I initially asked:
Assume you are a sanctions officer. Besides the obvious (countries subject to targeted sanctions only), what sources would you use to assess third parties’ geographic risk? How would those sources help identify low-risk, moderate-risk and high-risk countries?
and got back this response:
As a Sanctions Officer, I operate under the assumption that sanctions lists tell you where the fire is, but geographic risk data tells you where the smoke is blowing.
Most modern sanctions violations do not happen directly with a sanctioned country (e.g., Iran or Russia); they happen through a “clean” third country that serves as a transshipment hub or financial conduit.
To assess this “shadow risk,” I rely on five specific data sources outside of the standard sanctions lists. Here is how I use them to build a Low/Moderate/High risk model.
1. The Financial Backbone: FATF Lists
The Financial Action Task Force (FATF) identifies jurisdictions with weak anti-money laundering (AML) and counter-terrorist financing (CFT) controls.
- Source: FATF “High-Risk Jurisdictions subject to a Call for Action” (Black List) and “Jurisdictions under Increased Monitoring” (Grey List).
- The Logic: If a country cannot police money laundering, it cannot police sanctions evasion. Sanctions evaders flock to these jurisdictions to wash funds.
- Risk Classification:
  - High Risk: FATF Black List (e.g., Myanmar). Treat as functionally sanctioned.
  - Moderate Risk: FATF Grey List (e.g., South Africa, Vietnam). Requires Enhanced Due Diligence (EDD) to verify source of funds.
  - Low Risk: FATF Member countries with compliant Mutual Evaluation Reports.
2. The Corruption Proxy: Transparency International (CPI)
Corruption is the grease that moves sanctioned goods across borders. Customs officials in highly corrupt regimes can be bribed to falsify End-User Certificates (EUCs) or ignore “ghost shipments.”
- Source: Transparency International Corruption Perceptions Index (CPI).
- The Logic: There is a direct correlation between low CPI scores and high diversion risk. A “clean” country on paper with a CPI score below 30 is a high-risk jurisdiction for export controls.
- Risk Classification:
  - High Risk: CPI Score < 30 (e.g., Turkmenistan, Venezuela). Assumption of government complicity in illicit trade.
  - Moderate Risk: CPI Score 30–50. Frequent facilitation payments but not necessarily state-sponsored evasion.
  - Low Risk: CPI Score > 60. Strong rule of law.
3. The Diversion Hubs: BIS & Trade Data
The US Bureau of Industry and Security (BIS) and the EU publish alerts on “Transshipment Hubs”—countries that are friendly allies but are used by adversaries to bypass sanctions.
- Source: BIS “Common High Priority Items” Alerts, FinCEN Joint Alerts, and trade flow data (e.g., Import/Export spikes).
- The Logic: If a country’s imports of semiconductors increased by 400% immediately after Russia invaded Ukraine, that country is a diversion hub.
- Risk Classification:
  - High Risk: Known transshipment hubs for dual-use goods (e.g., Turkey, UAE, Kyrgyzstan, Kazakhstan, Armenia). Note: These are often “friendly” nations, making them dangerous blind spots.
  - Moderate Risk: Major logistics hubs with high volume but strong enforcement (e.g., Singapore, Hong Kong—though Hong Kong risk is rising).
  - Low Risk: Countries with strict export control alignment (e.g., UK, Japan, Australia).
4. The Ownership Veil: Tax & Secrecy Indices
Sanctioned entities use shell companies to hide ownership. We need to know which countries make it easy to hide the “Ultimate Beneficial Owner” (UBO).
- Source: Tax Justice Network’s Financial Secrecy Index or the EU List of Non-Cooperative Jurisdictions for Tax Purposes.
- The Logic: If a jurisdiction allows bearer shares or does not maintain a public corporate registry, we cannot verify the 50% Rule (ownership by sanctioned parties).
- Risk Classification:
  - High Risk: Jurisdictions with high secrecy scores and no public registry (e.g., certain Caribbean offshore centers).
  - Moderate Risk: Jurisdictions with registries but limited access/validation.
  - Low Risk: Jurisdictions with fully transparent, searchable UBO registries (e.g., most EU member states).
5. The Future Indicator: Human Rights Reports
Sanctions are increasingly thematic (e.g., Global Magnitsky Act). Today’s human rights violator is tomorrow’s SDN (Specially Designated National).
- Source: US State Department Country Reports on Human Rights Practices or Freedom House “Freedom in the World” Reports.
- The Logic: Doing business with state-owned enterprises in authoritarian regimes carries a high risk of future designation.
- Risk Classification:
  - High Risk: “Not Free” status with reports of forced labor (e.g., Xinjiang region relevance).
  - Moderate Risk: “Partly Free” with civil unrest.
  - Low Risk: “Free” with stable democratic institutions.
Summary: The Risk Matrix
As your Sanctions Officer, I would combine these sources into a weighted score to automate our third-party risk assessment.
| Risk Level | Indicators (Composite) | Action Required |
| --- | --- | --- |
| High Risk | FATF Grey/Black List OR CPI < 30 OR Known Transshipment Hub | Compliance Veto. Transaction requires C-level approval and verified End-User Certificate. |
| Moderate Risk | CPI 30–50 OR Tax Haven OR Political Instability | Enhanced Due Diligence. Must obtain full ownership structure (UBO) and negative news screening. |
| Low Risk | FATF Member, CPI > 60, Strong Export Controls | Standard Screening. Automated list matching only. |
But I also knew there were other data sources, perhaps less frequently used – so I asked Gemini whether or not they should be included in the model. The first one that came to mind was the OECD country risk data, honestly. Ultimately, we got a more complete model:
Here is the consolidated Comprehensive Geographic Risk Framework.
This framework integrates financial crime data (FATF, TI) with macro-political indices (OECD, World Bank, EIU) to create a “Defense in Depth” model. It moves beyond simple sanctions list matching to identify the underlying environmental risks—corruption, authoritarianism, and lack of rule of law—that enable sanctions evasion.
Part 1: The Consolidated Source List
We use these nine authoritative sources to triangularize risk. No single source is sufficient; together, they cover the full spectrum of compliance and commercial risk.
A. The “Hard” Legal & Financial Gates
1. Sanctions Lists (OFAC/UK/EU/UN): The absolute legal baseline. (Target: Sanctioned Jurisdictions)
2. FATF Lists (Financial Action Task Force): The global standard for Money Laundering/Terrorist Financing controls. (Target: Illicit Finance Hubs)
3. BIS & Trade Data: Alerts on transshipment hubs and dual-use goods diversion. (Target: Sanctions Evasion Routes)
B. The “Soft” Environmental Indicators
4. Transparency International (TI) CPI: Measures public sector corruption. (Target: Bribery & Facilitation)
5. OECD Country Risk Classifications: Assesses country credit risk and likelihood of sovereign payment default. (Target: Economic Stability)
6. World Bank Worldwide Governance Indicators (WGI): Specifically “Rule of Law” and “Political Stability.” (Target: Legal Enforceability)
7. EIU Democracy Index: Classifies regime types from Democracy to Authoritarian. (Target: Future Sanctions Risk)
8. Human Freedom Index (Cato/Fraser): Measures economic and personal liberty. (Target: Business Environment/Capital Controls)
9. Tax Justice Network / EU Tax Lists: Identifies secrecy jurisdictions. (Target: Hidden Ownership/Shell Companies)
Part 2: The Integrated Risk Model
This model applies a “Weakest Link” logic (also known as “The Worst Score Wins”). If a country flags as “High Risk” on any primary trigger, the entire jurisdiction is treated as High Risk, regardless of how well it scores on other metrics.
| Risk Classification | Primary Triggers (Automatic Classification) | Secondary Indicators (Aggravating Factors) | Operational Restrictions |
| --- | --- | --- | --- |
| PROHIBITED (The Black List) | Sanctions: Embargoed Countries (Iran, Cuba, North Korea, Syria, etc.); FATF: Black List (High-Risk Jurisdictions) | N/A | No Trade. Immediate exit. Block all transactions. |
| HIGH RISK (The Red Zone) | FATF: Grey List (Jurisdictions under increased monitoring); TI CPI: Score < 30; OECD Risk: 6 or 7 | EIU: “Authoritarian Regime”; Tax: Non-Cooperative / High Secrecy Score; BIS: Known Transshipment Hub | Executive Veto Required. Requires C-Level approval, verified End-Use Certificates (EUC), and independent audit rights. |
| MODERATE RISK (The Amber Zone) | TI CPI: Score 30–50; OECD Risk: 3 to 5; World Bank WGI: Bottom 50th Percentile | EIU: “Hybrid Regime” or “Flawed Democracy”; Human Freedom: Bottom Quartile (Economic Freedom) | Enhanced Due Diligence (EDD). Mandatory “look-back” on partners, ownership (UBO) verification, and negative news screening. |
| LOW RISK (The Green Zone) | FATF: Member / Compliant; TI CPI: Score > 60; OECD Risk: 0 to 2 | EIU: “Full Democracy”; World Bank WGI: Top 25th Percentile | Standard Screening. Automated watch-list screening only. Business as usual. |
Part 3: Methodology & Threshold Derivation
You asked specifically how we determined the “cut-off” points for High, Medium, and Low risk. These thresholds are not arbitrary; they are derived from statistical correlations with financial crime and industry benchmarks for “risk appetite.”
1. Why is the Transparency International (TI) Cut-off at 30?
- The Derivation: The TI CPI scales from 0 (Highly Corrupt) to 100 (Very Clean).
- The Logic: In the FCPA (Foreign Corrupt Practices Act) compliance community, a score below 30 is widely viewed as the threshold for “Systemic Corruption.”
  - < 30 (High Risk): Corruption is institutionalized. You likely cannot do business without paying a bribe (e.g., to clear customs or get a permit). This creates immediate legal liability.
  - 30–50 (Moderate Risk): Corruption exists but is often transactional rather than systemic. You can navigate it with strong controls.
  - > 60 (Low Risk): Generally indicates strong rule of law and functioning institutions.
2. Why use the OECD 0-7 Scale?
- The Derivation: The OECD Export Credit Group classifies countries to set minimum insurance premiums for export credits.
- The Logic: This is a proxy for economic collapse, which often precipitates political crises and sanctions.
  - 6-7 (High Risk): Indicates a high probability of sovereign default or inability to service debt. Countries in financial collapse often resort to illicit trade to generate hard currency.
  - 0-2 (Low Risk): These are “Investment Grade” economies. The risk of sudden regime change or capital controls is minimal.
3. Why the EIU “Democracy Index”?
- The Derivation: The Economist Intelligence Unit categorizes regimes into four types based on electoral process, civil liberties, and functioning of government.
- The Logic: This is our Predictive Metric.
  - “Authoritarian Regimes”: These governments are the primary targets of Western sanctions (e.g., Russia, Belarus, Venezuela). If you invest heavily here, you risk your assets becoming “stranded” by future sanctions.
  - “Full Democracies”: Almost never sanctioned by the US/EU/UK.
4. Why “The Worst Score Wins”?
In risk management, positive attributes do not cancel out negative ones.
- Example: The UAE has a high OECD rating (wealthy, stable economy) but has been gray-listed by FATF (money laundering concerns).
- Result: We treat it as High/Moderate Risk. The wealth of the country does not negate the fact that it is a hub for illicit finance. We cannot let a “Green” score on one index hide a “Red” flag on another.
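The “Worst Score Wins” rule from Part 2, applied to four of the primary triggers (sanctions, FATF, TI CPI, OECD), as an added example that is not part of the response above or of any tool the post describes. The field names and the sample profiles are constructed, and the rule that a missing or unbanded input (such as a CPI score above 50 and up to 60, which the framework leaves unassigned) can never produce LOW is an assumption of this example.

```python
from enum import IntEnum

Risk = IntEnum("Risk", ["LOW", "MODERATE", "HIGH", "PROHIBITED"], start=0)

def band_fatf(status):
    # Part 2 table: black list -> prohibited, grey list -> high, member -> low.
    return {"black": Risk.PROHIBITED, "grey": Risk.HIGH, "member": Risk.LOW}.get(status)

def band_cpi(score):
    # Page bands: < 30 high, 30-50 moderate, > 60 low; (50, 60] has no band.
    if score is None:
        return None
    if score < 30:
        return Risk.HIGH
    if score <= 50:
        return Risk.MODERATE
    return Risk.LOW if score > 60 else None

def band_oecd(cls):
    # Page bands: 6-7 high, 3-5 moderate, 0-2 low.
    if cls is None:
        return None
    return Risk.HIGH if cls >= 6 else Risk.MODERATE if cls >= 3 else Risk.LOW

def classify(profile):
    """Return (overall Risk, indicators that set it, indicators with no band)."""
    bands = {
        "sanctions": Risk.PROHIBITED if profile.get("embargoed") else Risk.LOW,
        "fatf": band_fatf(profile.get("fatf")),
        "cpi": band_cpi(profile.get("cpi")),
        "oecd": band_oecd(profile.get("oecd")),
    }
    unresolved = sorted(k for k, v in bands.items() if v is None)
    scored = {k: v for k, v in bands.items() if v is not None}
    worst = max(scored.values())  # a good score never offsets a bad one
    # Assumption (not from the page): unresolved inputs floor the result at MODERATE.
    if unresolved and worst < Risk.MODERATE:
        worst = Risk.MODERATE
    drivers = sorted(k for k, v in scored.items() if v == worst)
    return worst, drivers, unresolved

# Constructed profiles for illustration, not real country data.
SAMPLES = {
    "wealthy_hub": {"fatf": "grey", "cpi": 68, "oecd": 2},
    "gap_case": {"fatf": "member", "cpi": 55, "oecd": 1},
    "clean": {"fatf": "member", "cpi": 75, "oecd": 0},
}
```

The `wealthy_hub` profile mirrors the shape of the response's example: strong OECD and CPI values do not lift a grey-list flag, and `gap_case` shows an input the published bands do not cover.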