Author
Abdul Azeem
LLB (Hons) LLM
Derisking as Defence: Managing Unacceptable AML/CFT Exposure in the UAE
Derisking is the compliance decision to terminate or decline a business relationship with a client because that client presents an unacceptable level of money laundering or terrorism financing (ML/TF) risk. Policymakers often scrutinise derisking for its potential to hinder financial inclusion, but for a regulated entity in the UAE it is a vital, self-protective mechanism required by the Risk-Based Approach (RBA).
The Compliance Exit: Structuring a Strategic Derisking Protocol
When a client's profile crosses a predetermined risk threshold, whether because of geopolitical factors, involvement in a high-risk sector, or persistent issues uncovered during Ongoing Monitoring, the MLRO must weigh the commercial benefit of the relationship against the potentially catastrophic cost of non-compliance. Our advisory service frames derisking not as an act of avoidance but as a calculated defence of the firm's global banking access, licence integrity, and corporate reputation.
When is Derisking Justified? The MLRO’s Threshold
The decision to derisk is highly sensitive and must rest on objective, documented triggers, not speculation. A strategic derisking process is warranted when standard or Enhanced Due Diligence (EDD) cannot reasonably mitigate the identified risks. Common triggers include:
Unverifiable Information: Persistent failure to provide complete or verifiable KYC or UBO documentation upon request.
Adverse Intelligence: Confirmation of significant, credible Adverse Media or links to jurisdictions deemed high-risk by the FATF or local authorities.
Risk Profile Mismatch: Transactional activity fundamentally inconsistent with the client’s declared Customer Risk Rating (CRR), declared business model, or expected source of funds/wealth.
Sanctions Proximity: Direct or indirect ownership connections to entities or individuals on local or international Sanctions Lists.
Regulatory Direction: Specific instruction or heightened scrutiny from a Supervisory Authority related to the client or the client’s sector.
The Protocol: Executing a Compliant Exit
A poorly executed derisking can itself generate regulatory risk, inviting legal challenges or accusations of improper conduct. The process therefore requires a clear, auditable protocol:
Risk Re-Assessment and Documentation: The MLRO must complete a final, comprehensive CRR update, documenting the precise reasons why the residual ML/TF risk is now deemed unacceptable and cannot be mitigated by further controls.
STR Determination: Critically, the MLRO must determine if the conduct leading to the derisking decision requires the immediate submission of a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) via the GoAML platform. The decision to exit the relationship must not prejudice the reporting obligation.
Senior Management Approval: The high-stakes nature of derisking necessitates documented approval from the highest level of the organisation’s senior management or board.
Controlled Termination: The exit strategy must adhere to all contractual and legal notification requirements. The process must be clean, coordinated, and designed to minimise the chance of the client attempting to transfer funds or assets in a manner that could be deemed suspicious.
Record Retention: All correspondence, risk reports, internal decision memos, and KYC files relating to the client must be retained for the minimum mandated period (currently five years after the relationship ends in mainland UAE, and six years in the DIFC and ADGM) to satisfy future regulatory audits.
Review Your Derisking Policy with a Compliance Expert
Derisking is the ultimate expression of the RBA; it protects the compliant majority by isolating the high-risk minority, ensuring the firm’s resilience against financial crime.