PEP Screening: What It Is, How It Works and Why It Matters (2026): A practical guide to PEP (Politically Exposed Person) screening for law firms, fintechs and regulated businesses — what it is, who counts as a PEP, and…
PEP screening is one of the least understood requirements in AML compliance. Most compliance teams know they need to do it. Far fewer have a process that would survive regulatory scrutiny — and even fewer can demonstrate continuous monitoring rather than a one-time check at onboarding.
This guide covers everything: what a PEP is, who qualifies, why regulators care so much, and how to build a screening programme that is both efficient and defensible.
What is a Politically Exposed Person (PEP)?
A Politically Exposed Person is an individual who holds or has held a prominent public function. The rationale is straightforward: people in positions of public power have greater opportunity and means to engage in bribery, corruption and financial crime. They therefore represent an elevated money-laundering risk, regardless of any suspicion of actual wrongdoing.
Under the EU's Fourth Anti-Money Laundering Directive (4AMLD) and its national implementations, PEPs include:
- Domestic PEPs — heads of state, government ministers, members of parliament, supreme court judges, senior military officials, board members of state-owned enterprises, senior central bank officials
- Foreign PEPs — equivalent positions in any foreign government
- International organisation PEPs — senior executives of international organisations such as the UN, EU, NATO, IMF or World Bank
- Family members and close associates — immediate family members (spouses, children, parents, siblings), business partners and other known close associates of any PEP
Important: PEP status does not expire quickly. Most jurisdictions require treating a former PEP as a PEP for at least 12 months — and in practice many compliance programmes maintain enhanced due diligence for significantly longer. The risk associated with access to public power does not disappear the day someone leaves office.
Why regulators focus so intensely on PEPs
Corruption and bribery generate enormous illicit proceeds that need to be laundered. High-profile enforcement cases — from Luanda Leaks to the Panama Papers — repeatedly show that PEPs and their associates are disproportionately involved in money-laundering typologies involving real estate, legal services, wealth management and company structures. Regulators have responded by requiring enhanced scrutiny of these relationships.
Failing to identify a PEP relationship at onboarding — or failing to apply Enhanced Due Diligence (EDD) when one is identified — is consistently cited in enforcement actions and fines. In the UK, the FCA has fined firms millions for inadequate PEP screening. The Norwegian Finanstilsynet and other Nordic regulators have issued similar findings. This is not a theoretical risk.
What obliged entities must do for PEPs
When a client is identified as a PEP, close associate, or family member of a PEP, obliged entities must apply Enhanced Due Diligence (EDD). This means:
- Senior management approval before establishing (or continuing) the business relationship
- Establishing the source of wealth and source of funds
- Applying enhanced ongoing monitoring throughout the relationship
- Documenting all of the above in the client file with timestamps and decision records
For standard clients who are later discovered to be PEPs — for example following an election — the enhanced due diligence obligations are triggered retroactively. Ongoing monitoring is not optional.
The problem with manual PEP screening
Most smaller firms still rely on manual searches of public databases, Google News, government websites and purchased PDF lists. This approach fails in four critical ways:
- Coverage: No single free database covers all jurisdictions, family members and close associates. Lists go out of date faster than manual processes can track.
- Consistency: Manual searches are not repeatable. Two compliance officers searching for the same person may find different results — and regulators look for consistency.
- Auditability: A Google search leaves no audit trail. Regulators require evidence that checks were performed, when, by whom, and what was found.
- Ongoing monitoring: Manual screening at onboarding does not satisfy the requirement for continuous monitoring. A client who becomes a PEP after onboarding — by winning an election, being appointed to a board, or marrying a PEP — may be missed entirely.
What good PEP screening looks like in practice
A defensible PEP screening programme has four components working together:
1. Real-time screening against comprehensive databases
Automated screening against structured PEP databases that cover domestic and foreign PEPs across all jurisdictions, including close associates and family members. Lists should be updated continuously — not monthly or quarterly.
2. Risk-scored matches with documented decisions
Every potential match should generate a risk score and require a documented decision — clear or escalate. False positives are common in PEP screening (names like "Mohammed Ali" or "Maria Garcia" create significant noise), so workflows need to support rapid false-positive clearance without compromising genuine matches.
3. Enhanced Due Diligence workflows for confirmed PEPs
When a PEP is confirmed, the system should trigger an EDD workflow: source of wealth questions, senior management approval request, enhanced monitoring flag and document collection. These steps should be logged with timestamps.
4. Continuous re-screening on all active clients
PEP status changes. People enter and leave public office. Associates change. Ongoing monitoring means re-running PEP checks on your entire client base regularly — not just at onboarding. Automated systems handle this in the background; manual processes cannot scale to do it reliably.
HubSecure's AML module runs PEP screening against continuously updated global databases, scores matches, routes confirmed PEPs into EDD workflows and logs every decision with a full audit trail. Re-screening of active clients runs automatically.
Common PEP screening mistakes to avoid
- Screening only the named client, not beneficial owners: If the UBO of a corporate client is a PEP, the same enhanced obligations apply.
- Treating screening as a one-time event: The requirement is for ongoing monitoring, not a check at onboarding only.
- Applying EDD inconsistently: Not all PEPs carry the same risk. A serving head of state is not the same as a retired local councillor. Risk-based approaches should document why the level of EDD applied is proportionate.
- Not reviewing the PEP programme itself: Regulators expect you to periodically review whether your screening programme is working — which lists you use, what coverage they provide and how false positives are handled.
Frequently asked questions
Does a former politician still count as a PEP?
Yes. Most regulations require at least 12 months of continued PEP treatment after leaving a qualifying position. Many firms apply enhanced monitoring for significantly longer depending on the nature of the role and jurisdiction.
Do close associates need to be screened even if I don't know who they are?
Yes. Obliged entities are required to take reasonable steps to identify close associates. This typically means asking clients directly during onboarding and using PEP databases that include associate and family member data.
What happens if a client becomes a PEP after I onboarded them?
Enhanced Due Diligence obligations are triggered immediately. Continuous re-screening is the mechanism that catches this — manual screening at onboarding alone will not detect status changes.
Can I rely on the client telling me if they are a PEP?
Self-declaration is one element of onboarding but it is not sufficient on its own. Obliged entities are required to take independent steps to verify — you cannot simply take a client's word for it.