White and black lists, also called positive and negative lists, are used for binary categorizations. Examples are spam filters against unwanted e-mails, but also the proscription lists of the Roman Empire, which named unpopular political opponents to be murdered. More recent are the lists published by the American President George Bush after the terrorist attacks on September 11, 2001. White and black lists can be combined in different ways: all positives without the negatives, and all negatives without the positives. In compliance, whitelisting is often used when periodically checking a customer base.
Despite its apparent simplicity, defining the criteria that must be fulfilled to whitelist a customer is a complex matter. From FINMA publications, it is evident that a relationship between the customer and an executive director of the bank is not recommended as a whitelisting criterion (see section 4.2.2 case E in “Sorgfaltspflichten der Schweizer Banken im Umgang mit Vermögenswerten von politisch exponierten Personen”, November 10, 2011). Furthermore, the policy “once whitelisted, always whitelisted” is not recommended either: the customer’s status may change, sanctions and PEP roles change all the time, and, last but not least, the matching criteria may change.
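
One way to avoid “once whitelisted, always whitelisted”, shown as an added example that is not from the original page or from any FINMA publication: a whitelist decision is bound to fingerprints of the customer data and of the list record, and to the version of the matching criteria, and it is honoured only while all three are unchanged. The field names, version strings and sample records are assumptions constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass


def fingerprint(record: dict) -> str:
    """Stable SHA-256 over a record, independent of key order."""
    canonical = json.dumps(record, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class WhitelistEntry:
    customer_id: str
    list_entry_id: str     # sanctions/PEP record that was cleared as a false positive
    customer_hash: str     # customer data as it was when the decision was taken
    list_entry_hash: str   # list record as it was when the decision was taken
    rules_version: str     # matching criteria in force when the decision was taken


def clear_hit(customer: dict, list_entry: dict, rules_version: str) -> WhitelistEntry:
    """Record a reviewer's decision that this customer/list-record match is a false positive."""
    return WhitelistEntry(customer["id"], list_entry["id"],
                          fingerprint(customer), fingerprint(list_entry), rules_version)


def stale_reasons(entry: WhitelistEntry, customer: dict, list_entry: dict,
                  rules_version: str) -> list:
    """Reasons the earlier clearance no longer covers this hit (empty list = still valid)."""
    reasons = []
    if fingerprint(customer) != entry.customer_hash:
        reasons.append("customer data changed")
    if fingerprint(list_entry) != entry.list_entry_hash:
        reasons.append("list record changed")
    if rules_version != entry.rules_version:
        reasons.append("matching criteria changed")
    return reasons


# Constructed sample data (hypothetical customer and PEP record).
customer = {"id": "C-1001", "name": "Anna Example", "country": "CH", "role": "teacher"}
pep_record = {"id": "PEP-77", "name": "Anna Example", "country": "XX", "position": "minister"}
entry = clear_hit(customer, pep_record, rules_version="2024-01")

if __name__ == "__main__":
    print(stale_reasons(entry, customer, pep_record, "2024-01"))
    print(stale_reasons(entry, dict(customer, country="XX"), pep_record, "2024-02"))
```

During a periodic check, a hit is suppressed only when `stale_reasons` returns an empty list; any other result sends the match back to manual review.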