
How to Conduct Third-Party Risk Assessments for Suppliers in High-Risk Markets

Africa's foreign direct investment rebounded to $97 billion in 2024 — a 75% increase in a single year — and 12 of the 20 fastest-growing economies globally in 2025 were African, according to the African Development Bank. The Middle East similarly continues to attract cross-border capital at scale. The commercial case for engagement across these regions is well established. The compliance case for how to engage responsibly is less so.

Supplier relationships in high-risk markets introduce exposure that internal controls frequently underestimate. Sanctions violations, undisclosed beneficial ownership, and opaque corporate structures are documented enforcement outcomes — not hypothetical risks. OFAC issued over $262 million in civil penalties in 2025 alone, with several of the largest actions tracing back to a single failure: inadequate identification of the beneficial owner behind a third-party relationship.

A robust third-party risk management framework does not eliminate this exposure, but it creates the governance infrastructure to identify, escalate, and mitigate it before it becomes a liability.

Why High-Risk Markets Demand a Different Approach to TPRM

Standard vendor due diligence processes — designed for mature, well-documented corporate environments — are structurally inadequate for high-risk jurisdictions. Three factors drive this inadequacy.

Corporate registry gaps. In many markets across the Middle East and Africa, beneficial ownership disclosure requirements are nascent or inconsistently enforced. Corporate registries may be incomplete, manually maintained, or not publicly accessible. A supplier may present a clean registration certificate while operating through layers of nominee shareholders that obscure the true controlling party.

Regulatory fragmentation. Compliance obligations in high-risk markets are rarely unified. A supply chain spanning Egypt, Nigeria, and the UAE simultaneously requires alignment with FATF mutual evaluation frameworks, local central bank guidance, and the extraterritorial reach of the EU's Anti-Money Laundering Directives and the U.S. Foreign Corrupt Practices Act (FCPA). Each jurisdiction adds a layer of complexity that a single-template assessment cannot adequately address.

Dynamic risk environments. Political transitions, sanctions designations, and financial intelligence disclosures move quickly. As of the February 2026 FATF Plenary, 23 jurisdictions remain under increased monitoring — with Kuwait and Papua New Guinea newly added — and three countries (Iran, North Korea, and Myanmar) remain on the FATF blacklist subject to counter-measures. A supplier that passed assessment at onboarding may be materially different six months later. Static, point-in-time assessments are operationally insufficient in this environment.

The Core Framework: Five Stages of Third-Party Risk Assessment

A credible third-party risk management program for suppliers in high-risk markets is built on five sequential stages: scoping, risk tiering, due diligence, approval, and ongoing monitoring.

Stage 1 — Supplier Scoping and Risk Classification

The first step is defining who requires assessment and at what depth. Not every supplier carries equivalent risk. A company providing office supplies in a low-risk jurisdiction presents a fundamentally different profile than a logistics intermediary operating along a corridor flagged for illicit financial flows.

Risk tiering frameworks typically classify suppliers across three bands — high, medium, and low — based on factors including: the jurisdictions in which the supplier operates, the nature of the goods or services provided, the financial value and strategic criticality of the relationship, and whether the supplier handles funds, data, or regulated activities on behalf of the engaging organization.

High-risk tier suppliers in high-risk markets should trigger the most intensive due diligence protocols, including UBO identification to the natural person level, adverse media screening, sanctions and PEP checks, and in some cases, enhanced due diligence requiring in-country verification.


Stage 2 — Identity Verification and Beneficial Ownership Analysis

For suppliers operating in high-risk jurisdictions, entity-level verification must go beyond surface-level checks. This stage involves confirming the legal existence and standing of the supplier, mapping the corporate ownership structure to identify all entities with a 10% or greater ownership interest (or the threshold defined by applicable regulation), and identifying the ultimate beneficial owners — the natural persons who ultimately own or control the entity.

In markets where corporate registries are limited, this process requires cross-referencing multiple data sources: commercial databases, company registries where available, court records, gazette announcements, and intelligence derived from local networks. The Financial Action Task Force's Recommendations 10 and 22 establish the baseline obligation for beneficial ownership transparency, and regulators increasingly expect institutions to evidence genuine investigative effort rather than relying solely on self-declared ownership structures.
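The ownership-mapping step above (direct stakes multiplied through each layer until a natural person is reached, then tested against a 10% threshold) can be written down as a small graph computation. The block below is an added illustration, not code from the article; the entity names, stakes and the nominee layer are constructed, and the assumption that the structure contains no cross-holdings is labelled in the code. It also reports the slice of the target that no filing traces to any holder, since an unexplained gap is the kind of signal a reviewer wants surfaced rather than silently ignored.

```python
"""Effective ownership through layered structures.

Added illustration of the ownership-mapping step described above; not code
from the original article. The entities, stakes and the 10% threshold are
constructed sample values, and the graph is assumed to be acyclic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Holding:
    holder: str      # entity or natural person holding the shares
    subject: str     # entity whose shares are held
    fraction: float  # direct stake, 0.0 to 1.0


@dataclass
class OwnershipMap:
    effective: dict    # holder -> effective stake in the target (direct x indirect)
    ubos: list         # natural persons at or above the threshold
    undisclosed: dict  # entity -> slice of the target not traced to any holder


# Constructed sample structure (hypothetical names): two holding companies,
# a nominee layer over HoldCo A, and 10% of HoldCo B that no filing explains.
NATURAL_PERSONS = {"Person X", "Person Y"}
SAMPLE_HOLDINGS = [
    Holding("HoldCo A", "SupplierCo", 0.60),
    Holding("HoldCo B", "SupplierCo", 0.40),
    Holding("Nominee Ltd", "HoldCo A", 1.00),
    Holding("Person X", "Nominee Ltd", 1.00),
    Holding("Person X", "HoldCo B", 0.15),
    Holding("Person Y", "HoldCo B", 0.75),
]


def map_ownership(holdings, target, natural_persons, threshold=0.10):
    """Resolve every holder's effective stake in `target`; flag UBOs and gaps."""
    by_holder = defaultdict(list)
    by_subject = defaultdict(list)
    for h in holdings:
        by_holder[h.holder].append(h)
        by_subject[h.subject].append(h)

    memo = {}

    def effective(node, path=()):
        # Effective stake = sum over each direct holding of (fraction held) x
        # (stake the held entity itself has in the target). Cross-holdings
        # would need circular-ownership treatment and are rejected here.
        if node == target:
            return 1.0
        if node in path:
            raise ValueError(f"circular holding through {node}")
        if node not in memo:
            memo[node] = sum(h.fraction * effective(h.subject, path + (node,))
                             for h in by_holder[node])
        return memo[node]

    stakes = {holder: round(effective(holder), 4) for holder in by_holder}
    ubos = sorted(p for p, s in stakes.items()
                  if p in natural_persons and s >= threshold)

    # An entity whose disclosed holders account for less than 100% of its
    # shares leaves an untraced slice; express it as a share of the target so
    # the reviewer can see whether the gap alone could conceal a 10% owner.
    undisclosed = {}
    for entity in set(by_subject) | {target}:
        gap = 1.0 - sum(h.fraction for h in by_subject[entity])
        if gap > 1e-9:
            undisclosed[entity] = round(gap * effective(entity), 4)
    return OwnershipMap(stakes, ubos, undisclosed)


if __name__ == "__main__":
    result = map_ownership(SAMPLE_HOLDINGS, "SupplierCo", NATURAL_PERSONS)
    print("effective stakes:", result.effective)
    print("UBOs at/above 10%:", result.ubos)
    print("untraced share of target:", result.undisclosed)
```

On the sample structure Person X holds 66% of SupplierCo once the nominee layer is collapsed, Person Y holds 30%, and 4% of the target traces to nobody because 10% of HoldCo B is undisclosed. That last figure is the one to chase in registry, gazette and court sources before treating the ownership analysis as complete.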

The 2025 OFAC enforcement record reinforces this point directly. Several enforcement actions, including the $1.09 million December 2025 settlement with a former trust fiduciary, explicitly identified the use of legal structures — trusts, holding companies, nominee arrangements — to conceal a blocked person's beneficial interest. Regulators treat the failure to identify such structures as an aggravating factor, not an oversight.

Politically exposed persons (PEPs) and their associates warrant particular attention. Suppliers with PEP-connected ownership in jurisdictions with high Corruption Perceptions Index scores — Transparency International's CPI 2025 recorded a new global low average of 42 out of 100, with 122 of 182 countries scoring below 50 — present an escalated profile that should trigger senior management sign-off.

Stage 3 — Jurisdictional and Sanctions Risk Assessment

Assessing the jurisdictional risk profile of a supplier requires more than checking whether the country appears on a watchlist. It involves evaluating the regulatory environment of every jurisdiction where the supplier operates, is registered, or has significant business relationships.

Key reference frameworks include FATF's updated grey and black list publications (issued three times annually), the Corruption Perceptions Index published by Transparency International, the Basel AML Index 2025, and bilateral sanctions regimes maintained by OFAC, the UN Security Council, the EU, and HM Treasury. Where a supplier operates across multiple flagged jurisdictions, risk scores compound rather than cancel.

Notably, the Basel AML Index 2025 also introduced a more refined three-tier risk categorisation, replacing an overcrowded middle band. For compliance teams, this supports more proportionate, risk-calibrated controls rather than binary "high-risk vs. everyone else" approaches — a shift that also reflects FATF's growing emphasis on proportionality in risk-based frameworks.

Sanctions screening must cover not only the supplier entity itself but its directors, shareholders, and beneficial owners against consolidated screening lists. Name-matching algorithms that fail to account for transliteration variations — a particularly relevant concern in Arabic-language markets — introduce gaps that regulators do not accept as mitigating factors.
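To make the transliteration point concrete, the block below places a naive exact-match screen beside a screen that reduces Latin-script renderings of Arabic names to consonant skeletons before comparing them. It is an added example, not the article's or any vendor's algorithm; the list entries and query names are constructed, and the normalisation rules are a deliberately simplified heuristic whose trade-offs are noted in the comments.

```python
"""Transliteration-aware name screening beside an exact-match baseline.

Added illustration of the point above (exact matching misses transliteration
variants); not code from the original article. SAMPLE_LIST and the query
names are constructed, and the rules are a simplified heuristic.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample screening list (hypothetical names).
SAMPLE_LIST = [
    "Muhammad Abd al-Rahman al-Sayyid",
    "Yusuf bin Ahmad al-Qasimi",
    "Thandiwe Mokoena",
]


def normalise(name):
    """Reduce a Latin-script rendering of a name to consonant-skeleton tokens."""
    # Strip diacritics (e.g. Ḥusayn -> Husayn) and lower-case.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"[^a-z\s-]", " ", text)
    # Split fused compounds (Abdelrahman, Abdurrahman, Abdul Rahman) into "abd rahman".
    text = re.sub(r"\babd(?:ul|el|al|ur|ar)?[- ]?", "abd ", text)
    # Drop the definite article whether detached (al-Sayyid) or fused (Elsayed).
    # The fused rule is recall-oriented and will also clip e.g. "alexander".
    text = re.sub(r"\b(?:al|el)[- ]", "", text)
    text = re.sub(r"\b(?:al|el)(?=[a-z]{4,})", "", text)
    # Patronymic particles carry no identifying information for matching.
    text = re.sub(r"\b(?:bin|ibn|bn|ben|bint)\b", " ", text)
    skeletons = []
    for tok in text.replace("-", " ").split():
        tok = re.sub(r"(.)\1+", r"\1", tok)                # mohammed -> mohamed
        tok = tok.replace("q", "k").replace("ph", "f")     # qasimi / kasimi
        tok = tok[0] + re.sub(r"[aeiou]", "", tok[1:])     # drop short vowels
        if tok:
            skeletons.append(tok)
    return skeletons


def similarity(a, b):
    """Mean best-match ratio over tokens, penalised for unmatched tokens."""
    if not a or not b:
        return 0.0
    total = sum(max(SequenceMatcher(None, x, y).ratio() for y in b) for x in a)
    return total / max(len(a), len(b))


def exact_screen(name, screening_list):
    """The baseline that transliteration variants slip past."""
    return [e for e in screening_list if e.lower() == name.lower()]


def screen(name, screening_list, threshold=0.85):
    """Return (entry, score) pairs whose skeleton similarity meets the threshold."""
    query = normalise(name)
    hits = []
    for entry in screening_list:
        score = similarity(query, normalise(entry))
        if score >= threshold:
            hits.append((entry, round(score, 2)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for q in ("Mohamed Abdelrahman Elsayed", "Ahmed Hassan"):
        print(q, "->", normalise(q))
        print("  exact:", exact_screen(q, SAMPLE_LIST))
        print("  fuzzy:", screen(q, SAMPLE_LIST))
```

"Mohamed Abdelrahman Elsayed" and "Muhammad Abd al-Rahman al-Sayyid" normalise to the same four skeletons and score 1.0, while the exact screen returns nothing; "Ahmed Hassan" stays clear of every entry. The design choice is to push recall up and let a reviewer adjudicate the extra alerts, since a screen tuned to avoid false positives at the cost of missing a designated party is the gap the paragraph above describes. Threshold and rules should be tuned on the organisation's own alert data.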

Stage 4 — Adverse Media, Integrity, and Reputational Screening

Structured data sources — sanctions lists, registry filings, court records — capture formal designations and legal outcomes. They do not capture emerging risk signals: regulatory investigations that have not yet concluded, credible journalistic reporting on fraud or corruption, or associations with entities that have subsequently been designated.

Adverse media screening addresses this gap. A systematic review of negative news coverage, structured around risk categories including financial crime, fraud, corruption, human rights violations, and environmental breaches, provides a qualitative intelligence layer that complements the quantitative screening process.

For suppliers in markets with constrained press freedom or limited English-language coverage, adverse media screening must extend to Arabic, French, Swahili, Amharic, and other relevant languages. Relying exclusively on English-language sources in an assessment covering North or West Africa materially limits the intelligence gathered.


Stage 5 — Continuous Monitoring and Periodic Review

Third-party risk is not static. The most significant enforcement failures in recent years have involved relationships that were initially compliant but deteriorated over time — ownership changed, sanctions were imposed on previously clean counterparts, or investigations surfaced months after onboarding was complete.

A credible TPRM program treats supplier approval as the beginning of the risk management cycle, not the end. Continuous monitoring involves automated alerts when a supplier or its beneficial owners appear on updated sanctions lists, trigger-based re-screening when material changes occur (ownership restructuring, jurisdiction changes, contract expansions), and scheduled periodic reviews calibrated to risk tier — annually for high-risk suppliers, bi-annually or on-event for medium-risk.
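The tiering factors listed under Stage 1 and the monitoring cadence described here fit together as one small policy engine: score the supplier, derive a tier, and from the tier derive the review interval, with material-change events forcing a re-screen regardless of the calendar. The block below is an added worked example, not the article's own code. The point values, band cut-offs, review intervals and the flagged-jurisdiction set are assumed policy values (the "bi-annual" medium-risk cadence is read as every two years, consistent with high-risk being annual), and both suppliers are constructed.

```python
"""Risk tiering plus a risk-calibrated monitoring schedule.

Added worked example covering the Stage 1 tiering factors and the Stage 5
monitoring cadence; not the article's own code. Points, bands, intervals and
the flagged-jurisdiction set are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(str, Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


@dataclass
class Supplier:
    name: str
    jurisdictions: list          # ISO codes where it operates or is registered
    handles_funds_or_data: bool  # holds funds or data on the firm's behalf
    regulated_activity: bool
    annual_value_usd: float
    ubo_resolved: bool           # every UBO identified to natural-person level
    pep_connected: bool


@dataclass
class Assessment:
    tier: Tier
    score: int
    reasons: list
    senior_signoff: bool         # escalate before any commercial decision


# Assumed policy values. "XX"/"YY" are placeholder codes for jurisdictions the
# firm's own risk policy flags; they do not reproduce any official list.
FLAGGED_JURISDICTIONS = {"XX", "YY"}
REVIEW_INTERVAL = {
    Tier.HIGH: timedelta(days=365),    # annual
    Tier.MEDIUM: timedelta(days=730),  # every two years
    Tier.LOW: timedelta(days=1095),    # every three years
}
TRIGGER_EVENTS = {"ownership_change", "jurisdiction_change",
                  "contract_expansion", "sanctions_list_match"}


def classify(s):
    """Additive scoring over the tiering factors; the bands are policy choices."""
    score, reasons = 0, []
    flagged = sorted(set(s.jurisdictions) & FLAGGED_JURISDICTIONS)
    if flagged:
        score += 3 * len(flagged)
        reasons.append("flagged jurisdictions: " + ", ".join(flagged))
    if s.handles_funds_or_data:
        score += 2
        reasons.append("handles funds or data")
    if s.regulated_activity:
        score += 2
        reasons.append("regulated activity")
    if s.annual_value_usd > 1_000_000:
        score += 1
        reasons.append("contract value above USD 1m")
    if not s.ubo_resolved:
        score += 3
        reasons.append("beneficial ownership unresolved")
    if s.pep_connected:
        score += 2
        reasons.append("PEP-connected ownership")
    tier = Tier.HIGH if score >= 6 else Tier.MEDIUM if score >= 3 else Tier.LOW
    # Unresolved ownership, or PEP exposure inside a flagged jurisdiction,
    # cannot be cleared at the standard review level.
    signoff = (not s.ubo_resolved) or (s.pep_connected and bool(flagged))
    return Assessment(tier, score, reasons, signoff)


def due_actions(tier, last_review, last_screen, events, today):
    """Periodic review by tier, plus trigger-based re-screening on material change."""
    actions = []
    if today - last_review >= REVIEW_INTERVAL[tier]:
        actions.append("periodic review due")
    for when, kind in sorted(events):          # events are (date, kind) pairs
        if kind in TRIGGER_EVENTS and when > last_screen:
            actions.append(f"re-screen: {kind} on {when.isoformat()}")
    return actions


# Constructed sample suppliers.
LOGISTICS = Supplier("Corridor Logistics (sample)", ["XX", "AE"], True, False,
                     2_500_000, False, True)
STATIONERY = Supplier("Office Supplies (sample)", ["GB"], False, False,
                      40_000, True, False)

if __name__ == "__main__":
    for s in (LOGISTICS, STATIONERY):
        a = classify(s)
        print(s.name, a.tier.value, a.score, a.senior_signoff, a.reasons)
    print(due_actions(Tier.HIGH, date(2025, 1, 15), date(2025, 6, 1),
                      [(date(2025, 9, 10), "ownership_change")], date(2026, 2, 1)))
```

The logistics intermediary scores 11, lands in the high tier and is routed to senior sign-off because its ownership is unresolved and it has PEP exposure in a flagged jurisdiction; the stationery supplier scores 0. For a high-tier supplier last reviewed in January 2025 and last screened in June, an ownership change in September produces both a re-screen action and, once the year has elapsed, a periodic-review action, which is the "approval is the beginning of the cycle" behaviour the paragraph above calls for.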

The pace of sanctions list changes alone justifies this approach. OFAC published 1,876 sanctions list update notices through June 2026, spanning counter-terrorism, Iran-related, Russia-related, and DRC-related programs, among others. Compliance teams operating on static schedules cannot adequately track this volume of change.

Building the Governance Infrastructure

A technically sound assessment process without appropriate governance architecture produces inconsistent outcomes. Three governance elements are essential for a defensible TPRM program.

Clear escalation pathways ensure that suppliers who cannot be cleared at a standard review level — due to unresolved ownership questions, adverse media hits, or sanctions proximity — are elevated to senior compliance or legal review before a commercial decision is made. The escalation path should be documented, not ad hoc.

Documented rationale for approval decisions protects organizations during regulatory examination. OFAC's Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501, Appendix A) explicitly treat the absence of a documented compliance program as an aggravating factor. In 2025, OFAC also extended its sanctions-related record-keeping requirements from five to ten years — a clear signal that regulators expect durable, longitudinal compliance documentation, not point-in-time snapshots.

Data quality standards determine the reliability of the entire assessment. Where data is derived from commercial intelligence providers, procurement teams and compliance officers need assurance about the source, currency, and methodology behind the data — particularly in markets where local company registries are unreliable or inaccessible.

Conclusion

Conducting third-party risk assessments for suppliers in high-risk markets is no longer simply a compliance requirement. As organizations expand across emerging markets, supplier due diligence has become a critical component of operational resilience, corporate governance, and sustainable growth.

A robust Third-Party Risk Management (TPRM) framework combines risk-based supplier classification, beneficial ownership verification, sanctions and adverse media screening, and continuous monitoring. Together, these measures help organizations identify emerging risks, make informed decisions, and maintain visibility throughout the supplier lifecycle.

For businesses operating across the Middle East and Africa, balancing opportunity with risk requires access to reliable information. In markets where transparency varies and public records may be fragmented, high-quality business intelligence remains the foundation of effective third-party risk management.


Question & Answer


What is third-party risk management (TPRM)?

Third-party risk management (TPRM) is the structured process by which organizations identify, assess, monitor, and mitigate risks arising from their relationships with external parties — including suppliers, vendors, distributors, agents, and service providers. A TPRM program encompasses due diligence at onboarding, continuous monitoring throughout the relationship lifecycle, and defined escalation and remediation processes for identified risks. In high-risk markets, TPRM frameworks must address sanctions exposure, beneficial ownership opacity, corruption risk, and jurisdictional regulatory complexity.

What is a third-party risk assessment?

A third-party risk assessment is a structured evaluation of the risk profile of an external supplier or business partner before or during a commercial relationship. It typically covers identity verification, beneficial ownership analysis, sanctions and PEP screening, adverse media review, and jurisdictional risk evaluation. Assessments are calibrated to the risk tier of the relationship — high-value or high-risk suppliers receive enhanced due diligence, while lower-risk relationships may require only standard checks.

Why is supplier risk management more complex in high-risk markets?

Supplier risk management in high-risk markets is more complex for three principal reasons: corporate registry data is frequently incomplete or inaccessible; regulatory requirements span multiple, sometimes conflicting, jurisdictions; and the pace of sanctions designations and political change means that risk profiles can shift significantly between periodic reviews. As of February 2026, FATF maintains 23 countries on its grey list and 3 on its blacklist. Standard due diligence processes designed for mature markets are structurally insufficient for jurisdictions with elevated AML, corruption, or sanctions risk.

What information is required to verify beneficial ownership in high-risk jurisdictions?

Verifying beneficial ownership in high-risk jurisdictions typically requires identifying all natural persons who own or control 10% or more of the entity (or the applicable regulatory threshold), cross-referencing ownership claims against multiple data sources — including commercial databases, registry filings, gazette records, and court documents — and confirming that no identified beneficial owner appears on sanctions, PEP, or adverse media watchlists. Where local registries are incomplete, enhanced due diligence may involve in-country verification or engagement with specialist business intelligence providers.

How often should third-party risk assessments be repeated?

The frequency of third-party risk assessment reviews should be determined by the risk tier of the supplier. High-risk suppliers — those operating in flagged jurisdictions, handling regulated activities, or presenting complex ownership structures — should be reviewed at minimum annually, with real-time monitoring for sanctions and adverse media between reviews. Medium-risk suppliers typically require bi-annual review. Trigger-based re-screening should be conducted whenever a material change occurs, including changes in ownership, jurisdiction, contract scope, or the regulatory environment.

What is the difference between TPRM and vendor due diligence?

Vendor due diligence typically refers to the point-in-time assessment conducted before entering a relationship — verifying the supplier's legal standing, financial health, and compliance profile. TPRM is a broader, ongoing governance program that encompasses initial due diligence, continuous monitoring, periodic review, escalation protocols, and documented risk acceptance decisions across the entire lifecycle of the third-party relationship.

Which regulators require organizations to manage third-party risk?

Multiple regulatory frameworks impose third-party risk management obligations. The FATF Recommendations establish baseline due diligence requirements for third-party relationships. The EU's Anti-Money Laundering Directives impose enhanced due diligence obligations for relationships involving high-risk third countries. OFAC's Economic Sanctions Enforcement Guidelines — with record-keeping requirements extended to ten years in 2025 — hold institutions liable for violations involving third parties where adequate due diligence was not conducted. The UK's Money Laundering Regulations and Bribery Act extend third-party compliance obligations throughout the supply chain.