Table of contents
A politically exposed person (PEP) is an individual who holds or has held a prominent public function, such as a head of state, senior politician, judge, military officer, or executive of a state-owned enterprise, along with their close family members and associates. Because their position gives them access to public funds and influence, PEPs carry a higher risk of involvement in bribery, corruption, and money laundering, and regulated firms must apply enhanced due diligence when serving them.
What is a politically exposed person (PEP)?
The PEP concept exists because public power creates laundering opportunities that ordinary customers don't have: control over state budgets, procurement, licensing, and judicial outcomes. FATF Recommendation 12 sets the global standard, requiring financial institutions to identify whether a customer or beneficial owner is a PEP and, for higher-risk cases, to apply additional controls before and during the relationship. The EU embeds the same obligations in its anti-money laundering directives, carried forward under the new AMLA single rulebook, and in the US, FinCEN expects banks to address PEP risk within their risk-based AML programs.
Being a PEP is not an accusation. The overwhelming majority of public officials never launder a cent. PEP status is a risk signal that obliges a firm to look more closely, not a reason to refuse service. Both FATF and EU guidance explicitly warn against blanket de-risking of PEPs.
PEP meaning and the three categories
Regulators group PEPs into three categories, and the risk treatment differs by category and jurisdiction.
Domestic, foreign and international organisation PEPs
Foreign PEPs hold prominent functions in another country: heads of state, ministers, supreme court judges, generals, central bankers, senior party officials. FATF treats foreign PEPs as inherently higher risk, with enhanced due diligence mandatory. Domestic PEPs hold equivalent functions in the firm's own country; here FATF allows a risk-based approach, with enhanced measures applied when the relationship is higher risk. International organisation PEPs are senior figures in bodies like the UN, IMF, or NATO. Each category extends to relatives and close associates (often abbreviated RCAs): spouses, parents, children, and business partners who could act as fronts.
Why are PEPs higher risk?
Three reasons recur in enforcement cases. Access: PEPs can divert public money or extract bribes through the powers of their office. Concealment: they rarely move funds in their own name, using family members, associates, shell companies, and professional enablers instead. Leverage: their influence can deter local scrutiny, which is why corruption proceeds so often surface in foreign banks. Grand corruption cases investigated over the past two decades follow the same arc: a public official, a network of relatives and shells, and a financial institution that didn't ask enough questions.
PEP screening runs alongside sanctions checks against lists such as OFAC's SDN List, and it sits inside the broader anti-money laundering (AML) framework.
How does PEP screening work?
PEP screening checks customers and beneficial owners against databases of public officials, their relatives, and close associates. It runs at onboarding and then continuously, because PEP status changes with every election, appointment, and resignation. Screening engines use fuzzy matching to handle name variants, transliterations, and partial dates of birth, then route potential matches to analysts for adjudication. False positives are the operational headache: common names generate large alert volumes, and tuning match thresholds against data quality is where most programs succeed or fail. Screening is typically delivered as part of broader AML software alongside sanctions and adverse media checks.
Enhanced due diligence for PEPs
When a customer is confirmed as a higher-risk PEP, FATF Recommendation 12 requires four things: senior management approval to establish or continue the relationship, reasonable measures to establish the source of wealth and source of funds, enhanced ongoing monitoring of transactions, and documentation of all of it. In practice this means more questions at onboarding, lower monitoring thresholds, and periodic relationship reviews.
How long does someone stay a PEP?
Leaving office doesn't immediately end PEP status. FATF guidance says firms should consider the continuing risk rather than apply a fixed cut-off: a former minister who still wields informal influence may stay high risk for years, while a junior official who left office a decade ago may not. The EU's framework similarly requires firms to apply risk-sensitive measures for at least 12 months after a PEP leaves office, and longer where risk persists. Family members and associates generally shed the classification when the underlying PEP does, subject to the same risk judgment.
How does PEP screening work in Web3 and crypto?
The features that make Web3 and cryptocurrency attractive—pseudonymity, permissionless access, cross-border operation, and irreversible transactions—also make PEP screening structurally difficult. Traditional compliance models assume centralized intermediaries with full visibility into user identity and transaction flows. Decentralized systems distribute control, obscure relationships, and operate across jurisdictions simultaneously.
Cryptocurrency exchanges, DeFi protocols, NFT marketplaces, and wallet providers face heightened regulatory scrutiny. Exchanges must implement comprehensive KYC for fiat onramps and offramps. DeFi protocols increasingly add permissioned access layers to satisfy AML requirements. NFT platforms screen for sanctioned addresses and monitor for wash trading. Wallet providers offering custodial services operate under money services business (MSB) regulations.
Blockchain transparency creates both opportunities and challenges. On-chain analytics firms like Chainalysis and Elliptic trace fund flows, identify mixing services, and flag sanctioned addresses. This transparency aids compliance but conflicts with privacy expectations. Privacy coins like Monero and Zcash obscure transaction details, creating regulatory tension between financial privacy and law enforcement visibility.
Decentralized identity offers a path forward. Verifiable credentials, decentralized identifiers (DIDs), and zero-knowledge proofs (ZKPs) enable privacy-preserving compliance. Users prove identity attributes (age, jurisdiction, accredited investor status) without revealing underlying PII. Credentials remain under user control in encrypted vaults rather than centralized databases vulnerable to breaches. This architecture satisfies regulatory requirements while protecting users from data exposure.
PEP screening without building a data honeypot
PEP compliance forces firms to collect deeply sensitive information: identity documents, family relationships, wealth sources. Centralising all of that in a vendor's database creates exactly the kind of target that has produced major identity-data breaches. The screening obligation is real, but warehousing raw PII isn't the only way to meet it. Zyphe's approach pairs screening with zero-knowledge identity verification: the check happens, the audit trail exists, and the proof is retained, while the underlying documents stay with the user instead of accumulating in a breachable store. Firms get defensible PEP compliance without becoming custodians of a database of public officials' personal files.