Know Your Customer, Politically Exposed Person and Customer Due Diligence
- CIMA Financial Regulation Consultants
On August 21, 2020, the main regulatory banking agencies from the United States issued a joint statement (Joint Statement) clarifying the obligations of banks in the United States regarding customer due diligence (CDD) and enhanced due diligence (EDD) processes surrounding Politically Exposed Persons (PEP) [1]. The Statement is a result of the questions raised by banks, in trying to gain efficiencies and reduce compliance costs, regarding the level of due diligence required for a client who is considered a PEP and how to apply a risk-based approach to PEPs in a manner consistent with CDD requirements. The Joint Statement does provide some clarity regarding these points, but, in practical terms, does the Joint Statement ease the burden on CDD and EDD obligations?
Before answering this, a brief description of the key takeaways from the Joint Statement:
- PEPs should not be confused with the term “senior foreign political figure” (SFPF) as defined under the BSA private banking regulation, a subset of PEPs.
- BSA/AML regulations do not define a PEP; the term is not recognized under US law. The term, however, is commonly used to refer to foreign individuals who are or have been entrusted with a prominent public function, as well as their immediate family members and close associates [2].
- Politically Exposed Persons do not include U.S. public officials. It is not clear, however, whether this includes public officials from State, County, City or even territories of the United States (i.e. Puerto Rico, US Virgin Islands, etc.).
- While banks must adopt appropriate risk-based procedures for conducting CDD, there is no regulatory requirement or supervisory expectation for banks to have unique, additional due diligence steps for customers who are considered to be PEPs. Similarly, there is no requirement to have processes to identify PEPs, but a bank may choose to do so in order to develop a customer risk profile.
- Banks’ risk-based procedures should include, among other things, steps to enable banks to: (i) understand the nature and purpose of customer relationships, and (ii) conduct ongoing monitoring, including conducting periodic reviews, to identify and report suspicious transactions and update customer information.
- Not all PEPs are high risk solely by virtue of their status. Rather, the risk depends on facts and circumstances specific to the customer relationship. For example, transaction volume, deposit account, known legitimate source(s) of funds, specific products and services used, geography, residency or domicile and/or time out of public office.
- Banks may leverage existing processes for assessing geographic-specific risks when developing the customer risk profile.
- A bank may also consider other factors in assessing the risk of these customer relationships, including the type of products and services used, the volume and nature of transactions, the customer’s activity, the customer’s official government responsibilities, the level and nature of the customer’s authority or influence over government activities or officials, the customer’s access to significant government assets or funds, and the overall nature of the customer relationship.

[1] Please see: Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, National Credit Union Administration, Office of the Comptroller of the Currency; August 21, 2020.
[2] In the securities industry PEP and SFPF have been used interchangeably. Please see: SEC’s Anti-Money Laundering (AML) Source Tool for Broker-Dealers, October 2018: https://www.sec.gov/about/offices/ocie/amlsourcetool.htm and FINRA Regulatory Notice 19-18, where FINRA uses the term PEP as a trigger for red flags.

The Joint Statement seems to provide optimism in that it states that entities will not be reviewed or tested on their ability and success in identifying PEPs, establishing special CDD procedures or enhancing monitoring requirements based on a PEP designation. Rather, the guidance is to assess the risk of each customer based on the individual set of unique circumstances that the customer presents. Furthermore, it seems that the overall guidance is that if your program has an approach with risk-based triggers proportionate to the risk presented by each client, entities should be in compliance with regulatory mandates. However, this is where the Joint Statement turns tongue in cheek.
The Joint Statement is saying that your program should apply CDD and EDD processes that are commensurate with the client risk. When viewed in this context, and all things being equal, PEPs typically are at the highest level of risk category for clients. Therefore, almost always, they will be triggering EDD protocols. In this regard, the Joint Statement does not provide any relief on CDD/EDD or provide new guidance; if anything, it reiterates what the industry already knows and is doing: assess the risk based on a client’s characteristics and, if a client is deemed a PEP, perform an enhanced due diligence and monitoring process.
Now, this is good news, in a certain sense, as we already know what needs to be done as part of a successful risk-based Know Your Customer/CDD Program. By helping and working with financial services entities of all sizes that are mainly focused on international clients, we have noticed the following best practices that we share with you:
- Perform an assessment and reflect on your Know Your Customer/CDD Program and determine if you have the right framework for your business model. In other words, does your program consider your client target market, products and services offered and footprint?
- These elements (client target market, products and services offered and footprint) should serve as a starting point or first layer of qualifiers for your risk-based approach. Remember, if you are serving international clients you are expected to be well versed in the international jurisdictions and the risks that they may present.
- Then, supplement them with a second layer, which should include customer-specific attributes, for example, source of wealth, work used to earn a living (present and past, are they exposed to public roles) and domicile of the client.
- Use a third layer of broader products and services attributes to round off what would be your client risk profile. These could include understanding the purpose of the account, the intended account structure, and the expected activity on the account.
- Finally, do not be afraid to seek an independent set of eyes to assist you in your assessment. Remember, an assessment is not the same as a review (i.e. audit). An assessment is a natural managerial process of internal reflection on a specific process, used to seek and achieve improvements, and thus should not result in findings or exceptions.
Based on these, you should then determine the level of due diligence and monitoring you would be performing for your customers. Again, these are just examples, as our experience has shown that each entity is unique and some of these triggers may differ. But they are best practices that should be considered.