What is the difference between CDD and EDD?
Quick answer
CDD is the baseline due diligence every customer receives: verify identity, identify beneficial owners, and understand the relationship. EDD applies to high-risk customers (foreign PEPs, cross-border correspondent banks, and anyone the bank's own risk assessment rates as higher risk) and adds source-of-wealth verification and senior management approval. FATF Recommendations 10, 12, and 13 govern both.
The full answer
Customer Due Diligence (CDD) is the floor of Know Your Customer (KYC) obligations. Every customer at every regulated financial institution gets it. A demonstrably lower-risk customer may qualify for simplified measures within CDD (for example, verifying identity after account opening rather than before), but simplified due diligence reduces the extent of CDD; it never exempts the customer from it.
Under FATF Recommendation 10, CDD has four core requirements:
- Identify and verify the customer's identity using reliable, independent source documents
- Identify the beneficial owner and take reasonable measures to verify their identity
- Understand the nature and purpose of the business relationship
- Conduct ongoing monitoring of transactions and keep documentation current
In the US, the FinCEN CDD Final Rule (31 CFR Part 1010.230, effective May 2018) formalized beneficial ownership requirements for legal entity customers at a 25% ownership threshold plus a mandatory control-prong individual. For corporate customers, this means identifying the Ultimate Beneficial Owner (UBO) before the account opens.
Enhanced Due Diligence (EDD) applies when the risk level is elevated. It doesn't restart the process; it goes deeper on what CDD already collected, adding:
- Source-of-wealth verification (how the customer built their overall net worth, biographical not transactional)
- Source-of-funds corroboration (more rigorously evidenced than at standard CDD level)
- Senior management sign-off before establishing or continuing the relationship
- More frequent reviews (at least annually for high-risk customers, versus the 3-5 year cycle for standard CDD)
- Enhanced ongoing monitoring with lower transaction alert thresholds, additional adverse media sweeps, and documented rationale for risk acceptance
Some EDD triggers are mandatory. FATF Recommendation 12 requires enhanced measures for every foreign Politically Exposed Person (PEP), along with their family members and close associates, with no materiality threshold; for domestic PEPs and PEPs of international organisations, Recommendation 12 makes the enhanced measures risk-based, applied where the relationship is higher risk. FATF Recommendation 13 requires EDD for every cross-border correspondent banking relationship. For foreign PEPs and cross-border correspondents, a bank's own risk assessment doesn't factor in. EDD is mandatory.
Beyond mandatory triggers, the FATF risk-based approach requires banks to apply EDD wherever internal assessment flags elevated exposure. Common risk-based EDD triggers include:
- Customers from FATF grey-listed or high-risk jurisdictions
- Non-face-to-face onboarding
- Complex or layered corporate ownership structures
- High-risk business types: money service businesses, virtual asset service providers, casinos, arms dealers
- Unusually large or complex transactions with no apparent business purpose
Source of funds vs. source of wealth
This distinction is one of the most common EDD failures cited in examinations.
Source of funds is transactional. This $3 million wire originated from the settlement of a commercial property sale on a specific date, confirmed by the settlement statement and the wire confirmation from the closing attorney. Straightforward to document.
Source of wealth is biographical. How did this individual accumulate $30 million in assets? Through a business they built over 15 years? An inheritance? A series of property investments? EDD requires you to document and corroborate the answer, not just accept the customer's self-reported narrative. Tax returns, audited accounts, sale agreements, probate records: the documentation has to match the claimed wealth history.
A bank that traces every wire correctly but accepts "successful entrepreneur" as source-of-wealth documentation has an incomplete EDD file. That's the gap examiners test.
Why this matters
The gap between CDD and EDD is one of the most frequently cited deficiencies in BSA/AML enforcement.
In October 2024, TD Bank pleaded guilty to Bank Secrecy Act violations and agreed to pay more than $3 billion to the DOJ, FinCEN, and OCC. The consent orders specifically cited the bank's failure to apply adequate EDD to high-risk customers, including customers whose transaction patterns had already been flagged internally. It was the largest bank AML enforcement action in US history.
Banks typically handle mandatory EDD triggers adequately. PEP screening runs. Correspondent banking checklists exist. The gap is in risk-based EDD: the customer who runs a cash-intensive business in a high-risk jurisdiction, has a complex ownership structure, and recently opened accounts at three different institutions, without tripping any single mandatory rule. Banks relying only on bright-line triggers miss this category entirely.
Ongoing monitoring creates a second gap. EDD isn't a one-time file. A customer can be correctly onboarded with standard CDD and become EDD-eligible 18 months later because they took a government role, moved to a grey-listed jurisdiction, or their transaction volumes changed dramatically. Monitoring systems that can't flag changes in customer risk profile will leave EDD gaps in the portfolio even when initial onboarding was done right.
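The two gaps above, a customer who accumulates several risk-based factors without tripping any single mandatory rule, and a customer whose profile changes after onboarding, come down to how the risk-tiering logic is built. The following is an added example, not code from the original page or from any regulator or vendor: a hypothetical trigger evaluator in Python that keeps the two mandatory triggers separate from a cumulative risk-based score and re-scores a customer when the profile changes. The field names, weights, the score threshold, and the review intervals are assumptions standing in for values a bank would set in its own risk assessment.

```python
"""Hypothetical EDD trigger evaluation (illustrative, not a regulatory model).

Separates mandatory triggers (FATF R.12 foreign PEP, R.13 cross-border
correspondent) from cumulative risk-based factors, and re-scores a customer
after a profile change. Weights, threshold and review intervals are assumed.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Customer:
    customer_id: str
    foreign_pep: bool = False                 # mandatory trigger (FATF R.12)
    cross_border_correspondent: bool = False  # mandatory trigger (FATF R.13)
    jurisdiction: str = "standard"            # assumed labels: standard | grey_list | high_risk
    non_face_to_face: bool = False
    ownership_layers: int = 1                 # depth of the corporate ownership chain
    business_type: str = "standard"           # e.g. msb, vasp, casino, arms_dealer
    cash_intensive: bool = False
    accounts_opened_12m: int = 0              # accounts opened elsewhere in last 12 months (assumed data source)


# Assumed weights; a bank calibrates these in its own risk assessment.
WEIGHTS = {
    "high_risk_jurisdiction": 3,
    "grey_list_jurisdiction": 2,
    "non_face_to_face": 1,
    "layered_ownership": 2,
    "high_risk_business": 3,
    "cash_intensive": 2,
    "multi_bank_onboarding": 2,
}
EDD_SCORE_THRESHOLD = 5                       # assumed
HIGH_RISK_BUSINESS = {"msb", "vasp", "casino", "arms_dealer"}
REVIEW_INTERVAL = {"EDD": timedelta(days=365), "CDD": timedelta(days=3 * 365)}  # assumed cadence


def mandatory_triggers(c: Customer) -> list[str]:
    """Bright-line triggers: any hit forces EDD regardless of score."""
    hits = []
    if c.foreign_pep:
        hits.append("foreign PEP (FATF R.12)")
    if c.cross_border_correspondent:
        hits.append("cross-border correspondent (FATF R.13)")
    return hits


def risk_based_factors(c: Customer) -> list[str]:
    """Individually non-mandatory factors that accumulate toward EDD."""
    f = []
    if c.jurisdiction == "high_risk":
        f.append("high_risk_jurisdiction")
    elif c.jurisdiction == "grey_list":
        f.append("grey_list_jurisdiction")
    if c.non_face_to_face:
        f.append("non_face_to_face")
    if c.ownership_layers >= 3:
        f.append("layered_ownership")
    if c.business_type in HIGH_RISK_BUSINESS:
        f.append("high_risk_business")
    if c.cash_intensive:
        f.append("cash_intensive")
    if c.accounts_opened_12m >= 3:
        f.append("multi_bank_onboarding")
    return f


def classify(c: Customer) -> dict:
    """Return the tier plus the documented rationale examiners expect to see."""
    mand = mandatory_triggers(c)
    factors = risk_based_factors(c)
    score = sum(WEIGHTS[f] for f in factors)
    if mand:
        tier, basis = "EDD", "mandatory"
    elif score >= EDD_SCORE_THRESHOLD:
        tier, basis = "EDD", "risk-based"
    else:
        tier, basis = "CDD", "standard"
    return {"tier": tier, "basis": basis, "mandatory": mand, "factors": factors, "score": score}


def next_review(tier: str, last_review: date) -> date:
    return last_review + REVIEW_INTERVAL[tier]


def reassess(c: Customer, changes: dict, last_review: date):
    """Apply a profile change (from screening or monitoring) and report escalation."""
    before = classify(c)
    updated = replace(c, **changes)
    after = classify(updated)
    escalated = before["tier"] == "CDD" and after["tier"] == "EDD"
    return updated, after, escalated, next_review(after["tier"], last_review)


# Constructed sample customers (not real data).
GAP_CASE = Customer("C-1001", jurisdiction="grey_list", ownership_layers=3,
                    cash_intensive=True, accounts_opened_12m=3)
LOW_RISK = Customer("C-1002")
FOREIGN_PEP = Customer("C-1003", foreign_pep=True)

if __name__ == "__main__":
    for c in (GAP_CASE, LOW_RISK, FOREIGN_PEP):
        print(c.customer_id, classify(c))
    # LOW_RISK later takes a foreign government role: CDD file becomes EDD-eligible.
    _, after, escalated, due = reassess(LOW_RISK, {"foreign_pep": True}, date(2024, 1, 15))
    print("escalated:", escalated, "tier:", after["tier"], "next review:", due)
```

GAP_CASE is the customer from the paragraph above: no single mandatory rule fires, but four risk-based factors sum past the threshold, and the returned rationale records which ones. The `reassess` call is the second gap: the same evaluator runs on the updated profile, so a monitoring or screening event that changes a field can escalate a correctly onboarded CDD customer and shorten the review cycle.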
For institutions using AI-based transaction monitoring, EDD customer segmentation directly affects model calibration. Poorly defined risk tiers inflate false positive rates. A well-defined EDD population lets monitoring rules be tuned appropriately to that segment's expected behavior.
When EDD failures allow suspicious activity to go undetected, the downstream obligation is SAR filing. How long banks have to file a SAR after detecting suspicious activity is a separate obligation, but EDD gaps and SAR gaps tend to appear together in the same enforcement actions.
Examiners notice patterns. A systemic EDD deficiency is precisely the kind of finding that turns a routine exam into a targeted review. Understanding what triggers a regulatory exam is part of understanding why getting EDD right matters beyond individual account-level compliance.
Related questions
- What is a beneficial owner?
- Can AI be used for AML transaction monitoring?
- What percentage of AML alerts are false positives?
- How long do banks have to file a SAR?
- What triggers a regulatory exam?
Related concepts and regulations
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)
- Know Your Customer (KYC)
- FATF Recommendation 10: Customer Due Diligence
- FATF Recommendation 12: Politically Exposed Persons