Compliance Approaches to Mitigate Politically Exposed Person Risks

When companies look overseas for third-party supply partners, they’re legally obliged to check if those partners are politically exposed people. A politically exposed person (PEP) is someone who holds or has held a high office of responsibility in the public sector or state-owned government enterprises.

In this article, we cover the following:

• What the definition of a politically exposed person is
• A 4-step approach to handling varying levels of risk with PEPs
• What happens when dealing with PEPs goes wrong

What Is a Politically Exposed Person?

According to the Financial Action Task Force (FATF), a politically exposed person is a person who is or used to be “entrusted with a prominent public function” whose power could be misused to commit crimes like bribery, corruption, money laundering, terrorist financing, and other criminal activities.

FATF lists the following as examples of politically exposed people — heads of state or government, senior government, judicial and military officials, senior executives of state-owned corporations, and higher-ranking political party officials.

There are differing FATF recommendations on how to classify PEPs:

• Domestic PEPs: These are individuals who have held one or more of the above positions in your home jurisdiction. A domestic PEP could be a person who is or has been entrusted with a prominent function, for example, a mayor.
• Foreign PEPs: These are individuals who have held one or more of the above positions for an overseas government or country.
• International organization PEPs: These are senior managers of overseas organizations including but not limited to directors, deputy directors, and board members.

The immediate family members or close associates of a PEP are also classified as PEPs.

FATF suggests that only the role of a foreign citizen should be a factor in determining PEP status and not their nationality.

When a person could be considered a domestic and a foreign politically exposed person, FATF recommends that businesses classify them as a foreign PEP. They recommend exercising additional caution in dealings with them because “foreign PEPs are always high risk,” according to the document FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22).

The 4 Quadrants of Risk

For anti-money laundering (AML)/combating the financing of terrorism (CFT) purposes, you should apply different risk profiles to a politically exposed person based on their current or former titles. The four quadrants of risk are as follows.

High Risk (Level 1)

• Heads of government or state
• Members of national and regional government
• Members of national and regional parliaments
• Heads of legal, judiciary, and military enforcement
• Central bank heads
• Highest-ranking political party officials

Elevated Medium Risk (Level 2)

• Senior officials in legal, judiciary, and military enforcement agencies
• Senior officials of state bodies and agencies
• High-ranking civil servants
• Senior members of religious organizations
• Diplomatic staff (ambassadors, consuls, and high commissioners)

Medium Risk (Level 3)

• Senior management and board members of state-owned organizations and businesses

Low Risk (Level 4)

• Local, country, city, and district mayors and assembly members
• Senior functionaries and officials of international/supranational organizations

A 4-Step Approach to Mitigating PEP Risks

You should adopt a similar risk management strategy when managing politically exposed people as you do with third parties when complying with sanctions programs. The following four steps should be part of your strategy.

1. Implement a Risk-Based Approach

At the outset, decide on the level of risk you’re willing to expose your business to. With certain suppliers, vendors, or customers, you may choose to tolerate additional risks on a case-by-case basis based on how important an individual PEP is to your business operations.

How you assess the level of risk may depend on a number of factors including:

• Compatibility with your business mission and vision
• Whether dealing with a PEP may contradict your company’s culture, vision, or values
• The legal and regulatory requirements you’re subject to in the U.S. and other countries you do business in
• The level of focus and investment you’re willing to put into onboarding and ongoing monitoring of PEPs

2. Establish a PEP Screening System

Start by running your existing customers and suppliers through your enhanced due diligence and Know Your Customer (KYC) frameworks again. You can purchase third-party PEP list suppliers like NameScan, Fineksus, and LexisNexis to assist you with this.

Information sources you could use when assessing levels of risk include:

• Government databases: The U.S. government has no specific PEP list, but their sanctions lists may provide you with additional details on some PEPs.
• Publicly available information: You can search for information and data on a politically exposed person through public record and in the press.
• Third-party information: You can run credit checks on potential suppliers and customers as well as ask them to provide trade references.
• PEP declarations: You can make it a requirement for PEPs to disclose sources of funds and beneficial ownership of companies for themselves and for their family members and close associates.

What about new suppliers or customers meeting your definition of a PEP? They need to be subject to an enhanced customer due diligence (CDD) process and KYC tests before you establish a business relationship with them.

Within financial institutions, senior management must approve the opening of a bank account or any other facility for potential PEP customers after they’ve completed CDD checks.

3. Perform Ongoing Monitoring

Post-account opening, how often you monitor higher-risk PEPs should depend on the perceived level of risk an individual poses.

Monitor relevant ultimate beneficial owner registers to check for changes within international organizations and other legal entities associated with a politically exposed person. If there are changes, ascertain what implications they have on your continued relationship.

If sanctions on a foreign country are introduced or change because of external events, like the Russian invasion of Ukraine, it may be prudent to schedule an emergency stakeholder meeting to reassess whether an ongoing relationship with a PEP still presents an acceptable risk.

4. Train Your Staff

From initial onboarding to everyday account management, train your staff on what to look out for with PEPs that may pose a risk to your business.

You might want them to establish and maintain a suspicious activity report for individual PEPs. These reports would contain details of all standard transactions as well as non-standard transactions. The latter could include situations where a PEP requests payment of an invoice into a different bank account or to a previously unknown third-party person or organization.

The details of these reports could be used to update individual PEP risk memos, particularly on significant risk contracts.

When Due Diligence Measures Fail

The financial, legal, and reputational threats of getting PEP compliance wrong are significant.

In 2017, Deutsche Bank was fined $150 million for its role in the Jeffrey Epstein case. Although it recognized him as a politically exposed person, the Department of Financial Services passing judgment said, the bank’s scrutiny "was not tailored to the specific risks that he posed."

British bank Standard Chartered has been fined multiple times worldwide because its PEP-related compliance procedures were not of a high-enough standard.

In 2019, Walmart was fined $283 million because it used third-party intermediaries to make payments to government officials in Mexico, India, China, and Brazil. They didn’t do enough to check that these payments weren’t bribes. 

This put the retailer in direct violation of the Foreign Corrupt Practices Act. The severity of the offense was further aggravated because they were tipped off that this may be happening but, in judgment, the Securities and Exchange Commission ruled that the company did not “sufficiently investigate the allegations.”