04 June 2025
Basel Institute on Governance (2025) ¦ How to build Effective Corruption Risk Indicators and Red Flag Systems
How to build effective corruption risk indicators and red-flag systems: lessons from the FALCON project
Setting the scene: research to action
Corruption often hides in routine administrative choices and everyday transactions, making early detection difficult. The FALCON project, funded by the EU’s Horizon programme (grant 101121281), collected multidisciplinary evidence over three years and translated it into practical, data-driven red flags and risk indicators to support law enforcement and policymakers. By combining social science research, advanced analytics and collaboration with end users, the project created tools to better detect corruption risk in three high‑risk domains: public procurement, sanctions circumvention and border management.
Defining the problem and mapping techniques
A clear, operational definition of the corrupt behaviour to be detected is the first essential step. In the procurement use case, FALCON defined corruption as steering a contract to favour a bidder without detection, accomplished by restricting competition, tailoring specifications or sharing privileged information. This definition acts as a guide for which behaviours to search for in administrative records and how to translate techniques into observable traces. Researchers mapped common corruption techniques — chopping large tenders into smaller ones, negotiated procedures without publication, single‑bid awards, ownership concealment and similar tactics — to specific decision points in procurement lifecycles and to the administrative data that typically record them.
Indicator design: types and logic
FALCON developed three main types of indicators: binary indicators that flag presence or absence of a risk feature; categorical indicators that compare discrete procedure types (with an explicit low‑risk reference such as open competition); and continuous numeric indicators, such as buyer–supplier concentration measured as the supplier’s share of a buyer’s annual spending. Each indicator is chosen to reflect an administrative trace of a corruption technique. The indicators must be objective, defined at a micro level (contract, buyer or supplier), comparable across contexts and usable over time. Availability and quality of administrative data determine which indicators can be built in each jurisdiction.
Validation through empirical testing
Indicators are useful only if they reliably relate to corrupt outcomes. FALCON used an observable proxy — single bidding, where only one bid is submitted — as the primary corruption proxy for validation, since single bidding is closely linked to restricted competition and thus to the project’s working definition. Researchers employed appropriate econometric models (for example, logistic regressions for binary outcomes) and included controls for market structure, geography, buyer type and time to isolate the partial association between candidate indicators and the corruption proxy. An indicator is validated when it maintains a significant association after controlling for confounders. This process guards against false positives that arise from legitimate market features, such as technical monopolies or projects that naturally attract few bidders.
Aggregating signals into a corruption risk index
To prioritise scarce investigative resources, validated indicators were combined into a Corruption Risk Index (CRI). The CRI used in FALCON is an unweighted average of available validated indicators for a given contract or actor. Aggregation improves robustness: when many indicators point to risk, the CRI rises and a contract becomes a candidate for targeted review. The unweighted approach reflects a deliberate choice to treat different corruption techniques equally, although specific use cases may justify bespoke weighting. The CRI also enabled modeling of estimated extra spending attributable to higher risk, allowing the project to estimate possible cost reductions from targeted interventions.
Sanctions circumvention: translating case evidence into operational indicators
FALCON’s sanctions work combined systematic open‑source analysis of nearly one hundred case studies with corporate network analysis using commercial ownership datasets matched to sanctions lists. Two main forms of violation emerged: sectoral breaches involving prohibited trade and targeted breaches involving concealment of ownership or asset transfers to evade freezes. Common tactics included the use of shell and front companies, trusts, intermediaries and satellite jurisdictions, rapid ownership changes shortly after sanctions, dilution of shareholdings and rerouting payments through offshore accounts or cryptocurrencies. From these patterns the project derived a set of primary indicators — 18 in total — grouped by customer, transaction and destination features. Indicators included ownership changes shortly after sanctions, links to sanctioned markets, use of high‑risk jurisdictions and sudden shifts in payment channels. Temporal proximity to sanctions imposition proved a particularly useful signal.
Border corruption: combining multiple signals to reduce noise
Border environments produce many legitimate behaviours that can mimic corruption signals, such as frequent crossings for daily work or shopping. For borders, FALCON emphasized red‑flag patterns rather than single indicators. The team identified domains where anomalies matter: unusually frequent associations between specific officials and private actors suggesting collusion; abnormal waiting-time patterns that may indicate coercive rent-seeking; vehicle and cargo discrepancies pointing at smuggling; unexplained enrichment of officials; and social network ties between traders and officials. Available data sources include vehicle recognition feeds, customs declarations, national single-window trade information, company registries and asset records, but access and integration are frequently constrained. Combining indicators into composite patterns reduces false positives and makes alerts operationally useful for border agencies.
Operational and policy recommendations
Indicators need local validation. An indicator that predicts risk in one country or sector may not work elsewhere; validation must account for market structure and administrative specifics. Combining multiple complementary indicators and aggregating them into a score helps prioritise resources. Data integration is crucial — procurement, customs, company and sanctions lists, and asset records are the foundation of quantitative detection; investment in data quality, interoperability and access is necessary. Close, iterative collaboration with end users (law enforcement, customs, procurement authorities) ensures feasibility and reduces the risk that technical alerts are unusable in practice. Indicators are tools for triage and intelligence‑led investigation, not standalone proof; every alerted case requires human review and legal follow-up. Finally, indicators must be updated continuously because evasion tactics evolve, and private–public cooperation improves detection through information sharing.
Limitations and cautions
FALCON’s approach highlights several constraints. Administrative data do not fully capture negotiation phases, off‑book communications or the informal arrangements that often underlie corruption. Beneficial ownership opacity, proxies and indirect payment channels weaken detection. Legal protections on personal and commercial data require careful handling and compliance. Even validated indicators produce false positives; their value is in directing limited investigative capacity toward the most suspicious cases rather than proving guilt.
How research became a practical resource
The FALCON project shows that a disciplined pipeline — definition, mapping of techniques to traces, indicator construction, statistical validation, aggregation and piloting with end users — can convert academic research into operational detection tools. The project’s mix of social scientists, technologists and law‑enforcement partners produced indicators and early tools that can be adapted to country specifics. Where administrative data are rich and accessible, procurement and border systems can feed automated red-flag systems; where data are limited, expert validation and targeted data collection are critical.
From indicators to action
To make red-flag systems effective, agencies should start small: validate a compact set of indicators in their context, pilot alerts with operational teams, refine thresholds and logic, and expand as data access and analytical capacity grow. Combining signals, prioritising alerts, and ensuring human-in-the-loop review will limit harmful false positives while focusing enforcement where it matters most. Where sanctions or geopolitical events change the operating environment, systems should actively monitor ownership and transaction structure changes and flag sharp shifts for review.
Conclusion
Corruption detection benefits from rigorous, evidence‑based indicator design and validation. By mapping corruption techniques to observable administrative traces, empirically testing candidate indicators against corruption proxies, aggregating multiple signals into robust indexes and working iteratively with end users, detection systems can become practical tools to prioritise investigations and inform policy. The FALCON project demonstrates how interdisciplinary research and data-driven methods can materially improve early detection of corruption across procurement, sanctions circumvention and border settings, while underscoring the need for strong data access, ongoing validation and collaborative implementation with enforcement agencies.