Beyond black lists: Rethinking geographic risk in AML compliance

27 March, 2025

The concept of “high-risk countries” has long been a fixture in compliance frameworks, often shaping how geographic threats are understood.

But at FFECON25, panellists pushed back against this rigid classification, arguing for a more nuanced approach. Instead of relying on blanket designations, they urged reporting entities to focus on behaviour-based assessments, examining specific risks and actions rather than drawing conclusions based solely on a country’s label.

The geographic risk paradox

For years, geographic risk has been framed as a simple binary: a country is either high-risk or it isn’t. But this rigid approach presents real challenges.

While regulators call for enhanced due diligence in certain jurisdictions, blanket restrictions can shut out legitimate customers and stifle business growth. For those from or linked to a high-risk country, the decision is often made before they have a chance to explain their circumstances.

As one panellist put it, “What if regulators sanctioned entire industries the way we effectively sanction entire countries?”

It’s a fair question. Treating geography as a blunt instrument doesn’t just create inefficiencies - it cuts off access to financial and professional services for individuals and businesses that may pose no real risk.

While such restrictions might seem like the safer choice, they often drive legitimate customers toward informal or less regulated channels. Or, as one panellist put it, “High risk doesn’t mean no appetite. It means greater awareness and stronger controls.”

Treating entire regions as compliance liabilities, particularly in parts of Africa, the Middle East and Southeast Asia, does not reduce financial crime. It simply pushes it out of sight, making it harder to detect and control.

The human cost: When place of birth becomes a liability

One of the most troubling aspects of simplistic geographic risk approaches is their impact on individuals based on factors they cannot change, such as place of birth. As panellists noted, the current framework creates a form of financial discrimination that can follow people throughout their lives, regardless of their actual risk profile.

Imagine a UK citizen who was born in Iran but has spent decades living in London. Despite a clean record and a legitimate financial history, they are routinely flagged as high risk solely because of their birthplace. Every account, loan or investment they pursue is met with heightened scrutiny.

"We're effectively creating a two-tier financial system based on biographical details rather than actual risk behaviours," said one panellist. "Someone born in a high-risk jurisdiction but who has spent their entire adult life in a low-risk country still faces financial obstacles at every turn."

The panel advocated for a smarter, more balanced approach, one that goes beyond nationality or place of birth and considers the broader context. This includes who the customer is, what they do, where their funds originate and how they are exposed to risk.

For instance, a fintech company based in Nigeria shouldn’t be deemed high risk solely because of its location. Meanwhile, a trust based in a secrecy jurisdiction could pose far greater risks, even if the country itself isn’t flagged on any watchlist. The key lies in seeing the full picture and understanding the specific risks at play.

From blunt tool to precision tool

Reporting entities often rely on single third-party country risk ratings, which may not align with their specific risk appetite or customer base. The panel pointed to several alternative approaches. These include:

  • Contextual analysis takes into account the nature of the business relationship, transaction patterns and client profiles alongside geographic factors.
  • Enhanced data analytics can help identify unusual patterns specific to geographic corridors rather than applying blanket enhanced due diligence.
  • Collaborative intelligence sharing between financial institutions is also crucial in developing more accurate risk profiles for specific regions and business types.

One panellist remarked, "We need to move from treating geographic risk as a reason to say 'no' to seeing it as a factor that determines 'how' we engage."

A smarter and more practical way to handle geographic risk

One of the panel’s most important takeaways was the call to move away from surface-level profiling and toward behaviour-based risk models. Instead of relying on biographical red flags like place of birth or nationality, the focus should be on what truly matters: how a person behaves and transacts.

This means considering factors such as:

  • How long someone has lived in a low-risk jurisdiction
  • The nature and frequency of any genuine links to high-risk countries
  • Actual transaction patterns and financial behaviour over time
  • Risk scoring that adjusts when mitigating factors are present
  • Disaggregated risk assessments that separate different risk factors (such as corruption, sanctions evasion, and tax evasion) rather than assigning a single risk score to an entire country
  • Industry-specific considerations that recognise how geographic risks manifest differently across sectors

As one speaker put it, "The most predictive factor for financial crime risk isn’t where someone was born. It’s their pattern of behaviour over time."

It may seem obvious, but making this shift requires robust systems, accurate data and a willingness to challenge entrenched risk models.

Practical implementation: A graduated approach

The panel outlined a graduated approach to geographic risk management:

  • Baseline requirements for all jurisdictions, focusing on standard KYC and transaction monitoring.
  • Enhanced measures tailored to specific concerns identified within a jurisdiction, with in-house expertise developed for higher-risk regions rather than relying entirely on external judgment.
  • Strategic de-risking only when risks cannot be sufficiently mitigated through enhanced due diligence.

The bottom line

Geographic risk will continue to be a key element of AML compliance frameworks, but its application doesn’t have to be binary or blunt. By adopting more sophisticated approaches to understanding and managing country risk, financial institutions can safeguard themselves against financial crime while still serving clients across a range of jurisdictions.

One of the final questions from the panel lingered: "Are we comfortable cutting off millions of people from the financial system simply because our frameworks can’t handle nuance?"

That question strikes at the heart of the issue. Avoiding risk is not the goal; understanding it is.


About First AML

First AML simplifies the entire anti-money laundering onboarding and compliance process. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

First AML transforms an otherwise complex and manual process into one that is simple, cost-effective, and compliant for businesses. By delivering efficiency and time savings, it protects reputations and enables companies to stay on the right side of history in the face of global threats.
