CA - discussions on PEPs Free Lists (2008)

Compilation of Compliance Alert forum - May 2008 - the following topic was under discussion:
 
For a small financial institution with limited resources: 

* Do you consider CIA Chief of State as an exclusive list which could be used to check PEPs before starting business relationship?
* Is there a free PEPs list available for download?
 
Permit me to reply to your questions in reverse order... and please bear in mind that I am NOT affiliated with any vendors named in my response below:  

First, I am not aware of any "free" list of PEP data that is comprehensive enough to fit most of the definitions of "Politically Exposed Persons" on a global scale, as prescribed in FATF Typologies, or under most of the AML legislation or regulations around the world. And while most if not all of us are conscious about costs, I would caution against not making the proper investment necessary to have ongoing access to a good quality data set in this area.

Because the CIA list is limited to include only the current, most senior or cabinet/ministry level officials, and does not include past or former political position holders, and also does not include family members or known associates of political position holders, I personally would not call this a true list of Politically Exposed Persons. 

In my opinion, a true global database of PEP entities should likely include at the very least, the top and mid tier political office holders and political party members from each country, members of the judiciary and senior military officials in those countries, and in cases of government-owned or government-controlled businesses, the senior managers of such firms. It should also include information about immediate family members and known associates of these 'politically exposed person(s)'.

To provide a comprehensive database of this type of information on a global scale, the data set would need to be comprised of several hundred thousand entity records (at a minimum) and could easily include upwards of 1MM records or more, depending on the comprehensive nature of the database being provided. 

And, as I stated earlier, while I am NOT affiliated with any of the key providers in this space, if one is looking for a comprehensive list of Political Entity Data, they should follow up with vendors such as WorldCompliance, Nomino Data, World-Check, Complinet or Factiva, to discuss options with them. Some of these providers are also quite adept at providing content concerning entities involved in financial crime activities as well.

Another alternative would be to investigate this with solution providers who offer both PEP data and screening mechanisms, such as Accuity, Bridger and others.

As one cost effective option, some of these firms offer a one-time screening against a true PEP database to provide you a baseline reading as to your institution's possible exposure. Also, if the quantity of lookups in one's database is small, the providers mentioned can also provide access to online query or look up services on some sort of a subscription basis.

Absent any of these solutions working to address one's needs, I would certainly use the CIA Senior Government Officials List as an alternative of last resort... absent use of a more comprehensive content solution that might be deployed.

One last comment is to ensure that before embarking on such choices/decisions, to make sure that one has clearly identified what customer data is to be screened against whatever data you select to use, and be clear as to why this data is being screened.

Should ALL customer data be screened? Or should one look at customers from their highest risk areas/business lines first? Are my customers domestic or global in nature? What products are they involved with and what is the scope of possible risk exposure that these factors represent? What do local or national regulations require in this area?

Screening results should also tie back into one's client onboarding and risk assessment processes. 

I hope this helps...


Shaun Hassett, CAMS
 
On 2 Jun 2008, at 3:49 AM, Shaun M Hassett wrote:
Thanks, Marie...

I agree that sometimes the data sets might be possible overkill in certain circumstances... however most of the vendors in this space are also very good about segmenting the lists (if appropriate to the client's specific needs, risk exposure, etc.), as well.

Another issue to keep in mind is that the "requests" from the legislative and regulatory community concerning "identification of PEPs" are DIFFERENT from regulatory watch list screening requirements as the PEP entity is not disqualified from a banking business relationship based solely or even predominantly due to their PEP status... it is simply a significantly important indicator of the need for added due diligence on the part of the FI organization... to better understand their client and their source of funds.

I also absolutely concur with your observation about filtering technology... as screening matches should not be based on a name match only.

That being said, I think that other unique identifiers concerning a possible PEP entity, as available, such as POB, DOB, government identifier (such as SSN, Cedula # or something similar), Passport Number or other possible identifiers - in addition to name match should be used in a multi-faceted screening process, in order to more accurately yield what would more likely be "true hits"... and reduce the voluminous level of false positives that can otherwise occur from the initial data screenings performed.

Shaun Hassett, CAMS

Marie Kerr wrote:

A risk-based approach, like Shaun suggested, is paramount here. The vendor lists can be enormous, and when you interview potential vendors, understanding the source of the names (and how often they're updated) is also critical. One could argue that some of the screening lists may be overkill, as any number of public data sources are gathered and compiled. Some vendors also perform link analysis that may point to additional entities, adding names to the lists. While this may make sense in the intelligence community, financial institutions might not need such sophistication, as it's quite expensive.

Which brings up perhaps the most critical issue:  How good is the name matching technology?  This is incredibly important to avoid avalanches of false positives. I have seen awful "matches" and believe that this is where sophisticated technology is needed.

  
  
Marie Kerr, CAMS, PMP 
President 
ShamrockAML 
 
I don't understand what you mean by "possible overkill".  Could someone please explain?  How can any screening list have too many names on it?

P

Peter A. Gallo
 
Part of the consideration should include proper profiling of the organization's clients and the expected types of transactions (and/or other products) that the client is involved with.

A small community-oriented financial institution that may only have a very few clients that either are high net worth or who are engaged in some form of international banking may not be able to justify the annual cost of licensing a true PEP database. In such cases the CIA list would likely be an acceptable alternative.

I would be interested to hear how others in this group might address this in their compliance practice.

Shaun
 
On the contrary, I do not support this attitude, and correct me if I am wrong, there is a difference between Domestic PEPs and Foreign PEPs being considered high risk in today's regulatory environment, knowing that international standards require an enhanced due diligence when conducting business with a PEP, particularly when they become part of Private Banking.
 
With a database of 20.000 customers (99%), are you willing to take the risk to do business with PEPs based on CIA Lists only without following adequate Know Your Customer procedures and enhanced due diligence processes?
 
I do believe, that banks in the MENA Region, have to learn the lessons acquired since September 11, 2001 and the creation of USA Patriot Act, EU 3rd Directive, MiFID, looking for FATF guidelines, in which the term Politically Exposed Person was defined. Local legislations like the USA Patriot Act or the European Union Directive use similar definitions, typically consisting of the following five layers.
  • current or former senior official in the executive, legislative, administrative, military, or judicial branch of a foreign government (elected or not)
  • a senior official of a major foreign political party
  • a senior executive of a foreign government owned commercial enterprise, being a corporation, business or other entity formed by or for the benefit of any such individual
  • an immediate family member of such individual; meaning spouse, parents, siblings, children, and spouse's parents or siblings
  • any individual publicly known (or actually known by the relevant financial institution) to be a close personal or professional associate.
Do you really think that a CIA list for the past 5 years really covers illegal actions committed by those PEPs? Does the CIA list provide their criminal record or corrupt actions? Take the case of Jean-Pierre Bemba, which I posted 3 days ago: how far will the CIA list enlighten you on his profile, background and criminal track record?
 
Taking the argument to its limit, are you willing to take the risk, in an emerging country like Egypt in North Africa with 70 Million citizens, surrounded by Sudan, Libya, Palestinian Authority, Hamas, Israel, immigrants crossing the borders on daily basis that could disguise a foreign PEP, and from a compliance risk point of view, are you willing to take the risk vis-a-vis your foreign correspondent Banks in USA & Europe, knowing that a screening data-base would cost you per year around $5.000 - $20.000, depending on the company you are dealing with? I will abstain from nominating (will do it through private channel, if requested).
Kind Regards
 
Bashir
 
I fully agree. A small business cannot afford increasing cost of compliance particularly when:
  • The number of customers is small (I would say less than 20,000 customers)
  • 99% of customers are locals
 
The CIA list would be sufficient to check who might potentially be a PEP. Many local AML regulations do not define who is a PEP. Even when the definition exists, it does not extend to close associates or family members. In such case, it is sufficient to take CIA list as a reference (normally it would not exceed 40 names for local officials) and you may add some other 60 names for Parliament members. Import the details on Excel sheet sorted by name and distribute it to Customer Service staff for checking before account opening.
 
Compliance is not an end in itself. It is about doing reasonable measures to comply with the laws and regulations. If you are in doubt about the adequacy of implementing a particular compliance measure, you may consult the regulator.
 
regards

Hany Abou-El-Fotouh, CAMS 
 
Based on current discussion over PEPs Lists, or may I say over Screening of Data-Base of Customers or a potential customer versus screening software, I have read a couple of days ago a comment that might enlighten us and provide awareness for using software:
 

False Positive or Type I errors: the error of rejecting the null hypothesis given that it is actually true; e.g., a court finding a person guilty of a crime that they did not actually commit.

False Negative or Type II errors: the error of failing to reject the null hypothesis given that the alternative hypothesis is actually true; e.g., a court finding a person not guilty of a crime that they did actually commit.

David Nordel wrote:
 
But we should remember that they are just the well-publicised tip of the fraud iceberg. Most frauds committed against banks are much smaller, less painful individually for the institutions, need less skill to commit, and get hushed up in order to avoid embarrassment. Let's take the common credit fraud as an example:  a customer, whether retail or corporate, establishes a history with the institution and then borrows a relatively large sum of money. All of a sudden, he disappears without repaying the loan: it may even turn out that his identity was fictitious and his collateral for the loan was fake; but whichever way, he can not be traced.
 
The truth is that most of the skills of the AML officer can be employed to stop this happening, simply by carrying out full KYC on the customer and due diligence on the collateral; and if the fraud takes place regardless, a good AML officer should be able to use interbank transfer records to at least start the investigation of where the money went in the first place. And several of the transaction monitoring systems used for AML can also produce indicators of frauds being carried out against the accounts of completely legitimate and innocent customers. All of these may be less exciting to deal with than the multi-billion-dollar incidents, but they are much more likely to occur, and therefore much more likely to damage the professional reputation of the bank officer who doesn't design and operate the systems and work practices that would prevent or detect them.
 
DN
 