EBA’s Anti-De-Risking Framework: EBA-Guidelines on policies and controls for the effective management of ML/TF risks when providing access to financial services
For years, many financial institutions responded to elevated AML/CFT risks with a simple solution:
Reject the customer.
This practice — commonly referred to as “de-risking” — became widespread across the EU, particularly affecting:
- refugees,
- asylum seekers,
- payment institutions,
- fintechs,
- NGOs/NPOs,
- customers linked to higher-risk jurisdictions,
- politically exposed persons (PEPs),
- vulnerable individuals without traditional identification documents.
Now, the European Banking Authority (EBA) has fundamentally changed the supervisory narrative.
With the publication of the EBA Guidelines on policies and controls for the effective management of ML/TF risks when providing access to financial services (EBA/GL/2023/04), institutions are no longer expected to simply avoid risk.
They are expected to manage it.
What Are the EBA De-Risking Guidelines?
The EBA Guidelines EBA/GL/2023/04 establish a new EU-wide framework for:
- AML/CFT risk management,
- customer onboarding,
- access to financial services,
- proportionality,
- and anti-de-risking governance.
The Guidelines were issued in response to growing concerns that financial institutions were:
- rejecting entire categories of customers,
- using AML/CFT as blanket justification,
- and excluding legitimate individuals and businesses from the financial system without proper individual assessment.
The EBA explicitly states that blanket de-risking may indicate ineffective AML/CFT risk management.
This is a major regulatory shift.
Why the EBA Issued These Guidelines
The EBA identified significant negative consequences caused by unwarranted de-risking, including:
- financial exclusion,
- increased use of unregulated payment channels,
- reduced transaction transparency,
- marginalisation of vulnerable persons,
- and reduced effectiveness of financial crime prevention.
According to the EBA, access to financial services is:
“a prerequisite for participation in modern economic and social life.”
The Guidelines therefore aim to balance:
- effective AML/CFT controls,
with - fair access to financial services.
The Core Principle: No Blanket De-Risking
The most important message in the Guidelines is clear:
Financial institutions must not reject customers solely because they belong to a higher-risk category.
Instead, institutions must:
- differentiate between category-level risk and individual customer risk,
- perform customer-specific risk assessments,
- and apply proportionate mitigating measures before rejecting a customer.
This means:
- no automatic rejection of PEPs,
- no automatic refusal of refugees,
- no category-wide exclusion of fintechs or payment institutions,
- no discriminatory onboarding models.
AML/CFT Compliance Is No Longer Binary
Historically, many institutions treated AML/CFT onboarding as a binary decision:
- Accept
or - Reject.
The EBA now promotes a third option:
Controlled Access
Institutions are expected to consider targeted risk mitigation measures before terminating or refusing a relationship.
Examples include:
- transaction limits,
- country restrictions,
- reduced product functionality,
- deposit caps,
- enhanced monitoring,
- limitations on third-party payments,
- restrictions on foreign transfers,
- basic payment accounts.
This is one of the most operationally important changes introduced by the Guidelines.
Enhanced Monitoring Instead of Exclusion
The EBA strongly encourages institutions to:
- intensify monitoring,
rather than - deny access outright.
Financial institutions are expected to:
- define expected customer behaviour,
- monitor transaction patterns,
- regularly reassess risk profiles,
- update customer information,
- review deviations from expected activity.
This aligns directly with the EU’s broader risk-based AML/CFT framework.
New Documentation Requirements for Rejected Customers
One of the most significant governance implications is the mandatory documentation requirement.
Institutions must now document:
- every refusal,
- every termination,
- and the reasons behind those decisions.
Supervisors increasingly expect evidence that:
- mitigating measures were considered,
- proportionality was applied,
- decisions were not discriminatory,
- and the institution followed a documented process.
This creates a new audit trail requirement for:
- Compliance,
- AML/CFT functions,
- Internal Audit,
- Risk Management,
- and governance teams.
Alternative Identification for Vulnerable Customers
The Guidelines specifically address customers who cannot provide traditional identity documentation.
This includes:
- refugees,
- asylum seekers,
- homeless persons,
- vulnerable individuals without fixed addresses.
The EBA allows institutions to consider alternative forms of identification, such as:
- expired ID documents,
- social services documentation,
- Red Cross confirmations,
- migration authority documents,
- local authority certifications.
This is highly relevant for:
- onboarding policies,
- branch procedures,
- remote onboarding frameworks,
- digital KYC solutions.
Digital Onboarding and AI Risks
The Guidelines also target automated onboarding systems.
The EBA warns institutions that:
- digital onboarding solutions,
- automated decision engines,
- AI-based onboarding models,
must not produce discriminatory outcomes.
This is particularly important where:
- nationality,
- customer segmentation,
- geography,
- or vulnerable customer characteristics
could indirectly trigger automated rejection.
Institutions must therefore ensure:
- explainability,
- proportionality,
- governance over AI decisions,
- and non-discriminatory onboarding logic.
Impact on AML/CFT and Compliance Functions
The operational impact of the Guidelines is substantial.
Financial institutions may need to redesign:
- onboarding frameworks,
- customer acceptance policies,
- transaction monitoring logic,
- escalation procedures,
- rejection documentation processes,
- vulnerable customer handling,
- digital onboarding governance,
- and audit trails.
The Guidelines also increase expectations regarding:
- governance,
- explainability,
- proportionality,
- and evidence-based decision-making.
AMLA and the Future of AML/CFT Supervision
These Guidelines are widely viewed as a preview of the future AMLA supervisory philosophy.
The emerging EU AML framework increasingly expects institutions to:
- manage risk professionally,
rather than - eliminate risk through exclusion.
This reflects a broader transformation in European AML/CFT supervision:
from:
- defensive de-risking,
towards: - intelligent, proportionate, evidence-based risk management.
Key Takeaways
The EBA’s anti-de-risking Guidelines fundamentally reshape AML/CFT governance in the EU.
The new expectations are clear:
- No blanket de-risking
- No automated exclusion without individual assessment
- Enhanced monitoring before rejection
- Mandatory documentation of refusals
- Proportionate risk mitigation
- Fair access to financial services
- Governance over onboarding algorithms
- Controlled inclusion instead of binary exclusion
For AML/CFT, Compliance, Risk and Internal Audit functions, these Guidelines are no longer a theoretical policy paper.
They are becoming a core supervisory expectation for the AMLA era.