PEP Screening: What It Is, What Regulators Expect, and What Gets You Cited
PEP Screening is the process of checking customers and their beneficial owners against databases of politically exposed persons to assess heightened money laundering and corruption risk. It's required under FATF Recommendation 12, the EU's Fourth and Fifth Anti-Money Laundering Directives, and equivalent national laws across all FATF member jurisdictions.
What is PEP Screening?
PEP Screening is a Know Your Customer (KYC) control that checks customers and their beneficial owners against databases of politically exposed persons to identify individuals whose public positions, family relationships, or business associations create an elevated risk of bribery, corruption, or money laundering.
A politically exposed person is someone who holds, or has recently held, a prominent public function. That includes heads of state, senior government ministers, senior judicial and military officials, executives of state-owned enterprises, and senior officials of major political parties. The definition extends to immediate family members and known close associates. How long PEP status persists after leaving office varies: some jurisdictions apply a fixed period (the UK's Money Laundering Regulations use 12 months), while FATF's 2013 guidance says the decision should be risk-based rather than tied to a prescribed time limit. Most jurisdictions classify PEPs as foreign, domestic, or international organisation PEPs, with different default risk weightings for each category.
The screening process checks customer names, plus the names of beneficial owners, directors, and authorized signatories, against PEP databases at onboarding and on a continuing basis thereafter. A match triggers a review, not an automatic rejection. The institution must confirm whether the match is genuine, assess the degree of risk, and decide whether to apply Enhanced Due Diligence (EDD).
PEP Screening sits within the broader Customer Due Diligence framework. It differs from Sanctions Screening in a critical way: PEP status creates a heightened risk flag, not a legal prohibition. In practice, both controls often run on the same name at onboarding. A confirmed PEP requires additional scrutiny: source of funds verification, source of wealth documentation, and senior management approval before onboarding or continuing the relationship.
Why is PEP Screening required?
The primary mandate is FATF Recommendation 12, which requires financial institutions to apply Enhanced Due Diligence to all foreign PEPs and risk-based EDD to domestic PEPs and international organisation PEPs. Recommendation 12 also covers immediate family members and known close associates. FATF's mutual evaluation process scores jurisdictions on whether their financial sectors implement this in practice. Deficient countries face grey-listing, which triggers correspondent banking pullback, higher transaction costs, and restricted market access.
In the European Union, the Fourth Anti-Money Laundering Directive (4AMLD, applicable from June 2017) transposed Recommendation 12 into binding law and extended PEP obligations to domestic PEPs. 5AMLD, applicable from January 2020, brought virtual currency exchange and custodian wallet providers into scope and required Member States to publish lists of the functions that qualify as prominent public functions. National supervisors such as Germany's BaFin and Luxembourg's CSSF, and the UK's FCA under the Money Laundering Regulations that mirror the directives, publish supervisory expectations that go well beyond the minimum directive text.
In the United States there is no standalone PEP rule. Section 312 of the USA PATRIOT Act (31 CFR 1010.620) requires enhanced scrutiny of private banking accounts held for senior foreign political figures, their immediate family members and close associates, and FinCEN's Customer Due Diligence Rule (31 CFR 1010.230, with conforming changes to the program rules for banks in Part 1020 and for other sectors) requires risk-based procedures and beneficial ownership identification. FinCEN's 2008 guidance FIN-2008-G005 addresses suspicious activity reporting on the proceeds of foreign corruption, and an August 2020 joint statement by FinCEN and the federal banking agencies confirmed that PEP status is a risk factor handled under the risk-based approach rather than a trigger for prescribed EDD steps. Examiners nonetheless treat PEP screening capability as a baseline expectation for institutions with cross-border activity.
The Wolfsberg Group's AML Principles for Correspondent Banking make PEP screening status an explicit line item in correspondent bank due diligence questionnaires. Any institution that can't demonstrate the capability will struggle to maintain those relationships.
The Danske Bank Estonia case, made public in 2018, is the clearest modern illustration of what happens when PEP and high-risk customer controls break down at scale: roughly €200 billion of non-resident flows through a single branch, much of it suspicious, with systemic failures in the Customer Due Diligence process of which PEP Screening is a central part.
What do regulators expect to see?
Examiners assess PEP Screening at three levels: policy, process, and evidence.
At the policy level, they want a written PEP definition that aligns with local regulation, clear rules for who qualifies as a family member or close associate, a stated risk differentiation between foreign and domestic PEPs, and documented approval requirements for onboarding or continuing PEP relationships. Policies must be reviewed and approved at minimum annually, with version history retained.
At the process level, examiners check that screening runs at onboarding, at periodic refresh (at minimum annually for standard risk, more frequently for higher-risk PEPs), and in response to trigger events such as a customer taking a new public position. They check whether screening covers beneficial owners and authorized signatories, not only the named account holder.
The evidence checklist on exam day includes:
- Screening logs: timestamps, data sources used, match outcomes, and documented false-positive dispositions
- Alert disposition records: written rationale for clearing or escalating every alert, including the analyst name and date of decision
- EDD files: for confirmed PEPs, a complete file with source of funds documentation, source of wealth narrative, relationship risk assessment, and dated senior management approval
- Calibration records: documentation showing how matching thresholds are set, how often they're reviewed, and the results of periodic testing against known PEP names
- MI and governance reporting: regular management information covering screening volumes, alert backlog, false-positive rates, and the count of active PEP relationships by risk tier, presented to the compliance committee or board on a defined schedule
Under FATF Recommendation 11, institutions must retain customer due diligence records, PEP screening records included, for at least five years after the transaction or the end of the business relationship, and must be able to produce them promptly on request. Examiners have cited institutions for records that existed but could not be produced promptly; for exam purposes, a record you cannot retrieve is a record you do not have.
What does good PEP Screening look like?
Good PEP Screening is continuous, calibrated, and documented. The FATF's 2013 Guidance on Politically Exposed Persons and the Wolfsberg Group's AML Principles consistently describe a set of better-practice indicators. Where the process can be expressed as steps, it looks like this:
Use multiple PEP data sources. A single vendor database isn't comprehensive. FATF guidance notes that PEPs often appear in government gazettes, local news archives, and regulatory registers well before they're captured in commercial databases. Cross-referencing two or more sources reduces coverage gaps.
Screen beneficial owners, not only account holders. Sophisticated placement often runs through corporate structures where the PEP is the beneficial owner, not the named director or signatory. Screening must extend to all beneficial owners above the applicable threshold, typically 10-25% depending on jurisdiction.
Set and document matching thresholds explicitly. Exact-name matching misses transliterations, aliases, and name changes after marriage or divorce. Fuzzy matching with a defined similarity threshold, typically 80-90%, catches more genuine matches. The threshold must be recorded, tested periodically, and adjusted based on results, with the rationale documented.
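The two practices above, screening beneficial owners through corporate layers and fuzzy matching against a documented threshold, as a working example added here (not code from the original page or from FluxForce). The ownership graph, the PEP list, every name and both thresholds are constructed for illustration; a real deployment would replace the in-memory PEP_LIST with vendor and public-register feeds and would tune the 0.85 similarity threshold against known-PEP test sets, as the text says.

```python
"""Added example, not code from the original page or from FluxForce.

Walks a layered corporate structure to find the natural persons who are
beneficial owners above a jurisdiction's threshold, then fuzzy-matches each
name against a PEP list with an explicit, documented similarity threshold.
The ownership graph, the PEP list, and the thresholds are all constructed."""
import unicodedata
from difflib import SequenceMatcher

# Constructed ownership graph: entity -> [(owner, fraction of that entity held)].
# Names not present as keys are treated as natural persons.
OWNERSHIP = {
    "Acme Trading Ltd": [("Acme Holdings SA", 0.60), ("J. Doe", 0.40)],
    "Acme Holdings SA": [("Northwind Trust", 0.30), ("Maria Gonzalez-Perez", 0.70)],
    "Northwind Trust": [("Ivan Petrov", 1.00)],
}

# Constructed PEP list: canonical name -> (prominent function, known aliases).
PEP_LIST = {
    "Maria Gonzales Perez": ("Deputy Minister of Finance", ["M. Gonzalez Perez"]),
    "Ivan Petrov": ("Director, State Energy Co.", ["Ivan Petroff"]),
}


def beneficial_owners(entity, threshold=0.25):
    """Effective share of each natural person, aggregated across every ownership
    path (60% of a 70% holder is 42%), keeping those at or above threshold.
    The threshold is the jurisdiction's BO cut-off (25% in the EU, lower elsewhere)."""
    shares = {}

    def walk(node, share, seen):
        for owner, fraction in OWNERSHIP.get(node, []):
            if owner in seen:          # circular ownership: do not loop forever
                continue
            effective = share * fraction
            if owner in OWNERSHIP:     # another corporate layer: keep descending
                walk(owner, effective, seen | {owner})
            else:                      # natural person: record effective share
                shares[owner] = shares.get(owner, 0.0) + effective

    walk(entity, 1.0, {entity})
    return {p: round(s, 4) for p, s in shares.items() if s >= threshold - 1e-9}


def normalize(name):
    """Strip accents, case, punctuation and token order so that
    'Maria Gonzalez-Perez' and 'Perez, María Gonzalez' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in ascii_only.lower()).split()
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Similarity in [0, 1] between two normalised names (difflib ratio)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen_name(name, threshold=0.85):
    """Alerts for one name: [(pep_name, function, score)] at or above the
    documented threshold, best score first. An alert means 'review', not 'reject'."""
    hits = []
    for pep, (function, aliases) in PEP_LIST.items():
        score = max(similarity(name, candidate) for candidate in [pep, *aliases])
        if score >= threshold:
            hits.append((pep, function, round(score, 3)))
    return sorted(hits, key=lambda hit: -hit[2])


def screen_entity(entity, bo_threshold=0.25, match_threshold=0.85):
    """Screen every beneficial owner of a corporate customer, not just the entity."""
    return {person: screen_name(person, match_threshold)
            for person in beneficial_owners(entity, bo_threshold)}


if __name__ == "__main__":
    # Exact matching misses the spelling variant; the 0.85 threshold catches it.
    print(screen_name("Maria Gonzalez-Perez", threshold=1.0))   # []
    print(screen_entity("Acme Trading Ltd"))                     # Maria alerted, Ivan below 25%
    print(screen_entity("Acme Trading Ltd", bo_threshold=0.10))  # Ivan (18%) now screened and alerted
```

Two things the run makes visible: the minister's name differs from the customer record by one letter, so an exact-match control would never raise an alert on her, and the state-enterprise director sits at an 18% effective holding, so whether he is screened at all depends entirely on which beneficial-ownership threshold the policy records.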
Run re-screening at trigger events. Customers don't remain PEPs forever, and they can become PEPs after onboarding. Re-screening must run at defined intervals and whenever a trigger event occurs: appointment to office, adverse media coverage, or a known association with a newly designated individual.
Require complete EDD files, not EDD intent. Many institutions log that a customer is a PEP and mark EDD as required. The failure is that no completed EDD file exists. Good practice means a file with source of funds documentation, a source of wealth narrative, and dated senior management approval, reviewed on a schedule proportionate to risk.
Maintain a PEP register with current risk ratings. A central register of confirmed PEP relationships, with current risk tiers and upcoming review dates, is standard practice in well-run institutions and a natural source of MI reporting.
The FCA's Financial Crime Guide makes clear that automated screening alone is insufficient without adequate human review of alerts. The guide specifically flags firms that screen but fail to document the rationale for alert dispositions.
Common audit findings and exam citations
Most exam citations in this area fall into five categories.
Incomplete customer scope. Institutions screen the named account holder but miss beneficial owners, authorized signatories, and directors. The FSA's 2012 action against Habib Bank AG Zurich (a £525,000 fine, imposed by the FCA's predecessor) cited inadequate due diligence on higher-risk customers, PEPs among them. When a PEP routes funds through a corporate structure and the bank screens only the named entity, the control fails exactly when it matters most.
Stale screening. Onboarding checks without periodic re-screening create a false sense of coverage. The Danske Bank Estonia case documented customers who were never re-screened despite holding accounts for years. Some became PEPs after onboarding without triggering any review.
Alert backlogs. A high false-positive rate creates volume. When queues build and teams can't clear them within SLA, genuine PEP matches sit undisposed. The 2012 HSBC case (the OCC's 2010 cease-and-desist order and the Senate Permanent Subcommittee on Investigations report) described a backlog of roughly 17,000 unreviewed alerts, a direct consequence of miscalibrated thresholds combined with inadequate staffing.
Absent EDD documentation. Regulators consistently find that institutions know a customer is a PEP but can't produce a complete EDD file. Source of funds documentation is missing, source of wealth is unverified, or senior management approval was given verbally and never recorded. Under FATF Recommendation 11, records must be retained for five years and must be retrievable promptly on request.
Governance gaps. Management information on PEP screening performance is either absent or fails to reach the board. Examiners want MI packs showing screening volumes, match rates, false-positive rates, and active PEP relationship counts, presented at regular compliance committee meetings with documented action points.
The Standard Chartered 2019 enforcement action highlighted a recurring pattern: controls that look adequate on paper but lack the governance infrastructure to ensure they run as designed in practice. A written policy with no evidence of operation is not a control.
Metrics and KPIs
Measuring PEP Screening control health requires a set of operational and risk indicators. These are the metrics compliance teams and internal audit should track, and that examiners expect to see in regular MI reporting.
Alert volume and throughput rate. Total PEP alerts generated per month, segmented by screening type: onboarding, periodic refresh, and trigger event. Throughput rate measures the percentage disposed within the defined SLA, typically three to five business days for standard matches and one to two days for high-risk PEP alerts.
False-positive rate. The percentage of alerts confirmed as non-matches after review. Industry benchmarks vary, but false-positive rates consistently above 95% indicate miscalibrated thresholds. Reducing false positives without increasing false negatives requires documented threshold reviews at minimum quarterly.
Coverage rate. The percentage of the customer population screened against the current PEP database version, including beneficial owners. Any coverage gap is a direct regulatory exposure.
Re-screening completion rate. For periodic re-screening cycles, the percentage completed on schedule. Slippage here often signals resource constraints before it signals a process failure, and it should prompt a staffing or tooling review, not just a catch-up sprint.
Active PEP relationship count and risk tier distribution. A current count of confirmed PEP relationships segmented by risk tier (low, medium, high), tracked over time. Sudden changes in count may indicate a data quality issue or a shift in the customer population.
EDD file completion rate. For confirmed PEP matches, the percentage with complete EDD files: source of funds verification, source of wealth documentation, and documented senior management approval. Institutions that track alert disposition but not EDD completion regularly discover EDD files that exist in name only.
Average age of open alerts. Simple but revealing. An increasing average age signals backlog build before it shows up in overall volumes. Any alert open beyond ten business days without documented justification is an automatic flag for internal audit.
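The metrics above computed from an alert log, as an example added here (not code from the original page or from FluxForce). The record layout, the per-type SLAs, the ten-business-day stale threshold and the six alerts themselves are all assumptions constructed for illustration; the point is that every figure in an MI pack should be reproducible from the disposition records, including the ones the text says examiners ask for (analyst name and written rationale on every closed alert).

```python
"""Added example, not code from the original page or from FluxForce.

Computes PEP screening MI from an alert log. The record layout, the SLAs and
the ten-business-day stale threshold are assumptions; the alerts are constructed."""
from datetime import date, timedelta

# Assumed SLAs in business days per screening type.
SLA_DAYS = {"onboarding": 5, "periodic": 5, "trigger": 2}

# Constructed alert log. disposition is None while the alert is still open.
ALERTS = [
    {"id": "A1", "type": "onboarding", "opened": date(2024, 3, 1), "closed": date(2024, 3, 5),
     "disposition": "false_positive", "analyst": "rk", "rationale": "Date of birth differs by 20 years"},
    {"id": "A2", "type": "trigger", "opened": date(2024, 3, 4), "closed": date(2024, 3, 7),
     "disposition": "true_match", "analyst": "lm", "rationale": "Appointment confirmed in gazette; EDD opened"},
    {"id": "A3", "type": "periodic", "opened": date(2024, 3, 6), "closed": date(2024, 3, 8),
     "disposition": "false_positive", "analyst": "rk", "rationale": ""},
    {"id": "A4", "type": "onboarding", "opened": date(2024, 3, 11), "closed": None,
     "disposition": None, "analyst": None, "rationale": None},
    {"id": "A5", "type": "periodic", "opened": date(2024, 3, 25), "closed": None,
     "disposition": None, "analyst": None, "rationale": None},
    {"id": "A6", "type": "onboarding", "opened": date(2024, 3, 15), "closed": date(2024, 3, 15),
     "disposition": "false_positive", "analyst": "lm", "rationale": "Nationality and DOB both differ"},
]
AS_OF = date(2024, 3, 29)   # reporting date for the example run (a Friday)


def business_days(start, end):
    """Mon-Fri days after start up to and including end (same day = 0)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def screening_mi(alerts, as_of, sla=SLA_DAYS, stale_after=10):
    """One MI pack: volumes, throughput within SLA, false-positive rate,
    open-alert ageing, and closed alerts with no recorded analyst or rationale."""
    closed = [a for a in alerts if a["disposition"] is not None]
    open_alerts = [a for a in alerts if a["disposition"] is None]
    ages = {a["id"]: business_days(a["opened"], as_of) for a in open_alerts}

    volume = {}
    for a in alerts:
        volume[a["type"]] = volume.get(a["type"], 0) + 1
    within_sla = [a for a in closed
                  if business_days(a["opened"], a["closed"]) <= sla[a["type"]]]
    false_positives = [a for a in closed if a["disposition"] == "false_positive"]
    undocumented = [a["id"] for a in closed if not a["analyst"] or not a["rationale"]]

    return {
        "volume_by_type": volume,
        "throughput_within_sla": round(len(within_sla) / len(closed), 3) if closed else None,
        "false_positive_rate": round(len(false_positives) / len(closed), 3) if closed else None,
        "open_alerts": len(open_alerts),
        "avg_open_age_bdays": round(sum(ages.values()) / len(ages), 1) if ages else 0.0,
        "stale_open_alerts": sorted(i for i, age in ages.items() if age > stale_after),
        "undocumented_dispositions": undocumented,
    }


def example_mi():
    """The MI pack for the constructed log as at AS_OF."""
    return screening_mi(ALERTS, AS_OF)


if __name__ == "__main__":
    for key, value in example_mi().items():
        print(f"{key}: {value}")
```

On this log the trigger-event alert A2 breached its two-day SLA even though it was the one genuine match, A3 was cleared with no written rationale and so would fail the disposition-record check, and A4 has been open 14 business days, which is the "automatic flag for internal audit" case from the last metric.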
How PEP Screening connects to other controls
PEP Screening is one node in a broader KYC and risk management network. It rarely operates in isolation.
The most direct connection is with Enhanced Due Diligence (EDD). PEP status is one of the primary triggers for EDD. The process flow is: CDD identifies the customer and their beneficial owners, PEP Screening checks those identities against PEP databases, and a confirmed match escalates to EDD. Weak beneficial ownership identification in the CDD process will defeat PEP Screening downstream.
Adverse Media Screening complements PEP Screening directly. PEP databases contain structured data: names, positions, appointment dates. Adverse media catches the unstructured signal: news articles, court filings, regulatory notices, and investigative journalism that may predate a formal PEP designation or reveal associated concerns that structured lists don't capture.
Transaction Monitoring provides the ongoing behavioral layer. A confirmed PEP whose transaction patterns don't match their stated source of wealth or business profile should generate SAR (Suspicious Activity Report) consideration. PEP Screening identifies the risk category; Transaction Monitoring watches what that customer actually does over time.
Sanctions Screening often runs on the same name at the same time, particularly for foreign PEPs from higher-risk jurisdictions. The controls are legally distinct but operationally linked.
From a typology perspective, PEP Screening is the primary control against corruption-related money laundering. This activity typically involves Layering through multiple accounts, jurisdictions, and corporate structures before funds reach the legitimate economy. Catching the PEP at onboarding prevents the placement stage from ever beginning.
How FluxForce supports PEP Screening
FluxForce's AI agents run continuous PEP and adverse media screening across the full customer portfolio, including beneficial owners and authorized signatories. Nova Sentinel monitors for trigger events that require immediate re-screening: new public appointments, adverse news alerts, and changes in ownership structure. The platform captures evidence for every alert disposition and produces audit-ready documentation automatically. Compliance teams get real-time dashboards covering screening coverage, alert throughput, and EDD file completion rates. Senior management reporting is generated on a configurable schedule. To see it in action, request a demo.
How FluxForce strengthens PEP Screening
FluxForce AI agents operate PEP Screening in real time, capture audit-ready evidence automatically, and surface the gaps examiners cite before they become findings.