How the UK’s financial services industry has invented for itself the right to use data providers to identify Politically Exposed Persons (PEPs)
By Bob Lyddon
THE DEBANKING of Nigel Farage by Coutts/NatWest has shone a light on the regime in the financial industry for identifying PEPs. The industry claims the regime is an implementation of the laws for combatting Money Laundering and the Financing of Terrorism (known collectively as AML/CFT).
Only it isn’t, as I shall reveal, in three important respects explored in my research just issued.
How the PEP regime differs from AML/CFT laws
Firstly, the UK financial industry has agreed with itself, through its own industry body, that it is entitled to ‘place reliance’ on lists supplied by a data vendor (for example through the World-Check system provided by Refinitiv) to identify PEPs. This right does not exist in applicable law.
Secondly, the concept of the existence of ‘lists of PEPs’ is not grounded in applicable law. It is up to each institution to determine whether a customer is, or is associated with, a PEP.
Thirdly, and consequentially, the business process for identifying a PEP and then dealing with that determination has come to be significantly at odds with the one implied by applicable law.
Why firms are not allowed to use a data provider in PEP-related work
Using a data vendor to identify PEPs is not supported in applicable law. Applicable law in this area has arisen from the original, global Financial Action Task Force Recommendations, through the 4th EU Anti-Money Laundering Directive and into the UK’s transposition of this Directive as The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (the MLRs).
A ‘relevant person’ – meaning a financial institution or any other organization subject to the MLRs – may ‘place reliance’ on a third party for some AML/CFT work, but the third party must also be a ‘relevant person’, and a data vendor is not classified as one.
Furthermore, the tasks over which one ‘relevant person’ can place reliance on another are limited to three: (i) identifying a customer and verifying their identity; (ii) ascertaining who the beneficial owner is of a company, asset or whatever; and (iii) assessing and obtaining information about the purpose and intended nature of a proposed business relationship.
In other words, ‘relevant persons’ must do all their PEP-related work themselves.
How has the right to use a data vendor arisen?
This ‘right’ has been introduced by a financial services industry body, called the Joint Anti-Money Laundering Steering Group (the JMLSG), in their implementation guidance, which has no status in law. The JMLSG has no official status, although its members in aggregate constitute a dominant market power.
In Chapter 5 of the first of its three books of guidance, entitled ‘Customer Due Diligence’, JMLSG gives de facto endorsement to the ‘Nature of electronic checks’ (5.3.46 – 5.3.50) and to ‘Criteria for use of a provider of electronic verification of identity’. JMLSG wrongly conflates PEP-related work with the Customer Due Diligence work for which a third party can be used. By doing this JMLSG makes it appear that these tasks are covered by the permissions contained in the MLRs Clause 28 for a ‘relevant person’ to place reliance on third parties, overlooking both that PEP work is out of scope of those permissions and that a data vendor is not a ‘relevant person’.
‘PEP lists’ – a nonsense concept
JMLSG guidance airbrushes away that there can be no such thing as a valid and reliable ‘list of PEPs’. The status of a person as a PEP or not is fluid. The categorization of a person as a PEP is not fully objective: it demands some element of subjective judgement by the ‘relevant person’.
There can be no self-certification, or certification by an ‘authority’, such as the government of a country with a public system open to bribery and corruption giving out a list (and usually a short one) of individuals whom it considers to be PEPs. In fact, no ‘authority’ is entitled to designate towards a ‘relevant person’ that someone is a PEP or not.
The business process for PEP-related work
‘PEP lists’, however, sit at the heart of the business process for PEP-related work, which differs markedly from the one implied by applicable law, as the research paper demonstrates.
Because a capacious data feed is available from a financial technology company (a ‘Fintech’), the industry view is that the data must be captured and processed, and the more the better. This mixture in the industry of belief in data and risk-aversion meets the technical capabilities of the Fintech and its need for revenues to deliver ever-expanding lists, whose veracity ceases to be questioned.
Fintech offerings now permeate the financial industry, to the extent in this case that the industry approach has become built around the Fintechs’ offering, rather than being extrapolated from applicable law.
The result is that the UK, a country with a public system not seen as open to bribery and corruption, has over 90,000 PEPs. The attractions of this for the financial services organization are clear: automation, risk elimination and cost reduction. The result for the subject person is, however, a travesty of the original intentions of the FATF Recommendations.
UK system of government
That it can have come to this reveals a defect in the formulation and implementation of applicable law in the UK which, while not the fault of the EU directly, has grown up around EU membership, where the formulation of Directives/Regulations and then their practical implementation is subject to the intervention of supplier lobby groups at various stages.
The outcome of that ranges from loopholes (like the one that enables payment scams), to the turning of legislation on its head (like the frustration of the law to cap credit and debit card fees), to – in this case – a group of suppliers awarding themselves rights that operate strongly in their favour.
The UK’s PEP regime has become a self-referencing industry in its own right, causing new and considerable detriments to UK citizens in good standing. The regime serves the interests of the industry for automation and cost-cutting, and supposed risk management, but it is based on self-awarded rights that conflict with what is written in applicable law. One cannot say for sure that it has delivered effective risk management: namely, in stopping the flow of illegal funds through the UK financial system. That itself is an indictment.
Bob Lyddon is an independent financial analyst specialising in international and central banking.
 https://www.refinitiv.com/en/products/world-check-kyc-screening accessed on 31 July 2023