FCA’s Updated PEP Guidance: Act Now or Risk Falling Behind
The FCA has published FG25/3 - updated guidance on how regulated firms should treat Politically Exposed Persons (PEPs). While the 2017 guidance (FG17/6) remains largely relevant, this new version reflects updates to the Money Laundering Regulations (MLRs) and other amendments (explored below).
The FCA consulted with firms and conducted a multi-firm review before finalising this guidance. They’ve seen what’s working—and what isn’t. And we expect that they will be checking in with firms to see whether they can demonstrate that they’ve taken this seriously.
This isn’t a gentle nudge. It’s a regulatory expectation. And if your firm hasn’t already aligned its PEP framework to this guidance, the time to act is now.
Key Updates from FG25/3 – And Why You Can’t Ignore Them
1. Domestic PEPs: Apply EDD, but make it proportionate
The guidance aligns with the updated MLRs, noting that domestic PEPs should be treated as lower risk than non-domestic PEPs - unless other risk factors apply.
We still see firms applying the same level of EDD to all PEPs. That’s no longer defensible. If you don’t reflect a proportionate (and differentiated) approach, expect to be challenged by the FCA. The FCA is likely to ask you how you demonstrate your risk-based approach, the extent to which you assess PEP risk and scenarios where you perceive a lower PEP risk versus a higher PEP risk.
2. PEP sign-off: Flexibility, but not a free pass
FG25/3 confirms that “senior management” doesn’t have to mean the MLRO.
Let’s be clear: if someone else is signing off PEP relationships, they must understand your firm’s financial crime risks, have the authority to act and be subject to a sufficient level of training. If this is the case, the FCA will be keen to understand how the MLRO maintains oversight. We’ve helped firms implement measures like documenting how frequently and in what capacity the MLRO participates in financial crime and governance committees, while also ensuring they receive clear Management Information. If you can’t clearly demonstrate this level of oversight, your governance model won’t withstand scrutiny.
3. UK rules for UK firms: Regardless of your overseas exposure
The FCA won’t interpret foreign laws. If you’re operating in the UK, you must comply with UK MLRs.
We’ve worked with firms trying to balance MLR requirements with conflicting international requirements. The FCA has made it very clear that your UK-facing controls must stand on their own. Typically, we have supported firms to develop consistent global standards, overlaid with UK-specific addenda / policies which mandate these requirements for all UK operations.
4. Non-executive board members of civil service departments are not PEPs
A helpful clarification that removes ambiguity around certain public sector roles. Further, the guidance updates the definition of similar legislative bodies (when referencing members of parliament), which now includes devolved legislatures in the UK (such as the Northern Ireland Assembly).
Many firms’ policies will still reference the former list. Updating this will provide further clarity to your internal teams, systems and processes and will help you to maintain compliance with the updated guidance.
What We’re Seeing in the Market
From our recent work with firms across the industry, here are some common gaps—and what needs to change:
PEPs remain PEPs for 12 months after leaving office - but their family members don’t
This nuance is often missed. If your systems and controls don’t reflect this, you may be over-engineering your controls. You would be expected to justify any approach that does not align to this practice. The FCA highlighted this in a recent event that we attended, so it’s worth reviewing our gap analysis on this.
Being a beneficial owner doesn’t automatically make a legal entity a PEP
We’ve seen firms apply a blanket approach here. That’s not what the guidance says. Context matters—and your framework needs to reflect that.
Oversight of high-risk relationships is patchy
Some firms have implemented procedures for onboarding high-risk customers, including PEPs—but haven’t clearly documented who can approve them or how those decisions are tracked. If your governance isn’t watertight, you’re exposed.
Final Word: This Is Not Optional
FG25/3 is not a suggestion. It’s a clear signal from the FCA that firms must take a proportionate, risk-based approach to PEPs - and be able to defend and evidence it.
If your firm hasn’t reviewed its PEP framework in light of this guidance, now is the time to do it.
If your documentation is vague, inconsistent, or outdated, it needs to be refreshed.
If your governance model relies too heavily on one individual, it’s time to enhance it.
As ever, if you need our help, reach out at contact@avyse.co.uk.