Enhanced Due Diligence (EDD) vs Customer Due Diligence (CDD): Key Differences Explained

Customer Due Diligence, or CDD, is the baseline level of due diligence used to identify a customer, verify key facts, understand the business relationship, and assess standard risk. Enhanced Due Diligence, or EDD, is the deeper review applied when the risk is higher. That higher risk may come from a complex ownership structure, a high-risk jurisdiction, politically exposed persons, adverse media, sanctions exposure, unusual business activity, or weak transparency around the customer. The differ

The difference between CDD and EDD is practical. CDD helps a compliance team confirm who the customer is and whether the relationship looks acceptable at a standard level of risk. EDD is used when those baseline checks do not give enough confidence. It requires broader evidence, deeper ownership analysis, stronger source validation, tighter documentation, and closer ongoing monitoring.

In business onboarding, this distinction matters because many higher-risk cases look ordinary at first glance. A company may pass basic verification while still raising serious concerns once its controllers, operating footprint, counterparties, media record, or real business activity are examined in more detail. That is where CDD ends and EDD begins.

Customer Due Diligence (CDD) vs Enhanced Due Diligence (EDD) at a glance

CDD is the baseline due diligence layer used to identify the customer, verify core facts, understand the relationship, and maintain risk-based ongoing monitoring. EDD is the deeper review applied when the risk is higher or when a relationship falls into categories that require stronger scrutiny under a risk-based framework.

Dimension	CDD	EDD
Primary purpose	Establish baseline trust and confirm the customer profile.	Resolve elevated risk and test whether the relationship is defensible.
Typical risk level	Standard or lower-risk cases.	Higher-risk cases.
When it applies	Routine onboarding and standard reviews.	When risk triggers appear or the case requires deeper scrutiny.
Identity verification	Confirms core identity details.	Confirms identity and probes inconsistencies or gaps more aggressively.
Ownership review	Basic beneficial ownership review where relevant.	Deeper ownership and control analysis, including layered or opaque structures.
Source checks	Usually limited to the core profile and business rationale.	Broader validation of source of funds and, where relevant, source of wealth.
Screening intensity	Standard sanctions, PEP, and adverse media checks.	More detailed review of matches, context, severity, and related parties.
Documentation	Sufficient to support baseline onboarding.	Stronger evidence set and clearer rationale for audit and escalation.
Approval path	Standard review flow.	Often requires senior review or additional escalation.
Monitoring after onboarding	Risk-based ongoing monitoring at a normal cadence.	Closer monitoring, more frequent review, and stronger update expectations.
Typical outcome	The customer appears acceptable at a baseline risk level.	The customer is either cleared with stronger justification or escalated further.

The simplest way to think about it is this: CDD asks whether the customer can be understood and onboarded at a standard risk level. EDD asks whether the case still holds up after deeper testing of ownership, activity, reputation, and exposure.

What is Customer Due Diligence (CDD)?

Customer Due Diligence, or CDD, is the baseline process used to identify a customer, verify key facts, understand the purpose of the relationship, and assess whether the risk appears acceptable at onboarding. It is the standard layer of due diligence applied before a case is treated as higher risk.

In practice, CDD is designed to answer a simple question: do we know who this customer is, what they do, and whether there are any clear reasons not to proceed?

For an individual, that usually means verifying identity and checking whether the person presents sanctions, PEP, fraud, or reputational concerns. For a business, CDD usually includes verifying the legal entity, reviewing core registration details, identifying beneficial owners where required, understanding the nature of the company’s activity, and screening the business and relevant associated persons.

CDD typically includes:

identity and verification checks
basic understanding of the customer’s activity or purpose
beneficial ownership review where relevant
sanctions, PEP, and adverse media screening at a standard level
initial risk classification
ongoing monitoring based on the customer’s risk profile

That does not make CDD a light or optional exercise. Done properly, it is the foundation of a risk-based compliance program. It helps teams create a documented baseline, apply controls consistently, and decide whether a case can move through a standard onboarding path.

The limit of CDD is also its purpose. It is built to establish baseline trust, not to fully investigate every possible risk angle. If ownership is unclear, the jurisdiction is sensitive, the business model looks unusual, or screening results raise broader concerns, standard CDD stops being enough.

What is Enhanced Due Diligence (EDD)?

Enhanced Due Diligence, or EDD, is the deeper level of review used when standard due diligence does not provide enough confidence. It applies when a customer, business relationship, ownership structure, geography, or activity presents elevated risk and requires stronger scrutiny before a decision is made.

In simple terms, CDD confirms the baseline. EDD tests whether that baseline still holds up once the case is examined in more depth.

For an individual, EDD may involve a closer review of sanctions and PEP exposure, adverse media, source of funds, source of wealth, and broader reputational risk. For a business, it usually means going further into ownership and control, related parties, jurisdictional exposure, business model credibility, public footprint, and the consistency of the customer’s declared profile with what can actually be verified.

EDD usually includes:

deeper ownership and control analysis
expanded sanctions, PEP, and adverse media review
closer examination of high-risk geographies and sectors
stronger validation of source of funds and, where relevant, source of wealth
review of inconsistencies, missing information, and unusual patterns
a more explicit evidence trail for internal review and audit
tighter monitoring and reassessment after onboarding

The point of EDD is not to collect more paperwork for its own sake. The point is to reduce uncertainty in cases where the standard process leaves too many open questions. A customer may look acceptable at first glance, yet still create serious compliance exposure once layered ownership, hidden controllers, negative media, sanctions proximity, or weak operational substance are examined properly.

That is why EDD should be treated as a risk-resolution process, not just a longer checklist. It is used when the team needs a clearer, more defensible view of who is behind the customer, how the relationship makes sense, and whether the case can be approved with confidence.

7 key differences between Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

The clearest way to separate CDD from EDD is to look at what each process is trying to achieve. CDD establishes the customer’s baseline profile and supports standard risk-based monitoring. EDD is used when that baseline is not enough and the relationship requires deeper scrutiny because the risk is higher or the uncertainty is greater. Under a risk-based framework, the distinction is not cosmetic. It affects how deeply the case is investigated, what evidence is required, and how closely the relationship is monitored over time.

1. Risk threshold

CDD is built for standard-risk relationships. It helps a team identify the customer, understand the nature and purpose of the relationship, and assign an initial risk profile. EDD begins when that standard level of review no longer provides enough confidence. In other words, CDD handles the ordinary case. EDD is the escalation layer for higher-risk cases.

2. Depth of investigation

CDD verifies core facts. EDD pressure-tests them. A standard CDD workflow may confirm that a company exists, that basic ownership information is available, and that there are no obvious red flags at first pass. EDD goes further by asking whether the declared profile actually makes sense once the structure, activity, counterparties, and external signals are examined in more detail. The move from CDD to EDD is really a move from baseline verification to deeper risk resolution.

3. Ownership and control analysis

CDD usually includes beneficial ownership review where relevant. EDD goes deeper into ownership and control, especially when the structure is layered, cross-border, opaque, or hard to reconcile. That matters because higher-risk business relationships often hide their real exposure in intermediate entities, indirect controllers, nominee arrangements, or weak transparency across jurisdictions. For legal entities, this is one of the most important practical differences between the two levels of review.

4. Source validation

CDD typically focuses on whether the customer profile and relationship purpose are understandable at a baseline level. EDD often requires stronger source validation, especially around source of funds and, where relevant, source of wealth. This is where teams move beyond identity and registration data and start testing whether the economic story behind the customer is credible and consistent with the available evidence. That deeper validation is one of the clearest signals that a case has moved into EDD territory.

5. Screening and adverse media intensity

CDD usually involves standard sanctions, PEP, and adverse media checks. EDD requires a more serious review of what those results actually mean. A name hit, a reputational concern, or a jurisdictional signal is rarely useful on its own. In EDD, the analyst has to assess context, relevance, severity, recency, related parties, and whether the issue changes the overall risk view. The difference is not just more screening. It is more interpretation and stronger judgment around the screening output.

6. Documentation and defensibility

CDD needs documentation that supports onboarding and routine monitoring. EDD needs a stronger evidence trail and a clearer explanation of why the relationship can or cannot be justified. That usually means more explicit reasoning, more structured evidence, and a more defensible case file for internal escalation, audit, or regulatory review. This is where weak compliance programs often fail: they perform extra checks but do not document the logic behind the final decision well enough.

7. Monitoring after onboarding

CDD does not stop at onboarding. It includes ongoing monitoring and periodic updates based on the customer’s risk profile. EDD raises that standard. Higher-risk relationships usually require closer monitoring, more frequent reassessment, and stronger expectations for refreshing information when the risk picture changes. So the difference between CDD and EDD is not limited to onboarding. It continues through the life of the relationship.

A simple way to summarize the distinction is this: CDD establishes whether the customer can be understood and handled through the standard due diligence path. EDD is used when the team needs deeper evidence and stronger reasoning before it can be comfortable with the risk. That is why EDD should be treated as a different operating mode, not just a longer checklist.

When should a team escalate from Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD)?

A team should escalate from CDD to EDD when the baseline review no longer provides enough confidence about who the customer is, how the relationship makes sense, or whether the risk can be understood through standard controls. That is the core logic of a risk-based approach: standard due diligence for standard risk, enhanced due diligence when the case presents higher risk or greater uncertainty.

In practice, escalation usually starts when the facts are technically present but still not convincing. A company may be registered, yet its ownership chain is hard to reconcile. A customer may pass screening, yet the surrounding media context raises unanswered questions. A business model may be legal on paper, yet look inconsistent with the customer’s footprint, counterparties, geography, or expected activity. That is the point where standard verification stops being enough and deeper risk resolution becomes necessary.

Common escalation triggers include:

politically exposed persons or close associates
exposure to high-risk jurisdictions or weak AML controls
complex, layered, cross-border, or opaque ownership structures
unusual source of funds or source of wealth questions
significant adverse media, sanctions ambiguity, or reputational concerns
customer activity that does not match the declared profile

A useful operating rule is this: if the customer can be identified but the risk story is still unclear, the case probably needs EDD. Escalation should not depend on analyst instinct alone. It should be tied to clear triggers, stronger evidence requirements, and a more defensible review path. Recent FCA findings reinforce that weak CDD and EDD processes often fail not because firms collect no data, but because escalation, judgment, and ongoing due diligence are applied inconsistently.s

Customer Due Diligence (CDD) vs Enhanced Due Diligence (EDD) in business onboarding and KYB

The difference between CDD and EDD becomes more visible in business onboarding than in simple retail onboarding. With an individual customer, the baseline review is often more straightforward. With a legal entity, the team has to understand the company itself, the people behind it, the ownership chain, the control structure, the purpose of the relationship, and whether the declared business profile matches what can actually be verified. That is why KYB often exposes the limits of standard CDD faster than other onboarding flows. FFIEC’s legal-entity guidance and FATF’s beneficial ownership work both reinforce the same point: for businesses, beneficial ownership and control are central to risk-based due diligence.

In a low-complexity case, CDD may be enough. A domestic company with clear registration data, transparent ownership, understandable activity, and no meaningful screening concerns can usually move through a standard review path. The problem is that many business customers do not look like that. A company may exist in the registry and still present elevated risk because the ownership chain is layered, foreign entities sit in the structure, the declared activity is vague, or the real controllers are difficult to identify with confidence. FATF’s updated guidance on legal persons explicitly highlights the need for adequate, accurate, and up-to-date beneficial ownership information, especially where foreign companies and cross-border exposure increase risk.

This is where EDD in KYB becomes materially different from baseline CDD. The review often has to go beyond registry data and move into ownership mapping, related-party screening, adverse media context, jurisdictional exposure, and deeper checks on whether the company shows real operational substance. For a more practical look at how teams extend KYB beyond formal registry records, check AI enrichment for KYB.

In practice, EDD is often triggered when the legal entity can be identified, but the business still cannot be understood well enough through standard controls alone. FFIEC’s risk-based approach says the level and type of CDD should be commensurate with the risks presented by the customer relationship. In business onboarding, that usually means more scrutiny when the structure is harder to explain or the risk signals do not line up cleanly. This also connects naturally to a deeper explanation of business analysis in KYB workflows.

A common failure pattern is that the team verifies that the company exists, but never gets to a clear view of the real risk behind it. That gap is often exactly where CDD ends and EDD begins.

Common mistakes teams make when separating Customer Due Diligence (CDD) from Enhanced Due Diligence (EDD)

The biggest CDD vs EDD mistakes usually come from process design, not from missing data. Teams often collect enough information to spot elevated risk, but fail to escalate properly, investigate deeply enough, or document the final judgment clearly.

1. Treating Enhanced Due Diligence (EDD) as a longer version of Customer Due Diligence (CDD)

This is the most basic mistake. EDD is not standard CDD plus a few extra checks. It is a different review mode used when the baseline process does not resolve the risk.

That distinction matters because a team can complete more tasks without actually answering the key question: is this relationship acceptable once the higher-risk factors are examined properly?

2. Using vague escalation criteria

Many firms say they apply a risk-based approach, but the real escalation logic is weak. Analysts are left to decide case by case what counts as “higher risk,” which creates inconsistent outcomes.

The result is predictable: some risky customers stay in a standard CDD path for too long, while low-value noise gets escalated into unnecessary EDD work.

3. Collecting more data without resolving the risk

This is where many EDD workflows become busy but useless. The team gathers more documents, runs more searches, and adds more screenshots, but the final risk picture is still unclear.

EDD is supposed to reduce uncertainty. If the review produces more material without producing a clearer conclusion, the process is failing.

4. Stopping too early in ownership analysis

In business onboarding, this is one of the most expensive mistakes. The team verifies the company, identifies a direct shareholder, and stops. But in higher-risk KYB cases, the real exposure often sits deeper in the structure.

Indirect ownership, foreign entities, nominee patterns, hidden controllers, and hard-to-verify beneficial owners are exactly the issues that separate CDD from EDD in practice.

5. Documenting checks, but not the reasoning

A case file can contain plenty of evidence and still be weak. The problem appears when the file shows what was collected, but not why the case was approved, escalated, or rejected.

That creates two problems at once: weak audit defensibility and weak internal continuity. The next reviewer sees the inputs, but not the logic.

6. Forgetting that Enhanced Due Diligence (EDD) continues after onboarding

Some teams treat EDD as a one-time onboarding exercise. That is wrong. Higher-risk relationships usually require enhanced ongoing due diligence as well.

If a case needed deeper review at onboarding, it often also needs tighter monitoring, more frequent refreshes, and stronger expectations around updated information.

What this means in practice

Most CDD vs EDD failures come down to five things: weak escalation rules, shallow ownership review, data collection without risk resolution, poor documentation, and weak follow-through after onboarding.

If a team wants to separate CDD from EDD properly, it needs a clear trigger model, a deeper review path for ownership and source questions, and a case file that explains the decision, not just the checks.

How AI changes the Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD) workflow

AI does not change the core rule behind CDD and EDD. The risk level still determines the depth of review. What AI changes is the operating model around that decision: how quickly a team collects evidence, how consistently escalation triggers are applied, and how much analyst time is spent on repetitive research and documentation. FATF has been explicit that new technologies, including AI and machine learning, can improve ongoing due diligence, customer risk assessment, and monitoring when used inside a proper control framework.

1. AI makes escalation from Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD) faster

In a manual workflow, the team often loses time before EDD even starts. Analysts have to gather registry data, review ownership records, check sanctions and PEP results, search for adverse media, and compare the findings against the declared customer profile. AI can compress that front-end work by surfacing inconsistencies earlier and making escalation triggers easier to spot. In practice, that means the team reaches the real question faster: is this still a standard CDD case, or does it need enhanced review? A more detailed look at that model is covered in Scoreplex’s article on an enhanced due diligence AI agent.

2. AI makes Enhanced Due Diligence (EDD) more consistent

One of the biggest weaknesses in manual compliance work is inconsistency. Two analysts can look at similar facts and escalate them differently. AI helps by standardizing the collection and presentation of evidence across cases. It does not eliminate judgment, but it reduces random variation in how obvious risk signals are surfaced, grouped, and documented. The FCA’s current AI position is supportive of adoption, but explicitly framed around safe and responsible use. That is the right lens here: AI is valuable when it improves discipline, not when it becomes an uncontrolled decision-maker.

3. AI is especially useful in research-heavy KYB and Enhanced Due Diligence (EDD) work

The value of AI gets clearer as the case becomes more complex. In business onboarding, EDD often means deeper ownership mapping, related-party review, screening interpretation, and broader open-source research. That is exactly where manual workflows become slow and fragmented. AI is useful here because it can structure large volumes of evidence faster than a human can, especially when the data is spread across registries, documents, websites, media sources, and public records. This is also why the operational impact of AI in enhanced due diligence is best understood through real workflow bottlenecks, which Scoreplex explores in this article.

4. AI should support judgment, not replace it

This is the line that matters most. AI can accelerate evidence collection, summarization, and case preparation. It can help analysts move from raw inputs to a structured review faster. But it should not be treated as the final owner of the risk decision. In regulated workflows, the defensible model is still human-led judgment supported by stronger tooling. That is fully aligned with the FCA’s emphasis on responsible adoption and with FATF’s broader framing of technology as a way to strengthen risk-based controls, not bypass them.

What changes in practice

AI helps most in four places: earlier escalation, faster evidence gathering, more consistent case handling, and stronger documentation. It does not remove the need for CDD. It does not make EDD optional. It makes the transition between them less manual, less fragmented, and easier to defend.

Conclusion: Customer Due Diligence (CDD) is the baseline, Enhanced Due Diligence (EDD) is the escalation layer

CDD and EDD should not be treated as interchangeable labels. CDD is the baseline review used to identify the customer, verify core facts, and support standard-risk onboarding. EDD begins when that baseline no longer gives enough confidence. That usually happens when ownership is harder to understand, the jurisdiction is more sensitive, the business model raises questions, or the surrounding risk signals do not line up cleanly.

The practical difference is straightforward. CDD is designed to establish a credible starting point. EDD is designed to resolve uncertainty in higher-risk cases. That is why the shift from CDD to EDD is not just a matter of doing more checks. It changes the depth of investigation, the level of evidence required, the quality of documentation expected, and the intensity of ongoing monitoring.

For compliance teams, the real challenge is not defining CDD and EDD in theory. It is building a workflow that can distinguish them consistently in practice. That means clear escalation rules, deeper ownership and source analysis where needed, and case files that explain the decision, not just the checks.

About Scoreplex

Scoreplex is an AI Enhanced Due Diligence (EDD) platform that automates customer due diligence, minimizes false positives, streamlines document verification, and generates comprehensive narrative reports.

How it works: From a single company input, it produces a complete business risk profile, including::

Official registry checks with UBO identification and full ownership chains
Global sanctions and PEP screening
Real-time adverse media monitoring with structured events and source attribution
Automated document verification (incorporation records, address validation)
Website analysis and cross-checks of company details, products, contacts, and locations
Product and customer review analysis (Trustpilot, G2, Google Reviews)
Social media analysis of corporate accounts and profiles of founders and directors
High-risk country exposure assessment based on aggregated signals
A structured risk summary highlighting red flags, rationale, and direct source links

Built for Faster, Smarter Decisions:

10× faster reviews through end-to-end automation
Up to 10× lower costs compared to traditional service providers
Significantly fewer false positives driven by registry-first matching and transparent risk signals

BOOK A DEMO

Frequently asked questions about Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

Is Enhanced Due Diligence (EDD) required for every customer?

No. EDD is not required for every customer. Under a risk-based approach, the level and type of due diligence should be proportionate to the risk presented by the customer relationship. Standard-risk cases can usually be handled through CDD. EDD is used when the customer, structure, geography, activity, or relationship creates higher risk or greater uncertainty.

What usually triggers enhanced due diligence?

Typical EDD triggers include PEP exposure, high-risk jurisdictions, complex or opaque ownership structures, source-of-funds or source-of-wealth questions, significant adverse media, sanctions ambiguity, and business activity that does not fit the declared customer profile. The core idea is simple: if baseline checks identify the customer but do not resolve the risk, the case usually needs EDD.

Is Enhanced Due Diligence (EDD) part of Customer Due Diligence (CDD) or separate from it?

EDD is best understood as an enhanced layer within the broader due diligence framework, not as a completely separate universe. CDD establishes the baseline customer profile and risk understanding. EDD applies additional measures when that baseline is not enough. In practice, EDD builds on CDD and deepens it.

What is the difference between Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) in KYB?

In KYB, the difference usually shows up in ownership depth, control analysis, related-party review, and the amount of evidence needed to understand whether the company presents acceptable risk. CDD may confirm that the legal entity exists and that basic ownership information is available. EDD goes further when the structure is layered, cross-border, opaque, or difficult to reconcile.

Can a customer move from Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD) later?

Yes. A customer does not have to start as an EDD case to become one later. Ongoing due diligence is supposed to be commensurate with the customer’s risk profile, which means new information, unusual activity, ownership changes, sanctions developments, or adverse media can justify escalation after onboarding.

Does Enhanced Due Diligence (EDD) always require source of funds or source of wealth checks?

Not in every case, but source of funds and source of wealth are classic EDD measures in higher-risk relationships, especially where PEP exposure or other elevated-risk factors are involved. FATF’s PEP guidance is very clear that enhanced measures can include reasonable steps to establish both.

Is Enhanced Due Diligence (EDD) only relevant for banks?

No. The logic of enhanced due diligence is broader than banks alone. It is relevant anywhere a business has to assess higher-risk customers, counterparties, merchants, legal entities, or business relationships under a risk-based compliance model. Banks are the most documented example, but the operating logic applies much more widely across regulated and risk-sensitive onboarding environments.

One-line takeaway

CDD is the baseline. EDD is the escalation layer used when baseline checks do not produce enough confidence to justify the relationship on a standard-risk basis.