FATF Rec 13: What It Requires and Who It Applies To

What is FATF Rec 13?

FATF Recommendation 13 is an international AML/CFT standard issued by the Financial Action Task Force that governs how banks manage correspondent banking relationships. FATF adopted the current text in February 2012 as part of its revised 40 Recommendations, replacing the earlier 2003 version. The 2016 FATF Guidance on Correspondent Banking Services further clarified expectations in practice.

Correspondent banking is the provision of banking services by one institution (the correspondent) to another (the respondent). Those services typically include processing international wire transfers, holding nostro and vostro accounts, clearing foreign currency, and settling securities transactions. The risk is structural: a respondent bank's customers gain indirect access to the correspondent's payment infrastructure, often across multiple borders and through chains of intermediaries.

FATF introduced Rec 13 to address that risk directly. When a correspondent bank fails to vet its respondents, illicit funds move through its accounts with near-anonymous cover. The 2012 revision tightened the original standard, explicitly prohibiting correspondent relationships with shell banks and requiring documented clarity on which institution holds AML/CFT responsibility for underlying customers.

The FATF interpretive note to Rec 13 makes clear this is an ongoing obligation, not a one-time check. Relationships must be reviewed periodically and whenever material changes occur. Banks that treat correspondent due diligence as a box-checking exercise at onboarding and never revisit it are non-compliant, regardless of how thorough the initial assessment was.

Who does FATF Rec 13 apply to?

Rec 13 applies to any bank providing correspondent banking services. In practice, that means deposit-taking institutions that maintain nostro or vostro accounts for other banks, process foreign currency transactions on behalf of other institutions, or provide clearing and settlement services across borders.

FATF member states (39 members plus 2 regional organizations, representing over 200 jurisdictions through FATF-Style Regional Bodies) are required to implement Rec 13 in national law. That makes it a de facto global requirement for the banking sector. Implementation typically comes through:

• National AML legislation such as the BSA (US-FinCEN) in the United States and the UK MLR 2017 (UK-FCA) in the United Kingdom
• EU directives and the forthcoming EU AMLR (EU), which directly incorporates Rec 13 language
• Regulatory rulebooks and supervisory guidance from national prudential and AML authorities

Covered entities include:

• Global systemically important banks (G-SIBs) that operate as major correspondent hubs
• Regional banks with international clearing operations
• Foreign branches of international banks operating in FATF member jurisdictions
• Banks providing payable-through accounts (PTAs) that allow third-party access to correspondent payment systems
• Banks acting as respondents are indirectly affected: their own due diligence obligations toward underlying customers feed directly into the assessment a correspondent will conduct

Shell banks are explicitly excluded from eligibility. No bank may open or maintain a correspondent account for a shell bank, defined as a bank incorporated in a jurisdiction where it has no physical presence and no affiliation with a regulated financial group.

There's no formal asset threshold in Rec 13, but the intensity of due diligence scales with risk. A small regional bank with one modest nostro account faces a lighter documentation burden than a G-SIB processing billions daily through dozens of respondent relationships.

What does FATF Rec 13 require?

The core obligations, drawing on the standard text and the 2016 FATF Guidance, break into eight distinct requirements:

1. Pre-relationship information gathering. Before establishing any correspondent relationship, the correspondent must collect sufficient information about the respondent to understand its business model, ownership structure, regulatory status, quality of AML/CFT supervision, and whether it has been subject to enforcement actions or suspicious activity reports.

2. Assessment of AML/CFT controls. The correspondent must evaluate whether the respondent's AML/CFT controls are adequate and effective. This means reviewing Customer Due Diligence (CDD) policies, transaction monitoring capability, sanctions screening coverage, and governance. The assessment must be documented, not just inferred.

3. Senior management approval. Before opening any new correspondent account, the relationship must receive approval from genuinely empowered senior management. Regulators look for evidence of actual deliberation, not rubber-stamped sign-offs from middle management.

4. Documentation of responsibilities. Each party must document which institution is responsible for applying CDD measures to underlying customers. Where the respondent conducts CDD on its own customers (the standard arrangement), the correspondent must be confident that the respondent does so to a standard at least equivalent to FATF requirements and that it will provide CDD data on request.

5. Prohibition on shell bank relationships. No correspondent account may be opened or maintained for a shell bank. No payable-through account may be operated in a way that gives undisclosed third parties effective access to the correspondent's systems.

6. Ongoing Enhanced Due Diligence (EDD). The relationship is subject to ongoing review throughout its life. EDD is required for higher-risk respondents, including those operating in jurisdictions on the FATF high-risk list or with complex, opaque ownership structures.

7. Record retention. Rec 13 links directly to FATF Rec 11 (FATF). Due diligence records, senior management approvals, and assessments must be retained for a minimum of five years.

8. Payable-through account controls. For PTAs and similar nested structures, the correspondent must confirm the respondent has applied CDD to all customers with access and can provide that information on request.

What evidence do regulators expect?

When examiners review a correspondent banking program, they want documentation, not assurances. An institution that says "we have a strong due diligence process" with no files to show will not pass the exam.

Policies and procedures:

• A written correspondent banking policy covering risk appetite, approval requirements, restricted categories (including an explicit shell bank prohibition), and review triggers
• Clear ownership of the correspondent due diligence function and documented authority to approve new relationships

Due diligence files:

• Completed questionnaires for each active respondent, covering ownership, regulatory status, AML/CFT program details, and jurisdiction risk ratings
• Evidence that questionnaire answers were verified against independent sources, such as central bank registers, the Wolfsberg Group CBDDQ, or commercial screening databases
• Notes or memos documenting the assessment conclusion and any red flags identified and resolved

Approval documentation:

• Meeting minutes or approval forms signed by senior management for each correspondent relationship
• Evidence that the approver understood the respondent's risk profile, not just their name and address

Ongoing review records:

• Dated evidence of periodic reviews (annually for standard-risk respondents, more frequently for elevated-risk ones)
• Records of any material changes that triggered an interim review, such as a regulatory action against the respondent or a change in beneficial ownership

Transaction monitoring:

• Logs confirming that transactions through correspondent accounts are subject to monitoring
• Records of any SAR (Suspicious Activity Report) filings related to respondent activity

Training records:

• Evidence that relationship managers and compliance staff have been trained on correspondent banking AML obligations within the past 12 months

Examiners will cross-reference due diligence files against the bank's actual respondent population. If the bank has 50 active correspondents but files for only 35, that's an immediate finding.

Common failure modes

Correspondent banking failures show up in exams and enforcement actions in predictable patterns.

• Stale due diligence files. The most common finding. A bank completed thorough onboarding due diligence in 2019, the relationship was never reviewed, and the respondent has since been sanctioned or changed ownership. The 2012 HSBC deferred prosecution agreement with the US Department of Justice documented exactly this pattern: HSBC's US correspondent program failed to monitor HSBC Mexico's activity despite years of escalating red flags already on file.

• No genuine senior management approval. Correspondent accounts opened by relationship managers without formal senior approval. Examiners look for contemporary documentation, not retrospective sign-offs created after an exam notice arrives.

• Shell bank exposure. Banks that unknowingly maintain relationships with institutions that are effectively shell banks, or that allow shell bank accounts to nest inside respondent accounts. The 2004 OCC and FinCEN action against Riggs Bank, which resulted in a $25 million civil money penalty, included findings on inadequate due diligence over foreign correspondent accounts with limited beneficial ownership transparency.

• Information collection without analysis. Due diligence files that contain a completed questionnaire with 40 "yes" answers and no examiner notes. Collecting information is not the same as assessing it.

• PTA non-compliance. Correspondent banks that allow respondents to use payable-through accounts without documenting the underlying customers or the applicable CDD standard.

• No connection between correspondent monitoring and SAR filing. Banks that run transaction monitoring across correspondent accounts but file no suspicious activity reports even when transaction patterns are anomalous. This gap is a direct finding under FATF Rec 20 (FATF).

Penalties for non-compliance

Enforcement for correspondent banking failures comes from multiple bodies depending on jurisdiction: FinCEN and the OCC in the United States, the FCA in the United Kingdom, DNB and BaFin in Europe, MAS in Singapore, and AUSTRAC in Australia.

United States: The HSBC Holdings PLC case remains the reference point. In 2012, the DOJ and FinCEN imposed a $1.9 billion deferred prosecution agreement for AML failures that included systemic gaps in correspondent banking due diligence, particularly in allowing Mexican drug trafficking proceeds to flow through US accounts. In 2019, Standard Chartered Bank agreed to pay over $1 billion in a combined settlement with the DOJ, OFAC, and the New York DFS for processing transactions through correspondent accounts for sanctioned entities, including Iran and Sudan. Riggs Bank paid $25 million in 2004 for AML failures covering foreign correspondent accounts.

United Kingdom: The FCA fined Deutsche Bank AG £163 million in 2017 for AML control failures that included material weaknesses in its correspondent banking due diligence program.

Criminal exposure: Individual compliance officers and senior managers face personal criminal liability in some frameworks, particularly the UK under POCA, Singapore, and EU member states implementing the 6AMLD (EU).

Penalties are not capped at fixed amounts in most jurisdictions. US enforcement combines civil money penalties, disgorgement of profits, deferred prosecution agreements, and enhanced compliance monitorship. The monitorship costs alone can exceed the headline penalty figure over a multi-year term.

Related regulations and frameworks

Rec 13 fits into a dense web of complementary standards.

Within FATF's 40 Recommendations:

• FATF Rec 10 (FATF): The foundational CDD requirement. Rec 13 is a specialized application of Rec 10 to the correspondent banking context, with more prescriptive controls.
• FATF Rec 1 (FATF): The risk-based approach that determines the intensity of due diligence required under Rec 13 for any given respondent.
• FATF Rec 12 (FATF): PEP due diligence applies when a respondent bank has politically exposed persons among its customers whose transactions flow through the correspondent relationship.
• FATF Rec 16 (FATF): The travel rule requires originator and beneficiary information to accompany wire transfers. Correspondent banks are the key nodes in the payment chain where travel rule compliance is verified.
• FATF Rec 24 (FATF): Beneficial ownership transparency feeds directly into correspondent due diligence. A respondent with opaque ownership is a red flag that elevates the due diligence requirement.

National implementing legislation: The BSA (US-FinCEN) and the FinCEN CDD Rule (US-FinCEN) implement Rec 13 requirements domestically. The USA PATRIOT Act Section 312 adds specific enhanced due diligence requirements for correspondent accounts held for foreign banks and private banking accounts. In the EU, EU AMLR (EU) Article 21 governs correspondent relationships directly. In the UK, UK MLR 2017 (UK-FCA) Regulations 33 through 35 cover enhanced due diligence, with the FCA's SYSC 6.3 (UK-FCA) adding governance expectations on top.

Industry frameworks: The Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire is the industry-standard tool for gathering respondent information. While not a regulatory requirement, examiners treat use of a standardized questionnaire as baseline good practice. Absence of a structured questionnaire process is a yellow flag in its own right.

The BIS Working Paper on correspondent banking de-risking documents how Rec 13 compliance costs have contributed to a global decline in correspondent banking relationships, particularly affecting small island states and remittance corridors. Regulators are aware of this tension and have issued guidance discouraging blanket de-risking in favor of risk-based decisions.

How FluxForce supports FATF Rec 13 compliance

FluxForce maps directly onto Rec 13's ongoing monitoring requirements. Aiden Flux and Nova Sentinel continuously screen correspondent account activity against sanctions lists, PEP databases, and adverse news feeds, flagging anomalies before they escalate. The platform maintains timestamped due diligence records and auto-triggers review workflows when a respondent's risk profile changes. Senior management approval flows are built in, with audit trails that satisfy examiner requests on day one of a review. Book a demo to see how correspondent banking compliance runs on FluxForce.