Counter Threat Finance FAQ

Counter Threat Finance FAQ: CTF vs AML, sanctions screening, OFAC SDN, beneficial ownership, TBML, and operational CTF.

Quick-reference answers on counter threat finance, sanctions screening, beneficial ownership, and the operational requirements for tying financial intelligence to a live sensor picture. For the full technical reference, see What is Counter Threat Finance?.

What is counter threat finance?

Counter Threat Finance (CTF) is the discipline of detecting, mapping, and disrupting the money that lets adversaries operate. It is codified in DoD Directive 5205.14 and Joint Publication 3-25, Countering Threat Networks. Where a bank asks "can I do business with this customer," a CTF practitioner asks "whose money is this, where does it move, who does it touch, and what does it let them do."

CTF treats financing as a network to be attacked - not a compliance box to be checked. The targeting cycle is F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate, applied iteratively to financial networks. See What is Counter Threat Finance? for the full doctrinal lineage.

What is the difference between counter threat finance and anti-money laundering?

AML is defensive and institution-bound; CTF is offensive and network-bound. AML protects one bank's perimeter and asks "should I onboard or keep this customer." CTF asks "who is this actor, what network do they belong to, and how do we degrade it." A clean screen is the end of the AML question and the beginning of the CTF question.

They share data and vocabulary - sanctions lists, beneficial ownership, corporate registries, trade records - but the compliance world stops at the institutional boundary. CTF follows the money across it, into the physical and operational world where the network lives.

What is counter threat finance doctrine?

DoDD 5205.14 establishes CTF as departmental policy across DoD. JP 3-25, Countering Threat Networks provides joint doctrine and introduces Critical Factors Analysis, network engagement, and social network analysis. F3EAD is the targeting cycle: find and fix the financial node, exploit the documents and identifiers it yields, analyze the network, disseminate so the next pivot can begin.

Within SOCOM, CTF lives in the J36 Transnational Threats Division. The Joint Staff J-7 published a Commander's Handbook for Counter Threat Finance. Each Combatant Command runs a threat-finance cell, and Joint Interagency Task Forces (JIATF-South, JIATF-West) are the template for interagency fusion.

What is sanctions screening?

Sanctions screening matches names and identifiers against designated-persons lists with confidence scoring. The relevant lists include OFAC SDN and Consolidated, EU CFSP, UK FCDO, UN Security Council, OpenSanctions (PEPs, crime, debarment, FARA), and the BIS/DDTC Consolidated Screening List.

Credible screening uses deterministic identifier matching where strong identifiers exist and probabilistic fuzzy-name matching where they do not, scored by confidence, with common-name suppression to manage false positives. A hit is a lead to verify, not a final determination.

What is the OFAC SDN List?

The Specially Designated Nationals and Blocked Persons (SDN) List is OFAC's primary sanctions instrument. It designates persons, entities, vessels, and aircraft with which U.S. persons are generally prohibited from dealing. A designation freezes the target's assets under U.S. jurisdiction and blocks transactions through the U.S. financial system.

The SDN List is one of several OFAC programs. The Consolidated Sanctions List aggregates entries from all OFAC programs into a single reference. Screening against the SDN alone is necessary but not sufficient - a complete screen includes EU, UK, UN, and consolidated sources.

What is beneficial ownership?

The beneficial owner is the natural person who ultimately owns or controls an entity, as distinct from a nominee, agent, or registered front. Resolving beneficial ownership is how you see through a shell company to the actual actor. It is the single most valuable and hardest-to-fake fact in an investigation.

The U.S. Corporate Transparency Act (2021) created a reporting regime; FinCEN opened its registry in January 2024 and narrowed the requirement to foreign reporting companies in March 2025. The UK's Persons with Significant Control regime remains among the most useful publicly available registers. Resolution from multiple sources remains essential.

What are shell companies and front companies?

A shell company is a legal entity with no real operations, used to hold assets or move money while obscuring the people behind it. They become front companies when they layer a veneer of legitimate activity over illicit purpose. Both are vehicles for sanctions evasion, money laundering, and ownership obfuscation.

The defense is beneficial-ownership resolution - tracing the corporate chain to the controlling natural person. Offshore-leaks data (ICIJ, FinCEN Files) and corporate registries (GLEIF LEI, UK Companies House, US state registries) are the primary sources for piercing shell structures.

What is trade-based money laundering?

TBML moves value by manipulating trade transactions rather than moving money directly. Mechanisms include over- and under-invoicing, multiple invoicing for one shipment, phantom shipments (no goods move at all), and misrepresenting quantity or quality. FATF and the Egmont Group publish the authoritative typologies.

TBML is among the most complex and widely used laundering methods because it exploits the complexity and volume of international trade. Risk indicators include commodity prices inconsistent with market rates, trade routes with no commercial logic, and company-service-provider addresses managing many shell entities simultaneously.

What is a Politically Exposed Person?

A PEP is an individual entrusted with a prominent public function, along with their close associates and family members. PEP status is not an accusation or a determination of wrongdoing; it is a risk flag that warrants enhanced due diligence due to elevated exposure to corruption and undue influence.

PEP screening is standard in both AML compliance and CTF analysis. The OpenSanctions dataset consolidates PEP lists from multiple jurisdictions into a single queryable source alongside sanctions, crime, debarment, and FARA registrations.

What are the software requirements for counter threat finance?

Operational CTF software must satisfy all of the following, not a subset:

  • A common entity ontology (ideally open, like FollowTheMoney) with disciplined normalization of every source
  • Always-on screening across 10+ sanctions and watchlist sources with confidence scoring
  • Entity resolution and network analysis as first-class functions, not bolt-ons
  • Pivot-driven investigation that mirrors F3EAD with provenance at every step
  • Immutable audit trail, role-gated access, and compliance-safe finding language
  • Edge deployment - local, cold-startable, air-gap capable
  • The tie to the live operational picture - resolved identity joined to streaming sensor feeds

What is the FollowTheMoney format?

FollowTheMoney (FtM) is the open ontology for investigative data used across the open-data ecosystem. It defines entity types (Person, Organization, Company, Vessel, Aircraft, Address) and the relationships among them. OpenSanctions, ICIJ Offshore Leaks, and Aleph all publish in FtM format.

A platform built on FtM can ingest these bulk exports directly and export its own investigations in the same format, enabling clean interchange with partners, referrals, and downstream case-management systems without custom integrations.

What is cyber-physical-financial convergence?

The practice of resolving financial and corporate identity and tying it to the live sensor picture in real time. Most financial-crime tools resolve who an entity is and stop. Operational convergence means joining that resolved identity to where the actor's platforms physically are right now - the vessel on AIS, the aircraft on ADS-B, the device in the field.

A sanctioned name on a list is a fact. That same name resolved as the beneficial owner of a vessel currently transiting a chokepoint on your COP is an intelligence product - and a decision. This convergence is what separates a research tool from an operational one.


For the full technical reference, see What is Counter Threat Finance?. Related: Entity Resolution FAQ | Threat Finance & Entity Resolution capability

Related topics

Empyrean Defense

Want to see this in action?

Request a demo or explore the platform capabilities.