
PEP Screening and Adverse Media: Building an Ongoing Monitoring Program


PEP screening — checking whether a customer or their close associates hold politically exposed positions — is one of the clearest examples of a control that compliance programs treat as a checkbox at onboarding and then largely forget about. The problem is that PEP status is not static. A customer who was a private citizen when they opened their account can become a PEP when a family member is elected to public office, when they themselves join a state agency, or when a business associate is appointed to a regulatory body. Without ongoing monitoring, your program has a growing blind spot with each passing quarter.

What Counts as a PEP — and Why the Definition Matters

The US does not have a single statutory definition of "politically exposed person" equivalent to the EU's 4AMLD definition. FinCEN guidance and the FFIEC BSA/AML Examination Manual frame PEP risk within the broader EDD obligation: financial institutions are expected to apply enhanced scrutiny to customers who present higher corruption risk, including foreign government officials, senior executives of state-owned enterprises, and their immediate family members and close associates.

The scope is broader than many compliance teams initially assume. It includes not just current heads of state and cabinet ministers, but also senior officials at regional and local government levels in high-corruption-risk jurisdictions, senior executives and board members of foreign state-owned enterprises, and close family and business associates of any of the above. The "close associate" category is where coverage gets genuinely difficult — the connection may not be publicly visible, and the relationship may develop after account opening.

For consumer-focused US neobanks primarily serving domestic customers, the practical PEP risk is lower than for institutions with significant customer populations in Latin America, Sub-Saharan Africa, Southeast Asia, or Eastern Europe. But it is not zero. US-resident foreign nationals, business owners with cross-border relationships, and customers who develop PEP-adjacent connections domestically are all live risk categories.

The Onboarding-Only Gap

Most neobank PEP programs screen at account opening: the customer's name and date of birth go through a third-party PEP database, results are reviewed, and a CDD determination is made. That moment of screening is typically well-documented. What happens next is often not.

Industry PEP databases are updated on varying schedules — some update daily for the most prominent entries, some update weekly or monthly for deeper layers of the database. A customer who was screened clean in January of one year may be a PEP entry in the same database by June of the following year. Without a re-screening cadence, the institution's records still show a clean PEP screen from the account opening date — which is technically accurate and operationally useless for the current risk picture.

We're not saying every institution needs daily full-database re-screening. The risk-based approach — screening frequency calibrated to the institution's PEP risk profile, customer geographic mix, and program tier — is defensible if it is documented. What is not defensible is having no re-screening cadence at all and calling it a risk-based decision.

Adverse Media Monitoring: The Parallel Control

Adverse media monitoring — scanning news sources, regulatory enforcement databases, and open-source reporting for negative information about customers — is closely related to PEP monitoring but operationally distinct. A customer who is not a PEP may generate adverse media through fraud allegations, regulatory sanctions, court filings, or criminal charges. Conversely, a PEP who is clean in the formal PEP databases may have adverse media coverage that substantially affects their risk profile.

Examiners reviewing a BSA program increasingly treat adverse media as a component of a complete ongoing monitoring program, particularly at the EDD tier. The FFIEC Examination Manual's EDD section references "negative news screening" as an element of enhanced customer due diligence. Institutions that have PEP screening but no adverse media monitoring for high-risk customers have a partial program.

The practical challenge with adverse media monitoring is noise management. A broad-coverage news feed approach that ingests every article mentioning a customer's name will generate enormous false-positive volume on common names. Effective adverse media programs narrow the search to relevant adverse categories — criminal proceedings, regulatory enforcement, fraud and AML allegations, sanctions-adjacent associations — and apply name disambiguation logic to reduce false hits from common name coincidences.

EDD Triggers and Documentation Requirements

When a customer triggers EDD — whether due to PEP status identification, adverse media, or other risk factors — the documentation requirements are specific. The institution must record what triggered the EDD review, what additional information was collected, how that information was evaluated, and what risk determination resulted from the review.

EDD documentation that simply says "customer reviewed, no concerns identified" does not meet the standard. Examiners want to see what information was gathered, who reviewed it, and what reasoning led to the risk determination. For a PEP-identified customer, the minimum expected documentation includes: nature and source of the PEP status, the customer's reported source of funds and wealth, a reasonableness assessment of transaction activity against the stated source of funds, and a periodic review frequency that reflects the risk level.

Building a Sustainable Ongoing Monitoring Program

A PEP and adverse media program that can hold up under examination has three operational components working together. First, a data sourcing layer: access to at least one regularly-updated PEP database with meaningful coverage of the institution's relevant geographic risk populations, plus an adverse media feed with configurable alert categories. Second, a re-screening cadence: documented periodic re-screening of the full customer base at a frequency calibrated to risk — quarterly for high-risk customers, semi-annually for medium-risk, annually for standard-risk. Third, a case management layer: when a screening hit is generated, a workflow that captures the review, the documentation, and the disposition with auditable timestamps.

The technology requirements aren't extraordinary. What is extraordinary is the frequency with which growing digital banks discover, during their first examination, that their PEP program has one of these three components and not the other two. The data sourcing is in place because a vendor was procured. The re-screening cadence was never implemented because it required operational process design that wasn't done at launch. The case management is a spreadsheet that can't be audited as an immutable record.
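An added sketch (not from the original article or any vendor's product) of the second and third components: selecting customers due for re-screening under the quarterly, semi-annual and annual cadence, and recording case events in a hash-chained log so that later edits are detectable. The field names, the day counts and the hash-chain design are assumptions made for illustration.

```python
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

# Intervals approximating the quarterly / semi-annual / annual cadence (assumed day counts).
CADENCE_DAYS = {"high": 91, "medium": 182, "standard": 365}

def due_for_rescreen(customers, today):
    """IDs whose last screen is older than the tier interval; unknown tier or no screen counts as due."""
    due = []
    for c in customers:
        interval = CADENCE_DAYS.get(c["tier"])
        last = c.get("last_screened")
        if interval is None or last is None or today - last >= timedelta(days=interval):
            due.append(c["id"])
    return due

class CaseLog:
    """Append-only case log: every entry commits to the hash of the entry before it."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def append(self, customer_id, event, detail, reviewer, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {"customer_id": customer_id, "event": event, "detail": detail,
                 "reviewer": reviewer, "ts": when.isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first altered or re-linked entry, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1

# Constructed sample customers (not real data).
CUSTOMERS = [{"id": "C1", "tier": "high", "last_screened": date(2024, 1, 2)},
             {"id": "C2", "tier": "standard", "last_screened": date(2024, 1, 2)},
             {"id": "C3", "tier": "medium", "last_screened": date(2023, 11, 1)}, {"id": "C4", "tier": "high"}]
```

The chain only detects edits to entries that are still present. Storing the latest hash outside the case system at intervals keeps the whole log from being silently rebuilt.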

Getting the program right before the first examination is a matter of treating ongoing monitoring as an operational process, not a vendor subscription.
