De-risking is one of those terms that has migrated from regulatory language into everyday banking conversation without acquiring a clear meaning along the way. Clients hear it. Relationship managers use it. It appears in letters explaining why an account is being closed or a relationship terminated. And yet almost nobody who encounters it understands what it actually describes — or why it is happening to them specifically.
The confusion is not accidental. De-risking, as banks use the term, does not describe a judgement about a specific business. It describes a systemic response to regulatory pressure — one that produces outcomes for individual clients that have very little to do with anything those clients have actually done.
Understanding what de-risking is, how it operates, and what it means for an international business that has never violated a single rule is the starting point for managing the risk it represents. And it is a risk worth understanding, because for the businesses most exposed to it, de-risking is not a theoretical concern. It is a recurring feature of commercial life.
To understand de-risking, it is necessary to understand the environment in which banks operate.
Over the past two decades, banks in developed jurisdictions — the United Kingdom, the European Union, the United States, and the major financial centres — have faced a sustained increase in regulatory pressure around financial crime. Anti-money laundering requirements have become progressively more demanding. Sanctions compliance has expanded in scope and in the severity of consequences for violations. The penalties for failing to detect and report suspicious activity have grown substantially: regulatory fines measured in hundreds of millions, sometimes billions, of dollars; personal liability for senior compliance officers; reputational consequences that affect share prices and franchise value.
In this environment, a bank's compliance function is not simply a cost centre. It is a risk management function operating under conditions of asymmetric penalty. The cost of a compliance failure — a sanctions violation, a finding that the bank processed funds for a prohibited client, a failure to detect a pattern of suspicious activity — is very large. The cost of being overly cautious — of declining a relationship that turned out to be legitimate — is relatively modest.
The rational response to this asymmetry is to reduce exposure at the margin. Not by investigating every client relationship with greater rigour, which would be prohibitively expensive. But by identifying categories of clients whose risk profile, in the aggregate, appears elevated — and exiting those categories, or refusing to enter them, as a matter of policy.
This is de-risking. It is a portfolio-level decision, not a client-level one.
When a bank decides to de-risk a category of clients, it does not review each client in that category individually and make a considered judgement about whether that specific relationship is acceptable. It identifies the category — defined by geography, by industry, by corporate structure, by the presence of certain types of counterparty or certain types of transaction — and exits it as a whole.
The categories that attract de-risking are broadly predictable. Correspondent banking relationships with banks in jurisdictions perceived as higher risk. Money service businesses — foreign exchange dealers, payment processors, remittance companies. Businesses operating in sectors with elevated financial crime exposure: gambling, weapons, cannabis where it is legally regulated. Businesses with complex cross-border structures involving multiple jurisdictions, particularly those that include low-tax or secrecy jurisdictions. Businesses with cryptocurrency exposure.
A business that falls into one of these categories does not fall into it because of anything it has done. It falls into it because the category exists, because the bank has decided the category carries more regulatory risk than it wishes to carry, and because the bank's de-risking policy applies to the category regardless of the individual merits of the businesses within it.
The effect, for an individual business, is indistinguishable from being found to have done something wrong. The account closes. The relationship ends. The letter — if there is one — uses language like "a change in our risk appetite" or "a strategic review of our client portfolio" or, occasionally, "de-risking." None of this explains what has actually happened. None of it gives the business any basis on which to respond, because the decision was never about the business specifically.
Geography is one of the most significant de-risking triggers, and one of the least understood by the businesses affected by it.
A company incorporated in Cyprus, conducting legitimate business across multiple jurisdictions, may find that certain banks in the United Kingdom or Germany are unwilling to maintain a relationship with it — not because of anything the company has done, but because Cyprus appears on internal country risk matrices in a category that the bank's de-risking policy requires it to avoid or limit.
A business with operations in a jurisdiction that has been subject to FATF grey-listing — the Financial Action Task Force's list of countries under increased monitoring for deficiencies in their anti-money laundering frameworks — will find that banks in correspondent relationships with institutions in that jurisdiction become reluctant to process transactions connected to it, regardless of the nature of those transactions.
An international group with a subsidiary in a jurisdiction that carries elevated risk perceptions — not necessarily because of anything specific about that subsidiary, but because of the jurisdiction itself — will find that the presence of that subsidiary affects how the entire group is treated by banks that have adopted a conservative de-risking posture.
This jurisdictional dimension is particularly significant for businesses that operate across multiple countries and cannot simply relocate. The de-risking is happening not to them but to their geography. The bank is not making a judgement about the client. It is making a judgement about a place.
De-risking is not a finding that a business has done something wrong. It is not a regulatory sanction. It is not a conclusion by the bank that the client's funds are of suspicious origin or that the client has violated any law or regulation.
This distinction matters enormously, because the practical effect of de-risking — the loss of a banking relationship — can feel, and look, identical to the consequence of having been found to have committed a financial crime. The account closes in the same way. The funds are returned in the same way. The relationship ends.
But the underlying reality is entirely different. De-risking is a commercial decision by a bank operating under regulatory pressure, applied at a portfolio level, with no implication about the specific conduct of the specific client. A business that has been de-risked has not been accused of anything. It has been caught in a category.
Understanding this distinction matters for practical reasons as well as emotional ones. A business that believes it has been found to have done something wrong will respond very differently from a business that understands it has been caught in a systemic classification. The former will try to defend its conduct, which is irrelevant. The latter will focus on the classification — on how it is perceived, how its structure reads, and how it can position itself to fall outside the categories that attract de-risking.
De-risking cannot be eliminated. It is a systemic feature of the current banking environment, and it will remain one for as long as the regulatory pressure that created it persists. But its impact on a specific business can be managed — and the businesses that manage it most effectively are those that address it structurally rather than reactively.
The structural approach to de-risking has three elements.
Understand which categories apply. The starting point is an honest assessment of how the business looks from the outside: which de-risking categories it falls into, which jurisdictions create exposure, which elements of the corporate structure — holding companies, cryptocurrency exposure, complex cross-border flows — are likely to trigger conservative treatment by banks operating under de-risking policies. This assessment has to be conducted from the bank's perspective, not the client's.
Separate what can be separated. Where elements of the business that trigger de-risking categories can be held in separate legal entities — distinct from the entities that maintain the banking relationships that matter most — that separation reduces the contamination risk. A cryptocurrency layer that is architecturally separate from the main banking entities does not disappear from view, but it ceases to affect the risk assessment of entities to which it has no direct connection. A subsidiary in a higher-risk jurisdiction that is properly separated from the group's primary banking entities limits the jurisdictional exposure of the group as a whole.
Build the narrative that pre-empts the classification. A bank that has adopted a de-risking policy applies it at the category level. But the category level is where the narrative operates. A business that presents itself clearly — whose structure is coherent, whose purpose is articulable, whose cryptocurrency or cross-border elements come with explanation already attached — gives the compliance officer reviewing it a reason to look past the category-level concern and assess the relationship on its specific merits. This does not always succeed. Some banks have adopted de-risking policies that are effectively categorical and do not allow for individual assessment. But many have not, and for those banks, the quality of the narrative is a genuine determinant of the outcome.
The practical reality for international businesses operating across multiple jurisdictions, with complex structures and any degree of cryptocurrency exposure, is that de-risking is a permanent feature of the banking landscape. It will happen. Relationships will end for reasons that have nothing to do with conduct. Letters will arrive explaining nothing useful.
The question is not whether de-risking will affect the business. The question is whether the business is positioned to manage it when it does: whether banking relationships are diversified across multiple institutions so that no single de-risking decision is catastrophic; whether the structure is organised so that the most sensitive banking relationships are held in entities with the lowest possible de-risking exposure; whether the narrative is ready to be deployed quickly and coherently when a relationship comes under pressure.
Businesses that treat de-risking as something that happens to them — an external force against which they are helpless — are right that the force is external. They are wrong that they are helpless. The architecture of a corporate structure, and the narrative that describes it, determine which category a bank places a business in. That architecture and that narrative are things the business controls.
In a banking environment shaped by systemic de-risking, structure is not just a legal or tax consideration. It is the primary tool available to a business for managing the relationship with the institutions it depends on. The businesses that understand this, and build accordingly, are the ones that maintain the banking access that everyone else is losing.
Vladimir Shuvalov is a legal and tax adviser with thirty years of experience in international corporate structuring, banking acceptability, and cryptocurrency architecture.
Thinking Globally — thinking-globally.com