Most PEP screening setups flag the wrong people

Zenoo's Editorial Team, 8 min read

A wealth manager onboarded a new client last spring. The name matched a former deputy minister in a country three time zones away. Their screening tool flagged it, an analyst spent the better part of a day chasing the match, and it turned out to be a different person entirely. Same name, different continent, no political exposure at all. That single false positive cost most of a working day. Multiply it across a book of clients and you start to see why PEP screening has a reputation problem.

The frustrating part is that the screening wasn't wrong to flag the name. It was wrong about almost everything else. No date of birth match, no jurisdiction logic, no record of why the alert was raised or how it was cleared. The analyst did the work a properly configured system should have done in seconds. We see variations of this every week, and it's almost never a technology gap. It's an orchestration and data quality gap.

What PEP screening actually is

PEP screening is the process of checking customers and their associates against lists of politically exposed persons to identify and manage the heightened money laundering and corruption risk those individuals carry. A politically exposed person is someone entrusted with a prominent public function, such as a head of state, senior politician, senior government official, judicial or military figure, or senior executive of a state-owned enterprise. The category extends to their family members and known close associates, because the risk often flows through relationships rather than the individual alone.

The Financial Action Task Force (FATF) sets the baseline here. Recommendation 12 requires financial institutions to put in place appropriate risk management systems to determine whether a customer or beneficial owner is a PEP. For foreign PEPs it then requires senior management approval of the relationship, reasonable measures to establish source of wealth and source of funds, and enhanced ongoing monitoring; for domestic PEPs and people holding prominent functions at international organisations, those same measures apply where the relationship is assessed as higher risk. The full text sits on the FATF website at fatf-gafi.org. This is not optional guidance. It is the global standard that national regimes are built on.

In the UK, that obligation lands in the Money Laundering Regulations 2017 (MLRs 2017), which require firms to apply enhanced customer due diligence to any business relationship with a PEP, a family member of a PEP, or a known close associate. Since January 2024 the MLRs themselves state that a domestic PEP is to be treated as lower risk than a foreign one unless other risk factors apply, and the FCA's guidance says the same: the enhanced measures still apply, but less intensively. That nuance matters, and a screening setup that treats every PEP as maximum risk is the same setup that drowns your analysts in noise.

Across the EU, the 2024 AML package (a directly applicable AML Regulation alongside the Sixth Anti-Money Laundering Directive, AMLD6) tightens the framework further, moving definitions such as who counts as a PEP into a single rulebook and raising the bar on accountability. The new EU Anti-Money Laundering Authority (AMLA), which began operating in Frankfurt in 2025, will directly supervise selected high-risk cross-border institutions and push for more consistent application of these rules across member states. If your screening logic differs market by market with no central audit trail, AMLA's direction of travel is a problem you want to get ahead of.

Why manual PEP screening breaks down

Manual screening is where most of the cost hides. A name comes in, an analyst runs it against one or more lists, scrolls through possible matches, makes a judgement, and writes up a note. On a quiet day that works. The trouble is that PEP screening generates an enormous volume of partial matches, and partial matches are where the work lives.

Three things go wrong, again and again.

The first is false positive overload. Common names match dozens of entries. Without secondary identifiers like date of birth, nationality, or jurisdiction to narrow the field, an analyst has to inspect each one by hand. Most of those alerts clear. You are paying experienced people to confirm that nothing is wrong, which is the most expensive way to be safe.

The second is disparate data sources. PEP data, sanctions lists, adverse media, and corporate registries often live in separate tools with separate logins and separate refresh cycles. Stitching a complete picture of a customer together by hand, across four or five screens, is slow and error-prone. The deputy-minister example earlier failed precisely because the matching data and the disambiguating data never met in one place.

The third is audit trail gaps. When a regulator asks why you cleared an alert eighteen months ago, "the analyst was confident" is not an answer. Manual processes scatter the evidence across emails, spreadsheets, and memory. Reconstructing a defensible decision after the fact is painful, and sometimes impossible.

A Head of Financial Crime at a European wealth manager put it to us plainly: "Our analysts are good. The problem was never their judgement. The problem was that they spent eighty per cent of their time clearing matches that a machine should have cleared, and the remaining twenty per cent rushing the ones that actually mattered."

This is exactly the workflow gap Zenoo was built to close. If you are running PEP and sanctions checks across three or more sources by hand, it is worth seeing how orchestration changes the maths. Book a demo to run it with your own data.

How automated PEP screening should work

Automation does not mean removing the analyst. It means giving the analyst only the cases that need a human, with all the context already assembled. Good automated PEP screening does four things well.

It matches intelligently. Rather than flagging every name that looks similar, it uses secondary identifiers to score and rank matches, so an exact name with no date of birth or jurisdiction match is treated very differently from a strong multi-attribute match. This is the single biggest lever on false positive volume.

It brings sources together. PEP lists, sanctions data, and adverse media are screened in parallel and presented as one consolidated view, rather than four separate searches an analyst has to run and reconcile.

It applies risk-based logic. A domestic PEP with no other risk factors and a foreign PEP from a high-risk jurisdiction should not generate identical workflows. The MLRs 2017 and FATF Recommendation 12 both assume a risk-based approach. Your screening should encode that distinction rather than forcing analysts to apply it manually every time.

It records everything. Every alert, every match score, every decision, and every reviewer is logged automatically, so the audit trail builds itself. When the regulator asks, the answer is already written.

What good looks like

Good PEP screening is measured by what reaches a human and how defensible the outcome is, not by how many alerts the system produces. A setup that flags everything is not thorough. It is lazy, because it pushes the disambiguation work onto people.

The markers of a strong setup are consistent. False positives are filtered before they reach an analyst, using identity attributes rather than name alone. Screening is continuous, not a one-off at onboarding, because political exposure changes over time and the MLRs 2017 require ongoing monitoring of business relationships. Risk-based logic is configurable, so your team can tune thresholds for domestic versus foreign PEPs without writing code or waiting on an engineering queue. And the audit trail is automatic and complete, capturing the why behind every clear and every escalation.

This is the model Zenoo's Compliance Hub and Studio are built around. Screening runs across PEP, sanctions, and adverse media in one orchestrated flow, matching logic uses secondary identifiers to cut noise, and every decision is logged for the audit trail without anyone having to assemble it by hand. The point is not to replace your analysts. It is to stop wasting them on matches a properly configured system should have cleared.

Practical guidance for compliance teams

If you are reviewing your PEP screening, start with where the time goes. Pull a sample of cleared alerts from the last quarter and ask how many were obvious false positives that an attribute match would have killed. If the number is high, your matching logic is the place to fix first, not your headcount.

Next, check whether your sources are consolidated. If analysts log into separate tools for PEP, sanctions, and adverse media, you are paying for reconciliation time that a single orchestrated view removes.

Then test your audit trail. Pick a cleared alert at random and try to reconstruct why it was cleared, who cleared it, and what the match score was. If that takes more than a minute, you have an evidence gap that a regulator will eventually find.

Finally, confirm your risk-based logic is actually encoded somewhere other than your analysts' heads. The MLRs 2017, FATF Recommendation 12, and AMLD6 all assume a documented, risk-based approach. If yours lives in tribal knowledge, it will not survive a change of staff or an inspection.
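Two of the points above can be shown concretely in one short script: the attribute-weighted matching, risk-based routing and self-building audit trail described under "How automated PEP screening should work", and the first check in this section, replaying last quarter's cleared alerts to see how many an attribute match would have killed. The code below is an added illustration and is not Zenoo's product code. Everything in it is a constructed assumption for the example: the three PEP list entries and the customers are invented people, the weights and thresholds are chosen for illustration rather than taken from any regulator, and the firm's home country is set to GB. It uses only the Python standard library, so it runs offline.

```python
"""Attribute-weighted PEP match scoring with an audit trail that writes itself.

Added example, not Zenoo's code. The PEP list, customers, weights, thresholds and
home country below are all constructed assumptions for illustration only.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from datetime import date, datetime, timezone
from difflib import SequenceMatcher

HOME_COUNTRY = "GB"            # assumption: a UK-based firm
NAME_CANDIDATE_FLOOR = 0.70    # below this similarity an entry never becomes an alert
W_NAME, W_DOB, W_COUNTRY = 0.5, 0.3, 0.2
DOB_CONTRADICTION = 0.4        # a conflicting date of birth outweighs a matching one
ESCALATE_AT, REVIEW_AT = 0.75, 0.40


@dataclass(frozen=True)
class PepRecord:
    list_id: str
    name: str
    dob: date | None
    country: str
    role: str


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    dob: date | None
    nationality: str


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    customer_id: str
    list_id: str
    score: float
    reasons: tuple[str, ...]   # why the score is what it is, one line per attribute
    decision: str              # auto_clear | review | escalate
    workflow: str              # what happens next, from the decision and the PEP's jurisdiction
    reviewer: str              # "system" until an analyst takes the case over


# Constructed list entries; these are not real people.
PEP_LIST = [
    PepRecord("PEP-001", "Ana Maria Silva", date(1961, 4, 12), "BR", "former deputy minister"),
    PepRecord("PEP-002", "Ana Silva", None, "PT", "municipal councillor"),
    PepRecord("PEP-003", "John Smith", date(1970, 1, 1), "GB", "member of parliament"),
]

# Constructed customers: the article's look-alike, a genuine match, a domestic PEP, a name-only hit.
LOOKALIKE = Customer("C-1001", "Ana Maria Silva", date(1985, 7, 20), "GB")
CONFIRMED = Customer("C-1002", "Ana Maria Silva", date(1961, 4, 12), "BR")
DOMESTIC = Customer("C-1003", "John Smith", date(1970, 1, 1), "GB")
NAME_ONLY = Customer("C-1004", "Anna Silva", None, "PT")

# Constructed sample of alerts an analyst cleared by hand, as (customer, list entry) pairs.
CLEARED_LAST_QUARTER = [
    (LOOKALIKE, "PEP-001"),
    (NAME_ONLY, "PEP-002"),
    (Customer("C-1005", "Ana Maria Silva", date(1990, 1, 1), "PT"), "PEP-001"),
]


def normalise(name: str) -> str:
    """Casefold, strip diacritics and punctuation, and sort tokens so word order is irrelevant."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()
    tokens = "".join(c if c.isalnum() else " " for c in plain).split()
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def score_match(customer: Customer, pep: PepRecord) -> tuple[float, tuple[str, ...]]:
    """Combine name similarity with the secondary identifiers; every term leaves a reason behind."""
    sim = name_similarity(customer.name, pep.name)
    score, reasons = W_NAME * sim, [f"name similarity {sim:.2f}"]
    if customer.dob and pep.dob:
        if customer.dob == pep.dob:
            score += W_DOB
            reasons.append("date of birth matches")
        else:
            score -= DOB_CONTRADICTION
            reasons.append(f"date of birth differs ({customer.dob} vs {pep.dob})")
    else:
        reasons.append("date of birth unavailable on one side")
    if customer.nationality == pep.country:
        score += W_COUNTRY
        reasons.append(f"country matches ({pep.country})")
    else:
        reasons.append(f"country differs ({customer.nationality} vs {pep.country})")
    return round(max(0.0, min(1.0, score)), 3), tuple(reasons)


def decide(score: float) -> str:
    return "escalate" if score >= ESCALATE_AT else "review" if score >= REVIEW_AT else "auto_clear"


def workflow_for(decision: str, pep: PepRecord) -> str:
    """Risk-based routing: a domestic PEP and a foreign PEP do not get the same workflow."""
    if decision == "auto_clear":
        return "none"
    tier = "domestic" if pep.country == HOME_COUNTRY else "foreign"
    return f"analyst review, {tier} PEP" if decision == "review" else f"enhanced due diligence, {tier} PEP"


def screen(customer: Customer, pep_list=PEP_LIST, now: datetime | None = None) -> list[AuditRecord]:
    """One audit record per candidate above the name floor; the trail is a by-product of scoring."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for pep in pep_list:
        if name_similarity(customer.name, pep.name) < NAME_CANDIDATE_FLOOR:
            continue
        score, reasons = score_match(customer, pep)
        decision = decide(score)
        records.append(AuditRecord(stamp, customer.customer_id, pep.list_id, score, reasons,
                                   decision, workflow_for(decision, pep), "system"))
    return records


def replay_cleared_alerts(cleared, pep_list=PEP_LIST) -> int:
    """How many analyst-cleared alerts would attribute matching have cleared with no human at all?"""
    by_id = {p.list_id: p for p in pep_list}
    automated = 0
    for customer, list_id in cleared:
        records = screen(customer, [by_id[list_id]])
        if not records or records[0].decision == "auto_clear":
            automated += 1
    return automated


if __name__ == "__main__":
    for who in (LOOKALIKE, CONFIRMED, DOMESTIC, NAME_ONLY):
        for rec in screen(who):
            print(rec.customer_id, rec.list_id, rec.decision, rec.score, rec.workflow, "|", "; ".join(rec.reasons))
    print(f"{replay_cleared_alerts(CLEARED_LAST_QUARTER)} of {len(CLEARED_LAST_QUARTER)} cleared alerts needed no analyst")
```

The look-alike from the opening anecdote is an exact name match, so name-only screening raises it; here the contradicting date of birth and country push it to auto_clear with the reasons recorded, which is the whole day the analyst got back. A confirmed foreign PEP scores 1.0 and routes to enhanced due diligence on the foreign tier, the same person on the domestic list routes to the domestic tier, and a strong name with no date of birth on either side lands in analyst review because there is nothing to disambiguate with. Replaying the constructed cleared alerts shows two of three would never have reached a person. In a real deployment the weights, the floor and the thresholds are the part you tune against your own cleared-alert sample, and the audit record is what you show the regulator eighteen months later.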

Frequently asked questions

What is PEP screening?

PEP screening is the process of checking customers, beneficial owners, and their associates against lists of politically exposed persons to identify heightened money laundering and corruption risk, and to apply enhanced due diligence where a match is confirmed. It is required under FATF Recommendation 12 and, in the UK, the Money Laundering Regulations 2017.

Who counts as a politically exposed person?

A PEP is someone entrusted with a prominent public function, including heads of state, senior politicians, senior government, judicial or military officials, and senior executives of state-owned enterprises. The definition extends to their immediate family members and known close associates, because risk often flows through relationships.

Are domestic PEPs treated the same as foreign PEPs?

No. Under FCA guidance on the MLRs 2017, domestic PEPs should generally be treated as lower risk than foreign PEPs unless other risk factors are present. A screening setup that applies identical enhanced due diligence to every PEP regardless of jurisdiction generates unnecessary work and ignores the risk-based approach the regulations expect.

How often should PEP screening be carried out?

PEP screening should not be a one-off check at onboarding. Political exposure changes over time, and the MLRs 2017 require ongoing monitoring of business relationships, so screening should run continuously or on a defined periodic cycle, with re-screening triggered by changes in customer circumstances or list updates.

What should I look for in PEP screening software in 2026?

Look for intelligent match scoring that uses secondary identifiers to cut false positives, consolidated screening across PEP, sanctions, and adverse media in one view, configurable risk-based logic you can tune without engineering, and an automatic audit trail that records every decision. These four capabilities are what separate a setup that helps your analysts from one that buries them.

Key takeaways

  • PEP screening exists to identify and manage the heightened risk that politically exposed persons carry, as required by FATF Recommendation 12, the UK MLRs 2017, and EU AMLD6.
  • Manual screening breaks down through false positive overload, disparate data sources, and audit trail gaps, all of which cost analyst time without improving outcomes.
  • Good automated screening uses secondary identifiers to score matches, consolidates sources, encodes risk-based logic, and builds the audit trail automatically.
  • Domestic and foreign PEPs should not generate identical workflows; the regulations assume a documented, risk-based approach.
  • The aim of automation is not to remove analysts but to send them only the cases that genuinely need a human, with full context already assembled.

If your team is clearing alerts a machine should be clearing, it is worth seeing what orchestrated PEP screening does to your false positive rate. Visit zenoo.com and book a demo. 30 minutes. Your data. No slides.
