
Introduction
PEP screening is a regulatory-mandated process used by financial institutions to identify customers who hold — or have held — prominent public positions, and assess the money laundering and corruption risk they present. Under global AML frameworks anchored in FATF Recommendations 12 and 22, it is a non-negotiable component of any KYC and AML program.
The stakes are concrete. In October 2024, the FCA fined Starling Bank £28,959,426 for financial crime systems and controls failings, including opening 54,359 accounts for 49,183 high or higher-risk customers while a voluntary requirement (VREQ) it had agreed with the FCA barred it from doing so. That fine reflects what happens when screening controls fail to keep pace with business growth.
The Starling case reflects a pattern that runs across regulated industries: compliance teams treat screening as an onboarding checkbox rather than an ongoing risk management function. This article covers how PEP screening actually works, what determines its accuracy, and where most programs fall short.
TL;DR
- PEP screening identifies individuals entrusted with prominent public functions, triggering EDD requirements under FATF Recommendations 12 and 22
- PEP status is not grounds for automatic rejection — it requires risk assessment, source-of-wealth verification, and senior management approval
- Screening must start at onboarding and continue throughout the entire customer relationship
- Accurate screening requires fuzzy name matching, alias capture, RCA coverage, and adverse media — not just a single list check
- The most common failures are point-in-time screening, incomplete databases, and no declassification protocol
What Is PEP Screening?
PEP screening is the structured process by which regulated entities identify individuals who are, or have been, entrusted with a prominent public function — and determine what level of due diligence the business relationship requires. FATF's foundational guidance defines three PEP categories: foreign PEPs, domestic PEPs, and persons entrusted with prominent functions by international organizations. Recommendations 12 and 22 set out the corresponding obligations for financial institutions and designated non-financial businesses and professions (DNFBPs).
The purpose is to prevent financial systems from being misused by individuals who, due to political power or access to state resources, carry elevated exposure to bribery, corruption, and money laundering. PEP status is a risk signal that requires additional scrutiny. It is not grounds for automatic exclusion.
PEP Screening vs. Sanctions Screening
These two processes are frequently conflated, but they have different legal objectives:
| | PEP Screening | Sanctions Screening |
|---|---|---|
| Purpose | Identify elevated-risk individuals | Identify prohibited parties |
| Outcome | Enhanced due diligence | Transaction blocked outright |
| Legal status of subject | May legally do business | Legally prohibited |
| Regulatory basis | FATF Rec. 12/22, MLR 2017, EU AMLR | OFAC, HM Treasury, EU sanctions lists |
PEP obligations also extend beyond the named individual. FATF explicitly requires that Recommendation 12 measures apply to relatives and close associates (RCAs) across all PEP types — a coverage gap found in many commercial screening tools.

Why PEP Screening Is Required
The Regulatory Mandate
FATF Recommendation 12 requires financial institutions to apply mandatory EDD to foreign PEPs, including senior management approval, source-of-wealth and source-of-funds measures, and enhanced ongoing monitoring. For domestic PEPs and international organization PEPs, a risk-based approach applies — EDD is required where the relationship is assessed as higher risk.
Recommendation 22 extends equivalent obligations to DNFBPs: real estate agents, lawyers, accountants, and dealers in precious metals and stones.
National frameworks translate these into enforceable law:
- UK: Money Laundering Regulations 2017, Regulation 35 — requires risk-management systems, senior management approval, source-of-wealth/funds measures, and enhanced ongoing monitoring
- EU: 5AMLD requires Member States to publish lists of prominent public functions; Regulation (EU) 2024/1624 (the AMLR) carries the PEP provisions that will apply to obliged entities from July 2027
- US: FinCEN's 2020 joint agency statement confirms PEPs are handled under risk-based BSA/AML due diligence — there is no standalone PEP classification requirement, but risk-based CDD and ongoing monitoring obligations apply
Who Is Obligated
PEP screening obligations apply across a wide range of entity types:
- Banks, credit institutions, and neobanks
- Fintech companies and payment service providers
- Crypto firms and virtual asset service providers (VASPs)
- Investment managers and fund administrators
- Real estate professionals, lawyers, and accountants
Each regulatory update has pulled more entity types into scope. Jurisdiction-specific guidance must be consulted to determine precise obligations.
The Cost of Getting It Wrong
Beyond regulatory fines, inadequate PEP screening creates downstream institutional risk. Fitch revised TD Bank's credit rating outlook to "negative" in May 2024, citing AML-related business risks. By August 2024, TD had posted its first quarterly loss in over two decades after setting aside a further US$2.6 billion tied to its US AML probe. Enforcement exposure belongs in capital planning discussions, not just compliance reviews.
How the PEP Screening Process Works
PEP screening is an end-to-end workflow, not a single event. It begins at onboarding, continues through the customer lifecycle, and applies to new customers, existing customers who acquire PEP status mid-relationship, and beneficial owners — not named account holders alone.
Step 1: Data Collection and Identity Verification
The process starts with collecting complete identity data. Under UK MLR Regulation 28, institutions must identify and verify customer identity using reliable and independent sources. Minimum fields for downstream match accuracy include:
- Full legal name, including aliases and previous names
- Date of birth
- Nationality and jurisdiction of residence
- Current address
- Government-issued identification documents
Transliteration differences across languages mean the same individual can appear under multiple name variants in different databases. Alias capture is therefore one of the highest-impact fields in the data collection stage — incomplete or inconsistently formatted input is one of the primary sources of false negatives.
Complete, well-structured identity data is what makes accurate screening possible in the next phase.

Step 2: Database Screening and Match Assessment
Customer data is screened against PEP databases using name-matching algorithms that account for phonetic variants, transliterations, and aliases. This goes beyond simple exact-name lookups. OFAC's own Sanctions List Search uses fuzzy logic for potential name matches. ACAMS defines fuzzy logic as a screening technique used specifically to improve effectiveness when data are flawed or incomplete.
Secondary identifiers (date of birth, nationality, gender) are used to assess potential matches and separate true positives from false positives. Effective PEP databases must cover:
- All three FATF PEP categories (foreign, domestic, international organization)
- Relatives and close associates (RCAs)
- Regular updates to reflect appointments, resignations, and deaths
RCA coverage is where many commercial tools fall short. Corruption risk is frequently routed through associates rather than the PEP directly — a pattern documented extensively in the Petrobras/Operation Car Wash cases, where financial institutions including Credit Suisse faced FINMA enforcement action for AML deficiencies connected to PEP-related relationships.
Once true matches are confirmed, the workflow moves into risk scoring and the determination of appropriate due diligence.
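The matching and adjudication logic of Steps 1 and 2, as an added Python example that is not code from the article or from any screening vendor. It uses Jaro-Winkler as its fuzzy metric (one common choice; the page does not name an algorithm), a diacritic-folded, token-sorted normalisation so that alias and name-order variants compare equal, and secondary identifiers to classify each hit. The list records, customers, nationality codes, the 0.85 threshold and the adjudication rules are all constructed assumptions:

```python
"""Added example (not from the original article or any vendor product): fuzzy
name screening against a small PEP/RCA list, with secondary identifiers used to
adjudicate each name hit. Records, ids and the 0.85 threshold are constructed."""
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Optional

def normalize(name: str) -> str:
    """Fold diacritics and case, drop punctuation, and sort tokens so that
    'Petrov, Nikolai' and 'Nikolai Petrov' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    tokens = "".join(c if c.isalnum() else " " for c in plain).split()
    return " ".join(sorted(tokens))

def jaro(s1: str, s2: str) -> float:
    """Jaro similarity: characters matched within a sliding window, less transpositions."""
    if s1 == s2:
        return 1.0
    n1, n2 = len(s1), len(s2)
    window = max(0, max(n1, n2) // 2 - 1)
    m1, m2, matches = [False] * n1, [False] * n2, 0
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(n2, i + window + 1)):
            if not m2[j] and s2[j] == ch:
                m1[i] = m2[j] = True
                matches += 1
                break
    if not matches:
        return 0.0
    transpositions, k = 0, 0
    for i, ch in enumerate(s1):
        if m1[i]:
            while not m2[k]:
                k += 1
            transpositions += ch != s2[k]
            k += 1
    return (matches / n1 + matches / n2 + (matches - transpositions / 2) / matches) / 3

def jaro_winkler(s1: str, s2: str, p: float = 0.1) -> float:
    """Jaro plus a bonus for a shared prefix (max 4 chars); favours transliteration variants."""
    base, prefix = jaro(s1, s2), 0
    for a, b in zip(s1, s2):
        if a != b or prefix == 4:
            break
        prefix += 1
    return base + prefix * p * (1 - base)

@dataclass
class Party:
    """Either side of a comparison: a customer/beneficial owner or a list record."""
    ref: str
    name: str
    aliases: list[str]
    dob: Optional[date]          # list records are often incomplete here
    nationality: str
    category: str = ""           # list records: foreign / domestic / international_org / rca

# Constructed sample data: fictional people, placeholder nationality codes.
PEP_DB = [
    Party("PEP-001", "Nikolai Petrov", ["Nikolay Petrov"], date(1965, 3, 12), "XX", "foreign"),
    Party("PEP-002", "Anna Petrova", [], date(1962, 7, 1), "XX", "rca"),      # spouse of PEP-001
    Party("PEP-003", "Muhammad al Rashid", ["Mohammad Al-Rashid"], None, "YY", "domestic"),
]
CUSTOMERS = [
    Party("C-100", "Petrov, Nikolai", [], date(1965, 3, 12), "XX"),
    Party("C-101", "Anna Petrova", [], date(1990, 5, 20), "XX"),             # namesake, different DOB
    Party("C-102", "Mohammed Al Rashid", [], date(1970, 1, 1), "YY"),
    Party("C-103", "John Smith", [], date(1980, 8, 8), "ZZ"),
]

def best_name_score(customer: Party, pep: Party) -> float:
    """Compare every captured name variant on both sides; the best pair wins."""
    return max(jaro_winkler(normalize(a), normalize(b))
               for a in [customer.name, *customer.aliases]
               for b in [pep.name, *pep.aliases])

def adjudicate(customer: Party, pep: Party) -> tuple[str, str]:
    """Secondary identifiers turn a name hit into a decision (assumed firm rules).
    A DOB conflict is discarded but still recorded, so the alert trail shows why."""
    if pep.dob is not None and customer.dob is not None and customer.dob != pep.dob:
        return "discarded", "date of birth conflicts with list record"
    if pep.dob is None or customer.nationality != pep.nationality:
        return "review", "secondary identifiers incomplete or inconsistent; analyst must adjudicate"
    return "confirmed", "name and date of birth agree"

def screen(customer: Party, db: list[Party], threshold: float = 0.85) -> list[dict]:
    """Every list record at or above the name threshold, with its adjudication."""
    hits = []
    for pep in db:
        score = best_name_score(customer, pep)
        if score >= threshold:
            status, why = adjudicate(customer, pep)
            hits.append({"pep_id": pep.ref, "category": pep.category,
                         "score": round(score, 3), "status": status, "why": why})
    return hits
```

The namesake case (C-101) is the classic false positive: a perfect name score that the date of birth closes, and the closure is kept with its rationale rather than silently dropped, which is what an examiner will ask to see. C-102 shows what an incomplete list record costs: with no date of birth on the vendor side the hit cannot be resolved automatically and lands with an analyst. The token-sorted normalisation deliberately ignores name order; where order carries meaning you would compare both ordered and unordered forms and keep the higher score.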
Step 3: Risk Scoring, EDD Determination, and Ongoing Monitoring
Confirmed PEP matches are risk-scored based on multiple factors:
- PEP tier — seniority and scope of public function
- Jurisdiction risk — FATF grey/black list status, Transparency International CPI ranking
- Adverse media — legal proceedings, politically sensitive associations, reputational red flags
- Nature of the business relationship — transaction types, volumes, and stated purpose
The due diligence response is tiered:
- Standard CDD — lower-risk domestic PEPs in lower-risk jurisdictions, with documented rationale
- EDD — foreign PEPs and higher-risk domestic PEPs; requires documented source-of-wealth verification, source-of-funds documentation for specific transactions, enhanced ongoing monitoring, and senior management approval before establishing or continuing the relationship
This is not a one-time determination. UK MLR Regulation 35 explicitly requires enhanced ongoing monitoring for PEP relationships: scrutiny of transactions to ensure consistency with the institution's knowledge of the customer and their risk profile.
A customer who was not a PEP at onboarding may acquire that status during the relationship, requiring immediate reassessment.

Best Practices for Your PEP Screening Program
Invest in High-Quality, Continuously Updated Data
Static databases and ad-hoc internet searches introduce transliteration errors, missed aliases, and coverage gaps that regulators treat as control failures — not operational inconveniences. Screening tools should offer:
- Fuzzy name matching and alias detection
- Regular database updates reflecting status changes
- Coverage across all FATF PEP tiers and RCAs
- Adverse media integration as a supplementary layer
Apply a Risk-Based, Tiered Approach
Not all PEPs present the same risk. FATF makes EDD mandatory for foreign PEPs; domestic PEPs may be assessed proportionately based on:
- Role seniority and current position
- Jurisdiction risk rating
- Adverse media findings
Compliance programs should define clear tiers and calibrate due diligence requirements accordingly, concentrating resources where actual risk is greatest rather than applying blanket treatment across all PEP matches.
Run Adverse Media Checks Alongside Database Screening
Formal PEP lists capture status, not conduct. Adverse media screening surfaces legal proceedings, corruption allegations, and politically sensitive associations that structured databases will not reflect. This is especially important for RCA screening — the Petrobras case demonstrated that financial flows through associates can be substantial and sustained before appearing in formal records.
Implement Automated Ongoing Monitoring
PEP status can change at any time. Compliance programs need automated re-screening protocols that trigger reassessment when a customer's status changes — not periodic batch reviews that may miss mid-cycle appointments or resignations. Transaction monitoring should be calibrated to each PEP relationship's known income profile, with alerts configured for behavioral patterns inconsistent with stated purpose.
Develop a Clear Declassification Protocol
The "once a PEP, always a PEP" principle is widely cited but frequently misapplied as a permanent designation. UK MLR Regulation 35 requires firms to continue PEP measures for at least 12 months after a person ceases to hold a prominent public function, and for longer where the firm's risk assessment says the risk persists.
Risk is not static. Organizations should document the basis for any risk rating reduction, drawing on elapsed time since leaving office, evidence of reduced influence, and a clean adverse media record.
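The two preceding subsections, automated ongoing monitoring and declassification, as an added Python example that is not the article's or any vendor's code. List updates are processed as events keyed on the record id stored when the match was confirmed, so a resignation or re-appointment reaches the customer file on its effective date rather than at the next batch run, and the declassification check computes the Regulation 35 floor from the date the person left office. The link records, the event feed and the decision criteria are constructed assumptions; the adverse-media flag stands in for whatever your adverse media layer reports:

```python
"""Added example (not from the original article): event-driven PEP re-screening
keyed on the confirmed list record id, plus a declassification check that applies
the 12-month floor from UK MLR 2017 reg. 35. Links, ids and events are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PepLink:
    """Stored when a hit is confirmed: later status changes are keyed on the
    vendor's stable record id, not on a name that may be spelled differently."""
    customer_id: str
    pep_id: str
    status: str                          # "active" or "former"
    left_office: Optional[date] = None
    adverse_media_open: bool = False

@dataclass
class StatusEvent:
    pep_id: str
    kind: str                            # "appointed", "resigned" or "deceased"
    effective: date
    name: str

def earliest_declassification(left_office: date) -> date:
    """MLR 2017 reg. 35: PEP measures continue for at least 12 months after leaving office."""
    try:
        return left_office.replace(year=left_office.year + 1)
    except ValueError:                   # 29 February has no anniversary
        return left_office.replace(year=left_office.year + 1, day=28)

def process_events(links: list[PepLink], events: list[StatusEvent]) -> list[tuple]:
    """Turn list updates into (customer_id, action, reason) triggers the day they
    land, instead of waiting for the next periodic batch review. Mutates links."""
    by_pep = {link.pep_id: link for link in links}
    triggers = []
    for ev in sorted(events, key=lambda e: e.effective):
        link = by_pep.get(ev.pep_id)
        if ev.kind == "appointed" and link is None:
            # Newly listed person with no confirmed link: rescreen the customer
            # base by name (the fuzzy matcher is outside this block).
            triggers.append((None, "rescreen_customer_base", f"{ev.pep_id} ({ev.name}) listed {ev.effective}"))
        elif ev.kind == "appointed":
            link.status, link.left_office = "active", None
            triggers.append((link.customer_id, "reassess_edd", f"{ev.pep_id} re-appointed {ev.effective}"))
        elif ev.kind == "resigned" and link is not None:
            link.status, link.left_office = "former", ev.effective
            floor = earliest_declassification(ev.effective)
            triggers.append((link.customer_id, "start_cooling_off", f"EDD continues until at least {floor}"))
        elif ev.kind == "deceased" and link is not None:
            triggers.append((link.customer_id, "review_relationship", f"{ev.pep_id} deceased {ev.effective}"))
    return triggers

def declassification_decision(link: PepLink, today: date) -> tuple[bool, str]:
    """Risk-based declassification with a recorded rationale. The criteria are an
    assumed firm policy, not a regulatory checklist."""
    if link.status != "former" or link.left_office is None:
        return False, "still entrusted with a prominent public function"
    floor = earliest_declassification(link.left_office)
    if today < floor:
        return False, f"inside the 12-month minimum; earliest review {floor}"
    if link.adverse_media_open:
        return False, "open adverse media finding; retain enhanced measures"
    return True, f"{(today - link.left_office).days} days since leaving office, no open findings"

def demo() -> dict:
    """Constructed scenario: one active link, one former PEP with an open adverse
    media finding, and two list updates arriving out of order."""
    links = [PepLink("C-100", "PEP-001", "active"),
             PepLink("C-200", "PEP-007", "former", date(2024, 2, 29), adverse_media_open=True)]
    events = [StatusEvent("PEP-001", "resigned", date(2024, 6, 30), "Nikolai Petrov"),
              StatusEvent("PEP-009", "appointed", date(2024, 5, 1), "Elena Varga")]
    triggers = process_events(links, events)
    return {
        "actions": [(t[0], t[1]) for t in triggers],
        "c100_status": links[0].status,
        "leap_day_floor": earliest_declassification(date(2024, 2, 29)).isoformat(),
        "c100_too_early": declassification_decision(links[0], date(2025, 1, 1))[0],
        "c100_at_floor": declassification_decision(links[0], date(2025, 6, 30))[0],
        "c200_blocked": declassification_decision(links[1], date(2025, 3, 1))[0],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth noting. A newly listed person with no existing link cannot be resolved by id and forces a name rescreen of the whole book, which is why alias capture at onboarding matters as much for ongoing monitoring as for the initial check. And the exposure a batch process creates is the appointment that lands between runs: in the scenario above the new listing on 1 May would sit unscreened until the next cycle, while the event-driven path raises it the same day.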
For fintech companies and startups building these programs from the ground up, the design decisions made early — database selection, risk-scoring methodology, escalation workflows, declassification criteria — are precisely what regulators examine first. Experienced compliance leadership, whether in-house or through a fractional CCO or BSA Officer, closes the program design gaps that draw enforcement attention.
Common Issues and Misconceptions in PEP Screening
Treating Screening as a One-Time Check
The most common operational failure: a PEP check is completed at KYC onboarding and the obligation is considered fulfilled. It isn't. Regulatory frameworks in the UK, EU, and under FATF guidance explicitly require ongoing monitoring — and status changes mid-relationship represent a material exposure point that point-in-time screening cannot address.
Assuming PEP Status Means Automatic Rejection
FATF guidance does not require blanket de-risking of PEPs. Institutions that refuse PEP relationships without a documented risk rationale face their own regulatory exposure.
The FCA's review of domestic PEP treatment, launched in 2023 partly in response to the Nigel Farage/Coutts debanking controversy and published in July 2024, found that while most firms did not subject UK PEPs to excessive checks, some were applying disproportionate treatment to UK PEPs and their family members without adequate justification. What's required is documented risk scrutiny and proportionate enhanced due diligence, not a blanket exit policy.
Relying on Incomplete Database Coverage
Many compliance programs screen only against high-tier PEPs — heads of state, cabinet ministers — and miss officials at lower tiers. FATF's own definition excludes middle-ranking or junior officials, but national frameworks and risk-based analysis often extend obligations further.
The coverage gap has real consequences. In the Odebrecht/Braskem case, the DOJ secured at least $3.5 billion in global penalties for bribery spanning government officials and political parties across multiple jurisdictions — a network that cut across different tiers of public office. Database coverage gaps to watch for include:
- State and provincial officials missed by databases focused on federal-level positions
- Legislative and judicial officials excluded from executive-branch-only lists
- Regulatory agency heads and SOE leadership not classified as PEPs in some vendor datasets
- Former officials within the cooling-off window (at least 12 months under UK MLR and the EU directives; FATF sets no fixed period and expects a risk-based judgement)

Frequently Asked Questions
What is PEP screening?
PEP screening is the process of identifying whether a customer or beneficial owner holds or has held a prominent public function, and applying enhanced due diligence accordingly. It is required under global AML frameworks including FATF Recommendations 12 and 22 and their national implementations.
When should PEP screening take place?
PEP screening must occur at customer onboarding and continue throughout the entire relationship. Institutions must also re-screen existing customers who may acquire PEP status after being onboarded — ongoing monitoring is a core regulatory requirement.
How long does a person remain a PEP?
Individuals generally retain PEP status for a period after leaving public office. Under UK MLR Regulation 35, firms must apply PEP measures for at least 12 months after a person ceases to hold a prominent public function — and many institutions extend that window based on the individual's prior role and influence.
Are PEPs considered high risk?
PEPs are inherently considered higher risk under global AML frameworks due to their access to political power and state resources. Foreign PEPs require mandatory EDD under FATF standards; domestic PEPs may be assessed proportionately based on role seniority, jurisdiction, and adverse media.
What is the difference between PEP screening and sanctions screening?
Sanctions screening identifies individuals or entities legally prohibited from doing business — and blocks those transactions outright. PEP screening identifies elevated-risk individuals who may legally transact but require documented enhanced due diligence. A person can be a PEP without being sanctioned, and vice versa.
What is enhanced due diligence (EDD) for PEPs?
EDD for PEPs requires documented verification across several areas, as set out in FATF Recommendation 12 and UK MLR Regulation 35:
- Source-of-wealth verification
- Source-of-funds documentation for specific transactions
- Enhanced ongoing monitoring of the relationship
- Senior management approval before establishing or continuing a high-risk PEP relationship


