PEP Screening for CSPs: A Complete Operational Guide

How corporate service providers should approach PEP identification, risk assessment, enhanced due diligence, and ongoing monitoring — practical guidance for compliance teams navigating a politically complex landscape.

Politically exposed persons represent one of the most operationally complex compliance categories for corporate service providers. The regulatory obligation is clear: apply enhanced due diligence to PEPs and their immediate family members and close associates. The operational reality is considerably murkier — definitions vary by jurisdiction, screening databases produce high false-positive rates, genuine PEP status changes over time, and the business decision of whether to accept a PEP-linked client involves judgement calls that no algorithm can fully automate.

This guide covers the complete PEP compliance lifecycle for CSPs: definition and identification, risk stratification, EDD requirements, senior management approval, ongoing monitoring, and the systems and processes that make the whole framework sustainable at scale.

Understanding PEP Definitions Across Jurisdictions

The FATF definition of a PEP focuses on individuals entrusted with prominent public functions: heads of state, senior politicians, senior government officials, judicial officials, senior military officials, senior executives of state-owned enterprises, and senior officials of international or supranational organisations. Jurisdictions then layer their own definitions on top of this baseline.

Key jurisdictional variations that CSPs must navigate:

The practical implication for CSPs operating across multiple jurisdictions is that a single PEP policy applied uniformly will either over-screen in some jurisdictions or under-screen in others. Jurisdiction-specific policy modules, even if they share a common framework, are essential.

The Screening Challenge: False Positives and Database Limitations

Commercial PEP databases are indispensable but imperfect. Understanding their limitations is central to building a workable screening process.

False positive rates in PEP screening are genuinely high — typically 40–80% of initial matches are false positives when matching against common names in large entity portfolios. The name "Wang Wei" or "Mohammed Al-Rashid" will generate numerous matches across major databases against individuals who are entirely unrelated to your client. Processing these matches manually at each screening cycle is time-consuming and demoralising, and there is a real risk of alert fatigue causing staff to clear matches too quickly.

Database coverage and currency vary significantly. Tier-1 providers (Refinitiv World-Check, LexisNexis RiskView, Dow Jones Risk & Compliance) have comprehensive global coverage but lag on local and regional PEP appointments. Tier-2 providers may have better coverage in specific regions. Most CSPs use a primary database supplemented by targeted searches for high-risk jurisdictions.

"The discipline is not just having a PEP database subscription — it is having a documented, auditable process for how you handle each match result, whether positive or negative. Regulators look at the process, not just the output."

— Senior compliance consultant, JFSC supervised firm

Former PEPs present a particular challenge. Most databases flag individuals for a period after leaving public office, but coverage of departure dates is uneven. Your policy must specify how you determine when "former PEP" enhanced scrutiny can be reduced to standard CDD, and how you document that decision.

Risk Stratification: Not All PEPs Are Equal

PEP status triggers enhanced due diligence, but the level and nature of EDD should be calibrated to the actual risk. A retired local councillor from a stable democracy and a sitting minister from a jurisdiction rated high-risk for corruption by Transparency International both technically qualify as PEPs — but the risk is categorically different.

A practical PEP risk stratification framework for CSPs operates on three dimensions:

Position level: Tier A — Head of state, senior minister, supreme court, central bank governor (highest EDD). Tier B — Senior civil servant, military general, state enterprise CEO (standard EDD). Tier C — Local/regional official, international organisation mid-tier (enhanced baseline CDD plus EDD lite).

Jurisdiction risk: Apply Transparency International CPI scores, FATF ratings, and your own jurisdiction risk assessments. A Tier B PEP from a high-corruption jurisdiction may warrant more scrutiny than a Tier A PEP from a clean government tradition.

Relationship type: Direct PEP (the individual is your client) requires the highest scrutiny. Family member of PEP (spouse, children, parents, siblings) requires EDD proportionate to the family relationship and the nature of the PEP's influence. Close associate of PEP requires documented rationale for the association and risk-based EDD.

PEP Risk Matrix: Cross-reference position tier (A/B/C) with jurisdiction risk (High/Medium/Low) to produce a 3x3 matrix with nine risk cells. Cells A-High and B-High require your most intensive EDD. Cell C-Low may require only marginally more than standard CDD. This structured approach ensures proportionality and creates a defensible audit trail.
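As an added illustration (not code from the guide or any CSP's system), the three-dimension stratification above can be encoded so that every assessment yields both an EDD level and a rationale string for the audit trail. The CPI band cut-offs, the levels assigned to the five matrix cells the guide does not spell out, the one-step reduction for family members and close associates, and the five-year former-PEP period are all assumptions for this example, not regulatory values.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = ["lite", "standard", "intensive"]  # EDD levels, lowest to highest

# 3x3 matrix from the guide: A-High and B-High are the most intensive cells and
# C-Low sits only marginally above standard CDD. Other cells are assumptions.
EDD_MATRIX = {
    ("A", "High"): "intensive", ("A", "Medium"): "intensive", ("A", "Low"): "standard",
    ("B", "High"): "intensive", ("B", "Medium"): "standard",  ("B", "Low"): "standard",
    ("C", "High"): "standard",  ("C", "Medium"): "lite",      ("C", "Low"): "lite",
}

@dataclass(frozen=True)
class PepAssessment:
    cell: str        # matrix cell, e.g. "B-High"
    edd_level: str   # "intensive", "standard" or "lite"
    rationale: str   # plain-language entry for the audit trail

def jurisdiction_band(cpi_score: int) -> str:
    """Map a CPI score (0-100, higher is cleaner) to High/Medium/Low; cut-offs assumed."""
    if not 0 <= cpi_score <= 100:
        raise ValueError("CPI score must be between 0 and 100")
    return "High" if cpi_score < 40 else "Medium" if cpi_score < 60 else "Low"

def assess_pep(tier: str, cpi_score: int, relationship: str,
               years_since_office: Optional[int] = None) -> PepAssessment:
    """Combine position tier, jurisdiction risk and relationship type into an EDD
    level. relationship is "direct", "family" or "associate"; None = serving PEP."""
    if tier not in ("A", "B", "C"):
        raise ValueError(f"unknown position tier {tier!r}")
    if relationship not in ("direct", "family", "associate"):
        raise ValueError(f"unknown relationship type {relationship!r}")
    band = jurisdiction_band(cpi_score)
    cell = f"{tier}-{band}"
    level = LEVELS.index(EDD_MATRIX[(tier, band)])
    notes = [f"tier {tier}, CPI {cpi_score} -> jurisdiction risk {band}, cell {cell}"]
    # Family members and close associates get EDD proportionate to the link: modelled
    # here (assumption) as one step below direct-PEP level, never from an intensive cell.
    if relationship != "direct" and LEVELS[level] != "intensive":
        level = max(level - 1, 0)
        notes.append(f"{relationship} of PEP: one step below direct-PEP level")
    if relationship == "associate":
        notes.append("documented rationale for the association required")
    # Former-PEP step-down after an assumed five years; the guide leaves the period to policy.
    if years_since_office is not None and years_since_office >= 5:
        level = max(level - 1, 0)
        notes.append(f"former PEP, {years_since_office} years out of office: one step down")
    return PepAssessment(cell, LEVELS[level], "; ".join(notes))
```

Storing the returned rationale alongside the match disposal gives the reviewer-documented decision trail the guide says regulators look for.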

Enhanced Due Diligence Requirements for PEP-Linked Clients

Once a PEP connection is confirmed, your EDD process needs to address six core areas:

1. Source of wealth: Document and verify the origin of the individual's overall wealth accumulation — not just source of funds for a specific transaction. For a serving minister, this means understanding their career trajectory, legitimate income sources (salary history, directorships, investments), and the plausibility of their declared wealth relative to public sector remuneration. Unexplained wealth disproportionate to legitimate income is a red flag regardless of PEP status; for PEPs it is disqualifying without a satisfactory explanation.

2. Source of funds: The specific funds used for the structure you are administering should be documented separately from overall source of wealth. Bank reference letters, investment exit confirmations, inheritance documentation — each structure will have its own source-of-funds profile.

3. Purpose of structure: Document what the structure is for. Legitimate wealth management, estate planning, business holding, and investment holding are all defensible purposes. Structures with obscure or constantly-shifting stated purposes warrant heightened scrutiny.

4. Beneficial ownership: Confirm and document beneficial ownership with greater rigour than standard CDD. For PEPs, the JFSC and GFSC expect documentary evidence, not just self-certification, for beneficial ownership claims.

5. Ongoing adverse media: PEP files should be subject to regular adverse media screening — not just at onboarding. Media monitoring for PEP clients should be at least quarterly, with automated news alerts for significant individuals.

6. Senior management approval: Most jurisdictions require approval at senior management or board level for accepting PEP relationships. Document who approved, when, and on what basis. If the approver changes or if there is a material change in the PEP's circumstances, re-approval should be triggered.

Ongoing Monitoring and Review Triggers

PEP compliance is not a one-time onboarding exercise. The regulatory expectation — and the risk reality — requires ongoing monitoring that responds to changes in both the client's circumstances and the risk environment.

Events that should trigger a PEP file review:

The documentation requirements for PEP ongoing monitoring are high. Regulators expect to see not just that screening was conducted, but that results were reviewed by a qualified person, match decisions were documented with rationale, and any elevated risk findings were escalated appropriately.

Operationalising PEP Compliance at Scale

For CSPs managing 200 or more entities, manual PEP compliance becomes genuinely unsustainable. The volume of initial screenings, ongoing monitoring cycles, match disposals, review documentation, and senior management approval workflows exceeds what a small compliance team can reliably handle without systematic support.

Technology-assisted PEP compliance works through three integrated layers: automated screening via database API integration (triggering on onboarding and on defined monitoring cycles), intelligent match management (risk-scoring matches to prioritise staff review, storing disposal rationale, tracking approval workflows), and portfolio dashboards (surfacing PEP-linked entities across the book, identifying overdue reviews, flagging status changes).

The human judgement in PEP compliance — deciding whether a match is genuine, assessing whether source of wealth is credible, determining whether a structure's purpose makes sense — cannot be automated away. But the mechanical work of screening, tracking, documenting, and scheduling can be, and must be if compliance quality is to be maintained as entity volumes grow.