A correspondent banking compliance checklist is a structured set of mandatory steps that financial institutions must follow to meet AML/CFT regulations and manage risk in correspondent relationships. Regulatory bodies including FATF and AUSTRAC set the baseline expectations, covering everything from customer due diligence (CDD) to senior management approval. For compliance officers at currency exchange and international money transfer companies, these requirements are not optional guidelines. They are enforceable obligations with direct consequences for failing to document, monitor, or escalate risk appropriately.
1. What belongs on a correspondent banking compliance checklist?
A complete correspondent banking compliance checklist covers six core areas: due diligence, beneficial ownership, risk assessment, senior management approval, documentation, and ongoing monitoring. Each area maps directly to FATF Recommendation 13 and equivalent national rules. Skipping any one of them creates a gap that regulators will find.
Core checklist components:
- Customer due diligence (CDD) and enhanced due diligence (EDD): Verify the respondent bank's legal status, ownership structure, AML/CFT program quality, and regulatory history before opening any account.
- Ultimate beneficial owner (UBO) identification: A 25% ownership threshold is the standard trigger for mandatory UBO disclosure. Any individual or entity at or above that threshold must be named and verified.
- Senior management approval: Regulators require documented deliberation, not a rubber stamp, before establishing new or high-risk relationships.
- Risk assessment: Assign a formal risk rating based on geographic location, ownership complexity, product types, and the respondent's regulatory track record.
- Shell bank prohibition: Confirm the respondent is not a shell bank and does not maintain accounts for shell banks.
- Payable-through account controls: FATF standards prohibit payable-through accounts unless the correspondent has conducted full CDD on the underlying customers.
- Documentation timelines: Complete written records of all due diligence assessments within the required regulatory window.
Risk ratings are not static labels. They must be revisited whenever the respondent's business model, ownership, or regulatory standing changes.
2. How to conduct correspondent banking risk assessment
Risk assessment in correspondent banking means evaluating the respondent bank as if its AML/CFT controls were your own. Proxy verification of the respondent's controls is the standard, not a courtesy check.

Compliance teams verify respondent bank licenses, ownership structures, and AML programs, then assign risk ratings based on geographic location, ownership complexity, and product types. A bank operating in a high-risk jurisdiction with complex layered ownership warrants a higher rating and more frequent review cycles. A straightforward domestic institution with a clean regulatory record may qualify for standard CDD.
Geographic risk is one of the most objective inputs. FATF publishes updated lists of jurisdictions with strategic AML/CFT deficiencies. Any respondent bank operating in or routing transactions through those jurisdictions automatically triggers enhanced scrutiny.
Business model risk is less obvious but equally important. Respondent banks that offer high-volume cash services, cryptocurrency exchange, or cross-border remittance to high-risk corridors carry elevated exposure. Your risk rating must reflect those product-level factors, not just the bank's home country.
3. KYC procedures in correspondent banking: what the process looks like
KYC procedures in correspondent banking go well beyond collecting a license number and a signed form. Enhanced due diligence includes background checks on the respondent's senior management and investigations into past regulatory actions and suspicious activity reports.
The Wolfsberg Correspondent Banking Due Diligence Questionnaire is a baseline tool that must be supplemented by independent research and in-depth audits. Relying solely on the questionnaire leaves material blind spots. Supplement it with public-source research, third-party audit reports, and direct interviews with the respondent's compliance leadership.
Document every step. The KYC file for a correspondent relationship should contain the original due diligence assessment, all supporting evidence, the risk rating rationale, and the senior management approval record. That file must be available for regulatory inspection on short notice.
Pro Tip: Set a calendar trigger for every correspondent relationship review. Do not wait for a regulatory exam or a news event to prompt reassessment. Proactive scheduling is the difference between a clean audit and an enforcement action.
4. Documentation and approval processes that regulators actually check
Regulators do not just ask whether you completed due diligence. They ask whether you completed it on time and whether the approval process reflected genuine deliberation.
Financial institutions must complete a written record of ongoing due diligence for correspondent relationships within 10 business days. That timeline is a strict regulatory expectation, not a soft target. Missing it creates a documented compliance gap even if the underlying assessment was thorough.
Documentation requirements at a glance:
- Written due diligence assessments completed within 10 business days of the review trigger
- Senior management approval records with documented rationale, not just a signature
- Contracts specifying AML responsibilities, shell bank prohibitions, and subaccount restrictions
- Audit rights clauses allowing the correspondent to verify the respondent's controls directly
- Record retention aligned with FATF's minimum five-year standard
Contracts deserve particular attention. A well-drafted correspondent banking agreement explicitly prohibits shell bank relationships, restricts multi-tier subaccounts, and requires the respondent to disclose any nested banking arrangements. Vague contracts create enforcement risk for both parties.
| Documentation item | Regulatory standard |
|---|---|
| Periodic due diligence record | Completed within 10 business days |
| UBO identification | 25% ownership threshold |
| Senior management approval | Documented deliberation required |
| Record retention period | Minimum five years (FATF standard) |
| Contract AML clauses | Shell bank prohibition mandatory |
5. Ongoing monitoring: how to stay ahead of risk between reviews
Risk is never static. Treating due diligence as a one-time event is the most common cause of compliance failures in correspondent banking. Ongoing monitoring means actively watching for changes in the respondent's business, ownership, regulatory status, and transaction behavior.
Trigger events that require immediate reassessment include:
- A material change in the respondent's ownership or senior management
- A new regulatory action, fine, or license suspension against the respondent
- Unusual transaction volumes or patterns inconsistent with the respondent's stated business
- News reports or public records indicating financial crime exposure
- Any indication that the respondent has added new nested banking arrangements
Transaction monitoring is the operational backbone of ongoing oversight. Your monitoring system must be calibrated to flag activity that deviates from the respondent's established baseline. A sudden spike in high-value wire transfers from a previously low-volume correspondent is a signal, not background noise.
Pro Tip: Build a formal escalation path for monitoring alerts. Every flagged transaction should have a documented outcome: cleared with rationale, escalated for EDD, or reported. Undocumented alerts are as problematic as missed ones.
6. Nested banking and offshore correspondent banking risks
Nested banking is the practice of a respondent bank providing correspondent services to other financial institutions through your account without your direct knowledge. It is one of the highest-risk structures in correspondent banking and one of the hardest to detect.
Contracts with respondent banks should require explicit declarations of all nested banking arrangements. That contractual obligation does not eliminate the risk, but it creates a legal and compliance record that shifts accountability and gives you grounds to exit the relationship if disclosure is withheld.
"Due diligence must consider whether the respondent bank service involves nested clearing services or multi-tier subaccounts that introduce complexity and risk." Contracts should explicitly prohibit multi-tier subaccounts and require transparent disclosure of nested services.
Offshore correspondent banking relationships carry compounded nested risk. When the respondent operates in a jurisdiction with weaker AML oversight, the likelihood of undisclosed nested arrangements increases. Your offshore banking compliance checklist should include a specific line item requiring the respondent to certify, in writing, that no undisclosed nested arrangements exist.
Communication quality from respondent banks is a critical risk indicator. Evasive or non-responsive behavior during due diligence or monitoring is a formal risk signal requiring documented re-evaluation. A respondent that delays providing ownership information or deflects questions about nested arrangements is telling you something important.
Assess the controls of downstream financial institutions wherever possible. If the respondent's respondents are opaque, your exposure extends further than your direct relationship suggests.
7. De-risking decisions and how to document them properly
De-risking, the decision to exit or decline a correspondent relationship due to compliance risk, is itself a regulated activity. De-risking decisions must be documented meticulously as compliance obligations, not just commercial strategies.
A poorly documented de-risking decision creates two problems. First, it exposes the institution to claims of arbitrary or discriminatory termination. Second, it fails to demonstrate to regulators that the decision was grounded in a genuine risk assessment rather than convenience.
The de-risking file should contain the original risk assessment, the specific triggers that elevated concern, the escalation record, senior management sign-off, and the formal notice sent to the respondent. That file must be retained for at least five years under FATF standards. Treat every exit as a potential exhibit in a future regulatory review.
Key Takeaways
A correspondent banking compliance checklist is only effective when it combines thorough due diligence, documented approvals, and continuous monitoring into a single repeatable process.
| Point | Details |
|---|---|
| Complete CDD and EDD before onboarding | Verify licenses, ownership, AML programs, and senior management backgrounds before any account opens. |
| Apply the 25% UBO threshold consistently | Identify and document every beneficial owner at or above the 25% ownership level without exception. |
| Document within 10 business days | Periodic due diligence records must be completed within the 10-business-day regulatory window. |
| Treat nested banking as a primary risk | Require written disclosure of all nested arrangements in contracts and monitor for undisclosed changes. |
| Document de-risking decisions fully | Exit decisions require a complete compliance file, not just a commercial rationale. |
What I've learned from watching compliance teams get this wrong
The most common failure I see is not ignorance of the rules. Compliance officers at currency exchange and money transfer companies generally know what FATF Recommendation 13 requires. The failure is in execution: due diligence files that are thorough at onboarding and then never touched again, monitoring alerts that are cleared without documentation, and de-risking decisions recorded as "business decision" with no compliance rationale attached.
The second failure is underestimating communication quality as a risk signal. When a respondent bank takes three weeks to answer a straightforward ownership question, that delay is data. I have seen teams accept the eventual answer and move on without noting the delay in the file. That is a missed opportunity to document a genuine risk indicator that could matter enormously in a later review.
The third failure is treating the Wolfsberg questionnaire as a complete solution. It is a starting point. The institutions that pass regulatory scrutiny are the ones that supplement it with independent research, direct conversations with respondent compliance teams, and periodic audits of the respondent's actual controls.
The checklist is not the compliance program. The checklist is the minimum. Building a program that treats every correspondent relationship as a living risk, not a closed file, is what separates institutions that manage correspondent banking well from those that manage it reactively.
— Bartas
Currexchanger and correspondent banking compliance management
Currency exchange operators managing multiple branches face a specific challenge: maintaining consistent compliance documentation across every location without creating redundant manual work.

Currexchanger is built for exactly that environment. The platform integrates AML/KYC compliance workflows, document verification, and real-time transaction monitoring into a single system that scales from a single office to a full branch network. Audit trails are automatic. Risk assessment records are centralized. When a regulator asks for a due diligence file, it is already organized and retrievable. Compliance officers can manage currency exchange compliance without rebuilding their documentation process from scratch for every new correspondent relationship.
FAQ
What is correspondent banking compliance?
Correspondent banking compliance is the set of AML/CFT obligations a financial institution must meet when providing banking services to another institution, covering due diligence, risk assessment, monitoring, and documentation under standards like FATF Recommendation 13.
What is the UBO threshold in correspondent banking KYC?
The standard threshold for identifying ultimate beneficial owners in correspondent banking KYC is 25% ownership or control. Any individual or entity at or above that level must be named, verified, and documented.
How often should correspondent banking relationships be reviewed?
Correspondent relationships require periodic due diligence reviews on a schedule tied to their risk rating, plus immediate reassessment whenever a material change occurs in the respondent's ownership, regulatory status, or transaction behavior.
What is nested banking and why does it matter?
Nested banking occurs when a respondent bank provides correspondent services to third-party institutions through your account without direct disclosure. It creates hidden exposure to financial crime risk that standard due diligence may not detect without explicit contractual disclosure requirements.
How long must correspondent banking records be retained?
FATF standards require a minimum five-year retention period for all correspondent banking due diligence records, approval documentation, and monitoring files.
