Most people don't know about the part of the financial system called correspondent banking, but most money launderers do. It is the plumbing through which a payment made in Lagos is transmitted to a beneficiary in Frankfurt, routed through a chain of banks none of which has a direct relationship on both ends. That same plumbing, opaque, multi party, built for speed, is the reason why correspondent banking has been at the heart of almost every landmark money laundering scandal over the past two decades.
The gaps between institutions become the laundering channel when billions flow through accounts that no single institution fully understands.
This is also the AML surface that is hardest to monitor well. What the correspondent bank sees are wires, not customers. These banks take on a risk that it did not make and can often not see. In 2026, the fundamental message standard itself simply changed: The decades old SWIFT MT formats that carried cross border wires have been retired in favor of ISO 20022, reshaping both the data available for monitoring and the blind spots that remain. For a detailed explanation of how Sanction Scanner combines both, check here.
This guide covers monitoring correspondent wire flows in that environment. The following sections are:
- What Is Correspondent Banking?
- Correspondent Banking: The Most Risky AML Surface
- The Anatomy of SWIFT MT103 and its Successor ISO 20022
- Nested Correspondent Risk
- Payable Through Accounts (PTA)
- Wolfsberg Group Guidelines
- KYCC: Know Your Customer’s Customers
- Specific Detection Patterns for Correspondent Flow
- The Problem of De Risking
![]()
What Is Correspondent Banking?
Correspondent banking is the setup that enables a bank to provide services in a currency or country where it has no physical presence. Bank A (the respondent) maintains an account with Bank B (the correspondent). Bank B can use that account to provide its own customers with international payments, foreign currency clearing, trade finance and cash management, which it could not provide itself because it does not have direct access to the relevant payment system or jurisdiction.
The structure becomes clear in a concrete example. Consider a midsized bank in a smaller market that does not have a U.S. branch and no direct access to U.S. dollar clearing, but wants to offer its customers the opportunity to send U.S. dollar payments. It opens a correspondent account at a large global bank that does. When the customer of this smaller bank sends a payment in dollars, the instruction goes through the account of the correspondent, who then moves the dollars into the U.S. clearing system, and the payment reaches its destination. The respondent's customer is unaware of the correspondent's existence.
This is what global trade is all about. Because without it, cross border payments would mean that every bank would have to have accounts in every currency in every jurisdiction, which is impossible. That’s where correspondent banking comes in. It allows a relatively small number of big global banks to act as gateways, and allows thousands of smaller banks to access the world through them. It is, quite literally, the infrastructure of international finance. It is the infrastructure of international money laundering for the same reasons.
Correspondent Banking: The Most Risky AML Surface
The danger is not incidental, but rather structural. The correspondent serves the respondent’s customers without knowing them, which is what makes correspondent banking useful.
If Bank A processes a wire for a customer of Bank B, Bank A has not done any direct due diligence on that customer. It has done its own due diligence on Bank B, the respondent institution. It relies on Bank B to have done its own due diligence on the underlying customer. The correspondent’s knowledge of who actually moves the money is second hand, often tenuous, and mediated. To Bank B the customer is real, to Bank A the customer is essentially invisible.
Add more banks to the chain and responsibility dilutes even further. A payment could pass through an originating bank, the originator’s correspondent, an intermediary, the beneficiary’s correspondent, and the beneficiary bank five institutions, each seeing only its slice, none with the full picture. Each can reasonably expect that another link did the legwork. That diffusion of responsibility is exactly the environment in which illicit flows thrive: Everyone is somehow responsible, so no one is fully accountable.
The enforcement record gives the abstraction flesh. At the heart of the biggest money laundering scandals of the modern era, those that include Danske Bank, Deutsche Bank, BNP Paribas and HSBC, were correspondent banking failures. In each case large flows of high risk transactions went through correspondent relationships that were either poorly understood, poorly monitored or willfully blind. The common thread was not one missing control but a structural inability to see what was really flowing through the pipes.
The regulatory response has been to consider correspondent banking as inherently higher risk by default, and thus requiring enhanced due diligence on respondent relationships and ongoing monitoring of the flows through them, and, critically, an expectation that the correspondent understands the respondent’s customer base at least in aggregate. Most of the operational difficulty lies in that last expectation, and we return to it under KYCC below.
The Anatomy of SWIFT MT103 and its Successor ISO 20022
For decades, the SWIFT MT103 was the standard cross border wire instruction. You still have to understand its anatomy, because the whole discipline of monitoring grew up around its fields, and the data concepts it encoded map directly into its replacement.
Most of the anti-money laundering (AML) work was done in three fields. Field 50 was the originator, the person sending the money. Field 59 was the beneficiary, the person who received it. Field 70 was used for remittance information, suc as the free text “what is this payment for” field. A monitoring system was built on top of an MT103 to provide answers to the three most important questions: Who is paying, who is being paid and why.
The official end to the coexistence period of MT and ISO 20022 was the replacement of the MT message families, traditionally used for cross border payments (including the MT103), with their ISO 20022 equivalents. Pacs.008 replaced the MT103 for customer credit transfers and pacs.009 replaced the MT202 family for financial institution transfers. Payment messages such as MT103 and MT202 for in-scope cross border activity have been formally retired in favour of their ISO 20022 equivalents.
This shift has large and underappreciated AML consequences. ISO 20022 is more data rich and structured: Rather than the old free text blobs, it uses discrete separately tagged fields for originator name, structured address, beneficiary details, purpose codes etc. Structured data is data that can be filtered. A structured originator address can be matched against sanctions and high risk geography logic more reliably than a free text line. A structured purpose code supports automated analysis that a free text remittance field was insufficient. The migration was specifically designed, in part, to prevent payment party data from being lost or truncated as a payment moves down the chain precisely the failure mode that undermined sanctions screening in the MT era.
The transition doesn’t go smoothly. After the deadline, residual MT instructions are converted into the new format with a contingency translation service and not all MT message types were retired; some nonpayment families are still being used. So institutions are operating in a hybrid environment where both formats still need to be recognised. But the way is clear. Below is a table that maps legacy concepts practitioners still use to their present day homes and monitoring use.
|
Legacy MT103 element |
ISO 20022 (pacs.008) equivalent |
Monitoring use |
|
Field 50 — Originator |
Structured debtor name + structured postal address |
Sanctions/PEP screening; originator risk; geography logic |
|
Field 59 — Beneficiary |
Structured creditor name + structured address |
Beneficiary screening; counterparty risk; mule indicators |
|
Field 70 — Remittance info |
Structured remittance + purpose codes |
Purpose analysis; trade based laundering signals |
|
Field 52/57 — Institutions |
Structured agent fields (debtor/creditor agents) |
Chain reconstruction; nested relationship detection |
The practical takeaway is that the institutions that retuned their monitoring and screening logic to exploit the richer structured data got a real detection advantage. Those which just translated the new messages back into old format approximations kept the old blind spots within a new standard.
Nested Correspondent Risk
Nesting is where correspondent risk compounds into something really hard to see.
The correspondent has two banks, the basic one. Nesting creates layers behind the respondent. Bank B is a correspondent client of Bank A. But Bank B in turn provides correspondent services to Bank C, using the very account it has at Bank A. And Bank C might serve Bank D. The result is customers of Bank C and Bank D are doing business through Bank A's correspondent account, and Bank A may have no idea those banks or their customers exist. Bank A contracted with Bank B, and inherited the whole tree behind Bank B without seeing it.
Nested relationships are sometimes called “downstream correspondents”. They are a recurring feature of large laundering cases precisely because they obscure the true provenance of flows behind a chain of intermediary banks. From the monitoring chair of Bank A a payment looks like it is coming from its respondent, Bank B, in a known jurisdiction, when it really started with an unknown customer of an unknown bank several layers down, maybe in a jurisdiction Bank A would never knowingly serve.
The defensive expectation is that correspondents identify and assess nesting: Understand if a respondent provides downstream correspondent services, who to and in what jurisdictions, and incorporate that into the risk rating of the relationship and the intensity of monitoring. The structured agent fields in ISO 20022 are helpful, as it is easier to reconstruct the chain of institutions involved in a payment when the institutional parties are tagged separately rather than hidden in free text.
The blunt response to nesting risk has traditionally been to exit. To refuse to serve respondents who nest; or to fire those who are found to do so. That answer feeds straight into the de-risking problem discussed at the end of this article, where the cure has created a disease of its own.
Payable Through Accounts (PTA)
The nested risk of payable through accounts is that they remove the filter of the intermediary bank. A PTA is a correspondent account that the respondent bank customers can use directly, writing instruments, making payments and transacting through the correspondent's account, as if it was their own.
That makes a great difference. In a standard correspondent relationship, the respondent bank is between its customers and the correspondent: Each customer payment is processed, at least nominally, by the respondent first. That intermediary step is eliminated or thinned out with a payable through arrangement. The respondent’s customers deal with the correspondent’s account more or less directly, sometimes through sub accounts linked with the master PTA. The correspondent now faces people it has never on-boarded, trading through its own books.
This means that PTAs are subject to increased scrutiny in virtually every regulatory regime that addresses PTAs. The expectation is that the correspondent does enhanced due diligence not only on the respondent but on a meaningful understanding of PTA sub account holders, closer to direct customer due diligence than the aggregate understanding tolerated elsewhere in correspondent banking. Where that understanding cannot be attained by the correspondent, the regulatory direction is to decline the arrangement.
PTAs also cut across the sanctions architecture. U.S. sanctions authorities have restrictions that function specifically at the level of correspondent and payable through accounts. These sanctions authorities prohibit or condition the maintenance of correspondent or payable through accounts for designated foreign banks. A respondent can have severe restrictions on its correspondent accounts without being a fully blocked party because these restrictions are on the OFAC Non-SDN lists, not the SDN list itself.
If screening against the SDN list only, they are missed entirely. We detail this list architecture in our article on OFAC Non-SDN lists.
Wolfsberg Group Guidelines
If there is a rulebook for the correspondent banking industry, it is the work of the Wolfsberg Group, an association of global banks that has published the de facto standards for managing financial crime risk in this space since the year 2000.
The Wolfsberg principles for correspondent banking define what constitutes good practice: A risk based approach to respondent relationships, enhanced due diligence proportionate to the assessed risk, prohibition of relationships with shell banks, ongoing monitoring of flows through correspondent accounts, and periodic review of each relationship at a frequency driven by its risk rating. The Group’s Correspondent Banking
Due Diligence Questionnaire (CBDDQ) has become the standard mechanism for correspondents to collect structured information about respondents, a common format that enables a global bank to assess hundreds of respondent relationships against consistent criteria.
The crux of the framework is that correspondent risk can't be managed at onboarding. Low risk respondent relationships can drift, for example, when the respondent enters new markets, adds downstream correspondents or changes its customer mix. Only continuous monitoring and planned periodic review can pick up that drift. The cadence is driven by the risk rating. Higher risk respondents are reviewed more often and monitored more closely; lower risk respondents are not as much. This is the same risk based logic that drives threshold calibration in other parts of an AML program.
KYCC: Know Your Customer’s Customers
One of the thorniest expectations in correspondent banking carries an awkward acronym: KYCC, or Know Your Customer’s Customer. A respondent must understand not only its respondent but the respondent’s customer base, at least in the aggregate.
KYCC doesn’t necessarily mean that the correspondent must onboard every customer of every respondent one by one; that would be impossible and is not what regulators expect. This means that the correspondent must understand the type of customers the respondent serves, the markets in which it operates, the products it offers and the risk profile of its book in aggregate; enough to judge whether the flows passing through the correspondent account are consistent with the respondent's stated business. KYCC is intended to uncover a contradiction, as presented by a respondent that describes itself as a retail bank serving a domestic market, but whose flows through the correspondent account are dominated by large cross border payments to high risk jurisdictions.
The practical mechanism is partly documentary and partly experimental. The documentary part is the Correspondent Banking Due Diligence Questionnaire (CBDDQ) and the attachments where the respondent discusses its business and its customer base. The correspondent tests that represent against actual flows, sometimes by sample testing of underlying transactions, looking at whether the originators and beneficiaries behind the respondent’s wires match the customer profile the respondent described, are empirical. Risk indicators that should trigger further investigation include flows that are inconsistent with the respondent’s reported geography, transaction volumes that are inconsistent with the apparent size of the respondent, concentrations in high risk corridors, and nested patterns that the respondent did not report.
The one expectation that most clearly separates a genuinely risk-managing correspondent bank from one that’s simply processing wires and hoping is KYCC. It is also expected to make the richer ISO 20022 data more accessible. Aggregate analysis of a respondent’s flows is much more robust where originator and beneficiary data are received in a structured format rather than as free text.
Specific Detection Patterns for Correspondent Flow
Correspondent flow monitoring requires patterns specific to the risk of the channel, patterns based on the relationship between the flows and the respondent, not the behavior of a particular customer.
Volume anomalies versus stated business. The basic correspondent pattern compares the actual volume and value going through a respondent's account to what the respondent's stated business would suggest. The single strongest correspondent red flag is a respondent with throughput an order of magnitude larger than its size, market and customer base, it points to either undisclosed nesting, customer base that does not match the representation, or both.
Geographic patterns not consistent with footprint. Flows that go to jurisdictions the respondent has no stated reason to serve. One region has a respondent with a correspondent account with ongoing activity to and from unrelated high risk jurisdictions, with the geographic signature of either downstream correspondents or pass through laundering.
Sanctions screening is overlapping. Correspondent flows should be screened in real-time against sanctions lists and, as noted above, against the restrictions on the OFAC Non-SDN lists that are applicable to the correspondent account, not just the SDN list. The richer structured party data of ISO 20022 directly improves reliability of this screening, by reducing truncated and malformed names that defeated MT era matching.
Repeated contacts with high risk jurisdictions. Even if no one payment is suspicious in isolation, routing or referencing higher risk jurisdictions in a series of payments can create a pattern of corridor exposure that per payment screening can’t catch. This is where monitoring at the aggregate relationship level comes into its own as opposed to a transaction by transaction review.
Nesting and chain reconstruction. Rebuild the full bank chain for a payment using the structured institution fields and flag if that bank chain has intermediaries or downstream correspondents not in the known relationship. Only chain reconstruction has a nesting indicator, a payment nominally from a known respondent but whose institutional chain suggests an undisclosed downstream bank.
And the common thread is that correspondent monitoring is relationship centric not transaction centric. Rarely is the question "is this single wire suspicious?" Rather it is "are the flows through this respondent's account, in the aggregate and over time, consistent with what we understand this respondent to be?"
The Problem of De-Risking
The defensive logic of everything above leads, carried to its conclusion, somewhere troubling. If correspondent relationships carry inherited, hard to spot risk, and if regulators punish correspondents for laundering that flows through them, then the safest course for a global bank is to exit the riskiest relationships altogether. And that is what has happened.
De-risking is the wholesale abandonment of correspondent relationships that are deemed high risk, often entire categories of respondent, or correspondents in entire regions, abandoned not because a specific relationship was found to be bad but because the category was deemed not worth the compliance burden and regulatory exposure. Over the past decade, large banks have dropped thousands of correspondent relationships, with the pullback concentrated in smaller and developing economies, in regions already on the financial margins.
The effects have shaken the very bodies that initiated the underlying scrutiny. The Financial Action Task Force (FATF) and the Financial Stability Board have repeatedly warned that de-risking is not a step forward for financial integrity but a threat to it. “Financial exclusion is what happens when legitimate banks in a region lose access to correspondent services. Remittance corridors that families rely on shut down, legitimate businesses are denied trade finance, and entire economies are pushed towards less transparent channels. Flows don’t stop. They go underground, into informal value transfer and unmonitored rails, where they are harder to trace than ever within the regulated correspondent system. The FATF has made it clear that it believes financial institutions should be managing correspondent risk on a case by case, risk based approach, not through blanket termination of categories of customer or region, which the FATF has described as a misapplication of the risk based approach.
There is a real tension and it is unresolved. The correspondent monitoring poorly reinforces enforcement; the correspondent de-risking automatically contributes to exclusion that regulators also penalize. The path for the standard setters is somewhere between the two: Invest in the monitoring capability of structured data screening, relationship level analytics, KYCC, chain reconstruction that allows you to keep serving higher risk corridors safely, rather than walking away from them. That is a more expensive answer to exit. It is also the only one that does not solve a bank's risk problem at the expense of the system's.
