AML Sweden: PEP Management Best Practices & Preparing for EBA’s Directive on AML Organization

Written by Carl-Fredrik Hedengren,
Advisor and CEO
AML Audit & Advisory AB

This post provides an overview of PEP management procedures and best practices, outlining the specific requirements companies must follow. It also highlights the upcoming EBA AML guidelines, which will introduce significant changes to the AML organization in 2024. With this information, businesses can effectively manage risks and prepare for the new regulations in the upcoming months.

Navigating PEP Compliance: The Nuances and Imperatives of Enhanced Due Diligence

In the intricate landscape of regulatory compliance, one area often gets the attention of the authorities: how companies deal with “PEP”, an acronym for “politically exposed persons”.

The requirements are not clearly formulated, so companies have varying routines – some better than others. A well-functioning PEP management procedure is necessary to manage risks and reduce the risk of sanctions. See the full definitions in Chapter 1, Sections 8-10 of the Swedish Money Laundering Act.

The basis of the rules is that companies must investigate whether the customer or beneficial owner is a PEP, a known employee or a family member of a PEP. When this is the case, so-called enhanced customer due diligence measures must be taken. Furthermore, the customer must be followed up extra carefully during the course of the customer relationship.

PEP Identification: Best Practices, Regulatory Expectations, and Risk Management

The measures that should be taken to identify PEPs vary with the overall risk level of the customer relationship. Many companies, probably the majority, have a procedure for checking the entire customer base and associated beneficial owners against PEP lists provided by various private organizations (in Sweden, no PEP lists are drawn up by public actors). The regulations do not explicitly require searches against PEP lists, but the method is currently the only reliable one. Furthermore, an expectation has been established at the Swedish Financial Supervisory Authority that searches should be carried out daily.

Even when a company searches against lists, the customer should be asked about their PEP status. I also recommend that companies use their agreements to oblige customers to inform them when their PEP status changes.

Customer due diligence measures must always be adapted to the individual risk. The regulations designate certain mandatory stricter measures, namely to investigate the origin of the funds, apply more careful follow-up and obtain the approval of the competent decision-maker to initiate the relationship.

Different types of PEP are associated with different levels of risk. How much real influence does the person have? Are they in a country with an increased risk of corruption, war, etc.? PEP status shall be included in an overall assessment of the risks.

The risk classification and related measures relating to PEP must be carefully documented and kept up to date.

For a comprehensive understanding, the FATF (Financial Action Task Force) and SIMPT (Swedish Anti-Money Laundering Institute) have developed guidelines for the management of PEP.

EBA’s New Guidelines on AML Organization: The January 2024 Implementation Deadline Approaches

Please note that the guidelines do not apply to all categories of companies.

The Swedish Financial Supervisory Authority has announced that the European Banking Authority’s guidelines (EBA/GL/2022/05) regarding AML organization will be applied in Sweden as of 1 January 2024. The application of the guidelines means that the Swedish regulations (FFFS 2017:17) need to be updated, which has not been done yet. Companies therefore need to monitor news from the Swedish Financial Supervisory Authority and be prepared for a rapid implementation during the second half of 2023.

What do the Updated EBA Guidelines Mean for Organizations?

The guidelines impose certain specific responsibilities and tasks on different parts of the organization, which differ from the current regulation for e.g. money-laundering officers (Sw. “central funktionsansvarig”). This means that, for example, the AML guidelines and procedures and job descriptions need to be updated.

Furthermore, it is stipulated that internal reporting regarding AML must have a certain minimum content, which is a novelty for Sweden.

Companies are also required to establish a “business plan” for AML, which includes risk assessments and controls in all areas of AML. The requirements go beyond the compliance control plans that many companies use today.

To ensure the robust execution and oversight of these extensive AML measures, there’s another pivotal step for organizations – companies need to appoint a board member as responsible for AML.

Stay tuned for future articles where I will share more information on internal reporting in the context of AML, as well as advice on what criteria to apply and what measures to take when it comes to appointing a board member as responsible for AML.

Meeting Swedish AML requirements with Penneo KYC

I collaborated with Penneo to develop the legal framework for their KYC software, adapted to the requirements of the Swedish AML laws.

Penneo KYC is now available in Sweden. Book a personalized session with our KYC experts.

Disclaimer: This article applies to the AML updates in Sweden. Be aware that country-specific differences exist if you are dealing with AML compliance in a country other than Sweden.
