Enhanced Due Diligence (EDD): When It's Required and How to Apply It
Enhanced Due Diligence is the deeper level of customer scrutiny that regulated firms must apply to higher-risk customers and relationships. This guide explains the triggers that mandate EDD, how it differs from standard CDD, what source-of-funds and source-of-wealth investigation looks like in practice, and how to evidence EDD to a regulator.
The risk-based approach to AML rests on the principle that compliance effort should scale with risk. Standard customer due diligence is appropriate for ordinary customers in ordinary relationships. EDD is what the regime requires when the relationship is anything but ordinary — when the customer's profile, geography, or product use creates an elevated risk that the relationship may be misused for financial crime.
Most enforcement actions involving CDD failures are, on closer reading, EDD failures. The firm performed standard onboarding on a customer who should have been subject to enhanced scrutiny — and the elevated risk that should have been investigated never was. Getting EDD right is therefore one of the highest-leverage activities in any compliance programme.
What Triggers EDD
Some EDD triggers are mandated by regulation — the firm has no discretion to skip EDD when these conditions are present. Others are discretionary, driven by the firm's own risk assessment and the customer's specific circumstances. A well-designed compliance programme makes the mandatory triggers automatic and provides clear decision criteria for the discretionary ones.
The mandatory EDD triggers under most major AML regimes:
- Politically Exposed Persons (PEPs) — domestic and foreign PEPs, their family members, and known close associates. See our PEP screening guide for the full definition.
- Customers from FATF high-risk or monitored jurisdictions — the FATF "black list" (call for action) and "grey list" (jurisdictions under increased monitoring), updated three times a year.
- Correspondent banking relationships with respondent banks in foreign jurisdictions.
- Customers identified by the firm's risk assessment as high-risk on customer, geography, product, or channel grounds.
- Complex or unusual transactions with no apparent economic or lawful purpose.
- Non-face-to-face onboarding in jurisdictions where this is treated as inherently higher-risk.
Discretionary EDD is appropriate for any relationship where the firm has reason to believe the standard CDD level is insufficient — for example, a customer whose declared business model is unusual for their profile, whose transaction patterns deviate sharply from baseline, or whose corporate structure is more complex than commercially necessary.
What EDD Actually Requires
Enhanced Due Diligence is not standard CDD with more paperwork. It is a substantively different, deeper, evidence-driven process whose components are individually testable.
Senior Management Approval
EDD relationships must be approved by senior management before onboarding (or before the relationship continues, if the trigger arises later). "Senior" means an individual with the authority to refuse the relationship and the seniority to be accountable for the decision. The approval must be documented, dated, and tied to the EDD findings the manager reviewed.
Source of Funds and Source of Wealth Investigation
Source of funds and source of wealth are two distinct concepts that regulators expect firms to investigate separately. Source of funds is the origin of the specific money being placed into the account — salary, business revenue, sale of an asset. Source of wealth is the origin of the customer's overall accumulated wealth — career history, inheritance, investment gains, business sale. For high-risk customers, both must be investigated, and the explanations must be supported by independent documentation: payslips, audited accounts, sale-and-purchase agreements, tax returns. Self-declaration alone is not sufficient.
Enhanced Identity Verification
Where standard CDD might rely on a single identity document and a basic address check, EDD typically requires multiple independent identity sources, certified copies where originals are not provided, biometric verification, and verification of the customer's actual physical presence at the declared address. For corporate customers, full UBO unwrapping with independent registry verification is required regardless of structure complexity.
Adverse Media and Open-Source Investigation
EDD requires structured adverse media research — searching news, regulatory enforcement records, court records, and corporate filings for information about the customer that is not in the application. Negative findings do not automatically disqualify the customer, but they must be investigated, addressed, and documented. Failing to identify a customer's prior regulatory history when it was visible in a basic Google search is a recurring enforcement-action finding.
Tighter Ongoing Monitoring
EDD relationships are subject to more sensitive transaction monitoring thresholds, more frequent periodic reviews (typically annual rather than the three- to five-year cycle for standard customers), and immediate review on any material change in customer circumstances. Lower alert thresholds for EDD customers are not a bug — they are a feature.
Source of Funds vs Source of Wealth: The Distinction Regulators Test
The single most-tested element of EDD adequacy is the firm's investigation of source of funds and source of wealth. Regulators routinely sample EDD files, read the SoF/SoW documentation, and challenge whether the firm reached a defensible conclusion based on independent evidence.
A common failure pattern: the customer declares "business income" as the source of funds, the firm records that declaration in the file, and no further investigation occurs. This is not EDD — it is a self-declaration with a stamp. Genuine SoF investigation establishes which business, the financial profile of that business (audited accounts, tax filings), the typical revenue and margin profile that would support the funds being deposited, and any inconsistencies between the declared profile and the observed flows.
Source of wealth is the harder question for high-net-worth customers. A 45-year-old client with $20 million in liquid assets must have accumulated that wealth somehow — and the firm must be able to articulate the path. "Inheritance from family business" is not source of wealth; "sale of family business X to buyer Y in 2018, sale price $Z, after-tax proceeds $W, of which $V was the customer's share as documented in the share-sale agreement" is.
EDD on PEPs Specifically
PEP relationships are the archetypal EDD case. Every major regime mandates EDD on every PEP — domestic, foreign, international organisation officials, and their family members and known close associates. The reason is concrete: PEPs are exposed to bribery and corruption risk in a way ordinary customers are not, and the financial system has historically been the route through which the proceeds of corruption are laundered.
EDD on a PEP customer requires senior management approval before onboarding (most firms require board-level or equivalent sign-off), documented source-of-wealth investigation (with particular scrutiny of any wealth that cannot be tied to declared earnings or assets), enhanced ongoing transaction monitoring, and annual relationship review. See the PEP screening guide for the full PEP framework.
PEPs do not need to be exited — many are entirely legitimate customers. But the EDD process must establish that legitimacy through evidence, not through assumption.
Building EDD Into Your Compliance Operating Model
EDD that exists only on paper — a written policy with no operational implementation — is one of the most common findings in regulator inspections. Building genuine EDD into the operating model requires three practical steps.
First, the customer risk rating must be the first thing the system computes after data capture, and high-risk classification must automatically gate the workflow into the EDD path. See our guide on customer risk rating for the rating framework.
Second, the EDD case file must be a structured artefact, not a free-text note. It needs standard fields for SoF, SoW, adverse media findings, senior management approval, and rationale; standard documentary attachments; and standard escalation paths. Structure is what makes EDD defensible to a regulator.
Third, EDD outcomes must feed back into the risk model. A customer for whom EDD surfaced significant adverse findings is not the same customer the standard risk model classified before EDD ran. Update the rating, update the monitoring sensitivity, update the review cadence — and document each update. A modern compliance portal automates this loop.
EDD That Works the Way Regulators Expect
One Constellation's compliance portal automates EDD triggering, structures source-of-funds and source-of-wealth case files, captures senior management approval, and feeds outcomes back into the risk model — with a complete audit trail.
