AML Implications for Politically Exposed Person (PEP)
Businesses operating in the UAE, particularly the Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Services Providers (VASPs), may occasionally encounter customers that are classified as Politically Exposed Persons (PEPs) according to the Federal Decree Law on Anti-Money Laundering (AML). This blog provides insights into the AML compliance implications for a regulated entity when they deal with a Politically Exposed Person (PEP).
It becomes essential for businesses such as DNFBPs and VASPs to conduct Customer Due Diligence (CDD) of existing and prospective customers to identify the sanctioned individuals or entities and individuals who hold the capacity to influence their business decisions, such as allocation of funds in a certain project or may knowingly or unknowingly facilitate money laundering (ML), financing of terrorism (FT), and proliferation financing (PF) risks along-with the increased risk of corruption and bribery, such as PEPs.
The blog also covers situations where an existing low-risk customer has recently been classified as PEP and its AML compliance implications.
UAE Regulatory Framework Concerning PEPs
The UAE has implemented robust AML laws to combat financial crimes, including ML, FT, and PF. The regulatory framework in the UAE includes federal laws that are aligned with international standards set out by the Financial Action Task Force (FATF).
Legal Framework concerning PEPs:
Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations as amended by Federal Decree Law No. (26) of 2021 (“AMLCFT Law”).
Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended by Cabinet Decision 24 of 2022 (“AML-CFT Decision”).
Cabinet Decision No. (109) of 2023 On Regulating the Beneficial Owner Procedures.
Legal Framework concerning PEPs
Cabinet Decision No. 74/2020 Concerning the UAE List of Terrorists and the Implementation of UN Security Council Decisions Relating to Preventing and Countering Financing Terrorism and Leveraging Non-Proliferation of Weapons of Mass Destruction, and the Relevant Resolutions.
The AML-CFT Decision, in Article 15, imposes specific Customer Due Diligence (CDD) obligations on regulated entities with respect to Customers who are Politically Exposed Persons (PEPs), which include the Direct Family Members or Associates Known to be Close to the PEPs.
FATF Guidance on PEPs
The Financial Action Task Force (FATF) is the global watchdog that gives recommendations and guidance for combating ML/FT and PF risks. The FATF has issued a guidance named, Politically Exposed Persons (Recommendations 12 And 22).
The FATF Recommendations and guidance on recommendations 12 and 22 elaborate on steps to be taken while onboarding a customer who is a PEP or continuing a business relationship with a customer who is recently classified as PEP.
Understanding Politically Exposed Persons within AML Landscape
Who is categorised as a PEP?
The UAE Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) laws define a Politically Exposed Person (PEP) as a natural person assigned with prominent public functions in any Emirate in UAE or any country other than UAE.
PEP and PEP Screening under UAE AML Regulations pre
A prominent public function does not necessarily need to be popular, but it holds considerable importance to society at large. Such a position puts a PEP in the driver’s seat where they can influence public policy, government programs, and the functioning of any business, establishing a business relationship either directly, through beneficial ownership, or close associates or family. A PEP may acquire a prominent public function or position in a government or government organization using an appointment, promotion through civil ranks, or majority from an election.
Identifying PEPs while carrying out AML compliance is important because PEPs are persons with political power who can exercise political influence or pressurize businesses to carry out business activities and other administrative tasks at their discretion without creating a paper trail.
It is noteworthy that not only the person with the political power but also the family, friends, and close associates are also considered high-risk customers owing to the relationship they share with the PEP. Here are broad categorizations of PEP.
Domestic PEPs
Politically Exposed Persons who have been assigned to prominent public posts in the UAE are known as domestic PEPs.
Foreign PEPs
Politically Exposed Persons who have been assigned with prominent public posts in any other foreign country are known as foreign PEPs.
Heads of International Organizations (HIOs) PEPs
Politically Exposed Persons who have been appointed with the management or any prominent function within an international organization are known as the Heads of International Organizations (HIOs).
Family & Friends
The direct family members of a PEP, i.e. parents, children, spouses, and spouses of children, are treated as PEPs. The regulated entities need to take a risk-based approach and consider whether the relationship between the customer and the PEP could be exploited or abused to obscure the PEP’s connection to illicit funds, as the above is not an exhaustive list.
Business Associates
People with close business relationships with PEP are also considered persons associated with PEPs; people holding joint beneficial ownership or legal arrangements with the PEP are considered with similar risk as PEP themselves. Associates who conduct transactions on behalf of the PEP are also categorized according to the degree of risk they pose.
What are examples of Politically Exposed Persons?
Here are the examples of persons considered as PEPs:
Examples of Domestic PEPs include heads of government or state, senior government, military and judicial officials, senior executives of state-owned corporations, and important political party officials holding official posts within the government.
Examples of Foreign PEPs include heads of government or state, senior government, military and judicial officials, senior executives of state-owned corporations, and important political party officials holding official posts within the government.
Examples of HIOs PEPs or International Organisation PEPs include managing director, secretary, chairperson, president, and such designations in international organizations such as the World Bank and International Monetary Fund, to name a few.
Examples of close associates of PEPs include natural persons having joint ownership rights in a legal person or arrangement or any other close business relationship with PEP, and natural persons having individual rights in a legal person or arrangement established in favor of PEP.
Examples of related persons include direct family members, close associates, partners, prominent members of the same political party or civil organizations as the PEP, close friends or advisors, business partners or associates, etc.
Importance of Including PEP Screening within AML Framework
There are several factors that businesses operating in the UAE need to consider in their AML risk assessment, such as the type of business, the nature, category, demographics of their customers, the country in which it operates, and the local AML regulations.
The AML framework of the DNFBPs and VASPs needs to include and clearly state the steps, procedures, methods, and approach when it comes to onboarding a customer who is classified as PEP or addressing customer due diligence enhancement when an existing low-risk customer is newly classified as PEP.
Businesses must be mindful of covering the aspect in their AML framework where the UBOs of legal entity customers are identified and screened across relevant databases to find out if such UBO, or UBO’s family, friends, or close associates qualify as PEP, and take necessary customer due diligence measures, derived from the risk-based approach.
It is important for businesses intending to establish business relationships with individuals or legal entities to identify the true nature of the person involved in such proposed business relations.
Businesses need to ensure that their establishment does not get abused or misused as an instrument to carry out illicit activities such as ML/FT and PF and related predicate offenses.
Identification of PEPs becomes important as a prospective individual customer or beneficial owner of a legal entity might try to evade AML/CFT, anti-bribery, and anti-corruption measures. The following is the list of reasons that make undertaking PEP screening important:
Importance of Including PEP Screening within AML Framework
Compliance with AML/CFT and TFS Laws
The AML/CFT and Targeted Financial Sections (TFS) regulations in the UAE require businesses such as DNFBPs and VASPs to have mitigation measures in place to curb ML/FT and PF risks to which they are exposed by their customers. They need to formulate and undertake effective policies, define processes, and implement relevant measures to identify PEPs and mitigate any potential risks associated with PEPs. The identification of PEPs through screening will help DNFBPs and VASPs implement appropriate controls to mitigate risks effectively associated with PEPs.
Identify and Mitigate ML/FT and PF Risks Associated with PEPs
The DNFBPs and VASPs must specify in their AML framework the PEP screening software, tool, and Application Programming Interface (APIs) used to access government, public, commercial, and other forms of databases maintained by relevant organizations regarding PEPs.
The AML framework must also specify if the business is going to rely on any in-house database or information system for sharing data within the group organizations. The AML framework also needs to mention whether they are issuing customer self-declaration forms, seeking information from customers themselves, and whether any of them are PEP or associated with PEP in any manner.
Only when PEP identification is timely and successful can the ML/FT and PF risk mitigation measure-related workflows be triggered, such as enhanced customer due diligence by seeking sources of funds and sources of wealth from the PEP and obtaining senior management approval for establishing or continuing such a business relationship.
Reputation Management
The DNFBPs and VASPs attract tremendous reputational risk whenever establishing or continuing a business relationship with a PEP. The knowledge of whether their customer is a PEP enables them to take suitable and effective ML/FT and PF risk mitigation measures. If they fail to identify a customer who is a PEP and fail to deploy necessary risk mitigation measures, then such a situation may result in their organization being misused or abused by corrupt PEPs to carry out illicit activities such as ML/FT and PF or corruption and bribery.
Involvement of any business with crimes leads to severe reputational loss, leading to business crumbling in no time. The correct and timely identification of PEP helps DNFBPs and VASPs undertake timely risk mitigation measures and maintain reputation and trust among regulatory bodies as well as customers.
Adherence with Global Standards
The implementation and adoption of PEP identification processes that help in managing PEP risk have been recognized as an essential element of FATF recommendations to combat ML/FT and PF risks. DNFBPs and VASPs, by including PEP screening, formulation, and deployment of adequate PEP risk mitigation measures within the AML framework, showcase their adherence to the global standards for mitigation of ML/FT and PF risks from PEPs.
Maintain Autonomy of Decision-Making
There have been instances where corrupt PEPs have taken up unofficial control of businesses such as DNFBPs or VASPs through legal entities of which they are UBOs and used such business relationships to further their illicit motives by exerting their undue influence on the DNFBPs or VASPs to make decisions regarding its operations and functioning.
Businesses such as DNFBPs and VASPs are at risk of being used by corrupt PEPs to carry out their illegal tasks by exerting their influence, power, and control where the business or its board of directors loses their autonomy to decide their course of action. The chance of businesses being held hostage by corrupt PEPs is a risk that can be effectively mitigated by screening business relationships for PEP identification and taking timely PEP risk mitigation measures.
Politically Exposed Person
Devising PEP Risk Assessment Methodology
Once PEP identification and risk mitigation measures have been included in the AML framework, the AML framework needs to address PEP risk assessment methodology; the business needs to assess the ML/FT and PF risk posed by such a PEP on their business. For this purpose, DNFBPs and VASPs need to undertake PEP risk assessment and assign PEP risk rating according to set criteria.
PEP Risk Rating Criteria
The PEP risk rating is assigned by consideration of several factors as follows:
A. The nature of PEP’s position to influence or control decisions.
The nature of PEP’s control over issues or decisions.
The extent of PEP’s control over the disbursement of funds.
The extent of PEP’s autonomy or independence in decision-making.
The PEP’s rank or status within the government or international organization.
B. The anti-corruption controls in place in PEP’s own country (in case of a foreign PEP).
The country’s rating on transparency and corruption aspects.
The level of investigations and prosecutions on the charges of high-level corruption in a country.
The internal audit function within the PEP’s entity (in case PEP is a UBO of a legal entity).
The asset disclosure requirements on the part of PEPs in the country or jurisdiction.
C. Other risk factors related to products, services, customers, geographies, delivery channels, and technology should be given due consideration.
D. If there are more than two PEPs involved in an entity where one of the PEPs carries high risk, then the treatment of the entity as high-risk should be considered.
Assessing PEP Risk against Risk Appetite
Risk appetite means the ability of a company to navigate and deal with the consequences of a risk, if, in any event, such a risk materializes.
Every business must formulate its ML/FT and PF risk assessment, within which the ML/FT and PF risk appetite statement must be defined. The risk appetite statement defines the degree and extent of ML/FT and PF risk that the business is willing to take in pursuit of forming business relationships and engaging in profitable transactions. To implement effective AML measures for PEP risk management and assessment, businesses need to assess and compare risks imposed by every PEP against its risk appetite statement.
Do all PEPs pose a risk?
Different PEPs pose different levels of risk to a business. A customized approach is needed to identify a PEP, perform a PEP risk assessment, and assign a PEP risk rating, as not all PEPs can be classified as high-risk. It depends on the regulatory requirements, the businesses’ internal AML policies, and their risk-based approach.
Businesses cannot employ a blanket approach as not all PEPs pose a high degree of ML/FT/PF, corruption, and bribery risk. DNFBPs and VASPs need to develop a holistic approach that considers several factors, such as the nationality of the PEP, the ability of a PEP to influence business autonomy, connection to the transaction, and nature of the transaction with the said PEP, and so on, before assigning a risk rating to a PEP.
Steps to Identify a PEP
As the PEP risk assessment methodology is drafted and included in the AML framework, businesses must chart out steps through which they will identify if their existing or prospective customers are PEP. There are no strict steps defined anywhere in the regulation for identifying PEPs, but generally, PEP identification is carried out by a step-by-step methodology for effective identification of a PEP:
1. Collection of Key Identifier Details
The first step in identifying a PEP is ascertaining the correct name and profile of the natural person or UBO of a legal person and readying their details for carrying out a PEP screening exercise. This process includes collecting key identifier information such as name, aliases, last known address, ID or passport information, nationality, occupation, and age of the customer. This helps regulated entities assess the risk associated with customers by allowing them to understand the purpose and nature of the business relationship.
5 Steps to Identify a PEP
2. Entry of Key Identifier Details into Name Screening Software
The next step is to carry out a screening process against the PEP database. As part of this step, businesses need to subscribe to relevant lists and utilize databases that contain lists of known PEPs, their family members, and close associates. This facilitates businesses such as DNFBPs and VASPs in comparing customer information against these databases to identify any matches.
3. Running PEP Search in Name Screening Software
This step involves the name screening software running the process of comparing customer details across various databases containing names and related details of PEPs.
4. Disambiguation of Matches
After the screening, DNFBPs and VASPs need to check if the potential matches found during screening are false matches or true matches. If false matches are found, the company can onboard such a customer without conducting enhanced due diligence. If a true match is found, the appropriate enhanced due diligence measures must be carried out depending upon the steps prescribed in the DNFBPS or VASPs AML framework.
5. Establishing if Match is a Domestic PEP or Foreign PEP
Lastly, upon ascertaining a true match, the DNFBPs or VASPs need to ascertain if the PEP is a domestic PEP or a Foreign PEP to ascertain the degree of ML/FT or PF risk posed by such a PEP and take necessary further steps.
Identifying PEPs is crucial for assessing their risks and further undertaking mitigating measures. Thus, the identifying process is an important factor in overall PEP risk assessment, aiding regulated entities in fulfilling their legal obligations and mitigating the risk of being involved in ML/FT/PF or predicate crimes or unethical practices associated with PEPs.
Implementation of AML Compliance Measures for Dealing with PEPs
Like any other ML/FT and PF risks, the UAE has also included AML provisions to deal with PEPs and their associated ML/FT and PF risks.
The following is the list of regulatory requirements that DNFBPs or VASPs need to conduct when engaging with PEPs:
Know Your Customer (KYC)
DNFBPs or VASPs need to identify the PEP status before establishing a business relationship or engaging in transactions with them. For this purpose, the AML-regulated framework in the UAE mandated all regulated entities to undertake KYC processes and procedures for PEPs.
Name Screening
The regulated entities must carry out name screening to identify sanction and PEP matches, if any. If matches are found, they need to be disambiguated with proper reasons.
Customer Risk Assessment
Identifying PEP is not enough to assess the risks associated with it, as the risks would vary for various reasons, such as depending on the nature of PEP, the country they belong to, and any prior connection with financial crimes. Therefore, UAE’s AML regulatory framework requires DNFBPs or VASPs to undertake customer risk assessment processes to assess the risks associated with each person designated as PEP.
Enhanced Due Diligence (EDD) Procedure
The regulatory framework in the UAE requires regulated entities to conduct enhanced due diligence for high-risk customers. Generally, all PEPs are recognized as high-risk due to their power to influence the government’s decision-making and spending.
However, there is a possibility that the particular nature of a specific transaction or business relationship may not pose any significant risk; therefore, DNFBPs or VASPs are required to adopt a risk-based approach in formulating their customer onboarding policy on PEPs and allocate adequate PEP risk rating according to the risk rating matrix applicable for their own business. In simple words, a blanket approach is not recommended, and case-to-case decisions must be made considering the risk-based approach.
Ongoing Monitoring of Business Relationships
When regulated entities decide to engage with a person recognized as PEP and have taken all necessary measures to mitigate any risks associated with them, they still need to keep an eye on such persons. Therefore, DNFBPs and VASPs must conduct ongoing monitoring of business relationships with PEPs to safeguard themselves from any probable ML/FT and PF risks associated with PEPs.
Transaction Monitoring
In addition to ongoing monitoring of business relationships, DNFBPs and VASPs also need to monitor transactions entered with PEPs. This is done to assess transactions undertaken by PEP that show any suspicion of financial crimes or have monies that might be proceeds of such illicit activities. Therefore, to combat ML/FT and PF activities related to such transactions, DNFBPs, and VASPs need to monitor transactions in which PEPs deal.
Reporting Suspicion
Regulated entities must report any activities or transactions that raise concerns over ML/FT and PF. When assessing PEP’s status or transactions, if DNFBPs and VASPs encounter any suspicious transaction or activity, they must report it to the regulatory authorities on the goAML platform.
CDD Measures for Foreign PEPs
Adequate and appropriate AML risk management tools and systems to find out whether any customer or Ultimate Beneficial Owner (UBO) of a legal entity or legal arrangement customer with whom the business relationship is ongoing or proposed to be established can be classified as a PEP.
Seek senior management approval prior to commencing a business relationship or continuing an ongoing business relationship with a PEP.
Seek a source of funds and source of wealth for customers and UBOs identified as PEP.
Insisting that the first payment for the transaction comes from the bank account help in PEP’s own name
Carry out enhanced ongoing monitoring of such business relationships.
CDD Measures for Domestic PEPs and PEPs who held prominent public functions in the past
An inadequate and appropriate mechanism or system is needed to identify if a customer or a UBO can be classified as a domestic PEP or someone who used to be a PEP.
Adequate and appropriate measures for:
Seeking senior management approval prior to commencing a business relationship or continuing an ongoing business relationship with a PEP.
Seeking the source of funds and source of wealth of customers and UBOs identified as PEP.
Insisting that the first payment for the transaction comes from the bank account help in PEP’s own name.
Carrying out enhanced ongoing monitoring of such business relationships.
Challenges in Assessing and Managing PEP Risk
Assessing whether a customer is PEP is a crucial part of the AML framework. However, DNFBPs and VASPs may come across various challenges when assessing and managing PEP Risk.
Here’s a list of a few challenges:
1. Evolving Regulations
The legal landscape is dynamic as it keeps evolving with the introduction of new ML/FT and PF typologies, resulting in amendments and repeal of redundant laws, to be replaced by new and more effective legislation. Therefore, it is difficult for DNFBPs and VASPs to keep pace with ever evolving regulatory landscape, which ultimately results in regulatory changes concerning and governing treatment of customers classified as PEP.
2. Updates in the PEPs Status
Political power or prominent public position keeps changing hands with changes in political tides due to elections and the removal or elevation of political officials; a PEP may not always hold the same influential position as he held in the present or past. Also, a new low-risk individual can be classified as PEP. These changes in the nature of the person from being a PEP to a non-PEP or from being a non-PEP to a PEP result in mismatch or inaccurate PEP screening results. These updates in the nature of PEPs make the whole process of identifying PEPs much more difficult.
3. Verification and Identification of Status
The identification and verification of PEPs is a challenge in itself due to the difficulties involved in collecting and verifying their identification documents. These difficulties arise as PEPs may or may not always cooperate in providing the necessary information. In addition, businesses may rely on government websites or databases containing details of PEP for identifying the PEPs. However, the same databases do not always provide sufficient details to verify the identity of PEPs, or such databases may not contain updated or latest details of the PEPs, leaving the businesses in a state of confusion and incomplete compliance as there is no sufficient data to verify the identity of the PEP for completion identification and verification requirements.
4. Resources Intensive
The inclusion of PEP identification in the AML framework requires a lot of time and resources from DNFBPs and VASPs. Some of them might not be equipped or have the resources to implement robust processes for PEP screening and risk-mitigating measures, leaving them to deal with the ML/FT and PF risks.
5. Foreign PEPs
Foreign PEPs are people who hold important public positions in foreign countries. It is difficult to identify foreign PEPs in the absence of a central database of PEPs. The regulated entities depend on their software vendors to maintain a comprehensive database of PEPs. Since there are no benchmarks set in terms of the quality of the data, it becomes difficult to ascertain whether the PEP screening results are accurate.
Regulations surrounding PEPs vary by country. Therefore, it is difficult to assess the degree of risk posed by foreign PEP on a DNFBP or VASP operating in the UAE. The DNFBPs and VASPs need to adopt a risk-based approach and onboard foreign PEP by assessing their ML/FT and PF risk and assign appropriate risk rating on a case-by-case basis.
Best Practices for Managing PEP Risk
In order to effectively identify and assess the risks associated with PEPs, DNFBPs and VASPs in the UAE need to incorporate best practices that effectively mitigate any financial risks imposed by PEPs.
Here’s a list of best practices that regulated entities must implement for managing PEP risks:
1. Establishing Robust Policies and Procedures
The foremost thing that DNFBPs and VASPs need to manage ML/FT and PF associated with any customer, including PEP, is establishing robust policies and procedures. The AML framework of the DNFBPs or VASPs must provide an onboarding policy for customers who are classified as PEPs and mention steps, methodologies, and workflows to be carried out for risk mitigation, such as enhanced due diligence process. The AML framework must also provide for steps to be taken to identify if an existing low-risk customer is classified as PEP and further due diligence requirements.
2. Senior Management Oversight
Decisions related to high-risk customers require oversight by senior management. In addition to this, senior management also keeps oversight when monitoring and reviewing PEP’s status. The tone at the top guides the compliance and business team in complying with the regulatory requirements.
3. Training and Awareness Programs
Screening PEPs manually or with the help of software requires skills. DNFBPs and VASPs should conduct training and awareness programs that are tailored towards enhancing the skills and abilities of staff when undertaking the name screening process for screening any recognised PEPs.
4. Monitoring and Reviewing
DNFBPs and VASPs need to continuously monitor and review the risks associated with PEPs and their activities. The regulatory framework of UAE also requires DNFBPs and VASPs to monitor and review CDD/EDD information on high-risk customers such as PEPs at regular intervals to keep a check on ML/FT and PF risk associated with them. Such measures help DNFBPs and VASPs to keep an eye on PEPs and safeguard themselves against any probable illicit activity, including corruption and bribery.
5. Utilising Name Screening Software
Screening customers to identify if any one of them is a PEP manually takes up a lot of time and also has the chance of human errors in such results. Further, there is no comprehensive list available to screen names against. Therefore, to overcome such challenges, DNFBPs and VASPs should incorporate name-screening or PEP screening software that is capable of effectively screening the PEP against various lists in minimal time with utmost efficiency. The regulated entities must evaluate the quality of the PEP database offered by the name screening software to ensure that it doesn’t miss out on positive matches.
6. Periodic review of Recognized PEP
When a DNFBPs and VASPs decides to onboard a person recognised as PEP after undertaking EDD and other measures at the initial stage, it is necessary that the DNFBPs and VASPs conduct periodic reviews of the recognised PEP in order to keep a check on their activities and transactions to ensure that PEP is not engaging in any illicit activities include ML, FT and PF. The practice of keeping a check also helps DNFBPs and VASPs to identify if any existing PEP is not a PEP anymore and shift their risk rating from high to low appropriately.
Conclusion on AML Requirements for PEPs
The prominent public function exercised by PEPs is what makes them special when it comes to an assessment of ML/FT/PF, corruption, and bribery risks associated with them. The DNFBPs and VASPs in the UAE must establish a sound AML framework that contains provisions on the procedural aspects of treating a customer accordingly if they are identified as PEP. The DNFBPs and VASPs can rely on the best practices discussed in this blog and make sure they can steer clear of challenges faced while assessing and managing PEP risks. Ultimately, DNFBPs and VASPs must rely on the concept of a risk-based approach when assigning risk rating and carrying out diligence measures when conducting business with PEPs or associates or relatives of PEPs.
Lastly, DNFBPs and VASPs must always strive to investigate deeper as to the nature of UBOs in the case of customers who are legal entities or legal arrangements. DNFBPs and VASPs must make sure that legal entities they are about to establish a business relationship with or have an existing business relationship with are not mere shell companies or shelf companies; if legal entities are shell companies, then its UBO who is PEP may be much riskier to conduct business with.
Copyright © 2023 SA Auditors - All Rights Reserved.