A name comes back as a match against a politically exposed person list. The compliance analyst opens a separate tab, checks the screening vendor's portal, reads the hit details, and decides whether to escalate. Meanwhile, the loan application sits in a different system, waiting. The credit analyst doesn't know why it stalled. The borrower doesn't either.
This is how PEP screening works at most lenders: bolted on, disconnected from the credit decision, and applied inconsistently depending on who reviews the hit. It doesn't have to be this way. But before we get to the fix, let's get the fundamentals right.
What Is a Politically Exposed Person?
The Financial Action Task Force (FATF) defines a politically exposed person as an individual who holds, or has held, a prominent public function. The logic is straightforward: people in positions of political power have more opportunity to engage in corruption, bribery, and money laundering. That elevated opportunity translates into elevated risk for any financial institution that lends to them or handles their money.
FATF breaks PEPs into three categories:
- Foreign PEPs: individuals who hold or have held a prominent public function in a foreign country. Heads of state, senior government officials, senior judicial or military officers, senior executives of state-owned corporations, important political party officials. This is the original FATF category and the one most jurisdictions implemented first.
- Domestic PEPs: same types of roles, but within the lender's own country. FATF extended the definition in its 2012 Recommendations. A domestic PEP carries the same corruption risk; the only difference is jurisdiction.
- International-organization PEPs: senior figures at bodies like the United Nations, World Bank, IMF, or regional development banks. Directors, deputy directors, board members, and equivalent functions.
The definition doesn't stop at the individual. FATF also requires lenders to treat family members (spouses, children, parents, siblings, in-laws) and close associates, sometimes called Related or Close Associates (RCAs), as carrying elevated risk. An RCA could be a business partner, a co-signatory on legal entities, or anyone known to have a close personal or professional relationship with the PEP.
One point regulators stress repeatedly: PEP status is a risk indicator, not an accusation. Most politically exposed persons have done nothing wrong. The obligation is to apply enhanced scrutiny, not to refuse service.
Why Lenders Must Screen: AML/CFT Obligations and the Risk-Based Approach
PEP screening is a core requirement under virtually every anti-money laundering and counter-terrorism financing (AML/CFT) framework globally. FATF Recommendations 12 and 22 set the baseline. National regulators build on it: the EU's Anti-Money Laundering Directives (most recently AMLD6), the U.S. Bank Secrecy Act and FinCEN guidance, the UK's Money Laundering Regulations, the Monetary Authority of Singapore's Notice 626, the Bangko Sentral ng Pilipinas Circular 706, and dozens more.
The regulatory expectation everywhere is a risk-based approach. That means:
- Identify whether the applicant, beneficial owner, or related party is a PEP.
- Assess the risk that the relationship poses. Not all PEP hits carry the same risk. A former mid-level municipal official is different from a sitting finance minister.
- Apply proportionate measures. Higher-risk PEPs require enhanced due diligence (EDD). Lower-risk PEPs may proceed with documented rationale and periodic monitoring.
This is critical: a PEP hit is not an automatic rejection. Regulators explicitly expect proportionate treatment. Blanket de-risking (refusing all PEPs) is itself a regulatory concern, because it drives financial exclusion and pushes activity into unmonitored channels. The expectation is that you assess, document, and decide, not that you run from the risk.
For lenders specifically, the stakes are direct. A loan is a financial relationship. If a PEP uses a loan to launder proceeds of corruption, the lender faces regulatory enforcement, fines, reputational damage, and potential criminal liability for officers. PEP screening in banking and lending isn't optional compliance theater. It's a legal obligation with real consequences.
When to Screen: Three Points in the Loan Lifecycle
Most lenders think of PEP screening as an onboarding step. That's necessary but not sufficient. There are three points where screening matters.
1. At Application and Onboarding
This is the obvious one. Before you enter a financial relationship, you check the applicant (and any co-borrowers, guarantors, or beneficial owners of a corporate borrower) against PEP and sanctions lists. The PEP check runs as part of Know Your Customer (KYC) and Customer Due Diligence (CDD). If there's a hit, you apply EDD before proceeding.
2. Periodic Re-screening of the Existing Book
People become PEPs after you've already lent to them. A borrower wins an election, gets appointed to a regulatory body, or marries into a political family. If you only screened at onboarding, you won't know. Regulators expect ongoing monitoring. The frequency should be risk-based: higher-risk segments re-screened more often, the full book at least annually.
3. Before Disbursement on Long-Running Approvals
In some lending products, weeks or months pass between approval and disbursement. Construction loans, project finance, staged drawdowns. If the borrower's status changed between approval and disbursement, and you didn't re-check, you've disbursed funds into a relationship you should have reassessed. A pre-disbursement screen closes that gap.
How PEP Screening Actually Works
The mechanics of a PEP check are simple in concept and messy in practice. Here's what happens under the hood.
Screening Data: Lists and Providers
There is no single global PEP list. PEP data is compiled by specialized screening data providers: Dow Jones Risk & Compliance, Refinitiv World-Check, Bureau van Dijk (Moody's), ComplyAdvantage, LexisNexis, and others. These providers aggregate information from government gazettes, official registers, corporate filings, media monitoring, and proprietary research to build and maintain databases of PEPs, their family members, and associates.
Sanctions lists (OFAC SDN, UN, EU, UK) are separate but almost always screened alongside PEP lists. PEP and sanctions screening typically runs as a single check against a combined dataset from the provider.
Fuzzy Name Matching and the False-Positive Problem
Screening works by matching the applicant's name (and sometimes date of birth, nationality, and other identifiers) against the database. The challenge is that names aren't unique. Transliterations vary. Spellings change across documents. Middle names appear in one system and not another.
Screening engines use fuzzy matching algorithms (phonetic matching, edit-distance calculations, token-based matching) to catch variations. The tradeoff is direct: set the matching threshold too tight, and you miss real PEPs. Set it too loose, and your compliance team drowns in false positives.
False-positive rates in PEP screening are notoriously high. Industry estimates range from 90% to 98% of all alerts being false positives, depending on the market, the quality of the applicant data, and the tuning of the matching engine. In markets where a small number of surnames dominate (Korea, Vietnam, the Philippines), the problem is worse. Every "Kim" or "Nguyen" generates hits.
Managing false positives is where most of the operational cost sits. Not in the screening itself, but in the review of results.
What a Hit-Review Workflow Looks Like
When a screening alert fires, here's what a well-run process involves:
- Initial triage: Is this a true match or a false positive? Compare identifiers: full name, date of birth, nationality, photograph if available. Many alerts can be dismissed at this stage with basic data comparison.
- If true match, risk assessment: What type of PEP? Current or former? What level of political exposure? Which jurisdiction? What's the nature of the lending relationship and the amount involved?
- Enhanced due diligence: Source-of-wealth and source-of-funds checks. Adverse media screening. Understanding the purpose of the loan. Documenting the rationale.
- Senior management sign-off: FATF and most national regulations require that PEP relationships be approved by senior management, not just a line compliance officer. This is a control designed to ensure accountability.
- Ongoing monitoring: If the relationship is approved, it enters a higher monitoring tier with more frequent re-screening and transaction monitoring.
Each of these steps requires documentation. If a regulator or auditor asks why a PEP was approved, the lender needs to produce the assessment, the EDD, the sign-off, and the monitoring plan.
PEP Screening Requirements Vary by Jurisdiction, but the Core Is Universal
The specifics differ. Some jurisdictions mandate screening against a government-published domestic PEP list. Others leave it to the institution to determine how to identify PEPs. Some require a specific look-back period after a PEP leaves office (the EU's AMLD requires continued treatment for at least 12 months after the person ceases to hold the function). Others are less prescriptive.
But the core PEP screening requirements are consistent everywhere FATF's recommendations have been adopted, which is most of the world:
- You must have a system to identify PEPs.
- You must apply enhanced due diligence to PEP relationships.
- You must obtain senior management approval.
- You must conduct ongoing monitoring.
- You must document everything.
The risk for lenders isn't ambiguity about what to do. It's the gap between knowing what to do and actually doing it consistently, across every application, every analyst, every branch.
The Operational Problem: Screening That Lives Outside the Decision
Here's where most lenders' processes break down. Not in policy, but in execution.
PEP screening typically lives in a separate system from the credit decision. The compliance team runs the check in the screening vendor's portal. The result (clear, hit, or pending review) gets communicated back to the credit team through email, a shared spreadsheet, or a note in the LMS. The credit analyst waits. Or doesn't wait, and approves the loan before the screening result comes back.
And at many lenders, there is no screening system at all. The check is an analyst with a search engine: google the applicant's name, scan the first page of results, maybe check the local news. Whether that counts as screening depends on who ran it, what they typed, and how long the queue was that day. It produces no record a regulator can inspect, and two analysts can reach different conclusions about the same name in the same week.
The consequences are predictable:
- Applications stall. The PEP check becomes a bottleneck, not because screening is slow (most checks return in seconds), but because the handoff between systems is manual.
- Treatment is inconsistent. One analyst escalates a low-risk former municipal official. Another waves through a higher-risk match because the queue is long. There's no written policy governing the decision, or if there is, it's a PDF that different people interpret differently.
- Audit trails are fragmented. The screening result lives in one system. The credit decision lives in another. The EDD documentation lives in a third (often a shared drive). When the regulator asks for the full picture on a specific application, someone has to reconstruct it manually.
- Re-screening falls through the cracks. Periodic re-screening requires someone to pull the borrower list, upload it to the screening tool, review the results, and update records. It's a project, not a process. It gets delayed.
None of this is a technology problem in isolation. It's a workflow problem. The PEP check and the credit decision are two halves of the same assessment, but they run on different rails.
Embedding PEP Screening Inside the Decision Workflow
The fix is architectural: the PEP check belongs inside the decision workflow, not beside it. When screening runs as a step in the same automated flow that evaluates income, debt ratios, and credit bureau data, the handoff problem disappears. The result feeds directly into the policy logic. The treatment is determined by rules, not by whoever happens to review the queue that day.
This is how we've built it on Floowed. PEP and sanctions screening runs as a step in the Decision Engine workflow, through integrations with KYC and AML data providers. Floowed orchestrates the screening call, receives the result, and the written credit policy evaluates it, the same way it evaluates any other data point in the application.
What that looks like in practice:
| Scenario | Typical Manual Process | Inside Floowed's Decision Workflow |
|---|---|---|
| Clear result (no PEP match) | Compliance emails credit team; analyst resumes review | Application continues through policy automatically; no human delay |
| Hit: low-risk former PEP | Compliance analyst makes a judgment call; treatment varies | Policy rule evaluates PEP type and risk tier; routes to appropriate EDD path with documented rationale |
| Hit: high-risk current PEP | Escalated to senior compliance, but process and timeline depend on who's available | A hard gate routes the application to manual review; it cannot be auto-approved no matter how strong the rest of the file, and the decision record shows exactly which gate fired |
| Regulatory audit | Team reconstructs the trail from screening portal, LMS, email, shared drive | Full version history and audit trail in one place: which rule fired, what data it evaluated, what decision it produced |
The policy you write is the policy that runs. Same policy. Every application. Every time. No exceptions. A PEP hit on application #47 gets the same treatment as a PEP hit on application #4,700, because the rule is written once and enforced automatically, not reinterpreted by each analyst.
One important distinction: Floowed does not maintain PEP or sanctions lists and is not itself a KYC data vendor. We orchestrate screening through integration partners who specialize in maintaining and updating those databases. The lender chooses their screening provider. Floowed calls the API, ingests the result, and runs the policy on it.
This matters for re-screening too. Periodic re-screening of the existing book can be triggered on a schedule within the workflow, with the same policy logic applied to returning results. It becomes a process that runs, not a project that gets planned and delayed.
What Good Looks Like
Lenders who get PEP screening right share a few traits. They treat it as a credit-decision input, not a compliance side quest. They write explicit rules for how different PEP categories and risk tiers should be treated, and they enforce those rules consistently. They keep the full trail (screening result, risk assessment, EDD documentation, sign-off) in one auditable record. And they re-screen the book on a schedule, not when someone remembers.
The lenders who struggle aren't missing knowledge. They know what PEP screening requires. They're missing the connective tissue between the screening check and the credit decision, the part that turns a policy document into an executed process. That's the gap worth closing, and the lenders closing it fastest are the ones whose compliance and credit workflows run on the same rails.