Scoring Methodology
What this measures
SafeZoneAI Supply assigns each supplier in your portfolio an integer risk score from 1 to 10. The score is supplier-level, not country-level — a US-based vendor on the OFAC SDN list scores worse than a perfectly clean manufacturer in Yemen.
The score answers one question: should someone on my team look at this row before we send a PO?
Inputs
Every supplier row ingested through a CSV or PDF upload contributes three fields: name, country, and address. Name is required. Country and address are strongly recommended — a missing country falls back to a neutral default score.
Version 1.0 factors
1. Country baseline
Each country maps to a 1–10 score derived from three published indices, weighted equally:
- Fund for Peace — Fragile States Index 2025 (institutional pressure)
- Institute for Economics & Peace — Global Peace Index 2025 (conflict + security)
- OFAC country programs + EU geographic sanctions (regulatory exposure)
Countries are matched by ISO 3166 name or common alias. The mapping is published in shared/country_risk.json alongside the code that reads it — every score a customer sees is reproducible from public inputs.
2. Sanctions screening — multi-regime
Each supplier name is compared — exact match only, including every published alias — against four primary-source sanctions lists:
- US OFAC SDN — Specially Designated Nationals and Blocked Persons
- UK OFSI Consolidated — HM Treasury's financial sanctions list
- EU FSF — Consolidated EU restrictive measures (DG FISMA)
- UN Security Council — Consolidated List
On any hit the score is set to 10 regardless of country and the row is flagged sanctions_flag: true. Every regime that hit is recorded in sanctions_lists_hit, with each list's own canonical id preserved — so a single supplier matched on three regimes shows up as ["UK-OFSI","EU-FSF","OFAC-SDN"] with all three source ids cited in the audit JSON.
Names are normalized before comparison: lowercased, punctuation stripped, and one trailing corporate suffix (Inc, Ltd, GmbH, AG, PJSC, ООО, etc.) removed. Build-time and lookup use identical rules.
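The normalization and exact-match rules above, sketched as an added example; this is not SafeZoneAI's code. The suffix set holds only the suffixes named above, the sample list records and their source ids are constructed, the `source_ids` field is a hypothetical name, and the country baseline is passed in as a plain number.

```python
import re

# Only the suffixes named in the text; the production list is longer ("etc.").
SUFFIXES = {"inc", "ltd", "gmbh", "ag", "pjsc", "ооо"}

def normalize(name):
    """Lowercase, strip punctuation, drop ONE trailing corporate suffix."""
    text = re.sub(r"[^\w\s]|_", "", name.lower())  # \w is Unicode-aware
    tokens = text.split()
    # Assumption: a name that is nothing but a suffix is left alone.
    if len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

# Constructed records: (list id, source id, primary name, aliases).
SAMPLE_RECORDS = [
    ("OFAC-SDN", "sdn-0001", "Example Shipping PJSC", ["Example Maritime Group"]),
    ("UK-OFSI", "ofsi-0002", "EXAMPLE SHIPPING LTD.", []),
    ("EU-FSF", "eu-0003", "Example Shipping, Inc.", []),
    ("EU-FSF", "eu-0004", "Пример ООО", []),
]

def build_index(records):
    """Map each normalized name or alias to {list id: source id}."""
    index = {}
    for list_id, source_id, name, aliases in records:
        for variant in [name, *aliases]:
            index.setdefault(normalize(variant), {})[list_id] = source_id
    return index

INDEX = build_index(SAMPLE_RECORDS)

def score_supplier(name, country_baseline, index=INDEX):
    """Any exact hit forces the score to 10; otherwise the baseline stands."""
    hits = index.get(normalize(name), {})
    return {
        "score": 10 if hits else country_baseline,
        "sanctions_flag": bool(hits),
        "sanctions_lists_hit": sorted(hits),  # sorted for stable output
        "source_ids": dict(hits),             # hypothetical audit field name
    }

if __name__ == "__main__":
    for supplier in ("Example Shipping Ltd", "Example Shiping Ltd", "ПРИМЕР"):
        print(supplier, score_supplier(supplier, country_baseline=2))
```

The misspelled `Example Shiping Ltd` keeps its baseline score, which is the cost of exact matching that the limits section accepts, and a name ending in two suffixes loses only the last one.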
Bands
Scores are bucketed for display:
| Score | Band | What it typically signals |
|---|---|---|
| 1–3 | low | Stable rule-of-law country, no sanctions exposure. |
| 4–6 | moderate | Active country programs or elevated institutional pressure. |
| 7–8 | elevated | Major sanctions jurisdiction (e.g. China sector controls, Russia). |
| 9–10 | critical | Comprehensive sanctions, active conflict, or direct SDN match. |
Refresh cadence
- Country baseline: refreshed quarterly when the underlying indices publish updates.
- Consolidated sanctions index: rebuilt from each regime's public feed and shipped with every deployment. Current snapshot is identified by the sanctions_version field stamped on every scored row (e.g. sanctions-v2-2026-05-03). Per-regime build timestamps are surfaced via the API health endpoint. Daily auto-refresh is on the roadmap.
What v1.0 is not
Being explicit about the limits keeps this useful:
- Not legal advice. Compliance decisions remain with the buyer.
- Entities, vessels, and groups — not individuals. Common surnames false-positive against unrelated suppliers; we'd rather miss a person posing as a corporate counterparty than burn buyer trust on noise.
- BIS Entity / Denied Persons / Unverified, DDTC Debarred, and the Commonwealth lists (Canada SEMA, AU DFAT, CH SECO, JP METI) are next in the queue — the orchestrator already understands these list ids; only the per-regime fetchers remain.
- No fuzzy or phonetic matching. Deliberate. See the callout above.
- No second-order ownership lookups. A supplier owned 50%+ by a sanctioned entity is not flagged automatically (OFAC's 50% Rule). This is the highest-priority gap after the remaining list integrations.
- No ongoing monitoring (yet). You see the score at ingest time; changes to upstream lists don't retroactively re-flag your portfolio. Scheduled re-scoring is on the roadmap.
Data sources
- Fund for Peace — Fragile States Index 2025 · fragilestatesindex.org
- Institute for Economics & Peace — Global Peace Index 2025 · economicsandpeace.org
- U.S. Treasury OFAC — Specially Designated Nationals (SDN) List + Alternate Names · sanctionslistservice.ofac.treas.gov
- UK HM Treasury OFSI — Consolidated list of financial sanctions targets · gov.uk/financial-sanctions-consolidated-list-of-targets
- European Commission DG FISMA — Consolidated Financial Sanctions File (FSF) · webgate.ec.europa.eu/fsd/fsf
- UN Security Council — Consolidated List · scsanctions.un.org
Reproducibility
Every scored row carries two audit fields: methodology_version (which scoring rules produced the score) and sanctions_version (which dated snapshot of the consolidated index was used). That pair plus sanctions_lists_hit is enough to re-derive any score from the published code and the dated source data.
Change log
- 1.1 · 2026-05-03 — sanctions screening expanded from OFAC SDN alone to four primary-source regimes (OFAC SDN, UK OFSI, EU FSF, UN SC) with per-regime audit attribution. Index orchestrator extracted into a per-source plugin layout for easy expansion.
- 1.0 · 2026-04-24 — initial publication: country baseline + OFAC SDN exact/alias match.
Questions, corrections, or a score you disagree with?
Email hello@safezoneaitech.com. Methodology drift is how this kind of product goes stale — we want to hear about the case where our number doesn't match yours.