Correspondent banking relationships are once again in the news. As regulators and correspondent banks increase their scrutiny of these relationships and, in the case of correspondent banks, demand more and more rigorous controls, respondent banks face the threat of account terminations and de-risking by their correspondent banks. Now is the time for respondent banks to re-assess the strength and transparency of their relationships with correspondent banks and re-examine the sufficiency of their own anti-financial crime controls to ensure continued access to major financial centers.
International finance and trade systems rely on the global network of correspondent banking relationships that clear transactions, regardless of where the transactions take place. While the number of clearing institutions in major finance hubs is limited, a significant number of banks rely on those clearing institutions to provide services to domestic and international customers.
Respondent banks are already aware that maintaining correspondent accounts in countries with a robust enforcement record carries certain risks as these countries may leverage their market strength to pursue domestic and foreign policy objectives. For example, US regulatory authorities and courts have asserted jurisdiction over the use of a correspondent account by non-US financial institutions for alleged violations of money laundering, sanctions, and other financial crime laws.1 Moreover, US law enforcement and regulatory authorities have used the mere existence of a US correspondent account to demand from respondent banks extensive information about their customers, for example, through the PATRIOT Act and Bank of Nova Scotia subpoenas, foreign financial agency regulations, and demand letters.
Despite these risks, respondent banks worldwide value correspondent banking relationships. Direct access to US markets facilitates banks’ operational independence, allows them to provide critical services to customers, and, in some cases, is necessary for the banks’ continued existence. This article is intended to help respondent banks understand the regulatory, supervisory, and enforcement pressures on correspondent banks and provide an overview of how to best manage correspondent banking relationships.
Managing Correspondent Banking Risks
Correspondent banks typically manage their relationships with respondent banks with two principal objectives in mind: (1) meeting specific regulatory obligations in connection with maintaining correspondent relationships; and (2) meeting general compliance and supervisory obligations to report suspicious activity, prevent money laundering, and comply with economic sanctions.
Specific Regulatory Obligations in Connection with Maintaining Correspondent Relationships
Anti-money laundering/countering the financing of terror (“AML/CFT“) practitioners have long recognized the risks posed by correspondent bank accounts. These accounts often entail both large volumes of transactions and large transaction amounts, with little insight into the nature of the underlying transactions. In the United States, Congress specifically addressed the AML risks of correspondent banking relationships in sections 311 to 313 of the USA PATRIOT Act, which require US correspondent banks to conduct specific enhanced due diligence on relationships with respondent banks or terminate those relationships.2 Despite the heightened risks posed by correspondent relationships and the expectations for enhanced due diligence, US regulators have issued guidance emphasizing that due diligence should be focused on the respondent banks and not on any respondent bank customers.3 In other words, there is no obligation to conduct “know your customer’s customer” checks. Nevertheless, the regulatory expectation that correspondent banks conduct due diligence on respondent banks will permeate the correspondent bank’s relationship with both the respondent bank and the regulator, and will continue to be a significant issue in the supervision process.
General Compliance Obligations
Although a strict reading of the specific regulatory requirements may suggest a need to focus on the respondent bank rather than its customers, such an approach may run counter to a bank’s more generalized AML/CFT and sanctions obligations (collectively, “anti-financial crimes” or “AFC“). From an AML/CFT perspective, banks are required to report suspicious activity and reasonably manage their risk of being exploited for money laundering purposes. From a sanctions perspective, US authorities expect correspondent banks to manage their risks wherever they lie. Although violations are enforced on a strict liability basis that is designed to disregard the knowledge and intent of the party in violation, the subject person’s knowledge, intent, and compliance efforts are critically important factors that US authorities take into account when considering an appropriate enforcement response.
Fulfilling those responsibilities and managing those risks is challenging without access to information about the respondent bank’s underlying customers, which is not often immediately available. In lieu of robust due diligence on a respondent bank’s customer(s), correspondent banks typically use requests for information (“RFIs“) to obtain detailed information about the state of a respondent bank’s AFC program, home country AFC regime, effectiveness of its AFC supervisor, and, on a case-by-case basis, specific information about transactions or customers that raise red flags in the correspondent bank’s transaction monitoring system.4
Correspondent bank failures to comply with its specific and general obligations regarding correspondent accounts has resulted in significant criminal and civil liability, including deferred prosecution and other settlement agreements, with fines and forfeitures in many billions of dollars. In some cases, monetary penalties have been accompanied by costly commitments to create or improve compliance programs, overseen by an external compliance consultant or monitor. Consequently, the questions raised by a correspondent bank may be as searching as those asked by the respondent bank’s home country regulator. In many cases, the correspondent bank may be more demanding in its RFIs and general diligence than the home country regulator, as it is not solely concerned with compliance with the law, but rather, with effective management of AFC risks in an environment of heightened scrutiny by correspondent bank regulators. For some correspondent banks, the enforcement risks may be too high and the compliance burdens too onerous to continue to offer correspondent accounts, resulting in decisions to close or “de-risk” respondent bank accounts.
What Can a Respondent Bank Do?
From the perspective of a respondent bank, the analogy between a correspondent bank and an AFC regulator is an important consideration, as it also applies to how a respondent bank should manage its relationship with its correspondent bank. Managing the relationship with a regulator or a correspondent bank is, in theory, relatively straightforward for a respondent bank in terms of complying with its own risk management obligations, including demonstrating a robust audit trail. In practice, however, maintaining an effective AFC program entails complexity, requires commitment of significant financial and human resources, and requires a high-level of proactive engagement from the respondent bank.
Effective Risk Management
Correspondent banks want to establish relationships with respondent banks that do not create additional enforcement risks and that minimize compliance burdens by addressing AFC risks before they are potentially passed on to a correspondent bank. The key to ensuring that senior management of a correspondent bank can get comfortable with a respondent bank’s AFC program and approve a correspondent account is for the correspondent bank to understand fully the nature of the respondent bank’s business and the extent and effectiveness of its AFC systems and controls.5
The building blocks of a best-in-class AFC program that a correspondent bank will look for in its respondent bank relationships include:6
- an appropriate risk assessment based on the respondent bank’s business and operating strategy;
- robust AFC compliance policies and procedures (including KYC processes and the reporting of suspicious activity);
- a governance structure providing for appropriate escalation to experienced, well-trained, engaged, and accountable executives and to the board of directors, if appropriate;
- a culture of compliance that ensures sufficient resources to the AFC compliance program;
- periodic firm-wide training for all personnel with first-, second-, or third-line AFC responsibilities; and
- regular, thorough, and independent reviews and internal audits of the AFC program.
In particular, a correspondent bank may want to be satisfied that, in respect of a respondent bank’s customers who have direct access to accounts with the correspondent bank, the respondent bank has performed appropriate (and at times even heightened) due diligence and is able to provide to the correspondent bank, upon request, all such information. Both the correspondent and respondent banks should understand and clearly document their respective AFC compliance responsibilities in conducting due diligence and sharing information.
The correspondent bank will also form a view about the reputation of the respondent bank and the quality of its regulatory supervision, possibly with the assistance of a corporate intelligence firm and local legal advice, and often in consultations with the correspondent bank’s own regulators.
Engagement with the Correspondent Bank
After a respondent bank has built out its program, it must effectively, and often proactively, communicate its approach to the correspondent banks in which it is seeking to establish a correspondent account. Filling out a questionnaire and responding to RFIs about a transaction are no longer sufficient, particularly if the respondent bank is located in a high-risk jurisdiction.7 Rather, the respondent bank must establish a dialogue with its correspondent bank, through extensive ad hoc consultations, site visits, and regular updates, to demonstrate that it has appropriately identified its AFC risks and is continuously taking appropriate steps to address such risks. It also is important for a respondent bank to identify proactively those transactions that may be considered high-risk by its correspondent bank and explain how and why it made a determination to process the transaction. Respondent banks need to be able to prove that they can reliably identify risks and take meaningful steps to mitigate them, even as the risk environment evolves.
This kind of transparency can be challenging. Many respondent banks may not lawfully share certain types of customer due diligence data with third parties, such as correspondent banks, due to strict data protection and bank secrecy laws. In particular, the EU imposes tight restrictions on the ability of respondent banks to transfer KYC and AML data out of the EU for the purpose of satisfying legal obligations applicable to correspondent banks.8 While some respondent banks have found success by working with their home governments or regulators to find mutually satisfactory policy responses to this challenge, others may need to turn to technology for solutions, and obtain appropriate legal advice. Advances in technology now include privacy-enabled databases and communication systems that allow respondent banks to communicate critical risk-relevant information to their correspondent banks, without exposing more customer data than is absolutely necessary. In some cases, it may also be necessary to enter into binding agreements to limit the use of such data by the correspondent bank. The ability to share customer data is critical to establishing productive relationships with correspondent banks and developing game-changing due diligence utilities.
For a respondent bank, consistent correspondent account access can mean independence, stability, and strategic success. While correspondent banks may bring another layer of increased scrutiny to these relationships, there are steps that respondent banks can take to protect themselves. At a minimum, establishing and maintaining a solid AFC program is a foundational element for a respondent bank seeking to establish a long-lasting partnership in a correspondent banking relationship.
of Anti-Money Laundering and Sanctions Policy and Enforcement (January 18,
see also Licci v. Lebanese Canadian Bank, 732 F.3d 161 161, 168 (2d Cir. 2013).
2 Pub. L. 107-56, October 26, 2001, codified at 31 USC. §§ 5318A, 5318(i), and 5318(j), respectively.
3 US Department of the Treasury and Federal Banking Agencies Joint Fact Sheet on Foreign Correspondent Banking: Approach to BSA/AML and OFAC Sanctions Supervision and Enforcement (August 30, 2016), https://www.occ.treas.gov/topics/compliance-bsa/pub-foreign-correspondent-banking-fact-sheet.pdf
4 The Wolfsberg Group of large, international financial institutions created a questionnaire correspondent banks can use with their respondent banks that is commonly used today, https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%27s_CBDDQ_220218_v1.2.pdf
5 See the regulatory requirements for due diligence of correspondent accounts from US and UK authorities, respectively at 31 CFR § 1010.60 and Section 34 of The Money Laundering, Terrorist Financing and Transfer of Funds Regulations (2017).
6 Anti-financial crimes agencies in the United States have set forth their expectations for compliance programs, with very similar criteria, in regulation and guidance. See Financial Crimes Enforcement Network: Anti-Money Laundering Programs for Financial Institutions, Final Rule, 67 FR 21110 (April 29, 2002) and Advisory to US Financial Institutions on Promoting a Culture of Compliance, FIN-2014-A007 (August 11, 2014) available at https://www.fincen.gov/sites/default/files/advisory/FIN-2014-A007.pdf; Office of Foreign Assets Control: A Framework for OFAC Compliance Commitments (May 2, 2019) available at https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf; and Department of Justice: Evaluation of Corporate Compliance Programs (April 2019) available at https://www.justice.gov/criminal-fraud/page/file/937501/download.
7 High-risk jurisdictions can include countries identified by the FATF as either having systemic or strategic deficiencies in their AML programs, major money laundering centers identified in the US Department of State’s International Narcotics Control Strategy Report, or countries subject to comprehensive economic sanctions.
8 See Article 44 of the General Data Protection Regulation (EU) 2016/679.