GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

The SWIFT KYC Registry

Your notes

What this means in plain language

The KYC Registry is a shared platform where banks contribute and consume standardised due-diligence data and documents, so correspondent know-your-customer information is collected once and reused instead of exchanged bilaterally many times over.

Banks that hold accounts for one another, called correspondent relationships, must each perform due diligence to understand who they are dealing with. KYC (know your customer) is that process: gathering standard facts and documents about an institution's ownership, licences, and controls. Done bilaterally, the same bank ends up sending nearly the same information to dozens of partners, each in a slightly different format. The KYC Registry is a shared platform that replaces those repeated exchanges. An institution contributes a standardised set of baseline data and supporting documents once, and its partners consume that entry when they need it, subject to the institution's permission. Because the data follows an agreed structure, including the industry's standard due-diligence questionnaire, everyone reads the same fields the same way. Collecting due diligence once and reusing it lowers duplicated effort, improves consistency, and gives each institution a clearer, more comparable view of its counterparties.

Understand the full idea, step by step

Fill out the same medical form at every clinic you visit — same name, same history, same allergies, re-copied each time — and you quickly see the waste: the facts barely change, yet everyone asks again in their own layout. Correspondent banks had exactly this problem with the paperwork of knowing each other. Their answer was to collect it once and share it, carefully. That is the registry we look at here.

The duplication problem in correspondent due diligence

Correspondent banking works through relationships in which one institution holds an account for another so payments can reach places it does not serve directly. Each side must understand its counterparty, which means collecting due-diligence information: ownership, licensing, regulatory status, financial-crime controls. When this is exchanged bilaterally, the effort multiplies — a bank with many correspondents answers many near-identical requests, each in a different layout, and sends its own to each partner in turn. The facts are largely stable and largely the same from one request to the next, yet they are gathered, formatted, and checked over and over.

The KYC RegistryKYC = know your customer

The KYC Registry is a shared platform where an institution assembles a standardised set of baseline data and supporting documents describing itself, and publishes that entry once. It turns many bilateral exchanges into one maintained record. Know your customer is the broad obligation to understand who you are dealing with; here the "customer" is a correspondent bank, and the registry is where the evidence of that understanding is collected and shared.

Contribute once, consume with permission

An institution publishes its entry to the platform, and partners that need the information request access — the contributing institution controls who may see it. The data is shared with permission, not published openly. When a licence, address, or control changes, the update is made once and every permitted partner sees the same refreshed record. This is the core of the model: maintain a single record, and let many partners consume it, instead of keeping a separate answer alive for each relationship.

Wolfsberg CBDDQCorrespondent Banking Due Diligence Questionnaire

A central part of the structure is the CBDDQ — an industry-standard set of questions, from the Wolfsberg Group, covering an institution's ownership, business, and financial-crime controls. Because everyone completes the same questionnaire and supplies data in agreed fields, a consuming institution reads each counterparty in a consistent shape rather than deciphering a bespoke form. A shared question set also makes it harder for an important question to be quietly skipped.

If the data is standardised and shared, does the registry decide whether Meridian Bank should take Nordbank on?

No — and this is the important line. The registry standardises and distributes information; it does not make the compliance decision. Meridian Bank still assesses whether Nordbank fits its own risk appetite, applies enhanced review where its policy requires it, and decides whether to open, continue, or exit the relationship. What changes is the starting point: Kabir's team begins from clean, comparable, permission-controlled data instead of chasing forms — so effort goes to judgement, not to formatting.

COMMON CONFUSION

Using the registry means a bank has outsourced its know-your-customer decision to the platform.

Reusing due-diligence data does not move the decision anywhere. Each institution still reviews the counterparty against its own policy, records its own assessment, and owns the outcome. The registry improves the inputs — consistent fields, a shared questionnaire, a maintained record — which is exactly what makes gaps easier to spot. The judgement stays with the bank.

STRICTLY SPEAKING

Strictly speaking, real due-diligence obligations vary by jurisdiction and by the risk of each relationship, and enhanced measures apply where policy or law demands them. The registry is a foundation that supports the process — cleaner data, a clearer audit trail of which version was relied on and when — not a substitute for it. Framed defensively, it strengthens controls: comparable fields make an omission visible, a shared questionnaire resists a skipped question, and a maintained record reduces reliance on stale information.

FOR NOW, REMEMBER

  • Correspondent due diligence is largely the same facts asked many times; the KYC Registry replaces those bilateral exchanges with one shared record.
  • An institution contributes a standardised entry once and controls which partners may consume it — shared with permission, not published openly.
  • The Wolfsberg CBDDQ gives everyone a common question set, so counterparties can be read in a consistent shape and gaps are easier to see.
  • The registry standardises and distributes data; each bank keeps the compliance decision, applies its own risk appetite, and owns the outcome.

TRY IT YOURSELF

Kabir reads Nordbank's complete, up-to-date CBDDQ on the registry and finds no obvious concerns. Which action fits how the registry is meant to be used?

Use the clean, comparable data as the starting point, then apply Meridian Bank's own risk assessment and policy before deciding on the relationship.

Correct — Right. The registry supplies consistent, permission-controlled inputs; the decision to open, condition, or decline the relationship remains Meridian Bank's, made against its own risk appetite and any enhanced review its policy requires.

Treat a clean CBDDQ as the registry's approval of the relationship and open the account automatically.

Not this one — The registry does not approve anyone. It standardises and shares data; reading a completed questionnaire as an automatic yes hands the bank's own judgement to a platform that never had it.

Disregard the registry data and send Nordbank a fresh bespoke questionnaire, since shared data cannot be trusted.

Not this one — That recreates exactly the duplication the registry removes. The standardised, maintained record is a stronger starting point than a re-copied bespoke form, not a weaker one.

Knowing who a counterparty is answers one risk. Another is how well it secures the systems that create and send messages. Next: the programme that sets a common security baseline and asks every connected institution to prove it meets it.

KEEP GOING

Three things to remember

  1. 01

    The KYC Registry lets institutions publish standardised due-diligence data once and share it with permitted partners.

  2. 02

    A common structure, including the Wolfsberg CBDDQ, makes counterparty information comparable across institutions.

  3. 03

    Collecting due diligence once and reusing it reduces duplicated requests without removing each bank's own review.

Where you would use this

USE CASE 01

A correspondent bank publishes its baseline data and documents so partners can request access instead of emailing forms.

USE CASE 02

A compliance team consumes a counterparty's registry entry when refreshing periodic due diligence.

USE CASE 03

An onboarding analyst checks a prospective partner's standardised questionnaire before opening a relationship.

Put the idea into a real situation

Illustrative example: a fictional bank, Aldergate Commercial, maintains correspondent relationships with 40 partner banks. Instead of answering 40 separate due-diligence requests each year, it publishes one standardised entry, including its completed questionnaire and 12 supporting documents, to the registry. When a partner refreshes its review, it consumes the entry directly. Aldergate estimates it answered 40 near-identical requests before; now it maintains a single record and grants access, cutting repeated form-filling while its partners still make their own risk decisions.

Evidence & review

REVIEWED 2026-07-13

Swift's KYC Registry for correspondent banking due diligence, and the Wolfsberg CBDDQ as its standardised question set. Defensive framing only.

What this brief simplifies: Presents the registry as contribute-once/consume-with-permission; the platform's document handling, baseline data set, and access workflows are richer. Due-diligence obligations are described generally and point to jurisdiction-specific law rather than quoting it.

Sources for this brief4
  1. Market practice

    Swift products and servicesSwift

    Describes Swift's messaging, connectivity, global payments innovation, platform, and compliance services offered to member institutions. · Checked 2026-07-13

    Used for the public overview of product details documented behind swift.com.

  2. Market practice

    Wolfsberg Group Payment Transparency StandardsThe Wolfsberg Group

    Industry standards on preserving complete and accurate party information through payment chains, expressed in ISO 20022 terminology. · Checked 2026-07-12

    The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.

  3. Market practice

    Correspondent banking (final report)CPMI, Bank for International Settlements

    Defines correspondent banking arrangements, including nostro/vostro account relationships, and analyses the decline in correspondent relationships and its drivers. · Checked 2026-07-12

    Published in July 2016; its statistics cover 2011-2015 and are dated, but the definitions and arrangement types remain widely used.

  4. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

Learn this properly

Related briefs

View Fraud & Compliance archive

KYC and customer due diligence basics

Know your customer (KYC) identity checks and customer due diligence (CDD) establish who a customer is, who owns them, and how much risk they carry, before an account opens and throughout the relationship, with screening as one input.

READ BRIEF

The SWIFT Payment Controls Service

The Payment Controls Service is an in-network control that screens outgoing payment messages against configurable limits and rules, flagging or holding unusual instructions so fraud and errors can be caught before a message leaves the institution.

READ BRIEF

Screening for politically exposed persons (PEPs)

Politically exposed persons hold prominent public roles that carry higher corruption risk. Screening flags them so a bank applies enhanced due diligence — a deeper, documented review and senior sign-off — rather than the hard payment stop a sanctions match triggers.

READ BRIEF