BSA/AML Manual

POLITICALLY EXPOSED PERSONS

Objective: Evaluate the bank's policies, procedures, and processes to assess, manage, and mitigate potential risks associated with foreign individual customers who the bank has designated as politically exposed persons (PEPs). Evaluate the bank's compliance with regulatory requirements, such as customer identification, customer due diligence (CDD), beneficial ownership of legal entity customers, and suspicious activity reporting with respect to these customers. Examiners are reminded that there are no Bank Secrecy Act (BSA) regulations specific to foreign individual customers who the bank has designated as PEPs.

Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations do not define the term Politically Exposed Person (PEP),¹ Available resources for use in assessing risks of PEPs include: "Guidance on Politically Exposed Persons" (2013); "Concealment of Beneficial Ownership" (2018); "Wolfsberg Guidance on Politically Exposed Persons (PEPs)" (2017); "International Narcotics Control Strategy Report" (2020); and "National Drug Control Strategy" (2020). and the term should not be confused with "senior foreign political figure" (SFPF), a subset of PEP.² 31 CFR 1010.605(p) (Definitions) and 31 CFR 1010.620 (Due diligence programs for private banking accounts); see also "FinCEN Advisory on Human Rights Abuses Enabled by Corrupt Senior Foreign Political Figures and their Financial Facilitators," (June 2018). Specific to SFPFs, refer to the Private Banking Due Diligence Program (non-U.S. Persons) section for more information. The term PEP is commonly used in the financial industry to refer to foreign individuals who are or have been entrusted with a prominent public function, as well as to their immediate family members and close associates.³ See "Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons," issued by the federal banking agencies (Federal Reserve, FDIC, NCUA, OCC) and FinCEN.

Examiners are reminded that no specific customer type automatically presents a higher risk of money laundering, terrorist financing (ML/TF), or other illicit financial activity. Further, banks that operate in compliance with applicable BSA/AML regulatory requirements and reasonably manage and mitigate risks related to the unique characteristics of customer relationships are neither prohibited nor discouraged from providing banking services to foreign individuals who the bank may consider to be PEPs (referred to in this section as "bank-identified PEPs").

Risk Factors

Bank-identified PEP customers present varying levels of ML/TF and other illicit financial activity risks, and the potential risk to a bank depends on the presence or absence of numerous factors. Not all bank-identified PEP customers pose the same risk, and not all bank-identified PEP customers are automatically higher risk. By virtue of their public position or relationships, some bank-identified PEPs may present a risk higher than other customers by having access to funds that may be the proceeds of corruption or other illicit activity. Some foreign individuals who are bank-identified PEPs have used banks as conduits for their illegal activities, including corruption, bribery, ML/TF, and other illicit financial activity. The potential risk to the bank depends on the facts and circumstances specific to the customer relationship, such as transaction volume, type of activity, and geographic locations.

Bank-identified PEPs with a limited transaction volume, a low-dollar deposit account with the bank, known legitimate sources of funds, access only to products or services subject to specific terms and payment schedules, or a limited number of accounts with which the bank-identified PEP is associated, could reasonably be characterized as having lower customer risk profiles.

Risk Mitigation

Understanding a customer's risk profile⁴ For more information about customer risk profile, see the Customer Due Diligence section. enables the bank to apply appropriate policies, procedures, and processes to manage and mitigate risk and comply with BSA/AML regulatory requirements. Like all bank accounts, those held by bank-identified PEPs or associated with bank-identified PEPs are subject to BSA/AML regulatory requirements. These requirements are related to customer identification,⁵ 12 CFR 208.63(b)(2), 211.5(m)(2), and 211.24(j)(2) (Federal Reserve); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 748.2(b)(2) (NCUA); 12 CFR 21.21(c)(2) (OCC); and 31 CFR 1020.220 (FinCEN). customer due diligence (CDD),⁶ 31 CFR 1010.210 and 1020.210(a)(2)(v). beneficial ownership of legal entity customers,⁷ 31 CFR 1010.230. and suspicious activity reporting.⁸ 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Federal Reserve); 12 CFR 353 (FDIC); 12 CFR 748.1(c) (NCUA); 12 CFR 21.11 and 12 CFR 163.180 (OCC); and 31 CFR 1020.320 (FinCEN). However, there is no BSA/AML regulatory requirement or supervisory expectation⁹ There may be supervisory expectations for other reasons, such as safety and soundness standards, corporate governance, bank-specific enforcement actions and conditions for obtaining bank charters and deposit insurance. for banks to have unique or additional customer identification requirements or CDD steps for any particular group or type of customer.

Consistent with a risk-based approach, the level and type of CDD should be commensurate with the risks presented by the customer relationship. The CDD rule does not require a bank to screen for or otherwise determine whether a customer or beneficial owner of a legal entity customer may be considered a PEP. A bank may choose to determine whether a customer is a PEP at account opening if the bank determines the information is necessary to develop a customer risk profile. Further, the bank may conduct periodic reviews with respect to bank-identified PEPs as part of, or in addition to, the required ongoing risk-based monitoring to maintain and update customer information.

Banks must have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships, and to develop a customer risk profile.¹⁰ 31 CFR 1020.210(a)(2)(v). Examiners should assess how a bank evaluates bank-identified PEP customers according to their particular characteristics to determine whether the bank can effectively mitigate the potential risk these customers may pose. Consistent with a risk-based approach for conducting ongoing CDD, a bank should typically obtain more customer information for those customers with a higher customer risk profile and may collect less information for customers with a lower customer risk profile, as appropriate.

The information collected to create a customer risk profile should also assist banks in conducting ongoing monitoring to identify and report suspicious activity. Moreover, performing an appropriate level of ongoing CDD commensurate with the customer's risk profile assists the bank in determining whether a customer's transactions are suspicious.

Based on the customer risk profile, the bank may consider obtaining, at account opening (and throughout the relationship), more customer information in order to understand the nature and purpose of the customer relationship. The following information may be useful for a bank in understanding the nature and purpose of the customer relationship and, therefore, in determining the ML/TF and other illicit financial activity risk profile of bank-identified PEP customers:

• The type of products and services used.¹¹ For example, some banks have wealth management accounts that fall outside of the definition of "private banking account" but may still pose a higher risk of illicit financial activity. These accounts are often held by high net worth individuals, and the accounts may contain large balances or be used for high dollar transactions. Banks are required to comply with BSA/AML regulatory requirements including, but not limited to, CDD and suspicious activity monitoring and reporting in relation to such wealth management accounts. Adherence to the existing BSA/AML framework will assist banks in identifying and managing the potentially higher risks associated with these customers and accounts.
• The volume and nature of transactions.
• Geographies associated with the customer's activity and domicile.
• The customer's official government responsibilities.
• The level and nature of the customer's authority or influence over government activities or officials.
• The customer's access to significant government assets or funds.

Banks may leverage existing processes for assessing geographically specific ML/TF, corruption, and other illicit financial activity risks when developing the customer risk profile. Existing processes may also take into account the jurisdiction's legal and enforcement frameworks, including ethics reporting and oversight requirements. For a bank-identified PEP who is no longer in active government service, banks may also consider the time that the customer has been out of office and the level of influence he or she may still hold as factors in the customer risk profile.

When developing customer risk profiles and determining when to collect additional customer information, and what to collect, banks may take into account such factors as the customer's public office or position of public trust (or that of the customer's family members or close associates), as well as any indication that the bank-identified PEP misuses his or her authority or influence for personal gain.

Refer to the Customer Due Diligence and Suspicious Activity Reporting sections for more information.

Examiner Evaluation

Examiners should evaluate the bank's processes for assessing risks associated with customers that are bank-identified PEPs. Examiners should determine whether the bank's internal controls are designed to ensure ongoing compliance and are commensurate with the bank's risk profile. Examiners should also determine whether internal controls manage and mitigate ML/TF and other illicit financial activity risks for bank-identified PEPs. Examiners may conduct this assessment when evaluating the bank's compliance with regulatory requirements such as customer identification, CDD, and suspicious activity reporting. More information can be found in the Assessing the BSA/AML Compliance Program - BSA/AML Internal Controls and Assessing Compliance with BSA Regulatory Requirements sections of this Manual.