PEP Screening Best Practices: Tiering, RCA & Refresh

PEP screening is required by FATF Recommendation 12 and every major AML regime — and is the control regulators inspect most closely after sanctions screening. The execution problem is not identifying PEPs; modern databases handle that. The problem is classifying them correctly, mapping their Relatives and Close Associates, refreshing status on the right cadence, and managing false positives without quietly under-screening. This guide covers the practices that distinguish a defensible PEP programme from a fragile one.

Published: May 2026 | Category: PEP Screening | Read time: ~13 minutes

Quick Answer
A defensible PEP programme has five elements: tiered classification aligned to the firm's jurisdiction (typically tier 1–4 from foreign heads of state down to senior state-owned enterprise officials); Relatives and Close Associates (RCA) mapping with the source PEP linkage preserved; jurisdiction-aware definitions handling the foreign vs domestic PEP distinction correctly; status decay rules applying the regulator-defined lookback window (typically 12 months post-public-function); and database source quality that justifies the firm's reliance on it under inspection. Most failure modes in PEP programmes are not failures to identify PEPs — they are failures to apply the right level of due diligence to identified PEPs, or failures to refresh PEP status as customer circumstances change. The standard fix is structured workflow tied to the PEP tier, not better matching.

Every modern AML regime requires enhanced due diligence on politically exposed persons. The principle is simple: customers with public-function influence carry elevated bribery, corruption and sanctions evasion risk. The execution is anything but simple — PEP definitions vary by regulator, the source data quality varies dramatically across countries, and status decays over time but not at the same rate everywhere.

Where PEP programmes fail in inspection findings, the failure is almost never about missing the PEP entirely. The PEP database matched. The match was reviewed. The status was confirmed. What broke down was what happened next — the level of due diligence applied, the source-of-funds documentation gathered, the senior management approval secured, the periodic refresh executed. The workflow following identification matters as much as the identification itself.

Why PEP Definitions Differ Across Regulators

FATF Recommendation 12 provides the baseline definition: a PEP is a natural person entrusted with prominent public functions, either domestically or by a foreign country, plus their family members and close associates. The Recommendation distinguishes foreign PEPs (always high-risk) from domestic PEPs (risk-based approach permitted).

National implementations diverge from there. MAS's Notice 626 treats domestic and foreign PEPs as broadly equivalent in scope, with the EDD obligation triggered at the same threshold. The FCA applies a risk-based approach where domestic PEPs are not automatically high-risk but require documented risk assessment. FinCEN's Customer Due Diligence Rule is narrower than FATF — it focuses specifically on senior foreign political figures rather than the broader PEP universe. EU 6AMLD aligns closely with FATF but adds explicit reference to RCAs within the directive text rather than supporting guidance.

The practical consequence: a customer who is a tier-3 domestic municipal official may require EDD in Singapore (MAS) but not automatically in the US (FinCEN). A firm operating across both jurisdictions must apply the more conservative standard or risk a defensibility gap in the stricter regime. Jurisdictional regulation pages document the specific obligations per regulator.

The Four PEP Tiers Explained

Most production PEP programmes classify identified PEPs into four tiers reflecting the elevation of risk. The tiers drive EDD intensity — what documentation is required, what approval is needed, what monitoring intensity applies.

Tier 1: Foreign Heads of State and Senior Politicians

Heads of state and government, senior political party officials, central bank governors, supreme court justices, defence ministers, and equivalent. Tier-1 PEPs are universally treated as high-risk regardless of regulator. EDD typically requires senior management approval, full Source of Funds and Source of Wealth documentation, ongoing enhanced monitoring with shortened periodic review cycles, and explicit treatment in board-level risk reporting.

Tier 2: Senior Government Officials

Senior officials of major government departments, ambassadors, senior military officers, senior judiciary below the supreme court, senior officials of major state-owned enterprises. EDD requirements are typically similar to tier 1 but with the option of risk-based modification — for example, a foreign tier-2 PEP from a low-risk jurisdiction may not require the same intensity as a foreign tier-1 PEP from a higher-risk jurisdiction.

Tier 3: Middle-Rank Officials and Sub-National Politicians

Middle-rank political officials, sub-national elected officials (state governors, regional council leaders), senior diplomats below ambassador rank, mid-rank officials of state-owned enterprises and international organisations. Tier-3 PEPs are typically treated under risk-based EDD — the obligation level reflects the underlying corruption risk of the role, the jurisdiction and the customer's specific profile.

Tier 4: State-Owned Enterprise Management and International Organisation Officials

Senior management of state-owned enterprises (where the state holds significant influence over operational decisions), senior officials of major international organisations (UN agencies, multilateral development banks, regional bodies). Tier-4 status often triggers risk-based EDD without automatically classifying the customer as high-risk — the determination depends on the specific role and the firm's risk appetite.

Definition Trap
"PEP" is not synonymous with "high-risk customer". A tier-4 SOE manager from a low-risk jurisdiction may carry less inherent risk than a non-PEP customer from a sanctioned country. Tiering is the input to the risk-based approach, not a substitute for it. Apply EDD based on the combined risk score, not on PEP classification alone.

Relatives, Close Associates and the Indirect PEP

FATF and every major regulator extend PEP obligations to family members and close associates. The structural reason: bribery and corruption proceeds rarely sit in the PEP's own name. A typical pattern is for assets and accounts to be held by spouses, adult children, parents-in-law or known business associates — making RCA screening as material as direct PEP screening.

Family members typically include spouse or partner, children, parents, siblings, parents-in-law, and children-in-law. Some regulators extend further (grandparents, grandchildren, half-siblings) but the core five relationships are universal.

Close associates are less precisely defined. The FATF guidance covers individuals known to have close business relationships with the PEP, individuals named as joint beneficial owners with the PEP of legal entities, and individuals named as sole beneficial owners of legal entities clearly used by the PEP. Operational PEP databases identify close associates through public records, corporate filings, news coverage and structured intelligence — quality varies dramatically between providers.

The RCA discovery problem compounds the PEP discovery problem. A clean PEP database surfaces the politically exposed person directly; surfacing their cousins, in-laws and undisclosed business partners requires aggregated data that many firms do not have in-house. Where the RCA database is weak, the firm's PEP programme is weak — even if the named PEP screening looks clean on paper. Tools like One Constellation's PEP screening platform maintain the RCA linkage as a structured attribute of the underlying PEP, surfacing relationship type and confidence level on every match.

Building a Defensible PEP Database

PEP databases vary materially in quality across providers and across jurisdictions. The firm's reliance on its chosen database is itself an inspection point — the supervisor will ask which database is used, what coverage it claims, and what evidence supports the claim.

Three quality dimensions matter most:

  • Coverage breadth. Total PEP profile count is a weak proxy; what matters is whether the database covers the jurisdictions and tiers relevant to the firm's customer base. A database with strong North American and European coverage but thin coverage of Central Asia is a liability for a firm operating in those markets.
  • Update cadence. Political appointments and exits happen daily. A database refreshed weekly is screening against stale data for at least half its lifecycle. Production-grade providers publish daily updates with material events typically reflected within 24 hours of public confirmation.
  • Source transparency and provenance. When a customer disputes a PEP match, the firm needs to produce the underlying source — the public record, news source or government release that justifies the designation. Databases that surface match confidence and source provenance materially outperform black-box providers under dispute.

Multi-source approaches typically outperform single-source. A firm using both a commercial aggregator and an authoritative public-records feed can cross-reference matches and reduce both false positives and missed PEPs. The cost is operational complexity, which a structured platform reduces by handling source reconciliation in the background.

Status Decay: When Does PEP Status End?

PEP status is not permanent. FATF guidance and most national regimes treat former PEPs differently from current PEPs — typically applying a lookback window during which the former PEP retains heightened status, and after which standard risk-based assessment applies.

The default lookback period is 12 months following the end of the public function, aligned to FATF guidance and reflected in MAS, FCA, EU 6AMLD and most other major regimes. Some regulators permit indefinite retention of PEP status where the residual risk justifies it — a former head of state typically retains significant influence post-office, and the operational standard is to maintain heightened due diligence beyond the 12-month default.

The operational mechanism is rules-based status decay. The PEP record holds the entry date into public function, the exit date, and the configured decay period. After the decay window expires, the customer record reverts to standard PEP-screening (a future re-entry to public office triggers re-classification) but the historic PEP evidence remains in the audit trail.

Programmes that fail on decay typically fail in one of two ways: either they treat all former PEPs as expired the day the public function ends (under-screening), or they retain all PEP status indefinitely regardless of regulator guidance (over-screening, false positives, customer friction). Configurable decay rules per regulator and customer risk profile resolve both failure modes.
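A rules-based decay check of the kind described above, written as an added Python example that is not part of this page or of One Constellation's product. The 12-month lookback is the page's stated default; the `DecayPolicy`, `Tenure` and `PepRecord` names, and the choice to retain tier-1 status indefinitely, are assumptions for illustration.

```python
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class DecayPolicy:
    """Per-regulator decay configuration. 12 months is the page's stated default
    lookback; retaining tier-1 status indefinitely is a hypothetical firm policy."""
    lookback_months: int = 12
    indefinite_tiers: frozenset = frozenset({1})

@dataclass
class Tenure:
    entered: date
    exited: Optional[date] = None  # None while the public function continues

@dataclass
class PepRecord:
    name: str
    tier: int
    tenures: list                            # Tenure objects, oldest first
    audit_trail: list = field(default_factory=list)

def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic: clamps the day (31 Jan + 1 month -> 28/29 Feb)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def pep_status(rec: PepRecord, as_of: date, policy: DecayPolicy) -> str:
    """Classify the record as 'current', 'former_retained', 'expired' or 'not_pep'
    as of a date, appending the decision and its reason to the audit trail."""
    started = [t for t in rec.tenures if t.entered <= as_of]
    if not started:
        status, why = "not_pep", "no public function held as of this date"
    elif any(t.exited is None or t.exited > as_of for t in started):
        status, why = "current", "public function ongoing"   # also covers re-entry
    else:
        last_exit = max(t.exited for t in started)
        window_end = add_months(last_exit, policy.lookback_months)
        if rec.tier in policy.indefinite_tiers:
            status, why = "former_retained", f"tier {rec.tier} retained by policy"
        elif as_of < window_end:
            status, why = "former_retained", f"inside lookback until {window_end}"
        else:
            status, why = "expired", f"lookback ended {window_end}"
    rec.audit_trail.append((as_of, status, why))   # evidence kept after expiry
    return status
```

The audit trail grows on every evaluation, so an expired record still shows when it was a PEP and under which rule the status lapsed.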

Managing PEP False Positives Without Under-Screening

Common names produce high false-positive volumes in PEP screening. A customer named "John Smith" will match many PEPs of that name across multiple jurisdictions — the screening hit is real but the customer is unlikely to be any of them. False positives consume analyst time and, at high volumes, lead programmes to quietly raise match thresholds beyond what the regulator would consider defensible.

The right reduction approach uses biographical context, not threshold elevation. Date of birth, nationality, occupation, known business affiliations and address all contribute to disambiguation. A match scoring engine that weighs these factors produces materially fewer false positives without reducing match sensitivity for the underlying name comparison.

  • DOB matching — an exact or close DOB match should be weighted heavily; the absence of a DOB on either record should reduce the score modestly rather than dismiss the match entirely.
  • Nationality and country alignment — a Spanish customer matching a Costa Rican PEP of the same name warrants lower confidence than the same name match within the same nationality.
  • Occupation and role context — a 30-year-old construction worker matching a former finance minister is a likely false positive; the same name match where the customer occupation is "consultant" is materially less dismissable.
  • Linguistic and transliteration variants — non-Latin scripts and common transliteration variants should be handled at the matching layer, not relied upon for false-positive reduction.

The disposition of every false positive should be recorded with reasoning. Patterns of dismissals to the same source PEP should trigger periodic review — the database may be wrong, or the customer profile may have changed.
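An added Python example (not the page's or any vendor's code) of the biographical scoring and reasoned disposition logging described above. The weights, the `Party` fields, the implausible-occupation list and the 0.75 escalation threshold are constructed assumptions; the name score arrives as input from the matching layer, which is also where transliteration handling would live.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Party:
    """Profile fields shared by customer and PEP record (constructed for this example)."""
    name: str
    dob: date = None
    nationality: str = None   # ISO 3166 alpha-2, e.g. "ES"
    occupation: str = None

# Hypothetical weights; a production engine calibrates them against labelled dispositions.
# Script and transliteration variants belong in the matching layer that yields name_score.
DOB_EXACT, DOB_CLOSE, DOB_MISSING, DOB_CONFLICT = 0.30, 0.15, -0.05, -0.40
NAT_MATCH, NAT_CONFLICT, OCC_IMPLAUSIBLE = 0.15, -0.20, -0.25
IMPLAUSIBLE_OCCUPATIONS = {"construction worker", "student", "cashier"}  # constructed list

def score_match(customer, pep, name_score):
    """Adjust the name score with biographical context; return (score in [0,1], reasons)."""
    score, reasons = name_score, [f"name similarity {name_score:.2f}"]
    if customer.dob and pep.dob:
        if customer.dob == pep.dob:
            score, why = score + DOB_EXACT, "DOB exact match"
        elif abs(customer.dob.year - pep.dob.year) <= 1:
            score, why = score + DOB_CLOSE, "DOB within one year"
        else:
            score, why = score + DOB_CONFLICT, f"DOB conflict {customer.dob} vs {pep.dob}"
    else:
        score, why = score + DOB_MISSING, "DOB missing on one side; modest reduction only"
    reasons.append(why)
    if customer.nationality and pep.nationality:
        same = customer.nationality == pep.nationality
        score += NAT_MATCH if same else NAT_CONFLICT
        reasons.append("nationality " + ("aligned" if same else "differs"))
    if customer.occupation and customer.occupation.lower() in IMPLAUSIBLE_OCCUPATIONS:
        score += OCC_IMPLAUSIBLE
        reasons.append(f"occupation '{customer.occupation}' implausible for the PEP role")
    return max(0.0, min(1.0, score)), reasons

def disposition(customer, pep, name_score, threshold=0.75):
    """Auditable disposition record: every dismissal carries its reasoning."""
    score, reasons = score_match(customer, pep, name_score)
    return {"customer": customer.name, "pep": pep.name, "score": round(score, 2),
            "decision": "escalate" if score >= threshold else "dismiss", "reasons": reasons}

def repeat_dismissals(records, min_count=3):
    """PEP names dismissed at least min_count times, flagged for periodic review."""
    counts = Counter(r["pep"] for r in records if r["decision"] == "dismiss")
    return sorted(p for p, n in counts.items() if n >= min_count)
```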

Common PEP Programme Failure Modes

Six failure patterns appear repeatedly in regulatory findings:

  • Identification without EDD. The customer is correctly identified as a PEP; the EDD workflow is not executed or is executed without rigour. The audit finding writes itself: "the firm identified the PEP risk but did not apply the heightened due diligence its policy required."
  • No RCA coverage. The PEP is screened but the spouse, parent-in-law and known business associates are not — leaving the structural majority of PEP-linked accounts unscreened.
  • No periodic refresh. PEP status is checked at onboarding and never re-checked. A customer onboarded as a non-PEP who is subsequently appointed minister remains classified as non-PEP in the firm's records.
  • Decay rules absent or inconsistent. Former PEPs retain heightened status indefinitely without documented justification, producing customer friction without compliance benefit — or decay immediately at function-end, producing under-screening.
  • Foreign vs domestic confusion. A US-based firm applying the broader FATF/MAS definition to domestic US PEPs without documented reason creates over-screening; the inverse produces under-screening.
  • Database reliance without source verification. A match is dismissed because "the analyst checked the database" without preserving the underlying source. When the regulator asks why the dismissal was justified, the evidence is not retrievable.

Inspection Reality
In post-inspection conversations with MAS, FCA and FinCEN compliance examiners, the most common PEP finding is not "you missed a PEP" — it is "you identified the PEP but did not consistently apply the heightened due diligence your own policy required." The defensibility gap lives in the workflow, not the database.

PEP Screening, Wired Into Workflow

One Constellation's PEP screening covers 240+ jurisdictions with four-tier classification, RCA mapping, configurable decay rules and EDD workflow triggers — across the customer lifecycle.
