Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 7: Politically Exposed Persons

www.gfsc.gi 7. Politically Exposed Persons AML/CFT/CPF Guidance Notes May 2026

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 2 Table of Contents 7.1 Measures Applicable to Politically Exposed Persons........................................................................ 3

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 3 7.1 Measures Applicable to Politically Exposed Persons AML/CFT/CPF Requirements R22 A regulated entity is required to implement adequate systems and controls to mitigate any risk associated with establishing business relationships with Politically Exposed Persons, or their family members and close associates. R23 A regulated entity is required to take into account the continuing risk posed by a PEP, close associate and family member for at least 12 months after they cease to hold the prominent public function. Guidance

1. The term “politically exposed person” is defined under Section 20 of POCA and refers to “natural persons who are or have been entrusted with prominent public functions”. This includes the following1 : a) Heads of State, heads of government, ministers and deputy or assistant ministers; b) Members of parliaments or similar legislative bodies; c) Members of governing bodies of political parties; d) Members of supreme courts, of constitutional courts or of other high-level judicial bodies whose decisions are not subject to further appeal, except in exceptional circumstances; e) Members of courts of auditors or of the boards of central banks; f) Ambassadors, chargés d'affaires and high-ranking officers in the armed forces; g) Members of the administrative, management or supervisory bodies of State-owne enterprises; and h) Directors, deputy directors and members of the board or equivalent function of an international organization.
2. PEPs generally pose a higher inherent risk due to the nature and potential influence a PEP is able to exert whilst holding a prominent function. PEPs, family members and close associates therefore present an increased risk that they may use regulated entities as a vehicle to facilitate ML, TF or PF. In the case of corporate clients, where a PEP has been identified as a shareholder, director, or beneficial owner within a corporate structure, PEP status must be considered within the overall business relationship.
3. POCA outlines the requirement that family members and close associates of PEPs must also be treated as PEPs themselves as they may pose an increased risk of the business relationship being exploited by a PEP to carry out any potential illicit activity2 .
4. When determining whether an individual is a ‘close associate’ or ‘family member’ the following definitions apply3 :

• Family members include a PEP’s parents, partner (or equivalent), their children and their partners (or equivalent) ; and
• A close associate includes a natural person with whom the PEP shares a common business interest or beneficial ownership of a legal entity, legal arrangement or similar 1 Section 20A, Proceeds of Crime Act 2015 2 Section 20, Proceeds of Crime Act 2015 3 Section 20A, Proceeds of Crime Act 2015

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 4 or a natural person who has sole beneficial ownership of a legal entity, legal arrangement or similar that is known to have been set up for the benefit of a PEP. 5. POCA and these Guidance Notes do not draw a distinction between foreign and domestic PEPs. Therefore, all individuals identified as a PEP, irrespective of geographical location, must be subject to the same requirements outlined in POCA and these Guidance Notes. 6. A regulated entity is obliged to identify all natural persons during the establishment of a business relationship to verify whether they fall within the definition of a PEP, close associate or family member. A regulated entity should determine the most appropriate method to identify PEPs dependent on the size and nature of the products and services it provides. A regulated entity must also have controls in place to determine whether an individual becomes a PEP during the course of a business relationship. 7. A regulated entity must set out within its risk management framework, its risk appetite concerning PEPs, close associates and family members and must have documented clear guidelines for the treatment of PEP clients in line with POCA and these Guidance Notes. 8. A regulated entity must apply enhanced due diligence and enhanced ongoing monitoring measures to all business relationships where a PEP, close associate or family member has been identified. The level of enhanced due diligence undertaken must be commensurate to the risk posed by the PEP, close associate or family member. For further guidance on the application of enhanced due diligence and enhanced ongoing monitoring measures, please refer to the “Customer Due Diligence” and “Ongoing Monitoring” sections of these Guidance Notes. 9. A regulated entity must implement adequate systems and controls to mitigate the risks associated with establishing and maintaining a business relationship with a PEP. The minimum requirements as defined by POCA are as follows:

• A regulated entity must establish and document a clear policy which includes internal guidelines, procedures and controls regarding the treatment of PEP clients as per the legislative requirements outlined in Section 20, 20A and 20B of POCA.
• Maintain an appropriate risk management system to determine whether a potential customer or an existing customer is a PEP;
• Decisions to enter into business relationships with PEPs must be taken, documented and signed-off by senior management; and
• Business relationships which are known to be related to PEPs must be subject to enhanced ongoing monitoring and proactive monitoring of the business relationship.

10. A regulated entity must be able to demonstrate that the following controls have been applied when mitigating the risk posed by the PEP, family member or close associate:

• In the case of corporate customers, when dealing with PEPs, close associates or family members, a regulated entity must take into consideration the level of influence or control the PEP, close associate or family member may exert over the corporate.
• A thorough rationale of the risk assigned to the customer must be evidenced within the client risk assessment in line with the regulated entity’s policies and procedures.
• Source of wealth and/or funds must be documented and independently verified; and
• The PEP must be subject to enhanced ongoing monitoring measures.

11. Where it has been identified that a PEP, family member or close associate has ceased to be entrusted with a prominent public function, the regulated entity must determine whether the individual(s) continues to pose a risk for at least 12 months after ceasing to hold the prominent

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 5 function. A regulated entity must apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further PEP risks. 12. A regulated entity must ensure it obtains independent verification of the source of wealth and funds for the proposed business relationship and ensure these are appropriately documented. The source of wealth should encompass the entire body of wealth of the PEP and the source of funds should demonstrate where the initial funding has derived from to establish the business relationship. 13. Independent verification means that the information received by the PEP can be evidenced by obtaining independent proof of such, for example, open-source information, enhanced due diligence reports from a third-party provider or similar. The information received must be independent from the PEP in that it should not be from their own website or from a source where the PEP could have created the data themselves. For further guidance on the establishment and verification of source of funds and wealth, please refer to the “Customer Due Diligence” section of these Guidance Notes. 14. Once the nature and intended purpose, including the proposed number of transactions has been obtained, a regulated entity must ensure it conducts more frequent ongoing monitoring of the business relationship in order to establish and verify that the intended purpose is in fact what the corporate vehicle is being used for in practice. Sector-Specific Guidance – Trust & Company Services Providers (TCSPs) 15. TCSPs present particular vulnerabilities which may be exploited as a vehicle to facilitate illicit activity. Complex ownership structures can be utilised by PEPs in an attempt to conceal or hide the true nature of their ownership of an entity. It is imperative that all PEPs within a corporate structure are identified and verified during the onboarding of a new business relationship. In addition to this, the rationale and purpose/nature of the intended business relationship should also be sought and documented. 16. Where high risk jurisdictions are involved, TCSPs must note the increased risk and decide if this falls within the risk appetite of the regulated entity. Certain jurisdictions have a higher propensity to be used for bribery and corruption and drug trafficking leading to potential ML, TF or PF. When onboarding PEP clients from high-risk jurisdictions, the TCSP should ensure it appropriately documents the rationale for establishing the business relationship and the additional measures that are in place to ensure that it is able to verify the purpose for the corporate entity. Sector-Specific Guidance - Banks 17. The accessibility of banking products makes the sector an attractive industry for PEPs to use as a method to integrate illicit funds into the financial system and disguise the origin of the source of those funds. The use of various intermediaries and advisors for wealth management and private banking services may also increase the exposure to the risk of a bank being used to launder the proceeds of overseas bribery and corruption. 18. In these instances, mitigating actions may include increased transaction monitoring. This could include taking into consideration the frequency and amounts of transactions, jurisdictions where transactions are made to/from and a determination of whether these are commensurate with the independently verified source of funds and wealth established at the inception of the business relationship.

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 6 Example - State Owned Enterprises 19. Generally, in the case of state-owned enterprises, the ultimate beneficial owner is the government, which is therefore itself a PEP institution. In these instances, it is reasonable to assume that the source of wealth will be government funds. However, this does not remove the requirement to ensure that any additional funds or transactions are appropriately verified. 20. In these circumstances, the regulated entity would be expected to identify and verify all the directors within the state-owned enterprise given they will likely exercise and maintain significant control over the entity. Given that a regulated entity may not be able to obtain the initial source of wealth/funds for the business relationship, this should be recorded accordingly within the client risk assessment. The extent of due diligence undertaken must be commensurate with the risk posed by the state-owned enterprise and the customer, country, product and interface risks must still be scored accordingly. 21. A regulated entity is required to carry out enhanced ongoing monitoring of these business relationships to ensure that any changes to the intended nature and purpose of the business relationship, remain unchanged and in line with the expected customer activity.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2017 Gibraltar Financial Services Commission