
Lesson 12 of 25

Risk-Based Sanctions Due Diligence and the Risk Assessment

4 min read · CGSS

Put your effort where the risk is. Build a sanctions risk assessment across customers, products, geographies, and channels, separate inherent from residual risk, and learn how the assessment drives standard versus enhanced due diligence.

Diligence is risk-based

  • You can't apply maximum diligence to everyone
  • Risk assessment tells you where to look hardest
  • Higher risk → deeper, more frequent diligence
  • FATF Recommendation 1 and OFAC's Framework require it

Sanctions due diligence isn't about treating every customer like a suspect; it's about putting your effort where the risk actually is. No institution can apply maximum scrutiny to every relationship, so the risk-based approach, central to FATF Recommendation 1 and to OFAC's Framework, tells you where to look hardest. The engine that drives it is the sanctions risk assessment: a structured analysis of where your firm is exposed, which then calibrates how deep and how often you do diligence.

Higher-risk relationships get enhanced, more frequent review; lower-risk ones get standard treatment. Get the risk assessment right and everything downstream (screening intensity, diligence depth, resourcing) follows logically from it.

What the risk assessment covers

  • Customers — types, behaviors, ownership
  • Products and services — payments, trade finance, correspondent
  • Geographies — countries and routes touched
  • Delivery channels — direct, intermediated, digital

A sound sanctions risk assessment looks across several dimensions, and the exam expects you to know them. Customers: what types you serve, their behaviors, and their ownership structures, since a customer base heavy in opaque entities carries more risk. Products and services: cross-border payments, trade finance, and correspondent banking carry far more sanctions exposure than simple domestic retail products.

Geographies: the countries, jurisdictions, and routes your business touches, especially proximity to sanctioned or high-risk regions. And delivery channels: whether you deal directly, through intermediaries, or through digital and third-party channels that put distance between you and the real customer. Score each dimension, combine them, and you get a picture of where your sanctions risk concentrates.

Inherent vs. residual risk

  • Inherent risk — before controls
  • Controls reduce it to residual risk
  • Residual is what you actually carry
  • Weak controls leave high residual risk

Two terms you must keep straight, because they appear in scenarios. Inherent risk is the risk that exists before you apply any controls: the raw exposure of your business. Your controls (screening, diligence, training, and governance) then reduce that inherent risk to residual risk, which is what you actually carry after the controls do their work.

The whole point of the program is to manage residual risk to an acceptable level. A common exam pattern: a firm with very high inherent risk, say heavy dollar-clearing and trade finance, but weak controls will have dangerously high residual risk, while a firm with the same inherent risk but strong controls may be well within tolerance. So the answer to "is this firm too risky?" depends on controls, not on raw exposure alone.

From assessment to diligence intensity

  • Standard due diligence for ordinary risk
  • Enhanced due diligence (EDD) for high risk
  • Triggers: high-risk geography, opaque ownership, PEP, trade finance
  • Periodic and event-driven reviews

The risk assessment translates directly into diligence intensity. Ordinary-risk relationships get standard due diligence: verifying identity and screening as a baseline. Higher-risk relationships get enhanced due diligence (EDD), which digs deeper into beneficial ownership, source of funds, expected activity, and the business rationale behind transactions.

Triggers for EDD include exposure to high-risk or sanctions-adjacent geographies, opaque or layered ownership, politically exposed persons, complex trade-finance structures, and correspondent or nested relationships. Diligence isn't one-and-done either: you refresh it periodically based on risk, and you trigger an event-driven review whenever something changes, such as a new owner, a new route, a sanctions designation, or an unexpected pattern of activity.
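The three ideas above (score each dimension and combine, reduce inherent to residual through control effectiveness, then map residual risk and hard triggers to a diligence tier and review cadence) fit together as a small rating model. The block below is an added illustration, not the lesson's, FATF's, OFAC's or the FFIEC manual's published methodology; the four dimension weights, the 1-to-5 scoring scale, the control-effectiveness factor, the 3.5 EDD threshold, the 12/36-month review intervals and the three sample relationships are all constructed assumptions chosen to reproduce the lesson's exam pattern (same inherent exposure, different controls, different answer).

```python
"""Illustrative sanctions risk-rating model (added example; weights, scale,
thresholds, intervals and sample relationships are assumptions, not any
regulator's published method)."""
from dataclasses import dataclass, field

# Relative weight of each assessment dimension (assumed; sums to 1.0).
DIMENSION_WEIGHTS = {"customer": 0.30, "product": 0.30, "geography": 0.25, "channel": 0.15}

# Conditions that force EDD regardless of the numeric score.
EDD_TRIGGERS = {"high_risk_geography", "opaque_ownership", "pep",
                "complex_trade_finance", "correspondent_or_nested"}

# Changes that require an event-driven review before the next periodic one.
EVENT_TRIGGERS = {"new_owner", "new_route", "sanctions_designation", "unexpected_activity"}

# Assumed residual-risk threshold (scale 1.0 low .. 5.0 high) at or above which EDD applies.
EDD_THRESHOLD = 3.5


@dataclass
class Relationship:
    name: str
    customer: int    # 1 (transparent retail) .. 5 (opaque, layered entities)
    product: int     # 1 (domestic retail) .. 5 (trade finance / correspondent)
    geography: int   # 1 (low-risk home market) .. 5 (sanctions-adjacent corridors)
    channel: int     # 1 (direct, face to face) .. 5 (intermediated / third-party digital)
    flags: frozenset = field(default_factory=frozenset)  # EDD trigger labels present


def inherent_risk(r: Relationship) -> float:
    """Weighted combination of the dimension scores, before any controls."""
    scores = {"customer": r.customer, "product": r.product,
              "geography": r.geography, "channel": r.channel}
    for s in scores.values():
        if not 1 <= s <= 5:
            raise ValueError("dimension scores must be 1..5")
    return sum(DIMENSION_WEIGHTS[d] * scores[d] for d in DIMENSION_WEIGHTS)


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Inherent risk after controls. control_effectiveness runs from 0.0 (no effective
    controls) to 1.0 (fully effective). The result is floored at 1.0: controls mitigate
    exposure, they never make a relationship risk-free."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be 0..1")
    return 1.0 + (inherent - 1.0) * (1.0 - control_effectiveness)


def assess(r: Relationship, control_effectiveness: float) -> dict:
    """Rate one relationship: numbers, diligence tier, and periodic review interval."""
    inherent = inherent_risk(r)
    residual = residual_risk(inherent, control_effectiveness)
    triggered = sorted(r.flags & EDD_TRIGGERS)
    tier = "EDD" if residual >= EDD_THRESHOLD or triggered else "SDD"
    return {"name": r.name, "inherent": round(inherent, 2), "residual": round(residual, 2),
            "tier": tier, "edd_triggers": triggered,
            "review_interval_months": 12 if tier == "EDD" else 36}


def review_due(assessment: dict, months_since_review: int, events: set) -> bool:
    """Periodic refresh by tier, or an immediate event-driven review when a trigger fires."""
    if events & EVENT_TRIGGERS:
        return True
    return months_since_review >= assessment["review_interval_months"]


# Constructed sample relationships (not real customers).
DOLLAR_CLEARER = Relationship("corr-bank-A", customer=4, product=5, geography=4, channel=3)
LOW_RISK_RETAIL = Relationship("retail-B", customer=1, product=1, geography=1, channel=1)
PEP_RETAIL = Relationship("retail-C", customer=2, product=1, geography=1, channel=1,
                          flags=frozenset({"pep"}))

if __name__ == "__main__":
    # Same inherent exposure, weak (0.2) versus strong (0.8) controls.
    for rel, ctrl in ((DOLLAR_CLEARER, 0.2), (DOLLAR_CLEARER, 0.8),
                      (LOW_RISK_RETAIL, 0.5), (PEP_RETAIL, 0.5)):
        a = assess(rel, ctrl)
        print(f"{a['name']:12} controls={ctrl:.1f} inherent={a['inherent']:.2f} "
              f"residual={a['residual']:.2f} tier={a['tier']} triggers={a['edd_triggers']}")
    print("event review due:", review_due(assess(LOW_RISK_RETAIL, 0.5), 6, {"new_owner"}))
```

Run as a script, the dollar-clearing relationship rates EDD with weak controls and SDD with strong ones from the same inherent score, the low-risk retail customer stays SDD on a 36-month cycle, and the PEP flag forces EDD even though the numeric score is low; the last line shows a new-owner event forcing a review long before the periodic date. The floor in `residual_risk` is the design choice worth noting: a model that lets residual risk reach zero invites the "controls make this safe" argument the lesson warns against.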

Keep it living and documented

  • Refresh as risks and regimes change
  • Document methodology and conclusions
  • Regulators test the reasoning, not just the score

Two closing disciplines. First, the risk assessment is a living document, not a one-time exercise. Sanctions regimes, lists, and geopolitics move fast, so you refresh the assessment as your business and the world change; an assessment that's three years stale is a finding waiting to happen.

Second, document everything: the methodology, the factors you weighed, and how you reached each conclusion, because regulators evaluate your reasoning as much as your result. A defensible assessment that explains its logic beats a higher-effort one that can't show its work.

How the assessment connects to everything

  • Risk rating sets screening intensity and review frequency
  • It justifies where you spend resources
  • It feeds back from investigations and new typologies
  • Sets up customer and ownership diligence next

Before we move on, see how central this assessment really is, because the exam treats it as the program's hub. The risk rating you assign drives concrete decisions downstream: how tightly you tune screening for a customer segment, how often you refresh a relationship, and where enhanced diligence is mandatory. It's also your justification to regulators for where you do and don't spend resources: you're allowed to do less on genuinely low-risk relationships precisely because the assessment supports it.

And the assessment isn't only an input; it's also an output, because investigations and newly observed evasion typologies feed back in and update where you believe your risk sits. So when a scenario asks why a firm applied light controls to a high-risk corridor, the failure usually traces to a weak or stale risk assessment. With the risk-based foundation in place, the next three lessons get specific: customer and beneficial-ownership diligence, then geographic and trade-finance diligence, then third parties and correspondent banking.

We start with the customer and the ownership chain.

Sources

  • OFAC 'A Framework for OFAC Compliance Commitments' (May 2019) — risk assessment component
  • FATF Recommendation 1 (risk-based approach)
  • Wolfsberg Group guidance on sanctions risk assessment
  • FFIEC BSA/AML Examination Manual (OFAC/sanctions risk assessment methodology)

Test your knowledge

A few CGSS questions on this material.

  Q1. OFAC's Enforcement Guidelines identify both 'egregious' and 'non-egregious' violations. Which combination of factors is most likely to make a violation 'egregious'?

  Q2. Which UK government body is primarily responsible for implementing and enforcing financial sanctions in the United Kingdom following Brexit?

  Q3. FATF Recommendation 7 specifically addresses targeted financial sanctions related to proliferation financing. Which UN Security Council resolution framework does it implement?

  Q4. What is an OFAC 'general license,' and how does it differ from a specific license?
