A guide to dealing with PEPs following the FCA’s findings of its multi-firm review
The FCA recently published findings of its review on how effectively firms are following its 2017 Guidance on the treatment of Politically Exposed Persons (PEPs).
This review, which was requested by the UK Parliament, assessed whether firms are taking a risk-based and proportionate approach in their management and treatment of UK PEPs.
One of the key drivers for the review was the belief among several well-known PEPs that they had been unfairly treated, leading to concerns that certain UK PEPs, including politicians, might be refused access to financial services products purely due to them being a PEP.
The findings of the review are significant for financial firms dealing with PEPs and, at a minimum, all firms should review their PEP policies and procedures against these findings.
In this 2-part guide to dealing with PEPs, Bruce Viney discusses the review and delves into the actions that firms should take going forward.
The review findings
Who is a PEP/RCA?
The FCA 2017 Guidance, s2.16, highlights the statutory definition of a PEP (individuals entrusted with prominent public functions) and goes on to provide a list of roles that meet that definition. The review notes that half of the firms reviewed used a definition of PEPs or of Relatives and Close Associates of a PEP (RCAs) that was wider than the one laid out in the 2017 Guidance.
The FCA points out that going beyond the definition in the Guidance may subject customers to Enhanced Due Diligence (EDD) measures inappropriately, leading to firms asking for disproportionate information.
Whilst the review accepts that a firm may go beyond the definitions in the guidance, this must be done using an appropriate and clear risk-based approach. The same is true when defining RCAs.
Declassifying PEPs
Firms should review any existing PEPs on a regular basis in line with their ongoing monitoring and due diligence.
When a PEP ceases to meet the definition, the Regulations require that the individual should continue to be subject to appropriate EDD for a period of at least 12 months. After that period, firms can consider whether to declassify a PEP on an assessment of their risk. RCAs should be treated as ordinary customers from when the PEP leaves office.
The review reminds firms of the requirements of the Consumer Duty, which requires firms to deliver good outcomes for retail customers, and the link this has to an appropriate, risk-based declassification.
Conducting a proportionate risk assessment of UK PEPs and RCAs
Under the Guidance, firms are required to risk assess on a holistic, case-by-case basis and avoid a generic approach. A holistic review means that no single risk factor should cause a customer to be classified automatically as a PEP.
The Guidance states that UK PEPs should be treated as lower risk (in the context of applying EDD measures) unless a firm has assessed other risk factors which indicate that they pose a higher risk. RCAs will generally be expected to follow the same risk rating as the PEP unless there is reason not to.
The review highlighted firms that had failed to set out clearly the reasons and rationale for a customer’s risk rating, unexplained changes to that rating, or inconsistent application of risk ratings.
Failing to undertake a holistic risk assessment on a case-by-case basis creates a risk that a customer may be subject to disproportionate measures by firms when applying their EDD obligations.
Proportionate EDD
The Guidance provides examples of risk-based measures that firms can take, depending on the level of risk assessed. Whilst the review found that controls and procedures needed improvement (e.g. greater detail was needed in many cases), the evidence from customer file testing suggested that these issues did not generally translate into excessive or overly burdensome EDD measures in practice.
However, other issues included insufficient Source of Wealth (SOW) and Source of Funds (SOF) checks, and most firms had policies, procedures and controls that needed improvement.
Examples include failing to provide practical guidance on how to carry out a risk-based approach and assess its impact on the appropriate levels of EDD, or on how to carry out SOF and SOW checks.
Ongoing monitoring
Under the Money Laundering Regulations and FCA Guidance, firms must conduct ongoing monitoring of PEP customers, the nature and extent of which should be dependent on the risk assessment for that customer.
Several of the firms under review fell short. These failures included:
- transaction monitoring that was not adequately risk-based;
- a lack of practical guidance and examples, including examples of ‘triggers’;
- policies and procedures that lacked detail; and
- insufficient evidence supporting transaction monitoring.
Deciding to reject or close accounts
The Guidance states that a firm must not close an account or refuse a customer purely because they are a PEP or RCA. This is intended to ensure that customers are not unjustly denied access to financial services. The review states that it found no evidence of firms breaching this section of the Guidance.
The review found that, where PEPs or RCAs have been refused or an account closed, this has been related to financial crime red flags, which would apply to PEPs and ordinary customers alike.
Communicating with customers
Firms are required to provide all customers with clear and adequate information, for example explaining why certain documents or checks are required. This is consistent with the requirements under the Consumer Duty.
All firms which were part of the review acknowledged the need for effective communications. However, some firms had inadequate processes for customer information requests. In some cases, the justification for additional information was too generic, for example, the firm stating that it needed to fulfil its regulatory obligations.
Keeping PEPs’ AML systems and controls under review
The FCA Financial Crime Guide and Regulation 21 of the Money Laundering Regulations set out that firms must monitor the effectiveness of their policies, procedures and controls.
Some of the firms reviewed did not provide sufficient evidence of adequate and effective testing in the last two years. Some firms also failed to show evidence that any recommendations coming out of testing were implemented.
The review highlights a lack of relevant management information – some firms did not provide any in relation to PEPs or RCAs. In other cases, data was insufficiently granular.
Senior management approval of EDD clients, including PEPs, is a mandatory requirement under Regulation 35 of the Money Laundering Regulations. Most of the firms reviewed did not have a fully effective approach to management sign-off.
Staff training
Regulation 24 requires firms to take appropriate measures to ensure that employees are aware of their anti-money laundering (AML) risks and requirements. Training should be appropriate to employees’ roles and, where appropriate, this should include identifying and defining PEPs and RCAs, and explaining the associated customer due diligence (CDD) requirements and processes.
A significant majority of the firms reviewed needed to improve their training. Training lacked practical examples/case studies and examples of good and poor practice in relation to the risk management of PEPs. In some cases, training and guidance given to staff differed.
Actions firms should take
Check that policies, procedures and controls give practical, clear and consistent guidance, with examples, relating to:
- Defining PEPs and RCAs in accordance with the law and Guidance
- Conducting case-by-case holistic risk assessments
- Providing recorded evidence of any decision to treat a customer as a PEP or RCA who does not hold a role described in the Guidance
- When and how to declassify PEPs and RCAs
- Risk assessing UK PEPs and RCAs, including the obligation to treat UK PEPs and RCAs as presenting a lower risk than foreign PEPs if no enhanced risk factors are present
- Applying appropriate and proportionate EDD
- Providing clear guidance and examples for carrying out SOF and SOW checks and senior management approval
- Risk-based ongoing monitoring, including guidance on triggers, and recording sufficient relevant information
- Taking a risk-based approach to closing or rejecting accounts, recording the reasons for the decision and the actions taken
- Gathering and sharing appropriate management information
- Regular, timely and risk-based reviews of all relevant AML controls, procedures and policies.
Make any changes to policies, procedures, controls, or training and ensure that the changes are fully embedded, managed and signed off.
Consider the following sources:
- The FCA PEP Guidance
- The findings of the review
- All relevant obligations under the Money Laundering Regulations
- The FCA Financial Crime Guide
- The Joint Money Laundering Steering Group recommendations
When requesting information from PEPs or RCAs, firms must be clear and effective in communicating the request so that PEPs or RCAs can understand what information is being asked for and why.
Where appropriate, firms should ensure that they comply with the requirements under the Consumer Duty.
Firms should ensure that training is carried out in accordance with their regulatory obligations, which requires training to:
- Focus, on a risk basis, on staff’s roles and responsibilities
- Use practical, relevant examples and case studies
- Include guidance and examples on risk assessments, information requests and good and poor practice
- Take place as often as necessary
- Be consistent with policies, procedures, controls and guidelines
- Record and retain training attendance and training materials.
The review findings are significant for financial firms dealing with PEPs; at minimum, all firms should review their PEP policies and procedures against these findings.
About the Author
Bruce has been working in financial services for nearly 40 years, 25 of these as a learning professional focusing on compliance for a wide range of financial services companies, mainly through the analysis, design, creation and implementation of global training programmes for Tier 1 Banks and FTSE 100 companies. He has been Global Head of Compliance Learning for such firms three times and has provided compliance learning consultancy to similar companies many times.
Bruce has also provided compliance training and consultancy in other fields such as real estate, industrial supply chains, charities, payment services providers, gambling and casinos and many others.
A former Director of Training for CISI, Bruce has extensive experience of compliance and financial services-related qualifications and qualified as a Chartered Accountant with Price Waterhouse (as it was then known).
Bruce provides excellent training events on compliance, with a specific focus on financial crime, including all aspects of anti-money laundering, anti-bribery and corruption, fraud and sanctions.