Correspondent Banking has been defined by the FATF (Financial Action Task Force) as “…the provision of banking services by one bank (the “correspondent bank”) to another bank (the “respondent bank”)”. Larger international banks usually act as correspondents for smaller banks around the globe. The provision of correspondent banking services acts as a gateway to the global financial system for respondent banks and their customers, and with that come risks.
Despite the global nature of correspondent banking, it has seen a decline in recent times, due to a number of drivers including business strategy and risk-related considerations by financial institutions, all against the backdrop of stringent enforcement of AML (Anti-Money Laundering)/CFT (Counter Terrorist Financing) regulations in recent years. Despite the decline, the risks to the financial system remain ever-present, even with standards in place aimed at managing correspondent banking risks.
The risks associated with correspondent banking have been widely known for some time, with old and new guidance readily available. The FATF, the Wolfsberg Group and the BIS (Bank for International Settlements) have all issued guidance to assist in managing correspondent banking risks. Due to the nature of the risks, the effective management of them appears to remain an enigma.
The main risks related to correspondent banking centre around the fact that the correspondent bank typically doesn’t have a direct relationship with the underlying customers of the respondent bank. Whilst SWIFT’s (Society for Worldwide Interbank Financial Telecommunication) message information is available to the correspondent bank, it may be limited in context to the actual nature or purpose to the underlying transactions of the respondent bank’s customers.
Many AML compliance professionals may be familiar with risk assessments of correspondent banking relationships. Whilst not an exhaustive list, some of the widely known considerations that are made as part of risk assessments include:
- Ownership of the respondent bank and its management, including any PEP (politically Exposed Person) involvement
- Jurisdiction risk connected to the respondent bank, it’s UBOs (Ultimate Beneficial Owners), management and customers
- Regulatory/supervisory regimes under which the respondent bank operates
- The business and customer base of the respondent bank
- Whether the respondent bank offers ‘Downstream Correspondent Banking’ – i.e. where the respondent bank receiving the correspondent banking services itself provides correspondent banking services to other financial institutions
- The track record of the respondent bank and it’s UBOs, both from a regulatory and legal perspective – i.e. any negative news or fines the respondent or persons connected to it may have been subject to
- AML/CFT controls of the respondent bank
- Additional findings from client visits to the respondent bank, as well as sign off of relationships from senior management
The Wolfsberg Group have also produced an update to their correspondent banking questionnaire, the new CBDDQ (Correspondent Banking Due Diligence Questionnaire), along with supporting guidance to aid financial institutions in managing the risks. The completion of the questionnaire should serve as a starting point in assessment of risks and not a fait accompli that a respondent bank that will complete one presents an acceptable risk to the correspondent bank.
Even with the significant guidance and standards available upon which to assess correspondent banking risks, there remain challenges in how effective the assessment can be. For example, a correspondent bank may present its AML/CFT policies and procedures but it is difficult to assess if they are all fully effective. Equally, the size of a respondent bank’s compliance team may appear to be sufficient in relation to the size of its operations, but it would be difficult to assess the level of expertise of the whole team in managing risks effectively. Whilst all may appear good “on paper”, the effectiveness of the AML/CFT controls may be more difficult to assess. Even areas such as transaction monitoring may appear, on face value, to be sufficient but often no assessment is made on how often threshold-based rule sets have been updated or what analysis has been conducted by the respondent bank on their effectiveness. If AI (Artificial Intelligence) is used by the respondent bank for its transaction monitoring, the correspondent bank may also struggle to determine the effectiveness.
Acting on risk
For the guidance and standards on managing correspondent banking risk to be effective, it must be followed through with practical management of the risks. The recent Consent Order issued to Deutsche Bank by the NYDFS (New York Department of Financial Services) in relation to its management of correspondent banking risks connected to FBME (Federal Bank of the Middle East Ltd) and Danske (Danske Bank A/S), highlights the importance of taking action in the presence of risks.
Although the Dankse case has been widely covered in media, elements of the FBME case are less known. It was noted in Consent Order was that, due to Cypriot laws that placed restrictions on domestic financial institutions that primarily provided offshore banking services, FBME was incorporated in the Cayman Islands in 1986. Then, following the 2001, September 11 terrorist attacks on the United States and the introduction of the USA PATRIOT Act, the Cayman Islands put in place legislation requiring all banks registered in the country to establish a physical local presence. In response to this, rather than complying with the new legislation, FBME began the process of relocating to Tanzania, which it completed in 2003.
The USA PATRIOT Act saw an end to services offered to ‘shell banks’ (banks that have no physical presence in the country in which they are incorporated and licensed) and correspondent banks often ask respondent banks, as part of their due diligence questions, if they prohibit services/relationships with shell banks. Consideration should have been given by Deutsche Bank to FBME’s motivations and rationale for originally locating in Cayman Islands due to restrictions placed in Cyprus, and then moving onto Tanzania when restrictions tightened in Cayman Islands also.
The Consent Order goes on to state that despite the high number of suspicious transactions in relation to FBME, Deutsche Bank facilitated 478,379 dollar-denominated transactions totalling more than $618 billion over the course of the relationship, which ranged from 1999 to 2014. As well as the suspicious transactions noted by Deutsche Bank, they were sometimes not provided beneficial owner information on request for FBME’s clients, with the respondent citing local laws – both issues should have been acted upon when considering risks and whether to maintain the relationship.
When assessing correspondent banking relationships, it is not enough to simply ensure all KYC (Know Your Customer) information is on file. With the limitations noted above, where guidance and standards may not be enough, an assessment should be made by, not only accepting but, interpreting the information presented by the respondent bank also. This may sound obvious, yet on countless occasions I have seen first-hand a lack of actually taking into account what has been presented.
In one example, a bank for numerous years had passed risk assessments with nobody questioning the relationship of an entity and its UBOs in the ownership structure, in relation to the respondent bank. The entity in question was registered in a tax haven and its UBOs, although individually holding less than 10% ownership in the respondent bank, collectively held an over 10% stake. This had been overlooked in previous reviews as on the face of it all the “boxes had been ticked” but further inspection and query revealed that the UBOs were proxies, had no real ownership of the respondent bank and had been placed in the ownership structure purely to lower actual holdings of the true significant owners.
In another example, a European bank should have had automated transaction monitoring in place for its size and scale, but was using a manual method. For the size of its customer base and the volume of activity that would have been passing through it, it would have been impossible to review that level of transactions effectively. In this case, the issue had not been called into question as part of previous risk assessments, despite the relationship manager raising it previously as a point of concern in relation to the relationship.
As a final example, when upgrading the risk assessment standards within a particular bank, it had been totally overlooked that correspondent banking relationships require additional considerations, compared to, for example, a typical corporate entity. Whilst the KYC information would have been on file to the correct standard, actual assessment of risks would have been totally missed. Although I spotted this quite easily with a fix put in place accordingly, how it had been overlooked by the multitude of individuals that would have been involved in the work undertaken to improve the banks controls revealed the under-appreciation of the importance of the risks.
Correspondent banking risk management is not a new challenge or requirement; correspondent banks should have a sound understanding of who they are dealing with. They may not have access to the details of every customer of the respondent bank, but they should take steps to best understand the relationship they are entering or continuing. It could be the difference between facilitating global finance and facilitating financial crime.