Some observations on “Wolfsberg Group: Country Risk Frequently Asked Questions 2024”

Bernhard Obenhuber
Mar 06, 2024

This week, the Wolfsberg Group published its updated frequently asked questions regarding country risk assessment within the context of the anti-money laundering / counter terrorist financing (AML/CTF) framework of financial institutions. The original document – published in 2018 – was instructive for us when we designed the AML country risk score.

This post reflects on the important points and helpful guidance raised in the updated document. You can find the document here (Link). The Wolfsberg Group describes itself as: “… an association of 12 global banks which aims to develop frameworks and guidance for the management of financial crime risks.”

Q1. What is country risk in the context of financial crime compliance?

We cover several types of country risks, ranging from sovereign credit risk that measures a country’s ability and willingness to repay foreign debt obligations, to ESG sovereign credit risk, supply chain country risk, and of course AML country risk.

The AML country risk score is designed as an input factor to the customer risk profile of any organisation (e.g., financial institution, payment service provider). The Wolfsberg document defines the scope of AML country risk as Financial Crime Country Risk (FCCR): the residual risk that remains after considering the inherent risk of money laundering activities in a country as well as the quality of the country’s AML/CTF framework (e.g., existing AML regulation, quality of institutions and effectiveness of enforcement). The AML Country Risk Score closely follows this concept.

Q2. What data sources should be considered when developing a methodology to assess country risk?

To operationalise the above-mentioned definition of FCCR, our guiding principle is to help the user understand the ML/TF risks of doing business in a country in a holistic sense. So we ask ourselves questions like: What are common predicate offences that lead to dirty money (e.g., corruption, trafficking, environmental crimes)? Who are key (criminal) actors in the country (e.g., mafia-style groups)? How strong is the control environment in the country (e.g., do authorities have the technical expertise and legal options to identify activities and effectively prosecute them)? The combination of both dimensions leads to the residual risk and allows comparison across countries.

As a data-driven organisation we have ample experience in building quantitative models that measure country risks. Building a model typically consists of three steps: First, one needs to have a tangible measure of risk (e.g., sovereign defaults of a country). Secondly, one selects one or multiple statistical models (e.g., a scoring-based approach, (logit) regression, neural networks and the like) and looks for indicators that have explanatory power in a statistical sense. Finally, it’s important to evaluate the overall fit of the model in- and out-of-sample and, after implementation, also the “live” performance.

When it comes to building a model for FCCR, the main challenge is the first step: There is no objective measure of money laundering risk in a country. Consequently, selecting the data sources cannot be model-derived. So we ask ourselves whether an indicator could help the user gain a better understanding of ML/TF risks in a country, which also includes evaluating the quality of the indicator.

Another challenge is incorporating the dynamic, ever-evolving backdrop. For example, the nature of predicate offences – think cyber or crypto crimes – and evasion activities change over time. This requires close monitoring and appropriate steps to measure such risks.

Q3. How often should data sources be refreshed and country risk ratings reviewed?

The Wolfsberg FAQ document states that one should “update ratings no less frequently than annually and one should choose a date when the majority of data is current”. While we understand that more frequent updates can have high internal costs – including review, dissemination in various systems and application to customer risk profiles – we believe that an efficient data pipeline using APIs can significantly reduce the costs of more frequent updates and reduce the likelihood that client risks worsen unnoticed just because the latest ML/TF risk data is outdated.

We update all our risk scores monthly, and on an intra-month basis when FATF country listings are updated. As many of our clients have tailored their AML country risk score, ad-hoc updates might also be triggered by changes in other indicator series. As a result, our clients may receive around 15 updates per year. While this may seem inundating, our clients are not left unaware and risks are mitigated. In any case, each client ultimately chooses the frequency that works well against the nature of their business and workflows.

Q4. How should sanctions be considered in country risk methodologies?

In our view, sanctions within the context of the FCCR are a very difficult topic. Of course, for countries like Iran or North Korea, it is straightforward. The OFAC even has a dedicated page (Link) with the title “Where is OFAC’s Country List? What countries do I need to worry about in terms of U.S. sanctions?” and the first sentence states, “The Office of Foreign Assets Control (OFAC) does not maintain a specific list of countries that U.S. persons cannot do business with”. The rise of thematic sanctions also makes it difficult to relate a certain sanction program to a specific country. We have always included sanction information through the angle of predicate offences or evasion activities that create money laundering risks. That said, we are considering removing this indicator in future updates because of its ambiguous nature and our mounting conviction that this specific risk can be monitored better further downstream in the analysis, on an individual person or entity basis.

Q5. What methodologies are available to FIs to measure country risk?

We agree with the points raised by the Wolfsberg Group that there is no industry standard and that such models cannot be “subjected to the same kind of quantitatively focused independent model review, as with credit models”. Our guiding principle is to always remain transparent in our methodology, underlying indicators and detailed model outputs.

Q6. What should FIs consider if they choose to purchase and use an off-the-shelf commercial product to determine their FCCR ratings?

The Wolfsberg document lists the following minimum requirements:

  • The vendor’s product has produced a documented set of FCCR ratings which is consistent with how the FI considers country risk (e.g. using data points in line with an FI’s expectations);
  • The vendor’s product includes the risk parameters or dimensions covered in Question 2;
  • The information used by the vendor is refreshed on a periodic basis.

We are of course a bit biased here, so we will not comment too much. But we want to add two points that we’ve found important from various client projects. Firstly, clients came to us with the following situation: They subscribe to an off-the-shelf product or country risk ratings, and the accompanying vendor methodology covers the minimum requirements listed above. But as often happens, the client makes adjustments to the methodology, say to capture additional risk factors, to tweak the number of risk categories, or to reflect other nuances of the organisation’s risk appetite. As soon as such “adjustments” happen, risks and inefficiencies ensue. We strongly advocate for having only one methodology and not two, i.e., the vendor’s and the client’s internal documentation. Look for a vendor that can provide a tailored methodology.

Secondly, the best FCCR information is useless if the organisation cannot distribute it efficiently to the relevant departments and systems. Sending around spreadsheets via email is a recipe for disaster. APIs that are used as a single source of truth are the way to reduce operational risks and increase efficiency.

Q7. Is there a standard/conventional methodology to assess country risk?

This question touches on the comments made earlier regarding modelling and methodology. We apply a scoring-based approach that aggregates underlying indicators into risk sections / topics and then, based on section weights, into a final risk score. The risk score ranges from 0 to 100 where 0 indicates a country with very low inherent risks and a very strong control environment. The risk score is also mapped to risk categories ranging from very low risk / low risk / medium risk / high risk / very high risk and a matching traffic light colour. Our methodology is publicly available and contains details about the selected indicators, section weights and calculation details. Our clients with a bespoke methodology also receive a detailed document.

Q8. How should FIs determine countries in scope for assessment?

We do as described in the Wolfsberg document. We produce ratings for countries with unique ISO3 codes. We do not provide sub-national ratings where data are insufficient.

Q9. How can FIs assess risk ratings for Overseas Countries & Territories and Dependencies (OCTs)?

We provide both options mentioned in the FAQs (i.e., stand-alone FCCR for OCTs or alignment with “parent” country risk ratings). When we align with the “parent” country – what we internally call “jurisdictional mapping” – we also provide a rationale. For instance, in the case of Aland Islands:

  • Aland Islands is a self-governing province and territory of Finland
  • Finnish state law applies when the Aland Parliament does not have legal authority such as foreign affairs, civil and criminal law (including AML/CFT)

In addition, we also take guidance from the FATF country assessments. But we also understand that some clients want to do a stand-alone assessment despite strong legal/constitutional ties with a parent country. 

Q10. How can FIs test and validate the effectiveness of their FCCR Models or Methodologies and how frequently should this be undertaken?

We think this is an organisation-specific decision, but we strongly suggest that model or methodology review should occur annually and reflect any changes arising from a changing risk landscape, new indicators becoming available or changes to the nature of the client’s business.

Q11. How should an FI deal with missing data points?

Missing data for underlying indicators can be a challenge for certain countries. We try to approximate each risk factor by having multiple data sources to broaden country coverage and reduce the reliance on a specific data provider. In addition, we provide a data quality score that is based on the share of available indicators. So on the one hand, countries that fall below a minimum threshold do not receive a final risk category. On the other hand, it’s also safe to assume that such countries do not account for any meaningful share of the global GDP. Several of our clients with tailor-made solutions have assigned the highest or second highest risk category to countries with poor data quality.

Q12. Should overrides or discretionary risk rating changes be allowed?

We completely agree with the Wolfsberg guidance to prevent or limit any discretionary risk rating changes as much as possible. One can justify overrides that are part of the overall methodology like: All countries on the EU high risk third country list are automatically assigned the highest risk category. There is no subjective or ad-hoc override. In our experience, we hear statements like, “A country should be in a certain category”, or “Everybody expects that this country should be in a certain risk category”. Such expressions are often not backed by data or grounded in a methodology that can be rigorously applied across all countries and over time in a consistent way.

Q13. Who should maintain ownership of the FCCR methodology and what kind of resources are required?

We do not have much to add to the Wolfsberg reply, except an observation that organisations can benefit from bringing together different departments to provide input to the topic of FCCR. Many aspects – especially related to any inherent country risks, such as corruption, environmental or social crimes and the like – are not only relevant for the client risk profiling but can also be useful for reputational risk management (where to do business) and investment management (e.g., ESG-aligned investment funds require a similar analysis and data access).

Q14. Who are generally the users of the assessment results and how are the ratings disseminated?

The comment for question 13 also applies here. Besides the “who has access” aspect, we also find the “how access is given” an increasingly relevant question. Often the responsible team simply uploads the approved ratings as a spreadsheet to a shared drive or to an intranet page, and sends the data around via email. We made the point earlier (see question 6) that the lack of a single source of truth can become a substantial source of operational risk; APIs and centrally shared dashboards can mitigate such risks. However, equally important is the manner in which information is shared with various stakeholders. Some may simply need to know the risk category, while others require a deeper understanding of the various risk drivers for conducting a comprehensive client risk due diligence. Similarly, others may need to produce a piece on AML risks for a large number of countries for reporting reasons. We provide three ways for any organisation to disseminate risk ratings. The first is through the Insights platform with a user-friendly dashboard and interface. The second is through an API so that data can be integrated in other systems or business intelligence tools. And finally, through our AI Assistant, where the user can interact with the structured information and generate summaries or write-ups for various use cases.

Q15. How should the FCCR rating methodology drive CDD and EDD requirements?

We find this an interesting point as the country risk input for a client risk rating might be the average of the country risk based on the customer’s country of residence, country of birth and other dimensions. A wide dispersion of relevant country risk scores (e.g., country risk based on residency is low risk because of a “golden” visa scheme versus country risk based on birth is very high risk) need not be, but can be, an indication of risk.

Q16. Should an FI have a country risk assessment expressed as a country risk rating?

At the end of the risk assessment, one needs a clearly defined outcome (e.g., low / medium / high risk). We find that institutions benefit most if the outcome consists of

  • Risk category (e.g., low / medium / high risk) and matching traffic light.
  • A granular risk score (e.g., 0 – 100) that gives additional insights on how far away a country is from the threshold to the next higher / lower risk category.
  • Information about the drivers of the risk score in numeric or verbal form.

Get in touch with us to learn more about how we help organisations with their AML country risk analysis needs.
