    When Is Enhanced Due Diligence (EDD) Required? 8 EDD Triggers

    Scoreplex

    April 17, 2026 · 34 min read

    Disclaimer

    This information is for general purposes only and does not constitute legal or compliance advice. Consult a qualified professional for specific guidance.

    Last updated: April 2026

    Enhanced Due Diligence (EDD) is required when a customer, relationship, or transaction presents elevated AML/CFT risk that standard CDD cannot mitigate. The eight mandatory triggers are: PEPs and their associates, high-risk jurisdictions, complex ownership structures, correspondent banking, high-risk industries (crypto, gambling, real estate), unusual transaction patterns, operational exposure to high-risk geographies, and adverse media signals. Each trigger is grounded in FATF Recommendations and codified in EU AML Directives, FinCEN rules, and national frameworks.


    Enhanced Due Diligence (EDD) is required whenever a customer, business relationship, or transaction presents a level of money laundering, terrorist financing, or financial crime risk that standard Customer Due Diligence cannot adequately address. It is not a discretionary upgrade — it is a regulatory obligation triggered by specific risk factors defined in global AML frameworks.

    In practice, EDD means collecting more information, verifying it through additional sources, and maintaining stronger ongoing monitoring than Customer Due Diligence (CDD) requires. The decision to apply EDD must be documented and defensible: regulators expect institutions to show not just that they conducted EDD, but why it was warranted and what it found.

    For corporate clients, the stakes are higher than for individuals. A business entity adds layers of complexity — ownership structures, multiple jurisdictions, beneficial owners who may themselves be PEPs or sanctions targets. This is why KYB onboarding, where EDD is most commonly triggered, still takes weeks or months at most institutions: the evidence has to cover the company and the people behind it, across every relevant level of the corporate hierarchy.

    This article maps the specific conditions that require EDD, the regulatory frameworks that mandate it, and what compliance teams need to apply it consistently.

    The Regulatory Basis for Enhanced Due Diligence (EDD)

    EDD is not a best practice or internal policy choice. It is a legal requirement codified in the major AML frameworks that govern financial institutions globally. The triggering conditions are broadly consistent across jurisdictions, though specific language and thresholds vary.

    | Framework | Key provision | When EDD applies |
    |---|---|---|
    | FATF Recommendations | Rec. 10, 12, 19 | PEPs, correspondent banking, high-risk third countries |
    | EU 4AMLD / 5AMLD | Articles 18–20 | High-risk third countries (Art. 18), PEPs (Art. 20), correspondent relationships |
    | EU 6AMLD / AMLA | Strengthened Art. 18 obligations | Expanded high-risk country list, stricter UBO verification |
    | FinCEN / BSA (US) | 31 CFR Part 1010, CDD Rule | High-risk customers, beneficial ownership, unusual transaction patterns |
    | FCA / MLR 2017 (UK) | Regulation 33–35 | PEPs, high-risk third countries, correspondent banking, specific customer and product risk factors |
    | MAS (Singapore) | MAS Notice 626 | High-risk customers and jurisdictions, PEPs, complex ownership structures |

    The underlying logic is the same across all of these: EDD is required when a risk-based assessment identifies factors that standard verification cannot adequately mitigate. Institutions must be able to demonstrate that the decision — whether to apply EDD or not — was deliberate, proportionate, and documented.

    Two regulatory principles recur across frameworks and are worth stating explicitly.

    Risk-based approach. EDD is proportionate, not binary. FATF explicitly endorses a risk-based approach (RBA): institutions allocate more scrutiny where risk is higher, and less where it is lower. Applying the same level of due diligence to every customer regardless of risk profile is neither required nor efficient.

    Explainability requirement. Regulators increasingly expect audit-ready evidence behind EDD decisions. It is not sufficient to run a check — institutions must be able to show which risk factors triggered EDD, what was found, and what conclusion was reached. This is particularly relevant in KYB contexts, where the evidence trail spans company registries, UBO documentation, adverse media, and digital footprint across multiple jurisdictions.

    When Is Enhanced Due Diligence (EDD) Required: The Core Triggers

    The triggers below are drawn from FATF guidance, EU AML Directives, and national regulatory frameworks. They represent the baseline that every regulated institution must cover — institutions may define additional triggers based on their own risk appetite, but they cannot apply fewer.

    1. Politically Exposed Persons (PEPs) and their associates

    Regulatory basis: FATF Recommendation 12; EU 4AMLD Article 20; FCA MLR 2017 Regulation 35

    EDD is mandatory whenever a customer is identified as a PEP — an individual who holds or has held a prominent public function — or is a close family member or known associate of a PEP (Relatives and Close Associates, RCAs). FATF Recommendation 12 makes no distinction between domestic and foreign PEPs for risk assessment purposes, though many jurisdictions historically applied lighter scrutiny to domestic PEPs. The EU 5AMLD, effective since January 2020, closed this gap by requiring equivalent EDD treatment for both.

    The risk logic is well-established: prominent public positions create structural opportunities for corruption, bribery, and the diversion of public funds into the financial system. The FATF Guidance on PEPs notes that the risk does not disappear when an individual leaves office — a reasonable EDD period must continue after the end of the public role, with many institutions applying a 12–18 month minimum and others maintaining enhanced monitoring indefinitely for high-profile cases.

    In a KYB context: The PEP trigger frequently surfaces not at the company level but at the UBO or director level — and this is where many compliance teams are caught out. A manufacturing company registered in Germany may clear all standard registry checks cleanly: active status, no adverse filings, clean incorporation documents. But one of its 30% beneficial owners may be a former minister of a Central Asian government who left office 18 months ago. Under FATF guidance, that individual still qualifies as a PEP. The EDD obligation attaches to the entire business relationship, not just to the individual personally.

    The complexity increases with multi-layered ownership. If the same former minister holds his stake through a holding company registered in a different jurisdiction, identifying the PEP connection requires tracing the ownership chain — not just checking the direct shareholders listed in the registry. This is precisely why KYB EDD cannot stop at the first layer of corporate ownership.

    What EDD adds: Source of wealth verification, deeper adverse media review specifically covering the PEP's period in office and post-office activity, independent verification of the stated business purpose of the relationship, enhanced ongoing transaction monitoring, and — under most national frameworks — written approval from senior management before the relationship is established or continued.

    2. High-risk jurisdictions

    Regulatory basis: FATF Recommendation 19; EU 4AMLD Article 18; FinCEN Geographic Targeting Orders

    EDD is required when a customer, beneficial owner, or transaction has a material connection to a jurisdiction identified as high-risk for money laundering or terrorist financing. The primary reference lists used by compliance teams are:

    • FATF grey and black lists — the grey list identifies jurisdictions under increased monitoring due to strategic AML/CFT deficiencies; the black list (Jurisdictions Subject to a Call for Action) identifies those requiring countermeasures
    • EU high-risk third countries — published by the European Commission; institutions subject to EU AML Directives must automatically apply EDD to customers and transactions connected to listed countries
    • Basel AML Index — an independent composite risk score published annually by the Basel Institute on Governance, aggregating 17 indicators across five domains including rule of law, corruption, financial transparency, and AML framework effectiveness; widely used for internal risk tiering beyond the mandatory lists

    The jurisdictional connection triggering EDD does not need to be the company's country of incorporation. Any of the following can independently trigger the requirement: a UBO who is a national or resident of a grey-listed jurisdiction; payment flows routed through a high-risk country; a registered address or branch in a listed territory; or declared customers and suppliers concentrated in high-risk markets.

    In a KYB context: Cross-border onboarding is where jurisdictional risk triggers EDD most frequently, and where it is most often missed. Consider a payments platform incorporated in the Netherlands — a low-risk jurisdiction — applying to open a business account with a bank. The Dutch incorporation clears standard registry checks. But on closer review, 60% of the platform's declared customer base is in a country currently on the FATF grey list, and two of its three UBOs hold passports from a high-risk third country listed by the EU Commission.

    Neither of these facts would surface in a standard CDD registry check. They require active investigation of the business's operational footprint — something standard CDD processes often do not include. Under EU AML rules, both connections independently require EDD. The bank cannot rely on the Dutch incorporation as a proxy for low risk when the operational reality points elsewhere.

    A further complication: the FATF grey list is updated three times per year. A jurisdiction that was clean at onboarding may be added to the list later. This is one of the primary reasons why ongoing monitoring — not just onboarding-stage EDD — is a regulatory requirement.

    What EDD adds: Verification of the specific nature and business rationale for the jurisdictional connection; corroboration of declared customer and supplier geography against observable digital footprint and transaction patterns; calibration of ongoing transaction monitoring to the specific jurisdiction risk profile.

    3. Complex or opaque ownership structures

    Regulatory basis: FATF Recommendation 24 (transparency of legal persons); EU 5AMLD Articles 30–31; FinCEN Beneficial Ownership Rule, 31 CFR Part 1010.230

    EDD is required when the beneficial ownership structure of a legal entity is unusually complex, difficult to verify, or structured in a way that materially obscures who ultimately owns or controls the business.

    FATF Guidance on Transparency and Beneficial Ownership identifies specific structural indicators that elevate risk: companies that issue bearer shares; arrangements using nominee shareholders or nominee directors to conceal the real principals; multi-layered holding structures spanning multiple jurisdictions where each layer adds opacity without apparent business rationale; and structures where the stated ownership in registry filings does not align with the economic reality of who receives distributions and exercises control.

    Complexity alone is not the trigger — large international businesses legitimately operate through multi-jurisdiction holding structures. The trigger is opacity: when the structure makes it materially difficult to answer the fundamental question of who ultimately owns and controls the entity. The FATF 2023 report on Misuse of Corporate Vehicles identifies complex ownership structures as one of the primary methods used to layer illicit funds through the financial system.

    In a KYB context: This is the single most common EDD trigger in corporate onboarding, and the one that most frequently causes delays. A typical scenario: a fintech applies to integrate with a payment infrastructure provider. The fintech is incorporated in Ireland, which passes standard jurisdiction checks. The Irish entity is 100% owned by a holding company in Luxembourg. The Luxembourg holding is 75% owned by a fund registered in the Cayman Islands and 25% by a Singapore-incorporated entity. The Cayman fund lists a nominee director as its registered officer; the Singapore entity's directors are two individuals whose names appear in no other publicly accessible registry.

    At this point, the payment infrastructure provider cannot identify the ultimate beneficial owner. That inability to identify the UBO is itself a regulatory red flag — and a direct trigger for EDD. Proceeding without resolving the ownership structure would expose the provider to regulatory liability.

    The EDD process in this scenario involves: requesting incorporation documents and shareholder registers from each layer; cross-referencing filings across jurisdictions; verifying that the stated UBOs match observable economic activity; and — if the structure cannot be resolved to a natural person — escalating to senior management and potentially declining the relationship.

    What EDD adds: Extended UBO tracing across the full corporate hierarchy; cross-jurisdictional registry cross-referencing; verification that declared ownership aligns with observable business activity, financial flows, and digital footprint; escalation protocols when UBO identification fails.

    4. Correspondent banking relationships

    Regulatory basis: FATF Recommendation 13; EU 4AMLD Article 19; Federal Reserve SR Letter 97-19

    Correspondent banking receives its own mandatory EDD category because the risk profile is structurally distinct from standard customer relationships. When a financial institution provides banking services to another financial institution — clearing, settlement, custody, or account services — the correspondent bank is effectively extending access to the financial system not just to the respondent institution but, indirectly, to all of the respondent's customers.

    FATF Recommendation 13 specifies the minimum requirements: the correspondent must gather sufficient information about the respondent to understand the nature of its business and assess its AML/CTF controls; obtain senior management approval before establishing the relationship; and document the respective AML/CTF responsibilities of each party. For payable-through accounts — where the respondent's customers can directly access the correspondent's services — the obligations are stricter still.

    The Wolfsberg Group Correspondent Banking Due Diligence Questionnaire (CBDDQ) has become the de facto industry standard for structuring correspondent banking EDD. Most large financial institutions now require CBDDQ completion as part of the onboarding process for correspondent relationships.

    5. High-risk industries and business activities

    Regulatory basis: FATF Risk-Based Approach Guidance for the Banking Sector; EU 5AMLD Recitals 30–32; FinCEN Guidance FIN-2012-G002

    Certain industries carry structurally elevated money laundering risk. EDD is typically required when onboarding businesses operating in these sectors, regardless of whether other individual risk factors are present:

    • Virtual Asset Service Providers (VASPs) and crypto infrastructure — the combination of transaction speed, pseudonymity, and cross-border reach creates structural layering risk; FATF Recommendation 15 now explicitly covers VASPs with CDD and EDD obligations equivalent to those applied to traditional financial institutions
    • Gambling and gaming operators — high cash volumes, complex prize structures, and cross-border customer bases; particularly elevated for online gambling operations serving customers in multiple jurisdictions
    • Money or Value Transfer Services (MVTS) and money service businesses — remittance operators and currency exchange businesses handle large cash volumes and often serve populations with limited access to formal banking
    • Real estate agents, developers, and property intermediaries — real estate remains one of the primary channels for large-scale money laundering; FATF's 2022 report on money laundering through the real estate sector identifies property transactions as a consistent vulnerability globally
    • Dealers in precious metals, stones, and luxury goods — high-value, portable assets that can be used to transfer value across borders with limited documentation
    • Cash-intensive retail businesses — restaurants, car washes, parking operators, and similar businesses where cash revenues are difficult to independently verify
    • Trade finance and import-export intermediaries — Trade-Based Money Laundering (TBML) involves manipulating trade transactions to disguise the movement of value; FATF identifies this as one of the most significant and underaddressed ML vulnerabilities

    In a KYB context: The sector trigger applies to the business being onboarded, not just the individuals behind it. Consider a neobank evaluating a fintech platform that offers both fiat payment processing and crypto-to-fiat conversion services. Even if all three UBOs are clean — no PEP connections, no adverse media, no jurisdictional risk — the business model itself requires EDD because it operates in a sector FATF has designated as structurally high-risk.

    The practical implication is that sector-risk EDD cannot be resolved purely through ownership tracing and sanctions screening. It requires verification that the business's declared activity matches its operational reality: Does the platform hold the required VASP licences in the jurisdictions where it operates? Does its web presence reflect the stated business model? Are there regulatory enforcement actions against the platform or its predecessors? Does its transaction volume and customer geography align with what a legitimately operating platform of its size and age would show?

    What EDD adds: Verification that the declared business activity matches observable operational reality across registries, licences, web presence, and transaction patterns; sector-specific adverse media review covering regulatory enforcement actions; enhanced ongoing transaction monitoring calibrated to the specific risk profile of the industry.

    6. Unusual or unexplained transaction patterns

    Regulatory basis: FATF Recommendation 20 (Suspicious Transaction Reporting); EU 4AMLD Article 35; FinCEN SAR regulations, 31 CFR Part 1020.320

    Unlike the triggers above — which are assessed primarily at onboarding — unusual transaction patterns are a reactive EDD trigger that arises during an ongoing relationship. Transaction monitoring identifies behaviour inconsistent with the customer's declared risk profile, and that inconsistency requires escalation to EDD or a review of the existing EDD assessment.

    Common patterns that trigger this escalation include: transaction volumes that significantly exceed the stated business purpose without a documented commercial explanation; payments structured just below reporting thresholds across multiple transactions (structuring or smurfing); funds routed through jurisdictions with no apparent connection to the declared business activity; rapid movement of funds through the account with no apparent commercial purpose (layering behaviour); and cash-intensive transaction flows from a business not expected to handle significant cash volumes.

    In a KYB context: A logistics company with a standard CDD profile — incorporated in Poland, two clean UBOs, no adverse media — begins routing payments through a correspondent account in a jurisdiction currently on the FATF grey list, at volumes three times higher than its baseline. The transaction pattern does not match the declared business of domestic freight forwarding. This discrepancy is a direct trigger for an EDD escalation: the compliance team must obtain a satisfactory business explanation, verify the source of funds, and update the risk assessment. If no satisfactory explanation is forthcoming, it triggers a Suspicious Activity Report (SAR).

    The FATF Guidance on Transaction Monitoring emphasises that the threshold for escalation to EDD is not proof of wrongdoing — it is the presence of an unexplained inconsistency that cannot be resolved through standard monitoring.

    What EDD adds: Formal transaction pattern analysis with documented findings; re-verification of source of funds and source of wealth; updated adverse media and sanctions screening; reassessment of the overall customer risk rating; and — where the pattern cannot be satisfactorily explained — escalation to SAR filing.

    7. Operational exposure to high-risk geographies

    Regulatory basis: FATF Recommendation 10 (ongoing CDD); EU 4AMLD Article 13; FATF Guidance on the Risk-Based Approach for the Banking Sector

    A business incorporated in a low-risk jurisdiction may conduct substantial commercial activity in high-risk markets. This operational geographic exposure is an independent EDD trigger, distinct from the country of incorporation or the nationality of the UBO — and one of the most frequently missed triggers in standard KYB processes that rely heavily on registry data.

    Observable indicators of high-risk geographic operational exposure include: the business's declared customer base or supplier network concentrated in FATF grey-listed or EU high-risk countries; website content, language settings, or marketing materials targeting high-risk markets; payment flows to or from high-risk jurisdictions; physical offices, warehouses, or subsidiaries in high-risk territories; and operational partners or agents based in those markets.

    In a KYB context: A software company incorporated in Estonia — a well-regulated EU member state — applies to open a payment processing account. Registry checks are clean, UBOs are two Estonian nationals with no adverse media, incorporation documents are in order. Standard CDD would likely pass this customer without escalation.

    But the company's website, reviewed during a web presence check, reveals that its primary product is marketed exclusively in Arabic and Russian, its pricing page references three currencies — including one from a country currently on the FATF grey list — and its customer testimonials reference clients from two jurisdictions listed as EU high-risk third countries. The operational geography of the business is entirely different from what the Estonian incorporation suggests.

    Under FATF Recommendation 10 and EU AML framework obligations, the institution must understand the purpose and intended nature of the business relationship. A web presence check that reveals operational concentration in high-risk markets is a direct trigger for EDD — even when registry data showed no obvious flags. This is one of the clearest examples of why digital footprint analysis has become a standard component of KYB EDD.

    What EDD adds: Verification of the stated business rationale for operating in high-risk markets; cross-referencing declared customer and supplier geography against observable digital footprint, website content, and transaction geography; enhanced monitoring calibrated to the specific operational risk profile.

    8. Adverse media and negative public signals

    Regulatory basis: FATF Recommendation 10; EU 4AMLD Article 13(1)(d); FCA Financial Crime Guide, Chapter 2

    When standard CDD — or an initial adverse media scan — surfaces credible negative information about a customer, their directors, or their beneficial owners, this constitutes a trigger for EDD or an escalation of an existing EDD review. Adverse media is relevant not because a news report constitutes proof of wrongdoing, but because it may indicate risk factors that official data sources — registries, sanctions lists, PEP databases — have not yet captured.

    Relevant adverse media categories include: credible reporting of financial crime, fraud, bribery, or corruption; regulatory enforcement actions or licence revocations in any jurisdiction; civil or criminal litigation with financial crime elements; and credible investigative journalism alleging financial misconduct, even where no formal action has followed.

    The operational challenge is scale and noise. Research cited by Thomson Reuters estimates that manual adverse media searches can generate hundreds to thousands of hits per name, with false positive rates exceeding 90% in practice. Common sources of noise include name collisions, duplicate syndication of the same original article, outdated coverage of resolved allegations, and transliteration variants.

    In a KYB context: A compliance analyst reviewing a mid-sized trading company runs an adverse media search on the company's primary director. The search returns 847 results. Most hits are name collisions — the director shares a common name with a politician who has been the subject of significant negative coverage. Three hits, however, are credible: a civil fraud claim against the director's previous company; a regulatory notice noting that a business the director co-founded had its licence revoked; and an investigative piece noting the director's association with a company that appeared in a leaked financial database.

    None of these individually may be disqualifying. But together, they constitute a pattern that requires EDD: direct engagement with the customer to obtain explanations, verification of the stated business rationale, and a documented risk conclusion that addresses each finding.

    What EDD adds: Structured adverse media review with source attribution and deduplication; disambiguation of name collisions against the specific subject; risk-labelled summary of material findings distinguishing credible risk from noise; documented rationale for the risk conclusion addressing each material finding; and — where findings cannot be satisfactorily resolved — escalation to senior management or relationship termination.

    From Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD): How to Decide When the Threshold Is Crossed

    Understanding which factors trigger EDD is necessary but not sufficient. Compliance teams also need a clear decision framework for the moment of assessment — how to determine, in practice, that a specific customer or relationship has crossed the threshold from standard CDD into EDD territory.

    The risk-based approach is not a checklist

    A common misconception is that EDD is triggered automatically whenever one of the listed risk factors is present. In reality, FATF's risk-based approach requires proportionality: the depth and scope of EDD should correspond to the level of risk identified, not simply to the presence of a category. A domestic PEP who is a mid-level local government official presents a different risk profile from a foreign head of state. A company incorporated in a FATF grey-listed jurisdiction but operating entirely in the EU with transparent ownership and a decade of audited accounts presents a different profile from a newly registered shell with nominee directors in the same jurisdiction.

    This proportionality has a practical implication: EDD is not a binary switch between two fixed states. It is a calibrated response. Institutions that treat it as binary — either standard CDD or a fixed-scope EDD package — tend to over-escalate low-risk cases and under-investigate genuinely complex ones. Both outcomes carry regulatory and operational costs.

    The FCA's Financial Crime Guide is explicit on this point: institutions must be able to demonstrate not just that they conducted EDD on high-risk customers, but that they made a deliberate, reasoned decision about the level of scrutiny applied and why. A compliance team that cannot explain why a particular customer received standard CDD rather than EDD is in a weaker position than one that applied standard CDD and documented the reasoning.

    Two moments when the Enhanced Due Diligence (EDD) decision arises

    The decision to apply EDD arises at two distinct points in the customer lifecycle.

    At onboarding. During initial CDD, risk factors are identified and the compliance team must decide whether the identified factors, individually or in combination, require EDD before the relationship can proceed. If one or more mandatory EDD triggers are present (PEP, high-risk third country, correspondent banking), EDD is required regardless of other mitigating factors. If the trigger is discretionary — unusual structure, high-risk industry exposure, ambiguous adverse media — the decision requires documented judgment.

    In a KYB context, the onboarding EDD decision is complicated by the fact that risk factors often emerge progressively. A company may clear initial registry and sanctions checks, but the UBO tracing that follows reveals a complex ownership chain, and the web presence check that follows that reveals operational exposure to a high-risk geography. The EDD decision point is not always a single moment — it may be a series of escalating findings that collectively cross the threshold.

    During the relationship. EDD can also be triggered after onboarding, by changes in the customer's risk profile or by transaction monitoring anomalies. EU 4AMLD Article 13(1) requires institutions to apply CDD measures not only at account opening but on an ongoing basis, including when there is a material change in circumstances. A customer correctly assessed as standard CDD at onboarding may require EDD escalation if a director becomes a PEP, if the company expands into a high-risk market, or if transaction monitoring identifies patterns inconsistent with the original risk profile.

    McKinsey research on compliance operations notes that reactive re-assessment triggered by events during the relationship is one of the most common sources of compliance gaps — not because institutions lack policies, but because the data flows required to detect trigger events reliably are often fragmented across legacy systems.

    The documentation requirement

    Whatever the decision — apply EDD, defer it pending further information, or proceed with standard CDD — the reasoning must be documented. In the event of a regulatory examination or enforcement action, the quality of the documentation is often as important as the decision itself. Regulators assess whether the institution had a coherent, evidence-based process — not just whether the ultimate outcome was correct.

    For KYB specifically, the documentation requirement is more demanding than for individual customers, because the risk assessment spans multiple subjects: the legal entity, its directors, its beneficial owners, and — in some cases — its key counterparties and suppliers. A defensible KYB EDD file needs to show that each layer of the corporate structure was considered, that identified risk factors were addressed rather than noted and set aside, and that the final risk conclusion is supported by the evidence collected.

    A practical decision framework

    When assessing whether EDD is required for a corporate customer, the following sequence is consistent with FATF's risk-based approach and EU AML framework requirements:

    Step 1 — Mandatory trigger check. Does the customer, any UBO, director, or key counterparty present a mandatory EDD trigger? PEP status, connection to a FATF grey or black-listed jurisdiction, or correspondent banking relationship each require EDD regardless of other factors. If yes: EDD is required. Document which trigger was identified and proceed.

    Step 2 — Discretionary risk factor assessment. In the absence of a mandatory trigger, are there discretionary risk factors that, individually or in combination, elevate the risk profile above the standard CDD threshold? High-risk industry, complex ownership structure, adverse media, operational exposure to high-risk geographies, and unusual transaction patterns each warrant assessment. If the combination of factors produces a risk rating that exceeds the institution's defined threshold: EDD is required. Document the specific factors and the risk conclusion.

    Step 3 — Proportionality calibration. Given the specific risk factors identified, what scope of EDD is proportionate? A domestic PEP with a simple ownership structure and ten years of clean transaction history warrants a different EDD scope than a newly incorporated company with nominee directors and VASP exposure in multiple jurisdictions. Document the scope decision and the rationale.

    Step 4 — Ongoing review trigger. At what point will the EDD assessment be reviewed? The review schedule should be calibrated to the risk level: high-risk customers typically require at least annual review; any material change in circumstances — new director, change of ownership, expansion into a new market — should trigger an immediate reassessment regardless of the scheduled review date.

    Enhanced Due Diligence (EDD) Is Not a One-Time Event: Ongoing Monitoring Requirements

    A common gap in KYB compliance programmes is treating EDD as an onboarding activity — a set of checks performed before a relationship begins, filed, and then revisited only at a fixed periodic review. Regulatory frameworks are explicit that this approach is insufficient. EDD is a continuous obligation, not a point-in-time exercise.

    The regulatory basis for ongoing monitoring

    FATF Recommendation 10 requires institutions to conduct ongoing due diligence on the business relationship and to scrutinise transactions throughout the course of the relationship to ensure they are consistent with the institution's knowledge of the customer, their business, and risk profile. It further requires that documents, data, and information collected under the CDD process are kept up to date and relevant, with the frequency of updates calibrated to risk: high-risk customers require more frequent review than standard CDD customers.

    EU 4AMLD Article 13(1)(d) operationalises this as a formal ongoing monitoring requirement, covering both transaction monitoring and periodic review of the customer's overall risk profile and the documentation supporting it.

    The FCA's Financial Crime Guide Section 2.2 specifies that firms must have systems and controls that enable them to identify when existing customers' risk profiles change, and to apply EDD where a change in profile brings a customer into EDD territory.

    What ongoing monitoring covers for Enhanced Due Diligence (EDD) customers

    For customers subject to EDD, ongoing monitoring covers four areas:

    Transaction monitoring. EDD customers should be subject to enhanced transaction monitoring rules — lower thresholds for flagging unusual activity, more frequent review of flagged alerts, and calibration of monitoring rules to the specific risk profile of the customer. A VASP customer warrants different monitoring parameters than a real estate developer, even if both are classified as high-risk.

    Periodic risk profile review. The risk assessment supporting the EDD decision must be reviewed at defined intervals. For high-risk customers, FCA MLR 2017 Regulation 28 and EU 5AMLD guidance imply at least annual review, with many institutions applying six-monthly cycles for the highest-risk relationships. The review must assess whether the factors that triggered EDD remain present, whether new risk factors have emerged, and whether the scope of EDD remains proportionate.

    Sanctions and adverse media monitoring. EDD customers require ongoing screening against sanctions lists and adverse media sources — not just a check at onboarding. OFAC, the EU consolidated sanctions list, and UN sanctions are updated continuously; a customer who was clean at onboarding can appear on a list the following week. Adverse media monitoring serves a similar function: significant negative coverage that emerges after onboarding is a trigger for re-assessment.

    Event-driven triggers. Beyond scheduled reviews, certain events should trigger an immediate re-assessment regardless of the scheduled review date. For corporate customers, the most common event-driven triggers are: a change of director or UBO; an acquisition or merger that changes the ownership structure; expansion into a new market or business line, particularly one in a high-risk sector or jurisdiction; a material adverse media event; and any appearance on a sanctions or watchlist.

    The KYB-specific ongoing monitoring challenge

    Ongoing monitoring for corporate customers is structurally more demanding than for individual customers — and this is the part of the KYB compliance lifecycle that most frequently generates backlogs.

    For an individual customer, the primary ongoing monitoring questions are: Has their sanctions or PEP status changed? Have there been material adverse media events? Are their transactions consistent with their declared profile?

    For a corporate customer subject to EDD, the same questions apply — but multiplied across the entire ownership structure. A company with three UBOs, two directors, and an intermediate holding company requires ongoing monitoring not just of the company but of each individual and each entity in the chain. A new director who joins after onboarding brings their own risk profile that must be assessed. A UBO who acquires a stake in a government-linked enterprise after onboarding may have become a PEP.

    The LexisNexis True Cost of Financial Crime report estimates that 85% of compliance team time is spent on manual review activities. Ongoing monitoring for corporate EDD customers is a significant contributor to that figure — because each periodic review for a complex corporate structure can require rebuilding substantial parts of the original EDD case from scratch, pulling updated data from registries, running new adverse media searches, and reassessing risk conclusions in light of any changes.

    This is why automation has become central to ongoing KYB monitoring in practice — not as a replacement for human judgment on risk conclusions, but as a mechanism for keeping the underlying data current and flagging changes that require analyst attention.

    What Enhanced Due Diligence (EDD) Includes: The Core Components

    EDD is not a single check — it is a structured investigative process that combines multiple data sources, verification methods, and analytical outputs into a single, defensible case file. The specific scope varies by customer risk profile and institutional policy, but the components below represent the baseline that most regulatory frameworks expect to see documented for high-risk corporate relationships.

    A full treatment of each component — methodology, data sources, and implementation considerations — is covered in our Enhanced Due Diligence: Complete Guide for Compliance Teams. This section provides a structured overview to orient the EDD decision against the process it initiates.

    Source of funds and source of wealth verification

    Source of funds refers to the origin of the money used in a specific transaction or business relationship. Source of wealth refers to the broader question of how the customer accumulated their overall assets. Both are required for EDD; for PEPs and high-net-worth individuals, source of wealth verification is often the most analytically demanding component.

    For corporate customers, source of funds verification means understanding the commercial activity that generates the revenue flowing through the relationship — corroborated against observable evidence: audited accounts, tax filings, contracts, and transaction patterns consistent with the stated business model. The FATF Guidance on Transparency and Beneficial Ownership is explicit that source of wealth verification for beneficial owners must trace back to the natural persons who ultimately own or control the entity.

    Beneficial ownership mapping and UBO verification

    EDD requires full mapping of the ownership and control structure of the legal entity, tracing through all intermediate layers to the ultimate beneficial owners — the natural persons who ultimately own or control the business, typically defined as those holding more than 25% of shares or voting rights, or exercising equivalent control through other means.

    For complex corporate structures, this process involves: cross-referencing registry filings across multiple jurisdictions; requesting and verifying shareholder registers, trust deeds, and nominee agreements; and confirming that the declared ownership structure matches the economic reality of who receives distributions and exercises operational control. EU 5AMLD Articles 30–31 require institutions to cross-reference their findings against central beneficial ownership registers as part of EDD. Discrepancies between declared ownership and register entries are themselves an EDD red flag requiring resolution.
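
    The tracing step described above, as an added example (not Scoreplex's code and not a method prescribed by any framework cited here). It assumes that shares are multiplied along each chain and summed across chains, which is one common convention; all entity names and shares are constructed, and control exercised "through other means" is outside what this arithmetic can show.

```python
from collections import defaultdict
from fractions import Fraction

UBO_THRESHOLD = Fraction(25, 100)  # "more than 25%" from the text above


def pct(n):
    """Exact percentage, so a holding of exactly 25% never rounds over the line."""
    return Fraction(n, 100)


# Constructed sample structure (all names hypothetical).
# owned entity -> {direct holder: share of that entity}
OWNERS = {
    "TargetCo": {"HoldCo A": pct(60), "HoldCo B": pct(30), "Carol": pct(10)},
    "HoldCo A": {"Alice": pct(50), "HoldCo B": pct(50)},
    "HoldCo B": {"Bob": pct(80), "Dave": pct(20)},
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Dave"}


def trace_ownership(target, owners, natural_persons):
    """Walk every ownership chain from `target` up to natural persons.

    Returns (effective, issues):
      effective: person -> total indirect share of `target`
      issues:    findings an analyst must resolve before the map is complete
    """
    effective = defaultdict(Fraction)
    issues = []

    def walk(entity, fraction, path):
        for holder, share in owners.get(entity, {}).items():
            held = fraction * share
            if holder in natural_persons:
                effective[holder] += held          # sum across all chains
            elif holder in path:
                # Circular cross-holding: stop here and record it, rather
                # than recursing forever or silently dropping the stake.
                issues.append("circular holding: " + " -> ".join(path + [holder]))
            elif holder not in owners:
                # Legal entity with no recorded owners: the chain is opaque.
                issues.append(
                    f"opaque layer: no owners recorded for {holder} "
                    f"({float(held):.0%} of {target})"
                )
            else:
                walk(holder, held, path + [holder])

    walk(target, Fraction(1), [target])
    return dict(effective), issues


def find_ubos(effective, threshold=UBO_THRESHOLD):
    """Natural persons whose summed share is strictly above the threshold."""
    return sorted(p for p, share in effective.items() if share > threshold)


def unattributed(effective):
    """Share of the target not traced to any natural person."""
    return Fraction(1) - sum(effective.values(), Fraction(0))


if __name__ == "__main__":
    eff, issues = trace_ownership("TargetCo", OWNERS, NATURAL_PERSONS)
    for person, share in sorted(eff.items()):
        print(f"{person:6s} {float(share):6.1%}")
    print("UBOs:", find_ubos(eff))
    print("Unattributed:", float(unattributed(eff)), "Issues:", issues)
```

    In the sample, Bob holds nothing in TargetCo directly and each of his two chains carries only 24%, so a per-chain check would clear him; summed across chains he is at 48%.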

    Sanctions, PEP, and watchlist screening

    All individuals identified in the ownership and control structure — directors, UBOs, authorised signatories, and key counterparties — must be screened against sanctions lists and PEP databases. For EDD customers, this requires fuzzy matching to catch transliteration variants and name changes, review of associated entities and relatives, and explicit documentation of how hits were assessed and resolved.

    Key screening sources include: OFAC SDN list, EU consolidated sanctions list, UN Security Council sanctions, and HM Treasury financial sanctions list, supplemented by comprehensive PEP databases covering national and international categories across all relevant jurisdictions.

    Adverse media analysis

    Adverse media screening for EDD must go beyond a basic web search. It requires systematic collection across news sources, regulatory databases, court records, and public filings; deduplication to eliminate syndicated copies of the same article; disambiguation to separate hits that relate to the actual subject from name collisions; and structured presentation of findings with source attribution and risk labelling.

    The output should distinguish between material findings that require direct engagement with the customer, findings that are noted and monitored but do not block the relationship, and noise — hits that do not relate to the subject or that relate to resolved matters with no ongoing risk relevance. Scoreplex's Adverse Media AI Agent automates the collection, deduplication, and risk-labelling steps, reducing the time analysts spend on this component from hours to minutes.

    Web presence and digital footprint analysis

    Web presence analysis verifies that the business's observable online activity is consistent with its declared profile. It covers: website availability, domain age and ownership history, official social media channels, third-party business profiles and review platforms, and signals of operational legitimacy. For EDD, FATF Recommendation 10 requires institutions to understand the purpose and intended nature of the business relationship — and web presence analysis is one of the few areas where the intended nature of the business can be assessed through externally observable evidence rather than self-declared information.

    Document verification

    EDD typically requires collection and verification of a broader set of documents than standard CDD: incorporation certificates, memoranda and articles of association, shareholder registers, UBO declarations, proof of address for the legal entity and its beneficial owners, director identification, and — for higher-risk relationships — financial statements and audited accounts. Document verification involves checking authenticity indicators, validating dates and completeness, cross-referencing stated information against registry data, and identifying inconsistencies. Documents submitted across different jurisdictions and languages add operational complexity.

    Due diligence narrative and audit trail

    The output of an EDD process is a documented risk conclusion. The EDD case file must include a narrative that synthesises findings across all components, explains the risk conclusion, identifies any outstanding concerns and how they were resolved, and provides a clear audit trail linking every claim to its source evidence.

    This narrative serves two functions: it is the document a compliance officer uses to make the final onboarding or escalation decision, and it is the document a regulator examines to assess whether the institution's EDD process was adequate. For a detailed breakdown of each EDD component, see our EDD Complete Guide for Compliance Teams.

    The Cost of Getting Enhanced Due Diligence (EDD) Wrong

    EDD failures carry consequences at three levels: regulatory penalties, reputational damage, and operational remediation costs. Each is significant in its own right; together, they represent a risk that materially outweighs the cost of maintaining a robust EDD programme.

    Regulatory penalties: the enforcement picture

    Global AML and KYC enforcement has intensified consistently over the past decade. According to data cited in the Scoreplex whitepaper on AI in Compliance Operations, global AML and KYC fines totalled $6.6 billion in 2023, $4.6 billion in 2024, and $3.8 billion in 2025. The aggregate figures fluctuated, but the supervisory approach became more structural: regulators increasingly used criminal resolutions, independent compliance monitors, remediation programmes, and growth restrictions alongside financial penalties.

    EDD failures are a recurring theme in enforcement actions. The pattern is consistent: inadequate due diligence on high-risk customers, failure to identify PEP connections in corporate ownership structures, insufficient source of funds verification for high-risk relationships, and — most commonly — adequate policies that were not actually applied to specific cases.

    Several enforcement actions illustrate the exposure specifically in KYB contexts:

    Westpac (2020) — AUSTRAC imposed an AUD 1.3 billion penalty, at the time the largest in Australian corporate history, including findings related to failures in correspondent banking EDD and inadequate monitoring of high-risk relationships. The enforcement action noted that the failures were not primarily policy failures — the institution had EDD policies — but implementation failures: the policies were not consistently applied to specific relationships.

    Deutsche Bank (2023) — The US Department of Justice and regulators in multiple jurisdictions took action relating to, among other matters, failures to apply adequate EDD to high-risk customers and to maintain effective ongoing monitoring for relationships that had been identified as elevated-risk at onboarding. The remediation programme ran for several years and involved substantial operational restructuring of the compliance function.

    Binance (2023) — The US Department of Justice secured a $4.3 billion resolution with the world's largest cryptocurrency exchange, with findings including systemic failures in KYB processes, inadequate EDD on high-risk business customers, and failure to file Suspicious Activity Reports for transactions with customers in sanctioned jurisdictions. The case is a direct illustration of the sector risk trigger described above: the business model itself created structural EDD obligations that were not systematically met.

    These cases share a common thread that regulators have made explicit: the existence of a written EDD policy provides limited protection if the policy is not demonstrably applied to specific relationships. The FCA's approach to AML supervision consistently emphasises that it assesses the quality and consistency of implementation, not just the adequacy of policies on paper.

    Reputational consequences

    Beyond direct penalties, EDD failures carry reputational costs that are harder to quantify but often more enduring. Association with financial crime — even as a facilitating institution rather than a direct participant — damages client relationships, triggers correspondent banking de-risking, and creates friction in regulatory relationships that can persist for years after the underlying failures are remediated.

    The reputational damage from a major AML enforcement action typically manifests in three ways: loss of existing clients who reassess their counterparty risk; difficulty acquiring new clients in regulated segments where counterparty AML standards are themselves a compliance requirement; and increased scrutiny from regulators in subsequent examinations. Refinitiv research on the cost of financial crime compliance has found that large companies can spend over £100 million annually on remediation activity following a major compliance failure.

    Operational remediation costs

    When EDD failures result in a formal enforcement action or a regulatory requirement to remediate, the operational costs extend far beyond any financial penalty. Remediation programmes typically require: a comprehensive lookback review of historical relationships; re-screening of the existing customer book against current risk standards; enhanced monitoring programmes for relationships that are continued; restructuring of compliance processes and technology; and — in many cases — the appointment of an independent compliance monitor.

    McKinsey analysis of compliance remediation costs estimates that the total cost of a major AML remediation programme — including staff, technology, external advisors, and opportunity cost of management attention — frequently exceeds the original financial penalty by a factor of three to five. The cost argument for maintaining a robust EDD programme is therefore not primarily about avoiding fines: it is about avoiding the far larger operational and reputational costs that follow when the programme fails.

    Why Manual Enhanced Due Diligence (EDD) Doesn't Scale — and What Changes With Automation

    The regulatory obligations described in this article are demanding by design. EDD exists because high-risk relationships require genuine investigative effort — not a form-filling exercise, but a real attempt to understand who a customer is, what their business does, and whether the relationship presents risk the institution can manage responsibly.

    The problem is not with the standard. The problem is operational: the tools and processes most compliance teams use to meet that standard were not built for the volume, complexity, or cross-border scope of modern KYB.

    The manual Enhanced Due Diligence (EDD) bottleneck in numbers

    The scale of the problem is well-documented. According to the LexisNexis True Cost of Financial Crime report, manual compliance review costs the financial services industry over $100 billion annually in labour costs alone. McKinsey research found that 85% of compliance team time is spent on manual review activities — data gathering, formatting, and assembly — rather than on the risk judgments that actually require human expertise.

    For corporate onboarding specifically, Corporate Compliance Insights estimates that completing a single corporate KYC review costs institutions an average of over $2,500 and takes approximately 95 days. Encompass Corporation research puts corporate onboarding at 90 to 120 days end-to-end, consuming approximately 51 hours of manual labour per case. According to data cited in the Scoreplex AI in Compliance Operations whitepaper, 83% of KYB and EDD processes are still conducted manually.

    These figures describe an operational model that is both expensive and fragile. Manual EDD does not scale with business growth — adding volume means adding headcount. It produces inconsistent outcomes because individual analysts make different judgments about the same evidence. And it creates audit trail gaps because the assembly of evidence across multiple tools and sources is difficult to document systematically.

    Three specific places where manual Enhanced Due Diligence (EDD) breaks down

    Adverse media at scale. Manual adverse media searches can return hundreds to thousands of hits per name. Thomson Reuters compliance research estimates false positive rates exceeding 90% in practice. An analyst reviewing 800 hits for a single director — most of which are name collisions or syndicated duplicates — is spending the majority of their time on noise rather than risk. Multiply this across all the individuals in a complex corporate structure, and adverse media alone can consume a full working day per EDD case.

    Document verification across jurisdictions. A single corporate EDD case may involve incorporation documents from three different countries, in two or three languages, using jurisdiction-specific formats that do not map cleanly onto each other. Manual document handling at this level of complexity is slow, error-prone, and difficult to standardise across a compliance team — which means EDD output quality varies systematically by analyst rather than by risk level.

    Web presence and digital footprint analysis. Verifying that a company's operational reality matches its declared profile — checking website content, domain history, social media activity, third-party business profiles, and geographic signals — requires pulling information from multiple unstructured sources. Done manually, this takes 30 to 90 minutes per case and produces output that is difficult to document consistently. Yet as illustrated throughout this article, digital footprint analysis is often the component that surfaces the most important risk signals.

    What AI agents change — and what they do not

    AI agents for KYB compliance address the operational bottleneck by automating the evidence-gathering and structuring steps of the EDD process — the parts that consume the majority of analyst time without requiring expert judgment.

    Specifically, well-designed AI agents can: pull registry data and map ownership structures across multiple jurisdictions in minutes rather than hours; collect and deduplicate adverse media across thousands of sources, disambiguate name collisions, and present ranked, risk-labelled findings rather than raw hit lists; analyse web presence signals systematically and flag inconsistencies between declared and observable business activity; extract and cross-reference key fields from documents across languages and jurisdictions using OCR and NLP; run sanctions and PEP screening with fuzzy matching across transliteration variants; and assemble the collected evidence into a structured, source-linked case file with a draft compliance narrative.

    The Encompass Corporation analysis of automation in corporate onboarding found an average 32% reduction in processing time after implementing digital identity automation — and that figure reflects only the web presence and registry components, not the full EDD workflow.

    What AI agents do not change — and should not change — is the final risk judgment. The decision to proceed with a high-risk relationship, to escalate to senior management, to request additional documentation, or to decline the relationship is a human compliance decision. FATF guidance on the use of technology for AML/CFT explicitly supports technology-assisted due diligence while emphasising that institutions remain responsible for the quality and adequacy of their customer due diligence regardless of the tools used.

    The practical result of well-implemented automation is that compliance teams spend less time gathering and reformatting data — the 85% McKinsey identifies as manual overhead — and more time on the judgments that actually require their expertise: assessing complex risk pictures, engaging with customers to resolve ambiguities, and making defensible decisions on difficult cases.

    Scoreplex's AI Agent automates the evidence-gathering, structuring, and narrative-drafting steps of the EDD workflow, producing a single audit-ready case file that covers the legal entity, its ownership structure, and the individuals behind it — with every conclusion linked to its source evidence. If you want to see how this works in practice, book a demo.

    Conclusion

    Enhanced Due Diligence is required when a customer, relationship, or transaction presents a level of risk that standard Customer Due Diligence cannot adequately address. That threshold is crossed by specific, well-defined triggers — PEP connections, high-risk jurisdictions, complex or opaque ownership structures, high-risk industries, unusual transaction patterns, operational geographic exposure, adverse media, and correspondent banking relationships — each grounded in FATF recommendations and codified in national AML frameworks across jurisdictions.

    For corporate customers, EDD is structurally more demanding than for individuals because the risk assessment must cover the full ownership chain — not just the legal entity, but every UBO, director, and intermediate holding structure. A company that clears registry checks cleanly can still require EDD because of who owns it, where it operates, or what its business model entails. This is why KYB remains one of the most challenging areas of compliance operations, and why institutions that rely on registry data alone consistently miss the risk factors that surface in ownership tracing, digital footprint analysis, and adverse media review.

    EDD is also not a one-time event. Regulatory frameworks require ongoing monitoring calibrated to the risk level of each relationship — which means that the operational demands of EDD extend well beyond the onboarding stage. For high-risk corporate customers, maintaining current, defensible EDD documentation is a continuous obligation.

    Getting this wrong carries real consequences: $6.6 billion in global AML fines in 2023 alone, enforcement actions that impose remediation costs far exceeding the original penalties, and reputational damage that compounds over years. The cost argument for robust EDD is not primarily about avoiding fines — it is about avoiding the far larger operational and institutional costs that follow when the programme fails.


    About Scoreplex

    Scoreplex is an AI Enhanced Due Diligence (EDD) platform that automates customer due diligence, minimizes false positives, streamlines document verification, and generates comprehensive narrative reports.

    How it works: From a single company input, it produces a complete business risk profile, including:

    • Official registry checks with UBO identification and full ownership chains
    • Global sanctions and PEP screening
    • Real-time adverse media monitoring with structured events and source attribution
    • Automated document verification (incorporation records, address validation)
    • Website analysis and cross-checks of company details, products, contacts, and locations
    • Product and customer review analysis (Trustpilot, G2, Google Reviews)
    • Social media analysis of corporate accounts and profiles of founders and directors
    • High-risk country exposure assessment based on aggregated signals
    • A structured risk summary highlighting red flags, rationale, and direct source links

    Built for Faster, Smarter Decisions:

    • 10× faster reviews through end-to-end automation
    • Up to 10× lower costs compared to traditional service providers
    • Significantly fewer false positives driven by registry-first matching and transparent risk signals


    Frequently Asked Questions

    Is Enhanced Due Diligence (EDD) required for all customers?

    No. EDD is required only for customers, relationships, or transactions that present elevated risk factors — such as PEP connections, links to high-risk jurisdictions, complex ownership structures, or high-risk industries. Standard customers who do not present these risk factors are subject to Customer Due Diligence (CDD), which involves less intensive verification. The decision to apply EDD is governed by a risk-based approach: institutions must assess each customer's specific risk profile and apply EDD proportionately where the risk exceeds the standard CDD threshold.

    What is the difference between Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)?

    CDD is the baseline verification process applied to all customers: identity verification, basic risk assessment, and understanding the purpose of the business relationship. EDD is an elevated process applied to high-risk customers — it involves collecting more information, verifying it through additional independent sources, and maintaining stronger ongoing monitoring. EDD typically adds source of funds and source of wealth verification, deeper adverse media analysis, full beneficial ownership mapping, and enhanced transaction monitoring. The key difference is depth, scope, and the ongoing obligations that follow initial onboarding. A full breakdown is available in our EDD Complete Guide.

    When is Enhanced Due Diligence (EDD) required for businesses (KYB)?

    EDD is required for a business customer when the company itself, its beneficial owners, directors, or the nature of its operations present elevated risk factors. Common KYB-specific triggers include: a UBO or director identified as a PEP; the company or its UBOs connected to a high-risk jurisdiction; a complex or opaque ownership structure that makes it difficult to identify the ultimate beneficial owner; operation in a high-risk industry such as crypto, gambling, or real estate; operational exposure to high-risk geographies even when incorporated in a low-risk jurisdiction; and adverse media concerning the company or its principals. For corporate customers, EDD must cover the full ownership chain — not just the legal entity.

    How often should Enhanced Due Diligence (EDD) be reviewed for existing customers?

    Review frequency should be calibrated to risk level. For high-risk customers, FCA MLR 2017 Regulation 28 and EU 5AMLD guidance imply at least annual review, with many institutions applying six-monthly cycles for the highest-risk relationships. Beyond scheduled reviews, certain events should trigger an immediate reassessment: a change of director or UBO, a change in ownership structure, expansion into a new market or high-risk sector, a material adverse media event, or any appearance on a sanctions or watchlist.

    Can Enhanced Due Diligence (EDD) be automated?

    The evidence-gathering, structuring, and initial analysis components of EDD can be substantially automated. AI agents can handle registry data collection and ownership mapping, adverse media collection and deduplication, sanctions and PEP screening with fuzzy matching, web presence analysis, document extraction and cross-referencing, and assembly of a structured, evidence-linked case file. What cannot and should not be automated is the final risk judgment: the decision to proceed, escalate, or decline a relationship must remain with a human compliance officer. This human-in-the-loop model is consistent with FATF guidance on the use of technology for AML/CFT compliance. For a detailed look at how AI agents work in EDD practice, see our article on What Is an EDD AI Agent.