When a client calls me after receiving a letter from their bank, the first question is almost always the same: "What did we do wrong?"
The answer, in most cases, is nothing. The account is closing not because of anything the business did, but because of a category the business belongs to — a category the bank has decided, as a matter of policy, it no longer wishes to serve. The client has not been found to have done anything wrong. They have been classified. The distinction matters enormously, and it is almost never explained in the letter.
De-risking is one of those terms that has migrated from regulatory language into everyday banking conversation without acquiring a clear meaning along the way. Clients hear it. Relationship managers use it. It appears in letters explaining why an account is being closed or a relationship terminated. And yet almost nobody who encounters it understands what it actually describes — or why it is happening to them specifically.
The confusion is not accidental. De-risking, as banks use the term, does not describe a judgement about a specific business. It describes a systemic response to regulatory pressure — one that produces outcomes for individual clients that have very little to do with anything those clients have actually done.
Over the past two decades, banks in developed jurisdictions have faced a sustained and accelerating increase in regulatory pressure around financial crime. Anti-money laundering requirements have become progressively more demanding. Sanctions compliance has expanded in scope and in the severity of consequences for violations. The penalties for failing to detect and report suspicious activity have grown substantially: regulatory fines in the hundreds of millions, sometimes billions, of dollars; personal liability for senior compliance officers; reputational damage that affects share prices and franchise value.
In this environment, a bank's compliance function operates under conditions of asymmetric penalty. The cost of a compliance failure — a sanctions violation, a finding that the bank processed funds for a prohibited client — is very large. The cost of being overly cautious — of declining a relationship that turned out to be entirely legitimate — is relatively modest.
The rational response to this asymmetry is to reduce exposure at the margin: not by reviewing every client relationship with greater rigour, which would be prohibitively expensive, but by identifying categories of clients whose risk profile appears elevated in the aggregate — and exiting those categories as a matter of policy.
This is de-risking. It is a portfolio-level decision, not a client-level one.
When a bank decides to de-risk a category of clients, it does not review each client individually and make a considered judgement about whether that specific relationship is acceptable. It identifies the category — defined by geography, by industry, by corporate structure, by the presence of certain types of counterparty or transaction — and exits it as a whole.
The categories that attract de-risking are broadly predictable: businesses with complex cross-border structures involving multiple jurisdictions, particularly those that include low-tax or offshore elements; businesses with cryptocurrency exposure; businesses operating in sectors with elevated financial crime associations; and businesses incorporated or operating in jurisdictions that appear on internal country risk matrices in elevated categories.
A business that falls into one of these categories does not fall into it because of anything it has done. It falls into it because the category exists, because the bank has decided the category carries more regulatory risk than it wishes to carry, and because the policy applies to the category regardless of the individual merits of the businesses within it.
The effect, for an individual business, is indistinguishable from being found to have done something wrong. The account closes. The relationship ends. The letter — if there is one — uses language like "a change in our risk appetite" or "a strategic review of our client portfolio." None of this explains what has actually happened. None of it gives the business any basis on which to respond, because the decision was never about the business specifically.
Geography is one of the most significant de-risking triggers, and one of the least understood by the businesses it affects.
I work primarily from Cyprus, and I see this pattern regularly. A company incorporated here, conducting entirely legitimate business across multiple jurisdictions, finds that certain banks in the United Kingdom or Germany are unwilling to maintain a relationship — not because of anything the company has done, but because Cyprus appears on internal country risk matrices in a category the bank's policy requires it to avoid. The business is not being judged. Its address is.
A group with a subsidiary in a jurisdiction that has been subject to FATF grey-listing — the Financial Action Task Force's monitoring list for countries with identified deficiencies in their anti-money laundering frameworks — will find that correspondent banks become reluctant to process transactions connected to it, regardless of what those transactions actually are. A subsidiary that made sense operationally is now creating banking friction for the entire group, not because of what it does, but because of where it sits.
This is the aspect of de-risking that is hardest to accept: the bank is not making a judgement about the client at all. It is making a judgement about a place. And the client, who cannot simply relocate their entire structure, absorbs the consequence.
De-risking is not a finding that a business has done something wrong. It is not a regulatory sanction. It is not a conclusion that the client's funds are of suspicious origin or that any law or regulation has been violated.
This distinction matters enormously, because the practical effect — the loss of a banking relationship — can look and feel identical to the consequence of having been found to have committed a financial crime. The account closes in the same way. The funds are returned in the same way. The relationship ends.
But the underlying reality is entirely different. De-risking is a commercial decision by a bank operating under regulatory pressure, applied at a portfolio level, with no implication about the specific conduct of the specific client. A business that has been de-risked has not been accused of anything. It has been caught in a category.
This distinction matters for practical reasons as much as emotional ones. A business that believes it has been found to have done something wrong will try to defend its conduct — which is irrelevant, because conduct was never the issue. A business that understands it has been caught in a systemic classification will focus instead on the classification: on how it is perceived, how its structure reads, and how it can position itself to fall outside the categories that attract de-risking. That is a problem with a structural answer.
De-risking cannot be eliminated. It is a systemic feature of the current banking environment, and it will persist for as long as the regulatory pressure that created it persists. But its impact on a specific business can be managed — and the businesses that manage it most effectively are those that address it structurally, not reactively.
The first step is an honest assessment of how the business looks from the outside: which de-risking categories it falls into, which jurisdictions create exposure, which elements of the corporate structure are likely to trigger conservative treatment. This assessment has to be conducted from the bank's perspective, not the client's. What looks like an obvious and legitimate business arrangement from the inside often reads, from outside, as precisely the pattern the bank's de-risking policy was designed to avoid.
The second is separation where separation is possible. Elements of the business that trigger de-risking categories — a cryptocurrency layer, a subsidiary in a higher-risk jurisdiction — can often be held in separate legal entities, architecturally distinct from the entities that maintain the banking relationships that matter most. A cryptocurrency layer that is properly separated does not disappear from the structure, but it stops contaminating the risk assessment of entities to which it has no direct connection.
The third is the narrative. A bank that has adopted a de-risking policy applies it at the category level. But the category level is precisely where the narrative can intervene. A business that presents itself clearly — whose structure is coherent, whose cross-border or cryptocurrency elements come with explanation already attached — gives the compliance officer a reason to look past the category-level concern and assess the relationship on its specific merits. Some banks have adopted categorical de-risking policies that genuinely do not allow for individual assessment. But many have not. For those banks, the quality of the narrative is a real determinant of the outcome — and a well-prepared narrative has saved relationships that a silent file would have lost.
For international businesses operating across multiple jurisdictions, with complex structures and any degree of cryptocurrency exposure, de-risking is a permanent feature of the banking landscape. Relationships will end for reasons that have nothing to do with conduct. Letters will arrive that explain nothing useful.
The question is not whether de-risking will affect the business. It will. The question is whether the business is positioned to manage it: whether banking relationships are diversified across multiple institutions so that no single de-risking decision is catastrophic; whether the most sensitive relationships are held in entities with the lowest de-risking exposure; whether the narrative is ready to be deployed quickly when a relationship comes under pressure.
Businesses that treat de-risking as something that simply happens to them — an external force against which they are helpless — are right that the force is external. They are wrong that they are helpless. The architecture of a corporate structure, and the narrative that describes it, determine which category a bank places a business in. That architecture and that narrative are things the business controls.
In a banking environment shaped by systemic de-risking, structure is not just a legal or tax consideration. It is the primary tool available for managing the relationships that the business depends on. The businesses that understand this — and build accordingly — are the ones that keep the banking access that everyone else is quietly losing.
Vladimir Shuvalov works with international businesses and private clients on corporate structure, banking acceptability, and cryptocurrency architecture from Nicosia, Cyprus.
Thinking Globally — thinking-globally.com
Thinking Globally Consulting Limited
Registered in England & Wales · Company No. 17138834
128 City Road, London EC1V 2NX, United Kingdom
© 2026 Thinking Globally Consulting Limited · All rights reserved