📣  DRAFT FOR COMMUNITY INPUT

This article reflects our current thinking on AML sector risk methodology — but it is deliberately not the final word. We are sharing it at this stage because we believe the best frameworks are built in dialogue with the expert community. If you work in AML compliance, financial regulation, risk modelling, or a related field, we want to hear from you. Please reach out to us if you are interested in the detailed methodology document and the current sector risk classifications. Please also share your reactions, challenge our assumptions, and suggest what we may have missed. Contact us at [email protected].

If your client is a casino operator, the risk calculus is fundamentally different from that of a residential care provider — regardless of which country either is based in. That simple observation sits at the heart of a problem that AML compliance has been slow to fully solve: the systematic measurement of sector-level money laundering risk.

Country risk has attracted data, methodology, and investment for decades. FATF mutual evaluation results, the Corruption Perceptions Index, World Bank governance indicators — the infrastructure for measuring jurisdiction-level AML exposure is rich, standardised, and widely adopted. Sector risk, by contrast, has largely remained a matter of gut feel, internal heuristics, and binary tick-boxes.

At CountryRisk.io, we think that needs to change. This post sets out why sector risk matters, why building a sector risk framework is harder than it might look — and fundamentally different in nature from building a country risk model — and how we have approached the challenge. We are sharing our methodology openly because we believe the best risk frameworks are built in conversation with the community that uses them.

The Case for Taking Sector Risk Seriously

AML compliance is inherently a layered discipline. A robust framework considers risk across at least six dimensions: country, sector, legal entity type, product, individual, and transaction. Each layer adds information that the others cannot supply on their own.

Country risk tells you about the regulatory environment of a jurisdiction — how effectively it supervises financial flows, how pervasive corruption is, how aligned its legal framework is with FATF standards. But country risk says almost nothing about the structural vulnerabilities of a specific business activity.

Sector risk fills that gap. It captures characteristics that are inherent to an industry regardless of geography:

• A real estate business in Switzerland still operates in a sector with well-documented vulnerabilities to layering and beneficial ownership concealment.
• A money service business in Singapore still handles the kind of value transfer that criminal networks find attractive — despite Singapore's strong supervisory regime.
• A casino in a well-regulated Nordic market still operates with cash intensity, anonymous chips, and delivery channels that generate consistent ML typologies worldwide.

By evaluating sector risk as a standalone, systematic dimension, compliance teams ensure that this critical layer of analysis is neither overlooked nor — perhaps more dangerously — quietly absorbed into country or customer risk assessments where it loses its analytical clarity.

The regulatory direction of travel reinforces the point. The EU's new Anti-Money Laundering Authority (AMLA) places explicit emphasis on sector-specific risk. FATF has long required financial institutions to consider business activity in their risk assessments. Supervisors increasingly expect a structured, auditable answer to the question: "How did you assess the inherent ML risk of this customer's sector?"

Why Sector Risk Is Harder to Measure Than Country Risk

At first glance, building a sector risk model might seem like a natural extension of the country risk modelling that the industry has already mastered. It is not. The two challenges are structurally different — and understanding why matters for evaluating any sector risk methodology you might consider adopting.

The data infrastructure simply does not exist

Country risk modelling benefits from a rich ecosystem of standardised, publicly available, regularly updated datasets. FATF publishes structured mutual evaluation results. Transparency International produces the Corruption Perceptions Index annually. The World Bank's governance indicators cover around 200 jurisdictions. Researchers and regulators can triangulate across sources, check for consistency, and update models as new data arrives.

At the sector level, no comparable infrastructure exists. There is no globally standardised index of ML prevalence by industry. There is no cross-country dataset measuring cash intensity, transaction opacity, or regulatory oversight quality for individual economic sectors. National risk assessments sometimes include sector analysis, but they vary enormously in scope, methodology, granularity, and update frequency. The definitions rarely align across borders.

This is not a gap that more effort can simply fill. It reflects the fundamental difference in how statistical infrastructure develops: jurisdictions have incentives to produce standardised governance data; individual sectors do not. Sector risk measurement must therefore start from a different epistemic position — and any methodology that pretends otherwise should be treated with scepticism.

The unit of analysis shifts from a single jurisdiction to an abstracted activity

Country risk scores are anchored to a discrete, well-defined entity: a sovereign jurisdiction with a name, a legal system, and a set of institutions. Sector risk scores are anchored to a category of economic activity that plays out differently depending on context, geography, and the specific firm in question. "Gambling and betting" is not the same everywhere — the cash intensity varies, the regulatory oversight varies, the dominant delivery channels vary.

This means that a sector risk score is inherently more abstract than a country risk score. It captures the inherent, structural characteristics of a sector type — the features that are broadly persistent across contexts — rather than the observed state of a specific jurisdiction. That abstraction is a feature, not a bug: it is precisely what makes sector risk scores portable across geographies. But it requires an explicit methodological choice about what you are measuring and what you are not.

Expert judgment is not optional — it must be structured

Because the data does not exist to simply aggregate, sector risk assessment requires expert judgment. This is where many internal frameworks run into trouble: expert judgment is hard to standardise, difficult to audit, and prone to inconsistency across teams, time periods, and geographies.

The methodological challenge is therefore not to eliminate expert judgment — which is impossible — but to structure it so rigorously that it becomes transparent, replicable, and auditable. That means decomposing the construct of "sector risk" into clearly defined, independent dimensions; anchoring scores to explicit, consistent criteria; and applying the framework uniformly across all sectors rather than cherry-picking which industries receive structured treatment.

This is fundamentally different from how country risk models work, where the primary challenge is selecting, weighting, and aggregating quantitative data sources. Sector risk methodology is more akin to structured expert elicitation — a well-established technique in fields like intelligence analysis and actuarial science — than to index construction.

Our Approach: Eight Dimensions, 501 Sectors

The CountryRisk.io sector risk framework addresses these challenges by decomposing ML/TF sector vulnerability into eight clearly defined dimensions, each capturing a distinct facet of risk. Each dimension is weighted equally at 12.5%, ensuring that no single perspective dominates. The eight dimensions are:

• Sector Characteristics  
• Customer Risk 
• Product/Service Risk  
• Transaction Risk
• Geographic Risk 
• Regulatory Environment 
• Delivery Channels 
• Criminal Typology Exposure

Each dimension is assessed through four to five standardised questions, scored on a 0–5 scale with explicit anchors: 0 means a risk factor is entirely absent; 5 means it is pervasive and represents a critical vulnerability. Dimension scores are averaged to produce an overall sector risk score, which maps to one of five risk categories: Very Low, Low, Medium, High, or Very High.

The framework was grounded in 137 national risk assessment reports published by 128 countries — the broadest available empirical base for sector-level ML/TF vulnerability analysis. It was then applied systematically across four international sector classification standards: WZ2025, NACE Rev. 2.1, NAICS 2022, and GICS, producing 501 individual sector risk assessments using the best large language models from various providers.

What the data reveals

The results are instructive. Across 501 assessed sectors, scores range from 1.00 to 4.38 on the five-point scale, with a mean of 3.39. Fully 81% of sectors fall in the High or Very High categories — a finding that reflects the reality that most economic activity, when assessed on a global basis against comprehensive ML/TF risk dimensions, carries material inherent exposure.

The highest-scoring sectors include financial exchanges, gambling and betting, and mining of metal ores. The lowest-scoring sectors include residential care homes, commercial printing, and household production. Among the eight dimensions, Criminal Typology Exposure carries the highest average score (3.63), confirming that historical patterns of criminal exploitation are the dominant driver of sector-level risk globally. Regulatory Environment scores lowest on average (2.89) — which is arguably the most encouraging finding, since it is also the dimension most susceptible to genuine improvement.

Sector + Country: A Combined Risk View

Sector risk scores and country risk scores are most powerful when used together. Neither alone captures the full ML/TF exposure of a business relationship. The CountryRisk.io framework provides a combined risk classification matrix that maps sector risk against country risk, producing an averaged combined score on a five-tier scale.

The matrix produces practically meaningful distinctions. A casino operator (sector score: 3.81, High) in a well-supervised Nordic market might land at a combined score of 2.5 — Medium — reflecting the genuine mitigating effect of a robust national AML regime. The same operator in a High country-risk jurisdiction scores 4.0 — warranting full enhanced due diligence. In a Very High country-risk jurisdiction, the combined score reaches 4.5 — the threshold for maximum scrutiny and a potential risk-appetite question for the institution.

This is, we think, how sector risk should be used: not as a standalone trigger, but as one rigorous, systematic input into a layered risk mosaic that ultimately drives proportionate, auditable due diligence decisions. 

Limitations and Open Questions

We believe strongly that transparency about methodology includes transparency about limitations. Ours are real.

• The framework relies on structured expert genAI assessment rather than statistical data. This is a deliberate choice given the data gap described above — but it means that scores reflect the quality of expert judgment and the recency of underlying typology information.
• Sector risk scores are global abstractions. They do not capture country-specific regulatory variation within sectors. A sector that carries high inherent risk globally may be genuinely better-managed in some jurisdictions than the score implies.
• Classification standards vary. The same economic activity is carved up differently across WZ2025, NACE, NAICS, and GICS. Cross-standard comparisons require care.
• The methodology was encoded and applied systematically using a large language model. This enables scale and consistency, but introduces its own forms of potential bias and error that warrant ongoing scrutiny.

These limitations do not undermine the case for systematic sector risk assessment — they are arguments for doing it carefully and continuously improving it. Which is precisely why we are publishing this methodology openly.

We Want to Hear From You

This framework is a starting point, not a final answer.

We are actively seeking input from the expert community — AML compliance professionals, regulators, risk modellers, academics, and practitioners who work with sector risk day to day.

Specifically, we would welcome views on:

• Are the eight risk dimensions the right ones? Are there dimensions missing, or dimensions that should be disaggregated further?
• Is equal weighting across dimensions the right approach, or should some dimensions carry more weight for certain sector types?
• How should sector risk scores be adjusted for jurisdiction-specific regulatory variation?
• How are you currently handling sector risk in your own frameworks, and what gaps do you face?

Reach us at [email protected], or connect with us on LinkedIn. Every response will be read and considered as we refine the methodology. Please reach out to us if you are interested in the detailed methodology document and the current sector classifications.