The Financial Action Task Force (FATF) sets the global standard for how countries and businesses should handle money laundering and terrorist financing risks, and few areas attract as much regulatory scrutiny as dealings with Politically Exposed Persons. The FATF PEP guidance outlines specific expectations for identifying, risk-assessing, and applying enhanced due diligence to individuals who hold (or have held) prominent public functions, along with their family members and close associates.
Getting PEP screening wrong carries real consequences. Regulatory penalties, reputational damage, and in Australia, increasing obligations under the AML/CTF Act mean that regulated businesses (accountants, lawyers, financial services firms) need a clear understanding of what the FATF actually requires and how those requirements translate into day-to-day compliance workflows. The challenge isn’t just knowing the rules; it’s applying them consistently across every client you onboard, without letting manual processes introduce gaps or errors.
That’s the problem StackGo’s IdentityCheck was built to solve. By embedding identity verification and screening, including PEP and sanctions checks, directly into your existing CRM, you can meet these obligations without switching between platforms or relying on patchwork solutions. But before you optimise the process, you need to understand the framework behind it. This article breaks down the FATF’s PEP guidance in full: the definitions, the risk categories, the due diligence requirements, and what they mean in practice for your business.
Why FATF PEP guidance matters in AML and CTF
The FATF PEP guidance exists because public officials sit at the intersection of political power and financial access, a combination that creates well-documented opportunities for bribery, corruption, and the laundering of illicit funds. When someone controls government contracts, regulatory decisions, or public finances, the risk that those positions will be abused, and that money will flow through legitimate financial channels to conceal that abuse, is materially higher than for a standard retail customer. That elevated risk is precisely why PEPs receive separate treatment under the global AML/CTF framework, rather than being assessed under ordinary customer due diligence procedures.
The global framework behind the rules
The FATF is an inter-governmental body that sets internationally agreed standards for combating money laundering, terrorist financing, and proliferation financing. Its Recommendations, particularly Recommendation 12, which deals specifically with PEPs, carry significant weight because over 200 countries and jurisdictions have committed to implementing them. When a country adopts FATF standards, its domestic legislation and regulatory guidance must reflect those requirements, which means the rules your business follows in Australia ultimately trace back to what FATF has defined.
FATF mutual evaluations create direct accountability: countries that fail to implement the standards face grey-listing or black-listing, which carries serious economic and reputational consequences at the national level.
This global alignment matters for your business because clients and transactions rarely stay within one jurisdiction. A foreign PEP onboarded by an Australian accounting firm may have financial interests spread across multiple countries. The FATF framework ensures that the same core risk logic applies across borders, so the due diligence standard your firm applies is consistent with what regulators in other jurisdictions expect.
PEPs as a recognised high-risk category
FATF does not treat PEP status as evidence of wrongdoing. What it does do is recognise that the position creates structural risk that justifies enhanced scrutiny. A person holding a senior government role has access to levers of power that most individuals do not, and that access makes them a more attractive target for corrupt approaches and gives them greater capability to obscure financial flows if they choose to abuse their position.
For regulated businesses, this means you cannot apply standard customer due diligence to a PEP and consider your obligations met. Enhanced due diligence (EDD) is the baseline, not an optional extra. The specific steps involved, including senior management approval, source of wealth verification, and ongoing monitoring, are covered in detail later in this article.
Why the stakes are high for regulated businesses
Regulators in Australia take FATF alignment seriously. AUSTRAC, which oversees AML/CTF compliance for reporting entities, assesses businesses against the risk-based approach that FATF promotes. If your PEP screening process has gaps, whether in identification, documentation, or escalation, those gaps are exactly what a regulatory audit or examination will surface.
Beyond financial penalties, the reputational consequences of being linked to a high-profile case involving a PEP can be far more damaging than any fine. There is also the operational reality that manual or inconsistent PEP screening creates unpredictable workloads and unreliable records, both of which undermine your ability to demonstrate compliance when you need to. Getting the process right from the start, rather than retrofitting it after a regulatory finding, is what the FATF framework is ultimately pushing you to do.
What FATF means by a politically exposed person
The FATF defines a PEP as an individual who is, or has been, entrusted with a prominent public function. This definition is deliberately broad. It captures a wide range of roles across government, the military, the judiciary, and state-owned enterprises, because the risk FATF is targeting is tied to the position itself rather than to any evidence of wrongdoing by the individual holding it. Understanding exactly who qualifies matters because it determines which clients trigger your enhanced due diligence obligations from the moment of onboarding.

The core definition under Recommendation 12
FATF Recommendation 12 sets out the specific categories of individuals who qualify as PEPs. At its core, the definition focuses on people who hold, or have held, senior roles within a government or public institution where that role gives them meaningful influence over policy, public finances, or regulatory decisions. The FATF identifies several categories of roles that typically qualify:
- Heads of state or government
- Senior politicians and ministers
- Senior government, judicial, or military officials
- Senior executives of state-owned enterprises
- Important political party officials
The key word in the FATF definition is "prominent": not every public servant qualifies as a PEP, only those whose position carries significant influence or decision-making authority.
Why "former" PEPs still require enhanced scrutiny
One aspect that often catches businesses off guard is that PEP status does not end when someone leaves office. The FATF PEP guidance is explicit that enhanced due diligence obligations continue after a person has left a prominent public role, for a period determined by your own risk assessment. The rationale is straightforward: the corrupt proceeds or illicit financial arrangements that PEP status may have facilitated do not disappear the moment a person retires or loses an election.
Your risk-based approach needs to account for the fact that a former minister or retired senior official may still carry elevated risk, particularly if they left office recently or if the nature of their role involved significant financial oversight. Most regulators, including AUSTRAC, expect you to apply a minimum monitoring period after a PEP leaves their position rather than immediately downgrading them to standard due diligence. The exact length sits within your firm’s documented risk appetite, but it must be justifiable and consistently applied.
PEP types: foreign, domestic and international roles
Not all PEPs carry the same risk profile, and the FATF PEP guidance draws a clear distinction between three categories: foreign PEPs, domestic PEPs, and individuals connected to international organisations. Understanding which category applies to your client shapes both the level of due diligence required and the internal approval processes you need to follow before establishing or continuing the relationship.

Foreign PEPs
A foreign PEP is someone who holds, or has held, a prominent public function in another country. This category historically attracted the strictest treatment under FATF standards because foreign officials are harder to verify through domestic sources and their financial activity is less visible to local regulators. Under Recommendation 12, foreign PEPs require mandatory enhanced due diligence: you must obtain senior management approval before onboarding them, and you must take reasonable steps to verify their source of wealth and source of funds before the relationship proceeds.
Foreign PEPs carry the highest baseline risk rating under FATF standards, and that designation applies regardless of whether the country the person comes from is considered low-risk overall.
The rationale is that corruption and illicit fund flows often move across borders precisely because they are harder to trace internationally. A foreign official routing funds through an Australian accounting firm or financial institution relies on that distance to obscure the origin of their wealth.
Domestic PEPs
Domestic PEPs are individuals who hold prominent public functions within your own country. In Australia, this includes senior federal or state politicians, high-ranking judicial officers, senior military officials, and executives of government-owned enterprises. The FATF framework originally gave jurisdictions more flexibility in how they treated domestic PEPs compared to foreign ones, but Australian regulatory expectations have moved toward risk-based equivalence: if the role carries significant public influence, the enhanced scrutiny requirements apply regardless of whether the individual is local or foreign.
International organisation roles
The third category covers senior officials of international organisations, including executives and board members of bodies such as the United Nations, the International Monetary Fund, or regional development banks. These individuals control significant institutional resources and carry influence that extends across multiple jurisdictions, which creates a distinct risk profile that sits separately from both foreign and domestic classifications. Your screening process needs to capture this category explicitly, since many standard PEP databases include international organisation roles as a distinct flag rather than grouping them under foreign or domestic PEPs.
Who else counts: family members and close associates
The FATF PEP guidance extends enhanced due diligence obligations beyond the PEP themselves. Family members and close associates of a PEP are considered higher risk because they provide a practical mechanism for a corrupt official to move or conceal funds at arm’s length. Limiting your screening to the named individual while ignoring their immediate circle creates a significant compliance gap that regulators expect you to close.
Family members
Under FATF standards, the family members you need to screen include a PEP’s spouse or civil partner, children and their spouses or partners, and parents. The logic is that these individuals are the most natural and trusted recipients of funds that a PEP might wish to place at a distance from their own name. A spouse opening a business account or a child purchasing property can serve as a conduit for funds that originate from corrupt activity, even where the family member has no direct involvement in the misconduct.
The FATF does not require evidence that family members have acted wrongly; their relationship to the PEP is sufficient to trigger enhanced scrutiny.
Your screening process needs to capture these relationships at onboarding, which means asking clients directly whether they have a family member who holds or has held a prominent public function. This question is easy to skip in a manual workflow, which is why embedding it into a structured onboarding process reduces the risk of it being missed under time pressure.
Close associates
Close associates are individuals who share a significant business or personal relationship with a PEP. This category includes business partners, co-directors of companies the PEP controls, and individuals who are publicly known to be in a close personal relationship with the PEP outside a family context. The FATF is deliberate about the breadth of this category because financial arrangements between a PEP and a trusted associate are one of the most commonly identified typologies in corruption and money laundering cases.
Applying this category in practice requires a degree of judgment. Your firm needs to document the basis for each assessment when you conclude that an individual does or does not qualify as a close associate, because that reasoning forms part of your audit trail. Inconsistent or undocumented assessments are a recurring finding in regulatory reviews, and they are difficult to defend after the fact.
Core FATF requirements for PEP due diligence
The FATF PEP guidance sets out four non-negotiable requirements that apply once you have identified a client as a PEP or as a PEP-connected individual. These requirements sit on top of standard customer due diligence, not as a replacement for it. Your enhanced due diligence process must include senior management approval, source of wealth and source of funds verification, and enhanced ongoing monitoring, and you need to be able to demonstrate each of these steps through documented records.

Senior management approval before onboarding
Before you establish a business relationship with a PEP, the decision to proceed must be approved by a senior member of your management team. This is not an administrative formality. The requirement exists because the person approving the relationship takes on accountability for the risk assessment and the rationale behind accepting that client. A compliance officer rubber-stamping approvals at scale does not satisfy this requirement; the approver must have genuine seniority and genuine awareness of the risk factors in play.
Your internal process needs to define what "senior management" means in your organisational context and document that definition consistently. Firms that rely on informal verbal sign-offs or undated approval records create audit vulnerabilities that are difficult to resolve when a regulator asks for evidence.
Source of wealth and source of funds verification
Source of wealth refers to how a PEP accumulated their overall asset base, while source of funds refers to the specific origin of the money involved in the transaction or relationship. These are distinct concepts, and the FATF requires you to verify both. Asking a client to self-declare their wealth origin without corroborating evidence does not meet the standard; you need documentary evidence or credible independent corroboration to support the assessment.
Treating source of wealth and source of funds as interchangeable is one of the most common gaps regulators identify during AML/CTF audits of PEP-related files.
Practical verification sources include publicly available information about the PEP’s career history, salary ranges for their former roles, disclosed asset registers where they exist, and third-party database checks. Documenting your verification steps is just as important as the verification itself.
Enhanced ongoing monitoring
PEP relationships do not become lower risk simply because you completed due diligence at onboarding. The FATF requires you to conduct enhanced ongoing monitoring of PEP relationships, which means reviewing transactions for patterns inconsistent with the client’s stated profile and revisiting the overall risk assessment when relevant events occur. Trigger events, such as a PEP taking on a new public role, being named in a regulatory investigation, or significantly changing their transaction behaviour, require prompt reassessment rather than waiting for a scheduled periodic review.
How to run PEP screening at onboarding
Running PEP screening effectively means treating it as a structured step in your onboarding workflow, not a check you complete after the client relationship is already underway. The FATF PEP guidance is explicit that you need to identify PEP status before or at the point of establishing a business relationship, not retrospectively when a concern arises. If your process relies on a compliance officer remembering to ask the right questions, you are building an avoidable gap into every new client file.
Build PEP questions into your intake process
Your onboarding questionnaire needs to ask clients directly whether they hold or have held a prominent public function, and whether any immediate family members or close associates do. A general question about occupation will not capture a retired politician or the spouse of a sitting official. Structured, written intake questions also create a documented record of what the client declared at onboarding, which forms part of your audit trail if the relationship is ever reviewed.
Frame the PEP question in plain language clients can understand without legal background. Asking whether someone has held a senior role in government, the military, the judiciary, or a state-owned enterprise gives enough context for an accurate answer. Where your onboarding is digital, making this a mandatory field prevents it from being skipped under time pressure.
Screen against a reliable PEP database
Client self-declaration alone does not satisfy your obligations. You need to cross-reference client information against a recognised PEP screening database that is regularly updated and covers the jurisdictions relevant to your client base. A database capturing foreign, domestic, and international organisation roles gives you the breadth the framework expects.
Running a name-only search without including date of birth, nationality, or known aliases significantly increases your false positive rate and your risk of missing a genuine match.
Your screening process should also capture PEP-connected individuals, not just the named PEP. Most reputable databases flag known family members and close associates alongside the primary record, and your workflow needs to act on those flags with the same rigour as a direct hit.
Document the outcome before the relationship starts
Every screening result, whether positive, negative, or inconclusive, needs to be recorded in the client file before you proceed. A clean result is not just the absence of a problem; it is evidence that you ran the check at the right time against the right data. Undated or incomplete records are consistently flagged in regulatory audits as indicators of a process that exists on paper but does not operate in practice.
How to verify source of funds and source of wealth
The FATF PEP guidance draws a firm line between two concepts that firms regularly conflate. Source of wealth describes how a PEP built their overall asset base over time, while source of funds refers to the specific origin of money flowing through a particular transaction or relationship. You need to verify both, separately, and you need documented evidence to support each assessment before the relationship proceeds.
Gathering evidence for source of wealth
Verifying source of wealth for a PEP requires more than accepting a client’s written declaration. You need to corroborate their stated asset history against credible, independent sources. A politician who claims their wealth comes from a prior career in property development needs evidence that supports the timeline, the scale, and the plausibility of that claim relative to their declared public salary.
Practical sources you can draw on include publicly available career histories, declared asset registers where a jurisdiction requires them, corporate registry records, and reputable media coverage. Where the PEP has held roles with publicly known remuneration ranges, those figures give you a benchmark for assessing whether the stated wealth is consistent with legitimate earnings. Any gap between the declared asset base and what the role could plausibly have generated warrants further inquiry and clear documentation of how you resolved that gap.
If you cannot produce a coherent, evidence-backed explanation for how a PEP accumulated their wealth, you do not have sufficient basis to proceed with the relationship.
Verifying source of funds for each transaction
Source of funds verification focuses on the specific money entering the relationship: where it came from immediately before it arrived, and whether that origin is consistent with the PEP’s profile. Bank statements, transfer records, and supporting transaction documentation are the most direct forms of evidence. You are looking for a clean, traceable chain from a legitimate identified source to the funds you are dealing with.
Where a PEP’s funds originate from a jurisdiction with weaker AML controls, or where the transaction structure is complex without an obvious commercial rationale, your documentation burden increases. You should record not only what evidence you obtained, but also the reasoning behind your assessment of that evidence. Regulators reviewing a PEP file will look for a clear line of logic connecting the evidence to your risk conclusion, and gaps in that reasoning are treated as gaps in your process.
Ongoing monitoring and event-driven reviews
The FATF PEP guidance makes clear that completing due diligence at onboarding does not close your obligations. A PEP relationship carries elevated risk for as long as it continues, and your monitoring process needs to reflect that. Periodic reviews and event-driven reassessments are both required, and neither replaces the other. A scheduled annual review will not catch a risk that emerges in the months between review cycles unless you also have a mechanism for acting on new information as it surfaces.
Setting a monitoring frequency that fits the risk
Your risk-based approach should determine how frequently you review each PEP relationship, with higher-risk clients reviewed more often than those whose profile is more straightforward. A foreign PEP in an active senior role warrants more frequent attention than a former local government official who left office several years ago and has limited ongoing transaction activity. Documenting your rationale for each assigned frequency is important because regulators expect your monitoring cadence to reflect the actual risk level, not a one-size-fits-all schedule applied uniformly across your PEP population.
During each scheduled review, you should reassess the client’s current role and public profile, review transaction activity against their stated source of funds, and confirm that your original risk assessment still holds. Where anything has changed, even a change that appears to reduce risk, update your file with a clear record of what you found, what you assessed, and what you decided.
Trigger events that require immediate review
Scheduled reviews are not sufficient on their own. Certain events require you to reassess a PEP relationship outside your normal review cycle as soon as you become aware of them. You should treat the following as triggers for an immediate reassessment:
- The PEP takes on a new or more senior public role
- The PEP is named in a regulatory investigation, public inquiry, or adverse media report
- A significant or unexplained change in transaction volume or behaviour occurs
- The PEP’s source of funds changes materially from what they declared at onboarding
- A family member or close associate is identified as subject to sanctions or adverse findings
Waiting for a scheduled review after a trigger event has occurred is one of the most common gaps that regulators identify in PEP monitoring programmes.
Your process needs a clear pathway for staff to flag and escalate trigger events without delay. If the mechanism for raising a concern is unclear or cumbersome, staff will default to waiting for the next scheduled review, which creates the exact gap you are trying to prevent.
Managing hits, false positives and escalation
A PEP screening result is rarely a clean yes or no. Most screening tools return a range of potential matches, some of which will be genuine hits and many of which will be false positives triggered by common names, incomplete data, or name variations. How you handle each category matters as much as the screening itself, because your documented response to a hit forms part of your compliance record just as much as the initial check does. The FATF PEP guidance does not prescribe a specific resolution process, but it does expect you to demonstrate a consistent, risk-based approach to every result your screening produces.

Assessing a potential match
When your screening returns a potential match, your first step is to confirm whether the hit relates to your client rather than to a different individual who shares similar identifying details. You do this by cross-referencing the match against all available identifiers: full legal name, date of birth, nationality, and any known aliases. A hit based on surname alone, without corroborating identifiers, is unlikely to represent the same person, but that conclusion needs to be recorded in writing with clear reasoning rather than dismissed informally.
Undocumented match assessments are treated by regulators as if no assessment took place at all, regardless of how obvious the false positive appears.
Where the match appears credible but is not conclusive, you should gather additional information from the client directly. Asking for clarification is legitimate and expected; what is not acceptable is proceeding without resolving the uncertainty.
Handling false positives without creating gaps
A false positive still requires a documented closure. Your file needs to record what the hit flagged, what evidence you reviewed, and why you concluded it did not relate to your client. A process that discards false positives without documentation creates gaps that are indistinguishable from missed checks during a regulatory audit.
Build a consistent false positive assessment template into your workflow. This does not need to be lengthy, but it must capture the key identifiers compared, the outcome, and the name of the staff member who made the decision.
Escalation pathways for confirmed hits
When a hit is confirmed as a genuine PEP match, your escalation pathway needs to activate immediately. Senior management approval is required before the relationship proceeds, as covered earlier in this article. Beyond approval, the confirmed hit triggers your full enhanced due diligence obligations: source of wealth and source of funds verification, documentation, and the assignment of an appropriate monitoring frequency. Your escalation process should define who receives the referral, what information must accompany it, and what the maximum turnaround time is for a decision, so that every confirmed hit moves through the same structured pathway without delay.
How to apply FATF guidance in Australia
Australia implements FATF standards through the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which AUSTRAC administers. The FATF PEP guidance flows directly into your obligations as a reporting entity: if your business falls under the AML/CTF regime, you must apply enhanced due diligence to PEP relationships in a way that is consistent with the FATF framework. The practical starting point is ensuring your AML/CTF program documents how you identify, assess, and manage PEP risk, not just in general terms, but with enough specificity that any staff member can follow the process without interpretation.
What AUSTRAC expects from your AML/CTF program
AUSTRAC expects your program to reflect a risk-based approach to PEP screening that aligns with FATF standards. This means your Part A program (the overarching risk assessment) and your Part B program (your customer due diligence procedures) must explicitly address how you identify PEPs, what enhanced due diligence steps you apply, and how you document those steps. Vague or templated program language that does not reflect your actual client population will not satisfy an AUSTRAC examination.
A program that describes your PEP process in theory but does not translate into consistent operational practice is treated by AUSTRAC as a program failure, not a paperwork issue.
Accounting firms and the expanding AML/CTF scope
Australian accounting firms face specific and growing obligations under the AML/CTF framework. The Australian government’s Tranche 2 reforms are extending AML/CTF requirements to professional services including accounting, legal, and real estate businesses. If your firm is not yet a reporting entity, these reforms mean you need to build PEP screening capability now, rather than implementing it under a compliance deadline with limited preparation time. The firms that reach that deadline in the strongest position will be those that have already tested their identification, documentation, and escalation processes against real client scenarios.
Aligning your program with FATF and AUSTRAC requirements
Your internal process needs to connect each element of the FATF framework to a documented procedure within your AML/CTF program. That means your program should specify who approves PEP relationships, what evidence you collect for source of wealth and source of funds, how often you review PEP files, and what your escalation pathway looks like for confirmed hits. Connecting FATF requirements to named roles and documented steps in your own business transforms the framework from an abstract standard into an auditable operational process that holds up under regulatory scrutiny.

Next steps
The FATF PEP guidance establishes a clear framework: identify PEPs early, apply enhanced due diligence, verify source of wealth and funds, and monitor continuously. Getting each step right requires more than knowing the rules; it requires a structured, repeatable process that your team follows consistently across every client, every time.
If your business is preparing for AUSTRAC’s expanding AML/CTF obligations, or you are already a reporting entity looking to close gaps in your PEP screening workflow, the next practical step is evaluating whether your current tools can carry the load. Manual processes and disconnected systems create the exact documentation and consistency gaps that regulators focus on during examinations.
StackGo’s IdentityCheck embeds PEP and sanctions screening directly into your existing CRM, removing the need to switch platforms or maintain separate records. See how IdentityCheck supports AUSTRAC Tranche 2 compliance and find out whether it fits your workflow.







