Under the “Know Your Customer”-oriented regulatory regime endorsed by organizations like the Financial Action Task Force (FATF), financial institutions and similar entities must apply heightened scrutiny to so-called “politically-exposed persons” (PEPs), as well as their family members and close associates. FATF defines PEPs as individuals who are or have been entrusted with prominent public positions (such as heads of state or government, senior politicians, senior government, judicial, or military officials, senior executives of state-owned companies, and important political party officials), as well as their family members and close associates. (For simplicity, here I’ll use the term PEP to include both the PEPs themselves, and their family members and close associates, as the FATF recommendations make clear that the latter should be covered by the same heightened due diligence rules.) The rationale behind FATF’s recommendation of more stringent due diligence for PEPs is the idea that PEPs are higher-risk customers, because they have more opportunities than ordinary citizens to acquire assets through unlawful means like embezzlement and bribe-taking. Thus, FATF’s Recommendation 12 (which many countries have adopted) advises that countries should require financial institutions to employ additional due diligence measures for foreign PEPs in order to establish the source of the PEP’s assets, and to conduct enhanced ongoing monitoring of the business relationship with the PEP.
That all seems like a good idea. But how, exactly, is a bank supposed to determine whether a prospective client is a PEP? Here, the FATF recommendations say only that financial institutions should “have appropriate risk-management systems to determine” whether a prospective customer is a foreign PEP. In practice, financial institutions rely on a relatively small number of private providers—like World Check (Thompson Reuters), World Compliance (Lexis-Nexis), and a handful of others—to screen prospective clients to see if they are in a database (generated and maintained by the private service providers) of known PEPs. Presumably (though I haven’t been able to figure out whether this is true) financial regulators in countries that have adopted the FATF recommendations on PEP screening will treat a bank’s use of one of these reputable services as satisfying the bank’s responsibility to take reasonable measures to determine whether a client is a PEP, even if in fact the service failed to accurately identify a given customer as a foreign PEP—though the bank might still be on the hook for other legal violations in connection with the PEP’s account.
So, keeping track of who’s a PEP has been entrusted to the private market. There is no “official” PEP list maintained by any national government or inter-governmental organization like FATF, nor does any government (to the best of my knowledge) directly monitor or regulate the private providers like World Check and World Compliance to ensure their PEP lists are accurate and up to date. Is this a problem? Should we be happy leaving PEP screening entirely to the private market, or should there be greater government and/or civil society involvement in generating, maintaining, and revising PEP lists?
This issue came up last month at the “Tackling Corruption Together” conference held the day before the London Anticorruption Summit. David Lewis, the Executive Secretary of FATF, gave a presentation that emphasized (among other things) the importance of due diligence on PEPs. During the Q&A someone from the G20 Research Group (whose name I didn’t catch) asked Mr. Lewis about whether there was the need (and political will) to create public PEP registries, noting both the importance of accurate PEP lists, as well as the inefficiency of individual banks paying private services for screening individual names one at a time. Mr. Lewis replied, quite forcefully, that the creation of public PEP registries would be a “terrible idea.” He knows far more about this issue than I do, and I don’t know nearly enough to come out in favor of public PEP registries, but I have to say, I didn’t really find Mr. Lewis’s reasoning all that persuasive.
Mr. Lewis said that there are three reasons why creating a public PEP registry would be a bad idea:
- First, spending public money on this would be, in effect, subsidizing the banks, taking taxpayer dollars (that could be spent on valuable public goods and services) and using them to pay for a service that right now the banks are paying for themselves.
- Second, Mr. Lewis emphasized that the private market is already meeting the need. (In other words, to paraphrase a bit, the PEP screening system isn’t broken, so why try to fix it?)
- Third, Mr. Lewis argued that if one were to make PEP lists public, that would be the quickest way to undermine the effectiveness of the lists, because banks can just look to see if a prospective client’s name is on the list, and if it isn’t, the bank will feel perfectly comfortable moving forward. (In addition, though he didn’t say this explicitly, I inferred that he was also suggesting that PEPs would find it easier to circumvent the lists if they were public, by finding associates or family members whose names had been left off.)
Now, I’d be willing to accept these responses if (1) the main argument for a public PEP registry was to save the banks money, and (2) if a public PEP registry would function as both the beginning and the end of the required PEP screening. But on the first point, I don’t think that greater efficiency is really the most important argument for moving beyond complete reliance on private screening services. Rather, the concern—which I’ve heard a number of people voice in private, even though I haven’t seen any explicit discussion in any published materials—is that the PEP screening done by the existing service providers not adequate, at least in some countries. This is not to impugn the effort or professionalism of the staff who work for places like World Check and World Compliance. It’s just to say that, even with their best efforts, it’s very challenging to maintain comprehensive, up-to-date lists of all of the PEPs—and especially their family and associates—in certain countries.
As for the concern that a public PEP registry would make it too easy both for the banks to skimp on due diligence and for PEPs to evade the additional screening, it seems to me that there’s an easy fix to that: Simply make clear that the public registry is a floor, not a ceiling – in other words, though inclusion on the public registry would be enough to trigger a requirement of heightened diligence, non-inclusion on the public registry would not be sufficient to determine that a prospective client was not a PEP. The banks, then, would still have to conduct independent screening (for any name not on the public registry), and for that, they would presumably still have to hire a private service. (One could imagine adding a regulatory requirement that any private investigation that determines a given individual is in fact a PEP must submit that name for addition to the public register. I can see both pros and cons to that possibility.) Furthermore, even if a name does appear on the public list, perhaps additional screening should still be required, to verify that the prospective customer is indeed the same person as the person on the PEP list, and that his or her inclusion on the list was proper.
Another advantage of a public PEP registry is that private organizations, including civil society groups, could submit names for addition. For example (to pick a country at random), suppose that the public registry list includes a set of alleged PEPs from Cambodia, but members of Cambodia’s Transparency International chapter notice that a number of associates of the president are not on the list, or perhaps that the public list has failed to note alternative transliterated spellings of certain PEP names. In that hypothetical scenario, or others like it, the civil society organization could submit suggested additions, corrections, and modifications. One could also impose on governments (perhaps as an additional FATF recommendation) an obligation to provide and update the public PEP registry with information on the country’s own PEPs (again, including family and close associates), with the threat of FATF blacklisting for persistent and/or deliberate non-compliance.
Of course, one needs safeguards in place to address concerns about over-inclusion. That concern is less significant here than it is in other contexts, like no-fly lists and credit reports, because the adverse consequences of inclusion on the list are only heightened scrutiny, rather than some more serious restriction on freedom or access to resources. Nonetheless, some effort would need to be taken to deal with that concern. And there’s also a concern about the impact of a public PEP registry on the continued viability of the business model that currently supports services like World Check and World Compliance. This is certainly not a trivial consideration, given my suggestion above that a public PEP registry would only work if it were a supplement to, not a replacement for, the screening conducted by these and other private services.
But on the whole, I’m not sure I find Mr. Lewis’s objections to a public PEP registry compelling. Perhaps I’m not giving his rejoinders enough credit, or perhaps there are other, more powerful objections? I’d love to hear more on this subject from those of you out there who are better-informed. This is all fairly new territory for me.