GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

SWIFT / Learning brief

Correspondent onboarding and de-risking

Your notes

What this means in plain language

Correspondent banking lets one bank access another's market by holding an account with it. Establishing a relationship means exchanging authorisations, performing due diligence, and opening accounts; withdrawing from relationships, known as de-risking, can cut off access to payments.

Correspondent banking is how a bank operates in a currency or country where it has no branch of its own. It opens an account with a local bank, the correspondent, and uses that account to make and receive payments. From the account holder's side this is a nostro account (from the Italian for ours); from the correspondent's side the same account is a vostro (Italian for yours). Setting up such a relationship takes three main steps. The banks exchange an RMA (Relationship Management Application) authorisation, the SWIFT permission that lets two institutions send each other messages. The correspondent then performs due diligence, checking the other bank's ownership, licence, and controls against money laundering and sanctions. Finally the accounts are opened and operating terms agreed. Sometimes a bank decides a relationship or a whole market is not worth the risk and cost, and withdraws. This withdrawal, called de-risking, can leave banks and their customers cut off from cross-border payments.

Understand the full idea, step by step

Before a single cross-border payment can flow between two banks, someone has to open a door — and keep deciding, year after year, that the door should stay open. This lesson is about both decisions: how a correspondent relationship is established, and why a bank sometimes closes one, a withdrawal the industry calls de-risking.

What is actually being opened

The account Meridian opens sits on Meridian's books, and the same account carries two names depending on who is speaking. To Cassia Bank it is a nostro — "ours", the money we hold with you. To Meridian it is a vostro — "yours", the account we keep on your behalf. When a Cassia customer needs to pay someone in that currency, Cassia instructs Meridian, and Meridian uses its own clearing access to complete the payment from the account's balance. Meridian is the correspondent; Cassia, the bank that needed the access, is the respondent. The relationship is a standing arrangement of account-keeping and trust that connects banking systems which would otherwise not touch.

How the relationship is opened

  1. Business case and risk appetite. Meridian first decides whether it wants relationships of this kind at all: which markets, which respondent profiles, what expected revenue against what due-diligence and monitoring cost.

  2. Due diligence. Meridian performs customer due diligence (CDD) on Cassia — and enhanced due diligence (EDD) where risk is higher — examining ownership and beneficial owners, banking licence and primary regulator, countries served, products offered, and the strength of Cassia's own controls against money laundering (AML) and the financing of terrorism.

  3. The questionnaire. Much of that evidence arrives as a standard industry questionnaire that Cassia completes and attests to — the Wolfsberg CBDDQ — so Meridian can compare respondents on the same basis and spot missing answers.

  4. Messaging authorisation. The banks exchange RMA (Relationship Management Application) permissions over SWIFT, controlling whether they can send each other messages and, in granular form, which message types. Without RMA, instructions between them are not accepted.

  5. Account opening and terms. Operating terms, pricing, cut-offs, and — critically — an expected activity profile are agreed: what volumes, corridors, and counterparties normal business should produce. That profile is what later monitoring will test reality against.

CBDDQCorrespondent Banking Due Diligence Questionnaire

An industry-standard questionnaire published by the Wolfsberg Group, an association of international banks that develops financial-crime frameworks. The respondent answers set questions about its ownership, licensing, markets, products, and financial-crime programme, and attests to the answers. Two answers carry particular weight: whether the respondent lets other banks route payments through its account, and whether its own customers can use the account directly — both add parties the correspondent cannot see by default.

COMMON CONFUSION

Once two banks have exchanged RMA over SWIFT, they hold accounts with each other and can settle payments.

RMA is a messaging authorisation — permission to send one another certain message types — and nothing more. It is not proof of an account relationship, and it settles nothing. A bank can hold RMA with thousands of counterparties while holding accounts with only a fraction of them. The account, the due diligence, and the messaging permission are three separate strands of onboarding.

De-risking: managing by leaving

Sometimes a bank concludes that a relationship, a customer type, or an entire market carries more risk or cost than it is willing to bear — and rather than manage that risk, it exits. This is de-risking. At the level of one bank the drivers are understandable: due diligence and monitoring are expensive, penalties for control failures can be severe, margins on some corridors are thin, and sanctions exposure is real. The decision is defensive, and often rational. The trouble appears in aggregate.

WHAT IF — Meridian's annual review concludes that a corridor's revenue no longer justifies its risk and monitoring cost, and it decides to exit

What happens: Cassia receives notice; the vostro is wound down in an orderly way and closed. Cassia must find another correspondent — or reach the currency through a longer chain, adding cost and time to every customer payment.

How it is handled: For Cassia this is a treasury and relationship problem, not a disgrace: exits happen to well-run banks in higher-risk regions too. For the wider system it is what supervisors watch — when many correspondents exit the same region, banks there can lose access to major currencies and remittance corridors that families depend on become costlier, or push flows toward channels that are harder to supervise.

If every individual exit is rational, what exactly is the problem?

The sum. International bodies including the Financial Stability Board (FSB) and the Financial Action Task Force (FATF) have tracked a sustained decline in active correspondent relationships and warned that blanket de-risking — dropping whole categories or countries without assessment — runs against the risk-based approach, which expects risk to be judged case by case. A bank that exits everything difficult also exits its ability to see and report what flows through difficult corridors. The supervisory expectation is manage where you can, exit where you must — not the reverse.

STRICTLY SPEAKING

Strictly speaking, correspondent due-diligence expectations differ by jurisdiction: FATF's recommendations set the international baseline for cross-border correspondent relationships, but each country's regulator implements and sharpens them differently, and the balance between managing and exiting a relationship remains a live supervisory question rather than a settled rule. The CBDDQ is an industry standard, not a legal requirement — a bank may ask more.

FOR NOW, REMEMBER

  • A correspondent relationship means one bank (the respondent) holds an account with another (the correspondent) to reach a market it cannot serve directly — nostro from the holder's side, vostro on the correspondent's books.
  • Onboarding has distinct strands: business case, due diligence (CDD/EDD, commonly via the Wolfsberg CBDDQ), RMA messaging authorisation, and account terms including an expected activity profile.
  • RMA authorises messages only — it is not an account and proves no account relationship.
  • De-risking is exiting a relationship, customer type, or market rather than managing its risk; individually rational, collectively capable of cutting regions off from payments.
  • Supervisory bodies expect a risk-based, case-by-case approach — not blanket withdrawal.

TRY IT YOURSELF

Cassia Bank's completed CBDDQ arrives at Meridian. Most answers are solid, but the question on whether other banks route payments through Cassia's accounts is left blank, and Cassia serves several money remitters in higher-risk markets. What should Meridian's onboarding team do?

Decline the relationship — a blank answer plus higher-risk customers means the risk cannot be managed.

Not this one — That is blanket de-risking in miniature: exiting instead of assessing. A gap in the questionnaire is a reason to ask, and higher-risk customer types are a reason for enhanced diligence — neither is automatically a reason to refuse.

Require the blank answer to be completed, apply enhanced due diligence to the remitter exposure, and set the expected activity profile and senior sign-off accordingly before any account opens.

Correct — Exactly the risk-based approach. The nesting question is one of the two answers that matter most, so it cannot stay blank; the higher-risk elements call for more evidence, tighter monitoring, and senior approval — managed risk, not avoided risk.

Open the account now and chase the missing answer afterwards, since the RMA exchange already authorises messaging between the banks.

Not this one — RMA authorises messages, nothing more — and due diligence exists to be completed before the correspondent starts moving money for customers it cannot see. Opening first and asking later defeats the control.

The door is open. The next lesson takes the risk view of what flows through it: credit and liquidity exposure on nostro balances, and the structures — nesting, stripped payment details — that monitoring is built to surface.

KEEP GOING

Three things to remember

  1. 01

    Correspondent banking lets a bank reach a currency or country through an account, a nostro, held with a local correspondent bank.

  2. 02

    Onboarding combines an RMA (Relationship Management Application) authorisation, due diligence on the counterparty, and opening the account.

  3. 03

    De-risking is the wholesale withdrawal from relationships or markets, which can cut affected banks off from the payment system.

Where you would use this

USE CASE 01

A correspondent bank's onboarding team runs due diligence on a prospective respondent, reviewing licence, ownership, and financial-crime controls before opening an account.

USE CASE 02

A financial-crime team reviews a due-diligence questionnaire and decides whether a relationship needs enhanced due diligence (EDD) or should be declined.

USE CASE 03

A network manager exchanges RMA authorisations so two banks can begin sending each other payment messages.

Put the idea into a real situation

Illustrative example: a fictional bank, Solenne Bank, based in a fictional country, wants to make US dollar payments, so it applies to open a correspondent relationship with a larger fictional institution, Meridian Trust. Meridian Trust runs customer due diligence (CDD): it collects Solenne Bank's licence, ownership, and a completed due-diligence questionnaire, and because the home country is rated higher risk it applies enhanced due diligence (EDD), a review that takes 9 weeks. The banks exchange an RMA (Relationship Management Application) authorisation and open a nostro account with an agreed minimum balance of USD 250,000.00. Two years later, after reviewing thin margins and rising compliance cost, Meridian Trust exits the market and closes the account with 60 days notice, and Solenne Bank must find a new route for its dollar payments.

Evidence & review

REVIEWED 2026-07-13

Cross-border correspondent banking generally; FATF baseline with jurisdiction-specific implementation. CBDDQ described as industry practice, not law.

What this brief simplifies: Onboarding is presented as five clean strands — real programmes interleave them and add legal, tax, and operational workstreams. No decline statistics are quoted; the FSB/FATF trend is described qualitatively.

Sources for this brief3
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Recommendation 13 — correspondent banking due diligence

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Market practice

    Correspondent banking (final report)CPMI, Bank for International Settlements · CPMI report on correspondent banking — relationship structure and withdrawal drivers

    Defines correspondent banking arrangements, including nostro/vostro account relationships, and analyses the decline in correspondent relationships and its drivers. · Checked 2026-07-12

    Published in July 2016; its statistics cover 2011-2015 and are dated, but the definitions and arrangement types remain widely used.

  3. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View SWIFT archive

What a payment declares about itself — and who carries it

Every ISO 20022 payment carries two kinds of metadata: coded fields that declare what the payment is — service level, local instrument, category purpose, purpose — and an agent chain that names who moves it, bank by bank. This article reads a fictional pacs.008 field by field: what each code means, why there are four purpose-ish fields and not one, and how the instructing, previous-instructing, intermediary and reimbursement agents thread a payment across borders.

READ BRIEF

The ISO 20022 migration timeline

The move from MT to ISO 20022 is a dated schedule, not a single switch: CBPR+ coexistence from March 2023, CHIPS in 2024, Fedwire's cut-over on 14 July 2025, the end of cross-border MT coexistence in November 2025, mandatory structured or hybrid addresses from 15 November 2026, and later statement-message retirements through 2027-2028.

READ BRIEF