PEP Levels: Why Level 3 and 4 Create Compliance Risk

During Operation Car Wash, procurement officials who facilitated billions in kickbacks through Petrobras were not senior political figures. These individuals fall under Level 3 and Level 4 in FATF classification and often remain absent from standard PEP screening databases. That gap is still present in most compliance programs running today.

The exposure that leads to enforcement measures and financial fines usually follows a different pattern. This could involve the city councilor who greenlit a $40 million infrastructure contract. The regional licensing official who handled permits for a construction company, or the municipal procurement officer whose choices impacted numerous local vendors. These individuals qualify as Politically Exposed Persons (PEPs). However, they are not always present in the databases of the routine screening programs.

FATF Recommendations 12 and 22 require financial institutions and designated non-financial businesses and professions (DNFBPs) to apply enhanced due diligence (EDD) across the full PEP population in a risk-calibrated manner. The emphasis lies on full coverage across all PEP categories. Most PEP screening programs are not running full coverage; they’re running coverage of the top two tiers and calling it complete.

What Are PEP Levels in AML Screening?

The Financial Action Task Force (FATF) structures PEP risk across four levels. Each level reflects a different category of political exposure, not a ranking of which individuals matter for compliance purposes. All four levels carry regulatory obligations.

What The Four FATF PEP Levels Actually Cover

There are 4 primary levels in which PEPs are categorized based on the risk they pose and the power and authority they hold. So here is the breakdown:

Level 1, Senior National Officials: At the first and most noticeable level, these are most often the executive or higher, such as heads of state, prime ministers, presidents, senior cabinet ministers, judges of the Supreme Court, and senior military commanders. They are often covered by commercial databases of PEP, and with good reason: their risk of exposure is the greatest, and their public presence simplifies the task of data collection.

Level 2, Legislators and Senior State-Owned Enterprise Executives: The second level also includes the well-known people of the state, whether they are politicians or not, such as the members of parliament, as well as the senior executives and board members of state-owned enterprises. It also includes senior central bank officials and prominent political party officials. Level 2 coverage is widespread, but not universal. The emerging markets and jurisdictions where state enterprise structures are opaque or are often reorganized present gaps.

Level 3, Mid-Tier Government Officials: This level includes provincial officials, regional judges, mayors of large cities, and mid-level regulatory appointees. This is the point of significant coverage gaps. The population is large, data is inconsistently available, and the connection between role and financial influence is less visible, even though the practical access to public funds and procurement decisions at this tier can be substantial.

Level 4, Local Officials and Sub-National Functionaries: This category is the most consistently underrepresented in commercial PEP databases. It includes the city councilors, district-level officials, local licensing authorities, and equivalent roles. It is also the tier most frequently exploited in documented grand corruption cases involving public procurement, land-use decisions, and licensing, precisely because local officials exercise significant discretionary authority with limited oversight.

The compliance obligation does not end at Level 2. FATF’s risk-based approach requires institutions to assess and document their rationale for treating each level, rather than assuming lower levels fall outside the scope.

Where Most PEP Screening Programs Actually Break Down

The gap does not usually stem from policy design. Most compliance teams understand that PEP coverage should be broad. The issue is the availability of data and coverage of vendors, not will.

Level 1 and Level 2 profiles are the most common types found in commercial PEP databases. This is mainly because this information is easier to find. There are many public records available, and most sources are in English. The risk of not identifying a city councilor is much higher than missing a head of state. As a result, organizations that often check their databases are most of the time unprepared for Level 3 and Level 4 risks without realizing that they need screening as well.

This creates a specific audit vulnerability within the screening process. Therefore, during a regulatory examination, a compliance officer can demonstrate the policy. What they are unable to constantly prove is that the database they rely on actually includes Level 3 and Level 4 individuals in the jurisdictions their customers belong to. As a matter of fact, the coverage of data and policy requirements often does not align with each other.

The EU has improved its anti-money laundering (AML) rules with a new legislative package. The Anti-Money Laundering Authority (AMLA) will play a key role in supervision once it is fully operational. The updated regulations follow FATF guidance and provide clearer expectations for politically exposed persons (PEPs), including more regional and local officials. Organizations in EU member states now need to document their screening processes and the quality of the data they use.

What Are the Risks of Missing Level 3 and Level 4 PEPs?

The total amount of AML fines for non-compliance in 2023 exceeded 6.6 billion globally. A large part of the enforcement action stemming from PEP-related failures is not associated with situations in which institutions lacked a screening process. However, this certainly occurs when the screening process is not applied sufficiently far down the PEP hierarchy.

The Real Cost of Level 3 and Level 4 Blind Spots

There is a significant pattern of risk that is clear and consistent. An account is opened by a local procurement official who has the authority to make contracts. The PEP screen from the institution shows this person is not listed, as the database only includes national politicians. The account will go through the onboarding process. It initiates transactions that indicate the access of the official to the public funds. When the pattern is escalated or an external investigation leaks out, then months of exposure to the institution have been experienced, and a documented screening gap is recorded.

As regulators usually ask at that point, a single question will be addressed: could this have been picked up by a properly structured PEP screening program? When the answer is yes, and with Level 4 coverage, it usually would be, the risk-based approach of the institution is hard to justify.

Level 3 exposure is the same at greater levels of transactions. Judicial appointments to the middle tiers, provincial budget administrators, and regional licensing officials have significant financial power. They do not lack in a database, and this is not a compliance defense.

Why Relatives and Close Associates Make the Coverage Problem Worse

FATF Recommendation 12 specifically states that institutions should screen not only PEPs, but also their Relatives and Close Associates (RCAs). When Level 4 coverage is already sparse, effective RCA coverage at Level 4 resides in most standard databases.

The typology is well-documented: a local official having no opportunity to safely control assets in his/her name uses a spouse, sibling, or a trusted business partner as the formal owner of the vehicle. The pattern of transaction seems to be a usual business interaction until the hidden PEP connection is revealed.

A system that is not able to detect the PEP at Level 4 has no system to flag its RCAs. This restriction increases the risk exposure.

The Coverage-Workload Tradeoff: What Happens When You Actually Screen All Four Levels

Increasing PEP coverage from Level 2 to Level 4 doesn’t simply enhance detection; it increases alert volume. The 200 PEP alerts handled per week by a compliance team with Level 1200 coverage can potentially increase to 400 under FATF complete coverage.

The industry-wide percentage of AML alerts is about 90% false positives. In the absence of a system that can discriminate between true positives and false positives at scale, increased coverage only brings about burnout among the analysts rather than enhanced compliance.

For MLROs evaluating Level 4 expansion, the consideration extends beyond data availability; it’s “can our team work the data without being buried by it.” It is not the problem that is to be solved after the coverage problem, but rather the operational problem.

TruRisk cuts down false positives by 44% and reduces manual reviews by 70-80%. The tool integrates PEP, sanctions, watchlists, and adverse media screening into a single risk-scoring tool.

Building a PEP Screening Program That Holds Up Under Scrutiny

A PEP screening program that is not rejected by regulatory review consists of three elements beyond the screening process itself. Here is how it works:

Coverage documentation: The compliance teams should be able to demonstrate specifically what degree of PEP their database addresses. Also, in which jurisdictions and how the RCA data is handled. It is not hypothetical research but what investigators demand.

Risk-based calibration: FATF does not imply that all four levels are to be treated equally; it requires a documented risk-based approach. For instance, a company that primarily serves domestic retail customers has a different Level 4 exposure profile than one that serves international corporate customers. Actual customer risk, and not vendor defaults, should be reflected in the calibration.

Ongoing monitoring: PEP status is not static. Level 3 and Level 4 officials switch positions, move in and out of offices, and constantly build new relationships. An onboarding point-in-time screen is not adequate. The only process that keeps the program up to date is ongoing monitoring, which reflects changes in status in real-time.

Level 3 and Level 4 compliance gap is not an intent failure, but rather a data infrastructure failure. It will need a database constructed to cover the full spectrum rather than the simplest coverage areas.

Moreover, TruRisk reduces false positives by 44% and manual reviews by 70-80%. The tool integrates PEP, sanctions, watchlists, and adverse media screening into a single risk-scoring tool.

How AML Watcher Closes the Level 4 Gap

Most PEP screening providers focus on high-ranking officials, which leaves gaps in coverage. AML Watcher addresses these gaps by collecting information on over 100,000 sources across over 235 regions. It addresses the four levels of the FATF PEP, including local officials, who are usually neglected.

The RCA data is combined, i.e., it is collaborative rather than maintained separately. It not only covers inaccessible areas such as Crimea and Northern Cyprus, but also updates in real-time on the evolving lower-level positions. An identity database using biometric face recognition is used to identify individuals when name matching fails.