Shell Bank: Definition and Use in Compliance

A shell bank is a financial institution that has no physical presence in the jurisdiction where it is incorporated or licensed and is not affiliated with a regulated financial group subject to effective consolidated supervision.

What is a Shell Bank?

A shell bank is a bank that exists on paper but nowhere else. It's incorporated or licensed in a jurisdiction, holds that license, and may even process transactions. But it has no physical office, no real staff, and no meaningful operations in the country where it was created. It's also not part of a banking group that gets consolidated supervision from a legitimate regulator.

That second condition matters as much as the physical presence test. A bank could have a token local address and still qualify as a shell if its parent group sits outside effective supervisory oversight. The two conditions work together.

FATF Recommendation 13 defines a shell bank as "a bank that has no physical presence in the country in which it is incorporated and licensed, and which is unaffiliated with a regulated financial group that is subject to effective consolidated supervision." That's the working definition compliance teams use globally.

In the United States, Section 313 of the USA PATRIOT Act (31 U.S.C. § 5318(j)) codified the prohibition. A U.S. financial institution that maintains a correspondent account for a foreign shell bank faces civil penalties of up to $1,000,000 per violation under the Bank Secrecy Act. The rule applies to the U.S. institution directly, even if the shell bank is the one moving dirty money.

Shell banks are not the same as offshore banks. An offshore bank licensed in the Cayman Islands with genuine staff, AML officers, and auditable records is not a shell bank. What makes an entity a shell bank is the combination of no physical presence and no consolidated regulatory accountability, not the jurisdiction of incorporation.

The closest structural analogue is the shell company: a legal entity with no real operations, created to obscure the flow of funds or beneficial ownership. Shell banks serve the same function, with one critical difference: they hold banking licenses, giving them direct access to international payment systems that a corporate shell company can't reach on its own.

How is the Term Shell Bank Used in Practice?

Every U.S. bank maintaining correspondent banking relationships with foreign financial institutions must comply with 31 C.F.R. § 1010.630. That regulation requires each foreign respondent to certify that it is not a shell bank and will not provide correspondent access to shell banks through nested accounts. The certification must be renewed every three years, or immediately upon any material change in the respondent's status.

Day-to-day, this is a BSA/AML team responsibility. The compliance officer maintains a correspondent register, maps each respondent to its regulatory status and jurisdiction, and flags any entity that can't demonstrate physical presence and genuine oversight. In high-risk jurisdictions, verification typically means requesting a signed statement with supporting documentation: an office lease, an organizational chart with named personnel, or a written opinion from a local law firm confirming the bank's regulatory standing.

Nested access is the harder problem in practice. A legitimate respondent in a high-risk jurisdiction may channel transactions from shell entities behind it. Those transactions flow through the respondent's account at the U.S. correspondent bank, and the U.S. bank has no direct view of those sub-customers.

Enhanced Due Diligence (EDD) for correspondent accounts in high-risk jurisdictions should include review of the respondent's own customer base and AML program, along with contractual language explicitly prohibiting the respondent from granting sub-account access to any shell bank. A right-to-audit clause covering the respondent's compliance with that prohibition strengthens the bank's position in any subsequent examination.

When a shell bank relationship is confirmed, the required response is account termination and a Suspicious Activity Report (SAR) filing covering any transactions processed through the account. Both steps need to be documented. Examiners who find an undocumented termination will treat the absence of a SAR as a second finding even if the underlying call was correct.

Shell Bank in Regulatory Context

The prohibition on shell banks is one of the few AML rules that is categorical. Customer due diligence, transaction monitoring, and sanctions screening all involve calibrated risk judgments. Shell banks don't work that way. No physical presence plus no consolidated supervision equals prohibited. There's no exception for a "well-run" shell bank, no materiality threshold, and no risk-based carve-out.

FATF Recommendation 13 requires member jurisdictions to both prohibit shell banks from operating and ensure that their banks don't maintain correspondent relationships with them. The interpretive note to Recommendation 13 extends the prohibition to nested correspondent accounts, barring banks from allowing their accounts to be used as a pass-through for shell bank access. Countries appearing on the FATF Grey List are automatically higher-risk in correspondent reviews, because supervision failures in those jurisdictions make it harder to verify that a respondent isn't operating as or through a shell.

In the United States, Section 313 of the USA PATRIOT Act created the prohibition and the certification requirement. Section 319(b) added an enforcement mechanism: a U.S. bank must close the account of any foreign correspondent that fails to respond to an information request within 120 hours. This applies regardless of whether the foreign institution is suspected of being a shell bank.

The Basel Committee on Banking Supervision identified correspondent relationships with entities lacking adequate AML oversight as a high-risk category in its 2001 Customer Due Diligence for Banks paper (BCBS 85). The Wolfsberg Correspondent Banking Principles (2014) go further than minimum regulatory requirements, recommending periodic on-site visits to key respondents in jurisdictions with weak supervision to verify that physical presence is real, not merely documented in a certification form.

Common Challenges and How to Address Them

Detection is the first problem. A shell bank doesn't announce itself. It will have a license number, a website, a registered address, and possibly a phone number answered by a service bureau. The compliance team has to verify that the address corresponds to actual premises and actual staff. This typically means requesting physical evidence: an office lease, an organizational chart with real names, a confirmation from the respondent's home regulator, or an independent legal opinion from a local law firm.

Nested access is harder. A well-supervised respondent in a high-risk jurisdiction may have customers who are shell entities operating locally. Those clients' transactions flow through the respondent's account at the U.S. bank, and the U.S. bank has no direct visibility into them. The solution is to require detailed questionnaires from respondents covering their own client-level due diligence practices, to prohibit nested access explicitly in the correspondent agreement, and to conduct periodic transaction-pattern reviews to detect volumes inconsistent with the respondent's stated business.

Certification management is a practical burden. Managing triennial certifications across hundreds of correspondent relationships requires a tracking system, a remediation workflow for late or deficient responses, and clear escalation procedures for respondents who can't or won't certify. Examiners expect to see all of this documented, and a gap in the certification register is a finding even if the underlying correspondent is legitimate.

Transaction monitoring can surface indirect signals. A respondent account showing high-volume, low-value payments with no clear commercial rationale may indicate pass-through activity. Those patterns warrant escalation to EDD and, if unresolved, termination.

Commercial pressure is the final challenge. Relationship managers don't want to terminate profitable correspondent accounts on a compliance determination. The MLRO needs documented authority to act without approval from the business line, and the bank's policy needs to make clear that a confirmed shell bank finding ends the relationship.

Related Terms and Concepts

Shell bank risk sits at the intersection of correspondent banking controls, de-risking decisions, and AML program design. Several related structures and mechanisms are relevant to understanding how shell banks gain access to the financial system and how compliance programs detect and block them.

Nested correspondent accounts are the primary access mechanism. A shell bank routes transactions through a legitimate respondent, which routes them through a correspondent. The correspondent bank has no direct relationship with the shell, but it's processing the shell's transactions. This is prohibited under both FATF standards and U.S. law, but it requires active monitoring to detect.

De-risking is a blunt-force response to shell bank risk. Rather than conduct enhanced due diligence on respondents in high-risk jurisdictions, some banks terminate all correspondent relationships in those jurisdictions. This removes the shell bank exposure but also cuts off legitimate financial institutions and their customers. Regulators have pushed back on blanket terminations for this reason, while maintaining that EDD must be genuine, not a box-checking exercise.

Shell banks often pair with opaque ownership structures. Identifying the real owners of a respondent bank can reveal whether the institution has connections to sanctioned parties, politically exposed persons, or criminal networks. This is where UBO disclosure frameworks interact with correspondent due diligence.

Trade-based money laundering frequently uses shell banks as the receiving end of over- and under-invoiced trade transactions. The shell bank receives payment, briefly holds funds, and redistributes them. Without physical presence, there's no paper trail to follow.

For compliance teams, the primary reference texts are FATF Recommendation 13 and its interpretive note, FinCEN's guidance on Section 313 certification requirements, and the Wolfsberg Correspondent Banking Principles. All three address shell bank risk from different angles, and all reach the same conclusion.


Where does the term come from?

The term existed informally before it had legal force, used to describe banks existing on paper with minimal real operations. It got formal regulatory definition with the USA PATRIOT Act in October 2001. Section 313 wrote the prohibition into U.S. federal law for the first time, defining a shell bank by reference to physical presence and regulatory affiliation.

FATF codified the prohibition internationally in Recommendation 13 of its 2003 Forty Recommendations, retained in the 2012 revision. The Basel Committee's 2001 Customer Due Diligence paper (BCBS 85) had already flagged correspondent relationships with entities lacking adequate oversight as high-risk, laying conceptual groundwork that Recommendation 13 later formalized at the international level.


How FluxForce handles shell banks

FluxForce AI agents monitor shell bank-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
