Recent PEPs Screening Guidance from Regulators
Knowing how to assess the risk associated with a Politically Exposed Person (PEP) and understanding when and how to conduct the appropriate amount of due diligence for PEP clients is not always straightforward. Watch as Ola Tucker, JD, CAMS, shares her expertise on what constitutes a PEP and their associated varying levels of risks. She also reviews why relationships with certain PEPs may present increased financial crime threats and the importance of conducting risk-based customer due diligence (CDD) for PEPs.
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. It is not intended to provide legal or other professional advice, and should not be relied on as such.
Q: Is there a free PEP list available for screening?
A: There is no official or comprehensive PEP list that is available. Very few countries publish lists of domestic PEPs. In fact, even the CIA and the UN have a list of heads of states that are available, but these lists generally fall below the definitions of PEP that are given by the FATF.
Although a few organizations publish free information, almost all of these lists lack the coverage necessary to meet regulations. For example, most of the free lists do not include things such as local governments or international organization PEPs. It’s also very hard for many of these free lists to include family members or close associates.
The latest FATF recommendations mention that these free lists have potential shortcomings because they’re usually incomplete, lacking aliases, and other identifiers, and relatives. These lists also become quickly outdated. So, you may find some free lists out there but that’s not the best way to go.
Q: Would a famous actor or actress be considered a PEP?
A: A person would not be considered a PEP simply by virtue of being famous or well known. This doesn’t necessarily mean that a particular individual isn’t high risk or wouldn’t present a high AML risk to the institution, it just means that they wouldn’t be classified as a PEP according to the definition of PEPs.
If an actor or an actress also held a position in a public office in addition to their acting role, or was married, or closely related to a PEP, then they may be characterized as a PEP simply by their association. If this were the case, it would necessitate that the financial institution apply enhanced due diligence measures to that customer.
Q: Can an entity be considered a PEP?
A: Many state and government-owned entities and public sector bodies will have individuals that are PEPs in controlling positions within the organization. However, this does not always mean that the PEP will transfer corruption risk to that organization. Nonetheless, some state-owned entities will have genuine PEP risk. Many of the commercially available screening lists will also have entities that are designated as PEPs. So, the short answer is that an entity could in some cases be considered a PEP.
Q: Does an institution need to have a stand-alone policy to address PEPs?
A: Neither FinCEN guidance nor the Bank Secrecy Act requirements mandate that financial institutions, at least in the U.S., maintain separate and distinct policies pertaining to PEPs, but PEPs, including things such as screening procedures and EDD measures, this should be addressed somewhere in an institution’s AML policy along with applicable KYC and CDD measures. Many U.S. financial institutions include PEP screening protocols in their AML and our sanctions policies.
Q: A longtime customer was flagged as a family member of a PEP and therefore rated as high risk. However, the PEP connected to the customer has recently deceased, so can the customer, the family member, now be downgraded to low risk?
A: This depends. In the U.S., unlike in Canada, there’s no length of time that’s specified for how long a PEP should be considered a PEP. The Wolfsberg Guidance says that this should be a risk-based decision, so institutions should check with their local laws and follow from there.
Q: How often must a customer profile be updated and what would be an example of something that would trigger an update to a customer profile?
A: There’s no specific time frame prescribed for updating customer profiles. Rather, this should be done on a risk basis or when an institution reasonably becomes aware of a change during the regular and usual course of monitoring. Generally, the best practice is that the profile is updated no less frequently than every two years or so, maybe even every year. Again, this will be based on your particular institution. Some examples of things that would trigger an update to a customer profile are changes in occupation or job status or employment status or other things such as unexplained increase in the number of transactions or perhaps relocation to a high-risk country.
Q: Regarding the classification of immediate families as PEPs, does it relate to a high, medium and low-risk PEPs?
A: The guidance defining associates does not make that distinction between the categories.
Q: Would a friend of a PEP be classified as a PEP too?
A: This is something that would have to be looked into on an individual basis, but it’s generally close associates. So, not just any friend but someone like a lawyer or maybe an accountant that is close with the PEP, someone in a position with potential access to government funds or assets or otherwise be able to yield influence as a result of that relationship.
Q: Is PEP screening based on the bank’s risk or do they need to ask a set of questions during CDD to all new customers to help them identify if they are a PEP?
A: It should be determined for all customers whether they are PEP or not. You shouldn’t just ask some customers and not others. In the U.S the guidance is that institutions must determine whether their customers are or are not PEPs.
Q: It was noted that the time the customer has been out of the office may guide the determination of the risk level of the PEP. Now, how many years would a PEP need to be out of the office to be considered medium and low risk? So, Canada gives guidance on seizing of PEP status but the person’s question was really, at what point can you start to lower the risk status?
A: This is a risk-based determination that should be made. There are no prescribed time frames given, so it really depends on an overall analysis, what exactly was their role, how influential were they, other considerations like that. It’s more of an overall analysis.
Q: Are there instances where a PEP must be rejected? And if you have encountered that, what may be some conditions where you might reject a PEP as a customer and do you have suggestions on how you would manage the process of not having this person as a customer?
A: Institutions have rejected certain customers because the risk presented by that customer is just too high for the institution. Perhaps they don’t think that their levels of internal controls are sufficient to take on that customer. Whatever the reason is, there are reasons to decline customers, and each institution will have to make that decision on an individual basis.
If an institution has a very strong control, they may be more willing to take a higher risk customer than another institution that doesn’t have quite the level of controls in place or quite the level of sophistication. Usually, larger international institutions have quite sophisticated controls, spend a lot of money, perhaps they’d be willing to take on more risk. But again, this is a case-by-case basis decision.
If an institution does take on that customer, they’re going to have to apply the highest level of controls and monitoring to that customer. During the course of the relationship, they might find that they might have to break off that customer relationship at some point if it does become too unmanageable. For example, if there’s significant negative news that comes out, such as that person being involved in financial crime.
Q: Where PEPs are beneficial owners of companies, would the entities be classified as PEPs?
A: I don’t know of any guidance that definitively says yes, that that company would then be considered a PEP, but I would certainly consider that company high risk because of their association with the PEP. So, the institution might not necessarily classify that company as a PEP but they would rate that company as high risk and apply higher internal control when doing financial transactions or other transactions with that entity.