PEP Screening: Identify PEPs
Complete guide to PEP screening: definition, AUSTRAC obligations, identification process

PEP screening is a mandatory component of any AML/KYC programme: it is the process of determining whether a customer, partner or beneficial owner holds, or has held, a prominent public position, and of applying proportionate enhanced due diligence accordingly. In Australia, failures in AML/CTF compliance, including inadequate PEP controls, have attracted record-breaking penalties from AUSTRAC, including AUD 1.3 billion against Westpac and AUD 700 million against Commonwealth Bank.
This guide covers the regulatory definition of PEPs, the Australian framework under the AML/CTF Act 2006 and AUSTRAC guidance, the screening process, and practical steps for compliance in 2026.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for specific compliance questions.
What is PEP screening?
PEP screening is the structured process of checking individuals against databases of politically exposed persons to assess their money laundering risk. A politically exposed person (PEP) is someone who holds or has held a prominent public function, making them potentially more susceptible to bribery, corruption, and the laundering of illicit funds through their access to public resources or decision-making power.
The AML/CTF Act 2006 and AML/CTF Rules require reporting entities to apply enhanced customer due diligence to customers identified as PEPs (AML/CTF Act 2006). AUSTRAC's guidance on PEP identification and management provides the operational framework.
The FATF Recommendations 12 and 22 provide the international baseline: firms must apply enhanced due diligence (EDD) to business relationships involving PEPs, but the FATF is explicit that PEP measures are preventive, not punitive (FATF Recommendations 12 & 22).
Who qualifies as a PEP? Three categories
The AML/CTF Rules define PEPs by reference to the functions they hold. Understanding these categories is essential for building a proportionate screening programme.
| Category | Examples of functions |
|---|---|
| Domestic PEPs (Australian) | Federal and state MPs, senators, senior judges, senior public servants, military officers of general rank, heads of government agencies |
| Foreign PEPs | Foreign heads of state, government ministers, members of parliament, central bank governors, senior military officials, ambassadors |
| International organisation PEPs | Directors, deputy directors and board members of international bodies (UN, IMF, World Bank, FATF) |
The screening obligation extends to close family members (spouse, children, parents, siblings) and known close associates of PEPs.
AUSTRAC guidance on PEP screening
AUSTRAC's guidance on identifying and managing PEP relationships requires a risk-based approach. Key principles:
- Domestic PEPs are lower risk than foreign PEPs as a starting point, but this does not eliminate the requirement for appropriate due diligence.
- Case-by-case assessment: Risk must be evaluated individually, not applied uniformly by PEP category.
- Enhanced customer due diligence (ECDD): Source of wealth verification and source of funds checks are required where the risk assessment warrants them.
- Senior management approval: Required when onboarding any PEP, with documented rationale for the risk assessment.
- No automatic refusal: Reporting entities should not decline business relationships purely because a customer is a PEP.
The PEP screening process: five steps
A compliant PEP screening programme follows a consistent, documented workflow from initial onboarding through ongoing monitoring.
Step 1: Data collection and normalisation
Effective screening begins with accurate identity data: full legal name, date of birth, nationality, country of residence, and, where available, Tax File Number or other identification numbers. Name variations, transliterations (particularly for non-Latin scripts), and compound names must be handled through fuzzy matching algorithms to minimise false negatives.
Step 2: Database screening
PEP lists are not maintained by a single public authority in Australia. Firms typically use commercial databases (Refinitiv World-Check, LexisNexis Bridger, Dow Jones Risk & Compliance) which aggregate data from government sources, legislative registers, court records, and adverse media. The DFAT Consolidated Sanctions List is the primary Australian government sanctions source that PEP screening should incorporate alongside PEP databases. Using a single database is insufficient: AUSTRAC's guidance on customer identification expects reporting entities to apply a risk-based approach that accounts for the limitations of any single source.
No commercial PEP database covers 100% of global political figures: firms in sectors with higher PEP exposure (private banking, wealth management, correspondent banking) typically combine two or more independent data providers.
Step 3: Risk scoring and decision
A match triggers a risk assessment. Factors considered include: the nature of the public function held, the country of origin (with heightened scrutiny for FATF high-risk jurisdictions), the recency of the mandate, the value and nature of the proposed relationship, and any adverse media. The output is a risk tier (standard monitoring, ECDD, or relationship refusal) with documented rationale.
Step 4: Enhanced Customer Due Diligence measures
Where ECDD is warranted, it comprises: obtaining and verifying the source of wealth (documented evidence of how the PEP accumulated their assets), verifying the source of funds for each significant transaction, and securing senior management approval before onboarding or continuing the relationship. ECDD records must be maintained for at least seven years after the end of the business relationship.
Step 5: Ongoing monitoring and status updates
PEP status is not static. Customers can become PEPs after initial onboarding (elections, appointments) or cease to be PEPs (end of term, resignation). AUSTRAC expects reporting entities to monitor status changes as part of ongoing customer due diligence, and to update risk classifications promptly.
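As an added illustration (not code from this article, from CheckFile or from any data provider), the following Python sketch walks a customer name through Steps 1 to 3 and tags the Step 4 and 5 obligations on the result. The PEP records, the high-risk jurisdiction set and the point weights are constructed placeholders; a real programme would load them from its vendor feeds and its own risk methodology.

```python
import unicodedata
from datetime import date, timedelta
from difflib import SequenceMatcher

# Constructed, fictitious PEP records standing in for a commercial database.
PEP_LIST = [
    {"name": "Müller, Anna-Lena", "category": "foreign", "country": "DE", "left_office": None},
    {"name": "Jane Citizen", "category": "domestic", "country": "AU", "left_office": date(2023, 1, 1)},
    {"name": "Nguyễn Văn Bình", "category": "foreign", "country": "VN", "left_office": None},
]
# Placeholder set; in production load the current FATF high-risk jurisdiction list.
HIGH_RISK_COUNTRIES = {"XX"}
# Placeholder weights: domestic PEPs are the lower-risk starting point.
CATEGORY_WEIGHT = {"domestic": 0, "international": 1, "foreign": 2}


def normalise(name):
    """Step 1: fold diacritics to ASCII, lowercase, drop punctuation and sort the
    tokens so that 'Surname, Given' and 'Given Surname' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = ascii_name.lower().replace(",", " ").replace("-", " ").split()
    return " ".join(sorted(tokens))


def screen(customer_name, threshold=0.85):
    """Step 2: fuzzy-match the normalised name against every record; return (score, record) pairs."""
    hits = []
    for rec in PEP_LIST:
        score = SequenceMatcher(None, normalise(customer_name), normalise(rec["name"])).ratio()
        if score >= threshold:
            hits.append((round(score, 3), rec))
    return sorted(hits, key=lambda h: h[0], reverse=True)


def risk_tier(rec, adverse_media, today=date(2026, 1, 1)):
    """Step 3: weigh the factors and return a tier plus the rationale to file with the case."""
    points = CATEGORY_WEIGHT[rec["category"]]
    reasons = [rec["category"] + " PEP"]
    if rec["country"] in HIGH_RISK_COUNTRIES:
        points += 2
        reasons.append("high-risk jurisdiction")
    # Recency: still in office, or left within the last 12 months, counts as current.
    if rec["left_office"] is None or today - rec["left_office"] <= timedelta(days=365):
        points += 1
        reasons.append("current or recent mandate")
    if adverse_media:
        points += 2
        reasons.append("adverse media")
    tier = "ECDD" if points >= 3 else "standard monitoring"
    # Steps 4 and 5: every PEP match needs senior management sign-off and ongoing rescreening.
    return {"tier": tier, "points": points, "rationale": reasons, "senior_approval_required": True}
```

Note that a refusal tier is deliberately absent: under the risk-based approach it is a human decision on the individual assessment, not an automated output.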
Common questions from compliance teams on PEP screening
Can we automatically close accounts of existing PEP customers? No. AUSTRAC expects that reporting entities assess each case individually. Closure is only justified where the individual risk assessment concludes the relationship poses an unacceptable risk.
How long must we treat a former PEP as a PEP? Under the AML/CTF Rules, reporting entities must apply a risk-based approach to assessing former PEPs. As a practical benchmark, the FATF recommends treating former PEPs as higher risk for at least 12 months after they leave office, with the period extending where residual risk factors persist.
What constitutes "source of wealth" evidence for a PEP? Source of wealth evidence should document how the PEP accumulated their overall asset base: salary records, property ownership documents, investment portfolios, inheritance records, or business ownership documentation. It is distinct from source of funds (the origin of a specific transaction). Both may be required for high-risk PEPs.
Automation in PEP screening programmes
Manual PEP screening is viable only at very low client volumes. For reporting entities processing hundreds or thousands of onboardings, automated screening integrated into the KYC workflow is now standard, and is expected by AUSTRAC in its supervisory assessments.
CheckFile's document verification platform integrates identity data extraction with automated screening against PEP and sanctions databases, generating audit-ready case records. For firms managing complex onboarding, our solutions for financial services provide sector-specific workflows.
PEP screening does not operate in isolation. It sits alongside sanctions screening; our guide to sanctions screening: OFAC, EU lists and compliance covers the complementary obligations. The complete AML compliance guide provides the broader framework within which PEP controls sit.
The KYC 2026 requirements guide details the full due diligence programme that PEP screening supports.
For an overview of our pricing for compliance automation tools, see our pricing page. For the broader compliance documentation framework, see the document compliance guide. Our platform processes over 180,000 compliance documents per month with a 94.8% fraud detection rate and an average verification time of 4.2 seconds.
FAQ
What is PEP screening in AML?
PEP screening in AML is the process of identifying whether a customer or counterparty holds or has held a prominent public position (a "politically exposed person"), assessing the money laundering risk this poses, and applying enhanced due diligence where required. It is mandatory under the AML/CTF Act 2006 and aligned with FATF Recommendations 12 and 22.
What is PEP screening in KYC?
In a KYC programme, PEP screening is the step that follows identity verification: once you know who the customer is, you check whether they appear on PEP databases. A positive match triggers enhanced customer due diligence, senior management approval, and ongoing monitoring obligations, distinguishing PEP checks from standard customer due diligence.
Is PEP screening mandatory in Australia?
Yes. The AML/CTF Act 2006 and AML/CTF Rules require all reporting entities to apply enhanced customer due diligence to customers identified as PEPs or their close family members and associates. AUSTRAC's guidance provides detailed requirements on applying a proportionate, risk-based approach.
How often should PEP screening be repeated?
AUSTRAC expects ongoing monitoring, not a single check at onboarding. In practice, many firms perform automated rescreening daily or weekly against updated PEP databases, with a full case review triggered whenever a customer's status changes. Perpetual KYC (pKYC) approaches automate this continuous monitoring.
Can a PEP be refused banking services?
Reporting entities should not refuse business relationships based solely on PEP status. Each case must be assessed individually. Refusal is permitted, and may be required, where the specific risk assessment concludes the relationship poses unacceptable ML/TF risk, but automatic blanket refusals are inconsistent with AUSTRAC's risk-based approach.