2026-06-04

Attention to the Risk-Based Approach for PEPs in Client Due Diligence Remains Important

The Dutch Authority for the Financial Markets (AFM) issued this report following a thematic investigation into how financial firms handle Politically Exposed Persons (PEPs) under the Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft). The regulator mandates that firms must apply a risk-based approach rather than automatically classifying all PEPs as high-risk, while strictly avoiding discrimination based solely on nationality. Additionally, firms are required to ensure consistent internal definitions, maintain comprehensive and auditable documentation, and provide targeted employee training to accurately identify and monitor PEP-related risks.

Netherlands

Autoriteit Financiele Markten

ANALYSIS REPORT

In brief - The handling of PEPs by financial enterprises requires tailored measures. No PEP is the same, nor do they present the same risks. This tailored approach requires a uniform understanding of what a PEP is and how to handle them. This requires, among other things, good training of employees, clear agreements, and reporting. Enterprises can use external parties or tools for this. However, they remain responsible for the choices and decisions made.

JUNE | 2026

© AFM 2026 | Attention to the risk-based approach for PEPs in client due diligence remains important 2

Background of the Investigation

The AFM conducted a thematic investigation into the handling of politically exposed persons (PEPs) under the Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft) at three investment institutions, two investment firms, and nine financial service providers who mediate in life insurance or use the national regime. The results were previously shared individually with the companies involved. With this publication, we share the most important overarching findings with the sector, along with some good practices.

PEPs are defined as persons who hold or have held a prominent public political function, as well as the direct family members (being partners, adult and minor children, and parents) or close associates (for example, someone who has close business relations with a PEP) of these persons. The concept of PEP is not limited only to foreign politically exposed persons: domestic politically exposed persons also fall under this concept.

A PEP is in any case:

a. head of state, head of government, minister, deputy minister, or state secretary;
b. member of parliament or member of a similar legislative body;
c. member of the board of a political party;
d. member of a supreme court, constitutional court, or another high judicial body that issues judgments against which, except in exceptional circumstances, no appeal is possible;
e. member of a court of audit or of the board of directors of a central bank;
f. ambassador, envoy, or high-ranking officer of the armed forces;
g. member of the governing body, supervisory body, or board of a state-owned enterprise;
h. director, alternate director, member of the board of directors, or holder of an equivalent function at an international organization.

See also: Wwft: Prominent Public Functions in the Netherlands | Tax and Customs Administration

Business relationships with PEPs require additional measures because this group carries a higher risk of reputational damage, corruption, and other risks. The enterprise must have risk-based procedures to determine whether the client or the UBO (Ultimate Beneficial Owner) of the client is a PEP.

PEPs do not automatically carry a high risk of money laundering or terrorist financing.

Findings of the Investigation

The AFM conducted this investigation based on its risk-based approach and following some findings from the evaluation by the Financial Action Task Force (FATF). We used data from investigations and from the periodic questionnaires we distribute in the context of the Wwft and the Sanctions Act (Sw). Below is an explanation of the main findings.

An enterprise must apply tailored measures when handling a PEP. According to the Wwft, an enterprise must be able to determine whether a client is a PEP. In the case of a PEP, an enterprise must take additional measures to prevent risks of money laundering and terrorist financing. The reason for this is that a PEP can be vulnerable to bribery and corruption. The investigation shows that, when additional measures are taken, attention is not always paid to the specific risks of a client identified as a PEP. Not every PEP poses a high risk, so not every PEP needs to be investigated in the same way.

Various risk indicators must be taken into account in the assessment of the client's risk profile, including, for example, the corruption level of a country. We have observed that some enterprises make a distinction between clients with Dutch nationality and clients with non-Dutch nationality. Using nationality as an independent criterion within risk classification can lead to unjustified discrimination.

Recent publications by, among others, De Nederlandsche Bank ('Proportionality in Perspective') and the Ministry of Finance ('Information Brochure for Politically Exposed Persons') also emphasize that a risk-based approach is necessary in the risk classification of PEPs. Classifying PEPs as high risk by default can lead to unnecessarily intensive measures being applied to PEPs with a low money laundering risk. The Dutch Banking Association (NVB) has published a risk-based standard with guidelines describing how client due diligence can be adjusted to concrete risks and which indicators are relevant in this regard.

A risk-based approach in the risk classification and assessment of a PEP

  • A PEP is not automatically classified as high risk; instead, each case is assessed separately based on relevant risk factors.
  • Nationality is not used as a standalone risk criterion to prevent unjustified discrimination.

A uniform understanding of what is meant by a PEP is necessary within the enterprise. Where a uniform PEP concept is absent and incorrect screening lists are used, an enterprise cannot determine the PEP status of a client and cannot assess the risks correctly.

In some cases, the measures taken in practice did not align with the PEP policy. This inconsistency increases the risk of confusion among employees and incomplete compliance with Wwft obligations.

Definitions are clearly recorded

  • The statutory PEP definition is applied.
  • Specification of sources, tools, and screening lists used.

Outsourcing and tools can provide support, but the enterprise's own control remains necessary.

Enterprises can assess whether a PEP is involved in various ways. An enterprise can conduct its own research based on internal or public sources, or use the services of commercial providers. However, an enterprise must always conduct its own research into the credibility and reliability of the information and cannot rely exclusively on statements from the client.

Some enterprises use an external agency for the determination and assessment of PEPs. However, the procedures do not always clearly record what the concrete role of the external agency is, which definitions and tools (external tooling) are used, and how continuous monitoring takes place. Although engaging an external agency can offer efficiency advantages, the enterprise itself remains responsible for compliance with the legal obligations under the Wwft.

In practice, clients can acquire or lose PEP status during the relationship. Enterprises must detect these changes in a timely manner so that the risk profile can be adjusted where necessary. The use of tools (external tooling) can support enterprises in continuous monitoring. However, tooling is not always timely or complete in detecting changes in PEP status, for example, in periods of political change, such as after elections.

Clear responsibilities are recorded

  • When an external party is engaged, the enterprise itself remains responsible for assessing the quality and reliability of the results.
  • Changes in PEP status are detected in a timely manner and supplemented with (manual) actions where necessary.
  • It is periodically evaluated whether policy and execution still align, and the policy is updated if necessary.

Training and recording require extra attention. Enterprises must pay attention to the training of employees regarding PEPs. Employees responsible for client due diligence must undergo appropriate training, which includes the determination and assessment of PEPs. In our 'Guideline Wwft and Sanctions Act' (pdf, 620 kB), it is stated that training should be as effective as possible and tailored to the different functions within the enterprise. During the investigation, it was observed that the policy of some enterprises refers to the Wft-advice diploma as training on the PEP concept. This is not always sufficient to ensure that employees, depending on the nature and size of the enterprise and their function, are aware of current developments and obligations regarding the determination and assessment of PEPs under the Wwft.

Invest in training and awareness

  • Employees involved in carrying out client due diligence receive appropriate and targeted training in identifying, assessing, and monitoring PEPs.
  • The training program records and makes visible which training courses are followed and how progress is monitored.

Furthermore, the AFM has established that at some enterprises, the recording of the identification and verification of PEPs, as well as the client due diligence and the associated screening results of the PEPs, does not take place in a sufficiently traceable manner. As a result, it is not always clear to the supervisor which additional measures have been taken and which data and documents were used in this regard.

Secure full and traceable recording

  • The documents and data used for client due diligence are recorded.
  • Data is retained for at least five years and is reproducible.
  • A suitable CRM or case management system has been considered for central and clear case formation.