Scoreplex
    Back to Blog
    EDD

    How to Conduct Enhanced Due Diligence (EDD) on a Company: 8-Step Guide (2026)

    To conduct Enhanced Due Diligence (EDD) on a company, follow 8 steps: (1) confirm the EDD trigger, (2) verify entity identity across jurisdictions, (3) map UBO structure and beneficial ownership, (4) establish source of funds and source of wealth, (5) screen against sanctions and PEP lists, (6) run adverse media analysis, (7) compile findings in an audit-ready narrative, and (8) set ongoing monitoring frequency. Each step is required under FATF Recommendation 10 and mirrored in EU AMLD6, UK MLRs

    Scoreplex

    May 21, 2026 · 25 min read

    Disclaimer

    This information is for general purposes only and does not constitute legal or compliance advice. Consult a qualified professional for specific guidance.

    To conduct Enhanced Due Diligence (EDD) on a company, follow 8 steps: (1) confirm the EDD trigger, (2) verify entity identity across jurisdictions, (3) map UBO structure and beneficial ownership, (4) establish source of funds and source of wealth, (5) screen against sanctions and PEP lists, (6) run adverse media analysis, (7) compile findings in an audit-ready narrative, and (8) set ongoing monitoring frequency. Each step is required under FATF Recommendation 10 and mirrored in EU AMLD6, UK MLRs, and the US CDD Rule.

    Enhanced Due Diligence (EDD) applies when standard Customer Due Diligence no longer provides adequate confidence about a business relationship. For corporate counterparties, the threshold is crossed regularly: a company with a complex ownership structure, directors in high-risk jurisdictions, or prior regulatory enforcement triggers EDD under any major AML framework. Standard CDD confirms that an entity exists. EDD answers the harder questions — who actually controls it, where the money comes from, and whether the risk profile can be substantiated with evidence a regulator would accept.

    For compliance teams, conducting Enhanced Due Diligence (EDD) on a company is a structured investigation, not an escalated form-fill. The process typically runs across eight discrete steps, each producing documentation that feeds into a final audit-ready case file. Done manually, a single EDD case takes between 30 and 240 minutes of analyst time and costs $10–80 per case. Done with AI-assisted tooling, the same workflow runs in 5–30 minutes at $2–5 per case — a gap that becomes material at any meaningful volume.

    This guide covers each step of the enhanced due diligence process for corporate entities: what to verify, what documentation to collect, and where the process most commonly breaks down. For a broader overview of EDD as a regulatory framework — including when it applies to individuals and PEPs — see the Enhanced Due Diligence complete guide. For the distinction between CDD and EDD at the process level, see EDD vs CDD: 7 Key Differences.

    Step 1: Confirm the Enhanced Due Diligence (EDD) Trigger

    The first step in the enhanced due diligence process is not data collection — it is a deliberate decision: does this counterparty require EDD, and on what regulatory basis?

    EDD is not discretionary. Under FATF Recommendation 10, financial institutions must apply enhanced measures whenever a business relationship presents higher risk. EU AMLD6 Articles 18–24 enumerate mandatory EDD scenarios; UK MLRs Regulation 33 and the US BSA CDD Final Rule (31 CFR Part 1010) follow the same risk-based logic. Skipping formal trigger confirmation is the compliance failure regulators cite most frequently in enforcement actions — not because firms failed to conduct EDD, but because they could not demonstrate why they escalated a case when they did, or why they did not escalate when the risk indicators were present.

    Enhanced Due Diligence (EDD) triggers for corporate counterparties include:

    • The company is incorporated or operates in a jurisdiction on the FATF grey list or EU high-risk third country list
    • Ownership structure involves shell companies, nominees, or multi-layer offshore entities that obscure the beneficial owner
    • One or more directors, shareholders, or UBOs are Politically Exposed Persons
    • The onboarding file contains adverse media hits, prior regulatory enforcement, or unresolved sanctions matches
    • The declared business activity is inconsistent with the company's transaction profile or sector risk classification
    • The relationship involves unusually large transactions, complex structures, or activity patterns with no clear commercial rationale
    • The company operates in a high-risk sector: cryptocurrency, arms dealing, gaming, or private banking

    The outcome of Step 1 is a documented escalation decision — a written record that identifies the specific trigger, references the applicable regulatory provision, and assigns the case to an analyst with EDD authority. Without this record, the rest of the EDD process lacks a defensible starting point.

    Regulatory anchor: FATF Recommendation 10 establishes the risk-based obligation. For a full breakdown of how EU AMLD6, UK MLRs, and US BSA diverge on specific trigger thresholds, see EDD Regulatory Requirements: EU AMLD6, UK MLRs, US BSA Compared.

    Step 2: Verify Entity Identity Across Jurisdictions

    Corporate identity verification under EDD goes substantially further than confirming that a company name appears in a registry. The objective is to establish a verified, multi-source picture of the legal entity: its current standing, registered details, filing history, authorised signatories, and any discrepancies between what the counterparty has declared and what official records show.

    What to verify from official registries:

    • Legal name and any trading names or former names
    • Registration number and date of incorporation
    • Current status: active, dissolved, dormant, or under administration
    • Legal form: limited company, LLC, partnership, branch, trust
    • Registered address and any mismatch with operational address
    • Directors and company secretary: names, appointment dates, any disqualifications
    • Filing history: confirmation statements, annual returns, accounts — gaps or persistent late filings are a risk indicator
    • Industry codes (SIC/NACE/ISIC) — cross-reference against declared business activity

    For domestic entities, a single official registry pull is usually sufficient as a starting point. For cross-border cases, the challenge is structural: registry standards differ significantly across jurisdictions. Some registers are real-time and machine-readable; others require manual requests, charge access fees, or publish data with multi-month delays. A company incorporated in a jurisdiction with low registry transparency demands a higher evidence threshold elsewhere in the EDD file.

    Documents to collect at this stage:

    • Certificate of incorporation or equivalent formation document
    • Articles of association or constitutional documents
    • Most recent confirmation statement or annual return
    • Proof of registered address (utility bills, lease agreements, or official correspondence)
    • Any licences or regulatory authorisations relevant to the declared business activity

    The EBA Guidelines on ML/TF Risk Factors (2021) explicitly require that enhanced identity verification for higher-risk entities go beyond registry data alone — corroborating sources, including regulatory filings and licensed databases, should be used where registry information is incomplete or unreliable.

    One practical failure point at this step is over-reliance on counterparty-supplied documents. Under EDD, the standard is independent verification: what can be confirmed from sources the counterparty does not control? For companies operating across multiple jurisdictions, this means pulling registry data from each relevant jurisdiction, not just the country of incorporation.

    Scoreplex retrieves real-time corporate registry data from 140+ business jurisdictions automatically, cross-references details across sources, and flags discrepancies between declared and registry information — eliminating the manual lookup cycle that typically accounts for 30–40% of total EDD analyst time per case.

    Next step: Once the entity's legal identity is confirmed, the process moves to mapping who actually controls it — which is where EDD on companies diverges most sharply from individual due diligence. See Step 3 below.

    Step 3: Map UBO Structure and Beneficial Ownership

    Beneficial ownership mapping is the step where most EDD cases on companies become genuinely complex. The legal entity verified in Step 2 is the counterparty of record. The Ultimate Beneficial Owner — the natural person who ultimately owns or controls that entity — is who the EDD process is actually assessing. In high-risk cases, the gap between the two can span multiple jurisdictions, several corporate layers, and deliberate structural opacity.

    Regulatory thresholds for UBO identification

    The standard threshold across major jurisdictions is 25% direct or indirect ownership or control. The FinCEN CDD Final Rule (31 CFR Part 1010.230) requires identification of any natural person owning 25% or more of a legal entity customer, plus one control person regardless of ownership stake. EU AMLD6 applies the same 25% threshold, with a fallback obligation to identify senior managing officials where no natural person meets the threshold or where ownership is deliberately obscured. UK MLRs mirror this structure.

    Under EDD, the threshold is a floor, not a ceiling. Where risk indicators are present, firms are expected to look beyond the 25% threshold and identify any person exercising significant control — including through contractual arrangements, voting agreements, or nominee structures.

    Mapping the ownership chain

    For straightforward structures — a company with two individual shareholders holding 60% and 40% respectively — UBO identification is a documentation exercise. For complex structures, it is an investigation. Common patterns that require deeper mapping include:

    • Multi-layer holding structures: Company A is owned by Company B, which is owned by Company C in a third jurisdiction. Each layer must be traced until natural persons are identified.
    • Nominee shareholders: Registered shareholders holding shares on behalf of an undisclosed beneficial owner. Nominee arrangements are legal in many jurisdictions but require disclosure and documentary evidence of the underlying principal.
    • Trust structures: Where a trust sits in the ownership chain, the relevant parties are the settlor, trustees, protector (if any), and beneficiaries — not the trust entity itself.
    • Bearer shares: Largely phased out under FATF pressure but still encountered in older corporate structures. Their presence is itself a risk indicator.

    Documentation to collect:

    • Shareholder register, current and historical
    • UBO declaration signed by an authorised officer
    • Documentary evidence for each ownership tier: certificates of incorporation, shareholder agreements, trust deeds where applicable
    • Corporate structure chart showing the full ownership chain to natural persons, with percentage holdings at each level
    • For nominee arrangements: written confirmation of the nominee relationship and identity of the principal

    The EDD file must demonstrate that the UBO mapping reflects the actual control structure — not simply what is declared. Where the ownership chain passes through a high-risk or low-transparency jurisdiction, independent verification from that jurisdiction's registry or a licensed third-party data source is required.

    Unresolved beneficial ownership is one of the most common findings in regulatory enforcement actions. If the ownership chain cannot be fully traced and documented, the risk assessment at Step 7 must reflect that gap explicitly — it cannot simply be left open.

    Cross-border structures: Where the ownership chain spans multiple jurisdictions with low registry transparency, the mapping process can take days manually. For how AI handles multi-jurisdiction UBO tracing automatically, see Cross-Border EDD: How to Conduct Due Diligence Across 140+ Jurisdictions.

    Step 4: Establish Source of Funds and Source of Wealth

    Source of funds and source of wealth verification is one of the most evidence-intensive steps in the EDD process — and the one where compliance teams most frequently receive pushback from counterparties. Understanding the distinction between the two is essential before requesting documentation.

    Source of funds (SoF) refers to the origin of the specific funds involved in the business relationship or transaction: the account from which payments are made, the revenue stream that generates inflows, the loan facility used to capitalise an investment. SoF is transactional — it answers where this money came from.

    Source of wealth (SoW) refers to the origin of the entity's or UBO's total wealth: how the business was built, how shareholding value was accumulated, how assets were acquired over time. SoW is biographical and structural — it answers how this wealth was generated overall.

    Under EU AMLD6 (EUR-Lex, Directive 2024/1640), EDD for higher-risk business relationships requires verification of both, not just one. UK MLRs Regulation 33 and FATF Recommendation 10 carry the same dual requirement. In practice, many compliance teams document SoF adequately but treat SoW as a secondary concern — a position regulators have consistently challenged in enforcement actions. Global AML/KYC fines totalled $6.6 billion in 2023, with inadequate source-of-funds documentation cited as a recurring deficiency across multiple major enforcement cases.

    Documents to request for source of funds:

    • Audited financial statements for the most recent two to three years
    • Management accounts where audited accounts are not yet available
    • Bank statements showing the specific accounts involved in the relationship
    • Loan or credit agreements where debt financing is involved
    • Investment or shareholder agreements where equity contributions are the source
    • Tax returns confirming declared revenues align with financial statements

    Documents to request for source of wealth:

    • Corporate history: founding documents, original investment records, evidence of business growth over time
    • Asset registers or property records where wealth is held in physical assets
    • Evidence of prior business disposals, inheritance, or other wealth-generating events
    • UBO-level SoW documentation where the beneficial owner's personal wealth is directly relevant to the relationship

    Red flags at this stage

    Inconsistencies between declared revenue and transaction volumes are the primary red flag. A company declaring modest annual turnover but transacting at multiples of that figure has an unexplained SoF gap. Other indicators include: inability or unwillingness to produce audited accounts, use of multiple intermediary accounts with no clear commercial rationale, and SoW narratives that cannot be corroborated by independent sources.

    According to LexisNexis, financial institutions globally spend over $100 billion annually on financial crime compliance — a significant portion of which is attributable to manual document review and evidence-chasing at exactly this step. Where documentation is incomplete or inconsistent, the EDD file must explicitly record what was requested, what was received, what gaps remain, and how those gaps affect the overall risk rating at Step 7.

    Regulatory reference: EU AMLD6 text via EUR-Lex establishes the dual SoF/SoW obligation for high-risk relationships. FATF Recommendation 10 commentary provides the risk-based framework for determining the depth of verification required in proportion to the risk presented.

    Step 5: Screen Against Sanctions, PEP Lists, and Watchlists

    Sanctions and PEP screening at the EDD stage differs from standard onboarding screening in one critical respect: the scope. Standard CDD screening typically covers the named counterparty and its directors. EDD screening must cover the full ownership chain mapped in Step 3 — every UBO, every intermediate holding entity, every key controller identified in the beneficial ownership analysis. A clean result at the entity level means nothing if a 30% UBO is on the OFAC SDN list.

    What to screen and against which lists

    For each natural person and legal entity identified in the ownership structure, screening must cover:

    • OFAC SDN and Sectoral Sanctions lists — US Treasury, mandatory for any USD-clearing institution and broadly applied as a global standard
    • UN Security Council Consolidated List — international multilateral sanctions
    • EU Consolidated Financial Sanctions List — mandatory for EU-regulated firms; updated in real time during active sanctions programmes
    • HMT (His Majesty's Treasury) Financial Sanctions List — UK-specific, maintained post-Brexit independently of EU lists
    • FATF grey list and black list — jurisdictions under increased monitoring or subject to countermeasures; relevant for entity-level risk scoring
    • National regulatory and law enforcement lists — FinCEN, FCA, BaFin, and equivalent authorities
    • 325+ additional watchlists — including Interpol notices, domestic enforcement databases, debarment registers, and sector-specific exclusion lists

    PEP screening for corporate counterparties

    PEP exposure in a corporate EDD case is rarely direct — it typically surfaces in the ownership structure. A director holding a government appointment, a UBO who is a former head of state, a shareholder who is the spouse of a senior public official: these are the patterns that trigger enhanced scrutiny under FATF Recommendation 12 and EU AMLD6 Chapter III.

    For EDD on a company, PEP screening must be applied to:

    • All directors and company secretaries
    • All UBOs identified in Step 3, regardless of ownership percentage under EDD conditions
    • Key signatories and authorised representatives
    • Any individuals identified in the broader control analysis — those exercising effective control without formal ownership stakes

    Where a PEP connection is confirmed, the EDD requirements escalate further: senior management approval is required before establishing or continuing the relationship, source of wealth verification deepens, and ongoing monitoring frequency increases. For a full breakdown of EDD requirements specific to PEP relationships, see EDD for PEPs: Enhanced Due Diligence for Politically Exposed Persons.

    The matching problem

    Sanctions and PEP screening against real-world data is not a binary lookup. Names appear in multiple transliterations, dates of birth are frequently inconsistent across sources, and common names generate large volumes of potential matches that must be individually assessed. Manual screening against 325+ lists for a corporate structure with five or six individuals in the ownership chain can take several hours per case — and still produce inconclusive results where name variants have not been systematically checked.

    The specific challenge is fuzzy matching: determining whether "Mohamed Al-Hassan" in a registry is the same individual as "Mohammed Hassan Al-Hassan" on a sanctions list requires systematic disambiguation, not just a string comparison. Without structured entity resolution, analysts default to either over-flagging — generating false positives that slow the process — or under-flagging, which creates regulatory exposure.

    Scoreplex screens across 325+ global watchlists and applies AI-driven entity resolution to reduce false positive rates by up to 85%, matching name variants, transliterations, and alternative date formats automatically rather than requiring manual adjudication for each potential hit.

    What to document at this step:

    • Date and scope of each screening run
    • Lists screened, with version or date of last update
    • All potential matches identified, with disposition: confirmed match, false positive with rationale, or unresolved pending further review
    • For confirmed PEP matches: senior management notification and approval record
    • For confirmed sanctions matches: immediate escalation to compliance officer and legal, with transaction freeze where required

    Step 6: Run Adverse Media Analysis

    Adverse media analysis is the step in the EDD process most frequently underestimated in scope and most frequently cited as deficient in regulatory reviews. It is not a Google search. It is a structured investigation across multiple source types, in multiple languages, designed to surface reputational, legal, and regulatory risk that does not appear in official registries or sanctions lists.

    What adverse media covers

    The scope of adverse media review under EDD encompasses any credible negative information about the counterparty, its directors, UBOs, or associated entities that is relevant to financial crime risk. This includes:

    • Criminal proceedings: fraud, money laundering, bribery, corruption, tax evasion, market manipulation
    • Regulatory enforcement: fines, licence revocations, supervisory warnings, debarment from public contracts
    • Civil litigation: large-scale disputes, asset freezing orders, judgments indicating financial misconduct
    • Investigative journalism and leaked documents: Panama Papers, Pandora Papers, and equivalent disclosures frequently surface ownership and conduct information not available through official channels
    • Reputational risk: associations with sanctioned individuals or entities, business relationships in high-risk sectors or jurisdictions, controversies that fall below the threshold of formal enforcement but indicate elevated risk

    The false positive problem

    Manual adverse media searches return up to 90% irrelevant results. A search on a company name in a major financial centre will return thousands of results: name collisions with unrelated entities, syndicated news articles duplicated across hundreds of outlets, historical allegations that were subsequently resolved, and results in languages the analyst cannot read. According to McKinsey, compliance teams spend up to 85% of their time on manual review tasks — and adverse media is one of the primary drivers of that figure.

    The noise problem is structural, not incidental. Common name collisions — particularly for companies incorporating generic terms like "Global", "Capital", or "Holdings" — generate false positive rates that make manual triage genuinely unworkable at scale. A compliance team conducting 500 EDD cases per month cannot manually adjudicate thousands of adverse media hits per case without either significantly extending review timelines or accepting systematic blind spots.

    AI-powered adverse media screening addresses this by clustering results by event rather than by mention, deduplicating syndicated content, ranking results by compliance relevance, and filtering by entity resolution — confirming whether a given result actually refers to the counterparty under review or to a different entity with a similar name. Scoreplex reduces adverse media false positives by up to 85% through this approach, covering sources in 200+ languages automatically. For a detailed breakdown of how false positives accumulate in manual EDD workflows and how AI eliminates them, see False Positives in EDD: How AI Reduces Adverse Media Noise by 85%.

    Source categories to cover:

    • Global and regional news databases: LexisNexis, Factiva, and equivalent licensed databases covering national and international press
    • Regulatory and enforcement databases: FCA, SEC, FINRA, BaFin, ECB, and equivalent supervisory authority enforcement registers
    • Court records: where accessible, civil and criminal court filings provide primary-source evidence of proceedings that news coverage may report incompletely or inaccurately
    • Structured data sources: ICIJ Offshore Leaks database, OpenSanctions, and other curated datasets aggregating disclosed financial crime information
    • Local language sources: for counterparties operating in non-English-speaking markets, adverse media in the local language frequently predates any English-language coverage by months or years — a gap that manual English-only searches systematically miss

    Assessing and recording adverse media findings

    Not all adverse media carries the same compliance weight. An unverified allegation in a tabloid from twelve years ago is categorically different from a current regulatory enforcement action. The EDD file must record:

    • Source, date, and nature of each adverse media finding
    • Relevance assessment: does this finding relate to the entity under review, or to a different entity?
    • Materiality assessment: does this finding indicate financial crime risk, or reputational risk that falls outside the AML/KYC scope?
    • Disposition: how the finding affects the overall risk rating, whether additional verification steps were triggered, and whether senior management was notified

    Where adverse media findings are unresolved — credible allegations that cannot be confirmed or definitively ruled out — the EDD file must reflect that uncertainty explicitly. A documented inconclusive finding is defensible. An undocumented finding that later surfaces in an enforcement investigation is not.

    Regulatory anchor: EBA Guidelines on ML/TF Risk Factors (2021), Section 4.3, address adverse media as a core component of the enhanced customer due diligence framework for higher-risk relationships. The guidelines are available as an official PDF at eba.europa.eu.

    Step 7: Compile Findings in an Audit-Ready Narrative

    The first six steps of the EDD process generate evidence. Step 7 converts that evidence into a decision. The audit-ready narrative is the document that ties together every verification result, every screening outcome, every adverse media finding, and every gap or unresolved flag into a single, coherent risk assessment that a compliance officer, senior manager, or regulator can read and evaluate without reference to any other source.

    This is the step that most clearly separates adequate EDD from defensible EDD. Regulators do not assess compliance quality by counting how many documents were collected. They assess it by reading the narrative: does this file demonstrate that the institution understood the risk, investigated it proportionately, reached a reasoned conclusion, and documented its reasoning in a way that can be scrutinised after the fact?

    Structure of an Enhanced Due Diligence (EDD) narrative report

    A well-constructed EDD narrative for a corporate counterparty covers the following in sequence:

    • Case header: entity name, jurisdiction of incorporation, date of EDD trigger, assigned analyst, review date, case reference number
    • Trigger summary: the specific risk indicator or indicators that escalated this case to EDD, with reference to the applicable regulatory provision
    • Entity verification summary: key findings from Step 2 — registration status, filing history, any discrepancies between declared and registry information
    • UBO structure summary: the full ownership chain as mapped in Step 3, with a chart or diagram, identification of all natural persons, and notation of any unresolved ownership gaps
    • Source of funds and wealth summary: key findings from Step 4, documents received, any inconsistencies identified, and how they were resolved or why they remain open
    • Screening results: outcome of all sanctions, PEP, and watchlist screening from Step 5 — confirmed matches with disposition, false positives with rationale, any pending items
    • Adverse media findings: material findings from Step 6, relevance and materiality assessments, and their effect on the overall risk rating
    • Overall risk rating: high, medium, or low, with explicit justification referencing the findings above — not a checkbox, a reasoned conclusion
    • Unresolved flags: a dedicated section listing any items that could not be resolved, with a description of what further action would be required to close them
    • Recommendation: approve, decline, or escalate for further review — with a clear statement of the business rationale for the recommendation
    • Senior management approval record: where required by policy or regulation, documented sign-off from a named senior manager, with date

    When senior management approval is required

    Under EU AMLD6 and FATF Recommendation 12, senior management approval is mandatory before establishing or continuing a business relationship with a PEP. Most institutional risk policies extend this requirement to any case rated high-risk, regardless of whether PEP exposure is the trigger. The approval record must be dated, attributed to a named individual with the appropriate authority, and preserved in the case file — a generic compliance sign-off without a named approver does not satisfy the regulatory requirement.

    Common deficiencies regulators identify in Enhanced Due Diligence (EDD) narratives

    Global AML/KYC fines reached $6.6 billion in 2023 and $4.6 billion in 2024. Across major enforcement actions in both years, regulators consistently cited the same narrative deficiencies: risk ratings without supporting rationale, unresolved flags left undocumented, screening results recorded without disposition, and senior management approvals missing or undated. The EDD file needs to answer the question a regulator would ask eighteen months after onboarding: "On what basis did this institution decide this relationship was acceptable?"

    The audit trail standard

    The EBA Guidelines on ML/TF Risk Factors (2021) require that EDD documentation be sufficient to demonstrate to competent authorities that the measures taken were proportionate to the risk identified. That standard has a practical implication: every finding must be traceable to a source, every source must be linked or referenced, and every decision must be explained rather than simply stated.

    Manual EDD processes typically produce audit trails consisting of emails, screenshots, and PDF attachments assembled in a case management system with inconsistent structure across analysts and regions. The resulting documentation is technically present but practically difficult to review — a problem that compounds at scale. McKinsey estimates that compliance teams spend up to 85% of their time on manual review tasks, with documentation assembly and formatting accounting for a disproportionate share of that time.

    A structured EDD narrative, produced to a consistent template with evidence links embedded throughout, reduces the time regulators spend reconstructing the decision trail — and reduces the risk that a legitimate, well-reasoned decision is misread as inadequate because the documentation does not clearly support it.

    For a full breakdown of what regulators specifically check in EDD documentation during inspections — document formats, retention periods, and audit trail standards — see EDD Documentation Requirements: What to Collect, Store, and Show Regulators.

    Step 8: Set Ongoing Monitoring Frequency

    Completing Steps 1 through 7 produces a defensible onboarding decision. Step 8 determines how long that decision remains valid. EDD is not a one-time exercise — it is the beginning of an enhanced monitoring relationship. The risk profile established at onboarding will change: ownership structures evolve, directors are appointed or removed, sanctions lists are updated, and adverse media emerges in real time. The monitoring framework set at Step 8 is what ensures the EDD file reflects the current risk picture, not a snapshot from eighteen months ago.

    Under FATF Recommendation 10 and EU AMLD6 Article 18, enhanced ongoing monitoring is a mandatory component of EDD — not an optional extension. The standard is explicit: for higher-risk relationships, monitoring must be more frequent and more thorough than for standard CDD customers. What "more frequent and more thorough" means in practice is left to the institution's risk-based judgement, documented in its monitoring policy.

    Setting the monitoring schedule

    Monitoring frequency should be calibrated to the risk rating established in Step 7, not applied uniformly across all EDD cases. A workable framework:

    • High-risk: full periodic review every six to twelve months, with continuous automated screening for sanctions and adverse media alerts between reviews
    • Medium-high risk: full periodic review annually, with automated screening running continuously
    • Medium risk escalated to EDD: full periodic review every twelve to twenty-four months, automated screening for material changes

    The monitoring schedule must be documented in the EDD case file at the point of onboarding — not assigned retrospectively when a review falls due. Regulators expect to see a named review date, a named responsible analyst or team, and a defined trigger list for out-of-cycle reviews.

    Trigger-based re-review

    Beyond scheduled periodic reviews, specific events must trigger an immediate EDD re-review regardless of where the counterparty sits in the monitoring cycle:

    • Ownership or directorship changes: any new UBO, director appointment, or structural reorganisation requires re-verification of the affected parties
    • Adverse media alerts: credible new reporting on the entity, its directors, or its UBOs requires assessment within a defined response window — typically 48 to 72 hours for material findings
    • Sanctions list updates: a new designation affecting any person in the ownership structure requires immediate escalation and transaction freeze assessment
    • Transaction anomalies: activity patterns that deviate materially from the profile established at onboarding — volume spikes, new counterparties in high-risk jurisdictions, unusual payment structures — require re-review under most institutional risk policies
    • Customer-initiated changes: new products, new jurisdictions, significant changes in declared business activity

    What the monitoring log must contain

    Each review cycle — whether periodic or trigger-based — generates a monitoring record that is appended to the original EDD case file:

    • Review date and trigger type: scheduled or event-driven
    • Scope of review: which elements were re-verified and which were carried forward from the prior review
    • Findings: any material changes to the risk profile, new adverse media, screening updates
    • Updated risk rating: if the rating has changed, with rationale
    • Next review date: reset from the date of this review, not from the original onboarding date
    • Approvals: senior management sign-off where the updated risk rating or a new finding requires it

    The monitoring gap problem

    Manual monitoring at EDD frequency is operationally demanding. A compliance team managing 500 high-risk corporate relationships on annual reviews must conduct approximately ten full EDD reviews per week — each requiring registry re-checks, sanctions re-screening, adverse media re-analysis, and documentation updates. Between scheduled reviews, continuous monitoring depends on manual processes: periodic list downloads, ad hoc news searches, and transaction surveillance that is rarely integrated with the EDD case file.

    The result, across most institutions running manual EDD workflows, is a monitoring programme that is formally compliant on paper — review dates are set, periodic reviews are conducted — but operationally fragmented. Trigger-based monitoring in particular tends to fail: adverse media that emerges between reviews is not systematically captured, and ownership changes notified by the counterparty are not automatically cross-referenced against the existing EDD file.

    Automated continuous monitoring closes this gap by running sanctions, PEP, and adverse media screening in real time against every active EDD relationship, surfacing material changes as alerts rather than waiting for a scheduled review cycle to catch them. At 500 cases per month, the direct cost saving of AI-assisted EDD — including monitoring — exceeds $219,000 annually compared to manual workflows.

    From onboarding to monitoring in a single workflow: For a full breakdown of how AI compresses the entire EDD timeline — from trigger confirmation to ongoing monitoring — see How Long Does Enhanced Due Diligence Take? Manual vs AI Timelines.

    How AI Changes the Enhanced Due Diligence (EDD) Process: Manual vs Automated

    The eight-step EDD process described above is fixed by regulatory requirement. What varies significantly is the time, cost, and consistency with which each step is executed — and that variance is determined almost entirely by whether the workflow is manual or AI-assisted.

    Manual EDD on a corporate counterparty costs between $10 and $80 per case in direct analyst time, depending on the complexity of the ownership structure, the number of jurisdictions involved, and the volume of adverse media results requiring triage. A full corporate onboarding — from EDD trigger to approved case file — consumes an average of 51 hours of manual labour end-to-end. At any meaningful volume, that figure becomes a structural bottleneck: compliance teams either slow onboarding to maintain quality, or compress review time and accept the documentation gaps that follow.

    AI-native EDD platforms reduce per-case cost to $2–5 and per-case processing time to 5–30 minutes by automating the most time-intensive steps: registry verification across 140+ jurisdictions, UBO chain mapping, sanctions and PEP screening across 325+ watchlists, adverse media analysis across 200+ languages, and structured narrative generation. The analyst's role shifts from data collection to decision review — assessing a pre-populated, evidence-linked case file rather than assembling one from scratch.

    Manual Enhanced Due Diligence (EDD) vs AI-Assisted EDD: Step-by-Step Comparison

    EDD Step
    Manual Workflow
    AI-Assisted with Scoreplex
    Step 1: Trigger confirmation
    Manual risk flag review and policy lookup.
    Automated risk scoring against a configurable trigger matrix.
    Step 2: Entity identity verification
    Manual registry lookups by jurisdiction and request.
    Real-time data from 140+ business jurisdictions with automatic cross-referencing.
    Step 3: UBO mapping
    Manual ownership-chain tracing and spreadsheet-based structure charts.
    Automated multi-layer ownership mapping with discrepancy detection.
    Step 4: Source of funds and wealth
    Manual document review and email-based RFI loops.
    AI document analysis with cross-referencing against available case and financial evidence.
    Step 5: Sanctions and PEP screening
    Batch screening and manual fuzzy-match adjudication.
    Screening across 325+ watchlists with AI-assisted entity resolution and up to 85% fewer false positives.
    Step 6: Adverse media
    High false-positive workload and limited multilingual source coverage.
    200+ language coverage, event clustering, and up to 85% adverse-media noise reduction.
    Step 7: Audit-ready narrative
    Manual report writing with inconsistent formatting across analysts.
    Structured narrative generated automatically with evidence linked throughout the case file.
    Step 8: Ongoing monitoring
    Scheduled manual reviews with limited visibility between review cycles.
    Continuous automated screening and trigger-based alerts.
    Total per-case cost
    $10–$80 · 30–240 minutes
    $2–$5 · 5–30 minutes

    The cost differential compounds at volume. At 500 EDD cases per month, the direct saving from AI-assisted workflows exceeds $219,000 annually — before accounting for the revenue impact of faster onboarding and the regulatory risk reduction from more consistent documentation. For a full cost model across three volume scenarios, see EDD Cost Breakdown: What Manual Reviews Actually Cost vs AI Automation.

    Where AI has the highest practical impact on the Enhanced Due Diligence (EDD) process

    The steps where AI delivers the largest time reduction are not necessarily the most complex ones. Registry verification (Step 2) and adverse media triage (Step 6) together account for the majority of manual EDD time in most workflows — not because they require sophisticated judgement, but because they involve large volumes of structured and unstructured data that humans process slowly and inconsistently. AI handles both at a speed and consistency that manual workflows cannot match at any scale.

    UBO mapping (Step 3) benefits from AI differently: the time saving is smaller for simple structures, but the coverage improvement is significant for cross-border cases. A manually-traced ownership chain through three jurisdictions might miss a nominee layer or fail to cross-reference a dissolved intermediate entity. AI-assisted mapping applies the same thoroughness regardless of chain length or jurisdictional complexity.

    The narrative report (Step 7) is where AI eliminates the largest source of inter-analyst inconsistency. Manual EDD narratives vary in structure, depth, and evidence linkage depending on who wrote them and under what time pressure. A structured AI-generated narrative applies a consistent template across every case, with evidence references embedded and unresolved flags explicitly flagged — reducing both documentation quality variance and the time senior reviewers spend reformatting before sign-off.

    For a detailed breakdown of how an AI agent handles each step of the EDD workflow end-to-end, see EDD AI Agent: What It Is, How It Works, and What It Replaces.

    About Scoreplex

    Scoreplex is a AI-coworker that automates customer due diligence, minimizes false positives, streamlines document verification, and generates comprehensive narrative reports.

    How it works:From a single company input, it produces a complete business risk profile, including::

    • Official registry checks with UBO identification and full ownership chains
    • Global sanctions and PEP screening
    • Real-time adverse media monitoring with structured events and source attribution
    • Automated document verification (incorporation records, address validation)
    • Website analysis and cross-checks of company details, products, contacts, and locations
    • Product and customer review analysis (Trustpilot, G2, Google Reviews)
    • Social media analysis of corporate accounts and profiles of founders and directors
    • High-risk country exposure assessment based on aggregated signals
    • A structured risk summary highlighting red flags, rationale, and direct source links

    Built for Faster, Smarter EDD Decisions:

    • 10× faster reviews through end-to-end automation
    • Up to 10× lower costs compared to traditional service providers
    • Significantly fewer false positives driven by registry-first matching and transparent risk signals

    Book a Demo

    Frequently Asked Questions About Conducting Enhanced Due Diligence (EDD) on a Company

    What triggers Enhanced Due Diligence (EDD) on a company?

    Enhanced due diligence on a company is triggered when the business relationship presents elevated risk that standard CDD measures cannot adequately address. Common triggers include: incorporation or operations in a FATF grey-listed or EU high-risk jurisdiction, complex or opaque ownership structures involving shell companies or nominees, UBOs or directors who are Politically Exposed Persons, adverse media or prior regulatory enforcement, unusual transaction patterns inconsistent with declared business activity, and involvement in high-risk sectors such as cryptocurrency, gaming, or private banking. Under FATF Recommendation 10, EU AMLD6, and UK MLRs Regulation 33, the trigger determination must be documented with reference to the specific risk indicator identified.

    What are the steps of the Enhanced Due Diligence (EDD) process for a company?

    The enhanced due diligence process for a corporate counterparty follows eight steps: (1) confirm the EDD trigger and document the regulatory basis; (2) verify entity identity across relevant jurisdictions using official registries; (3) map the UBO structure and trace the ownership chain to natural persons; (4) establish source of funds and source of wealth with supporting documentation; (5) screen all individuals and entities in the ownership structure against sanctions lists, PEP databases, and 325+ global watchlists; (6) conduct adverse media analysis across multiple source types and languages; (7) compile all findings into an audit-ready narrative with a documented risk rating and senior management approval where required; (8) set ongoing monitoring frequency calibrated to the risk rating. Each step produces documentation that feeds into the final case file.

    How long does the Enhanced Due Diligence (EDD) process take for a company?

    Manual EDD on a company takes between 30 and 240 minutes of direct analyst time per case, depending on ownership structure complexity and the number of jurisdictions involved. A full corporate onboarding — from trigger confirmation to approved case file — typically consumes 51 hours of manual labour end-to-end across all steps, including document collection, registry lookups, screening, and narrative writing. AI-assisted EDD reduces per-case processing time to 5–30 minutes by automating the most time-intensive steps.

    What documents are required for Enhanced Due Diligence (EDD) on a company?

    EDD documentation requirements for a corporate counterparty typically include: certificate of incorporation and constitutional documents, current shareholder register and UBO declaration, corporate structure chart tracing ownership to natural persons, audited financial statements and bank statements for source of funds verification, sanctions and PEP screening records with disposition notes for all matches, adverse media review records with source references, and the final EDD narrative with overall risk rating and senior management approval where applicable.

    Who is responsible for conducting Enhanced Due Diligence (EDD) in a financial institution?

    Responsibility for conducting EDD sits with the compliance function, but the specific assignment depends on institutional structure. Frontline KYB or onboarding analysts typically perform the data collection and verification steps. Compliance officers or MLROs review findings, assess the overall risk rating, and make the approval or escalation decision. Senior management approval is required for high-risk relationships and mandatory for PEP relationships under FATF Recommendation 12 and EU AMLD6. The EDD case file must record the name and role of each individual involved at each stage — an anonymous approval record does not satisfy regulatory requirements.

    How does AI change the Enhanced Due Diligence (EDD) process for compliance teams?

    AI changes the EDD process by automating the data collection, screening, and documentation steps that currently consume the majority of analyst time — without replacing the compliance judgement that sits at the end of the process. Specifically, AI handles real-time registry verification across 140+ jurisdictions, multi-layer UBO chain mapping, sanctions and PEP screening across 325+ watchlists with entity resolution that reduces false positives by up to 85%, adverse media analysis across 200+ languages with event clustering and noise reduction, and structured narrative generation from verified evidence. The result is a per-case cost reduction from $10–80 to $2–5 and a processing time reduction from 30–240 minutes to 5–30 minutes. Analysts review a pre-populated, evidence-linked case file rather than assembling one from scratch.