PEPs and Sanctions Screening: A Practical Guide for UK Accountants (2026)
Updated 23rd June 2026 | Published 23rd June 2026
PEP and sanctions screening is part of a UK accountancy firm’s risk-based AML controls. It involves checking clients, beneficial owners, and connected parties for political exposure and against the UK Sanctions List, so the firm can assess risk, apply enhanced due diligence where needed, and identify relationships that may need to be refused or escalated.
PEP screening and sanctions screening are operationally and legally distinct controls. PEP obligations sit under the Money Laundering Regulations 2017 (regulation 35), enforced by the firm’s accountancy AML supervisor. Sanctions obligations sit under the Sanctions and Anti-Money Laundering Act 2018, enforced by the Office of Financial Sanctions Implementation (OFSI) on a strict-liability basis. The two checks address different risks, follow different sources, and trigger different responses. Treating them as a single control — or attributing sanctions obligations to the MLRs — is one of the most consequential AML process errors in accountancy practice.
This guide explains each control separately, covers the practical workflow from onboarding through ongoing monitoring, and shows how software can support consistent, auditable controls without overstating what technology alone can achieve. Screening reduces risk; the firm’s governance, judgement, and records determine whether that risk reduction is adequate.
Sources: Money Laundering Regulations 2017 (as amended); Sanctions and Anti-Money Laundering Act 2018; FCA FG25/3 — Treatment of politically exposed persons (PEPs) (July 2025); CCAB AML Guidance for the Accountancy Sector (January 2026); HM Treasury / Home Office National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA 2025) — in which the accountancy sector continues to be rated high risk for money laundering; OFSI guidance and the UK Sanctions List at gov.uk/government/publications/the-uk-sanctions-list.
What Is a Politically Exposed Person in the UK?
A politically exposed person (PEP) is, in the words of regulation 35(12)(a) of the Money Laundering Regulations 2017, “an individual who is, or has been, entrusted with a prominent public function.” PEP status is not a criminal designation; it is a risk indicator. The heightened scrutiny exists because individuals in positions of public trust have a greater capacity to be involved in bribery, corruption, or the misuse of public funds.
Under the Regulations, there are three PEP categories, plus the category of family members and known close associates. The FCA’s revised finalised guidance on the treatment of PEPs for AML purposes, FG25/3 (July 2025), provides the current authoritative position on proportionate treatment, particularly the differentiated risk approach between domestic and foreign PEPs. While FG25/3 is FCA guidance directed at FCA-regulated firms, its principles are widely referenced by accountancy supervisors as a benchmark for what proportionate risk-based PEP treatment looks like in practice.
The three PEP categories
Foreign PEPs are individuals who hold or have held a prominent public function in a country outside the UK. This includes heads of state and government, senior ministers, members of parliaments and equivalent legislative bodies, members of supreme courts or equivalent judicial bodies, members of courts of auditors or central banks, ambassadors and high-ranking military officers, directors of state-owned enterprises, and members of the governing bodies of international organisations. Foreign PEPs are treated as inherently higher risk than domestic PEPs.
Domestic PEPs are individuals who hold or have held equivalent positions within the UK. Following the December 2023 amendment to the Money Laundering Regulations (effective 10 January 2024), UK domestic PEPs are treated as inherently lower risk than foreign PEPs in the absence of other risk factors. FCA FG25/3 (July 2025) confirms the proportionality principle: enhanced due diligence for domestic PEPs should reflect the actual risk presented, not a uniform application of the same scrutiny that would apply to a high-risk foreign PEP. The obligation to identify PEP status and apply enhanced scrutiny is not removed; the level of that scrutiny is calibrated accordingly.
International organisation PEPs hold or have held a prominent function in an international organisation — for example, a major role at the United Nations, the International Monetary Fund, or the World Bank. These are assessed on a risk-based basis, considering the organisation’s nature and the individual’s role and current influence.
Family members and known close associates
The Regulations extend PEP-related scrutiny to two connected categories. Family members include the PEP’s spouse or civil partner, the PEP’s children and their spouses or partners, and the PEP’s parents. Known close associates (RCAs) include persons known to have joint beneficial ownership of a legal entity or arrangement with the PEP, known to be in a close business relationship with the PEP, and persons known to be the sole beneficial owner of an entity that was established for the benefit of the PEP.
In practice, identifying RCAs requires active enquiry. A beneficial ownership structure that places control in the hands of a business partner who is an RCA of a foreign PEP may not be self-evident from the initial onboarding information. Firms should treat beneficial ownership verification and PEP screening as interconnected, not sequential, controls.
How long does PEP status remain relevant?
Regulation 35(12)(a) defines a PEP as a person who “is, or has been, entrusted with a prominent public function.” There is no statutory time limit. The previous version of this guide referenced a 12-month period after the individual leaves office; that framing was incorrect and has been removed. The Regulations contain no such limit.
The correct position is that PEP status, once acquired, remains a relevant risk consideration on a risk-based assessment for as long as the individual continues to present an elevated risk profile by reason of their former public function. The assessment must be specific to the individual: their seniority, the nature of the role they held, their continuing influence, their connections, and the jurisdiction in which they served are all relevant factors. A senior minister of a high-risk jurisdiction who left office five years ago may still warrant enhanced scrutiny. A junior official from a low-risk jurisdiction who left office two years ago may not.
What the firm must do is document the risk decision. Where the firm concludes that the individual no longer warrants treatment as a PEP, that conclusion should be supported by a written risk assessment that explains the reasoning. A mechanical exit rule, applied to all former public-function holders after a uniform period, is not a risk-based approach and will not survive supervisory scrutiny.
✅ Correction note
Regulation 35(12)(a) MLR 2017 places no time limit on PEP status. The phrase “is, or has been, entrusted with a prominent public function” is open-ended. Firms must assess on an ongoing risk-based basis, with documented reasoning where they conclude that former PEP status is no longer relevant. Any guidance — internal or external — that suggests a fixed 12-month or other uniform cut-off should be updated.
How Sanctions Screening Differs from PEP Screening
PEP screening and sanctions screening address different risks under different legal frameworks. They are not variants of the same control. Conflating them — in policy documentation, in software workflow design, or in staff training — produces both over-escalation of PEP alerts and under-escalation of sanctions matches. Each error has its own consequence; the second is potentially criminal.
| | PEP screening | Sanctions screening |
| --- | --- | --- |
| Legal basis | Money Laundering Regulations 2017, regulation 35 | Sanctions and Anti-Money Laundering Act 2018 and specific sanctions regulations |
| Enforcement model | Accountancy AML supervisor (e.g. ICAEW, ACCA, AAT, HMRC) — supervisory body action against the firm | OFSI — strict liability framework; enforcement against the firm and potentially individuals |
| What it identifies | Political exposure and associated corruption risk | Formal legal designations: financial sanctions, asset freezes, restrictions on dealings |
| Status of the client | Higher risk — not prohibited | Designated — dealings restricted or prohibited; criminal liability for breach |
| Required response | Enhanced due diligence; senior management approval; documented risk decision | Do not proceed until status is verified; legal advice; potential SAR / OFSI report; consider tipping off rules |
| Authoritative source | PEP databases; manual verification; beneficial ownership research; FCA FG25/3 (July 2025) for proportionality | The UK Sanctions List (gov.uk); UN Security Council sanctions lists |
A client can be a PEP without being sanctioned. A client can be sanctioned without being a PEP. In some cases, the same individual may appear on both. In that situation the sanctions position takes precedence in determining whether the firm can act. Firms should not assume that passing a PEP check means there is no sanctions exposure, or vice versa.
The consequences of proceeding with a sanctioned client are materially more serious than the consequences of proceeding with a PEP without adequate enhanced due diligence. OFSI operates a strict-liability framework: the firm does not need to have known about the designation to be in breach. The civil monetary penalty regime applies to the firm and, in serious cases, to individuals. Criminal prosecution is available for the most serious breaches. Failure to apply EDD to a PEP, by contrast, is a breach of the MLRs that is enforced by the firm’s accountancy AML supervisor, with consequences ranging from supervisory observations and sanctions through to fines or, in the most serious cases, removal of practising privileges.
UK Sanctions Lists Accountants Should Screen Against
The UK Sanctions List is the consolidated list of all individuals, entities, and ships subject to financial sanctions under UK law. Published by OFSI on GOV.UK, it is the sole authoritative source for UK sanctions screening.
⚠️ Important update: the OFSI Consolidated List closed on 28 January 2026
Until early 2026, OFSI maintained the Consolidated List of Financial Sanctions Targets as a separate resource. That list was closed on 28 January 2026. The UK Sanctions List is now the sole authoritative source for UK financial sanctions designations. Firms whose screening configuration or vendor data feed still references the Consolidated List should update to the UK Sanctions List immediately. Policy documentation, staff training, and audit-trail templates should be reviewed to remove any residual references to the Consolidated List by name.
In addition to the UK Sanctions List, the following sources are relevant to a UK accountancy firm’s screening:
- The UN Security Council sanctions lists: the UK implements UN Security Council sanctions as a matter of international law. Most UN designations are reflected in the UK Sanctions List, but screening against the UN list directly provides additional assurance and supports international engagement scenarios.
- Other lists relevant to the firm’s client base and risk profile: firms with clients who have connections to specific jurisdictions, sectors, or international counterparties should assess whether additional screening sources are warranted given their specific risk profile. This is a risk-based decision, not a universal requirement.
- A specific note on OFAC: the Office of Foreign Assets Control is a US government agency that administers and enforces US economic and trade sanctions. OFAC designations are not UK legal requirements. However, they are relevant where a firm has clients, counterparties, or business arrangements with a US nexus — for example, where a transaction involves US-dollar payments, US entities, or clients operating in the US market. Presenting OFAC screening as a universal obligation for all UK accountancy firms would be inaccurate; it is a consideration only where the firm’s client profile creates genuine US exposure.
Sanctions designations change frequently. The UK Sanctions List is updated as designation decisions, delistings, and amendments are made. Firms should ensure that their screening tools or vendor configurations are reading the live UK Sanctions List feed and should have a process for identifying when a previously clear client becomes designated between screening cycles.
What Should Be Screened?
One of the most common weaknesses in accountancy firm screening processes is screening only the named client and treating that as a complete check. The Money Laundering Regulations require firms to identify and verify beneficial ownership, which means the screening obligation extends to the individuals and entities that control or benefit from the client, not just the client itself.
The population that should be screened as part of a complete check includes:
- New clients at onboarding — before the engagement begins and before the client receives any services
- Existing clients on a periodic basis — proportionate to risk; higher-risk clients more frequently
- Beneficial owners — individuals who own or control more than 25% of an entity, or who otherwise exercise effective control
- Directors and officers — where they form part of the control structure or are relevant to the risk assessment
- Trustees and partners — where the engagement involves a trust or partnership structure
- Authorised signatories — particularly where they are not the same as the beneficial owner
- Known close associates and family members — where PEP exposure has been identified in the client structure
- Clients or entities affected by ownership, control, or role changes — where a change in circumstances creates new screening obligations
The scope of screening should also reflect the engagement type. A firm providing company formation services has a higher inherent risk profile than one preparing annual accounts for a low-complexity sole trader. The NRA 2025 continues to rate the accountancy sector as high risk for money laundering, with company formation and trust services among the activities of particular concern. The risk-based approach requires the firm to calibrate both the breadth of screening and the frequency of rescreening to the risk level of each client relationship.
See The Ultimate Client Due Diligence (CDD) Checklist for UK Accountants for the full structured CDD workflow, including verification steps for beneficial ownership.
The Workflow: When and How to Screen
At onboarding
Screening should be completed before the firm accepts the engagement, not after the first piece of work has been delivered. The purpose is to inform three interconnected decisions: whether the firm can act for this client at all, what level of due diligence the relationship requires, and whether enhanced checks apply before the engagement begins.
The sequence at onboarding should be:
- Identify all individuals and entities requiring screening — named client, beneficial owners, directors, trustees, authorised signatories.
- Screen against the UK Sanctions List — before proceeding with any element of the engagement. Screen the UN Security Council list and other risk-based sources as required.
- Screen against PEP databases — to identify political exposure in the client group.
- Assess the risk profile — in the context of the client’s jurisdiction, business activity, and the services being provided.
- Determine the due diligence level — standard, enhanced (per regulation 35 for PEPs), or simplified where criteria are met.
- Document the outcomes — including the screening sources used, the date of the checks, the results, and any decisions made on the basis of those results.
During the engagement
Screening is not a one-time exercise at onboarding. The obligation to monitor the client relationship on an ongoing basis includes a requirement to rescreen when circumstances change and to conduct periodic rescreening based on the firm’s risk-based assessment of how frequently each client category should be checked.
Trigger-based rescreening should occur when:
- Ownership or control of the client entity changes
- New beneficial owners or directors are identified
- The client’s geographic footprint changes, particularly into higher-risk jurisdictions
- The nature of the instructions changes materially, suggesting a different risk profile
- Adverse information is identified through media monitoring or client interaction
- An existing client’s role or public function changes in a way that may create PEP status
Periodic rescreening intervals should be set proportionately: higher-risk clients may require quarterly rescreening; lower-risk clients may need an annual review. The intervals should be documented in the firm’s business-wide risk assessment and applied consistently across the client portfolio. An approach that rescreens clients inconsistently, or that relies on fee-earner memory to identify changes, will produce gaps that a supervisory visit or file review will identify.
When a match appears
A screening alert is not the same as a confirmed match. Most screening systems produce false positives, particularly for common names or names that share characteristics with designated individuals. The alert management process is operationally critical: too many escalations of false positives overwhelm the MLRO and create fatigue that reduces the quality of genuine match assessments; too many dismissed alerts create compliance risk.
The process when a match appears should follow this sequence:
- Review the alert carefully before dismissing or escalating. Compare available identifiers: full name (including transliteration variants for non-Latin-script names), date of birth, nationality, address history, role or function, and entity structure.
- Check for clear differentiators that confirm a false positive: a different date of birth, a different nationality, a confirmed different role, or an entity structure that does not match the designated party. Document the basis for the false positive decision explicitly.
- Where the match cannot be clearly resolved as a false positive, escalate to the MLRO or the designated senior reviewer. Do not proceed with the engagement or continue client contact while the assessment is in progress.
- For confirmed or probable PEP matches, initiate enhanced due diligence. Obtain senior management approval. Do not treat the PEP identification as a reason for automatic refusal.
- For confirmed or probable sanctions matches, do not proceed. Seek legal advice where appropriate. Consider whether the circumstances require a Suspicious Activity Report to the NCA and/or a report to OFSI.
- Apply tipping-off restrictions — see the dedicated section below. Once a SAR has been filed, or once the firm has formed a suspicion that should lead to a SAR, communicating that fact to the client creates separate criminal exposure.
- Document all decisions — false positive dismissals and confirmed matches alike, the steps taken, the individuals involved in the decision, and the outcome. This record is the firm’s defence in any subsequent review.
Tipping off: a separate criminal offence
Where a firm forms a suspicion that should lead to a Suspicious Activity Report, or has filed a SAR with the National Crime Agency, communicating that fact to the client creates a separate criminal offence under section 333A of the Proceeds of Crime Act 2002. The offence is committed where a person in the regulated sector discloses information that is likely to prejudice an investigation that is or may be conducted following the SAR. The maximum penalty on conviction on indictment is two years’ imprisonment, a fine, or both.
In practice this means that when a sanctions or PEP screening process surfaces a match serious enough to trigger SAR consideration, the firm cannot:
- Tell the client that a SAR has been filed, or that one is being considered
- Explain to the client why the engagement is being delayed, declined, or terminated, where the explanation would disclose the existence of a suspicion or investigation
- Suggest to the client that they seek services elsewhere in terms that could constitute a disclosure of the suspicion
- Discuss the SAR or its content outside the narrow set of permitted disclosures under POCA 2002
The narrow exceptions to the tipping-off offence include disclosures to the firm’s supervisor, to the NCA, to legal advisers in connection with related legal advice, and within the firm where the disclosure is for the purposes of preventing money laundering. Communicating with the affected client is not within those exceptions. Firms whose escalation playbook does not include tipping-off awareness for fee-earners and partners are exposed every time a match is escalated.
🚫 Tipping off in plain terms
- Section 333A POCA 2002 makes it a criminal offence to disclose to a client that a SAR has been or is being considered, where that disclosure may prejudice an investigation.
- Maximum sentence on indictment: two years’ imprisonment, a fine, or both.
- The offence applies to individuals, not just firms. Fee-earners and partners are personally exposed.
- Train every member of staff who can have direct client contact — not just the MLRO.
What Enhanced Due Diligence Looks Like
Enhanced due diligence is not a fixed checklist. Regulation 35 requires EDD measures to be proportionate to the specific risks presented by the individual or situation. Where a domestic PEP with no other risk factors is identified, a proportionately lighter EDD approach may be justifiable under the December 2023 amendment and the principles articulated in FCA FG25/3. Where a foreign PEP with complex offshore ownership and high-risk jurisdiction connections is identified, comprehensive EDD is required. The firm must be able to explain why the level of scrutiny applied was appropriate to the specific risk.
The practical measures expected as part of EDD for a PEP or elevated risk relationship include:
- Senior management approval: written approval from a partner, director, or MLRO before the relationship is accepted or continued. The approver should be senior enough that the approval is meaningful, not a formality.
- Source of wealth verification: enquiry into how the individual has accumulated their overall wealth, with supporting documentation where appropriate. A self-certified statement from the client is generally insufficient on its own for a higher-risk relationship.
- Source of funds checks: verification of the origin of the specific funds or assets involved in the engagement or transaction, proportionate to the services being provided.
- Enhanced ongoing monitoring: more frequent rescreening, more detailed review of transactions and instructions, and active attention to changes in the client’s circumstances.
- Documented risk rationale: a clear written record of why the firm accepted the relationship, what risk mitigants were identified, what conditions or restrictions apply to the engagement, and what monitoring arrangements are in place.
A PEP relationship that is accepted without documentation of the risk decision is, from a supervisory perspective, the same as a PEP relationship accepted without any EDD at all. The documentation is not a separate compliance step; it is the evidence that the EDD was genuinely applied. If a supervisor cannot see it in the file, the supervisor’s working assumption will be that it did not happen.
Important: a PEP is not automatically a refused client
PEP status indicates higher risk, not prohibited activity. The Regulations require enhanced scrutiny, senior approval, and documented decision-making — not automatic refusal. Treating every PEP as a declined engagement is not a compliant risk-based approach. It is an over-cautious response that may itself attract supervisory attention if it produces a consistent pattern of de-risking without risk assessment. FCA FG25/3 (July 2025) addresses this point directly: proportionate treatment is the standard, not blanket refusal.
Common Screening Mistakes
The following failures appear regularly in supervisory file picks and AML compliance reviews. Each is identifiable in practice and each is preventable with structured controls.
- Screening only the named client and not beneficial owners or controllers: the most widespread gap. Where a corporate client is screened but its 40% beneficial owner is not, the check is structurally incomplete regardless of its technical accuracy.
- Failing to detect transliteration name variants: designated individuals from non-Latin-script jurisdictions (Russian, Arabic, Mandarin) frequently appear with multiple acceptable transliterations of the same name. A screening system that only matches against one Latin-script rendering will miss valid sanctions matches. This is not theoretical: it has been the cause of recent OFSI enforcement action.
- Failing to distinguish PEP matches from sanctions matches: treating both as the same type of alert, and applying the same response, means firms either over-escalate PEP alerts (creating unnecessary work) or under-escalate sanctions alerts (creating legal risk under SAMLA 2018).
- Relying on outdated screening sources or referencing the closed OFSI Consolidated List: the UK Sanctions List is now the sole source. Firms still configured against the Consolidated List, or relying on a vendor feed that has not migrated, are screening against a source that is no longer authoritative.
- Not rescreening after ownership or role changes: a client who was clean at onboarding may have become a PEP or been sanctioned since. Periodic rescreening and trigger-based rescreening are separate requirements; firms often apply one without the other.
- Poor record-keeping on false positive dismissals: dismissing an alert without documenting the basis creates a compliance gap. If the same match appears again, or if the supervisory body requests to see how alerts were handled, an undocumented dismissal is indistinguishable from a missed alert.
- Treating every PEP as an automatic refusal: as noted above, auto-declining PEP clients is not a compliant approach. It substitutes a de-risking rule for a risk assessment, which supervisors will challenge.
- PEP review not escalated to the MLRO: a fee-earner or onboarding administrator clearing an alert without MLRO review, particularly for borderline or complex matches, leaves the firm without the senior oversight the regulations require.
- Using a manual process that cannot scale or sustain consistency: a screening process that works for ten clients will fail for a hundred. As the client portfolio grows, the error rate in manual processes tends to increase while the time available per client decreases. Structural inconsistency is itself a compliance risk.
A Practical Example
Two scenarios illustrate how the screening process works in practice. The first is a structured worked example; the second is a recent real-world enforcement case that shows what can go wrong.
Worked example: new corporate client with a domestic PEP beneficial owner
Scenario walkthrough
Step 1 — Onboarding identification:
A UK accountancy firm receives an instruction to provide tax advisory services to a newly incorporated UK limited company. As part of CDD, the firm identifies all beneficial owners holding more than 25% of shares. One beneficial owner is identified as a recently retired local authority chief executive.
Step 2 — PEP screening:
The beneficial owner is screened against the firm’s PEP database. A match is returned. The individual is confirmed as a UK domestic PEP under regulation 35 MLR 2017.
Step 3 — Sanctions screening:
The beneficial owner, the company, and other directors are screened against the UK Sanctions List and the UN Security Council lists. No match is found.
Step 4 — Risk assessment:
The individual is a domestic PEP. Under the December 2023 amendment to MLR 2017, and consistent with FCA FG25/3 (July 2025), domestic PEPs are treated as inherently lower risk than foreign PEPs in the absence of other risk factors. No adverse media is identified. The individual’s role was in local government with no connection to the proposed advisory engagement. Risk is assessed as elevated but manageable.
Step 5 — Enhanced due diligence:
The firm requests and obtains information on the beneficial owner’s source of wealth. Documentation is reviewed and retained on file. Senior partner approval is obtained in writing before the engagement is accepted.
Step 6 — Acceptance with monitoring conditions:
The relationship is accepted. A six-monthly rescreening schedule is set for the beneficial owner. The file records the PEP identification, the risk assessment rationale, the EDD steps taken, the approval obtained, and the monitoring schedule.
Outcome: the firm has applied a proportionate, documented, risk-based approach. The relationship is accepted with appropriate controls, not refused by default.
Real-world reference: Bank of Scotland (OFSI penalty, January 2026)
In January 2026, OFSI imposed a £160,000 monetary penalty on Bank of Scotland for sanctions screening and PEP review failures. The case illustrates two specific weaknesses that recur in screening processes across regulated sectors and that are directly relevant to accountancy practices despite the case involving a banking institution.
The first failure was the screening system’s inability to detect transliteration variants of names from non-Latin-script jurisdictions. A designated individual whose name could be rendered in multiple Latin-script transliterations passed through the screening process because the firm’s configuration matched only against one transliteration. This is a configuration and vendor-feed issue that any UK firm screening clients from Russian, Arabic, or other non-Latin-script-origin jurisdictions should review against its own systems.
The second failure was that a PEP-related review was not escalated to the appropriate decision-maker. The alert was generated, but the escalation pathway broke down, and the engagement proceeded without the senior review that the firm’s policy required. This is an operational governance issue rather than a system issue — and is a failure mode that supervisory bodies look for specifically in file reviews.
For accountancy practices, the takeaways are concrete:
- Confirm that the firm’s screening configuration includes transliteration variants for clients connected to non-Latin-script jurisdictions, and that the vendor feed supports this capability
- Map the escalation pathway for PEP and sanctions matches, document it in the AML procedures manual, and test it with the team responsible
- Audit a sample of recent screening events to verify that escalation actually occurred in the cases where the policy required it
- Ensure that the MLRO has visibility of escalation completion rates, not just escalations initiated, so that gaps between alert and decision are identified in time
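The transliteration failure described above and the alert-handling sequence under "When a match appears" can be shown together in code. The Python below is an added example, not code from this guide, from IRIS Elements, or from any screening vendor. The folding rules, the fictitious names, the sample list entries, and the outcome labels are all constructed assumptions.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed folding rules (an assumption, not a standard): spellings that
# romanisation schemes commonly use for the same sound collapse to one key.
FOLDS = [("kh", "h"), ("ou", "u"), ("yu", "u"), ("iu", "u"), ("ju", "u"),
         ("ya", "a"), ("ia", "a"), ("ja", "a"), ("y", "i"), ("j", "i")]


@dataclass(frozen=True)
class Party:
    name: str
    dob: Optional[str] = None          # ISO date; None when not yet obtained
    nationality: Optional[str] = None


@dataclass(frozen=True)
class ListEntry(Party):
    list_type: str = "sanctions"       # "sanctions" or "pep"


# Constructed sample entries with fictitious names; not taken from any real list.
SAMPLE_LIST = [
    ListEntry("Yuriy Primerov", "1961-02-09", "RU", "sanctions"),
    ListEntry("Helena Musterfrau", "1958-11-30", "DE", "pep"),
]


def exact_match(a, b):
    """Baseline that matches one rendering only (the failure mode)."""
    return a.strip().lower() == b.strip().lower()


def fold_key(name):
    """Order-independent comparison key that tolerates romanisation variants."""
    text = unicodedata.normalize("NFKD", name.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = []
    for tok in "".join(c if c.isalpha() else " " for c in text).split():
        for old, new in FOLDS:
            tok = tok.replace(old, new)
        # Collapse doubled letters left by folding ("urii" -> "uri").
        tok = "".join(c for i, c in enumerate(tok) if i == 0 or c != tok[i - 1])
        tokens.append(tok)
    return " ".join(sorted(tokens))


def names_match(a, b, threshold=0.9):
    ka, kb = fold_key(a), fold_key(b)
    return ka == kb or SequenceMatcher(None, ka, kb).ratio() >= threshold


def screen(subject, entries=SAMPLE_LIST):
    """Return one documented alert record per name hit."""
    alerts = []
    for entry in entries:
        if not names_match(subject.name, entry.name):
            continue
        # A differentiator counts only when both sides hold the identifier.
        basis = []
        for field in ("dob", "nationality"):
            ours, theirs = getattr(subject, field), getattr(entry, field)
            if ours and theirs and ours != theirs:
                basis.append(f"{field} differs: {ours} vs {theirs}")
        if basis:
            outcome = "false_positive"
            action = "record the basis and the reviewer on the client file"
        elif entry.list_type == "sanctions":
            outcome = "escalate_mlro"
            action = "do not proceed until status is verified"
        else:
            outcome = "escalate_mlro"
            action = "enhanced due diligence and senior approval; not automatic refusal"
        alerts.append({"subject": subject.name, "listed_as": entry.name,
                       "list_type": entry.list_type, "outcome": outcome,
                       "basis": basis, "action": action})
    return alerts


if __name__ == "__main__":
    for party in (Party("Iurii Primerov", "1961-02-09", "RU"),
                  Party("PRIMEROV, Yuri", "1985-06-02", "RU"),
                  Party("Helena Musterfrau")):
        print(exact_match(party.name, SAMPLE_LIST[0].name), screen(party))
```

A hit with no date of birth on file cannot be cleared by a differentiator, so it is routed to the MLRO rather than dismissed.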
How Software Supports Screening
The operational burden of maintaining consistent PEP and sanctions screening across an active client portfolio is significant. Onboarding new clients, rescreening existing ones on a risk-based schedule, managing alerts, documenting decisions, and maintaining a retrievable audit trail for each client relationship requires a workflow that manual processes cannot sustain reliably at scale.
Software does not make compliance decisions. The risk assessment, the EDD steps, and the decision to accept or decline a relationship remain the firm’s responsibility. What well-configured software does is reduce the gap between policy and practice: it applies screening consistently, it surfaces matches that manual review might miss or delay, and it creates the record that demonstrates to a supervisor that the process was followed.
IRIS Elements supports PEP and sanctions screening workflows in the following specific ways:
- Consistent screening at onboarding: the onboarding workflow enforces the completion of screening checks before the client record can be moved to an active status, removing the risk that a fee-earner skips or defers a check in a busy period.
- Rescreening support and monitoring schedules: the platform supports the configuration of periodic rescreening intervals by risk category, surfacing clients due for review and maintaining a record of when each screening cycle was completed.
- Alert management and documented decisions: when a match is returned, the platform provides a structured workflow for reviewing, assessing, and documenting the outcome. False positive dismissals are recorded with the identifiers that support the decision; confirmed matches are escalated with a timestamped record.
- Escalation visibility: the platform tracks alerts from initiation through to senior review and decision, allowing the MLRO to identify alerts that have been raised but not closed — the specific governance gap exposed in the Bank of Scotland case.
- Audit trail for supervisory review: every screening event, alert decision, EDD step, and approval is recorded in the client record in a format that can be retrieved and exported for a supervisory visit, file pick, or compliance self-assessment.
- Integration with the wider CDD workflow: screening records sit within the client’s full CDD file in IRIS Elements, alongside beneficial ownership verification, risk ratings, and ongoing monitoring notes, rather than in a separate system that must be cross-referenced manually.
Firms evaluating software for AML workflow support should assess not only what the screening tool does but whether it integrates with the practice’s existing CDD and onboarding process. A screening tool that operates in isolation from the broader client record creates exactly the kind of fragmented audit trail that supervisors are most likely to find inadequate.
The 2026 Enforcement Landscape
Two regulatory developments in early 2026 have changed the consequence profile of sanctions and PEP compliance failures.
On 9 February 2026, OFSI published updated enforcement guidance setting out a new penalty framework and a settlement scheme. Under the new framework, the proposed maximum civil monetary penalty for a sanctions breach is doubling to £2 million or 100% of the value of the breach, whichever is higher. The settlement scheme provides a structured route for firms that engage cooperatively with OFSI to resolve enforcement matters on agreed terms, with discount mechanisms recognising the quality of the firm’s cooperation and remediation. Firms should treat the updated guidance as the current OFSI position and review their sanctions controls against it.
Separately, the National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA 2025), published jointly by HM Treasury and the Home Office, continues to rate the accountancy sector as high risk for money laundering. The NRA identifies company formation services, trust and company services, and complex international structuring as areas of particular concern. For accountancy practices, the NRA’s sector risk rating is the baseline against which supervisory expectations and the firm’s own business-wide risk assessment are calibrated.
Taken together, these developments signal that the enforcement environment is becoming more proactive and the consequences of failure are increasing. This is not the moment for accountancy practices to be running screening on processes that worked acceptably two years ago.
PEPs & Sanctions Screening: Frequently Asked Questions
How long does someone remain a PEP?
There is no statutory time limit on PEP status. Regulation 35(12)(a) of the Money Laundering Regulations 2017 defines a PEP as “an individual who is, or has been, entrusted with a prominent public function.” That phrasing is open-ended. There is no automatic point at which PEP status expires.
The correct approach is risk-based, ongoing assessment. A firm should consider how senior the individual’s former role was, how long ago they left it, whether they retain influence or connections from that role, and the risk profile of the jurisdiction in which they served. Where the firm concludes that PEP status is no longer relevant, that conclusion must be supported by a documented risk assessment explaining the reasoning. A mechanical exit rule applied uniformly to all former public-function holders is not a risk-based approach.
What is the difference between a PEP and a sanctioned individual?
PEP and sanctions screening operate under different legal frameworks and produce different responses. PEP obligations sit under regulation 35 of the Money Laundering Regulations 2017 and are enforced by the firm’s accountancy AML supervisor. PEP status indicates higher risk; it triggers enhanced due diligence but does not prohibit the firm from acting. The firm must assess the risk, apply proportionate EDD, obtain senior management approval, and document the decision.
Sanctions obligations sit under the Sanctions and Anti-Money Laundering Act 2018 and are enforced by OFSI on a strict-liability basis. A sanctions designation typically restricts or prohibits the firm from dealing with the designated individual or entity. Proceeding with a sanctioned client in a way that breaches the applicable restriction is a criminal offence under SAMLA 2018, with civil monetary penalties and potential criminal prosecution available to OFSI. The two checks address different risks, require different sources, and require different responses when a match is found.
Do I need to screen existing clients as well as new ones?
Yes. The obligation to conduct ongoing monitoring of business relationships under the Money Laundering Regulations includes maintaining up-to-date knowledge of the client’s status, ownership, and risk profile. This encompasses rescreening existing clients on a periodic basis, proportionate to their risk level, and trigger-based rescreening when something material changes — such as a change in ownership, a change in the client’s public role, adverse media, or a change in the nature of the instructions.
Firms that screen thoroughly at onboarding but apply no structured rescreening process to existing clients will accumulate stale files over time. A client who was screened and cleared two years ago may have since become a PEP, been designated under a sanctions regime, or changed their beneficial ownership structure. The supervisory view is that compliance is assessed at the time of the review, not at the point of original onboarding.
What should I do if my software flags a false positive?
Review the alert carefully before dismissing it. Compare the available identifiers: full name (including transliteration variants where the name originates in a non-Latin script), date of birth, nationality, address or location history, and role or function. A false positive can be confirmed where there are clear and unambiguous differentiators that establish the match is a different individual from the designated party. Common differentiators include a different date of birth, a confirmed different nationality, or a clearly documented different role.
Document the basis for the false positive decision explicitly in the client record. The documentation should record which identifiers were compared, what the distinguishing information was, who made the assessment, and when. An undocumented false positive dismissal is indistinguishable from a missed alert in a subsequent supervisory review. Where the identifiers are insufficient to confirm a false positive with confidence, escalate to the MLRO for a more detailed assessment rather than dismissing the alert on the basis of an incomplete review.
Can I act for a PEP client?
Yes. PEP status is not a prohibition on acting. It is a risk indicator that triggers a more demanding compliance process, not an automatic ground for refusal. The Money Laundering Regulations require firms to apply enhanced due diligence, obtain senior management approval, understand the source of wealth and source of funds where relevant to the engagement, and conduct enhanced ongoing monitoring. All of these steps must be documented.
Treating PEPs as automatically declined clients is not a compliant risk-based approach. The obligation is to assess the specific risk, apply proportionate EDD, make a defensible documented decision, and monitor the relationship appropriately. FCA FG25/3 (July 2025) explicitly addresses this point, confirming that proportionate treatment is the standard and that blanket refusal of PEPs is inconsistent with the risk-based approach the regulations require. A practice that refuses all PEP engagements without individual risk assessment may find that approach difficult to justify to a supervisory body, particularly where the refusals involve domestic PEPs who are treated as inherently lower risk than foreign PEPs in the absence of additional risk factors.
