ECSH33337 - Checking customer due diligence: testing procedures in relation to politically exposed persons (PEPs)
Regulation 33(1)(d) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that enhanced due diligence (EDD) must be carried out where a business has determined that a customer, or potential customer, is a PEP, or a family member or known close associate of a PEP (in accordance with regulation 35).
Regulation 35(12) of MLR 2017 defines a politically exposed person (PEP) as an individual who is entrusted with prominent public functions, excluding middle-ranking or more junior officials.
If a customer, or potential customer, is a PEP, or a family member or known close associate of a PEP, the business must apply the measures shown in regulation 35(5).
Ensure you read the general guidance for EDD and the Relevant Requirements in conjunction with the guidance below.
You can also find more information throughout the Joint Money Laundering Steering Group (JMLSG) guidance and from paragraph 5.5.13 in particular.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Checking the business’s understanding of PEPs and the risks involved
You should check the business’s understanding of PEPs, and the risks associated with them, by referring to the published guidance for the sector(s) it operates in. You should also ask if the business has referred to any additional guidance in relation to PEPs, for example the detailed guidance on the treatment of politically exposed persons for anti-money laundering purposes published by the Financial Conduct Authority (FCA).
Checking the business’s risk management systems and procedures
Discuss with the business the likelihood of its customers being PEPs and the checks it carries out to confirm this.
Ask the business questions about how it assesses the level of risk associated with the customer, and the extent of the EDD measures applied in relation to that customer. You will need to consider if this is appropriate to mitigate the risks, and check that the business has carried out the prescribed measures and maintained (followed) its policies, controls and procedures (PCPs). You should check this on a customer-by-customer basis, as the circumstances and risks surrounding each customer will be different.
Additionally, the business should be able to explain what its procedures are for handling a known close associate of a PEP, as these are likely to be different to the procedures for a PEP. For example, enhanced ongoing monitoring must be carried out for 12 months after the PEP is no longer in post, as long as no additional risks exist. For an individual who was a family member or known close associate of a PEP, however, the additional measures can be stopped as soon as the PEP is no longer in post. If a business’s customer ceases to be a PEP or known close associate of a PEP, you should ask how the business knows this and when this occurred.
A business may have a policy that it does not have any customers who are PEPs and will not deal with PEPs in the future. This is the business’s choice; however, it must still have risk management systems and procedures in place to be able to identify PEPs. Consider what the business would do if a customer with whom it is in a business relationship becomes a PEP during that relationship, and how it monitors for this situation.
Likewise, the business may consider that it has been in a longstanding business relationship with its customers and so regard them as low risk, but it must still carry out the prescribed EDD measures. Please review the paragraph which discusses residual risk within the general EDD guidance.
Deciding whether the levels of PEP checks are appropriate will depend on the size and nature of the business. The business is required to take a risk-based approach. For example, the method a local accountancy service provider (ASP) takes will differ from the approach of a global art market participant (AMP), who should have more sophisticated systems in place.
How to identify whether a customer is a PEP
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
If, through your own open-source checks, you identify potential PEP customers that the business has not identified, you should ask the business for more information about the customer, transaction or business relationship, and about the checks carried out at the time the transaction was accepted and throughout the relationship.
You should present the information that the customer may be a PEP and check with the business to see if it’s the same person. If the business agrees that the customer is a PEP but hadn’t originally identified them as one, you should establish how it failed to identify the customer as a PEP. Consider if the risk management systems in place are sufficient to identify PEPs. This may lead to a breach under regulation 35.
Evidence of PEP checks
Where the business has carried out checks to identify PEPs, you may see records of:
- internet or news searches on the customer
- government or parliament website pages
- the Electoral Commission website, Transparency International website and Global Witness website
- search results from commercial providers with a PEP flag (check that the business understands what sources are being searched, and check what actions are taken following a false positive; for more information on this, see electronic verification)
- a meeting held or questionnaire the customer filled in, where they were asked if they were a PEP, or a family member or close associate of a PEP
Please note that where a customer is asked to self-disclose that they are a PEP, there is a risk that the customer may not understand the term or may not tell the truth. You should check the information provided to customers to ensure it is producing the correct results. See the guidance under the subheading “Scenario” in Regulation 35 for an example of this.
What EDD measures must include
If the business has determined that a customer or potential customer is a PEP, you must see evidence that it has carried out additional due diligence described in regulation 33(5), namely:
- approval from senior management for establishing or continuing the business relationship with that person (a senior manager is an officer or employee who has sufficient knowledge of the business’s exposure to money laundering and terrorist financing risk, and sufficient authority to make decisions that affect the business’s risk exposure; for example, a director, manager, company secretary, chief executive, member of the management body, or someone who carries out those functions, or any partner in a partnership, or a sole proprietor)
- taking adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person; and
- conducting enhanced ongoing monitoring where a business relationship is entered into (not required for an occasional transaction with a PEP)
This is in addition to other measures the business may take under regulation 35(5), explained within the general EDD guidance.
Case studies
Case study 1: Regulation 33(1)(d)
An art market participant (AMP) has sold a painting to an overseas customer. The AMP established that the customer was a non-domestic PEP at the time of the transaction. Through questioning and reviewing the information and documents obtained, you confirm that although CDD has been carried out to identify and verify the customer’s identity, none of the required EDD checks have been carried out for this customer.
The AMP has breached regulation 33(1)(d) in that it did not apply EDD where it had established that its customer was a PEP. You must also consider any corresponding breaches, such as regulation 18 if the AMP has not assessed the risks of transacting with customers who are PEPs, regulations 19 and 35 if the AMP does not have procedures in place to identify PEPs and apply EDD, or staff training issues under regulation 24. For more guidance on corresponding breaches, see specific breaches of customer due diligence.
Case study 2: Regulation 35
A trust or company service provider (TCSP) provided a client list to you as part of your compliance check. By conducting open-source checks, you identify that one of the TCSP’s clients is a known close associate of a PEP. You ask further questions to establish whether the TCSP had identified this client as a PEP and, if so, whether EDD was undertaken.
The TCSP confirmed that it did not realise that this client would fall under the definition of a PEP, and therefore no EDD had been undertaken. Through further questioning you conclude that the risk management systems and procedures in place are not appropriate, which is a breach of regulation 35(1).