PEP Screening: What It Is, How It Works & Why It Matters
The World Bank estimates that over $1 trillion in bribes is paid each year. The Stolen Asset Recovery Initiative puts annual theft by public officials in developing countries at $20–40 billion. These aren’t abstract figures; they represent the financial flows that Politically Exposed Person (PEP) screening exists to detect and disrupt.
In November 2024, the FCA fined Starling Bank £28.96 million specifically for PEP and sanctions screening failures. A month earlier, TD Bank pleaded guilty to systemic AML violations and paid $1.8 billion, one of the largest AML penalties in US banking history.
The regulatory pressure is clear, yet many institutions still struggle with the fundamentals of PEP screening and its role within AML PEP compliance frameworks.
What Is PEP Screening?
PEP screening is the process of identifying whether a customer, counterparty, or beneficial owner holds or has held a prominent public function, and applying enhanced due diligence accordingly. Its policy foundations trace to the United Nations Convention Against Corruption (UNCAC, 2003), which influenced early international expectations around politically exposed persons. FATF built on this through Recommendations 12 and 22, which remain the primary global reference points.
FATF Recommendation 12 requires financial institutions to apply enhanced due diligence to foreign PEPs and to apply a risk-based approach to domestic and international organization PEPs; implementation details vary across jurisdictions based on national AML frameworks. It also mandates senior management approval before establishing or continuing high-risk PEP relationships. Recommendation 22 extends equivalent obligations to Designated Non-Financial Businesses and Professions (DNFBPs): real estate agents, lawyers, accountants, and dealers in precious metals.
These FATF standards are implemented through national frameworks: EU 5AMLD expanded PEP-related requirements and strengthened beneficial ownership transparency, while EU 6AMLD focused on harmonizing predicate offenses and criminal liability across member states. The UK Money Laundering Regulations 2017 codify PEP, sanctions, and adverse media obligations; FinCEN’s Customer Due Diligence rule requires US institutions to identify PEPs.
PEP screening is distinct from sanctions screening. Sanctions screening blocks transactions with prohibited parties. PEP screening identifies elevated-risk individuals who require additional scrutiny; they are not banned from doing business, but their relationships require documented EDD.
Screening programs must also account for former PEPs because political influence, access to state networks, and corruption exposure may continue after an official leaves office.
Who Qualifies as a PEP?
FATF defines a PEP as an individual entrusted with a prominent public function. That definition covers three categories: domestic PEPs (nationals holding senior public roles within their own country), foreign PEPs (nationals of another country in equivalent roles), and international organization PEPs (senior officials of bodies such as the UN, World Bank, or IMF).
Domestic PEPs include heads of state, government ministers, senior judicial officials, military commanders, central bank executives, and executives of state-owned enterprises. International organization PEPs cover ambassadors, directors-general, and equivalent senior leadership.
Jurisdictional definitions diverge meaningfully. FATF’s criteria are broad by design. The UK’s FCA applies an expansive interpretation that includes family members and close associates by default. The US, through FinCEN guidance, focuses on senior foreign political figures with a more graduated risk-based approach domestically. Canada defines PEPs under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act with specific named role categories. Individuals such as celebrities, athletes, and entertainers are not considered PEPs solely because of their public visibility unless they hold, or previously held, a prominent public function. However, compliance scrutiny may still arise through adverse media exposure, sanctions links, or associations with politically connected individuals and corruption networks.
PEP Risk Segmentation Used in Compliance Programs
Many compliance programs segment PEP risk into multiple tiers based on seniority and exposure, although FATF itself defines PEPs in broader categories rather than fixed levels.
Level 1 covers heads of state, senior cabinet ministers, and the most senior political leadership. These individuals are well documented: English-language profiles appear in most commercial databases, and screening coverage is generally reliable. Level 2 includes members of parliament, senior executives of government-owned enterprises, and senior judicial appointments, still well covered by mainstream providers.
Level 3 and Level 4 are where most programs face limitations. Level 3 encompasses mayors, provincial officials, regional procurement officers, and mid-tier judicial roles. Mayors and municipal officials are often classified as domestic PEPs because of their procurement and budget authority, though treatment varies by jurisdiction and risk exposure.
Level 4 covers city councilors, local government executives, and equivalent roles at the municipal level. These profiles are harder to source: data is often in local languages, roles change more frequently, and coverage requires active research infrastructure rather than passive aggregation.
The compliance significance is real. Operation Car Wash, the Brazilian anti-corruption investigation that began in 2014, exposed hundreds of millions in bribes routed through Petrobras contracts, implicating officials at multiple levels of government: state secretaries, municipal inspectors, and procurement directors. Many of those implicated were mid- and lower-tier officials, municipal and procurement-level actors, whose exposure often falls into lower-tier risk classifications in commercial screening models. Level 3 and 4 gaps are where enforcement failures actually occur.
Relatives and Close Associates—The Risk Beyond the PEP
PEPs rarely conduct illicit transactions in their own name. The operational pattern is that wealth is routed through family members, business partners, lawyers, and nominee structures. Relatives and Close Associates (RCAs) are the conduits, not the principals.
EU 5AMLD requires financial institutions to consider family members and close associates as part of PEP-related risk assessment, with risk-based treatment applied depending on jurisdiction and exposure. Spouses, children, parents, and known business partners fall within the RCA scope under FATF guidance and in most major jurisdictions.
The practical challenge is that RCA mapping cannot be resolved solely through name matching. It requires network analysis: understanding corporate structures, beneficial ownership chains, and documented associations. A PEP who holds no accounts but whose adult children control shell companies in separate jurisdictions requires a different data approach than standard customer screening. This is why adverse media screening and international leaks data become critical complements to direct PEP checks in any credible EDD program.
How Does PEP Screening Work?
The PEP screening process begins at onboarding and continues throughout the customer lifecycle. Here is how it runs in practice.
Identity Data Collection: Name, date of birth, nationality, address, and known aliases are captured at onboarding. Quality here determines match accuracy downstream.
Database Screening: Customer data is screened against PEP databases using name-matching algorithms that handle phonetic variants, transliterations, and aliases. Coverage should span all four PEP risk levels plus RCA profiles.
Match Assessment: Results are evaluated using secondary identifiers (DOB, nationality, and gender) to separate true matches from false positives.
Risk Scoring: Confirmed PEP matches are assessed by PEP level, jurisdiction, role seniority, and adverse media presence to determine the appropriate due diligence tier.
Due Diligence Application: Standard Customer Due Diligence (CDD) applies to lower-risk PEP matches. EDD is generally required for foreign PEPs under FATF Recommendation 12, with implementation subject to national risk-based frameworks.
Senior Management Approval: FATF Recommendation 12 requires sign-off from senior management before high-risk PEP relationships are onboarded or continued.
Ongoing Monitoring: Institutions must continuously monitor status changes, appointments, departures, and adverse media. Ongoing monitoring is a core requirement of FATF Recommendation 12 and the UK MLR 2017.
FATF and national AML frameworks expect institutions to conduct ongoing screening throughout the customer lifecycle. Firms often automate rescreening, while lower-risk environments may conduct periodic reviews based on risk classification.
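To make the database screening and match assessment steps concrete, here is an added example of a minimal screening pass (this is illustrative code written for this article, not AML Watcher's product or any vendor's matcher). Names are normalized to strip diacritics and punctuation so transliteration variants compare equal, tokens are compared with a Jaro-Winkler similarity that tolerates spelling variants and word-order differences, aliases are checked, and every name hit is then dispositioned on secondary identifiers rather than on the name alone. The watchlist entries, customer records, threshold and field names are all constructed for the example.

```python
import re
import unicodedata
from dataclasses import dataclass, field


@dataclass
class PepProfile:
    """One watchlist entry. All values used below are constructed for this example."""
    name: str
    aliases: list = field(default_factory=list)
    dob: str = ""            # ISO date; empty when the source does not record it
    nationality: str = ""    # ISO 3166-1 alpha-2
    level: int = 4           # 1 (heads of state) .. 4 (municipal), as in the tiering above


@dataclass
class Customer:
    name: str
    dob: str
    nationality: str


def normalize(name: str) -> list:
    """Lower-case, strip diacritics and punctuation, and split into tokens.

    'Nguyễn Văn An' and 'Nguyen Van An' normalize to the same tokens, and
    'Al-Rashid' / 'al Rashid' both become ['al', 'rashid'].
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]+", " ", ascii_only.lower()).split()


def jaro_winkler(s: str, t: str) -> float:
    """Standard Jaro-Winkler similarity in [0, 1]; rewards shared prefixes."""
    if s == t:
        return 1.0
    if not s or not t:
        return 0.0
    window = max(0, max(len(s), len(t)) // 2 - 1)
    s_flags, t_flags = [False] * len(s), [False] * len(t)
    matches = 0
    for i, ch in enumerate(s):
        for j in range(max(0, i - window), min(len(t), i + window + 1)):
            if not t_flags[j] and t[j] == ch:
                s_flags[i] = t_flags[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    s_m = [c for c, f in zip(s, s_flags) if f]
    t_m = [c for c, f in zip(t, t_flags) if f]
    transpositions = sum(a != b for a, b in zip(s_m, t_m)) // 2
    jaro = (matches / len(s) + matches / len(t) + (matches - transpositions) / matches) / 3
    prefix = 0
    for a, b in zip(s, t):
        if a != b or prefix == 4:
            break
        prefix += 1
    return jaro + prefix * 0.1 * (1 - jaro)


def token_similarity(a: list, b: list) -> float:
    """Order-insensitive name score: mean of each token's best match in the other name."""
    if not a or not b:
        return 0.0
    forward = sum(max(jaro_winkler(x, y) for y in b) for x in a) / len(a)
    backward = sum(max(jaro_winkler(y, x) for x in a) for y in b) / len(b)
    return (forward + backward) / 2


NAME_THRESHOLD = 0.85   # constructed; a real program tunes this against its own data


def assess(customer: Customer, profile: PepProfile) -> str:
    """Disposition a name hit on secondary identifiers (the Match Assessment step)."""
    dob_known = bool(customer.dob and profile.dob)
    if dob_known and customer.dob != profile.dob:
        return "false_positive"      # a date-of-birth conflict is decisive
    nat_conflict = bool(customer.nationality and profile.nationality
                        and customer.nationality != profile.nationality)
    if dob_known and not nat_conflict:
        return "true_match"
    return "needs_review"            # missing DOB or nationality conflict goes to an analyst


def screen(customer: Customer, watchlist: list) -> list:
    """Return (profile, name_score, disposition) for each entry above the name threshold."""
    tokens = normalize(customer.name)
    hits = []
    for profile in watchlist:
        score = max(token_similarity(tokens, normalize(n)) for n in [profile.name, *profile.aliases])
        if score >= NAME_THRESHOLD:
            hits.append((profile, round(score, 3), assess(customer, profile)))
    return hits


# Constructed watchlist: these are not real PEP records.
WATCHLIST = [
    PepProfile("Nguyễn Văn An", ["Nguyen Van An"], "1962-03-14", "VN", level=3),
    PepProfile("Mohammed Al-Rashid", ["Muhammad Alrashid", "Mohamed al Rashid"], "", "SA", level=2),
    PepProfile("Jonathan Smith", [], "1975-09-01", "GB", level=4),
]

if __name__ == "__main__":
    for c in [Customer("Nguyen Van An", "1962-03-14", "VN"),
              Customer("Muhamed Al Rashid", "1980-01-01", "AE"),
              Customer("Jon Smith", "1990-05-05", "GB")]:
        for profile, score, disposition in screen(c, WATCHLIST):
            print(f"{c.name!r} -> {profile.name!r} (level {profile.level}) score={score} {disposition}")
```

The three constructed customers exercise the three outcomes an analyst queue needs: an exact transliteration match confirmed by DOB, a fuzzy alias hit that cannot be resolved because the watchlist entry has no DOB, and a strong name hit discarded on a DOB conflict. The last case is the one that matters for the false-positive burden discussed later in this article: without the secondary-identifier step, "Jon Smith" would land on an analyst's desk.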
From Standard to Enhanced PEP Due Diligence
PEP risk assessment determines which due diligence tier applies. Not every PEP match requires the same response. The level of investigation should align with the actual exposure level.
Not all PEPs automatically require the same level of enhanced due diligence. FATF Recommendation 12 mandates EDD for foreign PEPs, while domestic PEPs and international organization PEPs may be assessed using a risk-based approach depending on jurisdiction, seniority, transactional behavior, and adverse media exposure. Lower-risk domestic PEPs may remain under standard monitoring controls if the institution documents a justified risk assessment.
Standard CDD is appropriate for lower-tier domestic PEPs in low-risk jurisdictions with no adverse media presence. EDD is triggered by higher-risk indicators: foreign PEP status, Level 1 or 2 seniority, adverse media hits, complex beneficial ownership structures, or transaction patterns inconsistent with stated business profile.
EDD in a PEP context means documented source of wealth verification, source of funds documentation for specific transactions, transaction monitoring calibrated to the PEP’s known income profile, and senior management sign-off. Foreign PEPs generally require mandatory EDD under FATF standards, while domestic PEPs are treated using a risk-based approach depending on jurisdiction. The audit record should show which data were reviewed, what conclusions were reached, and who approved the relationship.
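The tier decision described in this section, as an added example (illustrative code written for this article, not AML Watcher's product): foreign PEP status forces EDD outright, while domestic and international organization PEPs are scored on the indicators listed above (seniority level, jurisdiction risk, adverse media, complex beneficial ownership, time since leaving office) and routed to EDD once the score crosses a threshold, with senior management approval and the EDD control set attached to every EDD outcome and the reasoning recorded for the audit trail. The weights, threshold and re-screening cycles are constructed assumptions that an institution would calibrate and document in its own risk assessment.

```python
from dataclasses import dataclass


@dataclass
class PepMatch:
    """A confirmed PEP or RCA hit. Field values and weights are constructed for this example."""
    category: str                     # "foreign", "domestic" or "international_org"
    level: int                        # 1 (heads of state) .. 4 (municipal), per the tiering above
    jurisdiction_risk: str            # the institution's own country rating: "low", "medium", "high"
    adverse_media: bool = False
    complex_ownership: bool = False   # layered beneficial-ownership structures
    is_rca: bool = False              # relative or close associate, screened at the linked PEP's level
    years_since_office: int = 0       # 0 for a serving official


# Constructed weights: Level 1 or 2 seniority alone reaches the EDD threshold,
# a Level 3 domestic PEP reaches it only with a further indicator such as adverse media.
LEVEL_WEIGHT = {1: 60, 2: 50, 3: 25, 4: 10}
JURISDICTION_WEIGHT = {"low": 0, "medium": 10, "high": 20}
ADVERSE_MEDIA_WEIGHT = 30
COMPLEX_OWNERSHIP_WEIGHT = 20
EDD_THRESHOLD = 50
EDD_CONTROLS = ["source of wealth verification", "source of funds per transaction",
                "transaction monitoring calibrated to known income profile"]
RESCREEN_DAYS = {"EDD": 1, "CDD": 90}   # constructed: automated daily vs periodic review


def risk_score(m: PepMatch) -> int:
    """Additive score over the risk indicators; former PEPs decay slowly but never to zero."""
    score = LEVEL_WEIGHT[m.level] + JURISDICTION_WEIGHT[m.jurisdiction_risk]
    if m.adverse_media:
        score += ADVERSE_MEDIA_WEIGHT
    if m.complex_ownership:
        score += COMPLEX_OWNERSHIP_WEIGHT
    # Influence outlives the office: cap the decay so a former head of state stays at EDD.
    score -= min(10, 2 * m.years_since_office)
    return max(score, 0)


def due_diligence_decision(m: PepMatch) -> dict:
    """Return the tier, approval requirement, controls and an auditable rationale."""
    score = risk_score(m)
    rationale = []
    if m.category == "foreign":
        tier = "EDD"
        rationale.append("foreign PEP: EDD required under FATF Recommendation 12")
    else:
        tier = "EDD" if score >= EDD_THRESHOLD else "CDD"
        rationale.append(f"{m.category} PEP scored {score} against EDD threshold {EDD_THRESHOLD}")
    if m.level <= 2:
        rationale.append(f"level {m.level} seniority")
    if m.adverse_media:
        rationale.append("adverse media hit")
    if m.complex_ownership:
        rationale.append("complex beneficial ownership structure")
    if m.years_since_office:
        rationale.append(f"former PEP, {m.years_since_office} years since leaving office")
    if m.is_rca:
        rationale.append("relative/close associate: treated at the linked PEP's level")
    return {
        "tier": tier,
        "score": score,
        "senior_management_approval": tier == "EDD",
        "controls": EDD_CONTROLS if tier == "EDD" else ["standard CDD monitoring"],
        "rescreen_days": RESCREEN_DAYS[tier],
        "rationale": rationale,
    }


if __name__ == "__main__":
    for case in [PepMatch("foreign", 3, "low"),
                 PepMatch("domestic", 4, "low"),
                 PepMatch("domestic", 3, "low", adverse_media=True),
                 PepMatch("domestic", 2, "low", years_since_office=6, is_rca=True)]:
        decision = due_diligence_decision(case)
        print(case.category, "level", case.level, "->", decision["tier"], decision["rationale"])
```

The rationale list is the part worth keeping: it records which indicators drove the outcome, which is what an auditor asks for when checking that a Level 4 domestic PEP left on standard CDD was a documented, justified decision rather than a missed hit.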
Financial institutions are not prohibited from doing business with PEPs solely because of their status. FATF guidance does not require blanket de-risking of politically exposed persons. However, institutions may refuse or exit relationships where the corruption risk cannot be adequately managed, the source of wealth cannot be verified, adverse media exposure remains unresolved, or the customer falls outside the institution’s documented risk appetite.
PEP Screening Across Sectors: Who Needs It and Why
PEP screening requirements extend well beyond banking, and the regulatory scope has broadened considerably under FATF Recommendation 22 and its jurisdictional implementations.
Banking faces the most granular regulatory requirements. The Nigel Farage debanking controversy in the UK (2023) illustrated the tension between robust EDD and financial inclusion: PEP screening conducted without proportionality judgments creates a reputational and regulatory risk of its own.
FinTech and neobanks face the challenge of scaling PEP screening without scaling compliance headcount. API-based screening with automated risk scoring is the operational requirement; manual review is not viable at volume.
Crypto and VASPs are subject to FATF’s Travel Rule (Recommendation 16), which requires the transmission of originator and beneficiary information for transfers above a threshold. PEP screening intersects directly here, as VASP counterparties may be PEP-linked.
DNFBPs, real estate agents, lawyers, accountants, and dealers in high-value goods carry mandatory PEP screening obligations under FATF Recommendation 22. Real estate is a documented vehicle for PEP-linked wealth placement; legal and accounting intermediaries are frequent RCA conduits.
When PEP Screening Fails: Real-World Enforcement Cases
Enforcement cases reveal where PEP screening programs fail operationally, not just where institutions get caught.
HSBC Private Bank (Suisse) FINMA enforcement (2015):
FINMA found that HSBC Suisse had failed to adequately identify and scrutinize PEP relationships, including accounts linked to Lebanese political figures involving transactions exceeding $300 million. The failure was not missing data; it was inadequate monitoring of known high-risk relationships.
Riggs Bank (US), 2004:
The Office of the Comptroller of the Currency imposed a $16 million civil money penalty after Riggs maintained accounts for foreign heads of state, including Augusto Pinochet and the Obiang family of Equatorial Guinea, without applying the required EDD. The case established the regulatory benchmark for PEP due diligence failure.
Starling Bank (UK), FCA fine, November 2024:
The FCA imposed a £28.96 million penalty after finding that Starling’s financial crime controls had not kept pace with its rapid growth. The regulator’s finding was direct: Starling had onboarded high-risk customers without adequate PEP and sanctions screening in place.
TD Bank (US/Canada), DOJ/FinCEN penalties October 2024:
TD Bank pleaded guilty to Bank Secrecy Act violations and paid $3.1 billion, the largest AML penalty in US history at the time. Regulators concluded that systemic weaknesses in AML controls and customer risk management contributed to the enforcement action.
What to Look for in a PEP Screening Platform
Compliance teams evaluating screening providers should assess against these criteria, not marketing materials.
Data coverage is the foundational question. Does the provider cover all four PEP risk levels, or only Levels 1 and 2? Does coverage include RCA mapping with alias and AKA handling? Are contested regions, territories with disputed sovereignty or limited official data, included?
Update frequency determines whether a PEP status change is reflected before a risk-relevant event occurs. Batch updates (daily or weekly) create exposure windows. Frequent update cycles reduce exposure to delayed PEP status changes.
The quality of the matching algorithm affects both false-positive rates and false-negative risk. Phonetic matching, transliteration support, fuzzy logic, and alias coverage are core capabilities for any system screening multilingual global data.
False positive management is operationally critical. At the industry-average false positive rate of roughly 90%, screening without intelligent resolution creates more analyst burden than it relieves. Automated risk scoring and structured disposition workflows are necessary at any meaningful scale.
Integration, audit trail, and reporting close the evaluation. API integration with ongoing monitoring hooks, structured case records, and exportable audit logs are minimum requirements for a defensible compliance program.