted in the last 12 months, not just active players. Dormant accounts can reactivate.

For each flagged player, run an enhanced due diligence review. Confirm source of funds, source of wealth where the deposit volume warrants it, and PEP status. Document the review and the decision (continue, restrict, exit) for each player.

The common mistake here is to apply EDD only to new onboardings going forward. The FATF expectation is that existing relationships are reassessed when the jurisdictional risk changes, not just new ones.

Week 3 Transaction monitoring recalibration

Update your transaction monitoring rules. The threshold at which a Kuwaiti or Papua New Guinean transaction triggers a review should drop. Specific scenarios to examine:

·       Cross-border deposits from either country exceeding your tier-2 threshold

·       Withdrawal patterns to either country

·       Player payment methods registered to either country

·       Patterns of activity that suggest layering through accounts touching either jurisdiction

The monitoring rules should produce more alerts after the change than before. If the volume of alerts has not increased materially, your rules are not properly calibrated.

Week 4 Policy and training update

Amend your AML policy to reference the current grey list. The amendment does not have to be substantial. A dated revision noting the February 2026 Plenary outcome and the effective change to your country risk treatment is sufficient. The point is the audit trail.

Update your KYC procedures to reflect any threshold or risk-rating changes. Brief your customer service and compliance team on the change. Document the briefing.

If your training programme covers FATF list awareness, update the training materials. If it does not, add a short module. AML training is required at least annually by most regulators, and FATF list updates are exactly the kind of content the regulator expects to see in current training.

What the regulator and PSP will look for in an audit

Four audit findings come up consistently when operators have not handled FATF Plenary updates correctly.

Stale country risk matrix. The matrix in the operator's documented procedures references a previous version of the grey list. The audit cross-checks the matrix against the current FATF list and finds the gap. This is the most common single finding. The fix is trivial; the absence is not.

EDD applied to new players only. The audit finds that EDD was applied to players onboarded after the FATF change but not to existing players from the same jurisdictions. This is documented misalignment with the FATF expectation. The fix is a backward-looking review of existing relationships.

Undated change record. The operator made the changes but did not document the timing. The audit cannot verify whether the response was within 30 days. This is interpreted as inadequate audit trail and produces a deficiency finding even where the substantive work was done.

Training not refreshed. The compliance team treats the change as a quiet internal update. The wider operations team is not briefed. When the regulator interviews staff during audit, they cannot articulate how the recent FATF change affected the operator's controls. This is a control failure, even though the documented controls themselves are correct.

Beyond the calendar event

FATF list updates are not one-off events. They are recurring quarterly inputs to the AML framework, and the framework should be designed to absorb them as routine.

The operators we work with who handle FATF updates well share three traits. They have an operating rhythm that includes a quarterly compliance review, scheduled to land within 30 days of each FATF Plenary. They have a country risk matrix maintained as a separate, dated document that can be updated without rewriting the whole AML policy. They have a compliance log that captures every framework change as a dated entry with source URL and rationale.

The operators who handle FATF updates poorly typically share a different trait. They treat compliance as a state achieved at licence issuance and assume the state persists. The state does not persist. The framework needs to be maintained. FATF is one of the recurring drivers of that maintenance, alongside regulator output, legislative change, and operational evolution.

The document and the operation have to match. That is the whole game. FATF Plenary outcomes are one of the things that change the document. The operation has to change with it.

What ICOS does on this

For operators on our monthly retainer service, FATF Plenary outcomes are tracked the day they publish. Country risk matrix updates, AML policy amendments, and compliance log entries are produced within seven days of the Plenary. Operators get a written briefing on what changed and what they need to do.

For operators not on retainer, the same work is available on a per-event basis or as part of a one-time framework review.

If you want to talk about your specific compliance framework and how it handles regulatory updates, tell us your situation. Recommended jurisdiction, fixed price, realistic timeline. Within 24 hours.