AFM Flags Five PEP Due-Diligence Failures: What Firms Must Fix Now
The Dutch Authority for the Financial Markets (AFM) has published the findings of a thematic review into how financial firms handle client due diligence for politically exposed persons (PEPs). The headline conclusion is blunt: firms are applying blanket procedures where the law demands individual risk assessment, and several are doing so with outdated screening lists and undertrained staff. For crypto-asset service providers and the accounting firms that serve them, the AFM's findings are a direct signal that PEP frameworks will face scrutiny.
Why the AFM Reviewed PEP Handling Now
The review was triggered by earlier supervisory findings that surfaced during the AFM's periodic questionnaire cycle. The scope covered investment firms, investment funds, and financial services providers, assessed against their obligations under anti-money laundering, counter-terrorist financing, and sanctions legislation. PEPs occupy a specific position in that framework: because they hold or have held prominent public roles, they are considered more vulnerable to corruption and bribery, making them higher-risk by regulatory default.
The broader AML context
The AFM's review sits within a wider European push to tighten AML controls across all regulated sectors, including crypto-asset service providers now operating under MiCA. Firms that have recently gone through CASP authorization, or are building out compliance infrastructure to meet MiCA obligations, should treat this review as a live benchmark for what regulators expect PEP processes to look like in practice.
The Five Failures the AFM Identified
The review produced five distinct findings, each pointing to a gap between written policy and actual practice. Taken together, they describe a compliance culture that treats PEP screening as a box-ticking exercise rather than a risk-calibrated process.
1. Generic enhanced due diligence instead of individual risk assessment
When firms identified a PEP and applied enhanced due diligence, the AFM found they did not always tailor their measures to that individual's specific risk profile. Not every PEP carries the same exposure: a retired local councillor presents a different risk picture than a serving minister of finance in a high-corruption jurisdiction. The AFM is explicit that firms must assess each PEP on their own circumstances and apply proportionate measures accordingly.
2. Nationality used as a standalone risk criterion
Some firms were found to use a client's nationality as an independent factor in the risk assessment. The AFM flags this as problematic on two levels. First, it is analytically weak: nationality alone says little about an individual's actual corruption exposure. Second, and more seriously, it creates a material risk of unjustified discrimination. Nationality can inform a broader risk picture but cannot carry the weight of the assessment on its own.
3. Inconsistent definition and application of PEP scope
The PEP category covers not just the person holding a prominent public function, but also their immediate family members and close business associates. The AFM found this definition was not applied consistently within firms, with some teams applying a narrower interpretation than the law requires. Inconsistent internal understanding translates directly into missed screening hits and incomplete due-diligence files.
4. Outdated or incorrect screening lists
Even where screening processes existed, some firms were relying on lists that were no longer current. PEP status changes: elections, appointments, and resignations all shift an individual's exposure profile. A person who was a PEP at onboarding may no longer be one; a client who was not a PEP at onboarding may have become one. The AFM notes that changes in PEP status during an ongoing client relationship must be captured, and firms cannot assume their tooling handles this automatically.
5. Policy exists, but execution and documentation fall short
Perhaps the most operationally significant finding: many firms had adequate written policies but could not demonstrate that those policies were being followed in practice, and their documentation of individual due-diligence steps was insufficient. In an enforcement or audit context, an undocumented control is effectively no control. The AFM stresses that each step taken during client due diligence must be properly recorded.
Tooling, Third-Party Providers, and Where Responsibility Sits
Firms increasingly rely on third-party screening tools to identify PEPs, and the AFM does not object to that in principle. What the review makes clear is that outsourcing the screening task does not outsource the regulatory obligation. Firms remain fully responsible for verifying that the tool they use is performing the correct checks, that its lists are current, and that any gaps in its coverage are identified and compensated for through manual processes.
Implications for digital asset accounting and compliance infrastructure
For firms using crypto accounting software or digital asset accounting software to manage client portfolios, this is a relevant operational point. Screening tools integrated into client onboarding or transaction-monitoring workflows carry the same caveat: the firm, not the vendor, owns the compliance outcome. Reviewing vendor SLAs for list-update frequency and accuracy guarantees is a practical immediate step. This connects directly to the due-diligence questions firms should be asking about any data-dependent compliance process, as explored in our piece on how blockchain analytics data quality affects AML screening accuracy.
Staff Training: Fit-for-Purpose, Not Generic
The AFM found that some firms were relying on general financial qualifications to satisfy the training requirement for staff conducting PEP due diligence. The review is clear that this is insufficient. Training must be matched to the specific functions staff perform and grounded in real scenarios. A broad industry diploma does not, by itself, equip an analyst to correctly scope a PEP relationship, assess associated-party risk, or recognise when a client's political status has changed.
Compliance leads should audit their current training programmes against the specific tasks their teams perform in PEP screening and review. Where gaps exist, targeted upskilling, rather than reliance on general credentials, is the expected response.
Practical Steps for Compliance Officers and Accounting Firms
The AFM's findings translate into a clear checklist for firms reviewing their own PEP frameworks. None of these steps requires regulatory change; they reflect obligations already in force.
Immediate review priorities
First, audit how enhanced due diligence is actually applied at case level, not just how the policy describes it. Pull a sample of recent PEP files and test whether the measures applied were calibrated to the individual. Second, remove nationality as a standalone risk factor if it currently functions as one. It can remain a contextual data point, but the risk assessment must be driven by the individual's profile. Third, verify that the PEP definition applied by all teams includes family members and close business associates, not just the principal. Fourth, contact your screening tool provider and get written confirmation of how frequently lists are updated and how mid-relationship status changes are flagged. Fifth, document everything. If a step is not recorded, it did not happen from a supervisory perspective.
For firms that have recently engaged with the AFM's requirements in other areas, such as those working through the AFM's online interface requirements for crypto service providers, PEP due diligence should be treated as part of the same compliance audit cycle, not a separate workstream.
Firms managing PEP workflows across multiple jurisdictions should also note that the underlying obligation flows from the EU Anti-Money Laundering Directives, meaning equivalent supervisory attention is likely in other member states. The AFM's published findings give compliance teams a concrete framework to benchmark against, regardless of where their clients are based.
Source: AFM (Autoriteit Financiële Markten)
What does the AFM's PEP review cover?
The review assessed how investment firms, investment funds, and financial services providers handle client due diligence for politically exposed persons, including their use of screening tools, staff training, documentation, and individual risk assessment practices.
Does using a third-party screening tool satisfy the AFM's PEP requirements?
No. The AFM is explicit that responsibility for the accuracy and completeness of PEP screening remains with the firm. Firms must verify that any tool they use performs correct checks and that its underlying lists are kept current, including capturing mid-relationship changes in PEP status.
Can nationality be used as a factor in PEP risk assessments?
The AFM found that using nationality as a standalone or primary criterion creates a risk of unjustified discrimination and is analytically insufficient. It may form part of a broader contextual picture, but the individual's specific role, history, and exposure must drive the assessment.
Who counts as a PEP under the rules the AFM applies?
The category covers the person holding or having held a prominent public function, their immediate family members, and their close business associates. The AFM found that this full scope was not consistently applied within firms.
What training does the AFM expect for staff conducting PEP due diligence?
Training must be tailored to the specific functions staff perform, not satisfied by general financial qualifications. The AFM expects programmes to be grounded in real practice and matched to the actual PEP-related tasks each role involves.
