The 'High-Risk' Label Is Broken — Here's How to Fix It

I want to make a case that might seem surprising coming from the CEO of a specialist payment business that serves what the industry calls "high-risk" clients: the "high-risk" label, as currently used, is doing more harm than good. It's not that the concept of risk differentiation is wrong — it's that the category has been so bluntly applied, so inconsistently defined, and so routinely weaponised as a substitute for genuine risk assessment that it now actively undermines the financial crime objectives it was designed to serve. Let me explain what I mean and what I think should replace it.

The Problem with Categories

When a bank's risk appetite framework categorises a business sector as "high-risk" or "prohibited," that decision removes individual assessment from the equation. The licensed iGaming operator with nine years of clean transaction history is treated identically to an unlicensed offshore gambling site. The FCA-authorised crypto exchange with institutional-grade AML systems gets the same "no" as a wallet service operating without supervision. The legal cannabis company in a regulated Canadian market is declined at the same rate as a criminal drug distribution operation.

This is not risk management. This is risk avoidance dressed up as risk management. The distinction matters enormously because genuine risk management — the kind that actually reduces financial crime — requires accurate discrimination between high-risk entities within a sector and lower-risk entities within the same sector. Blanket category refusal doesn't make that discrimination. It simply pushes all entities in the category toward less regulated channels, reducing overall visibility of their financial flows and creating exactly the intelligence gap that financial crime prevention frameworks are supposed to prevent.

What 'High-Risk' Actually Contains

The categories routinely labelled high-risk by major banks include: gambling and iGaming, cannabis, adult entertainment, firearms retailers, money services businesses, crypto and digital assets, payday lending, and multi-level marketing. Let me ask a simple question: what is the actual financial crime rate within the legitimately licensed and regulated portion of each of these sectors?

The data, where it exists, is not what you'd expect from the category reputation. Licensed iGaming operators in MGA or UKGC regulated markets have extensive AML programmes and produce substantial volumes of suspicious activity reports — which means they're generating financial intelligence, not concealing crime. Legal cannabis businesses in North America are typically subject to more intensive regulatory scrutiny than any comparable retail business. Firearms retailers in the UK operate under tight Home Office licensing. These are not sectors characterised by widespread financial crime at the licensed operator level. They're sectors where the licensing regime creates elevated compliance obligations and elevated monitoring — which should make them more transparent to the financial system, not less.

The Incentive Structure Problem

The deeper problem is the incentive structure within large banks' compliance functions. Compliance careers advance through finding and avoiding risks, not through accurately assessing and managing them. There is no reward mechanism for a compliance officer who correctly assesses that a licensed iGaming operator poses acceptable risk and recommends banking the relationship. There is significant career risk for that same officer if the client subsequently causes a problem — however remote the probability. The rational response to this incentive structure is to err heavily on the side of refusal. That's what we observe.

Fixing this requires changing the incentive structure, which requires either external pressure from regulators (the FCA has started applying this pressure, but inconsistently) or leadership from bank boards and CEOs who are willing to reframe accurate risk assessment as a core compliance competency. I don't see much evidence of the latter. The regulator route is slower but probably more realistic.

What Better Risk Assessment Looks Like

The alternative to category-based de-risking is entity-level risk assessment — which is, in fact, what the regulatory frameworks actually require. The FATF guidance, the FCA's risk-based approach, the EBA's guidelines on risk factors: all of them say that risk assessment should consider the specific characteristics of the client, not just the sector. The sector is an input, not a conclusion.

Entity-level assessment for a gambling business should consider: is the operator licensed, and by which authority? What is the quality of their AML programme — not in theory but as evidenced by their actual compliance documentation? What does their transaction history look like? What is their customer base — retail consumers in regulated markets, or unnamed players in unregulated jurisdictions? Who are the beneficial owners and what is their background? What is the mechanism for player fund segregation?

This assessment takes more time and more expertise than a category decision. But it produces a genuinely risk-proportionate answer — and it produces it in a way that regulators who actually read the frameworks should recognise as correct. The banks that are developing this capability are finding, unsurprisingly, that the risk profile of properly assessed specialist-sector clients is manageable and profitable.

What I'd Change Systemically

Three things. First, the FCA should publish explicit guidance confirming that blanket sector-based de-risking is not compliant with the risk-based approach requirements and constitutes a failure of proportionate risk assessment. They've hinted at this but haven't said it unequivocally. Second, the supervisory framework should require banks to report refusal rates by sector, so that systematic de-risking becomes visible and subject to supervisory challenge. Third, the industry needs to develop shared standards for what adequate risk assessment of high-risk sector clients looks like — so that banks have a reference framework to work from rather than making isolated judgments driven by reputational caution.

None of this eliminates the need for robust financial crime controls. Some businesses genuinely are too risky to bank, and every financial institution has the right — and obligation — to decline them. What it eliminates is the lazy shortcut of refusing entire sectors without looking at the entities within them. That shortcut costs the economy, harms legitimate businesses, and — I'd argue most importantly — makes the financial intelligence system worse, not better.