Enhanced due diligence is a key element in managing financial crime risk. It goes beyond standard checks to offer a comprehensive view of high-risk customers and transactions. For regulated firms, EDD isn't optional; it's a regulatory expectation.
In this article, we define what enhanced due diligence is, explain when and why it applies, and walk you through practical examples. You'll also learn how it compares to standard customer due diligence, the components of an effective EDD process, and common mistakes to avoid.
What Is Enhanced Due Diligence (EDD)?
Enhanced due diligence is a deeper level of scrutiny used to assess customers or transactions that pose a higher risk of money laundering, terrorist financing, or other financial crimes. It is a core requirement under global AML regulations and applies when standard due diligence is not sufficient to understand the risk involved.
EDD involves collecting more detailed information, verifying it through reliable sources, and maintaining a higher level of ongoing monitoring. This may include identifying the source of funds, understanding the purpose of the business relationship, and evaluating the customer’s ownership structure.
The goal is not just to gather more data, but to develop a clear, risk-based understanding of the customer. This allows firms to detect potential red flags early and take appropriate action.
Enhanced Due Diligence and Anti-Money Laundering (AML) Compliance
Here’s how EDD strengthens AML compliance:
Identifies gaps missed by standard due diligence: While customer due diligence (CDD) is designed for low to medium-risk customers, it often fails to capture the complexity of higher-risk scenarios. EDD digs deeper into ownership structures, offshore entities, and unusual transaction patterns to uncover hidden risks.
Builds a comprehensive risk profile: EDD collects and verifies additional data, including the source of wealth, source of funds, and detailed information about the customer’s business activities. This helps firms understand not just who the customer is, but also why they might pose a risk.
Aligns with regulatory expectations for risk-based approaches: AML regulations globally require firms to assess and respond to risk levels appropriately. EDD is how firms demonstrate that they are taking enhanced steps where the risk justifies it, showing regulators a clear, documented process.
Protects the business from penalties and reputational harm: Failing to apply EDD where it’s needed can lead to significant fines, sanctions, and damaged trust. An effective EDD program helps prevent these outcomes by flagging issues early and supporting defensible compliance decisions.
Supports continuous monitoring and reassessment: EDD is not a one-time activity. High-risk relationships require ongoing attention, with periodic reviews and alerts for changes in behavior or risk factors. This keeps compliance programs adaptive and responsive.
EDD vs. Customer Due Diligence (CDD)
CDD is the baseline for understanding who a customer is and assessing their risk. However, when risk levels exceed acceptable thresholds, EDD becomes necessary.
EDD builds on the foundation of CDD by adding further layers of scrutiny to help better understand and manage higher-risk situations. Here’s a deeper look at how they differ:
Depth of Information Collected: CDD focuses on collecting essential identifying information such as full name, address, date of birth, and government-issued ID. EDD goes much further by requiring detailed insights into the customer's financial background. This includes understanding the source of funds, the source of wealth, and the nature of the customer's business relationships. In some cases, it may also involve reviewing media coverage, legal records, or other public information.
Level of Verification: In CDD, standard documentation is often sufficient for identity verification. For EDD, firms are expected to go beyond this by cross-checking information with independent and reliable sources. This might include verifying income claims through tax documents, confirming business activities through corporate filings, or consulting third-party intelligence databases to identify adverse information or sanctions exposure.
Purpose and Risk Focus: CDD is typically used for individuals and businesses with straightforward profiles and limited red flags. EDD is specifically designed for customers who present elevated risks: operating in high-risk sectors, using complex offshore structures, or located in jurisdictions with weak AML controls. The goal is to promote a clear understanding of these risks and to support the implementation of appropriate mitigation measures before proceeding with the relationship.
Monitoring Intensity: Under CDD, monitoring usually involves periodic reviews and transaction alerts based on preset thresholds. With EDD, the expectation is for more proactive and frequent monitoring. Firms may apply stricter thresholds for triggering reviews, monitor transactions in real time, or conduct enhanced periodic reviews that revisit the customer's risk profile and update the underlying documentation.
Documentation and Audit Trail: While CDD records are important, EDD requires a more detailed audit trail. Every step of the enhanced due diligence process must be documented, including the rationale for classifying a customer as high-risk, the sources consulted during verification, and the decisions made based on the findings. This level of documentation is essential for internal accountability and demonstrating compliance during regulatory inspections.
Understanding when to escalate from CDD to EDD is critical. It supports a risk-based approach that remains proportionate and effective while meeting compliance standards.
When to Apply Enhanced Due Diligence
EDD is not necessary for every customer. It is applied selectively, based on the level of risk identified during the initial customer assessment. Knowing when to trigger EDD helps maintain a proportionate and effective compliance program.
Here are the most common scenarios that warrant enhanced due diligence:
High-risk customer profiles: Customers involved in industries known for elevated money laundering risk, like private gambling, real estate, or cryptocurrency. It also applies to clients with unclear or complex ownership structures, especially those using shell companies or operating across multiple jurisdictions.
Politically exposed persons (PEPs): Individuals who hold or have held prominent public positions, along with their immediate family members and close associates, are considered higher risk due to the potential for corruption. These relationships require additional scrutiny and ongoing monitoring.
Customers from high-risk jurisdictions: If a customer is based in or connected to a country with weak AML regulations, high levels of corruption, or a sanctions risk, EDD should be applied. This includes countries flagged by FATF or other international bodies.
Unusual or large transactions: Transactions that are inconsistent with a customer’s profile, especially large or complex transfers without a clear business purpose, should trigger enhanced checks. This is true whether the activity occurs during onboarding or later in the relationship.
Negative media or adverse information: If a customer is associated with investigations, legal issues, or reputational concerns reported by credible sources, it is essential to conduct a deeper review before proceeding.
Cross-border relationships involving opaque structures: Customers operating through offshore entities or using nominee directors and layered ownership structures require additional due diligence to promote transparency and regulatory compliance.
Key Components of an EDD Program
Building a robust enhanced due diligence program requires an integrated approach that adapts to evolving risks, fosters consistency across teams, and facilitates real-time decision-making. Each component must work together to provide a complete and accurate picture of high-risk customers.
Here are the key building blocks of an effective EDD framework:
Comprehensive Customer Risk Assessment
An effective EDD process begins with accurately identifying high-risk customers. This requires a structured risk assessment framework that evaluates factors such as customer type, business activity, geographic exposure, transaction patterns, and ownership structure. To be reliable, risk scoring must be data-driven, consistently applied, and responsive to change.
Regly’s risk scoring solution helps streamline this process by automating assessments, applying customizable thresholds, and aligning risk models with both business needs and evolving regulatory standards.
In-Depth Identity and Background Verification
Standard ID checks are not enough for high-risk customers. Firms must build a complete risk profile that includes verifying the source of wealth and source of funds, identifying ultimate beneficial ownership, and uncovering past legal issues, regulatory actions, or reputational risks. This process often involves cross-referencing multiple data sources, reviewing corporate structures, and assessing political exposure or media presence.
Regly’s KYC solution simplifies this complexity by enabling efficient, structured data collection and verification. Combined with Regly’s AML screening tools, firms can continuously monitor global watchlists, sanctions lists, and negative media, helping compliance teams detect red flags both at onboarding and throughout the customer lifecycle.
Ongoing Monitoring of Customer Activity
Monitoring should not stop after onboarding. For high-risk customers, continuous monitoring is necessary to detect changes in behavior, transaction patterns, or external risk factors that may indicate potential financial crime. This includes tracking for activity that falls outside expected behavior, spikes in volume or frequency, unusual counterparties, or transactions involving high-risk jurisdictions.
Regly’s AML transaction monitoring solution supports this process by analyzing transactional data in real time or near real time. It applies rule-based logic and behavioral models to identify anomalies, escalate alerts, and provide investigators with the context needed to act quickly. This allows firms to respond to risks as they emerge and maintain effective EDD controls across the customer lifecycle.
Internal Governance and Employee Oversight
Effective EDD is not just about systems and frameworks. It also depends on the people implementing them. Without proper oversight, even the most robust procedures can be undermined by inconsistent application, oversight gaps, or lack of awareness.
Financial institutions should establish robust internal governance structures to help staff understand and correctly execute EDD requirements across all stages of the customer lifecycle. This includes clearly defined responsibilities, documented workflows, regular training, and mechanisms to monitor compliance at the employee level.
Regly’s employee compliance tools help streamline this oversight by tracking forms and attestations. This mitigates operational risk and promotes consistent adherence to internal policies and regulatory expectations.
Vendor and Third-Party Due Diligence
Third-party relationships can introduce significant risk, especially when vendors handle customer data, process transactions, or support core operations. As part of a complete EDD program, firms must conduct thorough assessments of external partners to evaluate their reliability, regulatory posture, and data security practices.
This process should include structured risk questionnaires, document verification, and ongoing monitoring. Regular reviews help identify changes in risk exposure and confirm that vendors continue to meet compliance standards throughout the relationship.
Regly’s vendor management system supports this by helping firms verify and monitor third parties. It also maintains a clear audit trail of all due diligence steps, thereby helping firms stay organized and ready for regulatory scrutiny.
EDD Requirements for High-Risk Customers
High-risk customers increase exposure to money laundering, fraud, and regulatory violations. Regulators expect firms to apply enhanced due diligence measures to these relationships and document their decisions clearly.
Here are the core EDD requirements for managing high-risk customers:
Detailed identity verification: Basic identity checks are not enough. Firms must verify not only who the customer is, but also who owns or controls the entity. This often involves identifying the ultimate beneficial owner (UBO) and confirming their legitimacy through reliable, independent sources.
Source of funds and source of wealth analysis: Firms need to understand both how customers earn their wealth and where the funds for specific transactions originate. This includes gathering supporting documents such as financial statements, tax records, or legal contracts, and ensuring the sources are lawful and consistent with the customer’s profile.
Enhanced background screening: High-risk customers must be screened against sanctions lists, watchlists, and adverse media. This goes beyond one-time checks and requires continuous monitoring to capture new risks as they emerge. Screening should also extend to related parties and beneficial owners.
Understanding the purpose of the relationship: Firms are expected to assess why customers are engaging with their services. This includes identifying the expected nature of transactions, geographic reach, and how the relationship fits within the customer’s overall business or personal activities.
Ongoing monitoring and periodic reviews: EDD does not stop at onboarding. High-risk customers require more frequent reviews and closer transaction monitoring. Firms should have a documented schedule for these reviews and a clear process for escalating concerns when new risks appear.
Documented decision-making and audit trail: Every step in the EDD process must be recorded, including risk assessments, verification outcomes, and the rationale for accepting or rejecting the customer. This audit trail is essential for regulatory reviews and internal accountability.
EDD for Politically Exposed Persons (PEPs)
Politically exposed persons (PEPs) are individuals who hold or have held prominent public positions. Due to their influence and access to public funds, they are considered high-risk for corruption, bribery, and other financial crimes. As a result, enhanced due diligence is mandatory when dealing with PEPs, even if they show no signs of suspicious activity.
Here’s how EDD should be applied to PEPs:
Identification and classification: Firms must determine whether a customer is a PEP, a PEP family member, or a close associate. This includes domestic and foreign officials, as well as individuals working for international organizations. The classification should be clearly documented and regularly updated.
Independent verification: PEP status should not rely solely on customer declarations. Firms are expected to use independent sources, such as government registries, global PEP databases, or third-party screening tools, to confirm the individual’s status and track changes over time.
Understanding the nature of the relationship: It is essential to understand why the PEP is engaging with your firm, what services they are using, and how those services could potentially be misused. This context helps determine the level of risk and identify the necessary controls.
Source of wealth and funds scrutiny: For PEPs, it is not enough to know where the money is coming from. Firms must assess whether the source is legitimate, proportionate to the PEP’s known income, and free from any political or state-affiliated conflicts of interest. Supporting documentation must be collected and validated.
Senior management approval: Onboarding or continuing a relationship with a PEP typically requires sign-off from senior compliance or executive leadership. This step provides visibility at the highest level and is supported by a thorough risk assessment.
Ongoing monitoring and periodic reviews: PEPs require heightened monitoring throughout the relationship's lifecycle. This includes frequent transaction reviews, updated background checks, and alerts for any changes in status, behavior, or affiliations.
EDD in Cross-Border Transactions
Cross-border transactions often involve multiple jurisdictions, varied regulatory standards, and limited transparency. These factors increase the risk of money laundering, tax evasion, and sanctions breaches, making enhanced due diligence essential when international activity is involved.
Here are key EDD practices for managing cross-border risks:
Jurisdictional risk assessment: Firms must evaluate the AML risk of each country involved in the transaction. This includes reviewing FATF lists, assessing corruption indices, and understanding the local regulatory environment. Countries with weak enforcement or known financial secrecy practices warrant closer scrutiny.
Verification of counterparties: When funds are moving across borders, it is critical to verify all parties involved in the transaction chain. This includes the sender, receiver, and any intermediaries. Enhanced checks should confirm the legitimacy of each party’s role and relationship to the customer.
Review of transaction purpose and economic rationale: EDD requires firms to understand the purpose of the transaction, whether it aligns with the customer’s known profile, and whether the amount and frequency are justified. Unusual patterns or circular fund flows should raise red flags and trigger further investigation.
Sanctions screening and compliance: Every cross-border transaction must be screened against international sanctions lists. This includes both the countries involved and the individuals or entities participating. Regly’s AML screening tools support this by automatically flagging risks based on the latest data.
Ongoing monitoring of international activity: Firms should implement rules or behavioral models that track cross-border activity over time. Spikes in volume, changes in destination countries, or use of high-risk intermediaries should be reviewed promptly. Regly’s transaction monitoring platform helps compliance teams stay alert to changes in risk across global payment flows.
Cross-border transactions can present hidden risks, even when the customer appears low risk at first glance. With the right tools and workflows, firms can maintain visibility across borders and apply EDD proportionately and effectively.
Real-World Enhanced Due Diligence Examples
These three real-world cases highlight the consequences of poor EDD practices and illustrate how deeper scrutiny could have helped identify serious risks before they escalated.
1. Bank Implicated in International Corruption Scheme
In a widely publicized case, a Swiss private bank was fined over $79 million by US authorities for its role in laundering bribes related to the FIFA corruption scandal. The bank had processed over $36 million in illicit payments to FIFA officials, many of whom qualified as Politically Exposed Persons.
Despite identifying these individuals as high risk, the bank failed to apply proper EDD measures. Compliance teams overlooked red flags, and internal alerts were ignored or dismissed without sufficient investigation. Regulators later found that the bank’s internal controls were ineffective and that senior management failed to enforce basic compliance protocols.
This case serves as a potent reminder that recognizing someone as a PEP is not enough. Firms must follow through with rigorous checks, independent verification, and documented risk-based decisions.
2. Payment Institution Loses License Over Compliance Failures
In June 2023, a bank revoked the license of a payment institution operating in Europe. The revocation followed repeated violations of AML and CTF requirements.
Regulators found that the institution failed to properly monitor its clients, particularly in identifying and managing PEPs and other high-risk entities. It lacked an effective EDD framework, resulting in poor screening, inadequate documentation, and limited transaction oversight.
This case illustrates how regulatory bodies are increasingly holding fintech firms accountable for systemic weaknesses in their compliance programs. Even smaller firms are expected to demonstrate robust, documented EDD procedures.
3. Financial Services Firm Penalized for Cross-Border Oversight Gaps
A financial services firm came under investigation for failures in its wealth management division, particularly concerning international clients. It reportedly allowed clients from high-risk countries, including Venezuela and Russia, to open accounts and move large sums of money without applying adequate due diligence.
In one case, a customer allegedly linked to terrorist financing was able to withdraw funds without undergoing enhanced scrutiny. The failure stemmed from insufficient risk assessments, weak internal controls, and a lack of effective EDD in cross-border transactions.
This situation underscores the importance of a strong, jurisdiction-aware EDD process, particularly when working with complex international client networks. Firms must evaluate the risk associated with each geography, transaction purpose, and participant to help minimize the likelihood of facilitating illicit activity.
EDD Challenges and Common Pitfalls
Enhanced due diligence often requires coordination across systems, teams, and data sources. As regulatory expectations grow, many firms struggle to keep pace, especially when high-risk cases require rapid, accurate decisions.
Below are some of the most common EDD challenges, along with how Regly helps solve them through its integrated compliance platform:
Inconsistent risk classification: Without a clear and objective framework, risk assessments can vary from one analyst to another. This leads to uneven treatment of customers and potential blind spots in high-risk onboarding. Relying on subjective judgment increases the chance of regulatory findings. Regly’s risk scoring tool allows firms to define and automate risk models that accurately reflect their unique exposure, promoting classifications that are consistent, transparent, and traceable.
Manual and fragmented processes: EDD often involves collecting documents, verifying data, tracking approvals, and following up on findings, all while coordinating across departments. When these steps happen in isolation or through email and spreadsheets, delays and errors are common. Regly brings these steps into a centralized platform, enabling teams to automate key workflows, assign tasks, and keep a complete, time-stamped record of every action taken.
Gaps in screening for sanctions, PEPs, and adverse media: Screening is only effective if it’s continuous, comprehensive, and up-to-date. Many firms rely on periodic checks or limited data sets, exposing them to undetected risks, especially for PEPs or individuals linked to financial crime. With Regly’s AML screening, firms can monitor customers and their networks in real time against sanctions, watchlists, and media sources, with alerts that update as new risks emerge.
Poor documentation and audit trails: Regulators expect a comprehensive audit trail for every high-risk decision, including the rationale for onboarding, the documents reviewed, and the individuals who approved each step. Disorganized records or undocumented decisions are among the most common reasons firms face enforcement. Regly’s policy and documentation tools help capture and organize every piece of evidence, making it easier for teams to demonstrate compliance and support internal reviews.
Lack of visibility across platforms: If KYC, transaction monitoring, and employee compliance tools do not communicate, risk signals can be missed. For example, a flagged transaction might go unnoticed if it isn’t tied to a customer’s risk profile or past behavior. Regly integrates KYC, transaction monitoring, employee compliance, and other core functions to provide teams with a unified view of customer risk, offering a centralized view that enhances awareness of key risk indicators.
By resolving these pain points, Regly enables compliance teams to focus on meaningful analysis rather than administrative tasks. This leads to faster reviews, fewer errors, and a stronger, more defensible EDD program.
—
Enhanced due diligence is a critical layer of protection for firms that are exposed to financial crime risk. Whether you are onboarding a high-risk customer, dealing with politically exposed persons, or managing complex cross-border activity, EDD provides the clarity and control needed to make informed, defensible decisions.
Regly brings together all the tools needed to streamline enhanced due diligence, from risk scoring and PEP screening to transaction monitoring and policy management. By centralizing these capabilities, Regly can help firms build EDD programs that are scalable and efficient.
Ready to Get Started?
Schedule a demo today and find out how Regly can help your business.