Enhanced Due Diligence (EDD): Definition and Use in Compliance
Enhanced Due Diligence (EDD) is a KYC process that requires financial institutions to apply deeper scrutiny, senior management approval, and continuous monitoring to customers who present a higher risk of money laundering, terrorism financing, or financial crime.
What is Enhanced Due Diligence (EDD)?
EDD is the set of additional identity, ownership, and behavioral checks a financial institution must apply when a customer or transaction presents elevated money laundering or terrorism financing risk. Standard Customer Due Diligence (CDD) confirms who a customer is. EDD asks where their money came from, who ultimately controls the entity, and why they need this specific banking relationship.
The practical scope is wide. Politically Exposed Persons (PEPs) and their close associates trigger EDD automatically in most jurisdictions. So do customers from countries on the FATF's high-risk list: Iran, North Korea, and Myanmar are current examples as of the 2024 update. Correspondent banking relationships, private banking accounts above certain thresholds, and corporate structures with opaque ownership chains all fall under EDD requirements.
The distinction from standard CDD is depth of documentation and level of internal sign-off. Most national AML frameworks require senior management approval before a high-risk relationship can be established. In practice, that means an MLRO or Deputy MLRO reviewing the completed EDD file before onboarding proceeds. Some institutions require two signatories for the highest-risk cases.
Regulators in the UK, EU, and US don't prescribe a single EDD checklist. Instead, they require a documented, proportionate process with clear evidence that the institution understood the risk. The FCA's Financial Crime Guide describes EDD as requiring "additional checks on the customer, its business and its anticipated account activity," but leaves institutions to define the precise steps based on their risk assessment.
What matters to an examiner isn't whether an institution followed a specific form. It's whether the file contains enough documented evidence to show the institution made an informed judgment, asked the right questions, and escalated appropriately when the answers weren't satisfactory.
How is Enhanced Due Diligence (EDD) used in practice?
EDD workflows typically start with a risk score at onboarding. Most institutions combine customer-provided data, sanctions screening results, PEP database matches, and adverse media checks into a composite score. When that score crosses a defined threshold, the case routes to an EDD queue.
From there, the assigned analyst works through a structured checklist. For a corporate customer, this covers certified incorporation and constitutional documents, source of wealth declarations from each Ultimate Beneficial Owner (UBO), evidence of primary business activities including audited accounts, an explanation of why this specific institution was chosen, and a broader adverse media search, often covering ten years rather than the standard three.
For individual customers, the analyst distinguishes between two questions that are easy to conflate. Source of funds asks where the money for this particular transaction or account opening came from. Source of wealth asks how the customer accumulated their total net worth. A PEP who received a large wire transfer might have clean source of funds documentation but a weak source of wealth explanation. Both need to be resolved.
Approved accounts are placed under EDD monitoring parameters: tighter transaction alert thresholds, defined review intervals (typically annual rather than the two- or three-year cycle for standard accounts), and a flagging protocol for any material change in the customer's profile or jurisdiction.
We've seen banks where the EDD population is 8% of the customer base but accounts for 35% of all investigation hours. That ratio is sustainable only if alert thresholds are tuned separately for the high-risk segment. Applying the same thresholds across all customers produces either excessive false positives on EDD accounts or an under-alerting problem on the standard population. Neither outcome helps during an examination.
A mid-size bank that built pre-structured document request templates for each high-risk category cut EDD onboarding time from 14 days to 6 and reduced customer back-and-forth by 40%. Analysts spent less time improvising the checklist and more time evaluating whether the answers made sense.
Enhanced Due Diligence (EDD) in regulatory context
EDD requirements appear in every major AML framework, with consistent core obligations and meaningful differences in scope and prescription.
FATF Recommendations
FATF Recommendation 10 requires institutions to apply enhanced measures for higher-risk customers. Recommendations 12 and 13 specifically address PEPs and correspondent banking, the two categories where EDD is mandatory rather than discretionary. FATF's guidance is adopted by over 200 jurisdictions, making EDD a near-universal obligation for licensed financial institutions worldwide.
EU Anti-Money Laundering Directives
The Fourth AMLD (2015/849/EU) and Fifth AMLD codified EDD in EU law, requiring member states to apply enhanced measures for customers from high-risk third countries, PEPs, and complex transactions with no apparent economic purpose. The forthcoming EU AML Authority (AMLA) is expected to issue binding regulatory technical standards for EDD by 2026, replacing the current patchwork of national guidance with a single framework across member states.
FinCEN Customer Due Diligence Rule
In the US, FinCEN's CDD Rule (31 CFR Part 1010) requires covered financial institutions to identify and verify beneficial owners of legal entity customers and to apply risk-based EDD for higher-risk customers. The rule names no fixed list of EDD measures. It requires institutions to understand the nature and purpose of customer relationships to the degree necessary to develop a customer risk profile.
Cross-border complexity
A US bank with EU operations must satisfy both FinCEN and AMLD requirements simultaneously. Where the two differ, the stricter standard typically applies. This is most acute for correspondent banking. Under Recommendation 13, the correspondent must gather enough information about the respondent bank's AML controls to decide whether the relationship increases the correspondent's overall risk exposure.
When EDD reviews surface activity that can't be satisfactorily explained, the downstream result is often a Suspicious Transaction Report (STR) or SAR filing. The EDD file provides the documented basis for that decision.
Common challenges and how to address them
The biggest operational challenge with EDD is document collection. High-risk customers have more complex structures, and getting a verified source of wealth declaration from a PEP's spouse, or certified incorporation documents from a holding company in a jurisdiction with limited public registries, can take weeks.
Three approaches reduce that friction.
First, build tiered document request templates before you need them. One template per high-risk category (PEP, high-risk jurisdiction, complex corporate, correspondent bank) tells analysts exactly what to request and in what format. This cuts average collection time and reduces the back-and-forth that frustrates customers and inflates operational cost.
Second, automate the parts of the file that don't require judgment. Ownership registry checks, sanctions screening, and adverse media pulls can be handled programmatically. This shifts analyst effort toward the tasks that actually require human assessment: evaluating whether a source of wealth explanation is plausible, deciding whether a business justification holds up under scrutiny, and determining when to escalate.
Third, document the reasoning, not just the conclusion. "I'm not comfortable with this customer" is not an audit trail. "Customer could not provide source of wealth evidence for GBP 2.3m transfer from offshore account after two documented requests; escalating to MLRO for SAR consideration" is. Files that contain specific documented reasoning hold up to regulatory scrutiny. Files that contain only checkbox outputs don't.
Ongoing monitoring creates a second pressure point. An institution with 10,000 EDD customers on a 12-month review cycle has roughly 830 files due each month. Without automated scheduling and prioritization, reviews accumulate. The consequences range from regulatory criticism in an examination to enforcement action when a missed review coincides with suspicious activity.
A third, less visible problem is scope creep in EDD trigger criteria. When risk appetite documents aren't updated regularly, EDD sometimes applies to customers who don't warrant it. Auditing the EDD population annually against the current risk appetite catches miscategorizations before they inflate operational costs or create inconsistency findings in an exam.
Related terms and concepts
EDD sits within a tiered due diligence framework. At the lower end, Simplified Due Diligence (SDD) applies to customers whose risk profile is demonstrably low: certain regulated financial institutions, listed companies on recognized exchanges, and financial products with limited money laundering potential. Standard CDD covers the majority of customers. EDD sits at the top of the spectrum, reserved for relationships where the standard process identifies material risk that requires additional controls.
Know Your Customer (KYC) is the umbrella framework. EDD is one component of KYC, applied when the baseline process identifies elevated risk. For legal entity customers, Know Your Business extends the same logic to verifying company ownership, control structures, and business purpose at the entity level.
Identifying the beneficial owner is central to EDD for corporate customers. Complex ownership chains, often involving holding companies in multiple jurisdictions, are used to obscure the identity of the individual who ultimately controls or benefits from an account. EDD requires tracing those chains to the natural person at the top regardless of structural complexity. Jurisdictions differ on the ownership threshold that triggers disclosure, typically 10%, 20%, or 25% depending on the national framework.
On the reporting side, EDD reviews that surface unexplained activity typically result in a SAR filing. The connection between EDD and SAR is direct: a thorough EDD file either closes the concern with evidence or documents the basis for a suspicious activity report. Regulators look at both the filing and the file that preceded it.
A Currency Transaction Report filing obligation may run in parallel for EDD customers in the US who conduct large cash transactions. Two separate compliance obligations apply simultaneously, and the outputs (the CTR and the EDD file) should cross-reference each other in the case record.
Understanding where EDD starts and standard CDD ends matters for building a defensible program. Regulators don't just examine whether EDD was applied. They look at whether the decision to apply it, or not apply it, was documented and proportionate to the risk identified at the time.
Where does the term come from?
The term "enhanced due diligence" entered formal regulatory language through the FATF's 40 Recommendations, first published in 1990 and substantially revised in 2003. The 2003 revision introduced a risk-based approach to customer due diligence and explicitly required higher scrutiny for higher-risk customers. The USA PATRIOT Act (2001) had already embedded enhanced measures for correspondent banking in US law. The EU codified EDD in its Third Anti-Money Laundering Directive (2005/60/EC), with successive AMLDs expanding the categories of customers subject to it. By the time the Fifth AMLD took effect in 2020, EDD applied to transactions involving high-risk third countries, PEPs, and anonymous e-money products.
How FluxForce handles Enhanced Due Diligence (EDD)
FluxForce AI agents monitor EDD-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.