Feb 6, 2024

How to Perform a PEP Risk Assessment for KYB

Geena Graumann

In brief: 

  • A politically exposed person (PEP) risk assessment involves determining whether a person is in a politically exposed position, and if so, how this affects the risk of them becoming (or already being) involved in financial crime.
  • PEPs are considered high-risk because their positions give them more opportunities/resources to commit financial crime, make them bigger targets for crime, and magnify the impacts of crimes they commit.
  • PEP risk assessment frameworks should include screening both incoming and current customers (and their associates), enhanced due diligence, senior management involvement, and regular anti-financial crime training for all employees.

Some businesses have beneficial owners who may be more susceptible to financial crime than others. This is especially true if they occupy a prominent political or administrative position, where they could cause significant financial disruptions if they abuse their power. These people are known as politically exposed persons, or PEPs.

While it’s possible for you to have professional relationships with these businesses, you still need to take extra precautions when dealing with them. That includes conducting a more thorough risk assessment to determine how likely they are to become (or already be) involved in unlawful activities.

This article outlines why PEPs pose a higher risk of money laundering and other financial crimes, and thus why you need to more carefully assess businesses they’re involved with as clients or partners. We also discuss some general strategies and best practices for conducting these assessments.

We’ll begin by describing what a PEP assessment is, and why businesses need to perform them to protect themselves from undue risk.

What is a PEP risk assessment?

A PEP risk assessment is a due diligence process for reviewing a relationship with a business. It’s used to check if a person associated with a business is on a PEP list and, if they are, assess how much risk a relationship with a business involving this individual represents.

PEP stands for “politically exposed person”. It describes a person who holds (or, in some cases, used to hold) an influential public administrative position. Some examples of such a position include:

  • Political leader or ambassador
  • Judge
  • C-suite member of a state-owned corporation
  • High-ranking military officer
  • Financial institution director
  • International committee executive 

Is PEP screening required for compliance purposes?

In a specific sense, there are no universal guidelines for PEP screening. That’s because the definition of who a PEP is — including the circumstances under which a person starts or stops being considered a PEP — varies across national and international AML/CFT/CPF laws.

On the other hand, all of these laws generally expect you to conduct reasonable due diligence in starting and maintaining relationships with businesses. That includes determining if a PEP is involved with a business, and what risk they present of becoming (or already being) involved in criminal activities.

Since financial institutions are required to report PEPs that are suspected of engaging in money laundering and other crimes, failure to identify and report a PEP due to compliance shortcomings can lead to legal liability and reputational damage.

So in a more general sense, PEP screening is required for compliance. This is because whether or not a person involved with a business could be considered a PEP is an important factor in determining the business’s risk profile. We explain why in the next section.

Why are PEPs considered high risk?

A business owned by a PEP is a high-risk customer because the PEP’s position allows them to exert a degree of public political influence. It also affords them certain administrative and access privileges. This means:

  • They have greater opportunities to commit crimes, and/or more resources with which to do so.
  • They are bigger targets for criminals, including having their relatives or close associates (RCAs) manipulated or threatened to make them cooperate with illegal activities.
  • Their public influence can make any crimes they perpetrate (or at least cooperate in) more impactful and/or have more widespread consequences.

This doesn’t mean, however, that all PEPs are so high-risk that you can’t form and maintain relationships with the businesses they’re involved with. Indeed, many could go their entire customer lifecycles without ever exhibiting suspicious or illegal behavior. It simply means you have to take extra precautionary measures to make sure a PEP’s authority and power aren’t being used for illicit ends.

Do PEPs pose a higher risk for money laundering?

Yes. A PEP is a money laundering risk because of their public political and administrative authority. On one hand, this affords them more opportunities for social connections—potentially including criminal syndicates wanting to launder money. On the other hand, it can make it easier for them to conceal the movement of crime proceeds as part of their other civic functions.

Developing a PEP risk assessment framework

PEPs have powers and freedoms beyond those of regular citizens, which could be abused for unlawful ends. So how do you minimize the chance of working with a business related to a PEP who does use their position inappropriately? Here are some things to consider.

1. PEP screening at onboarding

Obviously, you should try to determine if the beneficial owner of a business is a PEP as early as possible in the customer lifecycle. That involves gathering enough unique identifying information to reliably match the person against PEP databases.

2. Ongoing client monitoring for PEP status

Just because a business has been a customer for an extended period of time doesn’t mean you should skip PEP screening for them. They still need to be checked on an ongoing basis, as it’s possible a beneficial owner or other person involved with the business becomes a PEP. This would necessitate a re-assessment of the business’s risk profile.

3. Extended PEP screening

The risks of PEPs sometimes don't stop at individuals related directly to your business customers. Some individuals may be considered “relatives or close associates” (RCAs): people who have strong personal or professional connections to PEPs, and so can present similar risks. Likewise, businesses may have entities in their supply chains that could be associated with high-risk PEPs.

4. Risk assessment and enhanced due diligence

Once a PEP is identified, you need to gather more background information on them. That includes the details of their politically-exposed position, their financial transaction history, and their criminal record or adverse media coverage history (if applicable).

Based on the information you find, you need to determine how much risk a business represents by virtue of being associated with a PEP. How influential is the PEP’s position? Is it domestic or international in nature? When did they attain the position, and how long have they held it? If they no longer hold the position, how long ago did they leave it? These are some questions that need to be asked and answered.

You will also need to determine, in the event that you onboard or retain the business as a customer, how to mitigate the risk associated with the PEP via an ongoing monitoring program.

5. Senior management approval

Even if a PEP ends up passing your EDD and risk assessment, a business associated with a PEP is still a high-risk customer. So senior management officials at your company should be involved in the aforementioned processes. They should also have the final say on whether the business associated with the PEP becomes — or stays — a client or partner.

6. General staff training

All (relevant) employees should receive regular anti-financial crime training. This training should include information on what PEPs are and why their positions put them at greater risk of getting — or already being — involved in financial crime (including money laundering, terrorist financing, and WMD proliferation financing). It should also cover how to identify PEPs, as well as the procedures that need to be followed once a PEP is identified.

How to perform a PEP risk assessment

Once you have a framework in place, the actual steps for assessing PEP risk will look something like this:

  1. Collect and verify customer information: Gather and validate details of businesses and their beneficial owners.
  2. Cross-check multiple sources for PEP status: Attempt to match these details against several reputable sources, so as to not miss potential matches due to data having errors or being stale.
  3. Perform a risk assessment on matches: Matched PEPs should be subjected to enhanced due diligence (EDD), including looking into their political/professional, financial, criminal (if applicable), and media coverage backgrounds.
  4. Design continuous monitoring plans: Based on a PEP’s risk rating, you should also develop a strategy outlining how (closely) you will monitor their activity for anything suspicious or illegal.
  5. Report to senior management: Risk teams should send their PEP assessments to senior management, who should then make a final decision on whether to onboard (or maintain) the PEP — or the business they represent — as a customer or partner.

Automate PEP screening and other CDD processes with Middesk

It can be a lot of work for you to identify which businesses are associated with PEPs. On top of that, you have to also assess how much risk they represent to you based on the PEP’s circumstances. This can take up a huge amount of resources that you’d rather be spending on other business functions.

Middesk offers a solution to automate CDD, including PEP screening through our Enhanced Screenings add-on package. Enhanced Screenings automates checks for not only PEP and RCA statuses, but also entities’ presence on US or global watchlists. This helps your team assess the risk of forming relationships with other businesses, based on whether or not they’re involved with PEPs and what level of risk those PEPs represent.

To learn more about Middesk, contact our sales team.
