The letter arrives with little warning. The account is being closed. No detailed explanation. No clear path forward. For high-risk merchants, understanding why this happens — and what drives it — is the first step toward preventing it.

De-risking is one of those industry terms that gets used frequently and understood rarely. For merchants who have experienced it, it tends to arrive as a sudden termination notice — a letter from an acquirer or payment provider stating that the relationship is being ended, typically with minimal explanation and a short notice period. For those who haven't experienced it yet, it exists as a background anxiety: the awareness that the payment infrastructure holding the business together could be withdrawn at any point.

Understanding what de-risking actually is, why it happens, and what drives it — at the structural level, not just the surface level — matters for any merchant operating in a high-risk vertical. It changes how you think about acquirer relationships, how you manage your processing profile, and what you can do to make your business a less obvious candidate for the exit.

The Definition

De-risking has a precise definition in regulatory terms. The European Banking Authority describes it as decisions taken by financial institutions to refuse to enter into, or to terminate, business relationships with individual customers or categories of customers associated with higher money laundering or terrorist financing risk, or to refuse to carry out higher-risk transactions. The Financial Action Task Force (FATF) defines it similarly: the termination or restriction of business relationships with clients or categories of clients to avoid, rather than manage, risk.

Both definitions share an important word: avoid. De-risking, as regulators understand it, is the choice to exit a relationship rather than invest in the controls required to manage it. That distinction — avoid versus manage — is central to understanding the whole phenomenon. It is not fundamentally about whether a merchant is operating illegally or causing fraud. It is about whether the compliance cost of serving that merchant category is worth the revenue it generates.

Three-panel graphic showing official definitions of de-risking from FATF, the EBA, and the US Treasury

What Actually Drives It

The US Treasury's 2023 De-risking Strategy — the most comprehensive official analysis of the phenomenon — found that profitability is the primary factor in financial institutions' de-risking decisions. Not fraud rates. Not the risk profile of individual merchants. Profitability. And profitability in this context is shaped by a specific calculus: the cost of implementing the AML and compliance controls required to serve a high-risk customer category, weighed against the revenue that category generates.

When regulators tighten AML requirements — which they have done consistently and significantly over the past decade — the cost of monitoring high-risk merchant relationships increases. Enhanced due diligence, transaction monitoring, KYC documentation, ongoing review: these are not cheap to implement, and they scale with the perceived risk of the customer. For a bank or acquirer with a large, diversified portfolio, the rational response to rising compliance costs is often to exit the categories that generate the highest monitoring burden relative to their revenue contribution.

The result is what regulators call wholesale de-risking: the exit from an entire industry category rather than a case-by-case assessment of individual customers within it. An acquirer does not decide that a specific iGaming merchant is too risky based on their actual fraud rates and chargeback history. They decide that iGaming as a category exceeds their compliance risk appetite, and they exit all of it. Individual merchants with clean processing records lose their accounts not because of anything they have done, but because of the category they belong to.

This is precisely why FATF has explicitly stated that wholesale de-risking is not in line with its risk-based approach. The FATF Recommendations require financial institutions to terminate customer relationships on a case-by-case basis, only where money laundering and terrorist financing risks cannot be mitigated — not to cut loose entire classes of customers without individual assessment. The EBA has issued the same guidance in the EU context. The practice is widespread. The regulatory disapproval of it is equally clear.

Five-step flow diagram showing why de-risking happens — from rising AML compliance costs to the wholesale exit decision

How VAMP Changed the Equation

De-risking has been a feature of the payment landscape for well over a decade. But Visa's introduction of the Visa Acquirer Monitoring Program (VAMP) in April 2025 added a new and significant pressure point that has accelerated the dynamic considerably.

VAMP changed the compliance calculus for acquirers in a fundamental way. Under the previous framework, Visa monitored merchants and acquirers through separate programs. Under VAMP, all fraud alerts (TC40) and disputes (TC15) across a merchant's processing activity are combined into a single ratio, and the acquirer is held directly responsible for that ratio at the portfolio level. If the acquirer's aggregate VAMP ratio across all their merchants exceeds the threshold, Visa fines the acquirer — not the individual merchant.

From April 2026, the thresholds tightened further. The Merchant Excessive tier sits at 1.5%, and the acquirer Above Standard threshold dropped to 0.5%. This means acquirers are now managing their entire merchant portfolio against a tight aggregate ceiling, with direct financial penalties for breach. The rational response — as has been widely observed across the industry — is to exit merchants whose fraud and dispute rates push the acquirers portfolio ratio toward those thresholds. High-risk merchants, who by nature of their verticals run higher dispute rates than standard ecommerce merchants, are the obvious candidates for removal.

VAMP did not create de-risking. But it created a direct, automated, financially quantified incentive for acquirers to proactively trim their portfolios of high-risk relationships — and it made the decision easier to justify internally, because it is now a compliance obligation rather than a discretionary risk management call.

Two-column graphic showing how VAMP creates de-risking pressure on acquirers and how they respond by exiting high-risk merchants

De-risking rarely stops at the first relationship. When a bank decides to exit a high-risk category, payment institutions and electronic money institutions (EMIs) that rely on that bank for their own processing capability can be caught in the same exit. The EBA has explicitly acknowledged this cascade in its 2022 Opinion on de-risking, noting that the phenomenon affects "customers that are themselves institutions such as payment institutions and electronic money institutions." A merchant who has never had a direct relationship with the exiting bank can find their account terminated because their processor's banking partner has changed its risk appetite.

The consequences for a merchant caught in this position are severe and immediate. Processing stops. Revenue stops flowing. Funds already in the system may be held in reserve during a review period. And — critically — the merchant's options for finding a replacement acquirer are constrained by the time pressure of the situation. Underwriting for high-risk merchants takes time. A merchant negotiating from a position of urgency, with a recent termination on record, is negotiating from a position of weakness.

If the termination results in placement on the MATCH list — the industry's shared record of merchants whose accounts have been terminated for cause — the difficulty of finding alternative processing compounds dramatically. Most acquirers screen against the MATCH list as a standard part of their onboarding process.

Timeline showing the de-risking cascade from bank exit through processor impact to MATCH list risk for merchants

What You Can Do

The structural drivers of de-risking — compliance cost economics, VAMP pressure, reputational risk management — are not within any individual merchant's control. What is within a merchant's control is the profile they present to their acquirer, and how much operational leverage they have if a relationship does end.

Maintain a clean processing profile actively, not reactively. Chargeback ratios, fraud rates, and dispute volumes are the numbers acquirers watch. A merchant who manages these numbers proactively — through pre-dispute tools like Verifi RDR and Ethoca Alerts, through clear billing descriptors, through fast customer service resolution — is a materially different risk proposition than one who doesn't. In a portfolio review triggered by VAMP pressure, the merchants who get retained are those who can demonstrate active management of the metrics that matter.

Never rely on a single acquirer. The single most important structural decision a high-risk merchant can make is to avoid single-provider dependency. Multiple acquiring relationships mean that no single bank's exit from a category can halt all processing. It also means the merchant has existing relationships and processing history when alternatives need to be activated — not a cold start under time pressure.

Know your acquirer's risk appetite. Not all acquirers serving high-risk verticals have the same tolerance for specific industries, transaction volumes, or chargeback rates. A specialist acquirer with deep experience in your vertical will have built their compliance infrastructure around it — and will be less likely to exit that vertical when regulatory pressure increases, because it is their core business rather than a peripheral exposure they can afford to shed.

Maintain documentation of your compliance posture. When an acquirer reviews its portfolio under VAMP pressure, the merchants who can provide clear documentation of their fraud controls, dispute management processes, and compliance frameworks are easier to retain than those who cannot. Treating compliance documentation as a commercial asset — not just a regulatory obligation — changes how acquirers perceive the relationship.

MMG Payment Gateway featured image — What De-Risking Actually Means and Why It Keeps Happening to High-Risk Merchants

De-risking is not going away. The compliance cost pressures that drive it are structural, the VAMP framework has added a new and automated enforcement layer, and the direction of regulatory travel in the EU continues toward tighter requirements — not looser ones. For high-risk merchants, the question is not whether the environment is fair. It is whether the business is positioned to operate stably within it.

De-risking is a structural problem. Choosing the right acquirer is not. MMGCorporation specializes in high-risk merchant acquiring — talk to us about your processing setup.