On 8 July 2025, the FCA finally released its long-awaited final guidance on how firms should handle Politically Exposed Persons (PEPs), their family members, and close associates under the UK’s anti-money laundering (AML) regime. Long in the making, the guidance clarifies several grey areas, reflects recent changes to the Money Laundering Regulations, and signals a shift toward a more proportionate approach, especially for domestic PEPs.
But as recent enforcement shows, relaxing controls without proper oversight can lead to serious compliance failures. Just ask Monzo.
Remember Monzo? Ignoring red flags can cost millions
In July 2025, the FCA fined Monzo £21.1 million after it allowed thousands of customers to open accounts with blatantly fake or implausible addresses, including Buckingham Palace, 10 Downing Street, and even Monzo’s own office.
Why? Because Monzo disabled address verification, weakened onboarding checks, and still managed to onboard 34,000 high-risk customers after the FCA had explicitly restricted them from doing so.
It’s a perfect cautionary tale: when firms treat AML controls as admin rather than risk management, even the most obvious red flags can be missed, or ignored. That’s exactly the danger critics are pointing to in the FCA’s new PEP guidance.
What’s actually changed?
The finalised guidance doesn’t overhaul the rules, but it introduces several important clarifications and adjustments firms need to act on:
- UK PEPs = Lower risk by default
Firms are now expected to treat domestic PEPs as lower risk than foreign ones, unless other risk factors apply. Critics argue this could create blind spots, especially in high-influence roles.
- Senior management sign-off, not just MLROs
Approving a PEP relationship no longer needs MLRO involvement, so long as a suitably senior person handles it and oversight is maintained. Flexibility? Yes. But also a governance risk.
- Non-execs on government boards exempted
The FCA has clarified that non-executive board members of UK civil service departments should not automatically be treated as PEPs. This should cut down unnecessary due diligence but may also open loopholes if not carefully applied.
- Alignment with MLR updates
Reflects changes made to the Money Laundering Regulations in 2024, especially around proportionality and targeted EDD for PEPs and their associates.
Proportionality or political pressure?
Critics have not held back. Several AML professionals and commentators suggest the new guidance is more about appeasing political pressure than improving compliance outcomes. Financial crime advisor Abdulquddus Gbadamosi noted that “the guidance leans toward accessibility over robustness… True risk-based approaches require more transparency — not streamlined exemptions.”
Others point out that many UK PEPs pose real risk, especially when influence intersects with opaque networks, fast-tracked procurement (as seen during Covid), or lobbying pressure.
The risk is clear: treating all domestic PEPs as “low risk” might seem administratively easier, but it could encourage firms to ignore real warning signs, just as Monzo did.
What should firms do now?
- Recalibrate PEP risk models
Update your systems to treat domestic PEPs as lower risk only when no other factors indicate heightened exposure. Document the rationale.
- Update governance around sign-offs
If the MLRO won’t be the one signing off PEP relationships, define who will, and how they’ll stay accountable.
- Train approvers and onboarding teams
Everyone involved in client onboarding or PEP approval should understand the new expectations, including how to spot risks beyond formal titles.
- Audit current PEP files
Reassess whether EDD on existing UK PEPs is still warranted. If not, downgrade appropriately, but record the justification.
- Avoid the ‘Buckingham Palace’ mistake
Review your controls for verifying client identity and address data. If someone tries to onboard as the King, it shouldn’t make it past your first line of defence.
Turn guidance into action
This isn’t a relaxation of standards — it’s a challenge to apply them more intelligently. Risk-based doesn’t mean risk-free. The FCA wants firms to show judgement, not just tick boxes. But judgement requires training, oversight, and evidence.
In 2025, firms will be judged not just by whether they followed the rules, but whether they knew when not to rely on defaults.
Now’s the time to:
- Update risk frameworks
- Rethink sign-off and governance
- Retrain staff
- Document your new approach
Because “a risk-based approach” only works if you apply it well, and consistently.
Monzo missed the obvious. You can’t afford to.