PEP Management: Policies, Procedures, and Practical Challenges

Politically Exposed Persons (PEPs) represent one of the most nuanced compliance challenges in AML programme management. The regulatory logic is sound: individuals who hold or have recently held prominent public positions have both the opportunity and the potential motive to exploit their position for corrupt gain, and proceeds of corruption are a major source of laundered funds. But the implementation of PEP controls has been fraught — with firms frequently applying disproportionate restrictions, treating legitimate customers as criminals because of their profession, and creating significant access problems for individuals whose association with a PEP is remote or historical. The FCA's 2023 thematic review and subsequent guidance represent a significant recalibration of how PEP management should work in practice.

Who Is a PEP? The Legal Definition

Under Regulation 35 of MLR 2017 (implementing 4AMLD Article 3(9)), a PEP is a natural person who is, or has been, entrusted with a prominent public function. The categories include: heads of state, heads of government, ministers and deputy or assistant ministers; members of parliament or of similar legislative bodies; members of the governing bodies of political parties; members of supreme courts, constitutional courts, or other high-level judicial bodies whose decisions are not subject to further appeal; members of courts of auditors or the boards of central banks; ambassadors, chargés d'affaires, and high-ranking officers in the armed forces; members of the administrative, management, or supervisory bodies of state-owned enterprises; and directors, deputy directors, and members of the boards of international organisations.

Critically, the definition applies retroactively: a person who has ceased to hold a prominent public function remains a PEP for the purposes of the enhanced due diligence requirement until the risk associated with the previous position is no longer significant — a period generally assessed as at least 12 months but often longer depending on the level of office held.

Foreign PEPs vs Domestic PEPs

A fundamental distinction that drives significant compliance variation is between foreign PEPs (those entrusted with prominent public functions in other countries) and domestic PEPs (those with functions in the UK). Under MLR 2017 Regulation 33(1)(a), enhanced due diligence is mandatory for foreign PEPs without any further risk assessment — the regulation treats foreign PEP status as inherently high-risk. For domestic PEPs and international organisation PEPs, however, the regulation requires a risk assessment to determine whether EDD is appropriate.

The FCA's 2023 thematic review found that many firms were applying foreign PEP-level EDD to domestic PEPs without any risk assessment — treating a UK Member of Parliament the same as a minister from a high-corruption-risk country. The FCA's guidance makes clear that this is disproportionate: the risk of a UK domestic PEP exploiting their position for corrupt gain is materially lower (though not zero) than the equivalent risk for a PEP from a jurisdiction with endemic corruption. Risk assessment for domestic PEPs must be genuine rather than formulaic.

Family Members and Close Associates

The PEP definition extends to immediate family members (spouses, partners, children, parents, siblings) and known close associates of PEPs. The "known close associate" category requires particular attention: it covers individuals known to be close business associates of the PEP, known to have joint beneficial ownership of a legal entity or legal arrangement with a PEP, or who are the sole beneficial owner of a legal entity or legal arrangement set up for the benefit of a PEP.

The "known" qualifier matters here. Firms are not required to investigate whether every customer is associated with a PEP — they are required to identify associations that are known from information in their possession or that emerge from their CDD. Where CDD or ongoing monitoring identifies a potential PEP association, it must be investigated. Where a customer discloses a family relationship with a named PEP, EDD applies. Where an adverse media check identifies a business relationship between a customer and a PEP, this should trigger a review.

PEP database providers — including World-Check, Dow Jones, and ComplyAdvantage — typically include family members and associates in their PEP datasets, though coverage varies. Firms should understand the coverage limitations of their screening system and supplement commercial database screening with manual review where the customer's profile suggests PEP connections that may not be captured in databases.

EDD for PEPs: What Is Required

Where EDD is required for a PEP (or family member/associate), Regulation 33(5) of MLR 2017 mandates: obtaining senior management approval to establish or continue the relationship; taking adequate measures to establish the source of wealth and source of funds; and conducting enhanced ongoing monitoring of the relationship.

Source of wealth (SOW) assessment for PEPs requires understanding how the individual accumulated their wealth — their career history, business interests, inheritance, and other wealth-generating activities. This must be corroborated against available evidence: public disclosures, register of interests, property ownership records, company directorships, and published salary information for public positions. Unexplained wealth — where the value of assets substantially exceeds what can be explained by the PEP's legitimate career earnings and business activities — is a significant red flag that should trigger enhanced scrutiny and potentially a SAR.

De-PEPing: When Can PEP Status Be Removed

De-PEPing — removing a customer's PEP classification once they have left public office — is one of the most practically contested areas of PEP compliance. The regulations do not specify a fixed time period after which PEP status automatically expires; instead, they require that EDD continue to be applied until the risk associated with the previous position is no longer significant.

The FCA's 2023 guidance provided important clarification: for most domestic PEPs, a period of 12–18 months after leaving prominent public functions is likely to be sufficient before EDD can be reduced to standard CDD, assuming no adverse information and no ongoing financial or political relationships arising from the previous position. For PEPs from high-risk jurisdictions, the de-PEPing period should be longer, potentially several years, given the risk that corrupt relationships established during office continue to generate financial benefits after leaving.

The de-PEPing decision must be documented with the reasoning: when the position was vacated, what risk factors remain from the previous position, and why the residual risk is now sufficiently low to justify standard monitoring. This documentation is important both for regulatory examination and for any future review prompted by adverse media.

The Debanking Problem for PEPs

The Farage/NatWest debanking case in 2023 brought the relationship between PEP status and financial access to mainstream public attention. While the NatWest matter involved a different basis for the account closure (values-based rather than purely AML-related), it catalysed a broader conversation about the disproportionate treatment of PEPs by financial institutions. The subsequent FCA thematic review found evidence of systematic over-compliance: firms applying blanket high-risk treatment to all PEPs regardless of individual risk, imposing intrusive and disproportionate information requests, and declining relationships on PEP grounds where the actual risk was low.

The FCA's message was unambiguous: PEP status is a risk indicator, not a basis for automatic refusal. The risk-based approach requires individual assessment, and a domestic PEP — a sitting MP, a senior civil servant, a local authority officer — has a legitimate expectation of access to financial services. Firms that apply blanket exclusions risk being found non-compliant with the risk-based approach, not compliant with it.
