FATF Rec 13: What It Requires and Who It Applies To
FATF Recommendation 13 requires banks to conduct due diligence on respondent institutions before establishing or maintaining correspondent banking relationships. Issued by the Financial Action Task Force in its 2012 revised 40 Recommendations, it applies to all banks globally, mandates senior management approval for new relationships, and prohibits any correspondent business with shell banks.
What is FATF Rec 13?
FATF Recommendation 13 is the international AML standard that governs due diligence requirements for correspondent banking relationships. The Financial Action Task Force, an intergovernmental body established by the G7 in 1989, published the current version of its 40 Recommendations in February 2012, with Recommendation 13 specifically addressing how banks must assess and manage the risks created by maintaining accounts for foreign financial institutions.
Correspondent banking is the arrangement where one bank (the "correspondent") provides payment services, account-holding, or currency clearing on behalf of another bank (the "respondent"). It's the infrastructure behind most cross-border wire transfers. When a bank in Lagos needs to clear a USD payment, it routes through a U.S. correspondent bank with dollar clearing access. That routing creates an indirect exposure: the correspondent is, in effect, extending access to the international financial system to the respondent's entire customer base.
FATF strengthened the correspondent banking standard in its 2012 revision, building on mutual evaluation findings that showed widespread gaps in how banks were managing respondent relationships. Years of enforcement actions had made the risks impossible to ignore. By 2012, regulators in the U.S., UK, and Australia had all cited major institutions for weak correspondent controls.
Rec 13 sits within the broader FATF framework. It builds on FATF Rec 10 (Customer Due Diligence) by extending CDD obligations to the respondent bank itself, and it connects to FATF Rec 1 (Risk-Based Approach) to calibrate due diligence intensity by risk level.
Who does FATF Rec 13 apply to?
The recommendation applies to any bank providing correspondent banking services. That's a broader population than most compliance officers initially assume.
Covered entities include:
- Global transaction banks: institutions like Citibank, JPMorgan Chase, Deutsche Bank, and Standard Chartered that clear USD, EUR, or GBP for respondent banks worldwide
- Regional intermediary banks: mid-tier institutions in Europe, the Middle East, or Asia that sit between local respondents and global clearing banks
- Banks offering payable-through accounts (PTAs): accounts where the respondent institution's own customers can transact directly, creating a deeper and harder-to-monitor indirect customer exposure
- Banks with nested correspondent relationships: where the respondent itself maintains downstream correspondents, extending the chain further
- Foreign branches and subsidiaries of covered banks: a bank's overseas operation acting as the respondent in a relationship is itself subject to Rec 13 obligations when it acts as a correspondent for others
FATF's standard has no size threshold. A small regional bank that happens to clear currencies for a foreign institution falls in scope. The FATF Methodology for Assessing Compliance confirms this: the obligation follows the activity, not the balance sheet.
Jurisdictional scope covers all 39 FATF member countries, which collectively represent over 90% of global economic output. Non-member jurisdictions are assessed against FATF standards through Mutual Evaluation Reviews conducted by FATF-Style Regional Bodies (FSRBs). In practice, any institution with access to USD, EUR, or GBP correspondent banking is indirectly exposed to Rec 13 compliance requirements through its correspondent's own vetting obligations.
What does FATF Rec 13 require?
The core obligations are specific. Here's what the text actually mandates:
Gather sufficient information about the respondent. Before opening a relationship, collect the respondent's full business profile: its regulatory jurisdiction and license status, ownership structure, key management personnel, the products it offers, and its customer base. This is essentially a Know Your Business (KYB) assessment applied to another regulated institution.
Assess the respondent's AML/CFT controls. Determine whether the respondent has a written AML compliance program, whether it's subject to effective supervision in its home jurisdiction, and whether it applies Customer Due Diligence (CDD) on its own customers. Asking the respondent to self-certify is not sufficient.
Obtain senior management approval before opening. New correspondent relationships require documented sign-off from a senior manager or committee with genuine authority. A relationship manager's approval alone isn't sufficient, and the documentation must trace the approval chain.
Document each party's AML/CFT responsibilities in writing. The agreement between correspondent and respondent must clearly allocate compliance duties. For payable-through accounts specifically, the respondent must confirm it has performed CDD on its direct customers and will produce that information on request.
Prohibit relationships with shell banks. FATF Rec 13 is explicit: no correspondent relationships with shell banks. A shell bank is defined as a bank incorporated in a jurisdiction where it has no physical presence and no affiliation with a regulated financial group. This prohibition is absolute; no risk-based exception applies.
Apply Enhanced Due Diligence (EDD) where risk warrants it. Respondents based in higher-risk jurisdictions, those with opaque ownership structures, or those offering higher-risk products require EDD treatment rather than standard due diligence.
Monitor the relationship on an ongoing basis. Correspondent relationships require periodic review. FATF doesn't specify a fixed cycle, but high-risk relationships should be reviewed at least annually and more frequently when adverse information emerges.
Maintain records for a minimum of 5 years. All correspondent banking due diligence files must be retained for at least 5 years, in line with FATF Rec 11 (Record Keeping).
What evidence do regulators expect?
Examiners arrive at an audit with a single question: can you show how you assessed this relationship, who approved it, and how you're watching it now?
The audit-day checklist:
- Due diligence files for every active correspondent: covering the respondent's regulatory license, full ownership chain including Ultimate Beneficial Owner (UBO) identification, financial statements, and the respondent's own AML policy documentation
- Senior management approval records: board minutes, credit committee approvals, or documented sign-off from a named executive with demonstrable authority; an email from a relationship manager doesn't satisfy this
- A written correspondent banking policy: covering risk acceptance criteria, the shell bank prohibition, escalation procedures, and controls specific to payable-through accounts
- Risk-tiering documentation: a written framework showing how each correspondent is classified as low, medium, or high risk, and how that classification drives review frequency and due diligence depth
- Periodic review records: dated evidence of annual or more frequent reviews for high-risk relationships, with a named reviewer and a documented conclusion
- Transaction monitoring logs: evidence that activity on correspondent accounts is monitored and that alerts are resolved with documented analyst reasoning, not just a disposition code
- Role-specific training records: proof that staff managing correspondent banking relationships have received AML training covering correspondent-specific risks, dated within the review period
- Payable-through account agreements: signed documentation confirming CDD responsibility allocation, where PTAs are offered
The OCC Comptroller's Handbook on Bank Secrecy Act/AML lists these categories in detail, and examiners at U.S.-supervised institutions work through each one systematically.
Common failure modes
Enforcement actions over the past decade show the same failures repeating. Most aren't exotic. They're operational.
"Set-and-forget" due diligence: collecting documents at onboarding and never revisiting them. Westpac's AUSTRAC case (2020) cited 23 million transactions totaling A$11 billion that passed through correspondent channels without proper monitoring. The A$1.3 billion civil penalty remains the largest in Australian corporate history.
Taking the respondent's word for its compliance program: relying on what the respondent says rather than independently verifying it. FinCEN's 2005 guidance on obtaining and retaining beneficial ownership information explicitly warned against self-certification. It's still common.
Shell bank blind spots: failing to determine whether a respondent's underlying customers include shell entities. In the HSBC case (2012), the bank maintained correspondent relationships where the beneficial ownership of accounts flowing through them was never investigated.
Weak PTA controls: treating the customers behind payable-through accounts as invisible. USA PATRIOT Act Section 312 requires enhanced due diligence for PTAs, but compliance quality varies widely across institutions.
Missing senior management approval trails: relationship managers opening accounts with informal email approvals, or sign-off documented only after the account was already active.
Inconsistent risk ratings: applying different standards to structurally similar respondents based on business relationship value rather than actual risk indicators. Examiners treat this as a governance failure, not just a documentation gap.
Penalties for non-compliance
U.S. enforcement generates the largest numbers, but the penalty regime is global.
Named enforcement actions:
HSBC (2012): $1.92 billion deferred prosecution agreement with the U.S. Department of Justice and FinCEN, covering AML failures in correspondent banking alongside sanctions violations. HSBC was also required to install an independent compliance monitor for five years. (Source: DOJ press release, December 2012.)
Commerzbank (2015): $1.45 billion settlement with the DOJ, FinCEN, and the New York Department of Financial Services for sanctions violations and failure to maintain adequate controls over correspondent banking activity routed through Iranian entities.
Westpac (2020): A$1.3 billion civil penalty from AUSTRAC, with 23 million contraventions of Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 cited. Correspondent monitoring failures were at the center of the case.
Beyond monetary penalties, regulators can impose:
- Deferred prosecution agreements with mandatory external compliance monitors, typically lasting 3 to 5 years
- Cease and desist orders restricting a bank from opening new correspondent relationships
- License revocation in extreme cases
- Personal liability for senior compliance officers in jurisdictions with senior manager accountability regimes, including the UK's Senior Managers and Certification Regime (SM&CR) and Australia's Banking Executive Accountability Regime (BEAR)
The FCA's enforcement powers under the Money Laundering Regulations 2017 allow unlimited fines and criminal prosecution of senior managers in cases of gross negligence.
Related regulations and frameworks
FATF Rec 13 doesn't operate in isolation. It connects to a network of related standards.
Within the FATF 40 Recommendations:
- FATF Rec 10 (Customer Due Diligence): the foundational CDD standard. Rec 13 is essentially Rec 10 applied specifically to a bank-as-customer. What CDD requires for any customer, correspondent due diligence requires for a respondent institution.
- FATF Rec 12 (PEPs): if a respondent bank's beneficial owner is a politically exposed person, Rec 12's enhanced obligations layer on top of Rec 13's requirements.
- FATF Rec 16 (Travel Rule): correspondent payment chains are the primary vehicle for Travel Rule compliance. Originator and beneficiary information must travel with wire transfers flowing through correspondent accounts.
- FATF Rec 11 (Record Keeping): sets the minimum 5-year retention period for all due diligence files generated under Rec 13.
National implementations:
- United States: 31 CFR 1010.610 (minimum due diligence for correspondent accounts) and 31 CFR 1010.620 (enhanced due diligence and PTA rules) under the Bank Secrecy Act, as amended by USA PATRIOT Act Section 312
- European Union: Articles 19 to 24 of the Fifth Anti-Money Laundering Directive (5AMLD) implement the correspondent banking standard across EU member states
- United Kingdom: Regulation 34 of the Money Laundering Regulations 2017 implements FATF Rec 13 directly, with the FCA as the primary supervisory body for banks
The Basel Committee on Banking Supervision's 2016 paper on correspondent banking addresses risk management in correspondent relationships and is widely cited in national supervisory frameworks. It's a useful reference when drafting internal policy.
How FluxForce supports FATF Rec 13 compliance
FluxForce AI agents automate correspondent bank due diligence by continuously monitoring respondent risk profiles, flagging ownership changes, and surfacing transaction pattern anomalies in real time. Aiden Flux runs Enhanced Due Diligence workflows that pull sanctions lists, adverse media, and regulatory status updates in minutes rather than days. Nova Sentinel handles ongoing transaction surveillance on correspondent accounts. Every decision produces a full audit trail that examiners can inspect. To see how this maps to your institution's correspondent banking program, book a demo with FluxForce.
FluxForce AI agents automate evidence capture, monitor transactions against FATF Rec 13 obligations in real time, and generate audit-ready reports with full decision trails.