Why PEPs should include local officials…

I’m a fan of sometimes keeping to the letter of the regulation if it keeps operational costs down. And, then, a news item pops up that shows me the weakness of that argument:

The former Finance Director of Cherryville, NC just pled guilty to the embezzlement of over $435,000. An excerpt from the FBI news release:

According to the bill of information and the filed plea agreement, up until her retirement in December 2011, Alexander was employed by the city of Cherryville as its finance director and supervised the city’s Finance Department. In that capacity, Alexander oversaw the city’s accounting, financial reporting, and treasury divisions, as well as the city’s revenue collections and customer service departments. As the finance director, Alexander also had access to and was able to process payroll payments to Cherryville employees, direct payments for city expenses, issue checks on behalf of the city, remove cancelled checks from the city’s records, and make adjustments to Cherryville’s electronic accounting systems, court records indicate.

From about August 2005 through December 2011, Alexander embezzled at least $435,294 of Cherryville’s funds and used the money to pay personal expenses. Court documents show that Alexander made weekly payroll payments to herself that were more than 300 percent of her authorized net pay from the city. In total, Alexander embezzled approximately $309,594 from the city of Cherryville in this manner.

Court records also show that Alexander used city funds to pay for personal expenses, including shopping and travel expenses, that she charged on her personal American Express credit card by issuing checks from the city of Cherryville made out to American Express. According to filed documents, Alexander issued the city checks and forged on those checks the signature of another Cherryville employee who was the authorized signatory on the account. Then, to avoid detection, after the forged checks had cleared and were returned by the bank, Alexander would remove them from the city’s records, court documents show. Alexander issued and forged a total of 26 checks from the city of Cherryville totaling approximately $97,000 to pay off personal charges on her American Express card.

So, if your firm had considered this official a PEP, could you have caught this fraud earlier?

Perhaps I should retool my mantra about this: you should consider as PEPs those people in your client base who are government officials in the geographic area your firm serves and who have some authority and/or fiduciary responsibility, along with their families and associates. So a small local bank might be on the lookout for local officials, while a regional bank might care about those folks and state officials (in addition to any foreign officials).

Link:

FBI Press Release

Time is of the essence

An essential question of any watchlist screening program is “when”, which actually comes in two flavors:

  • When does the company’s data need to be screened?
  • When do watchlists need to be updated?

I could weasel out of both of these by saying “in a timely manner”, of course – and I’d be right. However, let’s try to be more precise.

It is true that the frequency of data updates and screening processes is a risk-based decision. However, there are some limitations. For example, business transactions – things that transfer assets or create obligations to transfer those assets – generally have to be screened against sanctions lists “real-time”, which is to say, before the item goes out the door and/or gets finalized on the books (and gives the client access to those assets). Why “generally”, you might ask? While the most prominent sanctions regulations are designed to prevent sanctioned entities from having access to assets, some (South Africa being the one Mr. Watchlist is most familiar with) only require the reporting of suspicious transactions after the fact. If the assets are no longer in the firm’s control when the government moves to seize them, oh, well… (no, I’m not kidding – at least as of a few years ago).

I should note that transactions are less frequently screened against non-sanctions lists – especially the PEP list. A match to an off-the-books party doesn’t mean much if you can’t monitor their ongoing activity in the aggregate – with the potential exception of law enforcement lists. And you know Mr. Watchlist is not a fan of law enforcement lists because of the generic nature of the names on the lists and the limited information about them – perhaps that’s why all the online most wanted lists are primarily photo indices.

Screening static data is a whole ‘nother kettle of fish. If assets are not entering or leaving one’s account, the impetus for timeliness is much less urgent. So, a weekly or monthly (or quarterly) screening against other lists is not unheard-of – if you’re also screening the transactions.

There is one good argument for screening static data more frequently, though – and it’s all about staff allocation and productivity. If you screen more frequently, you will, in general, spread the manual review work out more evenly. In addition, when there are changes to lists that cause a real increase in matches, screening more frequently might allow a firm to make a rules-based false positive reduction (FPR) change that will pay more benefits sooner, reducing or eliminating the increase on the subsequent screenings.

Now, to the second question: how often do you have to update your watchlists? Economic sanctions lists should be updated as available from your data provider and as practical for your business. Translation, please?

First, there will be a lag between the time a list update is made by the regulator and the time it is made available by the data vendor. The data needs to be reformatted in your software’s format, and often will need to be enhanced to include things like matching phrases.

Second, with some applications, ongoing processing may halt or be slowed by processing a list update. Therefore, waiting until a slack period in the day (e.g. lunch time), or after hours is prudent and not unreasonable.

Let’s look to the OFAC Enforcement Guidelines again. OFAC considers how recently the listing which caused the violation was added to the SDN list as a mitigating or aggravating factor when assessing a violation. Miss an item issued two hours ago? You’re not going to get fined for that – that’s as close to a guarantee as Mr. Watchlist will ever give. On the other hand, if you haven’t updated the SDN list in a month… that’s not a pretty picture to paint for the regulator or auditor.

Beyond sanctions lists, the question of how frequently to update your lists is largely up to you. For example, one PEP and adverse media provider updates its database daily, while another data provider provides weekly updates. Obviously, the sooner you can identify a potential problem, the sooner you can decide what to do about it. On the other hand, unless you’re planning on terminating a relationship that matches one of these lists, an extra day, week or even month is unlikely to make a real difference to your risk in the overwhelming majority of cases.

So, like Mr. Watchlist said, with the exception of screening business transactions, you have to handle these things “in a timely manner”. And you get to define “timely”… it’s a wonderful thing.

Set phasers (not) to stun!

A lot of this seems daunting, doesn’t it? So many possible lists, system settings to consider… and so much work to process Day 1. Seems a little nuts to me…

Well, even if you’re facing down the loaded end of a C&D (cease and desist), one doesn’t have to implement a whole raft of changes in the blink of an eye. You can phase in your changes.

What auditors and regulators want to see is, of course, an acceptable program – eventually. What matters more is the plan to get there. These folks aren’t ogres (at least, not the ones I’ve met).

Imagine the following paths to “full” compliance:

  1. In January, you screen all accounts with an average daily balance of $1MM US against your PEP list. In March, you lower that threshold to $750,000. In May, you lower the threshold to $500,000. In August, it goes down to $250,000 and finally, in January of the next year, you drop it to $100,000…
  2. In the beginning of January, you start screening your accounts against sanctions lists using exact matching. In mid-January, you start using fuzzy screening at 93%. In mid-February, the fuzzy threshold drops to 91% – in mid-March, to 90%, in mid-April, to 88%, in mid-May, to 87%…
  3. In January, you begin screening against OFAC, the HMT (Her Majesty’s Treasury) list, the UN list and the EU list, because they’re your highest-volume currencies. In February, you add the second tier – the Canadian lists (OSFI, plus the DFAIT economic sanctions countries and cities, which include some city names that are very common in the US), the Japanese Ministry of Finance, the Monetary Authority of Singapore list and the Hong Kong Monetary Authority list. In March…
  4. In January, you start screening account information against national and international-level foreign PEPs that are still in office. In February, you include officials who have left office within the last 3 years. In March, you include national and international-level domestic PEPs who are still in office. In April, you include domestic officials who have left office within the last 3 years. In April, you include provincial/state-level domestic PEPs. In May, you include local-level domestic PEPs.
  5. In January, you start out with what you consider the bare minimum list of sanctions lists, including OFAC. Over the next few months, you add transaction-specific lists, such as BIS (Bureau of Industry and Security), BISN (Bureau of International Security and Nonproliferation), DTC (Directorate of Defense Trade Controls) and the World Bank Debarred List. In the second half of the year, you add a screen to your client onboarding process against law enforcement lists, including US Marshals Service, FBI, and Interpol.

Making some of these changes may increase the overall number of matches over time (e.g. changing the fuzzy logic level), while others may just increase the number of matching entity listings (which increases the time to clear each item).

Why phase in changes, instead of a “big bang” that gets your program up to snuff immediately? First, there’s the cost – a large increase in matches will either mean overtime, a large increase in staff or temporary help and/or less time devoted to making a decision on each match. Second, there’s the likelihood that a massive set of changes will overwhelm your staff, making them less, rather than more, productive (which adds to costs and errors). Third, making significant changes requires that compliance processes still keep their focus on the proper set of priorities – like, economic sanctions items are most important, followed by PEP screening, followed by other due diligence efforts (that’s an example – your priorities might be different). Priorities can easily get lost amidst the rush to get the decks cleared on a daily basis.

So, plan on getting from here (where you are today) to there (where you want to end up) in an orderly fashion, like they tell you to do in movie theaters in case there’s an emergency, like a fire – instead of in the mad rush that usually happens. There will be fewer bruises all around if you do.

What makes PEP different

Identifying Politically Exposed Persons, or PEPs, is a mandatory part of typical anti-money laundering (AML) regulations issued by governments. PEPs pose a greater than normal risk of being involved in financial crimes, such as fraud and money laundering, because of their access to, and influence over, large amounts of capital.

When one identifies who is a PEP, there is a business decision to be made: will the business relationship be maintained and, if so, will any additional ongoing monitoring of the customer’s transactions take place so as to identify possible malfeasance?

A whole ‘nother kettle of fish

This makes PEP screening fundamentally different from economic sanctions screening in a number of ways. Firstly, one generally only screens static data like account information to identify PEPs; identifying patterns of conduct involving someone not on the firm’s books is very difficult, at best.

Secondly, since a PEP is not inherently a “bad guy” who you have to report to the authorities, the standard of care in identifying them can be different. For example, one could exclude defined contribution accounts (e.g. pensions, 401K, 403B, and 529 accounts) from a PEP screening under the reasonable assumption that those accounts cannot credibly be involved in a fraud or other financial crime due to the restrictions on those accounts, while you would have to screen those against sanctions lists. Or, you could use a more stringent matching methodology to find PEPs (also driven by how much larger PEP lists are – one commercial provider has over 1.1 million named individuals on its list), since the implications of “missing” a PEP are only an issue if that client actually launders money or commits a fraud through the account.

Who am I looking for?

Now, here’s the real problem: what’s a PEP, and how does one get lists of them? On the first point, there are no globally-accepted definitions. Countries typically set the standards for their regulated entities, or piggyback on definitions from international groups like FATF (Financial Action Task Force) or the Wolfsberg Group.

The definitions, at a very basic level, define classes of persons connected with governments, their family members and close associates, when one becomes a PEP, and when one ceases to be considered a PEP. Unfortunately, these vary wildly: in some countries, “family members” are parents, children, siblings and spouses, while in others, extended family members are included as well. In some countries, people become PEPs when they decide to run for political office, win or lose. And the “expiration” of a PEP designation ranges from 1 year out of office to no standards whatsoever. The one common thread, however, appears to be that the officials who are designated as PEPs are federal-level officials, not provincial or local-level functionaries (although in practice, not so much).

A new wrinkle has arisen recently from the offices of FATF. Until now, PEPs generally were understood to be foreign officials, not domestic ones – in fact, a number of regulators referred to them as PEFPs (Politically Exposed Foreign Persons). While screening against foreign officials can still result in high match rates, those rates are generally lower in countries that are not particularly ethnically diverse; scanning names in Portugal may hit Brazilian officials and those of Portuguese extraction around the world, but will not match a lot of names from Russia or Japan or…

FATF recently updated their AML/CFT Recommendations to include screening against domestic PEPs. As one can imagine, that will significantly, if not exponentially, increase the number of PEP matches – and the ratio of false positives to true matches.

PEP Lists

On the second point (knowing what PEPs there are out there), regulators say you must identify PEPs, but give no real assistance as to identifying who these people are. The lists which drive PEP screening are all provided by commercial vendors. And, since “bigger is better” (a bigger list reduces the risk of missing someone), commercial PEP lists are enormous – there is a real “arms race” to have the biggest, most “complete” database.

Part of the reason is that the driving force behind PEP identification is to prevent financial crime; officials in control of only part of a country are just as capable, albeit on a smaller scale, of committing fraud as national figures. And regulated firms, especially the largest, want to identify those persons, too – from a purely financial and reputational risk perspective (no one wants to be mentioned in a story about fraud or money laundering). Therefore, commercial PEP lists have come to include provincial/state and local officials as well as national ones. As you can imagine, there are many more of those than federal-level officials, in general.

In general, if a government employee with a title can be identified, they have a decent chance of ending up on a commercial PEP list. Years ago, I searched for my last name on the PEP lists we used. I found a Jeff Sohn (no relation), who was a project manager with the NY State Library Department. A very wide net, indeed.

The bottom line

So, it lands on the compliance professional to manage the onslaught of data. This can be done by setting corporate standards for how frequently to screen, which relationships to screen, and which PEP listings to screen against, among other potential parameters. Those decisions are part of a firm’s “risk-based” AML program, where the risk of financial or regulatory liability is matched off against the cost of reviewing the potential matches.

Are you drowning in PEPs?

If you are, and you belong to ACAMS, you can check out my article (over at ACAMSToday.org or on the ACAMS Today iPhone app) on why the number of Politically Exposed Persons has exploded recently, and what you can consider doing to stem the tide from overwhelming you.

And, when I get a PDF copy, it’ll go up on the Published Articles page (and into an updated version of my resume, of course).

I welcome any feedback, positive or negative, on any of my articles – or my posts here, naturally.

Update: the article is now here, on the Published Articles page.

Get yer watchlists – HERE!

In the interest of “one-stop shopping” (or at least fewer stops), I’ve added a Watchlists page to this site. It’s got a bunch of watchlists in a number of forms, ranging from HTML and PDF on the one hand through XML and Excel-compatible formats on the other.

Included are lists from OFAC, BIS and DTC in the US, OSFI from Canada, HMT from the UK, DFAT from Australia, the UN, the World Bank and Transparency International. This is by no means a comprehensive list – I’ve gone for the lists that were well-organized into either easily readable or downloadable formats. That means that the FBI, US Marshals and Interpol lists, which are highly visual, and the DFAIT-administered sanctions in Canada, which are more descriptive text than a list format, are not included here – nor are the country-level sanctions lists that are not available on the Internet (e.g. the Israeli Ministry of Defense Terror list).

If you have a link to a list I don’t have here, please share it and I’ll be happy to add it to the site.