
PEP screening beyond the checkbox: a risk-based approach

Stuart Watkins, 8 min read

By Stuart Watkins, CEO, Zenoo

Every compliance team screens for Politically Exposed Persons. It is one of the most fundamental requirements of any AML programme. And yet, in our experience working with compliance teams across the UK and EU, PEP screening is also one of the most poorly implemented areas of compliance. Not because firms are not screening. They are. But because the screening itself has become the goal, when it should be the starting point.

The question is not "did we identify this person as a PEP?" The question is "having identified them, did we apply proportionate, risk-based enhanced due diligence that reflects the actual risk this specific person presents?" For most firms, the honest answer is no.

The PEP checkbox problem

Here is what PEP screening looks like at most financial institutions. A customer applies for an account. The screening system runs their name against a PEP database. A match is generated. An analyst reviews the match, confirms it is a true positive, and flags the customer as a PEP. Enhanced Due Diligence is applied, which typically means: source of wealth documented, source of funds documented, senior management sign-off obtained. Done.

The problem is that this process treats all PEPs the same. A sitting head of state and a local council member in a low-corruption jurisdiction go through the same EDD process. A foreign PEP from a jurisdiction with systemic corruption risks receives the same treatment as a domestic PEP from a country with strong governance institutions. The checkbox has been ticked, but the risk-based approach that regulators expect has not been applied.

"We had a compliance review where the regulator asked why our EDD for a PEP who was a minor local government official in Sweden was identical to our EDD for a PEP connected to a jurisdiction on the FATF grey list. We did not have a good answer. Our process was the same for both, because our system only had one PEP category."

Risk-based PEP assessment means differentiation

FATF Recommendation 12 and its interpretive note are clear: the requirement is not simply to identify PEPs. It is to apply risk-based enhanced due diligence that reflects the specific risks associated with the PEP relationship, with the level of enhanced measures proportionate to the risks identified. The Recommendation itself already differentiates: foreign PEPs always attract the full set of enhanced measures (senior management approval, source of wealth and funds, enhanced ongoing monitoring), while domestic and international-organisation PEPs attract them where the relationship is assessed as higher risk. A single PEP category cannot express even that distinction.

In practice, this means your PEP framework needs to differentiate based on several factors.

Jurisdiction risk. A PEP from a jurisdiction with high corruption indicators presents a different risk profile from a PEP in a jurisdiction with strong anti-corruption institutions. Your EDD should reflect this. The depth of source of wealth investigation, the frequency of ongoing review, and the level of senior management oversight should all be calibrated to jurisdictional risk.

Level of political exposure. Not all PEP functions carry the same risk. A head of state, a senior military officer, or a board member of a state-owned enterprise presents different risks from a member of a local assembly. Your framework should categorise PEP functions by risk tier and apply proportionate EDD to each tier.

Proximity to the PEP. Close associates and family members of PEPs are in scope, but the risk they present varies significantly depending on the nature and closeness of their relationship to the PEP. A spouse of a sitting minister presents different risks from a distant business associate of a former local official.

Nature of the business relationship. A PEP opening a basic current account presents different risks from a PEP establishing a complex corporate structure with multiple layers of ownership. The product and service being accessed should influence the EDD approach.

The data quality problem

Risk-based PEP screening requires risk-based PEP data. And this is where many firms hit a wall. Commercial PEP databases vary enormously in quality, coverage, and categorisation.

Some providers classify PEPs into broad categories (foreign PEP, domestic PEP, international organisation PEP) without further granularity. Others provide detailed function descriptions but inconsistent jurisdiction coverage. A few offer risk-tiered PEP classifications, but the methodology behind the tiering is often opaque.

We benchmarked four major PEP data providers against a sample of 500 known PEPs across 30 jurisdictions. The overlap was surprisingly low. Provider A and Provider B agreed on the PEP status of only 72% of the sample. For domestic PEPs in smaller EU jurisdictions, agreement dropped to 58%. This means your PEP screening results depend heavily on which provider you use, and if you use only one, you are almost certainly missing people.

"We switched PEP providers last year and our PEP identification rate went up by 30%. Same customer base. Same screening process. Different data. That told us everything we needed to know about how much we had been missing with the previous provider."

Former PEPs: the de-risking trap

One of the most common compliance failures we see relates to former PEPs. The FATF guidance is that a person who is no longer politically exposed should not automatically be treated as a current PEP, but should continue to be subject to risk-based measures until they are assessed as no longer presenting PEP-specific risks. In practice, this means a cooling-off period with continued monitoring.

Many firms take a binary approach: either you are a PEP or you are not. When a person leaves office, their PEP flag is removed and they revert to standard due diligence. This fails to account for the residual risk that the influence and connections built during political office do not evaporate on the day someone leaves their position.

The opposite failure is equally problematic. Some firms maintain PEP-level EDD indefinitely, treating former PEPs the same as current PEPs regardless of how long ago they left office or the nature of their political exposure. This is disproportionate, burdens the compliance team with unnecessary reviews, and can contribute to de-risking (refusing to bank PEPs at all rather than managing the risk proportionately).

A risk-based approach requires a documented methodology for transitioning former PEPs, including a defined cooling-off period (typically 12 to 24 months; EU rules require PEP-related measures to continue for at least 12 months after a person leaves office, and the period should be risk-calibrated above that floor), ongoing monitoring during the transition, and a documented risk assessment at the point of de-escalation.

Ongoing monitoring: not just re-screening

PEP-related ongoing monitoring is more than just periodic re-screening against updated PEP lists. It should include monitoring for changes in the PEP's political status (promotion, demotion, change of role, leaving office), changes in jurisdictional risk (a jurisdiction being placed on or removed from a FATF monitoring list), and changes in the customer's transaction patterns that might indicate the PEP risk has materialised.

Most firms do the first part reasonably well (re-screening catches status changes), but very few integrate jurisdictional risk monitoring or transaction pattern analysis into their PEP ongoing monitoring process. These are the gaps that regulators are increasingly probing.

Practical step: Review your PEP ongoing monitoring process. Does it capture changes beyond PEP status? Does it trigger reviews when a jurisdiction's risk profile changes? If your PEP monitoring is limited to periodic re-screening, you have a gap.

Building a genuinely risk-based PEP framework

Here is a practical framework for moving beyond the checkbox.

Step 1: Tier your PEP functions. Create a categorisation of PEP functions by risk level. Tier 1 (highest risk): heads of state, senior government ministers, central bank governors, senior judicial officials. Tier 2: members of parliament, senior military officers, board members of state-owned enterprises. Tier 3: regional and local government officials, minor diplomatic functions. Each tier should have a defined EDD standard.

Step 2: Overlay jurisdictional risk. Cross-reference PEP tier with jurisdictional risk indicators (Transparency International CPI, FATF mutual evaluations, Basel AML Index). A Tier 3 PEP from a high-risk jurisdiction may warrant more intensive EDD than a Tier 2 PEP from a low-risk jurisdiction.

Step 3: Calibrate your EDD. Define specific EDD measures for each combination of PEP tier and jurisdictional risk. Source of wealth requirements, source of funds requirements, review frequency, and approval level should all vary based on the assessed risk.

Step 4: Document the methodology. Write down your PEP risk assessment methodology, including the rationale for your tier definitions and jurisdictional risk weightings. This is what you will show a regulator. It should demonstrate genuine risk-based thinking, not a one-size-fits-all process.

Step 5: Review and recalibrate annually. PEP risk is not static. Jurisdictional risk changes, political landscapes shift, and your customer base evolves. Your PEP framework should be reviewed at least annually and updated to reflect current conditions.
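To make the five steps concrete, here is the framework, together with the former-PEP cooling-off and ongoing-monitoring points from the earlier sections, written out as a small decision procedure. This is an added example, not Zenoo's code and not any regulator's standard. Every constant in it (which functions sit in which tier, the CPI cut-offs that define the jurisdiction bands, the 12/18/24-month cooling-off windows, the review frequencies and approval levels) is an assumption chosen to illustrate the method; a real methodology document would justify each one, which is exactly what Step 4 asks for.

```python
# Added example (not Zenoo's code): a toy PEP risk-rating engine that turns the
# five-step framework into a decision procedure. All mappings and thresholds
# below are illustrative assumptions, not a regulatory standard.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Step 1: PEP functions grouped into risk tiers (1 = highest). Assumed mapping.
FUNCTION_TIER = {
    "head_of_state": 1, "government_minister": 1,
    "central_bank_governor": 1, "senior_judge": 1,
    "member_of_parliament": 2, "senior_military_officer": 2, "soe_board_member": 2,
    "regional_official": 3, "local_official": 3, "minor_diplomat": 3,
}
BAND_WEIGHT = {"low": 0, "medium": 1, "high": 2}
# Step 3: measures per EDD level as (review interval in months, approval level). Assumed.
EDD_MEASURES = {
    "baseline": (12, "compliance_officer"),
    "enhanced": (6, "mlro"),
    "intensive": (3, "senior_management"),
}
# Former PEPs: cooling-off window per tier, risk-calibrated within 12-24 months. Assumed.
COOLING_OFF_MONTHS = {1: 24, 2: 18, 3: 12}


@dataclass(frozen=True)
class PepProfile:
    function: str
    relationship: str            # "self", "family" or "associate" (proximity to the PEP)
    jurisdiction: str
    cpi_score: int               # Transparency International CPI, 0 (corrupt) .. 100 (clean)
    on_fatf_list: bool           # on a FATF grey/black list
    left_office: Optional[date] = None


@dataclass(frozen=True)
class Assessment:
    tier: int
    band: str
    level: str
    review_months: int
    approval: str
    status: str
    notes: tuple


def jurisdiction_band(cpi_score: int, on_fatf_list: bool) -> str:
    """Step 2: band jurisdictional risk from public indicators. Cut-offs are assumptions."""
    if on_fatf_list or cpi_score < 40:
        return "high"
    return "medium" if cpi_score < 60 else "low"


def edd_level(tier: int, band: str) -> str:
    """Step 3: combine tier and band into an EDD level. Score runs 1..5."""
    score = (4 - tier) + BAND_WEIGHT[band]
    if score >= 5:
        return "intensive"
    return "enhanced" if score >= 3 else "baseline"


def months_between(start: date, end: date) -> int:
    return (end.year - start.year) * 12 + (end.month - start.month)


def assess(p: PepProfile, today: date) -> Assessment:
    tier = FUNCTION_TIER[p.function]
    if p.relationship == "associate":          # proximity: associates one tier lower (assumed)
        tier = min(tier + 1, 3)
    band = jurisdiction_band(p.cpi_score, p.on_fatf_list)
    level = edd_level(tier, band)
    review_months, approval = EDD_MEASURES[level]
    notes = []
    if p.left_office is None:
        status = "current"
    else:
        elapsed, window = months_between(p.left_office, today), COOLING_OFF_MONTHS[tier]
        if elapsed < window:                   # still inside cooling-off: keep EDD and monitoring
            status = "former_cooling_off"
            notes.append(f"cooling-off {elapsed}/{window} months elapsed; keep {level} EDD")
        else:                                  # never auto-drop: de-escalation needs a documented assessment
            status = "former_review_due"
            notes.append("cooling-off complete; document risk assessment before de-escalating")
    return Assessment(tier, band, level, review_months, approval, status, tuple(notes))


def monitoring_triggers(before: Assessment, after: Assessment) -> list:
    """Ongoing monitoring: re-assess on new data and list what changed, not just PEP status."""
    triggers = []
    if before.tier != after.tier:
        triggers.append(f"political exposure tier {before.tier} -> {after.tier}")
    if before.band != after.band:
        triggers.append(f"jurisdiction risk {before.band} -> {after.band}")
    if before.level != after.level:
        triggers.append(f"EDD level {before.level} -> {after.level}; re-approve at {after.approval}")
    if before.status != after.status:
        triggers.append(f"PEP status {before.status} -> {after.status}")
    return triggers


if __name__ == "__main__":
    # Constructed sample: a minister whose country is later placed on a FATF list.
    today = date(2025, 6, 1)
    minister = PepProfile("government_minister", "self", "ZZ", 45, False)
    before = assess(minister, today)
    after = assess(PepProfile("government_minister", "self", "ZZ", 45, True), today)
    print(before.level, "->", after.level, monitoring_triggers(before, after))
```

The constructed cases in the test below check the behaviour the article asks for: a minor local official in a low-risk jurisdiction lands on baseline PEP measures, a Tier 3 official from a high-risk jurisdiction attracts more than a Tier 2 official from a low-risk one, a jurisdiction being added to a FATF list raises a monitoring trigger even though the customer's PEP status has not changed, and a former PEP stays in cooling-off rather than reverting to standard due diligence on the day they leave office.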

PEP screening that stops at identification is compliance theatre. The regulations require, and the risk demands, a framework that differentiates PEPs by the actual risk they present and applies proportionate measures accordingly. The firms that do this well are not spending more on compliance. They are spending it more intelligently, focusing resources where the risk is highest and reducing unnecessary friction where it is not.

If your PEP framework needs strengthening, or if you want to see how multi-provider screening can close your data quality gaps, talk to us. 30 minutes. Your data. No slides.

Stuart Watkins

About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
