Correspondent Banking Compliance: Navigating the Requirements

Correspondent banking — where one financial institution holds accounts for and executes transactions on behalf of another — is the infrastructure backbone of the global payments system. Without correspondent relationships, cross-border USD clearing, SWIFT access, and international trade finance would be impossible for the vast majority of financial institutions. Yet correspondent banking compliance has become one of the most contested and complex areas of financial regulation, as banks navigate the tension between anti-money laundering obligations and the systemic consequences of withdrawing from entire markets and customer segments.

The Wolfsberg Framework

The Wolfsberg Group — a consortium of thirteen global banks including HSBC, Citigroup, Deutsche Bank, and Goldman Sachs — has produced the most widely adopted private sector framework for correspondent banking compliance. The Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ) is the de facto industry standard for the information that correspondent banks require from respondent institutions before establishing and maintaining a relationship.

The CBDDQ, most recently updated in 2022, covers six core sections: entity and ownership information; regulatory and licensing status; AML/CTF programme details; sanctions programme; correspondent banking controls (including nested account management and payable-through account policies); and transaction monitoring capabilities. Completing and maintaining an accurate CBDDQ is a prerequisite for most correspondent relationships, and many correspondent banks have made CBDDQ submission through the Wolfsberg's SWIFT KYC Registry a condition of relationship maintenance.

The Wolfsberg Principles for Correspondent Banking

The Wolfsberg Correspondent Banking Principles (first published 2002, revised 2014) set out the risk-based approach that correspondent banks should take to managing respondent relationships. Key principles include: conducting customer due diligence on the respondent institution (not merely accepting a general banking licence as sufficient), assessing the quality of the respondent's AML programme, understanding the nature of the transactions that will flow through the account, and applying enhanced monitoring to relationships that involve nested accounts or payable-through access.

Due Diligence Requirements for Respondent Institutions

For a financial institution seeking to establish or maintain correspondent relationships, demonstrating AML programme quality to correspondents has become a significant operational focus. Correspondent banks' due diligence requirements typically include:

  • Ownership and management: Full beneficial ownership chart, biographies of senior management and key compliance personnel, board composition, and evidence of fit and proper assessment processes.
  • Regulatory status: Current licences, regulatory approvals, evidence of regulatory examination outcomes (without disclosing confidential supervisory information), and any material regulatory actions within the past three to five years.
  • AML programme documentation: Written AML policies, evidence of MLRO or BSA Officer appointment, training programme structure, SAR/CTR filing statistics where permissible, and third-party audit reports on AML compliance.
  • Sanctions programme: Confirmation of sanctions screening systems used, screening frequency, list sources, false positive management process, and any OFAC or OFSI voluntary disclosure or enforcement history.
  • Transaction profile: Description of the expected transaction volume, value, and counterparty geographies, to allow the correspondent to calibrate its own transaction monitoring for the relationship.

The quality and completeness of this documentation directly affects the correspondent bank's ability to justify the relationship to its own regulators. Respondent institutions that cannot provide this information, or that provide it late or incompletely, will face pressure on the relationship regardless of their underlying compliance standard.

Nested Accounts: The Highest-Risk Structure

Nested accounts — where the respondent institution's correspondent account is used to provide payment services to the respondent's own customers, who are unknown to the correspondent — represent the highest-risk structure in correspondent banking. The correspondent effectively provides payment services to customers it has never identified or assessed. This structure was a key vector in multiple major AML failures, including the 2012 HSBC enforcement action involving Mexican drug cartel proceeds channelled through correspondent accounts.

Wolfsberg Principle 7 requires correspondent banks to have policies for identifying and managing nested account risk. Respondent institutions that provide correspondent-style services to sub-respondents (nested within the primary correspondent relationship) must disclose this to the primary correspondent, obtain its approval, and demonstrate that adequate due diligence is conducted on the sub-respondents. Failure to disclose nested arrangements — effectively hiding third-party access within a two-party relationship — is viewed by correspondents and regulators as a fundamental compliance failure and grounds for immediate relationship termination.

Payable-Through Accounts

A payable-through account (PTA) is a correspondent account that allows the respondent's customers to directly access the correspondent's payment systems — for example, by writing cheques drawn on the correspondent's account or initiating transfers directly. PTAs create similar risks to nested accounts, as the correspondent is providing payment services to individuals it has not identified. US federal banking guidance specifically addresses PTA risk, requiring correspondent banks to ensure that respondents with PTA access have AML programmes adequate to cover their customer base.

SWIFT Compliance Requirements

SWIFT membership brings its own compliance obligations. SWIFT's Customer Security Programme (CSP) requires all financial institutions on the SWIFT network to meet mandatory security controls covering logical access security, software integrity, and environment security. Annual attestation against the CSP is required, and failure to attest or attestation of non-compliance can result in notification to supervisors and potential suspension from the SWIFT network.

SWIFT's Compliance Analytics tools — including SWIFT Sanctions Screening and the Know Your Customer (KYC) Registry — are increasingly used by correspondent banks to gather standardised due diligence information and screen transactions in real time. Respondent institutions that participate in the KYC Registry and keep their information current significantly reduce the friction associated with correspondent due diligence requests.

Managing the Relationship: Ongoing Monitoring

Correspondent banking due diligence is not a one-time event. Correspondents are expected to conduct periodic reviews of respondent relationships — typically annually for higher-risk respondents and every two to three years for standard-risk respondents. Trigger events that should prompt immediate out-of-cycle review include: public regulatory action against the respondent, significant changes to the respondent's ownership or management, material changes to the transaction profile, adverse media coverage, and updates to country risk assessments for the respondent's jurisdiction.

For respondent institutions, proactive communication with correspondents during significant changes is strongly advisable. Correspondents who discover material changes through third-party sources rather than from the respondent itself will view the relationship with significantly heightened suspicion — even where the changes are innocuous.

The correspondent banking relationship sits at the intersection of AML compliance, geopolitical risk, and commercial banking. For financial institutions that depend on correspondent access for their business model — which includes virtually every non-bank payment provider — maintaining strong relationships through proactive, transparent, and well-documented compliance is not just a regulatory obligation. It is a core business survival skill.
