Most international businesses do not think about sanctions until they encounter them. And when they encounter them, the encounter is rarely what they expected. Not a formal finding. Not a letter from a regulator. Not an allegation. Something quieter and in many ways harder to respond to: a payment that does not arrive, a correspondent bank that has stopped processing, a relationship manager who explains, carefully, that the bank is no longer comfortable with certain transaction flows.
The business has done nothing wrong. It is not on any list. Its counterparties are not on any list. And yet something that looks and feels like a sanctions consequence has happened. Understanding why — and what to do about it — requires a clearer picture of how sanctions exposure actually operates than most business owners have.
This distinction is fundamental, and the failure to understand it is the source of most of the confusion I see.
Sanctions, in the strict sense, are legal prohibitions. A designated person or entity — one whose name appears on a sanctions list maintained by a competent authority — is prohibited from conducting certain activities, and others are prohibited from dealing with them. The prohibitions are specific, the lists are published, and a business that conducts proper screening against those lists and finds no matches has, in the strict legal sense, no sanctions problem.
Sanctions exposure is different. It is not a legal concept. It is a risk management concept — one that describes the degree to which a business, its structure, its counterparties, or its transaction flows create the possibility of contact with sanctioned activity, whether direct or indirect.
A business that has no sanctioned counterparties may nonetheless have high sanctions exposure. It may operate in a jurisdiction subject to broad sectoral sanctions — where the prohibition is not on specific named persons but on categories of activity within that country. It may have counterparties who are themselves in commercial relationships with entities in sanctioned jurisdictions, creating an indirect connection that is several degrees removed from the business itself but still visible on the transaction record. It may have a corporate structure that includes an entity in a jurisdiction whose banking relationships with the wider world are constrained because correspondent banks have decided that the sanctions risk of maintaining those relationships exceeds the value of the business they generate.
None of these conditions require the business to have done anything wrong. They are structural and relational — the product of where the business operates, how it is organised, and who it deals with. And they are the conditions that determine, far more than legal compliance alone, how a bank or a payment processor or a correspondent institution will treat the business.
A bank assessing the sanctions risk of a client relationship is not conducting a legal analysis. It is conducting a risk assessment — one that asks not whether the client has violated sanctions law but whether the relationship creates an exposure that the bank's compliance framework cannot comfortably absorb.
That assessment operates at several levels simultaneously.
The first is the client itself. Who is the beneficial owner? What is the nationality, the jurisdiction of residence, the business history? Are any of these factors associated with sanctioned jurisdictions, sanctioned sectors, or patterns of activity that appear in the bank's internal risk typologies?
The second is the client's counterparties. Where do the client's funds come from, and where do they go? Which jurisdictions appear in the transaction record? A single transaction with a counterparty in a jurisdiction under broad sectoral sanctions can change the risk classification of an entire banking relationship, regardless of whether that transaction was itself prohibited.
The third is the structure. Does the corporate architecture include entities in jurisdictions that create correspondent banking limitations? Does the ownership chain pass through jurisdictions that other banks have designated as elevated risk? Does the structure create beneficial ownership uncertainty — a configuration in which the ultimate controller of the assets is not immediately apparent from the documentation?
Each of these levels is assessed not as a binary — sanctioned or not — but as a spectrum of exposure. A bank operating under conservative de-risking policies will set the threshold for acceptable exposure low. A bank operating in a more permissive environment will set it higher. But the threshold is always there, and businesses that do not understand where they sit relative to it will be surprised when they encounter it.
Geography is the most significant single driver of sanctions exposure for the international businesses I work with — and the one most often misunderstood.
The misunderstanding takes a specific form. A business that has no operations in a sanctioned jurisdiction, no counterparties there, and no transactions flowing through it believes that its jurisdictional exposure is negligible. What it has not accounted for is the effect of its corporate structure on how correspondent banks — the major banks that process international payments — perceive the jurisdictions in which its legal entities are incorporated or registered.
A company incorporated in a jurisdiction that appears on the internal country risk matrices of major correspondent banks as elevated — not necessarily because it is sanctioned, but because of its regulatory environment, its historical association with financial crime typologies, or its designation by bodies such as the Financial Action Task Force — will find that its payment flows are subject to greater scrutiny, slower processing, and higher rates of rejection than the same flows from a company incorporated in a lower-risk jurisdiction. This is not a sanctions consequence in the strict legal sense. It is a sanctions exposure consequence — the cost, in operational terms, of being located in a jurisdiction that carries elevated risk perception.
For international groups with entities in multiple jurisdictions, the effect is cumulative. The jurisdictional risk profile of the group as a whole reflects the jurisdictional risk profile of its most exposed elements. A group that has a clean operating history and straightforward commercial relationships but that includes an entity in a jurisdiction with elevated risk perception will find that the elevated perception applies, to some degree, to the group as a whole — unless the structure is designed to separate the elements that carry elevated risk from those that need to be protected.
The sanctions consequences that most surprise business owners are not those arising from their own activities. They are those arising from the activities of their counterparties — and, more specifically, from the activities of their counterparties' counterparties.
Modern sanctions enforcement, particularly in the United States and the European Union, operates through what is sometimes described as secondary exposure: the risk that dealing with a party that itself deals with a sanctioned entity creates regulatory exposure for the business that initiated the original relationship. The practical effect — the effect that banks act on in their compliance frameworks — is that transaction flows passing through jurisdictions or institutions with elevated sanctions risk are treated with additional caution regardless of whether the specific transaction is itself prohibited.
For a business conducting trade across multiple jurisdictions, this means that the sanctioned or elevated-risk portion of its counterparty network affects the perceived risk of the entire transaction flow. A correspondent bank processing a payment does not have full visibility into where the beneficiary's funds ultimately originate or where they will ultimately go. It sees a transaction that passes through its systems and carries whatever risk characteristics are visible in the payment details and the associated documentation.
The business's responsibility, in this environment, is not to eliminate all indirect exposure — which is often impossible — but to understand where its exposure lies and to structure its commercial relationships so that the most significant banking dependencies are held in entities whose transaction records are as clean as they can be made.
Sanctions exposure cannot be eliminated by legal compliance alone. A clean legal record is necessary but not sufficient. What matters, in addition to the legal position, is the structural position: how the business is organised, how its transaction flows are routed, and how the narrative it presents to banks accounts for the elements of its structure and counterparty network that create elevated risk perception.
There is a reason why internal assessments of sanctions exposure are usually incomplete. People inside a structure see intentions — they know why certain counterparty relationships exist, why certain entities are registered where they are, why certain transaction flows pass through certain jurisdictions. Banks see patterns. They see transaction records, ownership chains, and jurisdictional characteristics. They do not see the reasoning behind the structure; they see what the structure looks like from the outside. A business that assesses its own exposure from the inside will systematically underestimate it, because the internal view includes context that the bank does not have and will not ask for.
The structurally aware response to sanctions exposure has three elements.
Understand where the exposure actually sits. This requires an honest assessment conducted from the outside — asking not why the structure is organised as it is, but what it looks like to a bank that has no prior knowledge of the reasoning. The assessment has to identify not just direct sanctions exposure but jurisdictional exposure, correspondent banking exposure, and indirect counterparty exposure.
Separate what should be separated. Where elements that carry elevated risk perception can be held in legal entities that are distinct from the entities maintaining the most critical banking relationships, that separation reduces the contamination of the banking relationships by the risk characteristics of the elevated-risk elements. This is the same architectural principle that applies to cryptocurrency separation — the logic is identical, applied to a different source of risk.
On the mechanics of that separation: Separating Crypto from the Rest of the Group →
Build the narrative before it is needed. A bank or a payment processor encountering elevated risk characteristics in a transaction flow will act quickly — more quickly than the business can respond after the fact. The narrative that explains the structure, the transaction flows, and the commercial rationale for counterparty relationships that might otherwise appear anomalous needs to be prepared and documented before the question arises. A business that scrambles to assemble an explanation after the fact is already in difficulty.
Sanctions exposure, for an international business with a complex structure and cross-border transaction flows, is not a problem that can be solved once and filed. The sanctions landscape changes — new designations, new jurisdictional assessments, new correspondent banking policies adopted by the major institutions that process international payments. A structure that was positioned correctly relative to that landscape two years ago may not be positioned correctly today.
This means that the assessment of sanctions exposure is not a one-time exercise. It is an ongoing discipline — one that requires the business to maintain a current understanding of its own structure and transaction flows, of the risk perceptions attached to the jurisdictions it operates in, and of the correspondent banking relationships that its payment flows depend on.
Businesses that treat this as a periodic exercise — reviewing the exposure at fixed intervals, updating the narrative as the structure changes, monitoring the jurisdictional landscape for developments that affect the risk profile — are the ones that maintain banking access in an environment where others are losing it.
The work is not dramatic. It is structural and ongoing. And it is, in my experience, far less expensive than the alternative — which is to encounter the consequences of unmanaged exposure at the moment when they are most difficult to address.
Vladimir Shuvalov works with international businesses and private clients on corporate structure, banking acceptability, and cryptocurrency architecture from Nicosia, Cyprus.
Thinking Globally — thinking-globally.com
Thinking Globally Consulting Limited
Registered in England & Wales · Company No. 17138834
128 City Road, London EC1V 2NX, United Kingdom
© 2026 Thinking Globally Consulting Limited · All rights reserved