Updated Wolfsberg Guidance on Correspondent Banking: How do your financial crime controls measure against it?
Last week the Wolfsberg Group published an updated guidance on Correspondent Banking (CB) related principles which replaces guidance published in 2014. The new guidance expands its scope to include non-banking financial institutions (NBFIs) and payment services providers (PSPs) including money service businesses (MSBs) / money or value transfer services (MVTs), FinTechs, virtual asset service providers (VASPs) and new payment method companies (NPMs).
Essentially the new guidance further promotes effective risk management of financial crime risks relating to correspondent banking and calls for financial institutions (FIs) to have a clear understanding of their relationship and risks associated with their Respondent. With that in mind, the guidance encourages FIs to apply a risk-based approach when dealing with their Respondent and ensure the following principles are adhered to:
Responsibility and oversight: FIs’ policies and procedures must clearly allocate responsibility to specific personnel to manage financial crime risks associated with correspondent banking activity. The personnel must have relevant knowledge and experience to carry out their role. Furthermore, a formal governance framework should be in place with representation from all three lines of defence. A clearly defined risk appetite subject to Board approval (or equivalent) which sets out what activity is appropriate and what is not should be clearly communicated and monitored against.
Due diligence: Carry out appropriate due diligence in line with risks faced. Consideration should be given to the Respondent’s products and service offering, client base, jurisdictional exposure, regulatory status, and their ownership and control structure. Further, a critical assessment of their financial crime compliance programme should be undertaken on a risk-based approach.
Enhanced due diligence (EDD): FIs should apply EDD measures to Respondents that present higher risk. This may include politically exposed person (PEP) exposure and / or presence of downstream services offered by the Respondent. Where downstream services are offered by the Respondent, reasonable steps should be taken to understand the types of the downstream FIs to whom the Respondent offers services. Higher level of first line of defence approval is required for higher risk CB relationships both at onboarding and at periodic/trigger event reviews.
Ongoing review: Correspondent banking relationships must be subject to reviews on an ongoing basis to ensure they remain within risk appetite. The effectiveness of the Respondent’s FCC programme should also be revisited as part of the review to determine whether it is commensurate to the size, nature, complexity, and scale of its business.
Monitoring and reporting: FIs must have appropriate policies and procedures to detect and investigate suspicious activity and report to the local FIU as required.
Practical takeaways:
The updated guidance highlights the requirement for institutions to have a good understanding of their respective downstream relationships and ensure their assessment is commensurate to the risks posed, not only at onboarding but throughout the client relationship.
Institutions should revisit their existing controls relating to CB (including policies and procedures, dedicated risk assessments, etc) considering the revised version of the CBDDQ in April 2020 and RFI updates in August 2022, to ensure compliance with best practice. Specifically, ask yourself:
Do you have a defined risk appetite for CB activity?
Are your policies and procedures clear about when CB principles apply (e.g. to what relationships and activities)?
Are due diligence requirements set out on a risk-based approach and where activities are identified as higher risk are these adequately detailed alongside the EDD requirements?
Is adequate consideration and assessment of the respondent’s FC programme undertaken at onboarding and as part of periodic / trigger event reviews?
Is the continuous relationship between transaction monitoring and due diligence adequately detailed and feed into suspicious activity reporting procedures?