Country Risk
Geographic location is a key factor in compliance risk assessment. TrustGate provides comprehensive country risk management based on sanctions, corruption indices, and AML effectiveness.
Risk Categories
Sanctioned Countries
Countries with comprehensive sanctions programs:
| Category | Countries | Risk Impact |
|---|---|---|
| OFAC Comprehensive | Cuba, Iran, North Korea, Syria, Crimea | +50 |
| OFAC Sectoral | Russia, Venezuela | +30 |
| EU Sanctions | Belarus, Myanmar | +35 |
| UN Sanctions | Various | +40 |
High-Risk Countries
Countries with elevated AML/CFT risk:
| Category | Criteria | Risk Impact |
|---|---|---|
| FATF High-Risk | Countries on FATF blacklist | +25 |
| FATF Increased Monitoring | Countries on FATF grey list | +15 |
| High Corruption | CPI score < 30 | +20 |
| Tax Haven | Non-cooperative jurisdictions | +10 |
Current FATF Lists (October 2025)
Black List (Call for Action):
- Iran (IR)
- North Korea (KP)
- Myanmar (MM)
Grey List (Increased Monitoring) - 21 Countries:
| Country | Code | Risk Score |
|---|---|---|
| Syria | SY | 85 |
| Yemen | YE | 80 |
| South Sudan | SS | 75 |
| Lebanon | LB | 70 |
| Venezuela | VE | 70 |
| DR Congo | CD | 65 |
| Haiti | HT | 65 |
| Algeria | DZ | 60 |
| Angola | AO | 60 |
| Bolivia | BO | 60 |
| Cameroon | CM | 60 |
| Cote d'Ivoire | CI | 60 |
| Lao PDR | LA | 60 |
| Vietnam | VN | 60 |
| British Virgin Islands | VG | 55 |
| Bulgaria | BG | 55 |
| Kenya | KE | 55 |
| Namibia | NA | 55 |
| Nepal | NP | 55 |
| Monaco | MC | 50 |
Removed from Grey List (2025):
- Philippines (Feb 2025)
- Croatia, Mali, Tanzania (June 2025)
- Burkina Faso, Mozambique, Nigeria, South Africa (Oct 2025)
API Endpoints
All jurisdiction risk endpoints are under /api/v1/jurisdiction-risk.
Get Country Risk Rating
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/{country_code}" \
-H "Authorization: Bearer YOUR_API_KEY"
The country_code must be an ISO 3166-1 alpha-2 code (2 characters, e.g. US, RU, IR).
Response
{
"country_code": "RU",
"country_code_alpha3": "RUS",
"country_name": "Russia",
"risk_tier": "high",
"is_blocked": false,
"edd_required": true,
"block_reason": null,
"edd_reason": "OFAC sectoral sanctions and FATF increased monitoring",
"contributing_lists": [
{
"source": "ofac_sectoral",
"tier": "high",
"category": "sectoral_sanctions",
"version_id": "OFAC-SDN-2026-01"
},
{
"source": "fatf_grey",
"tier": "high",
"category": "greylist",
"version_id": "FATF-GREY-2026-01"
}
],
"list_versions_consulted": [...],
"effective_at": "2026-01-15T00:00:00Z",
"tenant_override": null
}
If a tenant-specific override has been approved, the tenant_override field will contain the override details.
List Countries by Risk Tier
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/" \
-H "Authorization: Bearer YOUR_API_KEY"
By default this returns only blocked and high tier countries. Use query parameters to filter:
| Parameter | Type | Description |
|---|---|---|
tier | string | Filter by risk tier: blocked, high, medium |
include_medium | boolean | Include medium-risk countries (default false) |
Example -- list only high-risk countries:
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/?tier=high" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"blocked": [],
"high": [
{
"country_code": "RU",
"country_name": "Russia",
"risk_tier": "high",
"is_blocked": false,
"edd_required": true,
"edd_reason": "OFAC sectoral sanctions",
"contributing_lists": [
{
"source": "ofac_sectoral",
"tier": "high",
"category": "sectoral_sanctions"
}
]
}
],
"medium": [],
"total_count": 12
}
List Blocked Countries
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/blocked" \
-H "Authorization: Bearer YOUR_API_KEY"
Returns an array of countries where onboarding is prohibited (comprehensive sanctions, FATF blacklist).
Response
[
{
"country_code": "KP",
"country_name": "North Korea",
"risk_tier": "blocked",
"is_blocked": true,
"edd_required": false,
"block_reason": "OFAC comprehensive sanctions program",
"contributing_lists": [
{
"source": "ofac_comprehensive",
"tier": "blocked",
"category": "comprehensive_sanctions"
}
]
}
]
Get Active List Versions (Audit)
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/lists/versions" \
-H "Authorization: Bearer YOUR_API_KEY"
Returns which versions of each source list are currently active, for audit trail purposes. Optionally filter by source:
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/lists/versions?source=fatf_grey" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"active_lists": 5,
"lists": [
{
"source": "fatf_grey",
"source_authority": "FATF",
"version_id": "FATF-GREY-2026-01",
"country_count": 21,
"published_at": "2025-10-25T00:00:00Z",
"retrieved_at": "2026-01-15T12:00:00Z"
}
]
}
Tenant Overrides
Tenants can request country-specific risk overrides. Overrides require dual approval -- the approver must be a different user from the requester.
Request an Override
curl -X POST "https://api.bytrustgate.com/api/v1/jurisdiction-risk/overrides" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"country_code": "NG",
"override_tier": "high",
"override_blocked": false,
"override_edd_required": true,
"override_reason": "Elevated fraud risk in our customer base - internal analysis supports higher tier",
"expires_at": "2026-07-01T00:00:00Z"
}'
| Field | Type | Required | Description |
|---|---|---|---|
country_code | string | Yes | ISO 3166-1 alpha-2 code |
override_tier | string | No | Override risk tier (blocked, high, medium, low) |
override_blocked | boolean | No | Override blocked status |
override_edd_required | boolean | No | Override EDD requirement |
override_reason | string | Yes | Justification (minimum 10 characters) |
expires_at | datetime | No | Optional expiry date for the override |
The override is created with approval_status: "pending" and does not take effect until approved.
Response
{
"id": "a1b2c3d4-...",
"tenant_id": "...",
"country_code": "NG",
"country_name": "Nigeria",
"override_tier": "high",
"override_blocked": false,
"override_edd_required": true,
"override_reason": "Elevated fraud risk in our customer base - internal analysis supports higher tier",
"requested_by": "user-uuid-...",
"approved_by": null,
"approved_at": null,
"approval_status": "pending",
"rejection_reason": null,
"effective_at": "2026-01-20T14:30:00Z",
"expires_at": "2026-07-01T00:00:00Z",
"created_at": "2026-01-20T14:30:00Z",
"updated_at": "2026-01-20T14:30:00Z"
}
List Overrides
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/overrides" \
-H "Authorization: Bearer YOUR_API_KEY"
Optionally filter by status:
curl -X GET "https://api.bytrustgate.com/api/v1/jurisdiction-risk/overrides?status=pending" \
-H "Authorization: Bearer YOUR_API_KEY"
| Parameter | Type | Description |
|---|---|---|
status | string | Filter by status: pending, approved, rejected |
Approve or Reject an Override
curl -X POST "https://api.bytrustgate.com/api/v1/jurisdiction-risk/overrides/{override_id}/approve" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"approved": true
}'
To reject, provide a reason:
curl -X POST "https://api.bytrustgate.com/api/v1/jurisdiction-risk/overrides/{override_id}/approve" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"approved": false,
"rejection_reason": "Insufficient justification for lowering risk tier"
}'
Dual approval enforcement: The approving user must be different from the user who requested the override. Attempting to approve your own override returns a 403 error.
Residence vs Nationality
Different risk weights can apply:
| Factor | Description | Typical Weight |
|---|---|---|
| Nationality | Country of citizenship | Higher weight |
| Residence | Current country of residence | Standard weight |
| Birth Country | Country of birth | Lower weight |
| Address Country | Provided address location | Standard weight |
Risk Data Sources
TrustGate aggregates data from:
| Source | Data Provided |
|---|---|
| OFAC | US sanctions lists and programs |
| EU Sanctions | European Union consolidated list |
| UN Sanctions | United Nations Security Council |
| FATF | AML/CFT effectiveness ratings |
| Transparency International | Corruption Perception Index |
| Tax Justice Network | Financial secrecy rankings |
| World Bank | Governance indicators |
Updates and Monitoring
Automatic Updates
Country risk data updates automatically:
- Sanctions lists: Real-time
- FATF status: When published (typically quarterly)
- CPI scores: Annually
- Internal scoring: Monthly review
Country Risk Alerts
Get notified of changes by configuring a webhook:
curl -X POST https://api.bytrustgate.com/api/v1/webhooks \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-system.com/webhooks",
"events": ["country_risk.updated", "country_risk.sanctions_change"],
"active": true
}'
Alert Payload
{
"event": "country_risk.updated",
"country_code": "VE",
"previous_risk_level": "high",
"new_risk_level": "critical",
"change_reason": "New OFAC sanctions program announced",
"effective_date": "2025-01-20",
"affected_applicants_count": 45
}
Using Workflow Rules with Country Risk
You can create workflow rules that automatically act on jurisdiction risk signals. See the Workflow Rules documentation for full details.
Example: auto-escalate applicants from high-risk countries by creating a rule via POST /api/v1/workflows/rules with conditions that check the applicant's country risk tier.
Best Practices
- Review regularly: Check country risk settings quarterly
- Document rationale: Record reasons for custom overrides (the override reason field is mandatory)
- Monitor changes: Subscribe to sanctions and FATF updates via webhooks
- Use dual approval: All overrides require a second reviewer by design
- Audit trail: Use the
/jurisdiction-risk/lists/versionsendpoint to verify which source list versions are active - Train staff: Ensure team understands geographic restrictions
Next Steps
- About Risk Scoring - Overview
- Risk Factors - All risk factors
- Workflow Rules - Automate decisions