Correspondent Banking Due Diligence: A Risk Framework

For financial institutions seeking to establish or maintain correspondent banking relationships, the due diligence process has grown substantially in scope and depth over the past decade. What was once a relatively brief identity check and licence verification has evolved into a comprehensive risk assessment process that can take weeks, require hundreds of pages of documentation, and involve multiple layers of senior management review. Understanding what correspondent banks actually look for — and how to present your institution compellingly — is a critical operational skill for any payment institution or smaller bank that depends on correspondent access.

The Wolfsberg CBDDQ: The Industry Standard

The Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire (CBDDQ) is the de facto global standard for correspondent banking information requests. Developed collaboratively by major global banks and published in its most recent form in 2022, the CBDDQ provides a structured framework for the information correspondent banks require from respondent institutions. Most major correspondent banks use the CBDDQ as the basis for their due diligence, either directly or as a template for their proprietary questionnaires.

The CBDDQ is organised into six modules: Entity and Ownership Structure; Regulatory and Licensing Status; AML/CTF Programme; Sanctions Programme; Correspondent Banking Controls; and Payments and Transaction Monitoring. Each module contains a combination of yes/no questions and open-ended narrative responses. The quality of narrative responses — not just the yes/no answers — is often what differentiates successful from unsuccessful respondent applications.

Key Risk Dimensions That Correspondents Assess

Ownership and Control Structure

Correspondent banks will assess the respondent's ownership structure at multiple levels. Ultimate beneficial ownership must be clearly identified and documented. The presence of PEPs, sanctioned persons, or individuals with adverse media in the ownership chain is a significant negative factor. Opaque or complex structures — particularly those involving nominee shareholders, bearer shares, or multiple layers of offshore holding companies — attract heightened scrutiny. Correspondents are looking for: transparency, stability, and evidence that the ownership structure is driven by legitimate commercial rationale rather than anonymity.

Regulatory Standing

Current licensing and regulatory history are fundamental to the risk assessment. Correspondents will verify: the current status of all regulatory licences and registrations; the identity and supervisory powers of the primary regulator; the history of regulatory examinations and their outcomes; any public enforcement actions or regulatory sanctions in the past five years; and whether there are ongoing investigations or proceedings. A clean regulatory history is a significant positive factor; recent enforcement action is a major concern that requires detailed explanation and evidence of remediation.

AML Programme Quality

The quality of the respondent's AML programme is typically the most scrutinised dimension of the CBDDQ. Correspondent banks are not simply checking that an AML programme exists — they are assessing whether it is genuinely effective. The assessment typically covers:

• Whether the AML programme has received independent audit or third-party assessment, and the outcomes
• The qualifications and experience of the MLRO/BSA Officer and their direct access to the board
• The transaction monitoring system and the methodology for scenario selection and threshold setting
• SAR filing statistics (volumes and rates) as an indicator of programme sensitivity
• KYC/CDD standards for the respondent's own customers, particularly in higher-risk segments
• Training programme scope, frequency, and completion rates

Respondents who can provide third-party audit reports, documented transaction monitoring methodology, and evidence-based SAR programme statistics will be viewed significantly more favourably than those whose responses are purely narrative.

Sanctions Programme

The sanctions compliance section of the CBDDQ assesses: which sanctions lists the respondent screens against (at minimum, UN, OFAC, and the respondent's national list); the screening system used and its update frequency; the false positive management process; whether the 50% ownership rule for OFAC purposes is applied; and the history of any voluntary self-disclosures to sanctions authorities. For respondents with significant cross-border transaction volumes, demonstrating real-time screening capabilities and a documented false positive review process is increasingly expected.

Ongoing Monitoring: Beyond Onboarding

Correspondent banking due diligence is not a one-time event. Correspondents maintain ongoing monitoring obligations that require periodic re-assessment of respondent relationships, typically on a risk-tiered annual or biennial schedule. High-risk respondents (those in higher-risk jurisdictions, those with complex ownership, those with adverse regulatory history) are reviewed more frequently than standard-risk relationships.

Trigger-based monitoring supplements scheduled review. Triggers that prompt an immediate relationship review include: public enforcement action against the respondent; adverse media concerning the respondent's ownership, management, or compliance programme; material changes to the respondent's business (new products, new geographies, changes in ownership); and FATF grey-listing of the respondent's home jurisdiction. Respondents who proactively notify their correspondents of material changes — rather than waiting for the correspondent to discover them independently — are viewed more favourably and reduce the risk of an abrupt review without prior engagement.

Transaction Monitoring for Correspondent Relationships

Correspondent banks must maintain transaction-level monitoring for the activity flowing through respondent accounts. This monitoring is calibrated using the transaction profile information provided in the CBDDQ — the expected volumes, values, and counterparty geographies. Where actual transaction patterns deviate materially from the disclosed profile, the correspondent will investigate and may request updated information or enhanced documentation.

Respondents should proactively update their transaction profile disclosures when business volumes or counterparty demographics change materially. Operating a correspondent account that consistently processes significantly different activity than was disclosed creates a trust deficit that can ultimately lead to relationship termination even where there is no underlying compliance issue.

Termination Decisions: Process and Consequences

When a correspondent bank decides to exit a respondent relationship, the notification requirements depend on the jurisdiction. In the UK, the Payment Services Regulations 2017 and FCA guidance require reasonable notice (minimum two months for payment accounts in most circumstances). The correspondent should provide a reason for termination where possible without revealing confidential information (including any ongoing SAR or law enforcement referral).

For respondent institutions, proactive engagement at the first sign of a relationship review is strongly preferable to waiting for a termination notice. Requesting a relationship meeting, providing updated due diligence documentation proactively, and demonstrating responsiveness to compliance queries can make the difference between relationship continuation and termination in marginal cases.