Correspondent banking has a structural KYC flaw that regulators identified in the 1990s, enforced through multi-million dollar penalties, and never fully solved. It’s called the Payable-Through Account or PTA. Understanding how it works, why it fails, and where the same logic is reappearing in crypto AML is still directly relevant for compliance practitioners today.
The core problem: payable-through accounts AML failures expose a structural blind spot that neither correspondent banking nor crypto has solved. The invisible customer problem persists because it’s embedded in how institutions design their infrastructure.
What’s a PTA, exactly?
A correspondent bank opens an account for a foreign respondent bank. Standard setup. But in a PTA arrangement, the respondent bank’s customers, so individuals, businesses, exchange houses – can transact directly through that account. They get checkbooks, they make deposits and wire funds. All through the respondent bank’s account at the correspondent bank.
The correspondent bank never sees them and never vets them. And often doesn’t even know their names.
That’s the AML problem in one sentence – you’re running a banking relationship with customers you’ve never met and whose existence you may not even be aware of.
This structural blind spot is why payable-through accounts AML remains one of the most persistent compliance challenges in correspondent banking.
The Lombard Bank case
In the early 1990s, Lombard Bank with the license in Vanuatu, held a PTA at American Express Bank International (AEBI) in Miami. Lombard’s Central American customers had access to that account. They brought cash to Lombard representatives across four countries. And when couriers transported it to Miami, it went into the PTA.
Over roughly two years, up to $200,000 in cash was deposited on 104 separate occasions. AEBI had no idea who was depositing it or where it came from.
The funds were connected to a Mexican drug cartel laundering Colombian cocaine proceeds through the US financial system. In 1994, AEBI paid its first fine. It remains one of the earliest documented correspondent banking AML failures directly tied to a payable-through account structure.
The core KYC failure in this payable-through account money laundering case wasn’t exotic: AEBI treated the respondent bank as its only customer and stopped there. No CDD on sub-account holders, no source of funds analysis. No transaction monitoring calibrated to actual end users.
→ If you’re new to how criminals move funds through the financial system, start with our overview of how cash laundering works in practice.
Three things that failed – and still fail
1. The “one customer” illusion. When sub-account holders have direct access to funds, the risk profile of the relationship reflects them, not the respondent bank. A single PTA can embed hundreds of unvetted individuals inside your AML perimeter. This is the core payable-through account risk that most correspondent banking due diligence frameworks still underestimate.
2. CDD stopped at the wrong layer. KYC was performed on the entity visible in the contract – not the people actually moving money. Documentation was present. Understanding was absent. This is the same logic failure as onboarding a company without understanding its beneficial ownership structure or business model.
See also: KYC challenges in remote banking – the same gap shows up in digital-only environments.
3. Transaction monitoring saw the wrong thing. The system monitored the respondent bank’s aggregate activity, not underlying individual flows. Patterns that would have flagged individual customers became invisible in aggregation. Effective AML transaction monitoring has to be calibrated to the actual end user, not the institutional wrapper around them. A related problem appears in micro-structuring typologies, where illicit activity hides inside normal-looking aggregates.
AEBI’s story has a second chapter worth noting. After the 1994 settlement, AEBI went through remediation and regulatory exams. Then, between 1999 and 2004, it failed again – same jurisdiction, same business lines, same structural gaps. In 2007, total penalties across DOJ, FinCEN, and the Federal Reserve reached $65 million. The $65 million AEBI penalty remains a reference case in correspondent banking AML enforcement – not because the scheme was sophisticated, but because the structural failure survived remediation. Repeat enforcement against the same institution for the same category of failure is a pattern the industry still hasn’t resolved.
The same problem, repackaged in crypto
PTAs as a product largely declined after regulators tightened correspondent banking controls post-2001. But the structural problem they represent – a financial institution providing access to its infrastructure without visibility into who’s actually using it, hasn’t gone away.
In crypto, it’s resurfaced under different names.
A VASP onboards a business customer. That customer operates a peer-to-peer platform, an OTC desk, or a sub-custody arrangement. The VASP sees one counterparty, but behind it there are dozens or hundreds of end users whose identities, risk profiles, and transaction purposes are unknown. This is nested correspondent banking risk, just without the correspondent banking label.
Travel Rule was designed in part to address this – forcing data about originators and beneficiaries to travel with the transaction. But crypto AML compliance doesn’t work on good intentions alone. Implementation is uneven, technical interoperability between VASPs is still being worked out, and in jurisdictions without full MiCA or FATF-aligned frameworks, the VASP due diligence gap remains wide. For a deeper look at how unhosted wallets complicate this further, see Hosted vs. Unhosted Wallets: The Crypto AML Dilemma.
The invisible customer problem hasn’t been solved. It’s been repackaged.
What to check in your own program
The lessons from payable-through accounts AML failures are direct and actionable. If you work in correspondent banking AML, B2B fintech, or crypto compliance, ask yourself:
- Do your institutional clients provide their own customers access to your infrastructure by making you a de facto payable-through account without the label?
- Is AML transaction monitoring calibrated to detect subaccount-level patterns or only aggregate behavior?
- When you perform CDD on a business client, do you understand their customer base and beneficial ownership structure – not just their registration documents?
The invisible customer is still there. The question is whether your AML program is designed to see them.
Sources:
- CAMS Study Guide v6.5 – acams.org
- FinCEN civil money penalties against AEBI (2007) – fincen.gov
- Federal Reserve cease-and-desist order against AEBI (2007) – federalreserve.gov
- DOJ deferred prosecution agreement with AEBI (2007), via Lexology – lexology.com
- AEBI SEC filing re: 1994 settlement – sec.gov
Leave a Reply