PEP screening in practice: dealing with false positives at scale

PEP screening generates more false positives than almost any other component of a regulated firm’s customer due diligence process. A common name, a partial name match, an incorrectly configured screening threshold — each of these can flood the alert queue with matches that have no connection to political exposure whatsoever. The operational consequence is significant: compliance teams spend substantial time reviewing and clearing alerts that do not represent genuine risk, and the volume of false positives creates two related problems. The first is operational — the cost and time of clearing alerts. The second is regulatory — a firm that is drowning in false positives may clear genuine ones too quickly, under time pressure and alert fatigue.

Managing PEP screening effectively at scale is therefore not primarily a technical question about which screening vendor to use. It is a risk management question about how to configure the screening process to identify genuine PEPs accurately while minimising the operational burden of false positives — and how to document that approach in a way that satisfies FCA scrutiny.

What the regulations require

The Money Laundering Regulations 2017 require regulated firms to identify customers who are PEPs, family members of PEPs, and known close associates of PEPs. The definition of a PEP under the regulations applies to individuals who are or have been entrusted with a prominent public function — heads of state, members of parliament, senior government officials, senior executives of state-owned enterprises, senior figures in international organisations, and similar. The definition extends to family members and known close associates of such individuals, though the close associate category presents its own identification challenges.

For domestic PEPs — those holding public functions in the UK — the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 introduced a risk-based approach that distinguished between UK PEPs and foreign PEPs. The regulations made clear that the risk associated with UK domestic PEPs should be assessed as lower than that associated with foreign PEPs, unless specific factors indicate higher risk. This was reinforced by FCA guidance in 2023 and the subsequent Dear CEO letter to retail banks about the treatment of domestic PEPs — a communication prompted in part by high-profile cases in which UK political figures had complained about being denied banking services based on their PEP status.

The practical effect of this guidance is that regulated firms should not apply the same level of enhanced due diligence to a UK MP as they would to a senior official of a higher-risk foreign government. Both require identification and assessment. The proportionate response to that identification is different.

Why false positives occur at scale

False positives in PEP screening have three main causes. The first is name matching methodology. Screening systems that match on partial names or phonetic equivalents will generate matches for common surnames and given names. A firm that screens all customers against PEP databases using fuzzy matching at a 70% threshold will generate substantial volumes of matches for any customer whose name has even a loose resemblance to a listed PEP. The challenge is that raising the matching threshold to suppress those matches increases the risk of missing genuine PEPs. The appropriate configuration depends on the firm’s customer base, business model, and risk appetite — and it requires ongoing calibration rather than a one-time setting.

The second cause is database scope. Most commercial PEP databases include not just current PEPs but former PEPs, family members, and close associates. The further these individuals are from the original PEP, the lower the regulatory risk they represent in most cases — but the screening system will generate matches regardless. A firm whose screening vendor includes distant relatives of former government officials in its PEP database will generate alerts for individuals who represent no meaningful enhanced risk, and managing those alerts consumes compliance resources.

The third cause is inadequate risk stratification in the post-alert review process. Even where the initial match is genuine — where the alert correctly identifies a customer who is or is related to a PEP — the question of what to do with that identification depends on the risk assessment. A UK local councillor is a PEP. A former head of state of a country with high corruption risk is a PEP. The same alert process should not be applied to both.

A risk-based approach to reducing false positives

Calibrate the matching threshold by customer segment

The appropriate matching threshold is not the same for every customer. For higher-risk customer segments — where the consequences of missing a genuine PEP are most significant — a lower threshold (generating more alerts, including more false positives) is appropriate. For lower-risk customer segments — domestic retail customers with straightforward profiles — a higher threshold reduces alert volume without materially increasing the risk of missing genuine PEPs.

This segmented approach needs to be documented. The firm’s AML risk assessment should explain why different thresholds apply to different segments, and the calibration decision should be reviewed periodically — particularly when the customer base composition changes or when typology trends suggest that PEP-related risk in particular segments is changing.

Establish tiered alert disposition processes

Not all PEP alerts warrant the same investigation depth. A tiered disposition process — where alerts are stratified by risk profile immediately after they are generated, and the level of investigation is proportionate to that stratification — reduces the time spent on low-risk false positives and focuses enhanced scrutiny where it is most needed.

A typical tiering approach might distinguish between alerts that are clearly false positives (name match only, no other matching data, domestic low-risk profile), alerts that require basic review (some matching characteristics but low-risk jurisdiction and position), and alerts that require full enhanced due diligence (genuine PEP match, higher-risk jurisdiction, complex source of wealth). The parameters of this tiering need to be documented and reviewed by the MLRO.

Use negative screening data systematically

Many false positives can be cleared efficiently if the firm maintains and uses a negative screening list — a documented record of individuals who have been reviewed, determined not to be genuine PEPs, and cleared. Re-screening the same individual repeatedly without reference to previous review decisions generates unnecessary alert volume and review burden.

The negative screening record should be maintained with the date of the review, the reason for the clearance, and the reviewer’s name. It should be subject to periodic refresh — an individual who was correctly cleared three years ago may have since taken on a prominent public function — but for most individuals the refresh cycle can be extended beyond the standard screening frequency without material risk.
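The three controls above (segment-calibrated thresholds, tiered disposition and a negative screening list) can be seen working together in the following added example, which is illustrative code written for this article and not a vendor's or any firm's screening logic; the segments, thresholds, jurisdiction code, refresh cycle, names and records are all constructed assumptions.

```python
# Added illustration; every name, threshold, code and record below is constructed.
from collections import namedtuple
from datetime import date, timedelta
from difflib import SequenceMatcher

# Assumed calibration: higher-risk segments alert at a lower similarity score
# (more alerts, more false positives); low-risk domestic retail at a higher one.
THRESHOLDS = {"domestic_retail": 0.90, "private_banking": 0.70}
HIGH_RISK_JURISDICTIONS = {"XX"}             # placeholder jurisdiction code
NEGATIVE_LIST_REFRESH = timedelta(days=730)  # assumed extended refresh cycle

Customer = namedtuple("Customer", "cid name segment dob")
PepRecord = namedtuple("PepRecord", "ref name dob jurisdiction")
# Negative-list entry: who was cleared, against which record, when, why and by whom.
Clearance = namedtuple("Clearance", "cid pep_ref reviewed reason reviewer")

def name_score(a: str, b: str) -> float:
    """Token-order-insensitive fuzzy name similarity in [0, 1]."""
    norm = lambda s: " ".join(sorted(s.lower().split()))
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def tier(cust: Customer, pep: PepRecord) -> str:
    """Stratify an alert by the non-name data that also matches."""
    dob_match = cust.dob == pep.dob
    high_risk = pep.jurisdiction in HIGH_RISK_JURISDICTIONS
    if dob_match and high_risk:
        return "full_edd"            # genuine match in a higher-risk jurisdiction
    if dob_match or high_risk:
        return "basic_review"        # some matching data, or jurisdiction warrants a look
    return "likely_false_positive"   # name-only match, low-risk profile

def screen(cust: Customer, peps: list, negative_list: list, today: date) -> list:
    """Return (pep ref, score, tier) for each alert surviving threshold and negative list."""
    alerts = []
    for pep in peps:
        score = name_score(cust.name, pep.name)
        if score < THRESHOLDS[cust.segment]:
            continue                 # below the segment's calibrated threshold
        if any(c.cid == cust.cid and c.pep_ref == pep.ref
               and today - c.reviewed <= NEGATIVE_LIST_REFRESH for c in negative_list):
            continue                 # documented clearance still within its refresh window
        alerts.append((pep.ref, round(score, 2), tier(cust, pep)))
    return alerts
```

The same customer name produces no alert in the domestic retail segment but an alert in the private banking segment, and a clearance older than the refresh window is ignored so the individual is re-reviewed.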

Review database scope with your vendor

Commercial PEP database providers offer different configurations of who is included in their datasets. Some include former PEPs indefinitely; others apply a time decay — reducing the risk score of individuals who left prominent public functions some years ago. Some include close associates defined broadly; others take a narrower approach. Working with your screening vendor to configure the database scope appropriate to your firm’s business model and customer base — rather than accepting a default configuration — can materially reduce alert volume without compromising the effectiveness of the screening programme.

MLRO accountability for PEP screening quality

Under SMCR, the MLRO (SMF17) holds personal accountability for the adequacy of the firm’s AML framework, including the PEP screening process. This means the MLRO cannot treat false positive management as a purely operational matter delegated to the compliance team. The MLRO needs to satisfy themselves that the screening configuration is appropriate, that the threshold and tiering decisions are documented and defensible, that the alert disposition process is consistently applied, and that the volume and nature of PEP alerts are reported to them with sufficient frequency to identify emerging issues.

In an FCA supervisory review, the MLRO will be expected to explain the firm’s PEP screening methodology, including the threshold calibration decisions and the rationale for them. A firm that has not documented these decisions — where the threshold is whatever the vendor defaulted to and no one can explain why — is in a materially weaker position than one where the MLRO can demonstrate that the screening configuration is a deliberate risk management decision.

FD Capital places MLROs and financial crime specialists in FCA-regulated firms across all sectors. Where the MLRO role requires specific expertise in transaction monitoring, PEP screening, or the design of AML frameworks, we understand the technical requirements and can identify candidates with the relevant experience.

Written by

Adrian Lawrence FCA

Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383

FD Capital is an ICAEW-Registered Practice specialising in senior finance and compliance recruitment for FCA-regulated firms.

Need an MLRO with AML framework and screening expertise?

FD Capital places MLROs, financial crime specialists and compliance leaders with the technical AML expertise that FCA-regulated firms require.

Call 020 3287 9501 or visit our MLRO Recruitment and Financial Crime Recruitment pages.