Banking regulators have published fresh guidance about how financial firms should perform due diligence on “politically exposed persons” — stressing that you don’t need to take extra steps simply because a customer is a PEP, although banks do need to understand the higher corruption risks PEPs can pose.
The guidance is a joint statement from all the big federal banking regulators, distributed through the Financial Crimes Enforcement Network on Aug. 21. It’s four pages of regulatory navel-gazing about the nature of PEPs, and how financial firms can apply a risk-based approach to PEPs consistent with the requirements of FinCEN’s Customer Due Diligence Rule adopted in 2017.
The bottom line: banks don’t need to adopt extra due diligence procedures for customers who are PEPs; you don’t even need to designate a customer as a PEP at all.
But banks do need to develop accurate customer risk profiles under the CDD rule, and many high-profile enforcement actions involve sketchy characters who are PEPs. So keep those points in mind as you build due diligence policies and procedures for customers generally.
Let’s go straight to the source. First the guidance says this:
“There is no regulatory requirement in the CDD rule, nor is there a supervisory expectation, for banks to have unique, additional due diligence steps for PEPs. The CDD rule also does not require a bank to screen for or otherwise determine whether a customer or beneficial owner of a legal entity customer may be considered a PEP.”
OK, that’s clear. Banks don’t have any specific regulatory obligation to treat PEPs differently from other customers. You don’t need to create a separate category of due diligence policies and procedures for customers who are PEPs.
Compliance officers would do well to remember that U.S. AML regulations have no formal definition of who a politically exposed person is. We use the term all the time, and even the guidance itself says, “The term is commonly used in the financial industry to refer to foreign individuals who are or have been entrusted with a prominent public function, as well as their immediate family members and close associates.”
But describing a term of art isn’t the same as providing a formal definition. AML rules don’t provide one. So it logically follows that regulators won’t prescribe specific due diligence steps for a category of person that isn’t defined.
You Need Due Diligence Anyway
That still leaves banks struggling to understand their due diligence obligations under the CDD Rule — and this latest guidance offers no specifics on what you should do. Instead, we have gauzy statements like this:
“Banks must apply a risk-based approach to CDD in developing the risk profiles of their customers, including PEPs, and are required to establish and maintain written procedures reasonably designed to identify and verify beneficial owners of legal entity customers.”
That only tells you what to do: apply a risk-based approach to developing risk profiles for all customers. It offers no advice for compliance officers’ real challenge, which is how to develop that approach.
Let’s also remember that three weeks ago, FinCEN published related guidance where the agencies refrained from recommending any specific steps or procedures to create a customer risk profile. That earlier guidance is a close fit with this new guidance: both put the onus on the bank and its compliance team to figure out what to do.
You wanted a regulatory system that isn’t overly prescriptive? This is what it looks like.
The closest FinCEN comes to offering concrete advice is to say that if you do decide that a customer is a PEP, you can then consider several other factors about that customer — his or her PEPpiness, so to speak — when building a customer risk profile. That passage is worth quoting at length:
“Banks may take into account such factors as a customer’s public office or position of public trust (or that of the customer’s family member or close associate), as well as any indication that the PEP may misuse his or her authority or influence for personal gain. A bank may also consider other factors in assessing the risk of these customer relationships, including the type of products and services used, the volume and nature of transactions, geographies associated with the customer’s activity and domicile, the customer’s official government responsibilities, the level and nature of the customer’s authority or influence over government activities or officials, the customer’s access to significant government assets or funds, and the overall nature of the customer relationship.”
You can start to see a way forward in those words. For example, “any indication that the PEP may misuse his or her authority or influence for personal gain” — well, that’s an adverse media report, and any number of due diligence vendors would be happy to provide you one for a reasonable fee.
Likewise, “the type of products and services used, the volume and nature of transactions” is just another way of describing a PEP’s transaction history. Either you have that history in your own records, or you could try getting that history from the client directly or from third-party data vendors as part of onboarding.
But those are only examples of due diligence techniques you can use. Again, they don’t answer the real question here, which is how much due diligence to apply to someone who’s a PEP.
The FinCEN guidance is assiduously evasive on that point.
My concern with this guidance is where it leaves the compliance officer. Because FinCEN stresses only the due diligence outcome, the methods and amounts of due diligence are left open to each bank’s interpretation. We all know that client relationship managers will use that wiggle room to argue that due diligence for His Imperial Majesty or Assistant Minister So-and-So doesn’t need to be so rigorous.
So compliance officers will need to defend rigorous customer due diligence procedures against that mentality, and you won’t have clear regulatory guidance — “Thou shalt do this when thy client is a PEP!” — to help argue your case. Success will depend on your ability to make customer due diligence fast and minimally intrusive, and on your senior executives’ commitment to good business conduct.
And how hard can it be to achieve those two things, right? Happy Monday.