EDD Checklist for High-Risk Customers

What is the EDD Checklist for High-Risk Customers?

Enhanced due diligence is the additional verification layer financial institutions must apply when a customer presents elevated money laundering, terrorist financing, or financial crime risk. Standard CDD confirms who someone is. EDD goes further: it requires documented evidence of how wealth was accumulated, validation of business purpose and expected transactions, confirmation of complex ownership structures, and formal approval by senior management before the relationship proceeds.

The obligation exists across multiple frameworks. FATF Recommendation 10 establishes the CDD requirements that trigger enhanced measures and specifies when those measures apply. FinCEN's Customer Due Diligence Final Rule (31 CFR § 1010.230) codifies EDD for covered US financial institutions. The EU's Fifth Anti-Money Laundering Directive mandates enhanced measures for PEPs, customers from high-risk third countries, and complex or unusually large transactions.

What examiners find during audits isn't always missing controls. It's missing documentation. An institution might have screened a customer against every required list and obtained beneficial ownership documents, but if it can't produce a coherent, dated record showing all of that happened and who approved it, the exam outcome is the same as if it hadn't done the work.

The typical triggers for EDD include PEP status, connections to high-risk jurisdictions, cash-intensive business models, complex or opaque ownership structures, and adverse media relating to financial crime. An institution's EDD framework must document clear standards for each category. This checklist provides the structure.

It connects customer due diligence obligations to a reproducible, defensible paper trail. Each section maps to a specific examiner expectation, making it possible to demonstrate that the enhanced review was proportionate to the risk identified.

Who needs the EDD Checklist for High-Risk Customers?

The primary users are compliance analysts and MLROs at banks, credit unions, broker-dealers, and money services businesses. BSA officers at community and mid-size banks rely on it most. They often don't have dedicated EDD teams, and a structured checklist prevents the common pattern of completing most required checks while missing two or three that matter to examiners.

PEP screening teams apply it every time a customer is identified as a politically exposed person or as a relative or close associate of one. The checklist structures the additional steps those matches require: source of wealth documentation, enhanced adverse media review, senior management approval, and a defined monitoring cadence.

Fraud leads and risk analysts reach for it at pivot points in a customer relationship: when transaction behavior shifts unexpectedly, when an adverse media hit surfaces, or when a previously low-risk account gets reclassified. The trigger differs, but the documentation requirement is the same.

Correspondent banking relationship managers use it during respondent due diligence reviews. The checklist's structure aligns with the verification requirements under FATF Rec 13 for correspondent banking relationships, which covers the assessment of respondent AML controls and ownership transparency.

Second-line compliance teams, internal auditors, and model risk reviewers pull completed EDD checklists as sampling inputs during thematic reviews. They're checking whether front-line analysts applied the institution's high-risk framework consistently. A well-structured checklist makes that review faster and the findings defensible.

What's inside the EDD Checklist for High-Risk Customers?

The document follows the decision sequence a compliance analyst works through during an enhanced review. It's not a generic onboarding form. Each section has a defined purpose tied to a specific regulatory expectation.

Customer Risk Classification

• Risk trigger identified: PEP connection, high-risk jurisdiction, cash-intensive business type, adverse media hit, or complex ownership structure
• Risk tier or score assigned per the institution's risk-rating matrix
• Date of classification, analyst name, and case reference number

Identity and Beneficial Ownership Verification

• Legal name, registered address, and incorporation documents (for entities)
• Beneficial owners identified at the 25% ownership threshold, or lower per internal policy
• Verification method and document reference for each owner
• UBO declaration or confirmation letter

Source of Wealth and Source of Funds

• Documented explanation of how wealth was accumulated over time
• Source of funds specific to this business relationship
• Supporting evidence obtained: tax filings, audited accounts, asset documentation, employment records
• Analyst assessment of plausibility, with the reasoning written out (not just a conclusion)

PEP, Sanctions, and Adverse Media Screening

• Sanctions screening result, date, and screening tool used
• PEP screening result, including relatives and close associates (RCAs), with the PEP's role and jurisdiction noted
• Adverse media screening results with source references and dates
• Disposition of each hit: cleared, escalated, or declined, with written reasoning in each case

Ongoing Monitoring Parameters

• Monitoring frequency assigned (a 90-day review cycle is standard for highest-risk accounts)
• Expected transaction volumes and channels, documented at relationship establishment
• Alert thresholds applied within the transaction monitoring system for this customer
• CRM or case management reference for the customer's monitoring profile

Senior Management Approval

• Approving officer name and title
• Date of approval
• Any conditions attached to the relationship
• Next scheduled EDD review date

Record Retention

• Document storage location and file reference ID
• Retention period applied, per internal policy and the five-year minimum under FATF Rec 11

How to use the EDD Checklist for High-Risk Customers

1. Start with the trigger, before opening the checklist. Write down the specific reason this customer requires enhanced review: the PEP match, the high-risk jurisdiction, the suspicious activity alert, or whatever flag initiated the process. Examiners want to see why EDD was triggered, not just that it was completed. This step is frequently absent in exam findings.

2. Assign it and set a deadline. Route the checklist to the responsible analyst and establish a completion date. Most AML policies require EDD to be finished within 30 to 45 days for new relationships, and sooner for existing accounts with sudden risk changes. Files that age without completion create regulatory exposure.

3. Work through each section in sequence. The order matters. Identity and ownership verification precedes source of wealth assessment. Screening results precede the approval decision. Skipping ahead creates gaps that are hard to reconstruct when an examiner asks later.

4. Write the reasoning, not just the outcome. For every judgment call (whether a source of wealth claim is plausible, whether an adverse media hit warrants escalation), add a sentence explaining the thinking. Unexplained conclusions are a recurring deficiency in enhanced due diligence reviews, especially for PEP files and high-risk jurisdiction cases.

5. Get senior management sign-off before the relationship proceeds. The checklist has a dedicated approval section. The signature must come before onboarding or continuation. Backdated approvals are a material exam finding and, in enforcement actions, a sign the approval process wasn't functioning as designed.

6. Index the file correctly. Store the completed checklist in the customer's CRM or case management record with a clear reference ID. Teams that build exam-readiness workflows around consistently indexed files can pull the full EDD population in minutes. Teams that don't spend those minutes in front of examiners answering questions about why documents can't be located.

7. Schedule the next review. EDD is a periodic obligation. Risk profiles change. Log the next review date in your monitoring system before closing the file.

Common mistakes to avoid

Treating source of wealth as a declaration. "Self-employed, stated income $200,000" is not documented source of wealth. That's a claim. Examiners want evidence supporting it: tax filings, business accounts, property records, audited financials. If supporting evidence isn't available, document why and describe what compensating analysis was performed.

Treating a cleared screening hit as a closed matter. When a sanctions or adverse media match is cleared, the file needs to show the reasoning: why the analyst concluded it was a false positive, a name collision, or an acceptable risk. "No match" with no explanation is a documentation gap, not a cleared hit.

Missing relatives and close associates on PEP reviews. FATF Rec 12 explicitly covers RCAs. Screening the named PEP but not their spouse, children, or known business partners is a gap examiners look for specifically. The checklist prompts for RCA coverage. Use it.

Filing the checklist without supporting documents. The checklist references source documents. If those documents aren't attached or cross-referenced to a retrievable location, the checklist is functionally useless in an exam. Attach everything, or record precise document references for each item.

Skipping the periodic re-review. EDD at onboarding is not a permanent clearance. Failing to complete the periodic re-review is one of the most consistent findings in AML enforcement actions. The approval granted at relationship establishment applies to the circumstances at that point in time.

Letting the form substitute for judgment. A checklist with every box ticked but no substantive analysis in the reasoning fields is what examiners call paper compliance. The form works when analysts write real assessments, not just record outcomes.

How FluxForce automates this

FluxForce reduces the manual work this checklist represents. Its AI agents run continuous sanctions screening and PEP monitoring across your full customer population, surface matches immediately, and log disposition notes in real time. Adverse media monitoring runs around the clock. When a high-risk flag triggers, the platform records it, timestamps each verification step, and produces audit-ready evidence for every decision point. Senior management approval workflows and periodic re-review schedules are tracked automatically. To see how that reduces the EDD burden in practice, request a demo.