The term Politically Exposed Person (PEP) has varied definitions across the regulatory landscape, but many industry experts agree on the Financial Action Task Force’s widespread definition:
Politically Exposed Persons (PEPs) are individuals who are or have been entrusted with prominent public functions in a foreign or domestic country; for example, Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, or important political party officials.
International organization PEPs are persons who have been entrusted with a prominent function by an international organization, refers to members of senior management or individuals who have been entrusted with equivalent functions, i.e. directors, deputy directors and members of the board or equivalent functions. Business relationships with family members or close associates of PEPs involve reputational risks similar to those with PEPs themselves. The definition is not intended to cover middle-ranking or more junior individuals in the foregoing categories.
Although the definition and interpretation of what constitutes a PEP and who’s covered may vary, PEP screening, risk analysis and risk mitigation have common components within compliance programs intended to mitigate this type of risk, to comply with applicable regulatory mandates.
PEPs present two types of risks:
- Reputational risk: The risk of potential damage to the reputation of an organization, due to the perception that the organization could benefit from the relationship, particularly through a bribe or a facilitating payment.
- Transactional risk: The risk that a facilitating payment (in the form of a “grease” payment, donation—in-kind or monetary—or any other discretionary payments [e.g., to obtain a Visa or permit] ) could be made to a government official to obtain a competitive advantage or a favor during a business transaction.
PEP risk needs to be assessed from both a contextual perspective, taking into consideration different elements of information and circumstances, and on a case-by-case basis to determine the real exposure and the degree of due diligence and risk mitigation activities that need to be conducted.
The purpose of this paper is to introduce the techniques and procedures that can be applied to any facet of compliance to validate screening results related to PEPs findings during a due diligence process. It includes the factors to consider during risk assessments performed on PEPs that can help determine the level of risk exposure and the potential mitigation strategies companies can implement. It is important to note that, depending on the specific area of compliance (e.g. anti-corruption, anti-money laundering, environmental, or health and safety), additional procedures may be required, depending on the objectives for each compliance program.
How to Validate PEP Screening Results
There are four basic steps companies and compliance analysts should undertake in order to validate or rule out PEP alerts: name matching, geography, profiling, and third-party intermediary vs. PEP identification.
- Is the name of the PEP an exact or partial match to the inquired name?
- Is the inquiry name considered “very common” based on cultural background? For example: John Smith and Carlos Gonzalez might be considered common names in their respective cultures. If that is the case, other identifying factors should be applied.
- If the name match is weak (e.g. a partial name match) based on available information, additional research needs to be performed (e.g. open internet searches) to obtain additional information on both inquiry and name found to validate the match.
- Consider whether the PEP resides in the same country as either the subject inquiry or individual searched (i.e., in-country rule).
- Consider the geographical proximity of the reported PEP (e.g. bordering countries, regional proximity).
- Consider the position held by the PEP when analyzing the location. In some cases, depending on the level of risk exposure, geographic validation of PEP alerts should not be limited to one country, as individuals have the tendency to cross borders. One example is a subject inquiry who resides in the USA, but has been identified as having held a previous position at the US Embassy in France.
The analyst should consider the following types of demographic and other related information when comparing the subject inquiry with the PEP name found in an alert:
- Compare age vs. date of birth information if available
- Compare educational history, level of education, and specific degrees obtained.
- Estimate what year the subject graduated from college/university. This will also help confirm the approximate age of the subject inquiry and PEP.
- Career Track. Compare employment history, including industry, companies, titles, positions, and length of time at each position or company.
- Compare subject inquiry’s position or status in the company’s structure with PEP’s position/role.
Services Provided by Third-Party Intermediaries vs. PEP Position/Role
- Compare the type of business conducted by the Third-party Intermediary (TPI)1 in relation to the position held by the PEP or associated PEP. For example, the TPI in question is a freight forwarder, while the individual identified as a PEP is a county supervisor. In this case, the services provided and PEP position do not correlate. This is an indication of a false positive.
- However, if the identified PEP holds a position as a manager of “maritime transportation department” or “customs supervisor,” and the TPI is a freight forwarder, there is a direct correlation between the service provided by the TPI and the role of the identified PEP. In this case, the relation identified as a PEP should be considered riskier.
Case in Point
This hypothetical case represents one of the many scenarios that companies grapple with in today’s business environment in connection with risks associated with PEPs from a compliance regulatory perspective.
John Smith, the Chief Compliance Officer (CCO) of Global Manufacturers Inc. (GMI), a publicly traded company, received a call from Chief Audit Executive Lidia Gonzalez about certain suspicious results obtained during the last audit field visit to the company’s subsidiary in Hong Kong. The results of the audit showed an increase in one of the accounts payable line items called “logistics fees.”
After performing substantial testing and reviewing payment documentation, the auditor was not able to find any evidence supporting the transactions, so she asked local management about the origin of the transactions. It didn’t take long for the auditor to learn that a local third-party company called HK Shipping Enterprises (HKSE)—hired to manage the daily logistics activities at the port on entry on behalf of GMI—was submitting discretionary payments to a Senior Customs Officer, who oversaw the inspection of containers entering the country. Based on this information, CCO Smith advised his team to perform an enhanced due diligence (EDD) on HKSE to obtain more information on its principals, related parties and potential adverse media. The results of the EDD showed that one of the principals of HKSE was the brother of the Customs Officer receiving the “facilitating” payments to expedite the approval of goods shipped to Hong Kong. After further investigation, the CCO discovered that the principal was receiving kickbacks from his brother, a PEP. GMI needed to report the incident to government regulators.
Analysis of Due Diligence Results Pertaining to PEP Findings
Once a potential PEP has been identified, the next step is to assess the risk exposure associated with the findings. The following is a list of elements to include when analyzing PEP risk:
The Inherent Risk Factor
The first step to be considered in the analysis of PEP risk exposure is to establish the type of business conducted by the third-party intermediary. Certain types of TPIs have a higher inherent risk exposure than others, due to the nature of their business activities.
For example, a freight forwarder interacting with government officials, brokers, sales agents, and port authorities is considered riskier than a notary public interacting with lower-level government agencies on purely administrative matters. Normally, the larger the person’s span of control is (determined by frequency and degree of interaction with government officials), the higher the risk. Mitigation activity should be conservative and risk adverse.
Understanding the Activities Performed by a TPI in Connection to PEPs
Compliance analysts also need to determine the specific activities that a TPI will perform. This information is usually captured through the completion of due diligence questionnaires (DDQs) or other applicable forms, implemented by an organization as part of the TPI’s onboarding process.
Understanding the activities performed by the TPI helps the compliance analyst determine the degree to which the TPI could potentially engage in fraudulent activities as a way to influence a decision or take advantage of a transaction by offering or taking a bribe.
A practical measure usually considered as part of this analysis is the “distance” of the PEP in relation to the nature of the services/activities to be performed by the TPI. The rule of thumb applied in this analysis is that the shorter the distance, the higher the ability for a PEP to influence a decision.
For example, let’s take the hypothetical case of a TPI that will be obtaining a permit or license on behalf of an organization by interacting with a government agency at a County Clerk level. During the due diligence process, it is discovered that one of the principals of the TPI is associated with the Minister of Education for the country where the TPI conducts business.
In this case, the analyst may conclude that, even though a PEP holding a position as Minister of Education might be considered high risk, the distance between this position and the County Clerk office is large enough to make an educated assumption that the probability of the PEP influencing the decision to grant a permit or license is minimal.
As a result, the compliance team may determine that the TPI is cleared to be hired, as long as proper controls—such as monitoring—are in place to mitigate the residual risk.
Taking the same example, a different scenario would be if the identified PEP holds a position as District County Manager, overseeing the County Clerk office. In this case, the risk exposure will be higher, as the probability of the PEP being able to influence a decision or offer/accept a bribe will increase, considering the shorter distance between the PEP (District County Manager closer to the transaction) and the services/activity to be performed (requesting a permit).
PEP Influence Within the TPI’s Organization
The compliance analyst should also evaluate the “level of authority” a principal identified as a PEP may have within the structure of the organization, so that they can assess the degree of influence and decision-making power that individual may have.
For example, a PEP with a “Chairman of the Board” title will pose a higher level of risk than an “Operations Manager,” since a Chairman of a Board will have higher authority and power to influence a decision within the organization.
In practice, the compliance analyst should expect a direct correlation between the level of authority of a principal within the organization and the PEP position he/she holds. This relationship within PEP role and level of authority needs to be examined on a case-by-case basis to aid in the analysis of risk exposure, considering how influential a principal could be in making decisions for the organization on one side, while exercising his/her PEP position on the other.
Another aspect the compliance analyst should consider is whether the principal identified as a PEP sits in the organization’s structure on a day-to-day basis. For example, consider whether the PEP is part of the subject entity’s management team or whether he or she is part of the parent or the global ultimate entity. The closer the PEP is to the subject entity, the higher the risk he or she could influence a decision. A practical example is a situation where a PEP association exists with a principal sitting in a company’s global ultimate entity, where he or she may not have the local authority or power to influence a decision at the subject entity’s level.
Beneficial Ownership and PEPs
Similar to understanding a PEP’s influence based on level of authority and position, understanding the beneficial ownership (BO) of an organization is also a key part of the analysis of risk exposure. Analysts should consider the BO structure of the subject entity to be able to pinpoint where the relationship of the identified PEP falls within the global BO of the organization. As an example, a PEP related to the ultimate beneficial owner (UBO) of an organization might be able to influence decisions made at a higher level in the structure of the organization, but not necessarily be able to influence a decision taking place at a lower level. The dynamics of these BO relationships with PEPs, combined with the different regulatory requirements regarding BO thresholds, (such as the Office of Foreign Assets Controls (OFAC) aggregated 50%, Financial Crimes Enforcement Network (FinCEN) 25%, and the U.S. Securities & Exchange Commission (SEC) 5%), can help compliance analysts evaluate different risk mitigation strategies depending on each case.
Location Where the TPI Conducts Business
Another element of analysis is the location (i.e., country, region, state) where the TPI will be performing services for the organization. The Corruption Perception Index (CPI), provided by Transparency International, aids in the determination of risk exposure based on location. The compliance analyst should consider the CPI score to help recognize potential differences in the way government agencies across the board might exercise controls to deter corruption activities, in connection to the performance, responsibilities and accountability of public servants.
In principle, the risk exposure of a PEP holding a government position in a country with a high CPI score such as Denmark (90), will be lower level than a PEP holding the same position in a country with a very low CPI score, such as Haiti (20)2.
Self-Disclosed vs. Non-Self-Disclosed PEPs
As part of the on-boarding of TPIs in the due diligence process, an organization might ask a TPI to complete a DDQ or some other input form in order to obtain specific information on the TPI, as specified by the organization’s compliance policies and procedures. One of the questions usually included in a DDQ is intended for the TPI to self-disclose any principal, shareholder or board member, and any of their relatives, holding a government position or having a relationship or association with a government official or someone running for public office.
A self-disclosed PEP contains two opposing characteristics: a) it is considered a red flag, as a PEP has now been identified as related to the TPI; and b) it is considered a positive sign, as the TPI has self-reported a relationship up front in the due diligence process. The latter helps the compliance analyst in the evaluation of risk exposure and in determining the mitigating steps to be followed.
On the other hand, if a TPI does not self-disclose a PEP or association to a PEP during the on-boarding process, and later during the screening process a PEP related to the TPI is identified, the compliance analyst might perceive this as the TPI not being willing to self-report that information. Consequently, the evaluation and the mitigation activities might take a different direction.
Special Transactions and PEPs
The degree of risk exposure brought by a PEP could also be impacted by the type of transaction taking place.
Examples of the type of transactions and questions the compliance analyst should consider are:
a. Is it a one-time due diligence transaction, or will it require on-going monitoring (e.g., beneficial owners in a real estate transaction compared with a long-term project)?
b. Is the due diligence conducted as part of a social responsibility project? Is the PEP part of the NGO managing a project, or is he or she the contractor performing the work?
c. If the due diligence is conducted on a trust, is the PEP connected to a beneficiary, the CEO, the administrator, or an investor?
d. Does the activity involve travel and hospitality arrangements? Is the PEP associated with any consulate that would potentially facilitate the issuance of a travel visa?
The answers to each of these questions may influence the way PEP risk is approached and mitigated. Companies will have different mechanisms to mitigate each risk, based on their risk tolerance level and the situation in each case. For example, some companies will apply “zero tolerance” and disapprove a transaction if a PEP is identified as associated to the beneficiary of a trust (e.g., a person leasing space to a retail company), while others will consider obtaining an attestation letter from the beneficiary, stating that information found regarding his or her relationship with the PEP is not accurate.
In the compliance arena, PEP risk mitigation is one of the major components of any organization’s anti-corruption due diligence program and a variable most often included as part of risk assessment models.
PEPs can potentially take part in many forms of corruption—such as bribery, illegal gratuities, kickbacks, economic extortion, and bid rigging—increasing both transactional and reputational risk to the organization and impacting social, ethical, environmental, health and safety, and financial regulatory compliance.
For all these reasons, the governance, risk, and control processes in an organization play a significant role in reducing risk. Understanding the elements of the control environment, such as tone at the top, risk appetite and tolerance levels, as well as multiple control layers, internal monitoring processes, and policies and procedures, is critical to assessing PEP risk and determining mitigation strategies.
The Information in this document is provided for education and informational purposes only, without any express or implied warranty of any kind. The Information contained in this document is not intended to be and does not constitute a conclusion, advice or guidance. It is possible that some information in this document is incomplete, incorrect, or inapplicable to particular circumstances or conditions. Dun & Bradstreet does not accept liability for direct or indirect losses resulting from using, relying or acting upon information in this document. You should not make any decision, or take any actions, based on any of the information presented in this document.