    Enhanced Due Diligence (EDD) regulatory requirements: EU AMLD6, UK MLRs, and US BSA — comparison by jurisdiction

    Scoreplex

    April 30, 2026 · 16 min read

    Disclaimer

    This information is for general purposes only and does not constitute legal or compliance advice. Consult a qualified professional for specific guidance.

    Enhanced due diligence requirements differ significantly across the EU, UK, and US — even though all three regimes build on the same FATF Recommendation 10 baseline. Under EU AMLD6, EDD is a rule-based obligation triggered by defined high-risk categories; UK MLRs apply a similar structure but diverge on PEP scope and supervisory architecture post-Brexit; the US BSA relies on a risk-based approach under the FinCEN CDD Final Rule, with no prescriptive trigger list. For compliance teams operating across jurisdictions, these differences directly affect documentation standards, customer risk thresholds, and regulatory exposure.

    Why jurisdiction matters for Enhanced Due Diligence (EDD) — and what compliance teams get wrong

    Most compliance frameworks treat EDD as a universal concept: identify high-risk customers, apply enhanced measures, document the outcome. In practice, what "enhanced" means — and what regulators will accept as evidence — varies substantially depending on where an institution is licensed and where its customers operate.

    The EU, UK, and US all derive their EDD frameworks from FATF Recommendation 10, but each has translated that baseline into distinct legal obligations. The differences are not cosmetic. They affect which entities are in scope, which customer categories trigger EDD, what documentation satisfies the standard, and what penalties apply when it falls short. A process that meets FCA expectations may leave gaps under FinCEN's CDD Final Rule, and vice versa.

    The cost of getting this wrong is measurable. Global AML and KYC fines totalled $6.6 billion in 2023. Enforcement actions consistently cite failures in EDD specifically — inadequate source of funds verification, missing beneficial ownership documentation, and insufficient ongoing monitoring. For institutions with cross-border customer books, the risk is multiplied: regulators in each jurisdiction assess compliance against their own standard, not a consolidated one.

    This article maps EDD requirements across all three regimes side by side — what each requires, where they diverge, and what that means for teams managing compliance across more than one jurisdiction.

    The FATF baseline: what Recommendation 10 requires from all three

    Before mapping the differences, it helps to establish what EU, UK, and US frameworks share. All three are built on FATF Recommendation 10, which sets the international standard for customer due diligence and defines when enhanced measures are required.

    Under Recommendation 10, EDD applies when a business relationship or transaction presents a higher risk of money laundering or terrorist financing. The measures FATF prescribes go beyond standard CDD in three specific ways: obtaining additional information on the customer and beneficial owner, applying enhanced scrutiny to the source of funds and source of wealth, and increasing the frequency and depth of ongoing monitoring.

    Recommendation 12 adds a parallel obligation for politically exposed persons (PEPs): senior management approval before establishing the relationship, verification of source of wealth and funds, and enhanced ongoing monitoring for the duration of the relationship.

    These two recommendations form the floor. What the EU, UK, and US have built above that floor — in terms of trigger lists, documentation standards, supervisory architecture, and penalties — is where material differences emerge. The sections below cover each regime in turn.

    EU: Enhanced Due Diligence (EDD) requirements under AMLD and what changes with AMLD6

    The EU AML framework has gone through five iterations since 1991. The current operative regime combines AMLD4 (2015) and AMLD5 (2018). AMLD6 (Directive (EU) 2024/1640) was adopted in May 2024. Member states must transpose the main provisions by 10 July 2027, at which point AMLD4 and AMLD5 will be repealed. A companion regulation, the AML Regulation (AMLR, Regulation (EU) 2024/1624), will apply directly in all member states from the same date without requiring national transposition. A parallel regulation establishing the EU Anti-Money Laundering Authority (AMLA) makes that body operational from 2026, with direct supervisory powers over the highest-risk obliged entities from 2027–2028.

    Which entities must apply Enhanced Due Diligence (EDD)

    Under EU law, EDD obligations apply to a defined list of obliged entities: credit institutions, payment institutions, e-money institutions, investment firms, insurance companies, crypto-asset service providers (added under AMLD5), real estate agents, lawyers, accountants, notaries, and trust and company service providers. AMLD6 and the AMLR extend this list further, adding crowdfunding platforms and — for transactions above defined thresholds — football clubs and agents.

    When Enhanced Due Diligence (EDD) is mandatory under EU law

    EU law specifies categories where EDD is automatically required, rather than leaving the trigger entirely to institutional risk assessment. Mandatory EDD situations under AMLD4/5 and AMLD6 include:

    • Business relationships or transactions involving customers or counterparties established in high-risk third countries as designated by the European Commission
    • Correspondent banking relationships with institutions outside the EU
    • Transactions or relationships involving politically exposed persons (PEPs)
    • Any situation where the institution identifies a higher risk through its own risk assessment

    The EBA Guidelines on ML/TF Risk Factors (2021) provide detailed sector-specific guidance on what risk factors should escalate a relationship to EDD. These are applied as the practical standard during supervisory inspections across member states.

    What EU Enhanced Due Diligence (EDD) must include

    The EU framework prescribes specific measures that must be applied once EDD is triggered:

    • Gathering additional information on the customer, the beneficial owner, and the intended nature of the business relationship
    • Verifying source of funds and source of wealth — both are required, not one or the other
    • Obtaining senior management approval before establishing or continuing the relationship in PEP cases
    • Conducting enhanced ongoing monitoring, with increased frequency and scrutiny of transactions
    • For high-risk third country relationships: applying at least one additional measure from a prescribed list, which includes enhanced document verification, requiring the first payment through an account in the customer's name, and obtaining additional third-party confirmation

    The UBO identification threshold under EU law is 25% of shares or voting rights. Where a corporate structure obscures the beneficial owner, the senior managing official must be recorded as a fallback.

    Enforcement and penalties

    Administrative sanctions under EU law must include at minimum: public statements identifying the responsible entity and breach, orders to cease conduct, temporary prohibition of management from exercising functions, and financial penalties of at least €5 million or 10% of total annual turnover for legal persons — whichever is higher. AMLD6 harmonises minimum criminal penalties across the EU for the first time, including custodial sentences for serious AML offences. From 2027–2028, AMLA will have direct supervisory and investigative powers over selected obliged entities, replacing the current patchwork of national supervisory approaches.

    UK: Enhanced Due Diligence (EDD) under the Money Laundering Regulations 2017 (as amended)

    The UK's primary AML framework is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), amended in 2019 and 2022. Since Brexit, the UK no longer automatically adopts EU AML directives. AMLD6 will not apply in the UK. The FCA, HMRC, and the Solicitors Regulation Authority (SRA) are the primary supervisors depending on sector.

    This divergence matters in practice. The UK has developed its own high-risk country list, its own PEP guidance, and its own supervisory expectations — which increasingly differ from the EU baseline in ways that catch cross-border compliance teams off guard.

    When Enhanced Due Diligence (EDD) is mandatory under UK law

    The MLRs 2017 specify four categories where EDD is automatically required:

    • Business relationships or transactions involving customers established or residing in high-risk third countries as designated by HM Treasury — the UK maintains its own list, updated independently of the EU's
    • Correspondent banking relationships with credit or financial institutions from outside the European Economic Area
    • Any transaction or business relationship involving a PEP, their family members, or known close associates
    • Any other situation where the firm's risk assessment identifies a higher risk of money laundering or terrorist financing

    The domestic PEP question: a UK-specific obligation

    One of the most operationally significant differences between the UK and EU regimes is the treatment of domestic PEPs. The UK definition of a PEP includes individuals who hold or have held prominent public functions in the UK itself — members of parliament, senior civil servants, senior judiciary, and military officers — not just foreign officials.

    In 2023, the FCA published specific guidance clarifying that domestic PEPs should generally be treated as lower risk than foreign PEPs, but EDD obligations still apply. Firms must assess domestic PEPs individually rather than applying blanket enhanced measures — or blanket exemptions. The practical implication is that UK firms onboarding domestic public figures need documented risk assessments for each case, not a default policy in either direction.

    What UK Enhanced Due Diligence (EDD) documentation must include

    The MLRs 2017 require firms to obtain, as a minimum:

    • Additional information on the customer and beneficial owner, beyond standard CDD
    • Source of funds — the origin of the money used in the specific transaction or relationship
    • Source of wealth — the origin of the customer's total wealth, not just the funds in use
    • Senior management approval before establishing or continuing a high-risk relationship; MLRO sign-off for elevated cases
    • Enhanced ongoing monitoring, with increased frequency relative to the customer's risk profile

    Both source of funds and source of wealth are required under UK law — the same dual requirement as the EU. The UBO identification threshold is 25%, consistent with the EU standard.

    Enforcement

    The FCA has civil penalty powers with no statutory upper limit — penalties are calculated proportionate to the benefit gained or harm caused by the breach. The Office of Financial Sanctions Implementation (OFSI) handles sanctions-specific enforcement separately. Criminal prosecution under the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 remains available for serious failures. Recent FCA enforcement has focused specifically on EDD gaps: inadequate PEP procedures, missing source of wealth documentation, and ongoing monitoring that existed on paper but was not applied in practice.

    US: Enhanced Due Diligence (EDD) under the Bank Secrecy Act and the FinCEN CDD Final Rule

    The US AML framework operates differently from the EU and UK in one fundamental respect: there is no prescriptive list of situations that automatically trigger EDD. Instead, the Bank Secrecy Act (BSA) and the FinCEN Customer Due Diligence Final Rule (31 CFR Part 1010, effective May 2018) establish a risk-based obligation — institutions must apply enhanced measures proportionate to the risk a customer presents, but the threshold for what constitutes "high risk" is determined by the institution's own risk assessment, not by a regulatory trigger list.

    This structural difference has significant operational implications. US compliance teams have more flexibility in defining their EDD criteria, but they also carry greater responsibility for demonstrating that their risk assessment methodology is sound and consistently applied.

    The regulatory framework: BSA, CDD Final Rule, and AMLA 2020

    The CDD Final Rule established the "fifth pillar" of AML compliance, adding beneficial ownership identification to the existing four pillars of customer identification, customer due diligence, ongoing monitoring, and suspicious activity reporting. The rule applies to banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities.

    The Anti-Money Laundering Act of 2020 (AMLA 2020) introduced risk-based priorities for AML programmes and directed FinCEN to publish national AML/CFT priorities — which it did in June 2021, identifying corruption, cybercrime, domestic and foreign terrorist financing, fraud, human trafficking, drug trafficking, and proliferation financing as the areas of highest concern.

    Enhanced Due Diligence (EDD) triggers under US law

    While there is no mandatory trigger list equivalent to the EU's, FinCEN guidance and examination procedures consistently identify categories requiring enhanced scrutiny:

    • Foreign financial institutions and correspondent banking relationships
    • Customers from jurisdictions identified as high risk by FATF, the State Department, or FinCEN
    • Shell companies, complex ownership structures, and entities with nominee arrangements
    • Cash-intensive businesses, money services businesses (MSBs), and virtual asset service providers (VASPs)
    • Non-governmental organisations operating in high-risk jurisdictions
    • Customers whose transaction activity is inconsistent with their stated business profile

    PEPs represent a notable gap in US mandatory requirements. Unlike the EU and UK, the US has no statutory obligation to apply EDD specifically to domestic PEPs. Foreign senior political figures attract enhanced scrutiny under FinCEN guidance, but the obligation is less prescriptive than in either EU or UK law.

    Beneficial ownership: the Corporate Transparency Act

    The most significant recent development in US EDD is the Corporate Transparency Act (CTA), enacted as part of AMLA 2020. FinCEN's Beneficial Ownership Information (BOI) Final Rule took effect January 2024, requiring most US legal entities to report their beneficial owners — defined using the same 25% ownership threshold as EU and UK standards — directly to FinCEN. Institutions can now cross-reference customer-provided ownership information against FinCEN's BOI database, strengthening the evidentiary basis for beneficial ownership verification. CTA enforcement has faced legal challenges in 2024–2025, but the underlying framework remains in place.

    What US Enhanced Due Diligence (EDD) documentation must include

    Under the CDD Final Rule and BSA examination procedures, EDD documentation for high-risk customers must address:

    • The nature and purpose of the customer relationship, with sufficient specificity to detect anomalies
    • Source of funds for the transactions or relationship in scope
    • Beneficial ownership — identity and verification of natural persons owning 25% or more, plus one controlling person
    • An updated customer risk profile reflecting any material changes in the relationship
    • A record of the enhanced monitoring applied and any decisions made as a result

    Suspicious Activity Reports (SARs) function as the primary regulatory output of EDD in the US system. The quality of EDD documentation directly determines whether a SAR filing is defensible under examination.

    Enforcement

    FinCEN civil money penalties for BSA violations are assessed per violation per day, with no statutory cap. The Department of Justice pursues criminal prosecution for wilful violations. Federal banking regulators — OCC, Federal Reserve, FDIC — issue consent orders and cease-and-desist orders for systemic AML programme failures. Recent enforcement actions have consistently identified the same failure pattern: EDD policies that existed in writing but were not applied consistently to the customers who triggered them.

    Enhanced Due Diligence (EDD) requirements by jurisdiction: EU, UK, and US compared

    The table below maps the key parameters of each regime side by side. Where requirements appear similar on the surface — the 25% UBO threshold, for example — the underlying documentation standards and supervisory expectations still differ. Use this as a reference point, not a compliance checklist: each cell reflects the general standard; sector-specific rules and national transpositions introduce additional variation.

    | Parameter | EU (AMLD4/5 + AMLD6/AMLR from July 2027) | UK (MLRs 2017, amended 2019 & 2022) | US (BSA / FinCEN CDD Final Rule / AMLA 2020) |
    | --- | --- | --- | --- |
    | Legal basis | AMLD4 (2015), AMLD5 (2018), AMLD6 & AMLR (2024, full application July 2027) | Money Laundering Regulations 2017 (SI 2017/692), amended 2019 & 2022 | Bank Secrecy Act; FinCEN CDD Final Rule (31 CFR Part 1010, 2018); AMLA 2020 |
    | Primary regulator | National competent authorities; AMLA (operational from 2026, direct supervision from 2027–2028) | FCA (financial sector); HMRC (other sectors); SRA (legal sector) | FinCEN; OCC; Federal Reserve; FDIC; SEC (sector-dependent) |
    | Obliged entities scope | Credit institutions, payment institutions, VASPs, real estate agents, lawyers, accountants, notaries, TCSPs; expanded under AMLD6/AMLR (crowdfunding platforms, football clubs) | Banks, payment institutions, e-money firms, credit firms, estate agents, accountants, legal professionals, TCSPs, and others | Banks, broker-dealers, mutual funds, futures commission merchants, introducing brokers; MSBs |
    | EDD trigger approach | Prescriptive list + risk-based supplement | Prescriptive list + risk-based supplement | Risk-based only — no mandatory trigger list |
    | Mandatory EDD triggers | High-risk third countries (EC list); correspondent banking; PEPs; institution-identified high risk | High-risk third countries (HM Treasury list); correspondent banking outside EEA; PEPs and associates; institution-identified high risk | No statutory list; FinCEN guidance identifies foreign correspondent banking, shell companies, cash-intensive businesses, MSBs, VASPs, and high-risk jurisdictions |
    | PEP definition | Foreign + domestic PEPs; family members and known close associates; 12-month cooling-off after leaving office | Foreign + domestic PEPs (UK-specific); family members and close associates; FCA 2023 guidance requires individual risk assessment for domestic PEPs | Foreign senior political figures; no statutory domestic PEP obligation; foreign PEPs addressed through FinCEN guidance |
    | UBO / beneficial ownership threshold | 25% ownership or voting rights; senior managing official as fallback | 25% ownership or voting rights; senior managing official as fallback | 25% ownership (CDD Final Rule); one controlling person regardless of ownership %; BOI reporting to FinCEN under CTA 2024 |
    | Source of funds / wealth | Both source of funds AND source of wealth required | Both source of funds AND source of wealth required | Source of funds required; source of wealth not explicitly mandated but expected in high-risk cases under examination |
    | Senior management approval | Required before establishing or continuing PEP relationships | Required before establishing or continuing high-risk relationships; MLRO sign-off for elevated cases | Not explicitly mandated; expected as part of sound EDD governance under examination procedures |
    | Ongoing monitoring | Enhanced frequency and scrutiny; specific to relationship risk level | Enhanced frequency relative to customer risk profile; documented review schedule | Enhanced monitoring required for high-risk customers; frequency and depth determined by institution's risk assessment |
    | Maximum administrative penalty | €5M or 10% of annual turnover (whichever is higher) for legal persons; criminal penalties harmonised under AMLD6 | No statutory cap; proportionate to benefit gained or harm caused (FCA); criminal prosecution under POCA 2002 | No statutory cap; per-violation-per-day civil penalties (FinCEN); criminal prosecution for wilful violations (DOJ) |
    | Primary reporting output | Suspicious Transaction Reports (STRs) to national FIUs | Suspicious Activity Reports (SARs) to the National Crime Agency (NCA) | Suspicious Activity Reports (SARs) to FinCEN |

    What cross-border operations must navigate: overlapping obligations

    For compliance teams operating across EU, UK, and US simultaneously, the practical question is not which regime applies — it is how to build a single EDD process that satisfies all three without tripling the workload.

    The default principle is straightforward: apply the strictest standard that applies to the relationship in question. In practice, this means the EU and UK dual requirement for both source of funds and source of wealth sets the documentation floor for any customer that touches either jurisdiction — even if US rules would formally accept source of funds alone. Similarly, the EU and UK obligation to apply EDD to domestic PEPs means that institutions licensed in those jurisdictions cannot rely on the narrower US approach for their entire customer book.

    Three specific points of divergence create the most operational friction:

    PEP scope. The EU and UK both require EDD for domestic PEPs. The US does not impose an equivalent statutory obligation. A UK-licensed institution onboarding a US senator as a business customer must apply EDD under MLRs 2017; a US-only institution onboarding the same customer faces no equivalent mandatory trigger — though sound risk management would likely produce the same outcome.

    BOI documentation. All three jurisdictions use a 25% ownership threshold for beneficial ownership identification. But the evidentiary requirements differ: the EU requires cross-referencing against national UBO registers; the UK requires verification against Companies House and equivalent sources; the US CDD Final Rule requires customer-provided certification, with the FinCEN BOI database available as a supplementary check since 2024. A single ownership verification process needs to satisfy all three standards simultaneously for cross-border customers.

    Trigger logic. EU and UK frameworks give compliance teams a defined list of mandatory EDD situations, which simplifies policy design. The US risk-based approach requires institutions to document their own rationale for when EDD applies — which means cross-border institutions cannot simply export their EU or UK trigger list to their US operations. The US programme needs its own risk assessment methodology, documented separately.

    How AI-assisted Enhanced Due Diligence (EDD) handles multi-jurisdiction requirements

    Managing EDD across EU, UK, and US manually means maintaining parallel workflows, separate documentation standards, and different escalation paths for what is often the same underlying customer. The consolidation problem — assembling a single, audit-ready case file that satisfies three regulatory frameworks — is where manual processes break down fastest.

    Scoreplex addresses this structurally. Coverage across 140+ business jurisdictions and screening against 325+ global watchlists — including OFAC, UN, EU, and HM Treasury sanctions lists simultaneously — means a single workflow captures the data required under all three regimes. The standardised case file includes source of funds and source of wealth documentation, UBO mapping with cross-jurisdictional registry verification, and an evidence-linked audit trail that meets the documentation standard of the strictest applicable regime by default. False positive rates in sanctions and PEP screening are reduced by up to 85%, which matters most in cross-border cases where name-matching noise across transliterated names and multi-language registries is highest.

    For teams currently running separate EDD processes for EU, UK, and US customers, the consolidation alone — from 30–240 minutes per case manually to 5–30 minutes with AI assistance — represents a structural change in what the compliance function can handle at volume. See how this compares in our guide to EDD AI agents.

    Conclusion

    EU AMLD6, UK MLRs, and the US BSA converge on the same FATF baseline but diverge in ways that matter operationally: trigger logic, PEP scope, documentation standards, and supervisory architecture each follow different rules in each jurisdiction. For compliance teams managing cross-border customer books, the practical standard is the strictest applicable requirement across all active jurisdictions — which in most cases means EU and UK documentation depth applied consistently, with a separately documented risk-based rationale for US operations. Getting the comparison right before an inspection is considerably less costly than explaining the gap during one.


    Frequently asked questions

    What is the main difference between Enhanced Due Diligence (EDD) under EU AMLD6 and the US BSA?

    The primary structural difference is in how EDD is triggered. EU AMLD6 uses a prescriptive list of mandatory EDD situations — high-risk third countries, PEPs, correspondent banking — supplemented by a risk-based approach. The US BSA and FinCEN CDD Final Rule rely entirely on a risk-based approach, with no equivalent mandatory trigger list. This means EU institutions have less discretion over when EDD applies, while US institutions carry greater responsibility for documenting and defending their own risk threshold decisions.

    Does the UK still follow EU AML directives after Brexit?

    No. Since Brexit, the UK no longer automatically transposes EU AML directives. AMLD6, adopted by the EU in May 2024, will not apply in the UK. The UK operates under the Money Laundering Regulations 2017 (as amended in 2019 and 2022), which the government updates independently. In practice, the UK and EU frameworks remain broadly aligned on core requirements — UBO thresholds, source of funds and source of wealth documentation, PEP obligations — but diverge on supervisory architecture, high-risk country lists, and the treatment of domestic PEPs.

    When is Enhanced Due Diligence (EDD) mandatory under the FinCEN CDD Final Rule?

    The FinCEN CDD Final Rule does not specify mandatory EDD triggers by category. Instead, it requires financial institutions to apply enhanced scrutiny proportionate to the risk a customer presents, as determined by the institution's own risk assessment. In practice, FinCEN examination procedures consistently identify foreign correspondent banking relationships, shell companies, cash-intensive businesses, money services businesses, virtual asset service providers, and customers from high-risk jurisdictions as categories that warrant enhanced measures. The institution must document its rationale for the level of due diligence applied in each case.

    What is the UBO threshold for Enhanced Due Diligence (EDD) in the EU, UK, and US?

    All three jurisdictions use a 25% ownership or voting rights threshold for beneficial ownership identification. Where no individual meets that threshold, the EU and UK require recording the senior managing official as the beneficial owner of last resort. The US CDD Final Rule adds a separate requirement to identify one controlling person regardless of ownership percentage. Under the US Corporate Transparency Act (2024), most legal entities must also report their beneficial owners directly to FinCEN's BOI database — a reporting obligation separate from, but complementary to, financial institution CDD requirements.

    What documents are required for Enhanced Due Diligence (EDD) in all three jurisdictions?

    Across EU, UK, and US frameworks, EDD documentation must include: verification of the customer's identity and beneficial ownership structure, evidence of source of funds (the origin of money used in the specific transaction or relationship), an assessment of the nature and purpose of the business relationship, and records of enhanced ongoing monitoring. The EU and UK additionally require source of wealth documentation — the origin of the customer's total assets — as an explicit obligation. In the US, source of wealth is not formally mandated but is expected by examiners in high-risk cases. All three regimes require the documentation to be sufficient to reconstruct the compliance decision during a regulatory inspection.

    How does AMLD6 change Enhanced Due Diligence (EDD) requirements compared to AMLD5?

    AMLD6 introduces several changes relevant to EDD. It expands the list of obliged entities — bringing in additional categories including certain sports organisations and crowdfunding platforms above defined thresholds. It harmonises criminal penalties across EU member states for the first time, establishing minimum custodial sentences for serious AML offences. Most significantly, it establishes the EU Anti-Money Laundering Authority (AMLA), which will have direct supervisory powers over the highest-risk obliged entities from 2026–2027, replacing the current model where national supervisors apply EU rules with varying consistency. Member states must transpose AMLD6 by 10 July 2027.