What is a PEP and why do they matter?
Quick answer
A Politically Exposed Person (PEP) is someone who holds, or recently held, a prominent public function: heads of state, senior politicians, government ministers, or executive officers of state-owned enterprises. Their position creates elevated corruption risk. FATF Recommendation 12 requires banks to apply enhanced due diligence to every PEP relationship.
The full answer
A Politically Exposed Person (PEP) is an individual who holds, or has held within the past 12 to 24 months, a prominent public function. The category covers heads of state, senior politicians and government ministers, senior judicial and military officials, and executive officers of state-owned enterprises. Immediate family members and known close associates fall into the same risk tier.
FATF Recommendation 12 splits PEPs into three types:
- Foreign PEPs: Individuals holding prominent public functions in another country. Mandatory high-risk; EDD is always required.
- Domestic PEPs: Individuals holding prominent functions in the bank's home jurisdiction. EDD applies when the institution's risk assessment determines the relationship is higher risk.
- International organization PEPs: Senior management of bodies like the IMF, World Bank, or UN. Same risk-based approach as domestic PEPs.
The cooling-off period matters. FATF guidance expects institutions to apply EDD for at least 12 months after a person leaves a prominent function. Most supervisors push for longer in practice. Former senior officials often retain influence, network access, and wealth whose source has never been adequately explained.
Under the EU 5th Anti-Money Laundering Directive (AMLD5), the obligations are specific: senior management approval before onboarding or continuing a PEP relationship, source of wealth and source of funds established, and enhanced ongoing monitoring applied throughout. The US Bank Secrecy Act is more principles-based, but FinCEN's 2004 advisory on PEP accounts and subsequent examination guidance make PEP identification a standard CDD review element. OCC and Federal Reserve examiners regularly test PEP screening coverage and EDD quality.
Why this matters
The 1MDB case is the clearest illustration. Najib Razak, Malaysia's Prime Minister from 2009 to 2018, was convicted in 2020 of misappropriating funds from a state investment vehicle. Those funds moved through Goldman Sachs accounts and others. The US Department of Justice settlement with Goldman exceeded $2.9 billion. Goldman's failure was partly a failure of PEP controls on accounts connected to a sitting head of government.
Gulnara Karimova, daughter of Uzbekistan's President Islam Karimov, extracted over $800 million in bribes from European telecom operators in exchange for market access. That money moved through Swiss, Latvian, and other accounts before investigators froze it. Multiple institutions faced regulatory action for failing to apply adequate controls to a direct family member of a foreign PEP.
Both cases follow the same pattern: screening missed the family member or associate, or EDD was conducted at onboarding and then dropped. The FATF Guidance on PEPs (2013) specifically warned against both failure modes.
The operational implication is that PEP status can't be a checkbox at onboarding. A customer who was a regional official when they first opened an account may become a cabinet minister two years later. Someone currently classified as a PEP may leave office and push to have their risk rating reduced. Customer risk ratings must reflect these changes in real time rather than waiting for the annual review cycle. This connects directly to how often customer risk ratings should be refreshed and why perpetual KYC approaches are gaining ground: event-driven triggers (election results, government appointments, adverse media) automatically flag affected customers for review.
Understanding the difference between CDD and EDD is central here. Standard Customer Due Diligence covers identity verification and basic risk assessment. EDD for PEPs goes further: source of wealth, source of funds, the purpose and nature of the relationship, and senior management sign-off. It's an ongoing posture, not a one-time exercise.
When PEP-linked activity crosses into suspicious territory, a Suspicious Activity Report (SAR) is required. The Money Laundering Reporting Officer (MLRO) or compliance officer filing the SAR faces the same 30-day filing deadline that applies to any high-risk customer.
PEP deficiencies are a frequent finding in regulatory exams. Examiners pull PEP samples, test whether EDD was applied and maintained, and check for continuous monitoring since onboarding. Banks with serious PEP-related gaps have faced formal monitorships. The FCA's FG17/6 guidance found that firms commonly failed in one of two directions: over-restricting domestic PEPs without individual risk assessment, or missing PEP exposure entirely through beneficial ownership structures.
Beneficial owner identification is where PEP screening most often breaks down in practice. A corporate structure can obscure that the ultimate beneficial owner is a foreign PEP. Standard name-screening against the account holder misses the actual risk.
AI-driven transaction monitoring is being applied to PEP oversight at two points: screening at onboarding and during the relationship, and behavioral monitoring to detect activity inconsistent with the customer's stated wealth level and relationship purpose. The false-positive rate on PEP alerts tends to be lower than on general AML screening because the base risk is higher, but volume and complexity still create real operational burden. This adds latency to the review queue, but the accuracy gain in targeted PEP monitoring is worth it.
Related questions
- What is the difference between CDD and EDD?
- How often should customer risk ratings be refreshed?
- What is perpetual KYC?
- What triggers a regulatory exam?
- What happens when a bank fails an AML exam?
Related concepts and regulations
- What is a beneficial owner?
- How does sanctions screening work?
- How does FinCEN define suspicious activity?
- What is the FATF Grey List?