What is a PEP and why do they matter?
Quick answer
A politically exposed person (PEP) is someone who holds or has held a prominent public function, such as a head of state, senior politician, or military official. Their position creates elevated exposure to bribery and corruption, so banks must apply enhanced due diligence. FATF Recommendation 12 sets the global standard.
The full answer
A politically exposed person (PEP) is an individual who holds or has held a prominent public function. The FATF Glossary, which underpins most national AML frameworks, identifies four categories:
- Foreign PEPs: heads of state, senior politicians, military commanders, senior judiciary, senior executives of state-owned enterprises, and senior political party officials from outside the institution's home country.
- Domestic PEPs: the same roles within the home jurisdiction. The EU 5AMLD originally applied stricter rules to foreign PEPs, but the FCA's FG17/6 guidance confirmed that UK firms must treat domestic and foreign PEPs equivalently.
- International organization PEPs: directors and senior management of bodies such as the IMF, World Bank, BIS, and UN.
- Relatives and close associates (RCAs): immediate family members (spouse, children, parents, siblings), known business partners, and individuals widely known to be close associates of any PEP.
RCAs are where most compliance programs break down. A finance minister's adult son who runs a private equity firm is an RCA. The minister's personal attorney who controls a holding company on her behalf is an RCA. Screening only the named official and missing the network around them is a recurring finding in regulatory examinations.
PEP status is time-limited, but not by a fixed rule. FATF Recommendation 12 requires enhanced measures for "at least 12 months" after someone leaves public office. Risk-based assessments should extend beyond that minimum for high-corruption jurisdictions or individuals who held particularly powerful positions. Most institutions set internal de-listing policies between 12 and 60 months, with mandatory senior sign-off to remove someone from PEP status.
FinCEN's Customer Due Diligence rule at 31 CFR 1010.230 uses the term "senior foreign political figures" rather than PEP, but the requirements are substantively identical: identify them, assess their risk, and apply scrutiny proportional to that risk.
Why this matters
PEPs are the most consistently scrutinized customer category in AML examinations. When regulators from the FCA, FinCEN, or the ECB review a bank's KYC program, PEP handling is standard scope. Three failure patterns repeat across enforcement actions.
Incomplete identification. Screening tools that run only at onboarding miss PEPs who acquire status after account opening. A customer who becomes a minister three years into the relationship needs to be caught by continuous screening, not the initial check. Perpetual KYC approaches address this by monitoring signals continuously rather than relying on periodic refresh cycles.
Shallow source-of-wealth documentation. Asking a customer to self-certify their wealth origin isn't enhanced due diligence. EDD means independently verifiable documentation: corporate registry filings, land registry searches, media reporting, and cross-referencing against known public salary data. A senator earning $174,000 a year in declared income doesn't explain an eight-figure real estate portfolio without a documented source.
Inadequate ongoing monitoring. Once an account is approved, many institutions reduce scrutiny to standard CDD cycles. PEPs warrant more frequent risk rating reviews than ordinary customers, particularly when a customer's political position changes, an election produces a government transition, or a public inquiry is announced.
The 1999 US Senate Subcommittee report on Citibank's private banking arm showed what inadequate PEP controls look like: approximately $90-100 million moved for Raul Salinas de Gortari through shell companies, with no meaningful verification of source of wealth. Goldman Sachs's 2020 resolution related to 1MDB, which totaled $2.9 billion across global authorities, is a more recent illustration: senior Malaysian government officials used their positions to direct sovereign fund money through a network of intermediaries that multiple banks failed to scrutinize adequately.
AI-driven transaction monitoring has improved PEP detection accuracy. Behavior-based models can flag transactions inconsistent with a public official's expected income profile, and continuous name matching reduces the window between status acquisition and identification. But no model replaces the analyst's judgment on source-of-wealth plausibility.
PEPs often intersect with beneficial ownership questions. A PEP who controls a company through a layered holding structure is both a UBO disclosure issue and a PEP EDD issue. The two analyses need to be connected; siloing them in separate teams produces gaps.
Foreign PEPs from high-risk jurisdictions compound with FATF Grey List country risk. A PEP from a country under increased monitoring carries a combined risk profile that many institutions address with automatic senior approval requirements, regardless of the individual's assessed score.
Whether PEP account activity crosses into territory requiring a suspicious activity report has no bright-line answer. EDD identifies the elevated risk. Transaction monitoring flags the anomaly. The analyst decides if the combination is reportable. Most PEP accounts never generate a SAR. The ones that do involve transaction patterns inconsistent with declared wealth or sudden large transfers to high-risk jurisdictions.