Thursday, January 26, 2017

Money laundering & Financing of terrorism - What correspondent banks and website hosting companies have in common.

“Banking is special.” / “Banking is complex.”

I hear those statements all the time. And I always wonder whether this is really true. Indeed, those statements seem sometimes rather self-directed in that they enhance one’s own importance. The underlying message is more “I am special and complex.” than the primary reference to banks.

When the Basel Committee on Banking Supervision recently published a document revising an annex on correspondent banking to the guidelines of sound management of risks related to money laundering and financing of terrorism, I was reminded of the above.

Imagine you are a website hosting company. You are basically providing people access to the Internet by storing their content and making it accessible through a website. You are providing a service to your customers without knowing in detail how and for what purpose they will use it.

Correspondent banking is the same: You (the correspondent bank) provide banking services to another bank (the respondent bank) without exactly knowing what the respondent bank is doing with them. In the end, if you knew that precisely, you would perhaps carry out the activities yourself!

Back to our website hosting company: When accepting clients, there are two extreme approaches which you probably cannot run:

  • “I don’t care who publishes what through my platform as long as I am paid.”
  • “I need to know exactly who provides which content to whom and for what purpose.”

The first approach is, at least, unethical, and might as well end up being illegal, for example if you host a platform for the sale of stolen cars. The second would be neither profitable nor feasible in practice. So you will end up in the middle, doing some checks but not monitoring everything.

Because banking is “special”, we call this middle a “risk-based approach”, a “holistic view of risk factors and mitigants” and the like.

I render a service to you and get paid for it.

Now you will rightfully reply to me that it is not enough to know the extremes in order to find the middle.

Let’s go back to the start then and think it over again:

  • I: You are a website hosting company. You should definitely know who you are.
  • render a service: You know what service you are providing; otherwise it would be difficult to sell it. What you don’t know exactly is what your buyer will do with it.
  • to you: You should know who your client is. (Be careful, we are getting closer to banking jargon here!) By contrast, it is not necessary (and probably only feasible to a certain extent) to know who is visiting your client’s website.
  • and get paid for it: Again, you would be a bad seller if you did not know how much money you get in return. Money can obviously take different forms and channels (currency, payment mechanics, maturities, etc.) but let’s leave that aside for now.

If you think about these four elements, you will most likely come very close to the middle.

In the jargon of banking regulators, the formula “I render a service to you and get paid for it.” is called differently:

They rather talk about the following:

  • I: Sorry, the BIS paper doesn’t actually help you to figure out who you are.
  • render a service: “inherent risks resulting from the nature and purpose of services provided”
  • to you: The customer due diligence is about the characteristics of the respondent bank (major business activities, target markets, types of customers served, management and ownership, AML policies in place, level of civil, administrative, or criminal actions) and the environment in which it operates (namely quality and effectiveness of banking regulation and supervision). Regarding the respondent bank’s customer, knowing them is referred to as “KYCC – Know your customer’s customer” and is actually not required.
  • and get paid for it: No comment here from the BIS. This is actually commercial, not regulatory.

Tomorrow is different than today.

Correspondent banking or website hosting is not like selling bananas. If you buy bananas, you can eat them only within the next few days and there is only a limited number of recipes for which you can use your bananas (At least, I think so…). Website hosting is different: Your customer uses it every day and modifies the published content all the time.

This is why, to know the middle, it’s actually not enough to determine your middle once. You have to do it all the time or, at least, in regular intervals.

Bank regulators find other words:

“The correspondent bank should have policies in place to ensure ongoing monitoring of the correspondent banking relationship. Above all, inconsistent financial activity and activities contrary to commitments taken by the respondent bank, should be possible to detect.”

Beyond all criticism, the BIS paper is useful, I think. Setting standards for compliance checks is perhaps difficult but, if actually applied, can make your day-to-day life in banking much easier.


Basel Committee on Banking Supervision – Revised Annex on Correspondent Banking – November 2016

Monday, January 23, 2017

De-risking correspondent banking – The FATF demystifies KYC obligations.

The Financial Action Task Force (FATF) has recently published guidance on correspondent banking services. As a reminder, the FATF is an inter-governmental organization developing global anti-money laundering and counter-terrorist financing standards.

At the heart of the guidance are FATF’s worries about “de-risking”. This is a practice that consists of banks avoiding risk instead of managing it. Specifically in the context of correspondent banking, it refers to banks fully terminating business relationships with a specific country or class of customer.

Can anyone wonder why banks do so, given the industry’s obsession with compliance and U.S. fines counting in billions of dollars?

Beyond that, why does de-risking actually matter? According to the FATF, it matters because de-risking means fewer cross-border movements of funds, more difficult access to financial services across countries and, ultimately, less international trade.

What is correspondent banking?

Correspondent banking is the ongoing provision of banking services by one bank (the “correspondent bank”) to another bank (the “respondent bank”).

In other words, the correspondent bank provides banking services to the respondent bank (and its clients). The focus of a correspondent banking relationship is on the continuing character, as opposed to simple one-off transactions.

Initial compliance obligations of the correspondent bank

The FATF guidance specifies the compliance obligations of the correspondent bank with regard to the respondent bank.

Generally speaking,

  • a simplified due diligence is never appropriate in cross-border correspondent banking because such relationship is, by definition, inherently higher risk;
  • the due diligence should be adapted to the degree of risk involved in different types of banking activities.

This seems actually not a good start to counter “de-risking”.

The main general factors that the correspondent bank should consider are the following:

  • Money laundering and anti-terrorism financing risk mitigation measures implemented by the respondent bank;
  • Respondent institution’s jurisdiction;
  • Respondent bank’s products and services;
  • Respondent bank’s customer base.

There is no conclusive list of relevant risk factors and their mitigation. Given the range of relationships and products at hand, this seems obvious. Interesting is, however, why the FATF writes this: “Any effort to define what constitutes a higher risk relationship could have the unintended consequence of encouraging rather than discouraging de-risking by promoting a more rules-based and tick-the-box approach to risk management.”

Beyond general risk factors, the correspondent bank should

  • identify and verify the identity of the respondent institution and its beneficial owner;
  • understand the purpose and intended nature of the correspondent banking relationship;
  • understand what types of customers the respondent institution intends to service through the correspondent banking relationship;
  • evaluate the reputation of the respondent institution and the quality of its supervision;
  • evaluate the respondent bank’s AML/CFT (Anti-Money Laundering / Combating the Financing of Terrorism) systems and controls framework;
  • understand the respondent institution’s business (target markets, customers segments, products and services).

Besides, the correspondent bank should also evaluate the way the respondent institution offers the banking services to its customers:

  • Ultimate clients can do business with the correspondent bank indirectly, through an account which is held by the respondent bank with the correspondent bank.
  • In case of a nested relationship (also called downstream banking), the respondent bank opens an account with the correspondent bank and this account is then used by several “sub-respondent banks”, on behalf of their respective clients.
  • Payable-through-accounts (= pass-by accounts) are directly used by customers of the respondent bank to conduct business in a domestic banking market.

Here we are with a nice list of risk factors, which, in my view, rather encourage “de-risking” than actually discourage it.

KYCC – Know your customer’s customer?

That is one of the really useful clarifications of the FATF guide: No, as a correspondent bank, you don’t have to “know your customer’s customer”. Banks are supposed to know and monitor their banking partner (and their business, reputation, and quality of supervision) but not their banking partner’s customers.

Ongoing compliance obligations of the correspondent bank

If you want to lose weight, it’s not enough to skip the dessert once; you have to do it every day. KYC is similar: Any correspondent banking relationship should be monitored throughout its lifetime. Risk management strategies should be adjusted over time and relationships be altered or terminated if they cannot be managed in line with the risk-based approach.

Is that really worth specifying?

Unfortunately, the FATF guidance has a major downside: It is non-binding and, therefore, subject to national legislation that might overrule it. That is, indeed, the main disadvantage of this kind of guideline: It’s good to know them but actually not sufficient. Long live the banking regulation!


FATF Guidance – Correspondent Banking Services – October 2016