What is Counter Threat Finance?

Counter Threat Finance (CTF) explained: DoDD 5205.14 doctrine, CTF vs. AML, sanctions, shell companies, TBML, and operational software.

Counter Threat Finance is the discipline of detecting, mapping, and disrupting the money that lets adversaries operate. It treats financing as a network to be attacked, not a compliance box to be checked. Where a bank asks "can I do business with this customer," a counter-threat-finance practitioner asks a different question: "whose money is this, where does it move, who does it touch, and what does it let them do." The money always leaves a trail. CTF is the practice of building the sensor network to see it.

The term has a specific institutional home. In U.S. Department of Defense usage, threat finance is an umbrella for the financing methods used by malign actors - terrorists, traffickers, proliferators, and increasingly state and state-linked actors operating below the threshold of armed conflict. Counter Threat Finance is the set of activities that degrade an adversary's ability to raise, move, store, and use that money. It is one instrument inside a larger campaign to pressure threat networks, and it is governed by its own doctrine.

This page covers where that doctrine comes from, how defense CTF relates to the financial sector's anti-money-laundering world, the vocabulary of illicit finance every practitioner needs, and what software has to do to operationalize CTF rather than just describe it.

For quick-reference answers, see the Counter Threat Finance FAQ. For the companion discipline of resolving identities across sources, see What is Entity Resolution?.

The Doctrine: Where CTF Comes From

CTF is not a marketing category. It is codified U.S. policy and joint doctrine, and the lineage matters because it defines the mission.

DoD Directive 5205.14, DoD Counter Threat Finance (CTF) Policy (19 August 2010, incorporating Change 3, 2017) establishes CTF as departmental policy and assigns responsibilities for countering the financing used to engage in terrorism, illicit trafficking networks, and related activities that support an adversary's ability to negatively affect U.S. interests. The directive applies across the Office of the Secretary of Defense, the military departments, the Joint Staff, and the geographic Combatant Commands. A subsequent DoD Inspector General evaluation found the Combatant Commands lacked standardized procedures for conducting CTF, and recommended command-level standard operating procedures and a CTF-specific DoD Instruction - a reminder that the policy exists ahead of the tooling and tradecraft needed to execute it consistently.

Joint Publication 3-25, Countering Threat Networks (21 December 2016) is the doctrinal anchor. CTN provides joint doctrine for commanders and staffs to identify, neutralize, disrupt, or destroy threat networks, and it treats finance as one of the critical functions that sustain a network. JP 3-25 introduces the analytic methods that CTF inherits: Critical Factors Analysis, network engagement, and social network analysis to understand a network's structure, key nodes, and dependencies. The doctrine is candid that a network is rarely defeated outright; the objective is continuous pressure across all instruments of national power to keep it weak. Finance is one of the most durable pressure points, because money has to move through observable channels and leaves records behind.

F3EAD - Find, Fix, Finish, Exploit, Analyze, Disseminate - is the targeting cycle CTF practitioners apply to financial networks. Find and fix the financial node, exploit the documents and identifiers it yields, analyze the network it reveals, and disseminate so the next pivot can begin. CTF is iterative network discovery, not a one-time lookup.

Operationally, the work is distributed. Within U.S. Special Operations Command, CTF lives in the J36 Transnational Threats Division and its Counter-Threat Finance Branch, historically a very small team supporting interagency partners and Special Operations Forces worldwide. SOCOM standardized CTF training across the department through a J35 Counter Threat Finance curriculum delivered via Joint Knowledge Online. The Joint Staff J-7 published a Commander's Handbook for Counter Threat Finance to give Combatant Commands a common reference. Each Combatant Command runs some form of threat-finance cell - SOCOM has used the term Threat Finance Exploitation Branch - and joint interagency constructs such as the Iraq Threat Finance Cell brought Treasury, the FBI, the IRS, and others together in theater. The model that recurs is interagency fusion: the Joint Interagency Task Forces (JIATF-South for counternarcotics detection and monitoring, JIATF-West in the Indo-Pacific) are the template for blending military, law-enforcement, intelligence, and partner-nation effort against a transnational network.

The strategic framing has shifted with the era. Early CTF was dominated by counterterrorism finance after 9/11. The current center of gravity is great power competition - using financial access denial as an irregular-warfare tool against revisionist states and their proxies operating below the threshold of armed conflict. Threat finance now spans terrorism, narcotics, weapons and proliferation, sanctions evasion, and state-linked kleptocracy. The trail is the same; the targets multiplied.

CTF vs AML/CFT: Two Worlds, One Money Trail

Counter Threat Finance is often confused with the financial sector's compliance regime. They share data and vocabulary, but they answer to different masters and ask different questions.

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) are the obligations placed on financial institutions to prevent their systems from being used to launder proceeds of crime or fund terrorism. In the United States the foundation is the Bank Secrecy Act (BSA), modernized by the Anti-Money Laundering Act of 2020. The regime runs on Know Your Customer (KYC) and Customer Due Diligence (CDD) - verifying who a customer is - and on Suspicious Activity Reports (SARs) filed when something looks wrong. It is enforced and supported by the Financial Crimes Enforcement Network (FinCEN), the U.S. Financial Intelligence Unit, which receives and analyzes BSA reporting and disseminates to law enforcement.

The international standard-setter is the Financial Action Task Force (FATF), whose 40 Recommendations define the global AML/CFT framework. FATF Recommendation 29 requires every country to stand up an FIU; Recommendation 40 governs international cooperation between them. The Egmont Group of Financial Intelligence Units is the body through which the world's FIUs exchange financial intelligence, and FATF, the Egmont Group, INTERPOL, and the United Nations Office on Drugs and Crime (UNODC) jointly publish typologies and risk indicators - including the definitive work on trade-based money laundering.

The U.S. Department of the Treasury sits at the center of the U.S. effort through its Office of Terrorism and Financial Intelligence (TFI), established after the September 11 attacks. TFI houses the Office of Foreign Assets Control (OFAC), which administers sanctions; FinCEN; the Office of Intelligence and Analysis (OIA), a formal member of the Intelligence Community producing financial threat assessments; the Office of Terrorist Financing and Financial Crimes (TFFC), which leads the U.S. delegation to FATF; and the asset-forfeiture function. Treasury wields designations, sanctions, and financial-system access as instruments of national power.

Here is the distinction that matters. The compliance world is defensive and institution-bound: it protects one bank's perimeter, asks "should I onboard or keep this customer," and is satisfied by a clean screen. CTF is offensive and network-bound: it asks "who is this actor, what network do they belong to, and how do we degrade it," and a clean screen is the beginning of the question, not the end. The compliance analyst is trying to avoid a penalty. The CTF practitioner is trying to take something away from an adversary. They draw on overlapping data - sanctions lists, beneficial ownership, corporate registries, trade records - but the compliance world stops at the institutional boundary, while CTF follows the money across it, into the physical and operational world where the network actually lives.

That boundary is exactly where most tooling fails, and where the operational requirement begins.

The Vocabulary of Illicit Finance

CTF practitioners and compliance analysts share a working vocabulary. Understanding it is the price of entry.

Money laundering is the process of disguising illicit proceeds as legitimate funds, classically in three stages: placement (getting cash into the system), layering (moving it through transactions to obscure origin), and integration (bringing it back as apparently clean wealth). Terrorist financing runs the logic in reverse - often small sums from legitimate-looking sources moved to fund operations - which is why detection cannot rely on transaction size alone.

Sanctions are restrictions imposed by a government or international body that prohibit dealings with designated persons, entities, vessels, aircraft, or sectors. In the U.S., OFAC maintains the Specially Designated Nationals and Blocked Persons (SDN) List and consolidated sanctions lists; the European Union maintains its Consolidated Financial Sanctions List under the Common Foreign and Security Policy; the United Kingdom maintains the UK Sanctions List through the Office of Financial Sanctions Implementation; and the United Nations Security Council maintains the Consolidated List that all member states are obligated to implement. A designation is the act of adding an actor to such a list.

Debarment and exclusion are the procurement-world cousins of sanctions - federal "do not do business with" determinations that bar an entity from government contracts and assistance. They matter to CTF because an actor barred from federal money is often the same actor a network is trying to route money through.

A Politically Exposed Person (PEP) is an individual entrusted with a prominent public function, along with their close associates and family, who therefore carries elevated corruption and influence risk. PEP status is not an accusation; it is a flag that demands enhanced scrutiny.

A shell company is a legal entity with no real operations, used to hold assets or move money while obscuring the people behind it. Shells become front companies when they layer a veneer of legitimate activity over illicit purpose. The defense against them is beneficial ownership resolution - identifying the natural person who ultimately owns or controls an entity, not just the nominee or registered agent on the filing. The U.S. Corporate Transparency Act (CTA) of 2021 created a beneficial-ownership reporting regime and FinCEN opened its registry in January 2024; in March 2025 FinCEN narrowed the requirement to foreign reporting companies, exempting U.S. companies and U.S. persons. Other jurisdictions run their own registers - the UK's Persons with Significant Control regime among the most useful publicly. The point for CTF is unchanged: ownership is the hardest thing to fake and the most valuable thing to resolve.

Trade-Based Money Laundering (TBML) is among the most complex and widely used laundering methods - moving value by manipulating trade transactions rather than moving money directly. The mechanisms include over- and under-invoicing, multiple invoicing for one shipment, misrepresenting quantity or quality, and phantom shipments. FATF and the Egmont Group publish the authoritative TBML typologies and risk indicators, which flag signals such as commodity prices that do not match the market, trade routes with no commercial logic, and trade-and-company-service-provider addresses that manage many shell entities at once.

Rounding out the lexicon: hawala and other informal value-transfer systems move money outside the formal banking channel; money mules are individuals who move funds on behalf of others; structuring is breaking transactions below reporting thresholds to evade detection; and proliferation finance is the financing of weapons-of-mass-destruction programs in defiance of nonproliferation sanctions.

From Compliance Checkbox to Operational Intelligence

Everything above is the desk-bound view of illicit finance - records, lists, filings, and the analysts who comb them. The operational reality CTF lives in is different, and it is where the discipline earns its place next to the other warfighting functions.

The actors a CTF practitioner cares about are not abstractions in a database. They own the vessel that just went dark on AIS off a sanctioned coast. They are the beneficial owner behind the trust-held aircraft whose flight plan does not match its stated operator. They register the domain that fronts a procurement network and lease the infrastructure it runs on. The financial identity, the corporate identity, the physical platform, and the digital footprint are four lenses on one network - and the network does not respect the seams between them.

Most of the field talks about cyber-physical convergence and stops there. The harder and more useful problem is cyber-physical-financial-operational convergence: resolving the financial and corporate identity of an actor and then tying it, in real time, to where that actor's platforms physically are and what they are doing right now. A sanctioned name on a list is a fact. A sanctioned name on a list that is also the resolved beneficial owner of a vessel currently transiting a chokepoint on your operational picture is an intelligence product - and a decision.

This is the difference between a financial-crime workstation and an operational decision platform. The first tells you who an entity is. The second tells you who an entity is, ties it to the live sensor picture, and lets the operator act on the convergence before the window closes.

What Counter-Threat-Finance Software Actually Requires

If CTF is network discovery under doctrine, then the software that supports it has to do specific things. Most of the market does some of them. The operational mission requires all of them.

A common entity ontology and ruthless normalization. Sanctions lists, corporate registries, beneficial-ownership registers, maritime and aviation records, court and custody data, and leak datasets all describe people and organizations in mutually incompatible formats. Before anything useful happens, they have to be normalized into a single canonical model of persons, organizations, vessels, aircraft, and the relationships among them. Adopting an open ontology - the FollowTheMoney (FtM) schema used across the open investigative-data ecosystem - means the platform can read others' bulk exports and export its own findings in a format partners can consume. Schema comes first. See the companion wiki on Entity Resolution for the depth of this problem.

Always-on screening, not on-demand only. Designations change constantly across OFAC, the EU, the UK, the UN, and consolidated screening lists. Screening has to run continuously against the resolved entity, with deterministic identifier matching where strong identifiers exist and fuzzy name matching where they do not, scored by confidence and suppressed for common-name noise, with compliance-safe language that treats a hit as a lead to verify rather than a final determination.

Entity resolution and network analysis as first-class functions. JP 3-25 calls for social network analysis and critical-factors analysis. That demands an engine that resolves the same actor across sources despite spelling, transliteration, alias, and deliberate obfuscation, then accumulates the resolved entities into a relationship graph the analyst can read, defend, and export.

Pivot-driven investigation that mirrors F3EAD. The analyst follows identifiers from one source to the next - vessel to registry to owner to corporate network to sanctions exposure - accumulating evidence with provenance at every step, with the human deciding each branch. The tool keeps the thread the analyst would otherwise lose to context-switching.

Provenance, audit, and responsible-use controls that ship with the capability, not after it. Every screen and pivot logged with operator identity, every assertion traceable to its source, access role-gated, and the whole investigation defensible in a referral or a compliance file.

Edge deployment and high-performance local analytics. A CTF cell on a disconnected network, a vessel mid-ocean, or a forward node cannot depend on a cloud round-trip. The screening and resolution engines have to run locally, cold-start fast, and operate air-gapped.

And the requirement nobody else treats as a requirement: the tie to the live operational picture. Resolved financial and corporate identity, fed back into the same operational picture that carries the live AIS, ADS-B, and device tracks, so that the financial lens and the physical lens are one surface. That convergence is the product. Everything else is a feature.

Glossary

  • AML (Anti-Money Laundering): The body of law, regulation, and practice aimed at preventing the disguising of illicit proceeds as legitimate funds.
  • AML Act of 2020: U.S. legislation modernizing the Bank Secrecy Act, including beneficial-ownership and information-sharing reforms.
  • Beneficial Owner: The natural person who ultimately owns or controls an entity, as distinct from a nominee, agent, or registered front.
  • BSA (Bank Secrecy Act): The foundational U.S. anti-money-laundering statute requiring recordkeeping and reporting by financial institutions.
  • CDD (Customer Due Diligence): The process by which an institution verifies a customer's identity and assesses risk.
  • CFT (Countering the Financing of Terrorism): Measures to detect and prevent funds reaching terrorist actors.
  • Corporate Transparency Act (CTA): 2021 U.S. law creating a beneficial-ownership reporting regime; the reporting requirement was narrowed to foreign reporting companies in 2025.
  • Critical Factors Analysis: A JP 3-25 method for identifying a network's centers of gravity and the requirements and vulnerabilities that sustain them.
  • CTF (Counter Threat Finance): Activities to detect, map, and disrupt the financing that enables adversary networks; codified in DoDD 5205.14.
  • CTN (Countering Threat Networks): Joint doctrine (JP 3-25) for identifying, neutralizing, disrupting, or destroying threat networks.
  • Debarment / Exclusion: A federal determination barring an entity from government contracts and assistance.
  • Designation: The act of adding a person, entity, vessel, or aircraft to a sanctions or watchlist.
  • DoDD 5205.14: DoD Directive establishing Counter Threat Finance policy and responsibilities.
  • Egmont Group: The international body through which national Financial Intelligence Units exchange financial intelligence.
  • F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate - the targeting cycle applied to network and financial exploitation.
  • FATF (Financial Action Task Force): The intergovernmental standard-setter for AML/CFT; author of the 40 Recommendations.
  • FinCEN (Financial Crimes Enforcement Network): The U.S. Financial Intelligence Unit, within Treasury.
  • FIU (Financial Intelligence Unit): A national center for receiving and analyzing suspicious-transaction reporting (FATF Recommendation 29).
  • Front Company: A shell company given a veneer of legitimate activity to mask illicit purpose.
  • ITFC (Iraq Threat Finance Cell): An in-theater interagency CTF construct blending Treasury, FBI, IRS, and military effort.
  • JIATF (Joint Interagency Task Force): Interagency constructs (e.g., JIATF-South, JIATF-West) that fuse military, law-enforcement, intelligence, and partner-nation effort against transnational threats.
  • JP 3-25: Joint Publication for Countering Threat Networks.
  • KYC (Know Your Customer): The practice of verifying customer identity as part of due diligence.
  • Layering: The money-laundering stage of moving funds through transactions to obscure origin.
  • OFAC (Office of Foreign Assets Control): The Treasury office administering U.S. sanctions and the SDN List.
  • PEP (Politically Exposed Person): An individual with a prominent public function, and their associates, carrying elevated risk.
  • Placement: The money-laundering stage of introducing illicit cash into the financial system.
  • Proliferation Finance: Financing of weapons-of-mass-destruction programs in violation of nonproliferation measures.
  • SAR (Suspicious Activity Report): A report filed by an institution when activity suggests possible illicit finance.
  • SDN List (Specially Designated Nationals): OFAC's primary list of blocked persons and entities.
  • Shell Company: A legal entity with no real operations, used to hold assets or move money while obscuring ownership.
  • Structuring: Breaking transactions below reporting thresholds to evade detection.
  • TBML (Trade-Based Money Laundering): Moving value by manipulating trade transactions - over/under-invoicing, phantom shipments, misrepresentation.
  • TFI (Office of Terrorism and Financial Intelligence): The Treasury directorate housing OFAC, FinCEN, OIA, and TFFC.
  • Threat Finance: The financing methods used by terrorists, traffickers, proliferators, and state-linked actors.
  • USSOCOM J36: The SOCOM Transnational Threats Division housing the Counter-Threat Finance Branch.

Related: What is Entity Resolution? | Threat Finance & Entity Resolution capability | Counter Threat Finance FAQ

Related topics

Empyrean Defense

Want to see this in action?

Request a demo or explore the platform capabilities.