Fetch KYC Provider lists of grey/blacklisted countries

[Tieumsan]

Problem statement

We need to provide a up-to-date list of the countries blacklisted by our KYC provider. We don't want to maintain the list manually so we need to get the lists dynamically from the source.

Our KYC provider uses as the following resources as references for their list of blacklisted countries

• https://www.fatf-gafi.org/en/countries/black-and-grey-lists.html
• https://orpa.princeton.edu/export-controls/sanctioned-countries

We need to fetch the content from those lists and merge them into one set (greylist and blacklist should be aggregated). Since we want to ensure that the same list is used by all platforms, we might need to add an API on the SORA Card backend.

Definition of Done

• [ ] Establish method and endpoint to fetch the content of the lists
• [ ] Establish how the list gets updated and the frequency of update

Requirements

Same list used by all platforms.

[BenoXYZ]

Countries Subject to Prohibition on Military Exports

Please DO NOT use this list of countries for the blacklist unless they are mentioned in another list of the FATF or ORPA

[drejcslo]

We work with several partners, including banks and cryptocurrency exchanges (CEX), who require clients to go through a process called KYC/KYB onboarding in order to use fiat currency (traditional currency like dollars or euros). All our partners have agreed to accept a unified onboarding process for our users (conducted by our KYC provider), which includes identification verification, liveliness checks, a questionnaire, and PEP&Sanctions screening. However, each partner has slightly different risk preferences and local regulatory requirements. To enable our platform users to access all our services, we need to comply with the combined requirements of all our partners.

All our partners adhere to the FATF (Financial Action Task Force) and OFAC (Office of Foreign Assets Control) "black and grey" lists, which identify countries and individuals associated with money laundering, terrorism financing, and other illicit activities. However, each partner interprets these lists based on their own internal compliance rules.

1. FATF: The FATF updates its lists of countries during its Plenary meetings held in February, June, and October each year. Therefore, we should check the FATF lists three to four times annually.

You can find upcoming assessments here: FATF Assessments Link The current "black and grey" list can be found here: FATF Black and Grey Lists Link

2. OFAC: Unlike FATF, OFAC does not maintain a specific list of countries that U.S. persons cannot do business with. The U.S. sanctions programs vary in scope, some targeting specific individuals and entities, while others have broader geographic restrictions (e.g., Cuba, Iran). Therefore, determining if a specific country is blacklisted or greylisted for our partners' services requires checking the individual "Executive Orders" issued by the U.S. The interpretation of these lists is overseen by the compliance departments of our partners.

You can search the OFAC Sanctions list here: OFAC Sanctions Search Link However, this search is focused on individuals, and there is no comprehensive "country list" available.

3. Other: There are additional lists we should consider, such as the "Consolidated list of persons, groups, and entities subject to EU financial sanctions", which can be found here: EU Consolidated Sanctions List Link Additionally, individual countries, even those within the EU or certain alliances, may have their own variations of rules.

CONCLUSION:

• Our KYC provider already checks all PEP&Sanctions lists, so we are covered in that regard. We do not have access to any personal data of wallet users. Our banking and CEX partners are responsible for compliance due to the onboarding process and regular checkups.
• The compliance departments of our banking and CEX partners determine which jurisdictions to exclude. However, they do not provide us with lists of excluded countries accessible through an API.
• We want to prevent users from certain jurisdictions from starting the onboarding process, as we do not want them to be rejected after beginning KYC/KYB.
• There is no direct external source for the FATF/OFAC/EU "black and grey" country lists. Even if such a source existed, it would still need to align with the rules set by our banking and CEX partners.

SUGGESTION:

• We should continue using our internal SORACARD list, which contains the "black and grey" country lists.
• Our regulated partners must inform us of any changes in country lists.
• I suggest conducting a yearly check of the FATF pages to ensure alignment between our SORACARD list of excluded countries and the current FATF list. Additionally, we should check which countries are on the agenda for the upcoming FATF meetings.