PEP Reset: Take a risk-based approach to Politically Exposed Persons

How risky are Politically Exposed Persons for your financial institution?

Financial institutions are required to consider and appropriately manage Politically Exposed Persons (PEPs) and their close associates as higher risk customers. They are required to impose strict measures when establishing new business relationships with PEPs and to ensure continual risk evaluation throughout the entire client lifecycle. The intention of most global regulations is to ensure that proper due diligence and approval processes are conducted during PEP onboarding and on an ongoing basis throughout the relationship lifecycle.

Who are PEPs? Unfortunately, there is no consistent global definition; definitions depend on country-specific legislation. However, in general the consensus is that senior government officials, high-ranking officers in the armed forces, senior members of judicial bodies, major players in political parties, and senior executives of state-owned businesses are defined as PEPs. Immediate family members and close business and personal associates, as well as corporations owned by PEPs, fall into the category of “close associates.” 

As holders of powerful and highly influential positions, PEPs have more opportunities to illegally acquire assets than other people do. Crimes such as bribery, kickbacks and other corrupt practices are examples of illegal ways in which money can be funneled into accounts belonging to, or relating to, PEPs.

In the past decade or so, there has been an increased focus on PEPs across the financial industry, as demonstrated in recent publications by FATF, OECD, and the United Nations. In my view, this increased focus is mostly due to the trend of more anti-bribery and corruption legislation and enforcement around the world. Whatever the cause, financial institutions now invest a tremendous amount of effort and resources into evaluating and reviewing potential PEPs and their affiliated parties.

Is this a sound investment? What is the actual risk of serving PEPs?

In principle, there is nothing inherently wrong with having clients who are categorized either as a PEP or as a close associate. In fact, just like anyone else, PEPs need regular access to banking and insurance services to receive their paychecks, make monthly mortgage payments, trade stocks, manage their investments, purchase life insurance, etc. 

PEPs are not inherently more prone to money laundering or embezzlement compared to any random individual. Nor are they any more likely to be involved in corrupt practices. The major differences between PEPs and the rest of the world are: 1) their level of influence in their respective countries; 2) their access to public funds and 3) their access to other “cookie jar” opportunities such as bribes, kickbacks, etc.

However, although only a small fraction of PEPs may be corrupt, once a PEP is involved in corruption, bribery or another financial crime, the resulting impact can be disproportionate, inflicting damages well beyond the direct monetary value of the act.

So while focusing on PEPs makes sense, the diversity of PEPs means that financial institutions’ assessment of them must include a meaningful, risk-based approach that has more granular evaluations, buckets of risk, or tiers for the different risks we are facing as an industry. The fact that this is often not done represents an industry-wide misunderstanding of the actual risk PEPs pose to FIs and to our financial system. 

“A Risk Based Approach to AML/CFT means that countries, competent authorities and financial institutions, are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.” - FATF

Since different PEPs have different exposures, and since each PEP categorization has different risk implications, FIs are expected to make an informed decision – through an appropriate and properly documented approval process, when starting an engagement with a PEP. Each PEP should be considered as an individual customer and his or her exposure must be carefully evaluated. Following that, the FI is expected to assign the appropriate risk level as part of their overall risk-based approach to preventing financial crimes in line with their compliance program. 

“The principle of “once a PEP, always a PEP” runs counter to an appropriate Risk Based Approach and should be considered very carefully before being applied” – Wolfsberg Group

Here, I suggest three ways that financial institutions can take a risk-based approach to assessing PEPs.

Separate domestic PEPs from foreign PEPs

To enable a more precise risk-based approach to PEP risk, the Financial Action Task Force (FATF) recommends that financial institutions further categorize PEPs as domestic versus foreign PEPs. This approach is generally accepted by most FIs.

Domestic PEPs

Financial institutions should expect the majority of their identified PEPs to be classified as domestic PEPs, as PEPs must use banking, insurance services and services from other FIs in their home country to manage their personal, day-to-day finances.

Such individuals should be considered higher risk than other “regular clients.” However, engaging this group is unavoidable. Other factors must be considered in determining the precise risk of a particular domestic PEP.

As an industry, we consider domestic PEPs to be less risky than foreign PEPs as the rational of opening relationship with a local FI can be easily explained. FIs are expected to go through a proper (and auditable) review and approval process to ensure an informed decision is made when entering such an engagement.

Foreign PEPs 

Foreign PEPs are defined as persons holding a key public position on behalf of a government in a country other than the one in which the financial institution is located or licensed to operate.

The occupations considered should be similar to domestic PEPs and include high-ranking positions such as head of state, minister, parliament member, high ranking officer in the armed forces, key judicial position, director of a state-owned corporation, etc.

Any FI, when engaging with a PEP, must first identify the individual as a PEP and then determine if he or she is to be classified as a domestic or foreign PEP. Based on the category, a risk-based process must be initiated to onboard that individual as a customer. From an onboarding perspective, the level of scrutiny and approvals the FI is expected to conduct when reviewing Foreign PEPs is much higher than the bar set for domestic PEPs, as the rational for a foreign PEP to open an account in a different jurisdiction or country must be clarified prior to opening the relationship. This is to ascertain that there is a legitimate need to open such an account and ensure that the source of deposited funds will not be the proceeds of corruption or other illicit activities.

Foreign PEPs should fall into the highest level of risk, regardless of the scrutiny taken during onboarding, as foreign PEPs inherently pose a high risk to the institution.

Take a risk-based approach to PEPs during KYC / CDD through screenings, adverse media searches, periodic reviews and monitoring of both transactional and non-transactional account activity

Know Your Customer (KYC) and Customer Due Diligence (CDD) measures are the indispensable starting point of any rigorous compliance program. The implementation of a proper evaluation and approval process during customer onboarding is the foundation of any solid financial crime mitigation measures taken by the FI.

FATF’s 10th and 12th recommendations are both part of the overall set of customer onboarding requirements adopted, in full or in part, throughout the globe. The ability to determine if either a prospective customer or a beneficial owner is politically exposed (or is a close associate) and as such needs to be classified as a PEP fully depends upon the effective implementation of proper onboarding measures, including the identification, verification, and ongoing due diligence requirements as set out in Recommendation 10 (for financial institutions) and Recommendation 22 (for DNFBPs), as well as the effective application of a risk-based approach (Recommendation 1).

Identification of foreign PEPs is a big challenge for many organizations as a globally accepted definition of what political exposure means does not exist. As such, PEP definitions may differ from country to country. Another challenge is the number of lists available and the number of entities listed as PEPs, family members or close associates.

In their effort to accurately identify PEPs, financial institutions are encouraged to use internet and media searches, commercial databases, public PEP lists issued by governments, the UN and others, available in-house information or data shared between FIs, asset disclosure systems, customer self-declarations and more.

These challenges are intensified without giving proper thoughts into how FIs can best operationalize these activities. There is no doubt that the final decision to onboard a PEP should be made by a human after careful consideration of the exposure and risks involved. However, only through impartial execution of the institution’s compliance risk policy, consistent evaluation of data, automation of checks against public lists and adverse media, and enterprise-level case management to log all actions and decisions taken an FI can truly ensure adherence to the rules. 

The correct identification of PEPs, their family members and close associates as well as understanding of the actual risks associated with a particular PEP (once identified) should normally happen during the course of Customer Onboarding process, including Name Screening, Know Your Customer (KYC), Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures, which forms an integral part of any FI’s AML compliance program. This should include systems, process and controls. Hence, any PEP controls will be only as good as the FI’s overall AML framework.

Take a risk-based approach to PEPs during transaction monitoring

PEPs should always be considered higher risk, which should translate to both the organization’s KYC/CDD process as well as to the ongoing monitoring of accounts – i.e., Transaction Monitoring across the business relationship. The concept is similar to any other high-risk customer (whichever the reason may be), as in a risk-based approach the organization cannot treat all customers, from a risk perspective, as equals.

In practice, the expectation is to link the data across the organization and make use of all information at the FI’s disposal to better evaluate future transactional and non-transactional activity. Simplifying this concept, FIs are expected to make full use of customer KYC/CDD Profile (low/medium/high etc.) as part of the transaction monitoring system to better score activity. They are also expected to leverage data on source of funds and expected behavior information to better monitor the account and highlight any discrepancy.

FIs with the resources to implement electronic monitoring systems are able to achieve such monitoring on a relatively consistent basis. However, small FIs, insurance companies and DNFBPs without the appropriate resources are facing major challenges in achieving the same level of scrutiny through manual processes as a complete manual process (eyeballing lists and transactions) is resource intensive, prone to errors, dependent heavily on training, impartial views, inconsistent and as such prone to fail.

Let us make it clear, the determination a specific customer should be classified as PEP is not an aim by itself but forms part of the process that enables FIs to assess the different types of higher risks customers in their portfolio and focus their ongoing efforts, through a risk-based approach, by using red flags and indicators of illicit activity that can be used to detect abuse of the financial system.

Sample of such red flag categories will be: (1) PEPs Attempting To Shield Their Identity (2) Behavioral Indicators (use of corporate vehicles, uncomfortable / unwilling to provide information, avoiding explanations or providing incomplete information, etc.) (3) Position Or level of Involvement In Businesses (4) Industry / Sector Red Flags (high risk industry, cash intensive business) (5) Transactional Activity (multiple SARs, round amounts, substantial flow of funds, anonymous transactions, etc.), and (6) Country Specific Red Flags.