Lesson 15 of 25
Third Parties, Correspondent Banking, and Nested Relationships
Manage the relationships that multiply your exposure. Run correspondent-banking due diligence, detect the hidden danger of nested accounts, and apply the rule that you can never outsource away your sanctions obligations.
Some relationships multiply your risk
- Correspondent banking = you serve another bank's customers
- You inherit risk you can't see directly
- Third parties and agents act in your name
- Diligence must reach through the relationship
Some relationships don't just add risk, they multiply it, because they give you exposure to customers you never onboarded and can't see directly. Correspondent banking is the clearest example: when you provide accounts and payment services to another bank, you're effectively serving that bank's customers, inheriting their sanctions risk through a relationship one step removed. Third parties, agents, distributors, and intermediaries raise the same problem, acting in your name with parties you don't control.
This final diligence lecture is about reaching through those relationships, because the facilitation rules and the sanctions still apply even when the risky party isn't your direct customer.
Correspondent banking due diligence
- Know your respondent's AML/sanctions program
- Use the Wolfsberg questionnaire and KYCC concepts
- Assess the respondent's customer base and geography
- Higher risk → enhanced diligence and monitoring
In correspondent banking, the bank providing the account is the correspondent, and the bank using it is the respondent. Your diligence focuses on understanding the respondent's own sanctions and anti-money-laundering program: do they screen effectively, what customer base and geographies do they serve, and can you rely on their controls? Tools like the Wolfsberg Group's Correspondent Banking Principles and its standardized questionnaire exist precisely for this, and the concept of know-your-customer's-customer (KYCC) captures the idea that you need a view through the respondent to the risk behind it.
A respondent serving high-risk jurisdictions or opaque customers warrants enhanced diligence and closer transaction monitoring, and a respondent you can't get comfortable with is one you may need to decline.
Nested accounts: the hidden danger
- Nesting — a respondent lets its own respondents use the account
- Downstream banks you never assessed get access
- Sanctioned parties can ride in undetected
- Watch unexpected jurisdictions in the flow
The most dangerous correspondent-banking trap is nesting. Nesting happens when your respondent quietly allows its own respondent banks, downstream institutions you never assessed, to access the account you provided. Suddenly your correspondent account is being used by banks and customers several layers removed from anything you reviewed, and a sanctioned party can ride in undetected.
The red flag is activity that doesn't fit the respondent you actually onboarded: payments to or from jurisdictions and parties that have no business in their profile. The control is to set clear expectations about who may use the account, monitor for nested activity, and investigate flows that don't match the relationship you signed up for. On the exam, unexpected jurisdictions appearing through a correspondent account often signal nesting.
Third parties, agents, and facilitation
- Agents/distributors act in your name — diligence them
- You can't outsource away your obligations
- Beware facilitation through a third party
- Contractual controls + ongoing monitoring
Third parties raise a parallel issue. Agents, distributors, introducers, and intermediaries act in your name or channel business to you, so their sanctions failures become your problem. Two principles govern here.
First, you can't outsource away your obligations: relying on a third party doesn't transfer your accountability, so you must perform diligence on the third party and gain assurance over how they manage sanctions risk. Second, beware facilitation: using a third party to accomplish indirectly what you're prohibited from doing directly is itself a violation, as we saw earlier. The defenses are contractual controls (sanctions clauses, audit and information rights) plus ongoing monitoring of what the third party actually does, not a one-time check at onboarding.
Reaching through the relationship
- Look through to the ultimate parties and flows
- Match activity to the expected profile
- Escalate and exit when you lose visibility
- This closes the diligence domain
The unifying skill across correspondent banking and third parties is reaching through the relationship to the ultimate parties and flows, rather than stopping at your direct counterparty. You build an expected profile for the relationship, then monitor for activity that breaks it: the nested bank, the unexpected jurisdiction, the third party transacting outside its mandate. When you lose visibility into who's really behind the activity, that loss of visibility is itself the risk, and the disciplined response is to escalate, restrict, and, if necessary, exit, not to keep processing in the dark.
Payable-through accounts and a quick recap
- Payable-through accounts give a respondent's customers direct access
- Same hidden-customer risk as nesting
- Diligence reaches through; you can't outsource accountability
- Sets up the screening domain next
Let's name one more structure and then recap the domain. A payable-through account is a correspondent arrangement where the respondent bank's own customers are given direct ability to transact through the correspondent account, sometimes with their own sub-account access. The sanctions risk is the same as nesting: customers you never assessed are moving money through an account you provided, so a sanctioned party can ride in unseen, and you must understand and control who actually has access.
Step back and the whole diligence domain reduces to a few principles you can carry into the exam: apply effort in proportion to risk, resolve who really owns and controls the parties, reach through correspondent and third-party relationships to the ultimate flows, and remember that relying on someone else never transfers your own accountability. When visibility fails, you escalate and restrict rather than process blind. That completes the sanctions due-diligence domain.
Next, we move into the control that runs every day in the background and that the exam weights heavily: sanctions screening, beginning with the fundamentals of what you screen, when, and against which lists.
Sources
- Wolfsberg Group Correspondent Banking Principles and Wolfsberg Anti-Money Laundering Questionnaire
- FATF Recommendation 13 (correspondent banking)
- FinCEN/OFAC guidance on nested accounts and downstream/payable-through accounts
- OFAC prohibition on facilitation
- OFAC 'A Framework for OFAC Compliance Commitments' (May 2019)
Test your knowledge
A few CGSS questions on this material.
Q1. Which Executive Order authorizes OFAC to designate weapons of mass destruction (WMD) proliferators and their supporters?
Q2. The Foreign Sanctions Evaders (FSE) List designates non-U.S. persons for what conduct?
Q3. A financial institution's screening system generates 5,000 alerts per month, of which 4,950 are consistently cleared as false positives within minutes of generation. What is the MOST important compliance concern this pattern raises?
Q4. When a U.S. institution rejects a transaction because it is prohibited but no blocking obligation exists, what reporting obligation does it have?