Enhanced Due Diligence for PEPs: What It Means and What Regulators Expect

In financial crime compliance, the era of static risk management is over. For many years, identifying a Politically Exposed Person (PEP) was treated as a binary event: a standard set of paperwork was filed away, a box was checked, and a name appeared on a list. That approach is now a regulatory liability.

The worldwide mandate has turned toward proportionality as the FATF continues to refine its position on Recommendation 12 and the EU's Anti-Money Laundering Authority (AMLA) enters its first full year of operational control. Regulators expect dynamic mapping of a PEP's network of relatives and close associates (RCAs), and a graduated methodology that distinguishes a local domestic administrator from a high-ranking foreign official.

For the contemporary compliance officer, EDD has evolved from a tedious task into a structured investigation. Knowing a customer's identity is not enough: you must demonstrate how they amassed their wealth and confirm that their current financial conduct is consistent with their public role. What characterizes "reasonable measures" is the quality of the narrative you can construct, the senior management accountability you can record, and the technology you employ to close the gap between screening and genuine understanding.

This article offers a thorough guide to this relatively unfamiliar terrain. We will dissect the fundamental requirements, shed light on the enduring confusion between source of wealth and source of funds, and offer the practical resources required to withstand the scrutiny of a contemporary regulatory examination.

This article covers the following topics:

  • What Is Enhanced Due Diligence (EDD)?
  • What FATF Requires for PEP EDD (Recommendation 12)
  • Senior Management Approval: Who, When, and How
  • Source of Wealth vs Source of Funds: The Distinction Most Firms Get Wrong
  • Enhanced Ongoing Monitoring: What 'Enhanced' Actually Means
  • The Complete PEP EDD Checklist
  • What Examiners Look For During PEP Reviews

1. What Is Enhanced Due Diligence (EDD)?

Enhanced Due Diligence (EDD) is an extension of customer due diligence (CDD); it does not replace the regular onboarding process. Within AML and KYC settings, EDD is a stricter refinement of standard due diligence that entails a more thorough risk assessment of specific clients. CDD is the foundational layer that establishes a person's identity; EDD is the higher-resolution lens that helps identify possible threats. It is meant to protect firms against financial wrongdoing, legal infractions, and reputational harm. EDD is crucial for high-risk or high-net-worth clients and for unusual or large-scale transactions that carry elevated risk. Businesses trying to prevent money laundering and terrorism financing (ML/TF) need to understand their customers, and EDD is the comprehensive know-your-customer (KYC) process that delivers that understanding.

Standard CDD is covered by Recommendation 10, which is the foundation of the process. Recommendation 10 mandates that firms ascertain the client's identity, verify it against trustworthy documentation, and understand the nature of their business.

The enhanced layer, Recommendation 12, focuses on Politically Exposed Persons (PEPs). The regular procedures of Recommendation 10 are applied first, as a matter of course. For every client identified as a PEP, more intrusive measures are then required to reduce the inherent risk of corruption or bribery. EDD cannot be carried out without first completing CDD; the standard method is not abandoned, it is built upon.

The key point is that EDD is proportional to risk. Enhanced due diligence is triggered by variables such as a high-risk customer profile, complicated ownership arrangements, transaction behavior, jurisdictional exposure, or delivery channel risk. Your EDD cannot be uniform, because PEPs are not. Proportionality is the foundation of today's regulatory expectation. A foreign head of state requires far more intensive EDD than a domestic municipal council member. For a foreign head of state, where the risk is extremely high, this means frequent regular surveillance (monthly or quarterly), ten or more years of wealth history, and in-depth forensic investigation of worldwide assets. For a domestic municipal council member, where the risk is low or moderate, standard SoW verification, senior management approval, and annual or event-driven reviews are sufficient. Both require more than standard CDD. EDD is not necessary for low-risk standard retail customers, for whom standard CDD is enough; an ordinary citizen is not subject to the same examination, such as source of wealth verification, as even a low-risk domestic PEP. The intensity of your investigation must match the person's degree of exposure.

EDD is more than gathering more records; it calls for a different method of analysis. Institutions must assess the coherence, credibility, and plausibility of a customer's profile, financial conduct, ownership structure, and public image. Eliminating ambiguity is not the goal of EDD. The goal is to lower ambiguity to a level that can be explained to regulators if necessary and defended within the organization's risk tolerance.

2. What FATF Requires for PEP EDD (Recommendation 12)

The Financial Action Task Force (FATF) Recommendation 12 is the global gold standard, although national legislation differs. It sets the minimum standard that all compliance programs must meet. The FATF recommendations are the floor, not the ceiling, of your PEP program.

In addition to carrying out standard customer due diligence procedures, financial institutions should be obliged to have suitable risk-management systems to ascertain whether the customer or the beneficial owner is a politically exposed person. Recommendation 12 states that you must, at the very least, take the following three particular actions if a customer is classified as a PEP:

  • Senior Management Approval: Without the approval of someone with enough seniority and authority to understand the firm's risk exposure, you cannot start or maintain a business relationship with a PEP. Obtain senior management approval for establishing such business relationships, or for continuing them with existing customers.

  • Source of Wealth (SoW) & Source of Funds (SoF): You must take reasonable measures to determine where the customer's whole fortune (SoW) and the particular funds used in the transaction (SoF) came from.

  • Enhanced Ongoing Monitoring: To make sure the PEP's transactions stay in line with their established profile, you need to conduct more thorough and frequent assessments. Conduct enhanced ongoing monitoring of the business relationship and spot transaction patterns that call for closer examination.

Financial institutions should also be required to take reasonable steps to determine whether a customer or beneficial owner is a domestic PEP or a person entrusted with a prominent function by an international organization. Where the business relationship with such a person is higher risk, the three measures above should apply. Family members and close associates of PEPs of any kind should be subject to the same requirements. These enhanced CDD measures include, but are not limited to, gathering more details on the client, such as the intended nature of the business relationship and the reasons for planned or completed transactions.

As with all higher-risk customers outlined in Recommendation 10, foreign PEPs are always regarded as high risk and necessitate enhanced due diligence measures. Recommendation 12 mandates that the decision to engage or maintain a business relationship with a foreign PEP be made at senior management level rather than at the regular level of the hierarchy. This should also result in more proactive measures, including increased monitoring of the business relationship to determine whether transactions or activities seem unusual or suspicious. According to Recommendation 12, financial institutions and DNFBPs must also take reasonable steps to determine the source of funds and the source of wealth.

3. Senior Management Approval: Who, When, and How

Senior management is defined under the regulations as "an officer or employee with sufficient knowledge of the money laundering, terrorist financing, and proliferation financing risk exposure and of sufficient authority to take decisions affecting its risk exposure." A firm should make sure that employees who onboard customers are trained to request this approval, and it should clearly document in its policies, procedures, and internal controls who is deemed to meet this definition, as well as any delegations of authority by those individuals, in accordance with the size and nature of the business. Some regulations anticipate that in lower-risk scenarios sign-off may occur at a lower level of seniority within a firm, but the approver must still have adequate authority, and the decision must be recorded.

Many compliance publications describe senior management approval as an ambiguous requirement. If you cannot demonstrate who approved a relationship and why, the relationship can be deemed unapproved. Regulators look for authority and independence rather than a list of names. Senior management is typically the MLRO, the Chief Compliance Officer, or a Designated Senior Officer:

  • The most frequent approvers are the Chief Compliance Officer and the MLRO. They are qualified to determine whether the EDD is adequate.
  • A Designated Senior Officer is another qualifying title. In larger firms this could be a board member or a regional head.
  • Under the recent FCA guidance (FG 25/3) and AMLA amendments, firms can now employ a graduated sign-off strategy. A low-risk domestic PEP, for instance, might be approved by a lower tier of senior management, whereas a high-ranking foreign PEP must be escalated to the C-suite or a dedicated Risk Committee.

Approval is the documented review of the PEP risk assessment, the sign-off that EDD has been completed, and the acknowledgment of the risk accepted. It is a lifecycle requirement rather than a one-time occurrence:

  • At onboarding, before an account is opened or the first transaction is made.
  • When status changes, for instance when an existing client becomes a PEP by winning an election, or when their spouse is appointed to a cabinet position.
  • At periodic reviews, every 12 months at the very least. Best practice for higher-risk PEPs is quarterly or semi-annual re-approval.
  • On events: if adverse media appears or transaction patterns change drastically, permission to continue the relationship must be explicitly re-evaluated.

A bare signature is insufficient. To an examiner, approval denotes a formal recognition of risk. The approver needs to attest to having examined:

  • The distinctive function and impact of the PEP.
  • The confirmed source of funds and wealth.
  • Any adverse media that was discovered and how it was resolved.
  • The explanation of why this particular person is acceptable within the firm's risk appetite.

Firms are shifting to digital PEP registers and documentation, and examiners specifically check for this documentation. It should be kept in the client file and should include:

  • A digital timestamp recording the date and time of approval.
  • The approver's full name and job title.
  • The risk assessment that was reviewed and the decision rationale. A brief paragraph suffices, for example: approved despite adverse media coverage of the previous year's tax controversy, because the matter was settled and an independent audit confirmed the source of wealth.
  • A link to the evidence: a clear reference to the SoW/SoF records the manager examined. Rubber-stamping, that is approving without review, raises serious concerns.

4. Source of Wealth vs Source of Funds: The Distinction Most Firms Get Wrong

This is a critical distinction, and one that many firms get wrong. Source of Wealth answers the question: how did this person accumulate their total wealth over their lifetime? The answer is the combination of inheritance, government salary, business ventures, investments, and family wealth.

Source of Wealth (SoW) verification is the procedure by which a financial institution determines how a client amassed their total net worth, using independent confirmation and documented evidence to make sure the wealth comes from legal activities and conforms with international AML/CFT regulations. Questions asked in search of SoW include: how did this PEP make millions of dollars, and does the PEP's way of living align with their known past? SoW documentation needs long-view proof, such as public registration filings, records of asset ownership, audited corporate accounts, grants of probate for inheritance, or tax returns spanning several years.

Source of Funds (SoF) answers the question: where specifically is the money for this particular transaction or relationship coming from? The source can be a property sale, a salary payment, or investment proceeds. Questions asked in search of SoF include: where did this wire's $500,000 come from, and can we trace the transfer of funds from the source to our bank?

SoF documentation needs point-in-time proof, such as a particular dividend voucher, a single bank statement showing the incoming wire transfer, or a sales contract. Contracts for the sale of real estate, loan agreements, and investment redemption notices are typical examples of SoF documentation.

An evidence mismatch occurs when a firm requests SoW yet accepts a bank statement as proof. A bank statement does not demonstrate how the money was obtained (SoW); it only demonstrates that it exists (SoF). To satisfy an examiner, you have to present a corroborated narrative: if the PEP claims to be affluent because of a 2018 company sale, the file must include a record of that sale, not just the current savings account balance.

Source of Funds (SoF) is a single step, a snapshot of one financial movement; Source of Wealth (SoW) is the entire map, the story of a person's financial life. The single step cannot be reliably verified without first determining whether it makes sense within the complete map. For example, the source of funds for opening a particular account may be the proceeds from selling family property in France. Each requires different questions, different verification methods, and different documentation.

FATF specifically requires financial institutions to take reasonable measures to establish both for foreign PEPs, yet many compliance officers conflate them. "Reasonable" is interpreted as independent corroboration; relying solely on a PEP's self-declaration for SoW is now regarded as a red flag. Where SoW verification is insufficient, the financial institution becomes involved in legitimizing the proceeds of illicit activity, fraudulent transactions, and misconduct. Regulators are increasingly clear that this is an issue of institutional integrity, not merely technical compliance.

The final step in separating the two is a plausibility test. Suppose you are onboarding a foreign Minister of Infrastructure who wants to open a private bank account and deposit $5 million. According to the narrative, the Minister worked as a civil engineer in the private sector for two decades before entering politics, and his late father left him a sizable portfolio of commercial real estate. SoW verification consists of obtaining a copy of his father's probate or will and a historical record of his prior income from the engineering firm.

The exact source of the €5 million being deposited today is the sale of a family-owned apartment in Spain. SoF verification consists of obtaining the notarized sale agreement and the completion statement from the Spanish attorneys, which show the money moving from the sale to the new account.

A PEP's SoF declaration for a $5 million property purchase may be "personal savings". But if their documented SoW is only a modest government wage, then the transaction (SoF) is not supported by the story (SoW).

5. Enhanced Ongoing Monitoring: What 'Enhanced' Actually Means

Ongoing monitoring is frequently the point in the compliance lifecycle where momentum is lost. For ordinary customers, monitoring is usually passive and rule-based.

For PEPs, regulators expect active monitoring centered on fresh data analysis and intelligence. Metaphorically, ordinary monitoring is a smoke detector; enhanced monitoring is a full-body thermal imaging system. It is intended to detect not only suspicious conduct but also the subtle shifts in status that take place in politics, an inherently unstable realm.

Sanction Scanner monitors all of your customers' transactions in order to identify suspicious ones. If the software finds a questionable transaction, it halts it and records it for further examination. Sanction Scanner is simple to incorporate into your application via an API, so you see alarms before you call it a day. Depending on your rules and scenarios, you can view suspicious alarms by risk level, from one to five.

Standard monitoring is transaction monitoring against rules and thresholds. The following components, which map to Sanction Scanner monitoring product features, must be part of your enhanced monitoring framework:

  • More frequent periodic reviews: Under standard risk ratings, a low-risk regular client may go three years without a file refresh. For PEPs the review cycle is shortened: a thorough evaluation of the PEP's profile is expected at least once every 12 months. Use the Sanction Scanner Ongoing Monitoring function to automate rescreening and remind analysts to perform the yearly manual update.

  • Lower thresholds for transaction monitoring: Because of PEPs' privileged access to public funds, even small unusual transactions may indicate minor bribes or structuring. PEP thresholds are expected to be 30–50% lower than those of regular customers in order to detect micro-layering. With the Sanction Scanner Transaction Monitoring tool, you can lower thresholds and establish specific risk-based criteria for segments marked as PEP.

  • Geographic monitoring: Regulators look for high-risk corridors. Money may flow from a PEP's personal account to their home nation or to recognized tax havens. Any cross-border activity involving the PEP's jurisdiction of influence should trigger a high-priority alert. Identify transactions with jurisdictions that have strategic AML shortcomings by using the Sanction Scanner Real-Time Global AML Data, which covers 220+ countries.

  • Monitoring relationships (changes in RCAs and UBOs): A PEP's risk rarely moves in their own name; it passes through close associates and relatives (RCAs). You have to watch for changes in the PEP's network, such as a child joining a new organization as a director. With the Sanction Scanner PEP & RCA Screening module's automatic filtering for related parties, the profile is updated instantly when a relative's status changes.

  • Sentiment analysis and adverse media: A PEP may pass approval yet be the focus of a local newspaper's corruption investigation. Sentiment analysis, or opinion mining, is the technique of examining large volumes of text to determine whether it conveys a positive, negative, or neutral attitude. Continuous adverse media screening is the expectation: regulators expect you to uncover these stories before they lead to an indictment. By searching international news for keywords related to financial crime, judicial proceedings, and corruption, the Adverse Media Screening program generates automated alerts about sentiment shifts. With Sanction Scanner Adverse Media software, you can run adverse media controls via the web, batch files, or APIs, navigating the media maze with more than 800 companies and identifying threats before they materialize. Adverse Media Screening and Monitoring helps you recognize and defend against financial crimes including money laundering, terrorist financing, corruption, bribery, fraud, human trafficking, smuggling, and tax evasion. A transition from calendar-based reviews to event-based triggers is necessary: instead of waiting for the next yearly review, your monitoring system should alert you when a PEP loses an election, because their risk profile changes immediately.

6. The Complete PEP EDD Checklist

In the present regulatory environment, Enhanced Due Diligence means better risk-based information rather than more paperwork. EDD objectives are reflected in both national and international regimes: organizations like the Financial Action Task Force (FATF) and domestic regulators like the US Financial Crimes Enforcement Network (FinCEN) and Canada's FINTRAC require firms to produce documentation that can be promptly retrieved if challenged. For instance, a PEP trying to move government salary into unhosted virtual asset wallets as a workaround, known as shell-to-crypto, is a red flag. Another onboarding red flag is the "circular RCA" problem, where PEP relatives appear out of nowhere as consultants to state-owned businesses without any prior relevant experience. This checklist helps your firm make sure that each Politically Exposed Person has a narrative that is both risk-rated and defensible, going beyond mere identification.

The risk assessment and the justification for escalation are crucial components of EDD. The file should record the risk factors found, the customer's score or tier, and the reason the outcome exceeded your internal EDD threshold. Rather than a bare high-risk designation, regulators want a succinct explanation that connects the decision to your policy and risk tolerance.

Structured as an implementable checklist:

  • PEP identification confirmed, with category (foreign / domestic / international organization PEP). Verify whether the person is a "de-pepped" official still within the transition period, which is usually five years in Canada or twelve months in the UK/EU.
  • PEP risk assessment completed and a risk score assigned, based on job title and role (executive or ceremonial) and the corruption index of the home nation.
  • Senior management approval obtained and documented. Make sure the approval record includes a timestamp. In some jurisdictions, if the policy is formalized, approval for lower-risk domestic PEPs can be given by a suitably senior person instead of the C-suite or MLRO.
  • Source of wealth verified and documented.
  • Source of funds verified and documented.
  • Purpose and intended nature of the relationship established. Review existing relationships to add context or draw attention to concerns you might have overlooked.
  • Expected account activity profile documented. Examine previous transactions to see whether they match expected behavior and establish a baseline: calculate average transaction sizes, monthly volumes, and the frequency of counterparty jurisdictions. Identify transactions that are large, erratic, or unusually frequent. Transactions involving high-risk jurisdictions ought to be reported.
  • Enhanced monitoring parameters configured. Set up real-time transaction monitoring, set alerts and thresholds for questionable activity, update customer risk profiles regularly, and report suspicious activity to the regulatory agencies.
  • Periodic review schedule set, with an annual minimum. The relationship continues after onboarding: keep regular review logs, document each investigation's steps and results, and define event-driven triggers such as ownership changes, adverse media updates, and unexpected financial activity.
  • All documentation stored in the customer file. Keep thorough records at every stage of the due diligence process, verify adherence to the jurisdiction's data protection regulations, and secure the stored customer files while retaining them for audit.
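As an added illustration (not Sanction Scanner's product code nor any regulator's rule set), the following Python sketches how the checklist items and the enhanced monitoring framework above fit together: risk tiering by PEP category and role, the lowered PEP alert threshold, an expected-activity baseline, the SoF-versus-SoW plausibility test from the Minister example, and event-driven re-approval triggers. The tier labels, the 40% threshold reduction, the SoF-to-SoW support table and every sample value are constructed assumptions.

```python
"""Risk-tiered PEP EDD controls and enhanced-monitoring checks.

Added illustration written for this article; it is not Sanction Scanner's
product code nor any regulator's rule set. Tier labels, the 40% threshold
reduction, the SoF-to-SoW support table and all sample values below are
constructed assumptions chosen to mirror the proportionality rules above.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Baseline tier by PEP category (article: foreign PEPs are always high risk).
CATEGORY_TIER = {"foreign": "high", "international_org": "medium", "domestic": "low"}

# Controls per tier: review cadence in months, years of wealth history, approver.
TIER_CONTROLS = {
    "high":   {"review_months": 3,  "sow_years": 10, "approver": "C-suite / Risk Committee"},
    "medium": {"review_months": 6,  "sow_years": 5,  "approver": "MLRO / CCO"},
    "low":    {"review_months": 12, "sow_years": 3,  "approver": "designated senior officer"},
}
PEP_THRESHOLD_REDUCTION = 0.40  # article: PEP thresholds 30-50% below retail

# Which documented SoW pillars make a declared SoF category plausible (constructed).
SOF_SUPPORTED_BY = {
    "salary_payment": {"salary"},
    "property_sale": {"inheritance", "real_estate"},
    "dividend": {"business", "investments"},
    "personal_savings": {"salary", "business", "inheritance", "investments"},
}
# Lifecycle events that force explicit re-approval (article: status change,
# adverse media, election result, drastic change in transaction pattern).
REAPPROVAL_EVENTS = {"became_pep", "relative_appointed", "adverse_media",
                     "election_lost", "pattern_shift"}


@dataclass
class PepProfile:
    name: str
    category: str                 # foreign | domestic | international_org
    jurisdiction: str             # jurisdiction of influence (constructed code)
    executive_role: bool          # executive role escalates; ceremonial does not
    adverse_media: bool = False
    documented_sow: set = field(default_factory=set)  # verified SoW pillars
    corroborated_wealth: float = 0.0                  # total backed by SoW evidence


def assess_tier(p: PepProfile) -> str:
    """Category baseline, escalated one step for an executive role and one for
    adverse media, capped at 'high'. A PEP never drops below its baseline."""
    order = ["low", "medium", "high"]
    idx = order.index(CATEGORY_TIER[p.category]) + int(p.executive_role) + int(p.adverse_media)
    return order[min(idx, 2)]


def monitoring_parameters(p: PepProfile, retail_threshold: float) -> dict:
    """Enhanced parameters for the PEP segment: tier controls plus a lowered alert threshold."""
    tier = assess_tier(p)
    return {"tier": tier, **TIER_CONTROLS[tier],
            "alert_threshold": round(retail_threshold * (1 - PEP_THRESHOLD_REDUCTION), 2)}


def activity_baseline(history: list) -> dict:
    """Expected-activity profile from past transactions: typical size, spread, counterparties."""
    amounts = [t["amount"] for t in history]
    return {"mean": mean(amounts), "stdev": pstdev(amounts),
            "countries": {t["country"] for t in history}}


def screen_transaction(p: PepProfile, tx: dict, baseline: dict, params: dict) -> list:
    """Reasons a transaction needs analyst review; an empty list means it fits the profile."""
    reasons = []
    if tx["amount"] >= params["alert_threshold"]:
        reasons.append("above lowered PEP threshold")
    if tx["amount"] > baseline["mean"] + 3 * baseline["stdev"]:
        reasons.append("erratic against expected activity")
    if tx["country"] == p.jurisdiction:
        reasons.append("cross-border flow to jurisdiction of influence")
    if not (SOF_SUPPORTED_BY.get(tx["sof"], set()) & p.documented_sow):
        reasons.append(f"SoF '{tx['sof']}' not supported by documented SoW")
    if tx["amount"] > p.corroborated_wealth:
        reasons.append("amount exceeds corroborated wealth")
    return reasons


def reapproval_required(events: list) -> list:
    """Event-driven triggers that demand re-approval instead of waiting for the annual review."""
    return sorted(REAPPROVAL_EVENTS & set(events))


# Constructed sample: the article's foreign Minister of Infrastructure, four months
# of routine UK activity, and the 5 million property-sale deposit from Spain.
MINISTER = PepProfile("Minister of Infrastructure", "foreign", "XX", executive_role=True,
                      documented_sow={"salary", "inheritance"}, corroborated_wealth=8_000_000)
HISTORY = [{"amount": a, "country": "GB"} for a in (2000, 2500, 1800, 2200)]
PARAMS = monitoring_parameters(MINISTER, retail_threshold=10_000)
BASELINE = activity_baseline(HISTORY)
DEPOSIT_ALERTS = screen_transaction(
    MINISTER, {"amount": 5_000_000, "country": "ES", "sof": "property_sale"}, BASELINE, PARAMS)
```

The deposit clears the SoW plausibility and corroborated-wealth checks because the inherited real estate supports a property sale, but it still lands with an analyst because it is far above both the lowered PEP threshold and the account's own baseline.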

This is the asset that gets downloaded, printed, and taped to compliance analysts' monitors. Insufficient justifications, missing verification evidence, unproven source-of-funds claims, absent approvals, scattered information, and a lackluster rather than enhanced monitoring strategy are all a ticket to an EDD collapse. Systems that use AI and machine learning add speed in analyzing large data sets, detecting anomalies, and finding patterns; automation also reduces human error and delivers more uniform, accurate results.

7. What Examiners Look For During PEP Reviews

Whether you are under the lens of the FFIEC (US), the FCA (UK), or the newly operational AMLA (EU) in Frankfurt, examiners are looking for rationale, real-time data, and relevance. The examiner focus areas below are drawn from the FFIEC BSA Manual and FCA/ECB supervisory approaches, and give compliance teams an exam preparation framework:

  • Does the firm have a PEP policy? → The next question is whether it is being followed. Make sure your written policy corresponds with staff training records and system settings.

  • How are PEPs identified? → Automated, daily screening against reputable databases with verified data integrity.

  • Is senior management actually approving (not rubber-stamping)? → The next question is whether the file is genuinely reviewed by senior management. Examiners may look for challenger notes, proof or questions that the approver sent back to the analyst. If every PEP is approved in under 60 seconds with no remarks, the conclusion may be a lack of genuine oversight.

  • Is the source of wealth documented (not just the source of funds)? → Accepting one bank statement as evidence of source of wealth (SoW) is not enough. The expectation is a clear, corroborated narrative with proper documentation. The file is insufficient if it does not explain how a very young official became a multimillionaire, and the same applies to source of funds (SoF) if a single $1 million transfer cannot be explained.

  • How often are PEP relationships reviewed? → Event-driven reviews are expected. If a PEP is named in a significant corruption report, you are expected to have reviewed them by the following day; waiting for the annual review is not accepted.

  • Are monitoring parameters actually enhanced vs standard? → Concrete proof that a PEP is treated differently from a regular client. Does the review take place every year? Are transaction alert thresholds for the PEP set lower? Are you watching transactions that go directly to the PEP's country of origin?

  • Are decisions documented with rationale? → A reasoned conclusion. If you have recorded your inquiry and determined that the risk is manageable, it is acceptable to retain a PEP as a customer despite negative media coverage. A clean, time-stamped digital trail is required.

Examiners in the US are known for risk-focused testing. They will choose a sample of PEP accounts and look for a distinct Customer Risk Profile (CRP). With effect from February 1, 2026, the US Office of the Comptroller of the Currency (OCC) has revised its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination procedures for community banks; by concentrating on risk-based, tailored evaluations of smaller institutions, these procedures aim to reduce regulatory burden. For higher-risk profiles, FFIEC examiners specifically look for the additional information the firm obtained. If you have a foreign PEP and have not recorded their Source of Wealth, that is an automatic finding.

The FCA's finalized guidance of 2025 focuses on proportionality and transparency in handling domestic PEPs. It reduces compliance uncertainty and provides useful tools for managing regulatory expectations, even though some interpretation issues remain at firm level. Blanket high-risk ratings are now penalized by the FCA: you must demonstrate that you can distinguish between a domestic UK official and a foreign head of state. Examiners will check whether siblings are included in your screening logic and whether you are excluding close associates. The FCA's annual work programme outlines the deliverables for its 2025–2026 strategic targets: becoming a smarter, more effective and efficient regulator, promoting growth, helping consumers manage their finances, and combating financial crime.

The European Central Bank (ECB) has changed its focus as the new Anti-Money Laundering Authority (AMLA) starts to centralize control. Geopolitical risk integration is required: EU examiners now expect PEP evaluations to be connected to geopolitical instability, and if a PEP falls into this category the EDD needs to be substantially more rigorous. The priorities show a strong emphasis on the prudential framework while boosting technological innovation and digital operational resilience. This strategic objective requires institutions in the euro area to integrate core prudential requirements more closely with improved digital operational resilience. The Digital Operational Resilience Act (DORA) is a major concern for European regulators, who expect your EDD and PEP screening records to be kept in an easily accessible manner. The ECB also anticipates graduated senior management sign-off in accordance with the Supervisory Review and Evaluation Process (SREP) criteria.

Compliance is a data-driven narrative, not a protective barrier. You go beyond simple compliance and into the domain of strategic risk management by coordinating your PEP program with the particular requirements of the FFIEC, FCA, and AMLA. The companies that pass reviews are not always the ones with the thickest policy manuals; rather, they are the ones that can cite a single client file and demonstrate how their risk is being tracked in real time and why that person's wealth is legitimate.

Judi Tero

Senior Content Writer
