
Russia on the EU high-risk list: How to apply EDD without de-risking

EU added Russia to its high-risk third-country list

In December 2025, the European Commission adopted a delegated regulation to add Russia to the EU list of high-risk third countries for AML/CFT purposes. For many institutions, the immediate reflex is simple: reduce exposure fast - often through de-risking. 


But this is exactly where risk-based compliance is tested. Many supervisors discourage blanket de-risking, and some explicitly prohibit exiting entire categories of customers without a case-by-case assessment. In practice, that makes EDD the more workable path - but only if it is applied in a way that is consistent, operationally achievable, and defensible. 


So before we talk about how to apply EDD properly, it’s worth being clear on what de-risking means, and why it creates risk of its own.


What “de-risking” means


De-risking is the practice of terminating or refusing the establishment of business relationships with entire categories of customers, primarily to avoid risk rather than manage it through a risk-based AML/CFT framework. 


To be clear: exiting a relationship can be fully justified when residual risk cannot be mitigated. The issue is the blanket approach, for example:


  • “we don’t onboard this whole category,”

  • “we exit anyone with a certain link,”

  • “we withdraw support for specific cross-border routes altogether,”


without showing why the individual risk cannot be controlled.


Why supervisors discourage it (and why some prohibit it)


The FATF has clarified that terminating relationships should be case-by-case, and “de-risking” should not be used as a shortcut to avoid implementing a proper risk-based approach. 

At EU level, the EBA has documented de-risking across the EU and has raised concerns about unwarranted practices that cut off access without adequate individual assessment. 

And some national regulators go further. In Cyprus, the Central Bank of Cyprus AML/CFT Directive (Κ.Δ.Π. 120/2025) states that obliged entities must ensure their policies and controls do not lead to a general refusal or termination of business relationships with whole categories of customers they consider higher risk. Instead, firms must assess each relationship separately, document decisions, and consider alternative risk mitigants before refusing or terminating; decisions must be proportionate, reasoned, and available to supervisors if requested. 


That framing matters. In many cases, blanket de-risking is not a compliant “safe option.” You need a way to manage heightened exposure, especially after a listing decision like Russia’s, through controls you can actually operate and evidence.


Why EDD is usually a better path


EDD is built for this moment: where risk is higher, scrutiny is higher, and the institution needs to demonstrate it can understand, mitigate, and monitor risk within appetite, without automatically exiting the customer.


The goal of EDD is not just to “collect more documents.” The goal is to reduce uncertainty around the specific risk drivers and build a monitoring approach that catches the signals an entity needs in order to mitigate the higher risks.


Russia on the EU High-Risk AML List: EDD in Practice


Russia’s EU high-risk listing increases expectations around enhanced due diligence (EDD). Here are some tips to apply EDD in a way that is consistent, proportionate, and well-documented:


1) Define what “Russia exposure” means in your context


Treat Russia-linked relationships as higher risk and apply EDD as per your national AML/CFT law. Then define how the Russia link appears in the relationship, so you can target controls and document decisions consistently, for example:


  • customer residence or tax residency,

  • place of incorporation / main place of business,

  • UBO/control links,

  • counterparties and payment links,

  • intermediaries and third-party involvement.


This becomes the foundation of consistent decisions (and consistent evidence standards).


2) Start EDD with a clear risk hypothesis


Use EDD to document (1) what could go wrong, (2) what you will do to mitigate it, and (3) what you will monitor to detect problems early.

Write the risk drivers in plain language (not generic “high risk”):

  • opacity in ownership/control,

  • commercial rationale does not match activity,

  • repeated third-party payments without explanation,

  • complex chains across multiple jurisdictions,

  • adverse information that affects integrity and credibility.


If the team cannot articulate the driver, EDD becomes random and inconsistent.


3) Use targeted EDD: match evidence to the risk driver


Generic “high-risk” checklists usually cause one of two outcomes: you either create unnecessary friction, or you collect documents that add no real comfort.


Build targeted EDD modules and apply only the evidence that mitigates the specific risk you identified:


  • Ownership & control clarity: deeper verification of UBO/control chain; explanation of structure; corroboration where feasible.

  • Source of wealth / source of funds: evidence proportional to profile, plus a narrative linking wealth → funds → expected activity.

  • Purpose & expected activity: why this product, why these corridors/counterparties, expected volumes and frequency, what would be “unusual.”

  • Counterparty/channel risk: intermediaries, third parties, payment chain logic, and why it makes sense commercially.

  • Integrity/adverse information: documented assessment, follow-up questions, and outcome.


Consistency is the point: similar profiles should lead to similar evidence standards and similar outcomes.


4) Turn EDD into ongoing monitoring


EDD doesn’t stop at onboarding. Once you accept a higher-risk relationship, you must monitor both the customer profile and the activity.


Translate the risk drivers into clear monitoring expectations, for example:


  • More frequent profile reviews: refresh CDD/EDD more often (e.g., every 6 months instead of annually), and reassess risk when material information changes.

  • Tighter “expected vs actual” controls: set clearer thresholds for variance from the expected activity profile (volumes, frequency, counterparties, geographies, channels).

  • Defined trigger events: escalate when you see ownership/control changes, new jurisdictions, sudden spikes, new third-party patterns, or shifts in business rationale.

  • Practical escalation paths: specify who reviews exceptions, who approves continuation, and how quickly decisions must be made.


This is how you show you manage residual risk over time.


5) Put governance around residual-risk acceptance


When you accept a higher-risk relationship, document the decision clearly:


  • who approved it (and at what level),

  • what conditions apply (limits, permitted products/corridors, review frequency),

  • what triggers escalation or exit.


This protects frontline teams and makes decisions defensible under supervisory scrutiny.


6) Define relationship exit criteria - individually, not by category


A case-by-case approach still includes exits. Define evidence-based exit reasons, for example:


  • inability to complete CDD/EDD to the required standard,

  • repeated, unexplained deviations from expected activity,

  • credible new adverse information that changes the integrity assessment,

  • residual risk remains outside appetite even after applying additional controls.


This supports case-by-case decision-making and prevents blanket outcomes (terminate only when you cannot mitigate the risk).


A simple test: can you support this decision?


If a supervisor picks up a file, they should be able to see, quickly:


  1. what the risk is,

  2. what you did to mitigate it,

  3. who approved the outcome, and

  4. how you will monitor it going forward.


That is the difference between EDD that exists and EDD that works.


Conclusion


Russia’s addition to the EU high-risk AML/CFT list increases expectations around enhanced due diligence and the quality of decision-making evidence in files.


Apply EDD in a way that teams can operate consistently. Define what Russia-linked exposure means in your business model, document the specific risk drivers, request evidence that addresses those drivers, and set monitoring expectations for both customer information and transaction activity. Record approvals, conditions, and individual exit criteria clearly.

This approach supports case-by-case decision-making after Russia’s EU high-risk listing and strengthens the institution’s ability to evidence control under supervisory scrutiny.

 

 
