
The business of fighting money laundering is defined as much by the need for structure as by the unpredictability of risk. For financial crime units and regulators, deciding where to look—who, exactly, to prioritize for checks and audits—has never been straightforward. There are only so many investigators and so much time, yet the diversity and scale of economic activity are vast. What is needed is a rational way to sift the landscape and focus resources where they are most likely to make a difference. This is where the International Standard Industrial Classification, or ISIC, comes into its own.
ISIC codes provide a common language for categorizing business activities, and they make it possible to sort economic entities into coherent groups for risk assessment. Certain categories have long been recognized as high risk for money laundering: casinos, which fall under ISIC 9200, and real estate agencies, covered by ISIC 6831, are obvious starting points. Others, like dealers in precious stones or luxury vehicles, or sectors characterized by large volumes of cash or complex transactions, also deserve close attention.
The first task for any compliance team is to assemble a list of entities operating in these sectors, tagged by their ISIC codes. This can be achieved by mining business registries, licensing databases, or—where available—integrated supervisory platforms. The more precisely firms are coded, the easier it becomes to group them for statistical analysis, trend monitoring, or targeted review.
With the universe of high-risk entities identified, attention shifts to building a working risk matrix. It is not enough to simply know which sector a business falls into. One must understand the typical transaction patterns within that sector. For casinos, cash flows are large and rapid, with funds moving in and out at a pace that can obscure illicit activity. Real estate agencies, on the other hand, deal in fewer but much larger transactions, often involving cross-border flows or complicated ownership structures.
Within each ISIC-coded sector, compliance teams should gather data on average transaction volumes, deal frequency, and any outliers—patterns that fall well outside sector norms. These benchmarks can be established using regulatory filings, suspicious transaction reports, or periodic sectoral surveys. Over time, the accumulation of this data enables a clearer distinction between routine activity and conduct that may merit deeper investigation.
Geography adds a further layer. Some regions, due to proximity to financial centers, ports, or border crossings, or due to historic patterns of financial crime, are inherently more vulnerable. Integrating a geographic vulnerability index—sometimes built from national risk assessments, regulatory advisories, or international watchlists—makes it possible to sharpen the focus further. A casino operating in a known high-risk area, or a real estate agency handling significant international transactions in a flagged jurisdiction, deserves more attention than a similar business elsewhere.
The goal is to translate these variables into a living risk matrix. Each entity or sector can be scored according to its ISIC code, typical transaction patterns, and geographic risk factors. Scores can be adjusted as new information emerges, whether from real-time monitoring, regulatory findings, or changes in the legal or economic environment. Importantly, the process should be transparent and replicable, so that priorities can be explained—and defended—if questioned.
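The scoring described above, as an added example that is not part of the original article: a minimal Python risk matrix that combines an ISIC sector score, a deviation-from-sector-norm score, and a geographic index, and keeps every component so each ranking can be explained. The weights, base sector scores, region labels and sample entities are constructed assumptions; the ISIC codes are the ones cited in the article.

```python
from statistics import median

# Assumed values for illustration; the article names the factors, not the numbers.
SECTOR_BASE = {"9200": 0.9, "6831": 0.8}  # ISIC codes as cited in the article
DEFAULT_SECTOR = 0.3
WEIGHTS = {"sector": 0.4, "transactions": 0.35, "geography": 0.25}

def robust_z(value, peers):
    """Distance from the sector median in MAD units, so one extreme peer cannot mask itself."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        return (value - med) * float("inf") if value != med else 0.0
    return 0.6745 * (value - med) / mad

def transaction_risk(value, peers, cap=3.5):
    """Scale deviation above the sector norm to 0..1; at or below the norm scores 0."""
    return min(max(robust_z(value, peers), 0.0), cap) / cap

def score_entity(entity, sector_volumes, geo_index):
    parts = {
        "sector": SECTOR_BASE.get(entity["isic"], DEFAULT_SECTOR),
        "transactions": transaction_risk(entity["volume"], sector_volumes[entity["isic"]]),
        "geography": geo_index.get(entity["region"], 0.5),  # unknown region: neutral (assumption)
    }
    total = sum(WEIGHTS[k] * v for k, v in parts.items())
    # Keep the components so each priority can be explained and reproduced.
    return {"name": entity["name"], "score": round(total, 3), "parts": parts}

def build_matrix(entities, geo_index):
    sector_volumes = {}  # sector benchmark = volumes of all entities sharing an ISIC code
    for e in entities:
        sector_volumes.setdefault(e["isic"], []).append(e["volume"])
    rows = [score_entity(e, sector_volumes, geo_index) for e in entities]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample data: monthly volume in thousands, hypothetical region labels.
GEO_INDEX = {"port-district": 0.9, "inland": 0.2}
ENTITIES = [
    {"name": "Casino A", "isic": "9200", "region": "inland", "volume": 100},
    {"name": "Casino B", "isic": "9200", "region": "inland", "volume": 110},
    {"name": "Casino C", "isic": "9200", "region": "port-district", "volume": 95},
    {"name": "Casino D", "isic": "9200", "region": "port-district", "volume": 400},
    {"name": "Agency E", "isic": "6831", "region": "inland", "volume": 2000},
    {"name": "Agency F", "isic": "6831", "region": "port-district", "volume": 2200},
]
if __name__ == "__main__":
    for row in build_matrix(ENTITIES, GEO_INDEX):
        print(row)
```

The median and MAD are used instead of mean and standard deviation because a single very large entity would otherwise inflate the sector norm and lower its own outlier score.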
Such a matrix is not only a tool for directing compliance checks, but a foundation for dialogue with the private sector. Regulators can use the insights it provides to shape outreach and training, clarify reporting requirements, or explain why certain sectors are facing greater scrutiny at a given moment. Over time, the process of continuous feedback—between data, compliance practice, and supervisory policy—yields more sophisticated approaches to risk, rooted in actual sectoral and regional realities rather than generic global guidance.
Some limitations are unavoidable. Not every business is correctly or consistently coded. New risks emerge, sometimes outside established categories. Yet the discipline of using ISIC codes, rather than intuition or legacy lists, encourages a more systematic, forward-looking approach. It is a way to move beyond the reactive, toward prevention—a state where resources are allocated not to those who are merely visible, but to those most likely to pose a genuine threat.
For financial crime units adapting to new technologies, emerging sectors, and ever-evolving typologies, the use of ISIC codes is more than administrative housekeeping. It is an essential step toward smarter, more responsive anti-money laundering oversight—one grounded in evidence, clarity, and a real understanding of risk.