Today, 10 January 2024, sees the commencement of the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 (Amending Regulations), which were laid in mid-December and provide for changes to the enhanced due diligence (EDD) requirements in relation to so-called domestic PEPs (i.e. a politically exposed person entrusted with prominent public functions by the UK). Specifically, the Amending Regulations amend regulation 35 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) so as to require that the 'starting point' of any assessment of the risk posed by a domestic PEP is that they pose a lower risk than a foreign PEP. In this briefing we discuss the background to this change, explain the new requirements, and provide a brief overview of the FCA's related work on PEPs.
Background
We provide this background for any readers who are as enthused by AML regulation as the writer of this post. Time-poor readers may wish to skip to the section on the Amending Regulations!
Many PEPs hold positions that can be abused for the purpose of laundering illicit funds or other predicate offences such as corruption or bribery. It has therefore been a long-standing feature of international anti-money laundering (AML) standards that certain EDD steps should be taken in relation to PEP customers – notably including reasonable measures, on a risk-based approach, to establish the PEP's source of funds and source of wealth. The Financial Action Taskforce (FATF), the international standard-setting body which leads global action to tackle money laundering, terrorist and proliferation finance, embeds PEP requirements in its Recommendations, whilst making clear that these requirements are preventative (not criminal) in nature, and should not be interpreted as meaning that all PEPs are involved in criminal activity.
The FATF Recommendations allow (but do not require) countries to draw a distinction between 'domestic' and 'foreign' PEPs. Specifically, they provide for firms to be required to undertake certain EDD steps in relation to foreign PEPs, and to do so in relation to domestic PEPs “…in cases of a higher risk business relationship with such persons”.
Logically, however, this position can be difficult to rationalise. Why should a domestic PEP be considered to be lower risk than a foreign PEP, particularly if the 'domestic' jurisdiction is one where there is experience of political figures being involved in economic crime? Further, every 'domestic' jurisdiction is a 'foreign' jurisdiction for another country, and a differential domestic/foreign standard can lead to challenges in the application of a consistent AML approach across multinational groups.
At an EU level, historically a distinction was recognised between domestic and foreign PEPs. However, the Fourth Money Laundering Directive (Directive (EU) 2015/849) (4MLD) levelled the playing field, and required EDD on both domestic and foreign PEPs (Article 20), albeit it recognises in relation to CDD more broadly that the extent of due diligence measures can be determined on a risk-sensitive basis.
In the period between 2015 (when 4MLD was passed) and 2017 (when it was implemented in the UK via the MLRs), there was concern among some parliamentarians about the potential impact on UK PEPs and their family members of the incoming requirement to conduct EDD on domestic PEPs. This led to the enactment of section 30 of the Bank of England and Financial Services Act 2016 (which was never brought into force) which would have required the FCA to publish guidance about a proportionate, risk based and differentiated approach to PEP obligations.
When the MLRs came into force in June 2017, the requirements (under reg.35) included that:
- Firms have appropriate risk-management systems and procedures to determine whether a customer or the beneficial owner of a customer is a PEP, or a family member (FM) or known close associate (KCA) of a PEP, and to manage the enhanced risks arising from the relevant person's business relationship or transactions with such a customer.
- In determining what risk-management systems and procedures are appropriate, that the firm take account (amongst other things) of the extent to which the risk inherent in its business would be increased by its business relationship or transactions with a PEP, FM or KCA.
- That firms assess the level of risk associated with the customer, and the extent of EDD measures to be applied, taking account of any guidance issued by (inter alia) the FCA.
- Where a relationship with a PEP, FM or KCA is established or maintained:
- have approval from senior management for establishing or continuing the business relationship with that person;
- take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person; and
- where the business relationship is entered into, conduct enhanced ongoing monitoring of the business relationship with that person.
Thus, the MLRs expressly envisaged a risk-based approach to the extent of EDD on PEPs. The MLRs also introduced (at regulation 48) an obligation on the FCA to give guidance to firms in relation to the enhanced customer due diligence measures required under regulation 35 in respect of PEPs, FMs and KCA, including guidance on "how the level of risk associated with a particular individual is to be assessed for the purposes of regulation 35(3), and what approach is to be taken in relation to a PEP, or a family member or known close associate of a PEP, if the PEP, family member or close associate is assessed as presenting a low level of risk".
In March 2017, in anticipation of the MLRs coming into effect and against the back-drop of the 2016 Act provisions referred to above, the FCA consulted upon and then introduced FG17/6 (the Treatment of Politically Exposed Persons for Anti-Money Laundering Purposes) (Guidance). The final guidance was also intended to discharge the FCA's obligation under regulation 48 to publish guidance. At the same time, the FCA made certain changes to the FOS rules regarding complaints by PEPs, FMs and KCAs.
Given the context in which it was prepared, the Guidance has a significant focus on not doing 'too much' EDD on lower risk PEPs, as well as providing some guidance on diligencing higher risk PEPs. It is, however, fair to say that the question of what steps are "adequate" to establish source of wealth and source of funds (particularly in higher risk cases) remains challenging opaque. On this key point, the Guidance simply suggests that in higher risk situations a firm may take "more intrusive and exhaustive steps to establish the source of wealth and source of funds" – which might on one view be considered a statement of the obvious – without clarity on what those steps might be. There is some, but limited, guidance on this issue in the JMLSG Guidance.
This has remained the legal backdrop to firms' obligations in relation to PEPs until today. Thus, the MLRs do not distinguish between domestic and foreign PEPs, but do envisage a risk-based approach to PEP EDD. The Guidance supports a differentiation between lower risk and higher risk PEPs, and provides some thoughts on what lower risk EDD might entail. Firms' practices, however, will vary on the extent to which they take a differential approach to PEPs, and what the 'low end EDD' and 'high end EDD' will entail.
This position was brought into recent focus by the recent controversy around bank account closures, and the question of whether PEP status was impacting onboarding and offboarding decisions. Some argued that the PEP requirements result in individuals being targeted because of their political associations – seemingly conflating the PEP requirements and other risk considerations, and ignoring the international standards with which the UK, and firms, must comply. This led to the enactment of two provisions:
- Section 77 of FSMA 2023: This required the Secretary of State to pass Regulations which have the effect that domestic PEPs are regarded as lower risk/require less EDD than foreign PEPs unless there are enhanced risk factors.
- Section 78 of FSMA 2023: This required the FCA to review its PEP guidance (ie FG17/6), including assessment of whether the guidance is followed by firms and whether it remains appropriate. The FCA is required to complete this review within 12 months
The Amending Regulations
Against the background described above, and in line with section 77 of FSMA 2023, the Amending Regulations have been passed, which come into effect on 10 January 2024 and amend regulation 35 of the MLR.
New regulation 35(3A) will provide that:
"For the purpose of [a firm's] assessment [of the level of risk associate with the customer, under reg.35(3)], where a customer or potential customer is a domestic PEP, or a family member or known close associate of a domestic PEP –
(a) the starting point for the assessment is that the customer or potential customer presents a lower level of risk than a non-domestic PEP, and
(b) if no enhanced risk factors are present, the extent of enhanced customer due diligence measures to be applied in relation to that customer or potential customer is less than the extent to be applied in the case of a non-domestic PEP”.
Thus, the Amending Regulations will formalise into law the approach envisaged by FG17/6, i.e. a differentiated approach to the extent of EDD on lower and higher risk PEPs, with domestic PEPs being rebuttably presumed to be lower risk.
"Enhanced risk factors" in relation to domestic PEPs (and their FMs and KCAs) mean "risk factors other than the customer's or potential customer's position as a domestic PEP or as a family member or known close associate of that domestic PEP". In elevating a domestic PEP to 'higher risk PEP' status, firms will, therefore, need to establish (and document) risk factors other than their PEP status.
For firms which (notwithstanding FG17/6) apply the same level of EDD to all PEPs, this change in law will require early consideration as firms may be in breach of the MLR by doing 'too much' EDD (and indeed may already have been falling short in relation to the requirement to assess the risk of PEP relationships and adapt EDD measures accordingly). This may have a particular impact outside the financial services sector, as not all industry guidance adopts the same differentiated approach, such that an across-the-board treatment of PEPs may be more common in other parts of the AML regulated sector.
For firms which do distinguish between lower risk PEPs and higher risk PEPs, firms will need to consider if this change has an impact on the way that distinction is drawn. In particular:
- Does the assessment take into account whether the PEP is a domestic as opposed to a foreign PEP?
- Are domestic PEPs automatically low risk in the absence of risk factors?
- Are those risk factors matters which are unconnected to the PEP's role?
FCA review of PEPs
As required by section 78 of FSMA 2023, the FCA is also progressing its review of the Guidance.
The FCA announced its review of PEPs on 5 September 2023, including make available the review Terms of Reference: https://www.fca.org.uk/news/press-releases/fca-launches-review-treatment-politically-exposed-persons. The FCA is due to report on its conclusions by the end of June 2024.
The FCA has stated that "We are carrying out this review because of concerns that firms may not be treating customers individually…” and that the view will include how firms are:
- applying the definition of PEPs – are the individuals being treated as PEPs holders of roles which are really senior enough to be PEPs;
- conducting proportionate risk assessments of UK PEPs, their FMs and KCAs;
- applying EDD and ongoing monitoring proportionately and in line with risk;
- deciding to reject or close accounts for PEPs, their FMs and KCAs – including whether decisions in line with the law, guidance and the Consumer Duty;
- effectively communicating with their PEP customers – on account opening, EDD/ongoing EDD and account closures, including responding to questions and complaints; and
- keeping their PEP controls under review to ensure they remain appropriate – including how senior management are informed about and oversee operation of PEP controls.
Whilst there is a clear focus on domestic PEPs (and this is understandable in the political context), the FCA has also said that its review “will consider the concerns around domestic PEPs as part of the wider context of firms’ controls to ensure they are managing the overall risks of all PEPs effectively and proportionately” (emphasis added). It is to be expected that the FCA will, therefore, also look at the appropriate treatment of foreign PEPs.
Interestingly, the Terms of Reference specifically refer to the fact that "As part of the review, we will also consider whether the approach of firms, in particular those headquartered overseas, to UK PEPs is driven by other international requirements that could apply to those firms". This is welcome, since there is an inherent tension between (a) the new UK approach, and (b) for overseas-headquartered firms, any requirement for parent companies to implement a group-wide AML approach in line with their 'home' standards, under which UK PEPs would be 'foreign' PEPs.1
The FCA's work will consider a range of sources, including and feedback with UK PEPs, FMs and KCAs, information collected from relevant firms and stakeholders such as the FOS, and a risk based supervisory reviews of firms, based on the information collected from firms and from their customers, to assess how they are implementing their policies and procedures in practice. The FCA has said that its sample will include both firms where there is intelligence that indicates concerns with their approach to PEPs, and firms with different practices - to identify good practice learnings for the sector.
The outputs from the FCA's work are expected to include publication of the outcome of their review, "engagement" with firms where issues are identified and, if amendment to the Guidance is needed, a consultation on those amendments.
Comment
Whilst the concept of a risk-based approach to PEPs has been a feature of the MLRs since 2017, some may question the government's view that all UK PEPs should by default be considered lower risk – and wonder whether this is really supported by any data. Notably, the UK's score on the Transparency Perception Index fell to 73 in 2023, resulting in the UK falling through the global rankings from 11th to 18th. Nonetheless, this position has now been enshrined in law and, as outlined above, firms will need to consider if their risk assessment methodology and procedures are in line with the new requirements.
More broadly, it is to be hoped that the FCA review of FG17/6 provides some greater clarity on what remains a challenging area of compliance; firms can feel that they are 'damned if they do and damned if they don't', with scope for regulatory criticism both for too little and too much EDD. In that context, the FCA review has the potential to be helpful.
1See for example Article 45 of 4MLD.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.