De-Risking: Definition and Use in Compliance

De-risking is a practice in banking and financial services in which institutions exit or restrict business relationships with entire customer categories to avoid regulatory exposure, rather than applying proportionate risk controls to individual clients.

What is De-Risking?

De-risking is the practice of exiting or refusing to accept business relationships with entire customer categories to eliminate regulatory exposure, rather than managing risk at the individual customer level. A bank practicing de-risking doesn't assess the threat posed by a specific account holder. It exits the category wholesale.

The most frequently de-risked customer types are money services businesses (MSBs), charities operating in conflict zones, cryptocurrency exchanges, foreign correspondent banks in high-risk jurisdictions, and shell companies with complex ownership structures. The decision to exit is typically driven by regulatory pressure, a failed examination, or a consent order. Rarely is it driven by evidence that every customer in the category poses a demonstrable threat.

This is the essential distinction from a genuine Risk-Based Approach (RBA). Under an RBA, each customer gets a risk score based on documented factors: business type, geographic exposure, transaction behavior, ownership structure. Controls are calibrated to that score. A high-risk customer gets enhanced due diligence; a lower-risk customer gets proportionately lighter treatment. De-risking skips that process entirely.

The consequences are not abstract. When banks exit MSB customer segments, migrant workers who previously sent remittances through regulated channels get pushed toward informal transfer operators with minimal AML controls. That shift makes the financial system more opaque, not less. The systemic risk the bank was trying to avoid relocates to somewhere harder to monitor.

FATF stated in its 2021 guidance on correspondent banking that de-risking "is not in keeping with the FATF Standards." Its position is that wholesale exits without individual customer assessment contradict the proportionality principle the entire AML/CFT framework is built on. Supervisors are expected to push back on banks that cite regulatory uncertainty as justification for categorical exits.


How is De-Risking used in practice?

In most banks, de-risking decisions originate at the executive or board level after an adverse event: a failed AML examination, a consent order, or a public enforcement action against a peer institution. The instruction that flows to compliance is typically "reduce exposure in this area," and the team is left to operationalize it in a defensible way.

Account closure at scale is the most visible form. A bank classifies all customers in a segment, instructs relationship managers to send 60-day termination notices, and records the rationale in a policy memo. The challenge is that this process often happens without genuine individual assessment. Customers who have been model accounts for years receive the same letter as recently flagged ones. That uniform treatment is exactly what regulators are starting to question.

Correspondent Banking terminations work differently. A large U.S. or European bank sends notice to a respondent bank that it is ending the relationship, citing "risk appetite" or "strategic realignment." The respondent institution then has 90 days to find an alternative. For banks in sub-Saharan Africa or small Pacific island economies, that replacement can be nearly impossible. Some jurisdictions have ended up with fewer than three active USD correspondent relationships globally.

A subtler form is onboarding refusal: instructions to front-line staff to decline new applications from certain customer types without formal review. This rarely appears in writing, which is partly why it continues.

The right practice is a documented proportionality analysis before any exit. Can adequate controls manage the actual risk this customer type presents? If yes, an exit is de-risking. If no, an exit with proper documentation is defensible. The difference is the paper trail. Banks that skip the analysis expose themselves to supervisory questions about whether the exit was proportionate or simply convenient.


De-Risking in regulatory context

De-risking occupies awkward regulatory territory. It's not prohibited, but it draws scrutiny from multiple directions. Prudential regulators appreciate reduced high-risk exposure on paper. Financial inclusion bodies, community development regulators, and the G20 Financial Inclusion Framework treat the exclusion that de-risking produces as a systemic problem in its own right.

FinCEN and the U.S. Treasury issued a joint fact sheet in 2014 specifically addressing MSB account closures. The document stated that banks unable to manage the BSA/AML risks of a specific MSB should decline or close that account; it also made clear that blanket refusals without individual customer assessment may create their own compliance exposure under fair lending standards. The message: exit a specific customer you've assessed, not a whole sector you haven't.

The Financial Action Task Force (FATF) went further in 2021. Its guidance on correspondent banking stated explicitly that national supervisors should clarify that the FATF Recommendations "do not require financial institutions to apply de-risking." This addressed a common bank argument that regulators themselves were forcing exits through vague guidance.

The World Bank's 2015 report "Withdrawal from Correspondent Banking" quantified the damage. Seventy-five percent of large global banking groups reported reducing correspondent relationships between 2009 and 2015. The regions most affected were sub-Saharan Africa, Latin America, and small Pacific island economies.

In Europe, the European Banking Authority published guidelines in 2022 (EBA/GL/2022/11) on managing ML/TF risk in correspondent banking, explicitly calling out de-risking as a systemic problem. Institutions that can't demonstrate proportionality in their exit decisions now face supervisory scrutiny on the exits themselves, separate from any scrutiny of their underlying AML controls.


Common challenges and how to address them

The core problem with de-risking is that it feels like prudent risk management but functions as risk avoidance. Avoiding risk removes a customer. It doesn't remove the underlying threat from the financial system. It relocates it, usually to somewhere with less regulatory oversight.

Banks cite real pressures. Customer Due Diligence (CDD) on complex customer types is expensive. A thorough onboarding review of a mid-size MSB can take 40-80 hours of analyst time. Transaction monitoring on MSB accounts generates high alert volumes and disproportionate false positive rates. If an account generates $5,000 in annual revenue and costs $20,000 in compliance overhead, the commercial logic for exit is straightforward.

The problem is that the cost argument only works if exit genuinely reduces systemic risk. If the customer migrates to a bank with weaker controls, or to an informal operator with none, the financial system is worse off. The compliance cost saved at one institution transfers to the broader system as increased opacity.

Better risk stratification is the practical solution. Modern transaction monitoring can process MSB account patterns at volume, flag genuine anomalies, and distinguish high-volume legitimate activity from structuring or layering. Banks that invest in sharper monitoring tools find they can serve MSB customers at compliance costs that are commercially viable. We've seen institutions cut their MSB-related alert volumes by more than 60 percent after retooling their monitoring rules, without exiting the segment.

Documentation discipline matters equally. If a bank has genuinely analyzed a customer type and concluded that risk is unmanageable even with enhanced controls, that analysis needs to be in writing, reviewed at MLRO level, and approved by senior management. Undocumented exits based on informal policy are the ones that attract examiner attention.

The question to settle before any exit: is this closure driven by a documented assessment that the risk is genuinely unmanageable, or by the fact that it's cheaper and easier than building adequate controls? Regulators increasingly know the difference, and enforcement records show they're willing to act on it.


Related terms and concepts

De-risking intersects with several concepts that compliance teams need to keep distinct in practice.

Financial exclusion is the aggregate outcome de-risking produces at scale. When enough banks exit the same customer categories, individuals and businesses in those segments lose access to formal financial services entirely. The FATF, World Bank, and G20 Financial Inclusion Framework have all identified financial exclusion as a systemic risk amplifier, particularly in developing markets where informal channels carry minimal AML controls.

The Risk-Based Approach (RBA) is the framework that de-risking contradicts. Under an RBA, institutions assign each customer a risk rating based on documented factors, then apply controls proportionate to that rating. High-risk customers get enhanced scrutiny; lower-risk customers get lighter treatment. The RBA requires individual assessment. De-risking replaces that assessment with a categorical decision, which is why the two are fundamentally incompatible.

Correspondent banking withdrawal is the highest-profile form of de-risking at the institutional level. When a major correspondent exits a respondent relationship, the respondent loses access to USD or EUR clearing capacity. The impact is asymmetric: small banks in frontier markets feel it acutely, while the exiting institution typically replaces the lost revenue quickly through other relationships.

Adverse Media screening sometimes accelerates de-risking decisions. A high-profile enforcement case involving one actor in a sector, amplified by negative news coverage, can trigger pressure to exit the entire sector even when the majority of participants are legitimate. Compliance teams should treat adverse media as an input to individual risk assessment, not as a trigger for categorical exits.

Suspicious Activity Reports (SARs) are often what's missing from de-risked relationships. When a bank exits a customer category instead of monitoring it, it loses the ability to detect and report suspicious activity in that segment. The regulator doesn't receive the SAR. The intelligence gap this creates can ultimately be harder to defend than the compliance cost the bank was trying to avoid.


Where does the term come from?

The term entered mainstream financial regulation vocabulary around 2013-2015, coinciding with a wave of U.S. enforcement actions against banks for AML deficiencies. HSBC's $1.9 billion settlement with the U.S. Department of Justice in 2012 accelerated the trend; banks scrambled to exit relationships that could expose them to similar penalties.

The Financial Stability Board formally documented the phenomenon in its 2015 "Correspondent Banking Data Report," and the term appeared in FATF guidance the same year. The World Bank's "Withdrawal from Correspondent Banking: Where, Why, and What to Do About It" report (2015) quantified the scale: 75 percent of large global banking groups reported reducing correspondent relationships between 2009 and 2015, with sub-Saharan Africa, Latin America, and Pacific island economies hardest hit.


How FluxForce handles de-risking

FluxForce AI agents monitor de-risking-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
