2026-06-04

Attention to the Risk-Based Approach to PEPs in Client Due Diligence Remains Important

The Dutch Financial Markets Authority (AFM) issued this analysis report to mandate that financial enterprises apply a strictly risk-based approach when identifying and assessing politically exposed persons (PEPs) during client due diligence. The regulator requires firms to abandon blanket high-risk classifications and nationality-based screening, instead implementing tailored risk assessments, clear internal definitions, and reliable external tooling while maintaining ultimate responsibility for compliance. Additionally, the AFM emphasizes that enterprises must provide targeted employee training, maintain fully traceable documentation for at least five years, and promptly update client risk profiles whenever PEP status changes.


Netherlands

Autoriteit Financiële Markten


ANALYSIS REPORT

Attention to the Risk-Based Approach to PEPs in Client Due Diligence Remains Important

In brief - the handling of PEPs by financial enterprises requires tailored measures. No PEP is the same or presents the same risk. This tailored approach requires a uniform understanding of what a PEP is and how to deal with it. This requires, among other things, good training of employees and clear agreements and reporting. Enterprises can use external parties or tools for this. However, they remain responsible for the choices and decisions made.

JUNE | 2026

© AFM 2026 | Attention to the Risk-Based Approach to PEPs in Client Due Diligence Remains Important

Background of the investigation

The AFM conducted a thematic investigation into the handling of politically exposed persons (PEPs) under the Act on the Prevention of Money Laundering and Terrorist Financing (Wwft) at three investment firms, two investment companies, and nine financial service providers that mediate in life insurance or make use of the national regime. The results were previously shared individually with the involved enterprises. With this publication, we return the most important overarching findings to the sector and share some good practices.

PEPs are understood to be persons who hold or have held a prominent public office and the direct family members (being partners, adult and minor children, and parents) or close associates (for example, someone who has close business relations with a PEP) of these persons. The concept of PEP is not limited to foreign politically exposed persons: domestic politically exposed persons are also covered by this concept. A PEP is in any case:

a. head of state, head of government, minister, deputy minister or state secretary;
b. member of parliament or member of a similar legislative body;
c. member of the board of a political party;
d. member of a supreme court, constitutional court or another high judicial body that issues rulings against which, except in exceptional circumstances, no appeal lies;
e. member of a court of auditors or of the board of directors of a central bank;
f. ambassador, envoy or high-ranking officer of the armed forces;
g. member of the executive, supervisory or administrative body of a state-owned enterprise;
h. director, alternate director, member of the board of directors or holder of an equivalent function at an international organization.

See also: Wwft: Prominent Public Offices in the Netherlands | Tax and Customs Administration

Business relationships with PEPs require additional measures because this group carries a higher risk of reputational damage, corruption risk and other risks. The enterprise must have risk-based procedures to determine whether the client or the UBO of the client is a PEP. PEPs do not automatically carry a high risk of money laundering or terrorist financing.

Investigation findings

The AFM conducted this investigation based on its risk-based approach and following some findings from the evaluation by the Financial Action Task Force (FATF). We used data from investigations and from the periodic questionnaires we distribute in the context of the Wwft and the Sanctions Act (Sw). Below is an overview of the main findings.

An enterprise must apply tailored measures when handling a PEP.

According to the Wwft, an enterprise must be able to determine whether a client is a PEP. In the case of a PEP, an enterprise must take additional measures to prevent risks of money laundering and terrorist financing. The reason for this is that a PEP can be vulnerable to bribery and corruption. The investigation shows that when taking additional measures, the specific risks of a client designated as a PEP are not always considered. Not every PEP poses a high risk, so not every PEP needs to be investigated in the same way. Various risk indicators must be taken into account when assessing the client's risk profile, including, for example, the corruption level of a country.

We have observed that some enterprises make a distinction between clients with Dutch nationality and clients with non-Dutch nationality. Using nationality as an independent criterion within risk classification can lead to unjustified discrimination. Recent publications from, among others, De Nederlandsche Bank ('Proportionality in Perspective') and the Ministry of Finance ('Information Brochure for Politically Exposed Persons') also emphasize that a risk-based approach is necessary when risk-classifying PEPs. Classifying PEPs as high risk by default can lead to unnecessarily intensive measures being applied to PEPs with a low money laundering risk. The Dutch Banking Association (NVB) has published a risk-based standard with guidelines describing how client due diligence can be aligned with concrete risks and which indicators are relevant in this regard.

Good practice: a risk-based approach to the risk classification and assessment of a PEP
• A PEP is not automatically classified as high risk; each case is assessed separately based on the relevant risk factors.
• Nationality is not used as a standalone risk criterion, to prevent unjustified discrimination.

A uniform understanding of what is meant by a PEP is necessary within the enterprise.

In the absence of a uniform PEP definition, and where incorrect screening lists are used, an enterprise cannot determine the PEP status of a client and cannot correctly assess the risks. In several cases, the measures taken in practice and the PEP policy did not align. This inconsistency increases the risk of confusion among employees and of incomplete compliance with Wwft obligations.

Good practice: definitions are clearly documented
• The statutory PEP definition is applied.
• The sources, tools and screening lists used are specified.

Outsourcing and tooling can provide support, but internal control remains necessary.

Enterprises can assess whether a PEP is involved in various ways. Internal research is possible based on internal or public sources, as is the use of services from commercial providers. However, an enterprise must always conduct its own research into the credibility and reliability of the information and cannot rely solely on statements from the client. Some enterprises use an external agency to establish and assess PEPs. However, the procedures do not always clearly specify the concrete role of the external agency, which definitions and tools (external tooling) are used, and how ongoing monitoring takes place. Although engaging an external agency can offer efficiency benefits, the enterprise itself remains responsible for compliance with the statutory obligations under the Wwft.

In practice, clients may acquire or lose PEP status during the relationship. Enterprises must detect these changes in a timely manner so that the risk profile can be adjusted where necessary. The use of tools (external tooling) can support enterprises in ongoing monitoring. However, tooling is not always timely or complete in detecting changes in PEP status, for example during periods of political change such as after elections.

Good practice: clear responsibilities are documented
• When an external party is engaged, the enterprise itself remains responsible for assessing the quality and reliability of the results.
• Changes in PEP status are detected in a timely manner and supplemented with (manual) actions where necessary.
• It is periodically evaluated whether policy and execution still align, and where necessary the policy is updated.

Training and documentation require extra attention.

Enterprises must pay attention to employee training regarding PEPs. Employees responsible for client due diligence must follow appropriate training, which includes the identification and assessment of PEPs. In our 'Guideline Wwft and Sanctions Act' (pdf, 620 kB), it is stated that training should be tailored as effectively as possible to the different functions within the enterprise. During the investigation, it was observed that the policy of some enterprises refers to the Wft-advice diploma as training on the PEP concept. This is not always sufficient to ensure that employees, depending on the nature and size of the enterprise and their function, are aware of current developments and obligations regarding the identification and assessment of PEPs under the Wwft.

Good practice: invest in training and awareness
• Employees involved in conducting client due diligence receive appropriate and targeted training in identifying, assessing and monitoring PEPs.
• The training programme documents and makes visible which training courses have been followed and how progress is monitored.

Furthermore, the AFM has established that at some enterprises the documentation of the identification and verification of PEPs, as well as the client due diligence and the associated screening results for those PEPs, is not carried out in a sufficiently traceable manner. As a result, it is not always clear to a supervisor which additional measures have been taken and which data and documents were used in this regard.

Good practice: ensure complete and traceable documentation
• The documents and data used for client due diligence are recorded.
• Data is retained for at least five years and is reproducible.
• A suitable CRM or case management system has been considered for central and clear file management.