Concentration Risk: Definition and Use in Compliance

What is Concentration Risk?

Concentration risk is the exposure a financial institution carries when too much of its risk sits in one place: one borrower, one sector, one country, one product, or one type of customer. Diversification is supposed to spread risk so that no single failure can sink the institution. Concentration is what happens when that spreading breaks down.

Think of a regional bank where 35% of the loan book is commercial real estate in a single metro area. On paper the bank has thousands of loans. In reality it has one bet. If that property market turns, the losses arrive together, because the exposures are correlated. The same logic applies to funding. A bank that relies on three large depositors for most of its liquidity has a concentration problem even if its lending looks diversified.

Financial crime teams use the same frame. A payments firm that earns 60% of its volume from money service businesses carries concentrated money laundering risk, regardless of how clean any single customer looks. Concentration here means a cluster of high-risk activity that raises the odds of a missed Suspicious Activity Report (SAR) or a sanctions breach.

The risk has four standard dimensions: single-name, sectoral, geographic, and product or funding. AML practice adds customer-type and channel concentration. What ties them together is correlation. When exposures move in the same direction, the comfort that diversification normally provides disappears, and a single shock does outsized damage. That's why supervisors track it as a category in its own right rather than folding it into general credit or operational risk.

How is Concentration Risk used in practice?

Risk teams turn concentration from an abstract worry into numbers on a report. The starting point is usually a top-counterparty exposure list: rank the largest exposures, express each as a percentage of Tier 1 capital, and compare against internal limits and the regulatory cap. Anything approaching the limit triggers a review.

A credit committee uses these reports to set hard caps. "No more than 20% of the book in any single sector" is a typical rule. When new lending pushes a sector past the cap, the committee either declines the deal or offsets it elsewhere. The metric drives the decision, not gut feel.

AML teams run a parallel process on financial crime exposure. They measure what share of transaction volume runs through correspondent banking relationships, how many customers fall into the highest Customer Risk Rating (CRR) band, and whether one channel produces most of the high-value alerts. Suppose an analyst finds that 70% of cross-border wire alerts trace back to a single respondent bank. That's a concentration finding that goes straight into the enterprise-wide risk assessment.

The output shapes real action. Banks adjust limits, demand more collateral, raise pricing on concentrated exposures, or exit relationships entirely. Some firms over-correct and start de-risking whole customer segments, which carries its own regulatory scrutiny. Done well, concentration management feeds directly into capital planning, board reporting, and the bank's stated risk appetite.

Concentration Risk in regulatory context

Supervisors treat concentration as a named risk with its own rules. The Basel Committee on Banking Supervision sets the anchor: its large exposures framework caps a bank's exposure to a single counterparty or group of connected counterparties at 25% of Tier 1 capital, with a tighter 15% limit between global systemically important banks. You can read the framework directly on the Bank for International Settlements site.

Beyond hard caps, banks must assess concentration inside their Internal Capital Adequacy Assessment Process (ICAAP). Supervisors expect an institution to hold capital against concentrations that the standard risk weights don't capture. A portfolio that's technically within limits but heavily correlated still needs a capital buffer and a documented rationale.

On the financial crime side, the Financial Action Task Force (FATF) risk-based approach requires firms to understand where their money laundering risk concentrates and to apply Enhanced Due Diligence (EDD) where it's highest. FATF guidance on correspondent banking, available through the FATF website, specifically warns about concentrated exposure to high-risk jurisdictions.

US examiners follow the same logic. The interagency guidance on commercial real estate concentrations, issued by the federal banking agencies, sets supervisory thresholds: CRE loans above 300% of capital, or construction loans above 100%, trigger heightened scrutiny. The FCA in the UK and the ECB through its supervisory review process apply comparable expectations. Across all of them, the message is consistent: identify concentration, measure it, limit it, and hold capital for what remains.

Common challenges and how to address them

The first challenge is seeing concentration at all. Connected counterparties hide it. Two borrowers that look independent may share a parent, a guarantor, or a common revenue source. Banks address this with entity resolution and a golden record that links related parties, so a "group of connected counterparties" is calculated correctly rather than counted as separate names.

The second challenge is correlation that only appears under stress. Exposures that look diverse in calm markets move together in a downturn. Single-factor reports miss this. The fix is scenario analysis and stress testing that models how a sector shock or a regional recession hits multiple exposures at once. A bank with auto loans, dealer floor-plan financing, and supplier credit lines may discover all three concentrate on the same industry under stress.

A third challenge sits with AML teams: customer and channel concentration drifts over time. A firm that onboarded a balanced book five years ago may now earn most of its fee income from a handful of high-risk customers. The answer is periodic recalculation tied to the risk-based approach, with transaction monitoring feeding fresh data into concentration metrics rather than relying on onboarding snapshots.

The overcorrection trap is real too. Some banks respond to concentration by cutting whole segments, which regulators have criticized as blanket de-risking. The better approach is granular: tighten limits, raise monitoring intensity, and price for the risk rather than exiting entire customer categories. Concentration management works best when it adjusts exposure deliberately instead of swinging between ignore and abandon.

Related terms and concepts

Concentration risk lives inside a wider risk vocabulary, and understanding the neighbors sharpens the concept. It sits close to inherent risk and residual risk: concentration raises inherent risk, and the controls a bank applies determine how much residual risk remains. A concentrated portfolio with strong limits and active monitoring carries lower residual risk than the raw exposure suggests.

It connects directly to risk appetite, since concentration limits are one of the most concrete ways a board expresses how much risk it will accept. "We will not exceed 20% in any single sector" is a risk appetite statement with teeth.

On the financial crime side, concentration interacts with the Customer Risk Rating (CRR) and the enterprise-wide risk assessment, both of which aggregate individual risk into a portfolio view. Correspondent banking concentration ties to Enhanced Due Diligence (EDD), because high-concentration relationships demand deeper scrutiny.

The governance scaffolding around it includes the Three Lines of Defense, where the first line manages exposure, the second sets limits and challenges, and the third audits the whole framework. Capital frameworks like Basel III and the ICAAP translate concentration into capital requirements. Read together, these terms describe a single discipline: knowing where your risk piles up, and making sure no single failure can take you down.