BSA/AML Manual

POLITICALLY EXPOSED PERSONS EXAMINATION AND TESTING PROCEDUES

Objective: Evaluate the bank's policies, procedures, and processes to assess, manage, and mitigate potential risks associated with foreign individual customers who the bank has designated as politically exposed persons (PEPs). Evaluate the bank's compliance with regulatory requirements, such as customer identification, customer due diligence (CDD), beneficial ownership of legal entity customers, and suspicious activity reporting, with respect to these customers. Examiners are reminded that there are no Bank Secrecy Act (BSA) regulations specific to foreign individuals customers who the bank has designated as PEPs.

The following examination and testing procedures are intended to be a subset of a broader review of compliance with Bank Secrecy Act/anti-money laundering (BSA/AML) regulations, such as customer identification, customer due diligence (CDD), beneficial ownership, and suspicious activity reporting. Not all of the examination and testing procedures will apply to every bank or will be used during every examination.

1. Determine whether the bank has developed and implemented appropriate, written risk-based procedures for conducting ongoing CDD for all customers, including bank-identified PEP customers, and that these procedures enable the bank to:
   • Understand the nature and purpose of the customer relationship in order to develop a customer risk profile.
   • Conduct ongoing monitoring:
     • for the purpose of identifying and reporting suspicious transactions; and
     • on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers.
   • Use customer information and the customer risk profile to understand the types of transactions in which a particular customer would be expected to engage, and to establish a baseline against which suspicious transactions are identified.
2. Determine whether the bank, as part of the overall CDD program, has effective processes to develop customer risk profiles that identify the specific risks of individual customers including, as appropriate, bank-identified PEP customers.
3. Determine whether the bank has policies, procedures, and processes to identify customers that may pose higher risk for money laundering, terrorist financing (ML/TF), and other illicit financial activities, which may include bank-identified PEP customers. Policies, procedures, and processes generally include whether and when, based on risk, it is appropriate to obtain and review additional customer information, including guidance for resolving issues when insufficient, inaccurate, or unverifiable information is obtained. Determine whether the risk-based CDD policies, procedures, and processes are commensurate with the bank's ML/TF and other illicit financial activity risk profile.
4. Determine whether the bank's system for monitoring bank-identified PEP customer accounts for suspicious activities, and for reporting suspicious activities, is adequate given the bank's risk profile.
5. Determine if performing risk-focused testing is appropriate based on the review of a risk assessment, prior examination reports, other examination information, or a review of the bank's audit findings. If risk-focused testing is appropriate, select a sample of bank-identified PEP relationships and request applicable documentation to perform risk-focused testing. From the sample selected, perform the following examination procedures:
   • Determine whether the bank collects appropriate information to understand the nature and purpose of customer relationships, and to evaluate such customers according to their particular characteristics when assessing whether the bank can effectively mitigate the potential risk those customers may pose.
   • Determine whether the bank effectively incorporates customer information, including beneficial ownership information for legal entity customers, into the customer risk profile.
   • Review transaction activity for the selected customer relationships and, if necessary, request and review specific transactions and transaction monitoring documentation to determine whether the bank has identified and reported any suspicious activity.
6. Based on examination and testing procedures completed, form a conclusion about the adequacy of policies, procedures, and processes associated with bank-identified PEP customers.