September.16.2020
The Financial Crimes Enforcement Network (FinCEN) and federal banking regulators recently issued a Joint Statement intended to clarify the due diligence obligations of banks under the Bank Secrecy Act (BSA) regarding customers who are Politically Exposed Persons (PEPs). According to the Joint Statement issued on August 21, 2020, the regulators issued it in response to questions from banks about handling PEPs in a manner consistent with FinCEN’s Customer Due Diligence Final Rule (CDD Rule).[1] While the Joint Statement did not create any new obligations with respect to due diligence requirements for PEPs, it serves as a useful reminder to banks about their obligations under the CDD Rule.
The CDD rule enshrined a so-called “fifth pillar” of anti-money laundering (AML) programs by making explicit the existing regulatory expectations that banks, among other covered financial institutions, “implement appropriate risk-based procedures for conducting ongoing customer due diligence.”[2] (The CDD Rule also mandated the collection of beneficial ownership information for accounts held by legal entities.) FinCEN indicated at the time that this requirement did not represent new law; it merely codified existing expectations under the BSA for covered financial institutions to identify and report suspicious transactions and to know and understand their customers.[3]
Although the Joint Statement confirmed that the CDD Rule did not create any new or special due diligence requirements for PEPs, it also reaffirmed banks’ existing obligations under the BSA to identify and report illicit transactions by foreign PEPs. The Joint Statement clarified that the level and type of CDD for PEPs, as with other customers, should be commensurate with customer risk, that not all PEPs are high-risk, and that the risk presented by any particular PEP will depend on the facts and circumstances specific to that customer relationship. These observations do not materially change the PEP regulatory landscape. They are in line with previously articulated supervisory expectations from the Federal Financial Institutions Examination Council (FFIEC), BSA Examination Manual (FFIEC Manual), and prior FinCEN guidance. For those banks that have already built into their BSA/AML programs a risk-based approach for assessing the potential AML risks of PEP accounts, the guidance is not likely to warrant significant changes to existing policies and procedures.
Not All PEPs Are Created Equal
While BSA/AML regulations do not define PEPs, the term is commonly understood to include individuals who are or have been entrusted with a prominent public function, as well as their immediate family members and close associates.[4] The Joint Statement notes that PEPs should not be confused with “senior foreign political figures” (SFPFs), as defined in FinCEN’s private banking accounts regulation, which are a subset of PEPs.[5] Accounts held by PEPs may be at increased risk for holding illicit proceeds from corruption or other illegal activities linked to the account holder’s public position of authority and trust. For this reason, banks traditionally have been expected to “take all reasonable steps to ensure that they do not knowingly or unwittingly assist in hiding or moving the proceeds of corruption” by PEPs.[6]
Even prior to the CDD Rule, banks were not expected to screen and handle all PEPs in the same way, but rather to apply risk-based due diligence standards. The FFIEC Manual section on PEPs, most recently updated in 2015[7], cautions that identification of an account holder as a PEP “should not automatically result in a higher-risk determination,” but that the PEP status “is only one factor the bank should consider in assessing the risk of a relationship.”[8] Because “the risks presented by PEPs vary by customer, product/service, country, and industry,” the Manual recommends a risk-based approach for identifying, monitoring, and designing controls for PEP accounts and transactions as part of a bank’s AML program. According to FinCEN, ”[t]his could include obtaining risk-based due diligence information on PEPs, such as countries of residence of the accountholder(s) and beneficial owner(s) and the level of corruption and money laundering risk associated with those countries, source of wealth and funds, and information on immediate family members and close associates.”[9] The obligation of banks to file suspicious activity reports (SARs) is also relevant to monitoring PEP activity, as the obligation applies if a bank knows, suspects, or has reason to suspect a transaction involves the use of the bank to facilitate foreign corruption.[10]
For private banking accounts held by SFPFs, the BSA imposes enhanced due diligence program requirements. The program must be designed to identify any such account owned by, or on behalf of, an SFPF, and banks are required to apply enhanced scrutiny to such accounts that is reasonably designed to detect and report transactions that may involve the proceeds of foreign corruption.[11]
PEP Accounts Are Subject to the Same Risk-Based Due Diligence AML Program Requirements as Other Accounts
Fundamentally, banks are required to conduct risk-based due diligence when dealing with PEPs, as they do with all accounts. Not all PEPs will require the same level of CDD attention. The CDD Rule did not create new BSA/AML legal or regulatory requirements for PEPs. FinCEN and the banking regulators explicitly confirmed this in the Joint Statement, noting that the rule does not require that “banks have unique, additional due diligence steps for customers who are considered PEPs.”
The Joint Statement observed that an account holder’s status as a PEP, by itself, is not inherently risky, and that not all PEPs will require an increased level of CDD merely because they are foreign political figures. Rather, as with any customer, the guidance directs that “the level and type of CDD should be appropriate for the customer risk.” For example, a PEP from Singapore (a country with a Transparency International CPI Score of 85), who has low transaction volumes and a consistent, verifiable income, would be less risky than a PEP from Russia (CPI Score 28) with several sporadic high-value, rounded wire transfers and no discernable legitimate source of wealth or income.
Below, we discuss how the CDD Rule impacts each of the four core customer due diligence requirements identified by FinCEN specifically with respect to PEPs.[12]
(1) Customer identification and verification
The CDD Rule does not require banks to collect specific information on a customer’s PEP status. Indeed, it does not require the collection of any particular customer due diligence information beyond that needed to develop a customer risk profile, conduct monitoring, and collect beneficial ownership information.[13] If a customer, including a PEP, has a low-risk profile, the amount of information needed to understand the customer relationship would be less than if the customer presents a higher-risk profile.
(2) Beneficial ownership information and verification
Under the CDD Rule, banks are required to establish and maintain written procedures reasonably designed to identify and verify the identities of beneficial owners of legal entity customers, including PEP accounts. However, according to the Joint Statement, the CDD Rule does not require a bank to determine whether a customer or beneficial owner of a legal entity customer may be considered a PEP. Yet “[a] bank may choose to determine whether a customer is a PEP at account opening, if the bank determines the information is necessary for the development of a customer risk profile.”[14] In other words, depending on the level of risk, it may be necessary to determine whether an account holder or beneficial owner is a PEP. FinCEN has also noted that the beneficial owner requirements in the CDD Rule “should facilitate the identification of legal entities that may be owned or controlled by PEPs.”[15]
(3) Understanding the nature and purpose of customer relationships to develop a customer risk profile
Banks are expected to use the information gathered at account opening to develop a customer risk profile. The information should be used to develop a baseline against which customer activity, such as the customer’s expected use of wires or typical number of deposits in a month, can be assessed for possible suspicious activity reporting.[16] To develop a customer risk profile for PEPs, the Joint Statement identifies various factors that banks may consider, including: the customer’s public office and official government responsibilities; existing geographic-specific money laundering, corruption and terrorist financing risks; the level and nature of the customer’s authority or influence over government activities or officials; and indications the PEP may misuse their authority or influence for personal gain.
(4) Ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information
The Joint Statement makes clear that while it does not establish new supervisory expectations or alter existing BSA/AML legal or regulatory requirements, it “does not require banks to cease existing risk management practices if the bank considers them necessary to effectively manage risk.”[17] Nor, according to the guidance, should it be construed to “diminish the serious national security or criminal threats posed by PEPs, including SFPFs, who engage in illicit acts and crimes” such as terrorism, corruption, human trafficking, and other crimes. Thus, banks should continue to leverage the information in PEP customer risk profiles in transaction monitoring, SAR reporting, and SFPF EDD programs.
Conclusion
The Joint Statement urges banks to continue applying an approach they should already have in place: risk-based due diligence procedures on all customers, including PEPs. Banks should tailor the risk profiles of customers based on facts that are specific to that customer, including the customer’s status as a PEP or potential PEP. The Joint Statement is explicit that the CDD Rule creates no new regulatory requirements or supervisory expectations, and it does not require banks to change any due diligence policies that they consider necessary. This public acknowledgement should be useful to banks in understanding regulatory expectations and should provide guidance to banking regulators as they examine banks’ AML compliance programs.
[1] Bd. Governors Fed. Rsrv. Sys., et al., Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons, FinCEN (Aug. 21, 2020), https://www.fincen.gov/sites/default/files/shared/PEP%20Interagency%20Statement_FINAL%20508.pdf.
[2] Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016); see also 31 CFR Parts 1010, 1020, 1023, 1024, and 1026.
[3] Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398, 29420 (May 11, 2016).
[4] See Joint Statement, at 1. In contrast, AML and counterterrorist financing standards promulgated by the Financial Action Task Force (FATF) apply to both foreign and domestic PEPs. See FATF Guidance, Politically Exposed Persons, Recommendations 12 and 22, FATF-GAFI (June 2013), http://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf.
[5] 31 C.F.R. § 1010.620. An SFPF is a current or former Senior Official or Executive (someone with “substantial authority over policy, operations, or the use of government-owned resources”) (1) in the executive, legislative, administrative, military, or judicial branches of a foreign government (whether elected or not); (2) of a major foreign political party; or (3) of a foreign government-owned company. The term also includes companies formed by or for the benefit of such individuals, such individuals’ immediate family members (spouses, parents, siblings, children and a spouse’s parents and siblings), and persons widely and publicly known, or actually known by the bank, to be close associates of such individuals. 31 C.F.R. § 1010.605.
[6] FFIEC, BSA/AML Examination Manual, “Politically Exposed Persons – Overview,” FFIEC 290 (Feb. 27, 2015), https://bsaaml.ffiec.gov/docs/manual/09_RisksAssociatedWithMoneyLaunderingAndTerroristFinancing/23.pdf.
[7] The cited section on PEPs is dated 2/27/2015. Id. Regulators updated several other sections of the manual on April 15, 2020. See Federal and State Regulators Release Updates to BSA/AML Examination Manual, FFIEC (Apr. 15, 2020), https://www.ffiec.gov/press/pr041520.htm.
[8] FFIEC, supra note 6, at 291.
[9] FIN-2018-A003, Advisory on Human Rights Abuses Enabled by Corrupt Senior Foreign Political Figures and their Financial Facilitators, June 12, 2018, at 3 (citing 31 CFR § 1010.620).
[10] See FIN-2008-G005, Guidance to Financial Institutions on Filing Suspicious Activity Reports Regarding the Proceeds of Foreign Corruption (Apr. 2008); SAR Activity Review, Issue 19, Focus: Foreign Political Corruption May 2011.
[11] 31 C.F.R. § 1010.620(c). According to the FFIEC Manual, the bank should “obtain[]information regarding employment and other sources of income, . . . “seek information directly from the client regarding possible senior foreign political figure status . . . . check references,” and “make reasonable efforts to review public sources of information regarding the client.” FFIEC, supra note 6, at 293.
[12] See Information on Complying with the Customer Due Diligence (CDD) Final Rule, https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule (last viewed Sept. 15, 2020).
[13] See FIN-2020-G002, Frequently Asked Questions Regarding Customer Due Diligence (CDD) Requirements for Covered Financial Institutions (Aug. 3, 2020), at 2.
[14] Joint Statement, at 2.
[15] FIN-2018-A003, at 7.
[16] FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions 23 (Apr. 3, 2018).
[17] Joint Statement, at 2.