The Fourth Directive and politically exposed persons – what you need to know

Money in water

Under the Fourth Directive, the rules involving politically exposed persons (PEPs) are no longer limited to foreign officials. Local PEPs will now be subject to the same scrutiny as foreign PEPs. Here are some key guidelines regarding PEPs, the regulations regarding them and how to spot red flags.

Politically Exposed Person (PEP) Definition

A politically exposed person is defined as an individual who is entrusted with prominent public functions, including members of legislative bodies, government ministers, judges, high ranking members of the armed forces and senior officials of state-owned enterprises. The Fourth Directive extended the definition of politically exposed persons to include domestic citizens, as well as foreign ones.

Politically exposed person criteria

Providing a politically exposed person list is difficult as the criteria is broad and varies from country to country. The Financial Action Task Force (FATF) also issues frequent recommendations on PEPs, adding to the challenge of having a definitive PEPs “list”.

However, most countries base their PEP definitions on the guidance issued by the FATF, which categorize PEPs as:

  • Government Officials: this could include current or former officials in domestic government positions or positions abroad. It could also include heads of state or individuals working in executive, legislative, administrative, military, or judicial branches, in elected and unelected roles.
  • Political Party Officials: Senior officials appointed to roles in major political parties at home or in foreign countries could be categorized as PEPs.
  • Senior Executives: this includes individuals serving in senior executive roles, such as directors or board members, in government-owned commercial enterprises or international organisations.
  • Relatives and Close Associates: A relative or close associate of any of the above could also be considered a PEP.

Identifying a PEP

Family members or known close associates of politically exposed persons must also be dealt with under PEP rules. This means applying enhanced due diligence. A family member of a PEP includes; a spouse or civil partner, children of the PEP and their spouses or civil partners, and parents of the PEP. A known close associate of a PEP means an individual known to have joint beneficial ownership of a legal entity or any other close business relationship, or an individual who has sole beneficial ownership of a legal entity known to have been set up for the benefit of the PEP.

Beneficial ownership

A beneficial owner is any person controlling or owning more than 25% of the shares or voting rights. An ultimate beneficial owner (UBO) is always a natural person who ultimately owns or controls the person on whose behalf a transaction is being conducted. The details of beneficial owners must be recorded and held on a central register accessible to competent authorities. Organisations should take reasonable measures to identify whether or not a beneficial owner is a PEP or not and assess the risks of working with that client.

Suspicious Activity Report

If a firm, such as a financial institution, suspects a transaction could be illegal, they must submit a suspicious activity report (SAR). Law enforcement will make a decision after a SAR has been submitted. It may be a tipping off offence to reveal to the customer that a SAR has been submitted.

Enhanced due diligence

The Fourth Directive describes the requirements relating to PEPs as “of a preventative and not a criminal nature and should not be interpreted as stigmatising politically exposed persons as being involved in criminal activity”. Nonetheless, the Directive requires further investigation, known as enhanced due diligence (CDD), in order to establish whether or not a PEP is committing a crime. Involvement of high risk jurisdictions, suspicions about beneficial owners, questions about the source of funds or any other cause for suspicion must be recorded and reported to the designated officer in your organisation. For law firms and financial institutions this is usually the MLRO (money laundering reporting officer).

Politically exposed person red flags

Here are some red flags that may come up when dealing with politically exposed persons:

  • A local MP of the area your firm is conveyancing is selling a house and gets angry when informed that enhanced due diligence is required
  • A politically exposed person is from a country, such as Uzbekistan, with much weaker AML regulations
  • Someone who may be a politically involved person seems in a rush to move forward with the purchase of land or property
  • Someone who may be a politically exposed person insists on paying for the full amount of a piece of land in cash
  • A client is looking to buy a property on behalf of a diplomat from another country

Fifth Directive and PEPs

The planned Fifth Anti-Money Laundering Directive, currently under discussion by the European Union, may amend the strict procedures required of domestic or EU PEPs. Member states may decide to apply standard, rather than enhanced, due diligence to politically exposed persons where there are no further risk factors to suggest an overall higher risk.

VinciWorks’ anti-money laundering course covers PEPs

VinciWorks’ latest anti-money laundering course, AML: Know Your Risk, covers six modules, including PEPs. The course allows users to delve into realistic anti-money laundering scenarios. Users can also receive instant feedback on their answers to the questions in the course. You can demo the course for free here.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.