CDD vs. EDD: Differences and Applications in Fintech Compliance
Published on Aug 12, 2025 · 13 min read
Fintech companies are innovating rapidly, introducing new products and services that expand financial access and efficiency. These innovations also bring heightened compliance responsibilities, especially when it comes to managing financial-crime risk and keeping bad actors out of the financial system.
If you work in fintech, you've probably heard a lot about KYC (Know Your Customer) requirements, which include customer due diligence (CDD) and its more detailed counterpart, enhanced due diligence (EDD).
Now, both CDD and EDD are trying to accomplish the same basic thing: figuring out who your customers really are and whether they pose any risks. But here's the thing: they're not the same process, and knowing when to use which one can make or break your compliance program. Let's break down what makes them different, when you actually need to use each one, and how you can build them into your compliance strategy.
What Is Customer Due Diligence (CDD)?
Customer due diligence is like a background check on new customers. When someone wants to use your financial services, you need to verify who they are and figure out what kind of risk they might pose. This means gathering their basic info, double-checking that it's legit, and running them through various watchlists to see if they're on any sanctions lists or happen to be a politically exposed person (PEP)—that's someone in a prominent government position or connected to one.
CDD also requires building a risk profile that guides how the relationship is monitored over time. For fintech companies, it acts as the foundation for more advanced compliance measures when higher risk is identified.
Regly assists with this process by automating data collection, verification, and risk screening, allowing teams to build CDD into their onboarding workflows without manual bottlenecks.
When Does CDD Apply?
CDD applies at the start of any customer relationship involving regulated financial services. That includes opening an account, onboarding a legal entity, or initiating a one-time transaction that meets certain thresholds.
Beyond onboarding, CDD may be re-triggered if the customer’s risk profile changes. This could result from updated information, adverse media hits, new sanctions exposure, or unusual transaction patterns that require reassessment.
What Does CDD Involve?
CDD starts with collecting identity information and verifying it through trusted sources. For individuals, this includes name, date of birth, address, and a government-issued ID. If you're dealing with a business rather than an individual, you'll also need to determine how the company is structured and who owns and controls it (the beneficial owners).
After you've confirmed someone's identity, the next step is running them through your risk screening process. This is where you check if they show up on any sanctions lists, other watchlists, or if they qualify as a PEP.
Core components of CDD include:
Identity verification using reliable data or documentation
Sanctions and PEP screening to assess exposure to financial crime risk
Beneficial ownership identification for legal entities
Risk profiling based on customer type, geography, and intended use
Recordkeeping to support internal decisions and regulatory audits
What you end up with is a risk profile that informs how the customer is monitored over time. Automation can speed up the checks, but compliance teams are still responsible for policy design and oversight.
What Is Enhanced Due Diligence (EDD)?
So, that’s CDD. Enhanced due diligence, on the other hand, is a structured process used to assess customers or transactions that have a higher risk of money laundering, fraud, or other financial crimes. Here, you’re collecting more information, verifying it through trusted sources, and keeping a closer eye on them for as long as they’re your customer.
The whole point of enhanced due diligence is to really get to know who your customer is, how their business works, and whether their financial transactions make sense for what they're supposed to be doing. EDD helps you make smarter decisions about risk, especially when standard background checks just aren't cutting it and you need to dig deeper.
Regly FinCrime allows compliance teams to evaluate EDD triggers, such as PEP status or high-risk countries, and escalate cases for enhanced review.
When Is EDD Required?
EDD is required when a customer or transaction presents a level of risk that goes beyond what a standard due diligence process can reasonably address. This typically happens when certain risk indicators emerge during onboarding or monitoring, prompting a need for closer review.
The decision to apply EDD is part of a firm’s risk-based approach. It reflects a judgment that more information is needed to fully understand the nature of the relationship and to manage potential exposure to financial crime.
What Does EDD Involve?
The steps taken during EDD depend on the specific risks identified, but generally go beyond basic identity checks.
Key components often include:
Verifying source of funds and, in some cases, source of wealth
Conducting enhanced background checks, including adverse media and litigation history
Reviewing business activities in more detail, especially for legal entities
Evaluating the customer’s ownership structure and affiliated entities
Applying more frequent or detailed transaction monitoring
Requiring senior-level approval before account opening or continuation
These measures are designed to develop a more complete view of who the customer is and how they interact with the financial system. The findings must be well documented and factored into how the relationship is monitored going forward.
Regulatory Triggers for EDD
Regulators expect EDD to be applied in specific high-risk scenarios, regardless of a firm’s internal risk scoring. These requirements are established under US regulatory frameworks such as the Bank Secrecy Act (BSA) and FinCEN guidance, and align with international standards, including FATF recommendations. They are also supported by regulations issued by agencies like the SEC, OCC, and other supervisory bodies.
Key regulatory triggers include:
Foreign PEPs and their close associates
Correspondent banking relationships with foreign financial institutions
Private banking relationships involving non-US persons
Business relationships involving high-risk jurisdictions, such as those identified by FATF or subject to US sanctions
Customers with complex or opaque ownership structures, especially when beneficial ownership is difficult to verify
In the US, Section 312 of the USA PATRIOT Act mandates EDD in certain cross-border relationships. FinCEN advisories and the FFIEC Manual also emphasize that institutions must apply enhanced measures when facing known risk factors tied to geography, industry, or customer type.
CDD vs. EDD: What’s the Difference?
While both customer due diligence and enhanced due diligence are part of a risk-based approach to compliance, they serve different purposes and apply at different levels of scrutiny.
The distinction matters because it affects how much information is collected, how often reviews occur, and how resources are allocated. The following sections break down the key differences across core areas of compliance practice.
Risk Levels and Triggers
The decision to apply CDD or EDD begins with risk assessment. CDD is applied universally, so it’s required for every customer, regardless of risk level. Its purpose is to establish identity, screen for obvious red flags, and create a baseline risk profile. It assumes the customer is a low-to-moderate risk unless indicators suggest otherwise.
EDD, on the other hand, is triggered by specific risk factors. These may surface during onboarding or emerge later through monitoring. Common examples include political exposure, ties to high-risk jurisdictions, complex corporate structures, or patterns of activity that fall outside the customer’s expected profile.
The trigger point for EDD isn’t always a single factor. Often, it’s the combination of multiple moderate-risk indicators that raises the overall risk to a level requiring enhanced review. That’s why a documented, well-calibrated risk scoring system is essential. It creates consistency across cases and gives compliance teams a structured way to escalate when needed.
Regly helps automate this escalation process by embedding risk models into your monitoring workflows. When risk thresholds are exceeded, the profile is flagged and routed for enhanced due diligence.
Depth of Investigation
With CDD, you're mainly focused on confirming someone's identity and doing your basic risk checks. Once you've verified who they are and nothing suspicious pops up, you can move them into your regular monitoring routine.
EDD is a whole different ballgame because you're going much deeper. This means collecting way more information to understand their financial background, who they do business with, and why they want to use your services. You might need to verify where their money is coming from, take a closer look at how their company is structured, or dig into their past activities and connections that could signal hidden risks.
The key with EDD is that how deep you go should match the level of risk you've identified. If someone's a politically exposed person, you might need them to document where their wealth came from. If it's a business operating in a sketchy industry, you could end up reviewing their internal controls or looking at who they're partnered with. The whole idea is to go way beyond just checking IDs and really understand what kind of risk this customer actually presents.
Documentation and Evidence
CDD typically requires standard documentation: a government-issued ID, proof of address, and verification through trusted data sources. These records are collected, reviewed, and stored to support regulatory obligations and internal audits.
EDD demands a higher standard of documentation. This includes not just identity documents, but also evidence that supports the customer’s legitimacy and financial background. Examples include bank statements, corporate records, tax filings, or contracts that explain the origin of funds or business activity.
What sets EDD apart is the expectation of independent verification. When sources of wealth or ownership structures are involved, regulators expect firms to validate claims using objective, third-party materials. All supporting documents must be recorded, tied to the risk assessment, and made available for review upon request.
Monitoring and Review Frequency
Both CDD and EDD require ongoing monitoring, but the frequency and intensity differ significantly. Under CDD, monitoring is typically event-driven. Reviews may occur periodically or when a trigger event, such as a change in ownership or a flagged transaction, requires attention. For low-risk customers, these reviews are often infrequent and straightforward.
EDD requires a more proactive and structured approach. High-risk customers are subject to more frequent reviews, sometimes on a fixed schedule such as every six or twelve months. The thresholds for transaction alerts are also tighter. Activity that might pass unnoticed in a standard profile could prompt immediate follow-up in a high-risk context.
This difference impacts workflow. Fintech compliance teams, therefore, need systems that can segment customers by risk level and apply the right cadence of reviews. Manual processes alone are not scalable here. Automated monitoring and task management tools can help surface the right alerts at the right time, but the responsibility for timely review still falls on the compliance function.
Customer Experience and Operational Burden
The shift from CDD to EDD affects more than just compliance procedures. It also impacts how customers experience onboarding and how much time and effort internal teams must dedicate to each case.
With CDD, most customers move through onboarding quickly. The data requirements are limited, the checks are often automated, and the friction is minimal. For fintechs competing on speed and ease of use, this keeps conversion rates high and operational costs low.
EDD introduces more complexity. Customers may be asked to provide supporting documents, explain the source of funds, or answer additional questions. These steps can delay onboarding and lead to drop-off if not handled carefully. From the operations side, EDD cases take more time to process, require deeper investigation, and often involve multiple team members.
When to Use CDD vs. EDD in a Risk-Based Program
A risk-based program uses defined criteria to determine when basic due diligence is sufficient and when an enhanced review is necessary. CDD applies by default. EDD is used only when certain thresholds are met.
Key distinctions in when to apply each include:
Risk profile: Use CDD for customers assessed as low or moderate risk. Escalate to EDD when a customer’s profile shows indicators such as foreign political exposure, high-risk industries, or unclear source of funds.
Geography: CDD is appropriate for customers in standard jurisdictions. EDD is typically required when a customer is based in or connected to a country flagged for AML deficiencies or subject to sanctions.
Customer type: Standard CDD applies to most individuals and simple business entities. EDD is appropriate for legal structures involving trusts, layered ownership, or nominee arrangements.
Activity patterns: Normal transaction behavior may remain under CDD monitoring. EDD may be triggered if behavior deviates significantly from the customer’s expected activity or involves unusual transaction types.
Information gaps: If identity or beneficial ownership cannot be verified using standard methods, or if the customer is unwilling to provide required documentation, escalation to EDD is appropriate.
The goal is not to over-apply EDD but to use it where it adds value, specifically, where additional scrutiny is needed to manage risk effectively.
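To make the escalation logic concrete, here is an added example in Python (not Regly's code or rule set): a small rule engine that applies the mandatory EDD triggers listed earlier in the post, combines weighted moderate-risk indicators into a score that can cross the EDD threshold on its own (the "combination of multiple moderate-risk indicators" case), assigns a review cadence by risk tier, and re-runs the assessment when monitoring surfaces new information. The field names, weights, thresholds, and review intervals are assumptions chosen for illustration; a real program would calibrate and document its own.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Tier(Enum):
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


@dataclass
class CustomerProfile:
    """Risk indicators captured during onboarding or monitoring.
    Field names are assumptions for this example, not a regulatory schema."""
    customer_id: str
    is_foreign_pep: bool = False            # foreign PEP or close associate
    correspondent_banking: bool = False     # correspondent account for a foreign FI
    private_banking_non_us: bool = False    # private banking for a non-US person
    verification_gap: bool = False          # identity/BO unverifiable or docs refused
    high_risk_jurisdiction: bool = False    # FATF-listed or sanctioned country
    high_risk_industry: bool = False
    complex_ownership: bool = False         # trusts, layered ownership, nominees
    source_of_funds_unclear: bool = False
    activity_deviation: bool = False        # behaviour outside expected profile


# Triggers that require EDD regardless of score (mirrors the post's regulatory list).
MANDATORY_EDD_TRIGGERS = (
    "is_foreign_pep",
    "correspondent_banking",
    "private_banking_non_us",
    "verification_gap",
)

# Assumed weights for moderate indicators; several together can reach the EDD line.
INDICATOR_WEIGHTS = {
    "high_risk_jurisdiction": 3,
    "high_risk_industry": 2,
    "complex_ownership": 2,
    "source_of_funds_unclear": 2,
    "activity_deviation": 2,
}
EDD_SCORE_THRESHOLD = 4       # assumed: combined score at/above this escalates to EDD
MODERATE_SCORE_THRESHOLD = 2  # assumed: at/above this the customer is moderate risk

# Assumed review cadence in months; None means event-driven reviews only.
REVIEW_CADENCE = {Tier.HIGH: 6, Tier.MODERATE: 12, Tier.LOW: None}


@dataclass
class Decision:
    tier: Tier
    requires_edd: bool
    score: int
    review_interval_months: Optional[int]
    reasons: List[str] = field(default_factory=list)


def assess(profile: CustomerProfile) -> Decision:
    """Classify the customer and decide whether EDD applies, recording why."""
    reasons: List[str] = []
    score = 0
    for name, weight in INDICATOR_WEIGHTS.items():
        if getattr(profile, name):
            score += weight
            reasons.append(f"{name} (+{weight})")

    mandatory = [t for t in MANDATORY_EDD_TRIGGERS if getattr(profile, t)]
    if mandatory:
        tier = Tier.HIGH
        reasons.extend(f"mandatory trigger: {t}" for t in mandatory)
    elif score >= EDD_SCORE_THRESHOLD:
        tier = Tier.HIGH
        reasons.append(f"combined score {score} >= {EDD_SCORE_THRESHOLD}")
    elif score >= MODERATE_SCORE_THRESHOLD:
        tier = Tier.MODERATE
    else:
        tier = Tier.LOW

    return Decision(
        tier=tier,
        requires_edd=(tier is Tier.HIGH),
        score=score,
        review_interval_months=REVIEW_CADENCE[tier],
        reasons=reasons,
    )


def reassess(profile: CustomerProfile, **changed_flags: bool) -> Decision:
    """Apply new information from monitoring (adverse media, unusual activity,
    a failed re-verification) and re-run the assessment: the CDD re-trigger."""
    for name, value in changed_flags.items():
        if not hasattr(profile, name):
            raise ValueError(f"unknown risk indicator: {name}")
        setattr(profile, name, value)
    return assess(profile)


if __name__ == "__main__":
    # Constructed sample customers for illustration.
    samples = [
        CustomerProfile("retail-001"),
        CustomerProfile("smb-002", high_risk_industry=True),
        CustomerProfile("smb-003", high_risk_industry=True, complex_ownership=True),
        CustomerProfile("hnw-004", is_foreign_pep=True),
    ]
    for p in samples:
        d = assess(p)
        print(p.customer_id, d.tier.value, "EDD" if d.requires_edd else "CDD",
              d.review_interval_months, "; ".join(d.reasons))
    # A previously low-risk customer whose monitoring turns up two new indicators.
    print("retail-001 after monitoring:", reassess(samples[0], activity_deviation=True,
                                                   source_of_funds_unclear=True).tier.value)
```

Two design choices are worth noting. Mandatory triggers are checked separately from the score so a foreign PEP is escalated even when every other indicator is clean, which is what the regulatory triggers require. And each decision carries its `reasons`, because an auditor will ask not just what tier a customer landed in but why, and which threshold or trigger drove the escalation.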
With Regly, these criteria are built into configurable rules. Escalations happen automatically when thresholds are met, eliminating guesswork and standardizing risk decisions across the team.
Key Regulators and Rules That Govern CDD and EDD
Several laws and regulatory frameworks define how CDD and EDD must be applied in financial services. The most relevant are outlined below.
FinCEN and the CDD Rule
The Financial Crimes Enforcement Network (FinCEN) is the primary agency responsible for enforcing anti-money laundering regulations in the United States. In 2016, FinCEN issued the Customer Due Diligence (CDD) Rule, which formalized and clarified expectations around identifying and verifying customers.
The CDD Rule applies to covered financial institutions, including banks, broker-dealers, mutual funds, and certain fintech companies that qualify as money services businesses (MSBs). It requires four key elements: identifying customers, verifying their identities, identifying beneficial owners of legal entities, and developing an understanding of the nature and purpose of customer relationships to support ongoing monitoring.
Fintech companies subject to these rules must integrate CDD into their onboarding and compliance workflows. This includes verifying the individuals behind business accounts, maintaining up-to-date customer information, and monitoring for unusual activity over time. While the rule does not prescribe exactly how to apply these processes, it does expect institutions to document and implement risk-based procedures tailored to their customer base and business model.
Section 312 of the USA PATRIOT Act
Section 312 of the USA PATRIOT Act requires US financial institutions to apply EDD to certain types of high-risk foreign relationships. This includes correspondent accounts maintained for foreign financial institutions and private banking accounts for non-US persons.
The rule is specific in its scope. For correspondent accounts, institutions must assess the AML practices of the foreign bank, identify the owners of the institution if necessary, and monitor account activity for suspicious patterns. For private banking accounts, EDD must include identifying the nominal and beneficial owners, understanding the source of funds, and conducting ongoing scrutiny of transactions.
This section is one of the few instances where EDD is not discretionary but mandatory. Even fintech firms that don't directly offer correspondent or private banking services should be aware of it.
FATF Recommendations
The Financial Action Task Force (FATF) is an intergovernmental body that sets global standards for anti-money laundering and counter-terrorist financing. While FATF does not create laws, its recommendations strongly influence national regulations, including those in the US.
FATF’s framework outlines when and how due diligence should be applied based on customer risk. Recommendation 10 requires financial institutions to conduct CDD as part of a standard onboarding process. Recommendation 12 mandates EDD for politically exposed persons, while Recommendation 19 calls for enhanced measures when dealing with higher-risk countries.
For fintech companies operating across jurisdictions or dealing with international customers, FATF guidance often serves as the baseline for building a globally credible compliance program. Regulators in many countries look to FATF standards when assessing the strength of a firm’s due diligence policies, especially in areas like beneficial ownership transparency, risk profiling, and escalation practices.
Beneficial Ownership Information (BOI) Reporting
The Anti-Money Laundering Act of 2020 (AMLA) introduced a federal beneficial ownership reporting regime through the Corporate Transparency Act (CTA). While this originally applied to most US and foreign legal entities, the Treasury Department under the Trump administration significantly narrowed its scope in 2025. Under a FinCEN interim final rule, only foreign-owned entities are subject to beneficial ownership reporting. Domestic US companies are currently exempt, though financial institutions may still be affected by future regulatory updates to the CDD Rule.
Right now, the reporting requirement only covers foreign-owned entities, but this framework still matters for financial institutions. FinCEN has signaled that it plans to update the CDD Rule so it works better with the beneficial ownership database. If that happens, institutions might eventually get access to ownership data that's already been verified by the government.
This would be a significant improvement because you wouldn't have to rely as much on what customers tell you about themselves, and your due diligence would be more accurate during both onboarding and ongoing reviews.
Companies should keep an eye on how these changes develop and think about how having access to verified ownership information could strengthen their due diligence work, particularly when they're dealing with complicated ownership structures or customers who provide inconsistent documentation.
KYC vs. CDD vs. EDD: What's the Difference?
The terms KYC, CDD, and EDD are often used interchangeably, but they refer to different parts of the compliance process. Understanding how they relate helps clarify roles, streamline operations, and align your program with regulatory expectations.
Know Your Customer is the broad framework. It refers to the full set of procedures a financial institution uses to identify customers, assess risk, and monitor for suspicious activity. KYC is not a single step but a collection of practices designed to prevent financial crime.
Customer Due Diligence is a core part of KYC. It covers the baseline checks applied to every customer. This includes identity verification, sanctions screening, and risk profiling. CDD establishes who the customer is and how their relationship with the platform should be monitored.
Enhanced Due Diligence is a specialized process within KYC that applies to high-risk customers. It adds deeper investigation, more documentation, and more frequent monitoring. EDD is used when standard due diligence is not enough to manage exposure.
In short, KYC is the umbrella. CDD is the default standard under that umbrella, and EDD is the deeper layer applied when risk demands more.
Clear separation of these terms matters. It helps teams set the right controls, allocate resources effectively, and build systems that scale without cutting corners.
—
CDD and EDD are core components of a functional, risk-based compliance program. CDD establishes the foundation by verifying identity and assessing baseline risk. EDD builds on that when higher risk requires more scrutiny, documentation, and monitoring.
For fintech companies, the challenge is applying these processes consistently without overcomplicating operations. That means clearly defining risk thresholds, documenting escalation criteria, and building workflows that adapt as customer risk changes.