2023-07-27

Managing the risk posed by Politically Exposed Persons

The Guernsey Financial Services Commission conducted a 2023 thematic review of thirty firms to assess compliance with Politically Exposed Persons risk management requirements. The review found that while most controls were effective, firms must improve the documentation of risk assessments, the identification of close associates, and the robust corroboration of source of wealth and funds. Regulators emphasized that policies must be tailored to specific risks rather than relying on generic templates or tick-box approaches.

Guernsey

Guernsey Financial Services Commission

Managing the risk posed by Politically Exposed Persons Thematic Review - 2023 Published: 27 July 2023

© Guernsey Financial Services Commission, 2023 Page 2 of 26

Executive Summary

During late 2022 and early 2023, the Commission undertook a thematic review to assess the effectiveness of banks’, fiduciaries’, fund administrators’, insurers’ and lawyers’ monitoring of, and compliance with, requirements for managing the risk posed by Politically Exposed Persons (“PEPs”) set out in the Handbook on Countering Financial Crime and Terrorist Financing (“the Handbook”).

PEPs may have the potential to abuse their position for the purpose of committing money laundering and related predicate offences, including bribery and corruption, as well as conducting activity related to terrorist financing [1]. That being said, there should not be a presumption that a PEP is undertaking illegal activity and the fact that an individual is a PEP should not be a barrier to business.

The assessment of effectiveness of firms’ monitoring of, and compliance with, the PEP requirements is a supervisory function of the Commission. The Handbook notes that there is no ‘one-size fits-all’ approach to applying Enhanced Customer Due Diligence (“ECDD”) measures for PEPs. As such the measures applied should be targeted to the specific risks present within each PEP relationship.

In 2022 whilst Bailiwick of Guernsey (“Bailiwick”) firms reported that they had PEP relationships from a range of jurisdictions, the total number equates to a very small proportion of the total business relationships within the Bailiwick of circa 1.4%, of which more than three quarters are foreign PEPs. The Bailiwick’s National Risk Assessment (“NRA”) states that corruption cases usually involve foreign PEPs. Although the Bailiwick’s exposure to PEPs is low relative to the overall number of business relationships, the harm PEPs can do to their countries in terms of value of laundered corrupt funds can be extremely high. An example of this can be seen in case study 25 [2] in the NRA where a foreign PEP misappropriated tens of millions of dollars using Guernsey structures, which resulted in a USD 144 million civil complaint being brought against the foreign PEP.

It is imperative that firms devote sufficient resources to understand the intended purpose and nature of the PEP business relationships and take reasonable measures to corroborate their source of funds and wealth in line with the assessed risk. Taking such measures will not only reduce financial crime risks but will also assist firms in having a greater understanding of their customers’ investment objectives.

The Commission undertook reviews of thirty firms and 170 PEP customer files across the sectors with the largest exposure to PEPs. The firms ranged from international banking groups to smaller locally owned and managed fiduciary firms. The results showed that the controls employed by firms to mitigate PEP risk were effective, with only three of the thirty firms requiring risk mitigation programmes to remediate identified issues.

[1] FATF Guidance: Politically Exposed Persons: June 2013
[2] Page 105 of the NRA

We noted many examples of good practice, and it was encouraging to note the strong performance by fiduciaries specifically in regard to the risk assessment of PEPs. This is likely due to the nature and complexity of fiduciary service offerings which allow for a deeper understanding of the risks present in a relationship.

PEP controls appear to be well embedded in Bailiwick firms’ policies and procedures. In all cases an appropriate risk rating had been applied to the PEP relationships reviewed, although some firms were less proficient in documenting their consideration of the risks presented by PEP relationships. The documenting of assessed risk is important to allow firms to demonstrate their understanding of the risks they are exposed to and in order to apply the appropriate level of mitigation.

Whilst it is mandatory to conduct ECDD on foreign PEPs and assess the risk for international organisation and domestic PEPs, the level of PEP risk differs depending on the position the PEP holds. For example, the risks relating to PEPs increase when the individual has a prominent public position in a jurisdiction with a higher risk of bribery or corruption. Moreover, firms should ensure that their risk methodology differentiates between foreign PEPs and domestic PEPs as the type and extent of risk present will be different, and therefore ECDD may not be appropriate for a domestic PEP.

The thematic review also gave the Commission the opportunity to assess improvements made by firms following the 2019 source of wealth/source of funds (“SOW/SOF”) thematic. The SOW/SOF thematic noted that it was important to apply a risk-based approach to the corroboration of SOW/SOF. PEP relationships present firms with a higher bribery and corruption risk, and therefore, it is important that robust SOW/SOF is undertaken where a PEP relationship is identified.
Whilst some improvement of the SOW/SOF undertaken by firms has been seen, there remains further work to do to ensure that the risks relating to a customer’s wealth are fully assessed, understood, and documented.

As part of the Commission’s periodic checks on fiduciaries’ compliance with the filing obligations in the beneficial ownership law, we reviewed the beneficial ownership filings on six separate PEP relationships which included a Guernsey Company in the structure. In all but one case, accurate and up to date beneficial ownership information had been filed with the Guernsey Registry. The one anomaly is being actively followed up as part of our ongoing supervision.

We wish to thank the thirty firms that participated in the thematic review. Whilst this thematic review did not capture all sectors, all firms subject to the Handbook are obligated to manage PEP risk and therefore we anticipate that this report will be of interest to firms in all sectors. The Commission will consider how firms have incorporated the findings from this report into their systems and controls as part of its ongoing supervision.

Nick Herquin
Deputy Director

Summary of areas for improvement

Identification of PEP positions (page 16)
Issue: in some instances firms had not documented the prominent public positions which it would consider to expose the firm to foreign and international organisation PEP risk.
Action: ensure that the firm's policies and procedures document the prominent positions to which foreign and international organisation PEP controls should be applied.

Identification of close associates (page 18)
Issue: in some instances close associates of PEPs had not been identified or were difficult to identify.
Action: ensure that the firm's policies and procedures are not solely reliant on commercial screening databases and consider the risk posed by close associates of PEPs and apply the necessary controls.

Tailoring Policies & procedures (page 20)
Issue: in some instances firms' PEP policies and procedures were largely comprised of copied out sections of the Handbook and did not consider the firm's specific PEP controls.
Action: whilst a firm's policies and procedures should reflect the Handbook's PEP requirements, they should also consider the firm's PEP controls and specific processes employed by the firm to mitigate its PEP risks.

PEP Risk Assessment (page 22)
Issue: in some instances firms were not adequately assessing the risks specific to a PEP relationship.
Action: ensure that the risk assessment undertaken is not solely a tick box approach, but documents the risks of the PEP's position to ensure sufficient mitigation is applied appropriate to the nature of the PEP relationship.

Source of Wealth & Source of Funds (page 23)
Issue: in some instances the SOW/SOF undertaken by firms consisted mainly of gathered corroboration documents with little consideration of the risks posed.
Action: ensure that the assessment of SOW/SOF documents include consideration of the risk posed by the PEP e.g. the geographical sphere of the activities and the industry in which funds have been generated and if the SOW/SOF is plausible.

Management Information (page 25)
Issue: in some instances the management information provided to senior management was lacking in specific detail as to the PEP risk the firm was exposed to.
Action: consider the reporting currently received to ensure that senior management are provided with a full picture regarding the firm's PEP exposure.

Glossary of Terms

AML/CFT – Anti-Money Laundering and Countering the Financing of Terrorism
Bailiwick – Bailiwick of Guernsey
Board – Board of directors (or the senior management where it is not a body corporate)
CDD – Customer Due Diligence
Commission – Guernsey Financial Services Commission
ECDD – Enhanced Customer Due Diligence
FATF – Financial Action Task Force
Firm – A financial services or prescribed business subject to the requirements of Schedule 3 and the Handbook
Guernsey – Bailiwick of Guernsey
Handbook – The Handbook on Countering Financial Crime and Terrorist Financing
NRA – Bailiwick National Risk Assessment of Money Laundering and Terrorist Financing
PEP – Politically Exposed Person
Schedule 3 – Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999
SOE – State-owned enterprise
SOW/SOF – Source of Funds/Source of Wealth

Contents

Executive Summary
Summary of areas for improvement
Glossary of Terms
Section 1: Background
1.1 FATF & Bailiwick Requirements
1.2 Rationale for the Thematic
1.3 Scope of the thematic review
Section 2: PEP risk in the Bailiwick
2.1 Sector Exposure
2.2 Geographical Exposure
2.3 Types of PEP within the Bailiwick
2.4 Declassification of PEP relationships
Section 3: Thematic findings
3.1 Identification of PEPs
3.2 Policies and Procedures
3.3 Risk Assessment of PEPs
3.4 Customer Due Diligence, Enhanced Measures and Enhanced Customer Due Diligence
3.5 Management Information and Reporting
Section 4: Conclusion

Section 1: Background

1.1 FATF & Bailiwick Requirements

The requirement for PEPs to be treated as high-risk stems from FATF Recommendations 12 and 22. It is important to note at the outset that whilst PEPs present a higher bribery and corruption risk, it should not be assumed that PEPs are undertaking criminal activity. The purpose of the PEP requirements is to ensure that the higher risk exposure is identified, understood, and mitigated.

The Bailiwick has had a long-standing requirement for firms to undertake ECDD for foreign PEPs. Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999, as amended and the updated Handbook released on 1 March 2019 made changes to the Bailiwick’s handling of PEP relationships. Two of the key changes related to the ability for firms to declassify certain former PEPs, provided they fall within specific criteria, and brought in scope domestic PEPs. Following this change PEPs fall into three distinct types:

• Foreign PEP – a natural person who has, or has at any time, held a prominent public function, or who has been elected or appointed to such a function, in a country or territory other than the Bailiwick of Guernsey;
• Domestic PEP – a natural person who has, or has at any time, a prominent public function, or who has been elected or appointed to such a function, within the Bailiwick of Guernsey; and
• International organisation PEP – a natural person who is, or has been at any time, entrusted with a prominent function by an international organisation.

The definition of PEP [3] also includes immediate family members and close associates. Immediate family members are individuals such as a spouse, parent or child. Close associates are individuals who are widely known to maintain a close business relationship with a PEP or who are in a position to conduct substantial financial transactions on behalf of a PEP.

The Handbook provides firms with guidance as to how to implement policies, procedures and controls for the mitigation of PEP risk; this guidance can be found in Chapter 8. Importantly it is stated that there is ‘no one-size-fits-all’ approach to mitigating the risks associated with PEPs. As such, the measures employed by firms should be targeted at the specific risks posed by the PEPs they provide services to.

[3] The definition of PEP, including immediate family members and close associates is detailed at Paragraph 5(4) of Schedule 3

1.2 Rationale for the Thematic

Estimating the global cost of corruption is almost impossible and although a popular estimate is that more than $2.6 trillion, or 5% of global GDP, is lost to corruption annually, this figure has been called materially too small by various organisations and Non-Government Organisations. There is no doubt however that corruption is associated with a range of negative outcomes including severely hampering inclusive and sustainable development, robbing a country’s wealth to the detriment of the population [4].

Given the ability of a PEP to potentially misuse their prominent public position to gain wealth through bribes, the NRA notes that PEPs present a higher bribery and corruption risk to local firms. As such it is important for the Commission to ensure that there is a good understanding of the risks and that there are sound controls in place within firms to ensure that the risk of bribery and corruption is mitigated.

In the 2019 Public Summary of FIU Tools and Practices for Investigating Laundering of the Proceeds of Corruption published by the Egmont Group of Financial Intelligence Units [5], it is stated that in 54% of the cases surveyed, initial detection of the suspicious activity that could indicate corruption stemmed from information from the regulated financial services sector. Given these findings, the importance for firms to have robust policies, procedures and controls when dealing with PEP relationships is clear.

The NRA states that bribery and corruption pose a significant risk to the Bailiwick. It has been identified that corruption cases usually involve foreign PEPs as follows: (1) there is the risk of Guernsey being used as a route to receive profits relating to contracts gained through bribing a foreign official and (2) the holding or management of PEP assets that result from illicit enrichment. Illicit enrichment is defined in the United Nations Convention against Corruption (which has been extended to the Bailiwick) as a “significant increase in the assets of a public official that he or she cannot reasonably explain in relation to his or her lawful income”. These cases tend to involve complex ownership structures where assets are linked to an entity established or administered in Guernsey, but where assets are outside of the jurisdiction.

Case Studies: PEP Public Statements

The Commission has recently released two public statements [6] which make specific reference to failings in the PEP controls employed by firms to identify PEPs, risk assess and monitor them properly.

[4] What are the costs of corruption? (worldbank.org)
[5] 2019_Public_Summary_FIU_Tools_and_Practices_for_Investigating_Laundering_of_the_Proceeds_of_Corruption.pdf (egmontgroup.org)
[6] Standard Chartered Trust (Guernsey) Limited — GFSC & Safehaven International Limited, Mr Richard John Bach, Miss Tracey Jane Ozanne, Mr David Charles Housley Whitworth, Mr Michael John Good and Mr Stephen John Dickinson — GFSC

The first notes that whilst the firm had identified PEP indicators for one of its customers, the risk assessments undertaken failed to fully recognise the risk these posed and therefore this relationship was not recorded as a PEP relationship. This failure was compounded by the relationship not being rated as high-risk and therefore ECDD, such as SOW and SOF had not been undertaken. This meant that the firm did not have a full understanding of how the funds within the structure were generated.

In the second case, the firm did not rate a relationship as a PEP relationship until two years after take on. The failure to identify the PEP at inception meant that there was no additional scrutiny applied to transactions carried out within that two year period. This exposed the firm to the risk that it could have assisted the PEP in laundering illicit funds originating from corrupt activities.

The thematic review was an opportunity for the Commission to review and assess the steps taken by firms to:

• Identify PEPs and their specific risks;
• Deploy their policies, procedures and controls when dealing with PEP relationships;
• Fulfil their CDD and ECDD obligations in relation to PEP relationships;
• Ensure sufficient management information is provided to Boards and senior management regarding PEP relationships in order to understand the extent of the firm’s risk exposure; and
• Apply the domestic PEP requirements.

1.3 Scope of the thematic review

The focus of the thematic was on those sectors which are assessed as having a greater money laundering and terrorist financing risk in line with the NRA. Analysis was also undertaken to understand the exposure each of these sectors have to PEP risk. In total, thirty firms were selected to participate in the thematic as stated below:

Sector | Firms visited
Investment | 10
Fiduciary | 9
Banking | 5
Law (Prescribed Business) | 4
Insurance | 2
Total | 30

The firms selected were requested to provide the Commission with a copy of their PEP register, together with their policies and procedures and management reporting relating to PEP relationships for our review. From this, six PEP relationships were selected for review for each onsite visit to these firms. For each of the files selected, the CDD and ECDD, the risk assessments (including confirmation of senior management approval), any adverse media screening undertaken, and details of the transaction and activity monitoring undertaken was reviewed. Where relevant, the files selected also included examples where a former PEP had been declassified.

Following the completion of the file reviews a meeting was held with representatives of the Board/senior management and the Money Laundering Compliance Officer to assess their understanding of the PEP risk present within their business.

Section 2: PEP risk in the Bailiwick

2.1 Sector Exposure

Based on the information held by the Commission, the Banking sector has the largest number of PEPs. This is not surprising given that where relationships are held in some other sectors, generally bank accounts will need to be opened too; this is in addition to the PEPs who use Guernsey private banking services in their own right. It should be noted that non-core financial business refers collectively to non-regulated financial services business and prescribed business.

[Chart: Percentage of PEP customers by sector (Banking, Fiduciary, Insurance, Investment, Non-Core Financial Business)]

[Chart: PEP customers as a percentage of total customers, by sector (Banking, Fiduciary, Insurance, Investment, Non-Core Financial Business)]

When PEP customers are considered as a percentage of the total customer book of business, as in the chart above, it is seen that PEP exposure across all sectors is under 6% of total business.

The fiduciary sector is involved in the formation, management and administration of legal persons and legal arrangements predominantly for non-resident customers; therefore, it is not surprising that the percentage of PEPs would be higher for this sector. The higher percentage of PEP relationships within the fiduciary sector and the possibility that legal persons and legal arrangements can be used to hold illicit enrichment generated from corruption is one of the contributory reasons why the NRA rates the fiduciary sector as higher risk for money laundering.

The investment sector comprises both the administration, management and custody of collective investment schemes and the provision of discretionary management, advisory, execution only and custody services. This sector targets non-resident high net worth individuals and therefore also has PEP exposure. The money laundering risk is that PEPs may use collective investment schemes to invest illicit enrichment generated from corruption.

Of interest is that PEP exposure has largely remained consistent since the publication of the NRA. This is in line with discussions with the firms taking part in the thematic, where they stated that there was no specific strategy targeting PEPs or reducing PEP exposure; as their PEP relationships would be considered on a case-by-case basis in line with the firm’s risk appetite.

2.2 Geographical Exposure

Firms within the Bailiwick are required to report jurisdictional information for the PEPs recorded within their business as part of the annual Financial Crime Risk Return. The chart below notes the breakdown of foreign PEP exposure between the higher risk jurisdictions listed within Appendix H [7] and I [8] of the Handbook, equivalent jurisdictions listed in Appendix C [9] of the Handbook and the rest of the world.

[Chart: Percentage of PEP customers by geographic group (Equivalent Jurisdictions, Rest of the World, Higher Risk Jurisdictions)]

The above chart shows that circa 78% of the PEP relationships in the Bailiwick are from lower risk jurisdictions in terms of money laundering and/or terrorist financing. Notwithstanding, almost a quarter of PEP relationships have a relevant connection to jurisdictions with a higher risk of money laundering and/or terrorist financing, many of which are also known to have a higher risk of bribery and corruption. It is noted that whilst there are PEPs with links to jurisdictions subject to a call for action from the FATF, these links relate to individuals who are close associates of persons who previously held a prominent public function but have no current links to these jurisdictions.

[7] Appendix H: High risk jurisdictions subject to a call for action by the FATF
[8] Appendix I: Countries and territories that are identified by relevant external sources as presenting a higher risk of money laundering and/or terrorist financing
[9] Appendix C details those countries or territories which the Commission considers have in place standards to combat money laundering and terrorist financing consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements

2.3 Types of PEP within the Bailiwick

Firms are required to report on the types of PEP relationships they have within their business. The chart below shows the total split in the type of PEP relationships within the Bailiwick:

[Chart: Percentage of PEP customers by PEP type (Foreign PEPs, Domestic PEPs, International Organisation PEPs)]

As the Bailiwick is an international financial centre, foreign PEPs make up the vast majority of the PEP relationships. Despite there being the ability for firms to rate international organisation and domestic PEPs as other than high risk, we observed from our onsite visits that firms are taking an overly cautious approach and tend to apply a high risk rating and undertake ECDD for all three categories of PEP. Firms should be aware that any risk rating applied to domestic and international organisation PEP relationships should be done on the basis of the specific risks present in the relationship and not apply a blanket approach to all PEP types as ECDD may not be appropriate for a domestic PEP or international organisation PEP.

2.4 Declassification of PEP relationships

FATF guidance on managing PEP risk allows for a risk-based approach to be taken for individuals who no longer hold a prominent public position. It is noted that any consideration for declassification should not be solely reliant on the length of time a PEP has been out of office but should consider all relevant risk factors. The Wolfsberg Group [10] takes a slightly different approach to FATF, noting that in order to apply a truly risk-based approach, firms must consider where the risks its business presents are higher and therefore declassifying PEPs, where appropriate, allows focus to be given to the highest of risks.

The Wolfsberg Group also notes that the following considerations should be made when determining if it is appropriate to declassify a PEP which firms may find useful when developing their own policies and procedures:

• The level of inherent corruption risk in the country of political exposure;
• The position held and its susceptibility to corruption or misappropriation of state funds or assets;
• Length of time in office and the likelihood of return to office in the future;
• The level of transparency about the source of wealth and origin of funds, in particular funds generated while in office;
• Links to any industries that are high risk for corruption;
• The overall plausibility of the stated customer profile and net worth;
• The level of transparency and plausibility of transactions processed through the account;
• Whether there is relevant adverse information about the customer published in reputable sources; and
• How politically connected they remain once they have left office.

One of the key changes made to the Handbook in 2019 was including provisions for firms to be able to declassify PEP relationships, under certain circumstances. This change allows firms to apply a risk-based approach to PEP relationships. It was envisaged that this change would assist firms in relationships such as where the individual who held political office had died some years previously, but ECDD still had to be applied to their close family members although there were no other high risk factors present, and the sources of funds in the relationship and wider wealth was transparent and well understood.

Although there is a timescale noted for the declassification, this should not be the only consideration given to declassifying a PEP. It is also noted that declassification should only be applied where the relationship would not be considered as high risk. It is further noted that heads of state/government or persons with the power to direct the spending of significant sums can never be declassified as a PEP as the risks presented by these positions are much higher. This also applies to their immediate family members or close associates.

The Commission collects data relating to the declassification of PEP relationships annually. The data shows that the level of PEP declassification has been under 10% of the total number of PEP relationships within the Bailiwick.

[10] The Wolfsberg Group is an association of thirteen global banks which aims to develop frameworks and guidance for the management of financial crime risks.

[Chart: % PEP customers declassified, by sector (Banking, Fiduciary, Insurance, Investment, NRFSB, Prescribed Business) for 2020, 2021 and 2022]

In general and following the initial reduction in PEP relationships in 2020, the level of PEPs declassified has fallen year on year, as illustrated above. It is also evident that following the initial declassifications during the first two years of the updated guidance, declassifications have significantly declined. The biggest anomaly above relates to one insurer that undertook its initial review for declassification in 2021 rather than 2020; this accounts for three quarters of the declassified PEPs for 2021 in the insurance sector. The fiduciary sector offers multi-generational wealth management structures, and this may explain why it has declassified the most PEPs.

In respect of declassifications in the investment fund sector we noted from our review that some investment firms had declassified PEPs who were neither the firm’s customer nor beneficial owner of the customer if a legal person/arrangement. Paragraph 8.48 of the Handbook made a distinction on the treatment of PEPs who are connected to a business relationship but are not the beneficial owner/s as they have not contributed to, or draw benefit from, the assets associated with the relationship. In such instances these individuals do not need to be recorded as declassified PEP relationships as the PEP measures, including ECDD, do not apply.

One such example could be a government or state level pension scheme investing in a Bailiwick collective investment scheme where members of the pension committee/board of trustees (or equivalent) include a PEP through virtue of his or her senior government position but where they do not meet the definition of beneficial owner (including the senior managing official) of the pension scheme. Those persons have no economic interest in the funds involved in the business relationship or occasional transaction (beyond any pension rights) and the risk of the relationship being used as a vehicle for the laundering of any personal funds is minimal.

Section 3: Thematic findings

3.1 Identification of PEPs

The definition of PEP contained within Paragraph 5(4) of Schedule 3 states that the definition of “prominent public position”, includes without limitation –
(i) Heads of state or heads of government;
(ii) Senior politicians and other important officials of political parties;
(iii) Senior government officials;
(iv) Senior member of the judiciary;
(v) Senior military officers; and
(vi) Senior executives of state-owned body corporates.

However, the term “prominent” is not defined in either Schedule 3 or the Handbook as it depends on the level of seniority and role held; this can make the identification of a Foreign or International PEP challenging. The FATF notes that what constitutes prominent will change depending on the jurisdiction and specifically its size (both in terms of inhabitants and size of the budget), the particular organisational framework of the government or international organisation concerned, and the powers and responsibilities associated with particular public functions. Notwithstanding, firms should consider if the public function the individual holds has the requisite seniority, prominence or importance to be categorised as a PEP and document their conclusions in their relationship risk assessments.

To assist in the identification of natural persons falling within the definition of domestic PEP, Appendix E to the Handbook lists those positions in Guernsey, Alderney and Sark deemed to fall within the categories listed above.

Area for improvement: Identification of PEP Positions

To aid staff in the identification of foreign and international organisation PEPs, a firm should define the circumstances where it considers an individual to be either a foreign or international organisation PEP.
The Handbook provides a starting point, but the firm should consider if there are any other indicators which would lead to a PEP classification and for this to be detailed within the firm’s policies and procedures.

The identification of PEPs can also be particularly challenging when identifying immediate family members or close associates of PEPs. The definition of close associate includes both a person who is widely known to maintain a close business relationship and a person who is in a position to conduct substantial financial transactions on behalf of such a person. Having robust procedures for the identification of PEPs (including immediate family members and close associates) is key to being able to assess and mitigate the risks posed to a firm by a PEP.

It is considered that a three-step approach should be used to identify PEP connections as follows:

Application Documents
• The onboarding forms used by the firm should contain questions asking if there is a PEP connection for the relationship. A description of what constitutes a PEP connection should also be included.

Commercial Screening Databases
• Commercial screening databases can provide valuable assistance to firms in identifying PEP connections. They are not infallible however and a firm should consider how much reliance is placed on these databases to ensure that PEP connections are not missed.

Open Source Internet Searches
• Open source internet searches can provide further clarity on the level of any PEP connections identified and may also identify PEP connections not identified in commercial databases. The sources of any results should be considered by firms when making a determination on the accuracy of the results.

It was observed during the onsite visits that these steps had largely been followed by firms. Whilst there is an understanding of what a PEP is within the industry, there is a lesser understanding in society at large, especially for immediate family members and close associates of PEPs, and therefore it is important that firms assist their customers to understand what contributes to an individual being considered a PEP, so they are able to self-disclose any PEP connections.

Good Practice: Identification of a PEP

The Commission reviewed a customer (a company) of a law firm, where one of the beneficial owners of the company was a close associate of a PEP. It was noted that this PEP was identified via open source internet searches during onboarding rather than through a commercial screening database. When undertaking the onboarding review it was noticed that there was a large amount of news media noting that one of the individual’s key investment partners is a former Head of State, and therefore it was decided that the individual should be considered a PEP even though he did not appear as a PEP on the commercial database used by the firm.

Case Study: Failure to identify a PEP family connection

During a visit to a fiduciary firm, we reviewed a customer, company X, where the beneficial owner had an immediate family member who was a PEP. This connection was not identified at take-on. A month after the onboarding, the firm identified through screening undertaken on another customer structure that the son of the beneficial owner of company X was a PEP owing to his former position within a national Government. However, despite this PEP connection being identified, it took a further year for the firm to identify that the owner of company X should have been classified as a PEP. This was described by the firm as a failure of its staff to recognise the connection and resulted in the firm enhancing its procedures specifically in relation to training its staff on its PEP measures to ensure that it does not reoccur.

Area for improvement: Identification of Close Associates

When it comes to identifying close associates of PEPs it is important for firms to fully consider relationships which may lead an individual to be politically exposed. Close associates are captured by the PEP requirements for two key reasons. The first is that they could act as a nominee for the PEP to obscure the true beneficial owner of the assets. Secondly, it could be that the associate is able to gain favour by exploiting their connection to the PEP.

Given these risks, firms should consider business relationships together with publicised personal or social relationships to assess if there is any PEP exposure. For example, if open-source internet searches describe details of substantial financial transactions or reveal a clear business link between the two, it’s possible the person should be considered a close associate of a PEP, and further questions should be asked about the nature of the relationship between the two. Other red flags could be economic activity which is dependent on government licences, the individual being based in a jurisdiction or connected to an industry with higher corruption levels, or high value transactions which are inconsistent with their economic activity.

Firms should also be aware that it is possible for a customer to become a PEP during the life of a business relationship. It is important therefore that firms continue to screen individuals to ensure that any PEP indicators are identified in a timely fashion.

Case Study: Failure to identify a change in political exposure

During a recent visit we undertook outside of this thematic review, a customer file was reviewed for an individual resident in a higher risk jurisdiction. At the time of take-on in 2012 the customer was not a PEP, but was risk assessed as high risk. In 2018, the customer became a director of a state-owned oil and gas company. This change in the customer’s circumstances meant that the customer should now be considered a PEP. A failure of the firm’s screening system meant that this change was not identified until 2021 when manual screening was undertaken due to a change in the address of the customer.

3.2 Policies and Procedures

There are eight areas that firms should consider when designing their policies and procedures for PEP customers:
• Identification - both for new and existing customers
• Customer Risk Assessment
• Due Diligence (including Enhanced Measures & Enhanced Customer Due Diligence)
• Approval
• Enhanced Monitoring
• Periodic Review
• PEP Risk Exposure (business wide)
• Training and Education

The Handbook requires firms to make a determination, as part of their CDD measures, as to whether its customer or beneficial owner is a PEP, as well as the type of PEP which applies. In doing so it is required that the firm has policies and procedures in relation to the identification of PEPs. When PEP indicators have been identified the following actions are required:
• Where a foreign PEP is identified, the firm must rate this customer as high risk and undertake ECDD.
• Where a domestic or International Organisation PEP has been identified, the firm is to determine the risk posed to it by the PEP and apply ECDD where it is deemed the domestic or international organisation PEP presents a higher risk to the firm. In doing so the firm should gather sufficient information in order to understand the role of the individual and their political exposure.

Area for improvement: Tailoring policies and procedures

Whilst the firms’ PEP policies and procedures we reviewed were generally appropriate, there was a large reliance on taking the requirements directly from the Handbook and not tailoring the requirements to the firm’s specific situation. As noted in the case study below, whilst firms’ policies and procedures should reflect the Handbook’s PEP requirements, they should also consider the firm’s PEP exposure, and the specific processes employed by the firm to mitigate its PEP risks.

Good Practice: Tailored policies and procedures

The policies and procedures reviewed at a fiduciary firm contained reference to a specific internal senior committee for the approval of PEP business. Although a separate committee is not required for PEP sign-off, it should be documented how a firm has chosen to demonstrate enhanced sign-off of PEP relationships. Whilst reference was made to relevant sections of the Handbook, the document described the process used by the firm to comply with the requirements of each section. This approach allows staff to refer to the Handbook for the requirements and understand the measures the firm has taken to assess and mitigate the PEP risk it is exposed to.

For instance, when explaining the process for considering and signing off PEP risk assessments, reference was made to the specific forum which would make the decision. Further, when considering the risk assessment of a PEP relationship, staff are instructed to consider the following: the type of PEP and the rationale for the classification, the powers held by the PEP in the public position, geographical risk factors, SOW and SOF, ECDD and any adverse media. This sets out exactly what senior management expects to see when considering a PEP relationship.

Case Study: Incorrect declassification of PEPs

When reviewing the PEP declassification register of an investment firm, instances were noted where it appeared that a customer or beneficial owner had been incorrectly declassified as a PEP. For example, the register listed the declassification of an individual investor as they no longer held a position of director at a State-Owned Entity (“SOE”). However, it was seen that the individual still held the role of Chief Executive Officer at the SOE and therefore remained a PEP. Another example of an incorrect declassification was where an individual investor had been declassified despite being a former high-ranking government official and in a position to direct the spending of significant sums; specifically, this individual was responsible for the jurisdiction’s treasury.

The policies employed by this firm consisted of guidance taken directly from the Handbook, but no processes which had been tailored to suit the nature of the firm’s business. Consequently, staff did not have a clear procedure to follow and therefore PEPs were being incorrectly declassified. As a result of these deficiencies the firm was required to complete a risk mitigation programme to review the PEPs it had declassified to assess if the declassifications were appropriate and remediate any relationships where PEPs have been declassified incorrectly. The firm is required to advise the Commission of the findings of the review once it has been completed.

3.3 Risk Assessment of PEPs

Although foreign PEPs are mandatory high risk, it is also important for firms to document their understanding of why the particular foreign PEP is exposed to increased risk to ensure appropriate and proportionate controls are put in place to mitigate the identified risk. For instance, a PEP from a jurisdiction which has a higher prevalence of bribery and corruption poses a different risk to one from a lower risk jurisdiction, but where there is a relevant link to a higher risk industry. The nature of the PEP risk will also differ dependent on the nature and complexity of the product offering. For example, a legal person or legal arrangement administered by a fiduciary may be used to route profits generated from bribes given to a PEP, whilst a PEP may invest in a collective investment scheme or take out a long term life insurance policy simply to store the proceeds of bribery and corruption, and realise a profit.

Case Study: Insufficient risk assessment

In accordance with Handbook Rule 3.85, the investment firm had adopted a standardised risk assessment checklist for all customers, including risk factors such as country of birth, PEP and SOW/SOF. The Commission did not identify issues with the risk ratings applied to the PEPs reviewed; however, it was concerned with the manner in which the risk assessments were conducted. The ‘areas for comment’ sections were rarely used, therefore the risk assessments lacked any documented assessment of the associated risks or rationale for decisions. The Commission reviewed six PEP customer files and concluded that none of them considered the risks specific to the PEP; these files included two individuals linked to heads of state and an individual with links to a sanctioned government. For example, the risk assessment would state ‘PEP = Yes’; however, it did not go into any detail as to the PEP’s position or the specific risks associated with it and therefore what mitigants were appropriate.

As a result of these deficiencies the firm was required to complete a risk mitigation programme to undertake a review of its risk assessment policies and procedures to ensure that they allow for the full assessment of risk.

A risk assessment should fully assess all relevant risks within a relationship to ensure that all risks present are fully identified, assessed and appropriately mitigated by a firm’s controls. It was noted during the onsite visits that this was not an isolated issue; however, some firms performed better in this respect, as shown in the following example.

Good Practice: Assessment of PEP risk

A fiduciary firm undertook a review of its PEP procedures in preparation for the Commission’s visit for the thematic review. This review highlighted a weakness in the firm’s risk assessment of PEP relationships. As a remedy to this, the Board decided to introduce a PEP classification form (supplemental to other forms completed to record the SOW/SOF of the customer), which is to be completed as part of the risk assessment process. The classification form requires the reviewer to consider the role held by the PEP, the geographical risk, and the length of time in position. The form also requires that the prominence of the position is considered, as well as any adverse media which may have been found relating to the PEP. This allows the firm to document the consideration given to the risks specific to each PEP relationship, ensuring that the correct controls are applied to each PEP relationship.

Firms should consider how they document the consideration of PEP risk within the processes used and the firm.

Area for improvement: PEP risk assessment

It is important to note that the risk assessment undertaken is proportionate to the nature of the prominent public function undertaken by the PEP. Not all PEPs are equal and the more senior the role, the more exposure there is to risk. Therefore, firms should tailor their mitigants for managing the risk posed by the PEP in accordance with the risk factors which are present. Firms should ensure that staff undertaking the risk assessment do not take a tick box approach, but also document their consideration of the risks presented by the PEP’s political position. Only by fully understanding the pertinent risks can a firm ensure that its policies, procedures, and controls are appropriate in mitigating those risks.

3.4 Customer Due Diligence, Enhanced Measures and Enhanced Customer Due Diligence

Undertaking due diligence of PEP relationships involves the collection of customer due diligence documents to verify the identity of the customer, and where relevant the beneficial owner, together with undertaking enhanced measures and ECDD to further understand the nature of the relationship, the SOW/SOF, ensuring monitoring of the relationship is commensurate with the risk and that appropriate internal sign-off of the relationship is applied.

In general, the collection of customer due diligence was undertaken appropriately at the firms visited as part of the thematic review. In all cases reviewed, firms had collected documents to verify the identity of the PEP. In addition, firms were applying senior management sign-off for PEP relationships; in many cases a meeting was held to discuss the relationship with senior management prior to signing off on it.

However, when reviewing the SOW/SOF undertaken by firms on PEP relationships, this was in some cases inadequate. This is disappointing given the extra guidance provided by the Commission through the publication of the SOW/SOF thematic review in 2021. That being said, it was evident that the firms from the fiduciary sector have performed better in establishing and understanding SOW/SOF for their PEP customers. This may, in part, be due to their experience in dealing with high-risk customers and complex structures.

Undertaking SOW/SOF is a three-part process: the first step is to gather SOW and SOF information from the customer, the second is corroborating those stated sources using a risk based approach, and the final step is to assess the plausibility of those sources against other information about the customer and the risks he or she poses. The majority of firms had obtained corroboration documentation for SOW/SOF; the deficiencies were primarily in the assessment of that information.

Although firms had generally obtained corroborating documents for SOW/SOF, the assessment of the information within these documents was lacking at times. As with all risk assessments, a ‘one-size-fits-all’ approach to SOW/SOF for PEPs is not sufficient to mitigate the risk of the relationship. It is important for firms to understand the risk implications of the SOW/SOF for every PEP relationship, as well as determining if these sources are plausible given the salary attached to the political position and the other economic interests of the PEP in relation to the quantum of assets within the firm’s relationship with the PEP.

When considering SOW/SOF for PEP relationships it is important for all firms to note that there is a requirement to ensure that where the beneficial owner of a customer is a PEP, SOW/SOF must be undertaken on the beneficial owners as well as the customer. We noted from all the customer files we reviewed that firms had obtained information on the SOW/SOF of PEPs which were the beneficial owners of a legal person customer.

Area for improvement: SOW/SOF

Given that the primary risk posed by PEP relationships is in regard to the receipt of funds generated from bribery and corruption, it is considered that the primary way to mitigate PEP risk is by undertaking a comprehensive SOW/SOF assessment. Therefore, firms should pay particular attention to ensuring that the SOW/SOF for their PEP relationships is fully understood and is plausible. Further good practice examples can be found in the Commission’s SOW/SOF thematic report11.

11 Legislation & Guidance — Commission — GFSC

Case Study: Failure to corroborate SOW/SOF

In relation to three of the six customer files reviewed, the investment firm could not evidence that it had undertaken reasonable measures to establish and understand the SOW/SOF. For example, the only SOW/SOF information held for a PEP with a relevant connection to a higher risk jurisdiction was a note stating, “property investment over several decades”. No further corroboration, such as business interest, accounting records or online searches, was held, nor was there any consideration of the geographical sphere or the overall net worth of the PEP.

In another example, the same firm had not considered the risk implications of a PEP resident in a higher risk jurisdiction and employed within a higher risk industry. This customer was divorced from a former partner, who was a PEP serving a prison sentence for breach of office and corruption in relation to the award of contracts in the same industry as the customer was employed in. The firm had not identified when the couple divorced and therefore did not have any information as to whether the SOW/SOF was potentially tainted; the only corroboration was a CV to confirm the PEP worked within the higher risk industry. It is noted that there was a high value of assets within this relationship.

These findings in part contributed to the firm being required to undertake a risk mitigation programme to review and enhance its policies and procedures for the collection and assessment of SOW/SOF information.

Good Practice: SOW/SOF

When visiting a fiduciary firm, a customer file was reviewed relating to a PEP who had held various senior government positions in a higher risk country. The firm has taken the decision not to declassify PEP relationships in line with its risk appetite. Therefore, although the PEP’s last political position was in 2002 the individual was still considered a PEP.
The PEP had a long career dating back to the 1970s and 1980s which had made it harder to corroborate their employment income as part of SOW/SOF. When reviewing the file, the Commission saw a number of file notes detailing the PEP’s career, which had been drawn from various discussions the firm had had with the PEP. Further, in order to corroborate more recent wealth, copies of the PEP’s tax returns had been obtained.

Carrying out more frequent and extensive ongoing monitoring also forms part of the ECDD to be undertaken for PEP relationships. It was seen that at all firms visited, PEP relationships were subject to at least annual risk assessment together with ongoing screening such as Google alerts to identify any flags which may require investigating.

3.5 Management Information and Reporting

Good management reporting allows senior management to maintain appropriate oversight of the risks faced by the firm. Given that PEP relationships present some of the highest financial crime risk to a firm, it is important that relevant information regarding PEP relationships is included within the regular reporting provided to senior management.

It is encouraging that some amount of PEP reporting was provided to senior management for all firms reviewed. In the worst cases, the reporting simply included the number of PEP relationships over a given period, whereas other firms provided senior management with an analysis of the trends in terms of number of PEPs within the firm’s customer book and any suspicious activity reports for PEP relationships seen within the reporting period, together with commentary regarding any significant changes in the reporting. This allows for the Board to have a better understanding of the risks present within its business.

Area for improvement: Management Information

It is considered that good reporting would include the following:
• The number and type of PEP relationships at the firm together with any trends during the reporting period;
• Value of assets under management for PEP relationships compared to other customers;
• Internal and external SARs raised for PEP relationships;
• Periodic reviews of PEP relationships undertaken/outstanding during the reporting period;
• Commentary of any problem PEP relationships; and
• Consideration of the PEP risk faced by the firm with reference to the firm’s risk appetite statement.

Section 4: Conclusion

We noted many examples of good practice, and it was encouraging to note the strong performance by fiduciaries in regard to the risk assessment of PEPs. PEP controls appear to be well embedded in Bailiwick firms’ policies and procedures. In all cases an appropriate risk rating had been applied to the PEP relationships reviewed, although some firms were less proficient in documenting their assessment of the risks presented by PEP relationships.

Most of the firms reviewed had appropriate policies and procedures for the mitigation of PEP risk. The quality of these controls was significantly higher where the documented policies were tailored to the firm and where risk assessments considered the risk attached to the political position the individual held.

While it is noted that corroboration of SOW/SOF has improved since the publication of the SOW/SOF thematic report, there is still some work to be done by firms to ensure that sufficient corroboration is collected, and the associated risks fully assessed. It is also considered that further work is required by firms to ensure that the risks specific to a particular PEP relationship are considered during the relationship risk assessment.

The following self-assurance questions are intended to assist firms’ consideration of the sufficiency and suitability of their PEP measures:

No. Question

  1. Are open-source internet checks undertaken in addition to using commercial databases for the identification of PEPs?
  2. Are there policies and procedures for the following:
     a. documenting which prominent public positions are considered politically exposed
     b. the identification of family members and close associates
     c. differentiation between types of PEP – i.e. foreign, domestic and international organisation PEPs
     d. declassification of PEP relationships
     e. coverage of the 8 areas in section 3.2 of this report
     f. tailoring specific to the firm
  3. Does the customer risk assessment consider the risks specific to the PEP and are these documented in accordance with the nature and complexity of the PEP relationship?
  4. Are the risks relating to the SOW/SOF of the PEP considered and documented?
  5. Is the ECDD undertaken, including the corroboration of SOW/SOF sufficient, and is there documented consideration of the risks posed?
  6. Does the management information provided to senior management provide a suitable overview of the PEP risk faced by the firm together with any trends and is this factored into the firm’s business risk assessments?