Enhanced Due Diligence (EDD): The Complete Guide for 2026

In 2024, global financial regulators issued more than $6.6 billion in AML-related fines, a stark reminder that compliance failures carry consequences well beyond legal fees. At the heart of many of these enforcement actions lies a common thread: inadequate enhanced due diligence.
Enhanced due diligence (EDD) is the deeper, more rigorous layer of customer investigation that financial institutions and regulated businesses must apply when standard checks aren’t enough.
Whether you’re onboarding a politically exposed person, processing transactions from a high-risk jurisdiction, or managing a client with an opaque ownership structure, EDD is the mechanism that separates compliant organizations from those that end up in headlines.
This guide covers everything you need to know about EDD: from its regulatory foundations and the enhanced due diligence process to real-world failures, enhanced due diligence AML requirements, and how technology is transforming compliance operations. Whether you’re implementing enhanced due diligence KYC checks for the first time or refining an existing program, this is a comprehensive resource.
What Is Enhanced Due Diligence (EDD)?

Enhanced due diligence is a set of additional verification and investigation measures applied to customers, transactions, or business relationships that present a higher risk of money laundering, terrorist financing, or other financial crimes. It goes beyond standard customer due diligence (CDD) by requiring deeper investigation into a customer’s identity, business activities, source of funds, and the nature of the relationship.
Understanding enhanced due diligence requirements is critical because EDD is not optional. It is mandated by multiple regulatory frameworks worldwide, including the Financial Action Task Force (FATF) Recommendations (specifically Recommendations 10 and 19), the EU’s Anti-Money Laundering Directives (currently AMLD6, with the AML Regulation taking effect in 2027), the U.S. Bank Secrecy Act (BSA) and FinCEN’s Customer Due Diligence Rule, and the UK’s Money Laundering Regulations 2017 (as amended).
The core principle behind EDD is a risk-based approach: not every customer requires the same level of scrutiny, but when risk indicators are present, institutions must dig deeper. Failing to apply EDD where it’s warranted is itself a regulatory violation, and one that auditors and examiners are specifically trained to identify.
CDD vs. EDD vs. SDD: Understanding the Three Tiers of Due Diligence
Most regulatory frameworks recognize three tiers of due diligence, each calibrated to a different level of risk. Understanding the distinctions is essential for building a proportionate compliance program.
What Is Customer Due Diligence (CDD)?

Customer due diligence is the baseline level of checks applied to all customers during onboarding and throughout the business relationship. CDD involves verifying the customer’s identity using reliable documents or data, identifying and verifying beneficial owners (anyone holding 25% or more ownership, or 10% in some jurisdictions), understanding the purpose and intended nature of the business relationship, and conducting ongoing monitoring of transactions to ensure they align with what’s expected.
CDD is the default — every customer goes through it.
What Is Simplified Due Diligence (SDD)?
Simplified due diligence applies when the risk of money laundering or terrorist financing is demonstrably low. This might include publicly listed companies on regulated exchanges, government institutions in low-risk jurisdictions, or low-value, low-frequency transactions below defined thresholds.
SDD reduces the depth of checks but does not eliminate them entirely. The institution must still be able to justify why the lower risk assessment is appropriate.
What Is Enhanced Due Diligence (EDD)?
Enhanced due diligence applies when risk factors indicate a higher-than-normal likelihood of financial crime. EDD involves all standard CDD measures plus additional investigation, such as identifying the source of wealth and source of funds, conducting deeper adverse media and sanctions screening, increasing the frequency and intensity of ongoing monitoring, and obtaining senior management approval before establishing or continuing the relationship.
Comparison of CDD vs. EDD vs. SDD
| Attribute | SDD (Low Risk) | CDD (Standard) | EDD (High Risk) |
| --- | --- | --- | --- |
| When applied | Demonstrably low-risk customers | All customers (default) | High-risk indicators present |
| Identity verification | Basic checks, may defer | Full verification required | Enhanced verification + additional documents |
| Beneficial ownership | Standard identification | Identify & verify UBOs | Deep UBO investigation + source of wealth |
| Source of funds | Not typically required | May be requested | Mandatory, with corroborating evidence |
| Ongoing monitoring | Reduced frequency | Standard monitoring | Intensified, higher-frequency monitoring |
| Senior management approval | Not required | Not required | Required for relationship establishment |
| Adverse media | Basic or deferred | Standard screening | Deep screening across multiple sources |
| Regulatory basis | FATF Rec. 10; AMLD Art. 15 | FATF Rec. 10; AMLD Art. 13 | FATF Rec. 19; AMLD Art. 18 |
When Is Enhanced Due Diligence Required?
EDD triggers fall into three broad categories: customer risk factors, geographic risk factors, and product or transaction risk factors. Most regulations don’t provide an exhaustive list; instead, they expect institutions to assess risk holistically using a combination of indicators.
High-Risk Customer Triggers
The most common customer-related triggers include politically exposed persons (PEPs) and their family members or close associates, customers with complex or opaque ownership structures where beneficial ownership is difficult to determine, customers flagged through adverse media screening for connections to financial crime, corruption, or fraud, shell companies or legal entities with no clear commercial rationale, and customers who have been the subject of suspicious activity reports (SARs) filed by other institutions.
High-Risk Geographic Factors
Geography plays a significant role in EDD triggers. Jurisdictions on the FATF’s list of high-risk or non-cooperative countries, countries subject to international sanctions (OFAC, EU, UN), jurisdictions with weak AML regulatory frameworks or known as tax havens, and conflict zones or countries with high levels of corruption (as measured by Transparency International’s CPI) are all geographic factors that may trigger EDD requirements.
Product, Transaction, and Channel Risk Factors
Certain products and transaction types inherently carry higher risk: private banking and wealth management services, correspondent banking relationships, cash-intensive businesses such as money services businesses, casinos, or precious metals dealers, cryptocurrency and virtual asset services (particularly involving privacy coins, mixers, or unhosted wallets), trade finance involving complex, multi-jurisdictional supply chains, and unusually large or complex transactions that don’t match the customer’s profile.
Industry-Specific Triggers
Different industries face different EDD landscapes. In banking, the focus is on correspondent banking, PEPs, and cross-border wire transfers. In fintech and payments, it’s cryptocurrency transactions, e-wallet funding sources, and merchant onboarding.
In real estate, it’s high-value property transactions, especially by foreign buyers or through legal entities. For professional services (law firms, accountants), the priority is trust and company service providers, client account management, and large cash transactions.
The Enhanced Due Diligence Process: A Step-by-Step Guide

While specific procedures vary by institution and jurisdiction, the EDD process generally follows a structured sequence of investigative steps.
Step 1: Collect Additional Identification and Verify Identity
Beyond standard CDD identity checks, EDD requires collecting additional identification documents from multiple independent sources. This might include certified copies of passports or national ID, proof of address from multiple utilities, corporate registration documents, board resolutions, or partnership agreements. The goal is to establish identity with a higher degree of certainty than CDD provides.
Step 2: Establish Source of Funds and Beneficial Ownership
This is often the most critical and time-consuming step. EDD requires understanding not just who the customer is, but where their money comes from (source of funds), how they accumulated their wealth (source of wealth), and who ultimately controls or benefits from the business relationship (beneficial ownership). For corporate entities, this means tracing ownership chains through multiple layers — including trusts, nominee arrangements, and offshore structures — until the ultimate beneficial owner(s) are identified.
Step 3: Conduct Adverse Media and Sanctions Screening
EDD demands more thorough screening than standard CDD. This includes searching across multiple adverse media databases and news sources (not just a single provider), screening against all relevant sanctions lists (OFAC SDN, EU Consolidated, UN, OFSI), checking PEP databases and watchlists, and reviewing court records, regulatory enforcement actions, and corporate filings. Screening should cover the customer, all beneficial owners, directors, and key controllers.
Step 4: Analyze Transaction Patterns and Behavior
For existing relationships, or during periodic EDD reviews, transaction analysis is essential. Compliance teams should look for transactions inconsistent with the stated purpose of the account, sudden changes in transaction volume, frequency, or geography, round-number transfers or structuring patterns that suggest attempts to avoid reporting thresholds, and fund flows involving high-risk jurisdictions or known shell company networks.
Step 5: Document Findings and Produce an EDD Report
Every EDD review must be thoroughly documented. The report should include a summary of all information gathered, the risk assessment methodology used and the risk rating assigned, a clear rationale for the decision to onboard, continue, or terminate the relationship, any conditions or restrictions applied (transaction limits, enhanced monitoring), and senior management approval (where required). This documentation serves as the institution’s evidence of compliance if questioned by regulators or auditors.
Enhanced Due Diligence Checklist: Key Attributes to Monitor
A structured enhanced due diligence checklist ensures consistency across your compliance team. Use the following as a baseline for your EDD reviews:
Identity and Ownership:
- Verified identity through multiple independent sources
- Beneficial ownership traced to the ultimate level
- Corporate structure mapped and documented
- Directors, signatories, and key controllers identified

Financial Profile:
- Source of funds identified and corroborated with documentary evidence
- Source of wealth established
- Expected transaction profile documented
- Initial deposit or transaction aligned with stated purpose

Screening and Intelligence:
- PEP screening completed (customer + all UBOs)
- Sanctions screening across all relevant lists
- Adverse media screening across multiple sources and languages
- Law enforcement or regulatory action checks

Risk Assessment:
- Overall risk rating assigned and justified
- Monitoring frequency and intensity defined
- Senior management approval obtained (where applicable)
- Next review date scheduled
Real-World EDD Failures: Case Studies and Enforcement Actions
Understanding how EDD failures play out in practice is the best way to appreciate why these processes matter. Here are three high-profile cases that illustrate the consequences.
Case 1: Credit Suisse and the Mozambique Scandal
In 2021, Credit Suisse agreed to pay approximately $475 million to settle charges related to a fraudulent loan scheme in Mozambique. The bank had arranged over $1 billion in loans to Mozambican state-owned enterprises, but failed to conduct adequate due diligence on the borrowers or the intended use of funds. Significant portions of the money were diverted through bribes and kickbacks. Regulators found that Credit Suisse’s EDD procedures failed to identify red flags that should have been obvious — including the involvement of intermediaries with known corruption risks and loan structures that lacked economic justification.
Case 2: Danske Bank Estonia
The Danske Bank money laundering scandal remains one of the largest in history. Between 2007 and 2015, approximately $230 billion in suspicious transactions flowed through the bank’s Estonian branch, much of it originating from Russia and other former Soviet states. Investigations revealed that the branch had virtually no effective EDD processes — customers were onboarded with minimal documentation, beneficial ownership was not investigated, and transaction monitoring was either absent or routinely overridden. The bank has since faced billions in fines and settlements across multiple jurisdictions, and the case triggered a complete overhaul of EU anti-money laundering regulation.
Case 3: TD Bank and FinCEN (2024)
In October 2024, TD Bank agreed to pay over $3 billion — the largest penalty ever imposed under the Bank Secrecy Act — to resolve charges of widespread AML failures. Regulators found that the bank had systematically underinvested in its compliance infrastructure, resulting in failures to monitor trillions of dollars in transactions and to file timely suspicious activity reports. The case highlighted that EDD failures aren’t just about individual customer reviews — they reflect systemic underinvestment in the people, processes, and technology that make compliance possible.
The common thread across these cases is clear: EDD failures are never isolated. They reflect broader institutional weaknesses in risk culture, compliance investment, and management oversight.
Ongoing Monitoring and Risk-Based EDD Reviews
EDD is not a one-time exercise. Regulatory frameworks universally require ongoing monitoring — the continuous or periodic review of customer activity to ensure it remains consistent with the institution’s understanding of the customer and their risk profile.
Effective ongoing monitoring for high-risk customers includes transaction monitoring with lower thresholds and higher sensitivity than standard-risk accounts, periodic re-screening against sanctions, PEP, and adverse media databases (quarterly or more frequently for the highest-risk customers), trigger-based reviews when specific events occur — such as a customer being newly designated as a PEP, a jurisdiction being added to the FATF grey list, or a significant change in transaction behavior, and scheduled full EDD reviews, typically annually for high-risk customers, though the frequency should be proportionate to the risk level.
When ongoing monitoring identifies new concerns, the institution must be prepared to escalate — whether that means filing a SAR, imposing additional restrictions, or ultimately exiting the relationship.
How AI and Technology Are Transforming EDD
Traditional EDD processes are resource-intensive. A single EDD review can take days or even weeks when performed manually, involving extensive document review, multi-source screening, and analyst judgment calls. As regulatory expectations increase and customer volumes grow, manual processes become a bottleneck and a source of inconsistency.
Modern enhanced due diligence software is changing this equation in several important ways. AI-powered risk scoring uses machine learning models that analyze hundreds of data points simultaneously to generate more accurate and consistent risk assessments, reducing reliance on rule-based systems that produce high false-positive rates.
Automated adverse media screening employs natural language processing (NLP) to scan news sources, court records, and regulatory databases in real time and across multiple languages, surfacing relevant negative information faster than human analysts can.
Digital identity verification leverages biometric verification, document authentication, and database cross-referencing to complete identity checks in minutes rather than days, while maintaining or improving accuracy.
Continuous transaction monitoring uses real-time monitoring systems that detect anomalies as they occur, rather than in batch-processing cycles, enabling faster response to suspicious activity.
API-driven data aggregation pulls information from multiple sources, such as corporate registries, sanctions databases, PEP lists, and credit bureaus, and combines it into a single investigation workflow, eliminating the manual tab-switching that slows traditional EDD.
The goal isn’t to remove human judgment from EDD; it’s to ensure that analysts spend their time on genuine risk assessment rather than data gathering. The most effective compliance programs combine automated data collection and screening with experienced human review for the final risk determination.
Best Practices for Building an Effective EDD Program
Based on regulatory guidance and industry experience, five practices consistently distinguish effective EDD programs from those that struggle.
Adopt a genuinely risk-based approach. Don’t apply a one-size-fits-all EDD template. Calibrate the depth and scope of your investigation to the specific risk factors present. A PEP from a low-risk jurisdiction with transparent wealth requires different handling than an opaque corporate entity in a sanctioned country.
Invest in staff training and expertise. EDD is only as good as the people performing it. Compliance analysts need regular training on emerging typologies, new regulatory requirements, and the specific red flags relevant to your institution’s products and customer base.
Maintain rigorous documentation standards. If it isn’t documented, it didn’t happen — at least as far as regulators are concerned. Ensure every EDD review produces a clear, auditable record of what was investigated, what was found, and why the decision was made.
Integrate technology without losing oversight. Technology should accelerate and standardize EDD, not replace accountability. Ensure that automated systems are regularly validated, that their outputs are reviewed by qualified staff, and that the institution can explain its risk decisions to regulators.
Align your program with regulatory expectations. Monitor regulatory developments, enforcement trends, and supervisory guidance. EDD expectations are not static — they evolve with the threat landscape, and institutions are expected to evolve with them.
Frequently Asked Questions
What is the main difference between CDD and EDD?
When should EDD be applied?
What are the 4 P’s of due diligence?
Is EDD required for all PEPs?
How long does an EDD review typically take?








