Sanctions Investigations in Correspondent Banking


You must be a member of ACAMS to read this article. Please login or join today for full access to and other exclusive member-only content.

Investigations in correspondent banking are challenging enough without involving sanctions risk. Correspondent banking inserts a financial institution (FI) and its regulatory regime in between another bank and its customer; thus, sanctions risk is obfuscated by layers of FIs. The reality of hidden sanctions risk requires an investigator to look beyond a bank’s sanctions screening tool and government watchlist data. Being cognizant of sanctions’ dynamic nature, broad applicability and regional influence is critical to identify what may be missing. As sanctions continue to gain global influence on international business, FIs that offer correspondent banking services must consider integrating sanctions-specific best practices to ensure staff are prepared to detect and prevent sanctions violations.

Sanctions risks in correspondent banking1

Correspondent banking is the provision of banking services by one bank—the correspondent—to another bank—the respondent—without having a physical presence in a location. A correspondent agreement will detail the banking services that are provided (i.e., wire transfers, foreign exchange, check clearing, cash management and payable-through-accounts). The access to strong financial systems and reserve currencies through cash management and foreign exchange is what makes these services arguably more attractive to potential respondent banks. However, they can also present a higher sanctions risk.

To combat this risk, the Financial Action Task Force recommends that in addition to standard customer due diligence (CDD), correspondent banks should conduct a full review of the respondent’s compliance program evaluating their reputation, quality of supervision and any previous regulatory actions. In addition, the respondent’s anti-money laundering/counter-terrorist financing (AML/CTF) controls should be evaluated before requesting senior management approval to establish a relationship as “the ultimate responsibility for CDD measures remains with the financial institution [that is] relying on the third party.”2 Being aware and understanding how compliance is prioritized and executed informs the correspondent on the susceptibility of this relationship as a conduit for financial crime and facilitates assigning a risk rating.

The respondent’s risk rating is important because it helps determine how frequently a customer review is performed. However, sanctions investigations are often the result of an event-driven review triggered by a fundamental change in the correspondent relationship—meaning a change in ownership or services offered—and/ or unusual trends in transaction activity. The indirect nature of correspondent relationships creates vulnerability for abuse that is attributable to limitations in due diligence conducted on transaction originators and beneficiaries as well as the large volume of transactions processed. Due to this indirect nature, sanctions risk is more concentrated and violations are identified more often in transaction activity because sanctions evaders hope to be overlooked.

Identifying sanctions risks in transaction activity

Identifying sanctions risk in transaction activity can be challenging because of sanctions’ dynamic nature, broad applicability and regional influence as well as the many institutional layers in correspondent banking. Awareness of the external factors influencing these characteristics of sanctions risk may escalate an otherwise benign observation to a suspicious inconsistency—thus triggering sanctions investigations in correspondent banking.

How do you spot risk?

Sanctions policies are always changing. In the U.S., the Office of Foreign Assets Control (OFAC) issues a “recent action” update at least weekly if not multiple times per week.3 These recent actions highlight new designations and removals to the Specially Designated Nationals (SDN) list, issuances and changes to general licenses, announcements of new programs or executive orders, etc. Since 2014, OFAC has issued over 700 recent action announcements of which more than 400 were featured changes to the SDN list. As a result of this frequency, maintaining a current sanctions policy is a near full-time responsibility for all FIs subject to OFAC’s regulation.

Since an attractive quality of correspondent banking is access to foreign financial systems and currencies, it is likely that a correspondent relationship is subject to more than one sanctions regime. In addition to the U.S., the European Union (EU) also governs correspondent relationships. However, EU updates are not as frequent as the U.S. and these tend to correspond with changes made by the United Nations (U.N.). With the United Kingdom’s (U.K.) pending exit from the EU, FIs would be wise to prepare for the integration of an additional sanctions regime. In anticipation, Her Majesty’s Treasury (HM Treasury) issued guidance stating the U.K. would—by Parliamentary design—maintain all EU sanctions from the time of exit, ensuring no gaps in implementation and enforcement of existing programs. HM Treasury does stipulate the U.K. would adopt powers allowing the issuance of new sanctions when necessary.4 Since “Brexit” is still pending, the frequency and manner of sanctions issued by the U.K. remains a wild card—thus reinforcing the burden of staying current on sanctions designations.

Juggling updates issued by multiple sanctions regimes takes a wicked twist when an FI must consider the applicability of each regime. Fortunately, the applicability of the three main (non-U.N.) sanctions regimes are consistent, covering their citizens and businesses operating on their soil. However, language applicability for each regime does highlight slight distinctions. The EU points out its measures also apply to “its airspace … branches of EU incorporated businesses, whether or not they are in the EU…and on-board aircraft or vessels under [the flag] of a member state.”5 Despite still being a member of the EU, the U.K. includes language that restates the same applicability but specific to the U.K., which may facilitate a smooth transition of applicability post-Brexit.6

In the U.S., compliance with OFAC regulations extends beyond a primary designation including under certain programs, “foreign subsidiaries owned or controlled by U.S. companies [and] foreign persons in possession of U.S.-origin goods.”7 In addition, the U.S. extends the applicability of its sanctions through the legal mechanism of extraterritorial reach, which allows a government to exercise its authority beyond its borders (i.e., secondary sanctions). Secondary sanctions are measures designed to put pressure on third persons— foreign persons—by threatening to cut them off from the U.S. financial system, even if the activity in question does not affect the U.S. directly.

Secondary sanctions are powerful because they expand the boundaries of sanctions compliance by extending the scope of applicability. As one of Europe’s largest trade and financial partners, the U.S. enforcement of secondary sanctions—particularly against Iran—has dealt a crippling blow to the EU’s economy and business relationships. In response, the EU has worked to develop countermeasures to protect its economic interests in Iran and potentially Russia. However, the need to retain access to the U.S. dollar, financial markets and clients, as well as the obscurity of the secondary measures resulted in a “high degree of overcompliance by European companies and banks.”8 For now, this complex web of applicability creates a significant challenge to correspondent banking relationships because the sanctions risk is uncertain and buried under layers of FIs.

Secondary sanctions were developed to strangle illicit actors from every angle. As relentless or excessive as secondary sanctions may seem, sanctioned entities and individuals are just as persistent at evading these measures. Due to the many layers of correspondent relationships, an investigator should consider the risks associated with the shared borders and economic relationships of neighboring nations. Neighboring nations like China to North Korea as well as Turkey and the United Arab Emirates (UAE) to Iran have been the setting for criminal parties to evade sanctions.

The shared border between China and North Korea has facilitated significant sanctions evading activity. In November 2017, the Financial Crimes Enforcement Network issued an advisory on North Korea’s use of the international financial system that stated the following,

“The proximity of the Chinese province of Liaoning to the North Korean border makes it an attractive location for North Korean illicit actors to access the international financial system. North Koreanrelated financing has been observed involving correspondent account transactions conducted by, or on behalf of, Liaoning-based banks.”9

As a significant world economy, China’s vulnerability to abuse by North Korea increases the risk level of correspondent relationships in and around China, requiring enhanced due diligence of customer relationships and transactional activity.

In the Middle East, the elaborate gold buying scheme between parties in Iran, Turkey and the UAE reinforced the advantages of regional trade relationships for avoiding sanctions. In 2012, Turkish individuals were discovered to have intentionally assisted Iranian businesses in evading U.S. sanctions by importing Turkish gold to pay for billions of dollars’ worth of oil. Since gold was not originally sanctioned, but a commonly traded item in the region, the activity was not considered unusual. Eventually, the U.S. government discovered this loophole and expanded the Iran sanctions program to include all precious metals, including gold. Instead of shutting down the operation, the parties pivoted the scheme to a new jurisdiction leveraging another common trade relationship—the gold trade in UAE. According to the indictment of United States of America v. Reza Zarrab et al,10 Iranian oil proceeds at a Turkish bank were transferred to exchange houses and front companies to buy gold for export from Turkey. After export, the gold was converted to cash or currency and remitted to Iran or it was used to conduct international transfers on behalf of Iranian nationals. The Iranian ties were hidden with false documentation showing the gold exports to Dubai, where conversion activities were executed. The perseverance of these parties and reliance on trade and location emphasizes the duty of care needed in evaluating correspondent relationships and transaction activity between neighbors.

Pinpointing the risk level of sanctions exposure is harder in correspondent banking because the banking relationship is multi-layered. Directly, a correspondent bank’s risk lies with its client, the respondent bank. However, the regulation(s) under which the correspondent is obligated may extend due diligence expectations to the clients of the respondent bank and even its associated parties (branches, subsidiaries, supply chain, etc.). In addition, if the correspondent relationship includes an allowance for downstream banking (i.e., nesting) the correspondent bank must consider the risk presented by not only the respondent bank, but the nested bank and potentially the clients and relationships of that relationship. Unfortunately, the layers of FIs in correspondent banking—occasionally expanded by nesting—create a barrier for information that challenges the effectiveness of CDD measures and the identification of sanctions risk in transaction activity.

Best practices for sanctions investigation

Understanding where sanctions risk can arise in correspondent banking and how to identify it is central for an investigation. Once an investigation is initiated, sanctions risk must be verified and the impact on the confirmed risk must be qualified and quantified for reporting to senior leadership and relevant authorities. The following are tools and strategies an investigator should consider using:

  • Identifying and verifying the sanctions risk
    • Perform an internal database search on the parties to the transactions’ activity. This may highlight relevant historical data on the party or parties, and/or the activity such as suspicious activity reports, requests for information (RFIs) and/or investigations.
    • Conduct a public domain search for any supplemental identifying information on the parties, known details on the purpose of their relationship and/or transaction activity, and negative media (including sanctions lists).
    • Submit an RFI to the respondent bank carefully inquiring about any additional information needed to construct a complete picture of the transaction and possible sanctions violation. Alternatively, submitting a 314(b) request under the USA PATRIOT Act affords FIs with the ability to share information under a safe harbor that offers protections from liability.
    • Understand the transaction flows into, out of and within the institution. This includes being able to identify sanctions avoidance red flags via unusual transaction patterns or through high-risk entities or regions.
    • If it appears the sanctions risk may stem from a systemic deficiency in sanctions controls, request to review the customer file on the respondent bank.
    • Once all information is gathered to establish a complete picture of the transaction, the identities of the parties and business relationship, revisit the sanctions risk factor and compare the details of the activity to the relevant sanctions regulation under bank policy and all applicable authorities
    • If confirmed, the investigator should begin drafting the report for management, including an evaluation of the potential impact of the confirmed risk.
  • Gauging the weight of identified sanctions risk
    • Identify whether the sanctions risk was present in direct relationship to the correspondent bank (i.e., respondent bank, their clients and/or associated parties) or indirectly (i.e., counterparties to the respondent) and if any downstream relationship was present. Where necessary, refer to the correspondent agreement and respondent bank’s customer records.
    • Review the tenets of the sanctions program in question in detail, including the details of internal filters and watchlist(s).
    • If the confirmed risk relates to beneficial ownership, compare the aggregate—direct and indirect—ownership values to internal policies on reporting thresholds for a controlling party. If the ownership percentage is greater than or equal to the number designated by the relevant sanctions regime, this finding must be reported. If the ownership amount is less than what is designated, the determination should be made based on company policy and with the knowledge and approval of relevant senior leadership.
    • Final determinations on the severity of exposure should be included in the report to relevant management and senior leadership. Note that all investigative reports should be accompanied by relevant documentation.
  1. “United States Files Complaint to Forfeit More Than $1.9 Million From China-Based Company Accused of Acting as a Front for Sanctioned North Korean Bank,” United States Department of Justice, June 15, 2017,
  2. “U.S. v. Funds Associated with Mingzheng International Trading Limited et al.,” United States District Court for the District of Columbia, June 14, 2017,
  3. Alex Wellerstein, “Nukemap,” Missilemap, nukemap/?&kt=10&lat=38.89511&lng=-77.03637&hob_psi=5&hob_ ft=2207&psi=20,5,1&zm=13
  4. 4 The gist of the bargain the countries reached under the NPT was that countries with nuclear weapons would eventually disarm while countries without nuclear weapons would get access to peaceful nuclear technology in exchange for their promise not to develop nuclear weapons.
  5. 5 Daniel Salisbury, “Why Do Entities Get Involved in Proliferation? Exploring the Criminology of Illicit WMD-Related Trade,” The Nonproliferation Review, 24:3, 2017, 297-314; Daniel Salisbury, “An Evolving State of Play? Exploring Competitive Advantages of State Assets in Proliferation Networks,” Defense & Security Analysis, January 17, 2019; Daniel Salisbury, “Exploring the Use of ‘Third Countries’ in Proliferation Networks: The Case of Malaysia,” European Journal of International Security, 4:1, 2019,101-122; Glenn Anderson, “Points of Deception: Exploring How Proliferators Evade Controls to Obtain DualUse Goods,” Strategic Trade Review, Volume 2, Issue 2, 2011, 4-24.
  6. Under “catch-all” provisions of export control systems, companies must apply for a license even for a non-listed item, if there is belief, knowledge or suspicion that a good in question may be used in a WMD program.
  7. For this case and other known cases of proliferation financing, see Jonathan Brewer, “Study of Typologies of Financing of WMD Proliferation,” Project Alpha, King’s College London, October 13, 2017, 85.
  8. “S/2019/171,” United Nations Security Council, March 5, 2019, https://, 52-53.< .a>
  9. “FinCEN Issues Advisory on the Iranian Regime’s Illicit and Malign Activities and Attempts to Exploit the Financial System,” Financial Crimes Enforcement Network, October 11, 2018, news/news-releases fincen-issues-advisory-iranian-regimes-illicitand-malign-activities-and
  10. Ibid; UN North Korea Panel of Experts report, 5. For a summary of the report’s findings relevant to the financial sector, see Togzhan Kassenova, “2019 U.N. North Korea Panel of Experts Report: Takeaways for Financial Institutions,” ACAMS Today, March 27, 2019,
  11. “Chinese Man Convicted on Charges of Exporting U.S.-origin Pressure Transducers to Iran,” Iran Watch, Wisconsin Project, February 9, 2016,
  12. 2 For discussion on how export controls and proliferation financing controls relate to each other, see Togzhan Kassenova, “Challenges With Implementing Proliferation Financing Controls: How Export Controls Can Help,” WorldECR: the Journal of Export Control and Sanctions, May 2018, challenges-with-implementing-proliferation-financing-controls-how-export-controls-can-help-pub-76476; Rachel A. Weise, Gretchen Hund, Geoffrey Carr, “Export Controls and Counterproliferation Finance: Two Sides of the Same Underlying Illegal WMD Activity,” The Nonproliferation Review, Volume 25, Issue 1-2, 2018, 129-145.
  13. For a range of helpful resources, see the Royal United Services Institute’s Counter-Proliferation Finance collection: projects/counter-proliferation-finance
  14. “Review of the End User List,” Ministry of Economy, Trade, and Industry,
  15. See recommendations from the UN North Korean Panel of Experts, “S/2019/171*,” United Nations Security Council, 64-65,
  16. Ana Alexandre, “HSBC Blockchain Connection Reduces Transaction Time by 40%,” Cointelegraph, July 10, 2019, news/hsbc-blockchain-connection-reduces-transaction-time-by-40
  17. Austin Cook and Beth Herron, “Harvesting Unstructured Data to Reduce Anti-Money Laundering (AML) Compliance Risk,” SAS Institute,
  18. “National Proliferation Financing Risk Assessment 2018,” U.S. Department of the Treasury, 18,