Financial crime prevention is made up of many carefully followed procedures, and PEP (Politically Exposed Person) screening is one of them. It deals specifically with individuals in high-profile public roles and aims to prevent money laundering and corruption involving those individuals.
While the process of PEP screening may look straightforward, there’s a lot of nuance to it. PEPs vary in their backgrounds, so their risk profiles and the measures to be taken with regard to them vary as well. On top of that, there are issues with false positives, outdated databases, and many other things to consider.
This PEP screening guide not only covers all these topics but also offers practical advice to make the process as effective as possible.
What is PEP screening and why is it important?
PEP screening is the process of identifying individuals classified as Politically Exposed Persons (PEPs) and assessing the risks they may pose to various institutions, primarily in banking, crypto, and other finance-related industries. In practice, it usually means comparing customer information against databases of known PEPs, their associates, and related entities.
PEPs have access to many resources, decision-making power, and insider knowledge that make them targets for corruption. Having these powers, they can exploit international financial systems, disguising illicit gains through complex networks of accounts, shell companies, and trusts. Money laundering, bribery, embezzlement, and misappropriation of public funds are some of the most common examples. Naturally, these activities require prevention.
Types of PEPs
Not all PEPs carry the same level of risk, nor do they operate within the same context. Traditionally, all PEPs are divided into three major categories: domestic PEPs, foreign PEPs, and international organization PEPs.
Domestic PEPs
Domestic PEPs are individuals who hold (or have held) prominent positions within their home country. These could be:
Heads of state.
Senior government officials.
Top-ranking military officers.
High-level judicial officials.
Executives of state-owned enterprises.
Key political party leaders.
The risks posed by domestic PEPs are massively influenced by how widespread corruption is in their home country. In nations with strong legal frameworks and transparent systems, they may be moderate. However, in countries plagued by corruption, weak institutions, or autocratic regimes, domestic PEPs often pose a much higher risk.
Foreign PEPs
Foreign PEPs are individuals who hold significant public roles but in countries other than the one in which the financial institution operates:
Heads of foreign governments.
Foreign ministers.
Ambassadors.
Members of foreign legislatures (senators, congress members, or other parliamentarians).
Foreign military leaders.
Foreign judges.
Overseas state-enterprise executives.
This category is particularly important for international organizations and cross-border businesses.
Foreign PEPs are automatically categorized as higher risk under the Financial Action Task Force (FATF) guidelines. This is because different international jurisdictions may have different transparency levels, not to mention the complex nature of cross-border interactions themselves.
For example, a foreign ambassador might have access to some diplomatic privileges, including immunity from certain legal processes. This can create opportunities for misuse like smuggling or laundering funds.
PEPs from sanctioned countries
This is a subtype of foreign PEPs who are citizens of countries that are sanctioned by other countries or international bodies. These people tend to be even more thoroughly screened, with their profiles being checked against a wider variety of databases, including lists of sanctioned individuals.
International organization PEPs
These are individuals who hold senior roles in prominent international organizations, which include but are not limited to:
Senior UN officials: UN Secretary-General, under-secretaries, or ambassadors to the UN.
World Bank executives: President, managing directors, or heads of regional offices.
IMF leadership: Managing director, deputy directors, and executive board members.
European Union officials: European Commissioners, heads of EU institutions.
NATO leadership: Supreme Allied Commander, defense ministers within NATO.
Officials in entities like the WHO, WTO, ICC, and others.
While they already operate under the scrutiny of international frameworks, they are still high-risk due to their access to large-scale funding. Common examples of misuse here are mismanagement or misappropriation of international aid.
NB: Family members and close associates
A PEP check is incomplete without factoring in the activities of family members and close associates. That is because these individuals can act as enablers of financial crimes, either willingly or unknowingly.
Some common examples are:
Spouses.
Children.
Siblings.
In-laws.
Business partners.
Advisors.
Financiers.
PEP screening process step by step
While the PEP screening process may vary depending on the organization that conducts it, the procedure typically includes the following steps:
Step 1: Data collection and customer identification
The first step in a PEP check involves gathering accurate customer information and identifying the customer.
Key data points to collect:
Full name: The name must be recorded accurately, including middle names, variations, and alternative spellings.
Date of birth: This can be helpful when distinguishing between individuals with similar names.
Country of political activity: Knowing where the individual has held office or influence will help risk assessment.
Dates of office: Documenting the start and end dates of political roles lets you know if the individual is a current PEP or has transitioned to a former PEP status.
Along with the collection of data, the institution must confirm the customer's identity. For that purpose, they use a combination of biometric authentication, liveness detection, and ID document examination.
Step 2: Screening against PEP databases
Once the identity is confirmed, the next step is cross-referencing it against reputable sources such as:
Regulatory databases: The FATF, OFAC (Office of Foreign Assets Control), and other global bodies maintain lists of individuals under heightened scrutiny.
Commercial PEP screening tools: Some organizations like to use third-party platforms that aggregate PEP data from multiple sources.
Media archives: Global and local news outlets can also give information on PEPs that are not cataloged in formal lists.
Step 3: Risk assessment
If the customer’s identity matches a profile in one of the above sources, this is the time to determine the level of risk this customer presents.
Some of the factors that influence risk are:
Geographic risk: Those linked to countries with high corruption indices or conflict zones are typically at higher risk.
Sectoral exposure: Here, high-risk sectors include defense, energy, and infrastructure procurement.
Transactional behavior: Over time, the risk level can be reassessed if there are unusual transactional patterns like frequent large transactions or transfers to offshore accounts.
If a customer is deemed high-risk (but not so high-risk as to be denied), an institution typically applies enhanced due diligence measures. These can be:
Verifying the source of funds and wealth through independent audits.
Conducting background checks on family members and close associates.
Reviewing past allegations or investigations related to corruption.
Step 4: Onboarding or denial
If the PEP passes all screening and due diligence checks, the institution proceeds with onboarding. As a precaution, organizations may set transaction limits and establish special monitoring protocols, if necessary.
Conversely, if the risks outweigh the potential benefits, the application may be denied. In this case, institutions must carefully communicate their decision; otherwise, they may face reputational backlash.
Step 5: Monitoring
One of the most important things to understand about the PEP status is that it is fluid. An individual’s risk profile may change based on their current role, emerging news, or shifting geopolitical circumstances.
That is why institutions tend to adopt an ongoing monitoring framework, which includes:
Transactional activity: Sudden large deposits or transfers to high-risk jurisdictions would warrant immediate scrutiny.
Changes in status: A current PEP may become a former PEP after leaving office, potentially changing the risk assessment.
Inclusion/exclusion on new sanctions lists: Updated databases and regulatory notices must be cross-referenced with the customer base.
PEP screening requirements in the US, EU and UK
While most countries align with recommendations from bodies like the FATF, there are a lot of specifics to consider. Let’s take a look at the PEP screening differences in the US, EU and UK.
United States
The United States, as a massive financial hub, has one of the most stringent PEP screening requirements in the world.
That said, it does not define “politically exposed persons” in statute and relies instead on FATF guidance, which can make the interpretation of the term ambiguous. To complicate matters further, financial institutions must often deal with overlapping state and federal requirements.
Some key regulations and agencies include:
FinCEN (Financial Crimes Enforcement Network): Mandates customer due diligence (CDD) rules, requiring financial institutions to identify PEPs.
OFAC (Office of Foreign Assets Control): Oversees sanctions compliance and includes PEPs in its Specially Designated Nationals (SDN) list.
Bank Secrecy Act (BSA): Provides the legal foundation for PEP screening.
European Union
The European Union harmonizes its PEP screening requirements through the 4th AML Directive and 6th AML Directive:
Mandatory identification: Both domestic and foreign PEPs must be identified and subjected to enhanced due diligence (EDD).
Uniform definitions: The EU defines PEPs broadly, including senior political figures, their families, and close associates.
Risk-based focus: Institutions are encouraged to classify PEPs based on risk levels rather than assuming uniform high-risk categorization.
United Kingdom
The United Kingdom, though no longer part of the EU, has retained and expanded on AML regulations from its EU membership days:
Money Laundering Regulations (MLR) 2017: Requires the identification of PEPs and their close associates.
National Crime Agency (NCA): Acts as the primary enforcement body for PEP-related investigations.
The UK places a lot of focus on ongoing monitoring, requiring institutions to review PEP status periodically even after onboarding. Post-Brexit, the UK has been more proactive in updating its sanctions lists, especially in response to various geopolitical events.
Common challenges of PEP screening
Now let’s explore some common issues that institutions experience with the PEP screening process.
False positives and false negatives
One of the most persistent issues in any PEP check is false positives: instances where a system flags individuals incorrectly due to name or data similarities. This can cause a number of problems: it can overwhelm compliance teams with repeat checks, waste money on unnecessary work, and make customers dissatisfied.
However, an arguably bigger problem is false negatives, where genuine risks slip through undetected.
Limited PEP data availability
In many cases, detailed and verifiable information about PEPs is not readily available. Certain regions lack transparency in public records, and reliance on incomplete databases can leave gaps in your screening efforts.
This is particularly problematic for smaller institutions that might not have access to premium PEP databases.
Fraudulent identity documents
PEPs can sometimes attempt to cheat the screening system by using fake ID documents. Since such PEPs also tend to have connections with the criminal world, they can produce a fake that looks very convincing to the naked eye.
Dynamic PEP data
PEPs can gain or lose their political status overnight, and this makes keeping databases current a hefty task. A database that isn’t updated risks providing obsolete information, leading to compliance failures or the aforementioned false positives and negatives.
Procedural negligence
Institutions can sometimes display negligent behavior during a PEP check—the staff may not go beyond the basics and let a potential red flag slip through the cracks.
Alternatively, in the event of someone being flagged, the staff may not be too responsive in addressing appeals. This particular issue is known to cause weeks or even months of waiting for unjustly flagged individuals, who are meanwhile unable to open an account or perform a transaction.
Uncovering hidden relationships
The most difficult part is identifying indirect connections, such as those involving close associates, business ties, or some form of beneficial ownership. These relationships are not always evident and often need extensive due diligence.
Practical advice for PEP and sanction screening
Finally, let’s get into some recommendations for the most effective and efficient PEP screening process.
Tackle the false positive problem
While they can hardly be eradicated, many false positives can be avoided by a more careful analysis of a person’s identity. For example, it’s not uncommon for a non-PEP to be flagged because they share a surname with an unrelated PEP. Even when the surnames differ, a very small difference (e.g., one letter) can still produce a false positive for a non-PEP.
You can also reduce false results to a minimum by making your screening algorithms more sophisticated. One way to do it is to improve accuracy by cross-referencing as much data as possible, be it geographic location or known affiliations.
Additionally, you can make use of feedback from previous screenings to improve your long-term results.
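The cross-referencing idea above, shown as an added example (not code from this guide or from any vendor's product): a name hit is raised only above a similarity threshold and is then confirmed, cleared, or sent to review using date of birth and country. The `Person` fields, the 0.85 threshold, the verdict rules, and the watchlist entries are assumptions constructed for illustration and would need tuning against reviewed cases.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Person:
    full_name: str
    date_of_birth: str  # ISO date, "" when unknown
    country: str        # ISO 3166-1 alpha-2, "" when unknown

def normalize(name: str) -> str:
    """Strip accents, case and punctuation; sort tokens so word order is ignored."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return " ".join(sorted(tokens))

def compare(a: str, b: str) -> str:
    """Compare one secondary attribute; missing data is never treated as a conflict."""
    if not a or not b:
        return "unknown"
    return "agree" if a == b else "conflict"

def screen(customer: Person, watchlist: list[Person], threshold: float = 0.85) -> list[dict]:
    """Return every name hit with its evidence and verdict, so cleared hits stay auditable."""
    hits = []
    for entry in watchlist:
        score = SequenceMatcher(None, normalize(customer.full_name),
                                normalize(entry.full_name)).ratio()
        if score < threshold:
            continue  # e.g. only a shared surname: not a hit at all
        evidence = {"date_of_birth": compare(customer.date_of_birth, entry.date_of_birth),
                    "country": compare(customer.country, entry.country)}
        agrees = sum(v == "agree" for v in evidence.values())
        conflicts = sum(v == "conflict" for v in evidence.values())
        if agrees and not conflicts:
            verdict = "match"      # name and secondary data line up: escalate
        elif conflicts and not agrees:
            verdict = "cleared"    # near-identical name, different person (assumed policy)
        else:
            verdict = "review"     # no secondary data or mixed signals: analyst decides
        hits.append({"entry": entry.full_name, "name_score": round(score, 3),
                     "evidence": evidence, "verdict": verdict})
    return hits

# Constructed watchlist entries (not real PEP data)
WATCHLIST = [Person("José Martínez Ruiz", "1961-04-12", "ES"),
             Person("Ivan Petrov", "", "BG")]
```

Cleared hits are returned rather than dropped so that the screening log records why each alert was dismissed.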
Keep the risk levels updated
PEPs carry different levels of risk, but risk levels can also change. Your screening strategy needs to account for both of these facts.
So make sure to:
Categorize risks by customer type, transactional behavior, and geographic exposure.
Assign weights to different risk factors to prioritize high-risk cases.
Regularly update the risk profiles of PEPs and your risk assessment framework as a whole.
Don’t rely on a single PEP screening tool
Many reputable financial institutions tend to use a combination of various tools for their PEP screening procedure—a practice that is fully justified. Even the more powerful tools can suffer from imperfect screening algorithms or delays in their database updates.
Ensure thorough documentation
Regulators often scrutinize the documentation and processes behind PEP and sanction screening activities. That’s why you need to maintain comprehensive logs of all screening activities, including flagged individuals, investigations conducted, and final outcomes.
Use Regula’s technology to optimize your PEP screening
Make use of robust technological KYC solutions that make the PEP screening process simpler and more accurate. For instance, ID verification and face biometrics with liveness checks can be carried out by solutions like Regula Document Reader SDK and Regula Face SDK.
Document Reader SDK processes images of documents and verifies their real presence and authenticity. The software extracts all the necessary information, and then determines whether the document is genuine or fake.
At the same time, Regula Face SDK conducts instant facial recognition and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks. It can also perform face matching against PEP databases to find discrepancies that are visible to the naked eye.
Additionally, Regula’s solutions help you automate the collection of personal data from scanned documents, which can later be used for efficient cross-referencing with PEP databases.