Are banks and credit unions required to monitor PEPs? The answer is "Yes" or "No," depending on whether the PEP is foreign or domestic. The U.S. Patriot Act of 2001 requires monitoring of foreign PEPs.
There isn't a global definition for a PEP, but the Financial Action Task Force (FATF) has issued guidelines in which the term was defined. Specific country legislation such as the USA Patriot Act or the European Union Directive use similar definitions generally made of these five layers:
Differing definitions appear in laws, regulations and guidance notes internationally. Aside from the differing definitions, there is a growing consensus among banks, governments and regulators that PEPs present heightened money-laundering risks. The two banks performing enhanced due diligence monitoring saw Spitzer's movement of money from one account to another as a possible act of "structuring" and filed a Suspicious Activity Report (SAR).
"We need to reassure institutions they need to take a risk-based approach and identify their customers and level of due diligence they need on those customers," says Sepideh Behram, Senior Compliance Counsel at the American Bankers Association. "Certainly if you have a high political official you may want to take a little more time to look and scrutinize more carefully than you would your average customer."
Are there "domestic" PEPs? Behram says there is no such thing as a domestic PEP. "But there is so much ambiguity around foreign PEPs, there's no single, unified list, like the Office of Foreign Assets Control (OFAC) list, in essence that would equate to a PEP list," she notes, complicating the job for a BSA compliance officer.
Behram likens domestic PEPs (such as a local politician) to a spider's web that a bank becomes entangled in. "Unfortunately we do not have any guidance on monitoring domestic PEPs, so institutions have to do their due diligence and take a risk-based approach, as they would with any other client they have," she says.
PEPs pose a challenge for institutions, just like the OFAC lists, says Debra Geister, Director of fraud prevention and compliance solutions at LexisNexis' Risk and Information Analytics Group. "You have a name, and more baseline information, but in most cases you're doing a match on a name only," Geister observes. It creates a lot of noise for the institution. "So from the institution's perspective, they should absolutely want to know when a customer is politically exposed, because that is part of their exam guidelines. I have to know that and how that risk fits into my organization."
Once the PEP is identified, what action to take is another issue. "So if they have a PEP in their database, and most institutions have them," Geister says, "they have to ask how do they monitor that account, and how do they react to that account, and what kind of extra steps do they take?"
Just as an institution needs to have practices in handling SARs, when they have a PEP in their midst, they need to know how deep they're going to get into that and have established practices in handling them from a process standpoint. The institution needs to be able to react when a PEP does something. "They need to clearly delineate and understand the risks to their organization and balance it with the risks that were seen in the Spitzer case. Certainly no institution wants to find itself in the headlines like what was seen in the Spitzer case, it adds a whole new dynamic to their detection model."
Financial institutions should already have a good understanding of the types of transactions that will be processed for their clients who are PEPs from other countries. Once the normal transaction activity is identified, institutions should watch for and investigate transactions that are outside the norm.
Recommended actions institutions should take:
While privacy once was the "cause célèbre," after 9/11 national security suddenly became more important than privacy, says Alan Abel, CPA and Executive Global AML Practice Leader at Crowe Chizek and Company. Abel is also a member of the BSA Advisory Group, which aids FinCEN. "Everything changed very quickly. The PEP became part of the US Patriot Act and a regulatory expectation," Abel says. Institutions are now required to go through their client relationships and identify potential foreign PEPs. If they do find one, it doesn't mean they fire them, "but they have to have a policy that says we do or we don't bank PEPs."
Banking foreign PEPs means the institution must perform enhanced due diligence on them and perhaps monitor their activity more closely: understanding their source of funds and their source of wealth, monitoring transactions to see what they're up to, and checking whether they're playing around with larger amounts of money than they would be expected to have in the first place.
Because of this increased due diligence, a lot of institutions have decided not to bank foreign PEPs, and they fire them. "Or they go back to the PEP to say, 'We're going to have to do some more homework on you,'" Abel says. The PEP might decide to take their banking elsewhere, but every other institution in the U.S. is subject to the same regulatory requirements, so they'll have a hard time getting banked somewhere else.
Some foreign PEPs try to take their banking outside of the country. "The problem with this is a lot of PEPs are from countries where they don't want the government knowing their business," Abel observes.
Abel sees that a number of institutions have quietly been saying, "We're not expected to look inside the U.S. for these types of people, and we can't call them a PEP -- there's a stigma attached to that name." Maybe the bank can still identify them as a high-risk customer, and still do its enhanced due diligence on their accounts. "If I am banking the mayor in a little town in Arkansas, I'm not going to call him a PEP, but I may treat him like one anyway," Abel says.