Published:
May 1, 2026
Event:
News and Articles

Uncovering Nested Correspondent Banking: FATF, Wolfsberg, ISO 20022, and the New Era of Payment Transparency


The global architecture of cross-border correspondent banking is undergoing a profound structural evolution, driven by the convergence of stringent anti-money laundering (AML) regulatory mandates, standardised due diligence frameworks, and the comprehensive overhaul of financial messaging networks. At the heart of this evolution lies the concept of "nested" or downstream correspondent banking—a mechanism by which a respondent financial institution leverages its direct relationship with a correspondent bank to process transactions on behalf of third-party, downstream entities. 

This mechanism has been extended to include fintech/paytech companies in the correspondent banking ecosystem and has enabled the rapid growth of these new players. While nesting serves as a critical conduit for global financial inclusion and regional market access, it inherently obscures transactional transparency, thereby elevating the systemic risk of money laundering and terrorist financing.

FATF Recommendation 13 

The Financial Action Task Force (FATF) Recommendations, first published in 1990 and frequently revised to address emerging vulnerabilities, serve as the internationally recognised standards for combating money laundering and terrorist financing. Within this framework, Recommendation 13 explicitly governs correspondent banking and other similar cross-border relationships.

The regulatory text requires financial institutions to proactively identify and manage the risks associated with these cross-border relationships. However, the FATF distinguishes between different types of downstream access. The most stringent requirements apply to "payable-through accounts" (PTAs). The Interpretive Note to Recommendation 13 defines PTAs as correspondent accounts that are utilised directly by third parties to transact business on their own behalf. When facilitating PTAs, the correspondent institution is required to satisfy itself that the respondent bank has conducted full Customer Due Diligence (CDD) on the customers possessing direct access to the account, and that the respondent can provide this CDD information upon request. PTAs are increasingly rare these days, no doubt influenced by the regulatory focus.

In contrast, standard "nested" or downstream correspondent banking refers to the use of a bank's correspondent relationship by a number of indirect respondent banks (nested banks) through their relationships with the bank's direct respondent. For standard nested relationships, the FATF 2016 Guidance on Correspondent Banking Services explicitly clarifies that there is no universal expectation, intention, or requirement for the correspondent institution to conduct direct CDD on the underlying customers of its respondent institution. Instead, the correspondent is required to gather sufficient information to understand the respondent bank's business, reputation, quality of supervision, and the efficacy of its AML/CFT controls.

The FATF Guidance also clarifies that Recommendation 13 applies to Money or Value Transfer Services (MVTS), which include MSBs and PSPs, in two specific scenarios:

  • Intermediary Service: When an MSB/PSP acts as an intermediary for another MSB/PSP (a nested arrangement).
  • Banking Access: When an MSB/PSP accesses a banking system through a respondent bank to execute cross-border payments for its own customers.

If the nested MSB or PSP has direct access to the correspondent bank’s accounts (meaning they can move money without the respondent bank manually intervening each time), this is classified as a "Payable-Through Account." Recommendation 13 requires stricter checks if this is the case. The majority of MVTS players don’t access global payment rails directly and depend on banks to move funds for them. There is a trend towards direct access; in the US, many are seeking OCC licenses and Fed access to become the equivalent of banks. In some jurisdictions, such as Brazil, these companies must be licensed as banks. A number of MVTS companies have successfully transitioned to becoming fully licensed banks in the UK and continental Europe.

The "De-Risking" Crisis and Regulatory Course Correction

To fully grasp why FATF and the Wolfsberg Group have placed such intense focus on managing downstream access, one must understand the phenomenon of "de-risking." In the early to mid-2010s, following a series of unprecedented regulatory enforcement actions and multi-billion-dollar fines levied against global correspondent banks for sanctions evasion and AML failures, major financial institutions adopted an aggressive posture. Rather than managing the complex risks associated with downstream relationships, correspondents began terminating business relationships with entire regions, jurisdictions, and classes of customers.

This wholesale termination of correspondent accounts—de-risking—caused severe disruptions to the global financial system. The Committee on Payments and Market Infrastructures (CPMI) reported that the 7,000 banks utilising the SWIFT network for correspondent banking managed over 1 million individual relationships, and the severing of these ties threatened to drive international payment flows into unregulated, underground channels. De-risking disproportionately impacted emerging markets, regional banks, and non-profit organisations, running directly counter to global financial inclusion objectives.

In response, a coordinated effort by the FATF, the Financial Stability Board (FSB), the CPMI, and the Basel Committee on Banking Supervision (BCBS) was launched. The resulting FATF 2016 Guidance and the revised BCBS guidelines on the Sound Management of Risks Related to Money Laundering and Financing of Terrorism explicitly stated that de-risking is not in line with FATF Recommendations. The regulatory bodies affirmed that nested correspondent banking relationships are an integral and generally legitimate component of international finance, allowing regional banks to help small local institutions access the global clearing system.

Consequently, there was a shift from avoidance to rigorous, standardised management. The FATF dictated that correspondent banks must evaluate the types of services the respondent offers to nested banks, the quality of banking regulation in the respondent's host country, and the respondent's ability to maintain payment transparency. Similarly, banks should not treat all MSBs as high-risk by default but should assess the specific respondent's controls over their own customers.

Operationalising Due Diligence via the Wolfsberg CBDDQ

The Wolfsberg Group, an association of global banks, recognised that the systemic contraction of correspondent relationships was exacerbated by the fragmented, inconsistent, and highly bespoke due diligence demands placed upon respondent banks by different correspondents. To resolve this inefficiency, the Wolfsberg Group developed the Correspondent Banking Due Diligence Questionnaire (CBDDQ). Designed as a universal KYC standard, the CBDDQ standardises the collection of critical data regarding a respondent's ownership, product offerings, AML/CFT programs, sanctions compliance, and anti-bribery protocols. The questionnaire represents a foundational pillar of modern correspondent banking, transitioning the industry away from the legacy Wolfsberg AML Questionnaire to a far more granular and robust framework. To maintain the accuracy of this data, the Wolfsberg Group recommends that the CBDDQ be updated on a 12-to-18-month cycle, ensuring that correspondent banks possess dynamic insights into their respondents' evolving risk profiles.

Question 19, located within the "Products & Services" section of the questionnaire, forces the respondent legal entity to map its downstream clearing architecture. The structure of the inquiry eliminates ambiguity regarding both domestic and foreign nested exposure.

The following table illustrates the hierarchical logic of Question 19 as it pertains to traditional bank nesting:

By legally committing to these declarations, the respondent bank establishes the parameters of its relationship with the correspondent. If a respondent answers "Yes" to allowing downstream relationships (19 a1b or 19 a1e), the correspondent institution is immediately put on notice that its payment clearing infrastructure will be utilised by unknown third-party institutions, thereby triggering an elevation in the correspondent's risk scoring and transaction monitoring parameters.

The Convergence of Bank and Non-Bank Nesting (MSBs, MVTSs, and PSPs)

Historically, the definition of nested correspondent banking was strictly limited to interactions between licensed, traditional banking entities. However, the rapid digitisation of global finance, the proliferation of fintechs, and the exponential growth of alternative payment rails fundamentally altered the systemic risk profile. Regulators and the Wolfsberg Group recognised that when a respondent bank utilises its correspondent clearing account to process bulk, aggregated, or netted transactions on behalf of an MSB, MVTS, or PSP, the structural obfuscation of the underlying ultimate originators and beneficiaries is identical to that of a traditional nested bank.

To address this systemic vulnerability, the CBDDQ was expanded. Questions 19 a1g, 19 a1h, and 19 a1i effectively equate the provision of clearing services to MSBs/MVTSs/PSPs with the provision of correspondent banking services to foreign banks.

The inclusion of these specific entity types within the formal "Correspondent Banking" subsection of Question 19 is a watershed development. It signifies a unified global regulatory consensus that processing payments for PSPs and MSBs is correspondent banking. We expect to see Question 19 expanded further to include VASPs over time.

Respondent banks offering services to MSB/MVTS customers, Payment Service Providers, or engaging in high-risk sectors (such as gambling or virtual currencies) are systematically subjected to EDD or restricted on a risk-based approach. The respondent bank is required to prove that it performs additional quality controls on its MSB/PSP clients, ensuring that these non-bank entities are not functioning as opaque conduits for illicit finance.

The Monitoring Imperative

FATF guidance makes it clear that it is not enough to rely on a static, point-in-time declaration (the CBDDQ) from a respondent; downstream activity must be continuously and independently monitored.

The CBDDQ, while comprehensive, relies on self-attestation. A respondent bank may truthfully state in response to Q.19 a1h that it does not allow downstream relationships with MSBs, MVTSs, or Payment Service Providers (PSPs), but its internal controls may be insufficiently robust to prevent a foreign fintech client from nesting activity through a domestic corporate account. Therefore, the FATF explicitly requires correspondent institutions to maintain independent, continuous oversight.

The FATF 2016 Guidance on Correspondent Banking Services and the subsequent interpretations establish the obligations of the correspondent institution regarding nested relationships: 

"The correspondent institution should be informed about the existence of nested relationships and the operations / transactions of the customers of the nested institutions, that the locations in which the nested institutions conduct business are transparent to, and understood by, the correspondent institution, and the respondent is transparent in formatting payment instruction so all involved parties are included for monitoring and screening purposes; The correspondent institution must have measures in place to detect potential, undisclosed nested relationships provided by the respondent and take appropriate follow-up action when a respondent does not disclose the existence of a nested relationship."

The requirement to detect "undisclosed nested relationships" is a primary directive.

The Mechanics of Continuous Oversight

To fulfill this continuous monitoring requirement, correspondent banks will employ advanced Transaction Monitoring Systems (TMS) configured with specific typologies and risk-scoring algorithms. These systems continuously ingest payment traffic and analyze it against the static baseline established by the CBDDQ.

Key detection vectors for undisclosed nesting include:

  • Geographic Discrepancies: Identifying payment flows originating from or destined for jurisdictions where the respondent bank has no physical footprint or declared business operations.
  • Volume Anomalies: Detecting transaction volumes or values that are grossly disproportionate to the respondent's declared capitalisation or the economic size of its domestic market.
  • Formatting Irregularities: Identifying repetitive patterns of unstructured text within legacy payment messages (e.g., the consistent appearance of third-party bank names or specific corporate entities in the remittance fields) that suggest the respondent is acting as a pass-through for an unvetted third party.

When an anomaly is detected, the correspondent institution will initiate a Request for Information (RFI). The RFI process bridges the gap between automated detection and human compliance analysis. The correspondent may request detailed explanations regarding specific transactions, or seek aggregated, anonymised data concerning the respondent’s customer portfolio (e.g., a breakdown of clients by industry or geography) to verify that the respondent's AML/CFT controls are functioning effectively.

If the RFI reveals that the respondent is indeed facilitating undisclosed nested relationships, or if the respondent is unable to provide adequate transparency regarding the locations and operations of its downstream clients, the correspondent must take risk-mitigating action. Depending on the severity of the breach and the underlying jurisdiction, mitigation strategies range from applying enhanced transaction monitoring and limiting the volume of specific product offerings, to the ultimate sanction: the termination of the correspondent banking relationship.

To streamline this monitoring process and enhance transparency, correspondent banks may require respondents to utilise segregated accounts for specific purposes, such as dedicating distinct clearing accounts solely for nested or downstream relationships. This structural segregation allows the correspondent's TMS to apply highly tailored, aggressive monitoring scenarios to the highest-risk transaction flows.

Complementary Data Requirements: Onboarding and Identification

Transaction monitoring is effective once a correspondent relationship has been established and data on transaction flows is available; at the point of onboarding, however, this information is not yet present. An “ex ante” check on the Q.19 declaration in the Wolfsberg CBDDQ can be performed by verifying whether any downstream respondents have declared to SWIFT that the respondent being onboarded acts as their correspondent.

BankCheck allows this check to be performed comprehensively and with ease. 

In the case of MSBs, monitoring depends on the correspondent bank’s ability to identify the status of the entity appearing in a payment message. Without comprehensive reference data, detection of MSBs risks being “hit or miss”. BankCheck’s comprehensive global database of regulatory licences allows banks to determine at speed and at scale whether an entity is in fact licensed by its regulator as an MSB, VASP, etc.

The Payment Message: Legacy SWIFT MT vs. ISO 20022

The ability of a correspondent bank to detect undisclosed nesting and monitor downstream activity is intrinsically tied to the structural quality of the data transmitted within the payment message. The transition from the legacy SWIFT MT messaging standard to the ISO 20022 (MX) standard fundamentally alters the technical labels and the visibility of data in nested flows. For decades, the global financial system relied upon the SWIFT MT standard, predominantly utilising the MT103 message for customer credit transfers. However, the MT103 format relies upon a flat, linear structure with strict character limitations and a heavy reliance on unstructured, free-text fields. This legacy architecture inadvertently created compliance blind spots, facilitating the obfuscation of nested relationships and generating high rates of false-positive sanctions alerts.

Mapping the Nested Flow: The Vulnerabilities of MT103

In a nested correspondent banking scenario, the payment chain involves multiple actors. Let us assume Bank A (the Nested Bank) has a client who wishes to send funds. Because Bank A lacks a direct USD correspondent account, it utilises Bank B (the Respondent Bank) as an intermediary pass-through. Bank B then transmits the instruction to Bank C (the Correspondent Bank).

Under the legacy MT103 standard, capturing the complexity of this multi-tiered chain was highly problematic. The flat structure offered limited dedicated fields:

  • Field 50 (Ordering Customer): Contains the identity of the actual person or corporate entity sending the funds.
  • Field 52a (Ordering Institution): Designed to identify the financial institution of the ordering customer.
  • Field 59 (Beneficiary Customer): Identifies the ultimate recipient.

The critical vulnerability in the MT103 schema manifests when Bank B generates the message to send to Bank C. Structurally, Field 52a was frequently the only "bank" easily visible and readable by automated systems. When acting as a pass-through, Bank B would routinely populate Field 52a with its own Bank Identifier Code (BIC), effectively declaring itself as the Ordering Institution.

The true nested bank (Bank A) was either omitted entirely, crammed into the unstructured Field 50 text block alongside the debtor's name, or relegated to Field 72 (Sender to Receiver Information)—an optional, unstructured field notoriously difficult for automated Transaction Monitoring Systems to parse accurately. Consequently, Bank C (the Correspondent) possessed structural visibility only into Bank B. Bank A operated in the shadows, immune to automated sanctions screening and algorithmic risk profiling.

The Hierarchical Fidelity of ISO 20022 (pacs.008)

The global migration to the ISO 20022 standard, governed by the Cross-Border Payments and Reporting Plus (CBPR+) usage guidelines, resolves these structural deficiencies. The ISO 20022 pacs.008 message (the direct equivalent to the MT103) employs a rich, hierarchical XML structure that separates the payment payload into distinct logical groupings: the Group Header (containing characteristics shared by the entire message) and the Credit Transfer Transaction Information (containing the specific payment details).

Crucially, to ensure full transparency throughout complex payment chains, the pacs.008 message introduces dedicated, mandatory tags for every potential agent involved in the lifecycle of the transaction.

The following table compares the legacy flat structure versus the modern hierarchical XML schema:

Under the ISO 20022 rules, when Bank B (Respondent) routes Bank A's (Nested) payment to Bank C (Correspondent), the XML schema enforces strict deterministic roles.

  • The <DbtrAgt> (Debtor Agent) element must be populated with Bank A's BIC, identifying it unequivocally as the institution servicing the debtor's account, even though Bank A has no direct technical communication with New York.
  • The <InstgAgt> (Instructing Agent) element must be populated with Bank B's BIC, identifying it as the entity physically pushing the instruction into the network.

This rigid separation ensures that the correspondent institution (Bank C) receives a machine-readable, structured identifier for the nested entity. Automated compliance filters can screen the <DbtrAgt> against global sanctions lists with precision, neutralising the obfuscation vulnerabilities of the MT era.

Payment Transparency, "Wrapping," and Data Stripping

The technological supremacy of the ISO 20022 standard is meaningless if participating financial institutions subvert the data requirements. The transition to a structured data environment has fundamentally altered the legal and compliance liabilities regarding how data is populated, manipulated, and preserved during transit.

A critical "Compliance Red Flag" arises when the Respondent Bank (Bank B) acts as a pass-through but fails to populate the <DbtrAgt> tag with Bank A’s information. In this case, it is "wrapping" the transaction in its own identity, committing an act of "Data Stripping" which violates Payment Transparency Standards. This represents one of the most consequential operational risks in modern correspondent banking.

The Obligations of the Debtor Agent PSP

To formalise these technical obligations, the Wolfsberg Group published comprehensive updates to its Payment Transparency Standards in 2023. These updated standards expanded the regulatory focus from traditional financial institutions to encompass all types of Payment Service Providers (PSPs), Payment Market Infrastructures (PMIs), and fintechs.

A core tenet of the 2023 standards is the universal principle that "a payment is a payment." Whether a transaction originates from a Tier 1 global bank or a regional digital wallet, the originating institution—defined in the ISO 20022 lexicon as the "Debtor Agent PSP"—maintains the absolute, non-delegable obligation to ensure that the payment message is structured appropriately. The Debtor Agent PSP must clearly identify both the ultimate debtor and the ultimate creditor.

Crucially, the standards dictate that even when PSPs bundle or aggregate multiple individual payments into a single bulk transfer for cross-border settlement, the underlying transfer mechanism must remain meticulously structured to preserve total transparency regarding the ultimate originators.

Data Stripping

The risk of "wrapping" occurs specifically at the intermediary nodes. If Respondent Bank B receives a fully transparent instruction from Nested Bank A, but subsequently generates an outbound pacs.008 message to Correspondent Bank C where it inserts its own BIC into the <DbtrAgt> tag, it has actively overwritten the true origin of the funds.

In the MT103 era, as noted, this was an easy and frequently normalised practice achieved by simply placing Bank B in Field 52. However, under the strict schema of ISO 20022, altering or omitting the true <DbtrAgt> requires active, intentional data degradation.

In the compliance and financial intelligence community, this intentional truncation or alteration of critical compliance information is commonly known as "Data Stripping". Data Stripping is globally recognised by analytics platforms and regulators as an egregious violation of Payment Transparency Standards and FATF Recommendation 16 (Payment Transparency).

The Wolfsberg Payment Transparency Standards explicitly note that intermediary and correspondent agents have a highly limited ability to identify suspicious activity or conduct accurate sanctions screening when the accompanying payment information is limited, truncated, or stripped. When data stripping occurs during the translation of a data-rich ISO 20022 message across a legacy network node, essential compliance information is destroyed, frequently leading to the receiving bank rejecting the transfer or initiating costly, time-consuming Request for Information (RFI) protocols.
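The role separation between <InstgAgt> and <DbtrAgt> described above, and the "wrapping" and detection vectors discussed earlier, can be checked mechanically on the correspondent side. The following is an added example, not part of the original article or any vendor's code: it parses a trimmed pacs.008 and compares each transaction with a respondent baseline. The baseline keys, flag names, BICs and country codes are constructed for illustration, and the free-text BIC match is a heuristic that yields candidates for an RFI, not findings.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"}
# Heuristic: a token shaped like a BIC8/BIC11 (will also match some ordinary words).
BIC_SHAPE = re.compile(r"\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b")

def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None

def parse_pacs008(xml_text):
    """Return one dict per CdtTrfTxInf holding the agent and debtor fields."""
    # Counterparty XML is untrusted input: use a hardened parser in production.
    root = ET.fromstring(xml_text)
    return [{
        "id": _text(tx, "p:PmtId/p:EndToEndId"),
        "instg_agt": _text(tx, "p:InstgAgt/p:FinInstnId/p:BICFI"),
        "dbtr_agt": _text(tx, "p:DbtrAgt/p:FinInstnId/p:BICFI"),
        "dbtr_name": _text(tx, "p:Dbtr/p:Nm") or "",
        "dbtr_ctry": _text(tx, "p:Dbtr/p:PstlAdr/p:Ctry"),
        "ustrd": " ".join(u.text or "" for u in tx.iterfind("p:RmtInf/p:Ustrd", NS)),
    } for tx in root.iterfind(".//p:CdtTrfTxInf", NS)]

def nesting_indicators(tx, baseline):
    """Compare one transaction with the respondent's declared baseline."""
    flags = []
    instg, dbtr_agt = tx["instg_agt"] or "", tx["dbtr_agt"]
    if dbtr_agt is None:
        flags.append("DBTRAGT_MISSING")
    elif dbtr_agt[:8] != instg[:8]:
        # Another institution sits behind the respondent: expected if declared.
        if not baseline["declares_downstream"]:
            flags.append("UNDECLARED_DOWNSTREAM_AGENT:" + dbtr_agt)
    else:
        # Respondent names itself as Debtor Agent: look for another bank in free text.
        free_text = f'{tx["dbtr_name"]} {tx["ustrd"]}'.upper()
        others = sorted({b for b in BIC_SHAPE.findall(free_text) if b[:8] != instg[:8]})
        if others:
            flags.append("POSSIBLE_WRAPPING:" + ",".join(others))
    if tx["dbtr_ctry"] and tx["dbtr_ctry"] not in baseline["declared_countries"]:
        flags.append("GEO_OUTSIDE_FOOTPRINT:" + tx["dbtr_ctry"])
    return flags

def review(xml_text, baseline):
    """Map each EndToEndId to its list of indicators."""
    return {tx["id"]: nesting_indicators(tx, baseline) for tx in parse_pacs008(xml_text)}

def _sample_tx(e2e, dbtr_agt, name, ctry, ustrd):
    # Constructed, trimmed transaction (not schema-complete); all BICs are made up.
    return (f"<CdtTrfTxInf><PmtId><EndToEndId>{e2e}</EndToEndId></PmtId>"
            f"<InstgAgt><FinInstnId><BICFI>RESPZZ2B</BICFI></FinInstnId></InstgAgt>"
            f"<Dbtr><Nm>{name}</Nm><PstlAdr><Ctry>{ctry}</Ctry></PstlAdr></Dbtr>"
            f"<DbtrAgt><FinInstnId><BICFI>{dbtr_agt}</BICFI></FinInstnId></DbtrAgt>"
            f"<RmtInf><Ustrd>{ustrd}</Ustrd></RmtInf></CdtTrfTxInf>")

# Constructed message from respondent RESPZZ2B (Bank B) to the correspondent:
# E2E-1 names nested bank NESTZZ2A in DbtrAgt, E2E-2 wraps it, E2E-3 is B's own customer.
SAMPLE = (f'<Document xmlns="{NS["p"]}"><FIToFICstmrCdtTrf>'
          + _sample_tx("E2E-1", "NESTZZ2A", "Acme Trading Ltd", "XA", "INV 4471")
          + _sample_tx("E2E-2", "RESPZZ2B", "Acme Trading Ltd", "XB", "INV 4472 B/O NESTZZ2A")
          + _sample_tx("E2E-3", "RESPZZ2B", "Orchid Exports", "XB", "INV 9001")
          + "</FIToFICstmrCdtTrf></Document>")

# Constructed baseline: respondent answered "No" to downstream relationships.
BASELINE = {"declares_downstream": False, "declared_countries": {"XB"}}

if __name__ == "__main__":
    for e2e, flags in review(SAMPLE, BASELINE).items():
        print(e2e, flags or "no indicators")
```
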

Conclusion

The landscape of cross-border correspondent banking has evolved to reduce opacity in downstream clearing. The synthesis of FATF Recommendation 13, the granular due diligence architectures of the Wolfsberg Group CBDDQ (specifically regarding the regulatory equivalency of non-bank nested entities like PSPs and MSBs), and the deterministic XML hierarchy of the ISO 20022 pacs.008 message establishes a dense matrix of accountability.

By structurally divorcing the Instructing Agent from the Debtor Agent, the ISO 20022 standard exposes the illicit practice of data stripping, rendering the "wrapping" of nested transactions visible to modern compliance algorithms. Consequently, all participants within the global payment chain—from the ultimate downstream PSP to the tier-one correspondent clearing institution—are bound by a framework of transparency, ensuring that nested relationships foster international financial inclusion without serving as conduits for systemic financial crime.

The advent of VASPs and the global growth of non-bank financial services providers has brought an increasing level of complexity to the challenge of identifying and monitoring downstream activity. Partnering with the right data solutions provider will assist industry participants in meeting their regulatory requirements in an effective and efficient manner.

Takeaways

  • Nested banks and PSPs have an obligation to identify themselves as Debtor Agent
  • Respondent banks have an obligation to identify the Debtor Agent to the Correspondent or be found to have violated Data Transparency Standards
  • Correspondent banks have an obligation to monitor activity continuously and independently
  • Correspondent banks have an obligation to act if there is a discrepancy between due diligence (e.g. CBDDQ Q.19 statement) and monitoring
  • Data providers can assist industry participants in meeting their regulatory requirements.
