Best Practices for Monitoring Politically Exposed Persons
For most financial institutions, sanctions compliance has become increasingly complicated in recent years. When one thinks of sanctions in the United States, the primary focus is of course the specially designated nationals (SDN) list administered by the Office of Foreign Assets Control (OFAC). However, there are a variety of other lists utilized by institutions depending on their level of interaction with international markets and high-risk industries. Then, of course, there is the risk category known as “politically exposed persons,” colloquially known as simply PEP’s.
The Financial Action Task Force (FATF) – an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, etc. – defines a PEP as “an individual who is or has been entrusted with a prominent public function.” The Federal Financial Institutions Examination Council’s (FFIEC’s) examination manual for Bank Secrecy Act (BSA) compliance describes a PEP as generally including “a current or former senior foreign political figure, their immediate family, and their close associates.” The FFIEC then interprets those individual terms more exactly, but it is clear from the manual that the primary concern for PEP monitoring is foreign parties.
From a Know Your Customer (KYC) perspective, there is no doubt that having knowledge that a customer is also a foreign political figure is important. However, the monitoring of domestic PEP’s is quickly becoming a best practice as well, encouraged by BSA consultants and examiners alike. While there are multiple vendors who can offer PEP lists to financial institutions for use as a filtering tool, an institution needs to consider the costs and benefits of expanding their PEP definition accordingly.
Expanding the definition of PEP’s beyond just foreign parties is certainly understandable, from an anti-money laundering risk perspective. There is no shortage of domestic news stories concerning political corruption. However, a financial institution must be prepared for the effects of purchasing a domestic PEP filter and then simply activating it. False positive matches will likely be voluminous initially, as a U.S. institution’s customer base will certainly include more apparent matches to the names of domestic political figures than to foreign political figures. The frequency of those false positive matches will only increase depending on the scope of the domestic PEP filter; some “enhanced” filters include not only domestic political figures but also their family members and associates, mirroring the definition of a foreign PEP in the FFIEC manual. Consider the following to limit useless false positive alerts when scanning for domestic PEP’s.
• Seek only domestic PEP filters that stratify or classify the names on the list based on the level of influence. In other words, a state bank examiner should not be classified at the same level of risk as a U.S. senator. Similarly, a grandchild of a U.S. senator should not be classified at the same level of risk as the senator’s spouse.
• Potential PEP matches should then be internally classified based upon the risk strata of the matched party. In other words, a potential match to the name “Mike Pence” would be a high-risk match; a potential match to the name of your local coroner would be a low-risk match.
• Match-clearing resources should then be directed based on the levels of risk, with high-risk matches receiving immediate attention and low-risk matches receiving less urgent attention.
Of course, a true match to a domestic PEP will be much more likely than with a foreign PEP. Thus, while clearing false positives will likely constitute the majority of an institution’s PEP-related actions, procedures and practices should already exist in anticipation of the positive matches.
• First, an institution needs to assess just how risky some domestic PEP relationships would truly be. Using the same examples from above, would a local coroner or a state bank examiner truly be high-risk customers from a BSA perspective simply because of their positions? The use of a domestic PEP filter with internal risk classifications was discussed above, but an institution should be wary of simply duplicating the same classification logic. Local market considerations, events, or legislation may make a state senator more risky from the institution’s perspective, for example. Thus, risk categories for domestic PEP’s should exist as with other high-risk customer types; and decisions to classify some domestic PEP’s as low- or no-risk should be justified via a documented risk assessment.
• Once a true domestic PEP is identified and classified at a higher level of risk, what happens then? Are that individual’s accounts more closely monitored? Are they personally interviewed? Are transaction limits set? Basically, if an institution feels that classifying domestic PEP’s is a worthy exercise, then decisions must be made as to what additional due diligence will follow. With automated transaction monitoring systems, identification as a domestic PEP may simply be a factor that is considered when prompting an alert; for example, cash activity from a PEP’s account prompts an alert at a lower threshold than for others. In any case, simple classification is not enough; thoughtful consideration of the appropriate monitoring procedures must occur as well.
• What if the positive match is not to a customer but to a payee on a negotiable instrument or the conductor of a cash transaction, possibly a cashed check? Does the purchaser of the negotiable instrument or the issuer of the check then come under greater scrutiny? Materiality considerations should apply here, but even an occasional large payment may simply represent the repayment of a personal loan. A trend of payment activity, on the other hand, may represent a more meaningful concern.
It should be reiterated that, currently, filtering for and enhanced monitoring of domestic PEP’s is more of a best practice than a regulatory requirement. Some caution is needed with that statement, however, as some regulators have different expectations than others; thus, for some institutions, it may already be a de facto requirement. In any case, history has shown that best practices throughout the banking industry often become regulatory expectations. Thus, if your financial institution does not already have a plan in place for domestic PEP monitoring, consider the possibility that your KYC program may have to be expanded to accommodate it.