Enhanced Due Diligence (EDD): When to Apply It and What It Requires

June 18, 2026 · 9 min read · Tags: enhanced due diligence, EDD, PEP, high-risk customers

When standard CDD is not enough — the triggers for enhanced due diligence, the measures it requires (source of funds and wealth, senior approval, enhanced monitoring), and how to document EDD so it survives an inspection.

Most customers a bank or SACCO onboards never need more than the standard checks. You confirm who they are, understand what they intend to do with the account, and move on. But a minority of relationships carry risk that standard checks cannot contain — a politically exposed director, a company whose ownership disappears into a chain of offshore vehicles, a customer whose transactions look nothing like the profile they gave you. For those relationships, doing the ordinary thing is not enough. Enhanced due diligence is the heightened scrutiny you apply when the risk is high enough that you need to know more before you are comfortable carrying the relationship.

Enhanced due diligence is also where AML programmes most often fail an inspection. Not because institutions never do the deeper work, but because the work is inconsistent, undocumented, or done so late that the examiner can see it was reactive rather than designed. This guide sets out what separates customer due diligence from enhanced due diligence, the triggers that should push a relationship into EDD, the measures EDD actually requires, and — the part that decides whether your effort survives an inspection — how to document it. It is one capability within the wider programme described in the complete AML platform guide, and it depends on the controls around it working together.

CDD versus EDD: a difference of degree, applied by risk

Customer due diligence (CDD) is the baseline you apply to every customer. You identify the customer and verify that identity from reliable sources, identify any beneficial owner and take reasonable steps to verify them, understand the intended nature and purpose of the relationship, and then monitor the relationship over its life. CDD is not optional and it is not light — it is the floor below which no relationship sits.

Enhanced due diligence (EDD) is the same idea taken further. It is not a different category of check so much as a heightened intensity of the same checks, applied where standard CDD does not give you enough comfort. Where CDD asks who is this customer and what do they intend to do, EDD asks where does their money actually come from, who really stands behind them, and does their activity match the story they told us — and it asks those questions with more evidence, more senior sign-off, and closer ongoing attention than a standard relationship receives.

The risk-based approach is what connects the two. You do not apply EDD to everyone — that would waste scrutiny that high-risk relationships need and bury your analysts in low-value work. You apply it where risk is genuinely elevated. The discipline, then, is twofold: knowing precisely when a relationship crosses into EDD territory, and applying a consistent, documented set of measures once it does. Get the trigger wrong and you either over-scrutinise or, far more dangerously, miss the relationships that needed the deeper look.

What triggers enhanced due diligence

EDD should never be a matter of an analyst's mood on a given day. The triggers should be defined, written down, and applied the same way to every customer. In practice they fall into a handful of recognisable categories.

A high customer risk rating

The most systematic trigger is the customer's own risk score. A well-built customer risk assessment combines several dimensions of risk into a single band, and a high band is the cleanest, most defensible signal that a relationship warrants enhanced scrutiny. Rather than asking each analyst to decide ad hoc whether a customer "feels" high-risk, you let the model decide who enters EDD — consistently, and on evidence you can reproduce. How that score is built, weighted, and banded is the subject of the risk score that decides who enters EDD; for the purposes of EDD, the high band is simply the trigger.

High-risk geography

A connection to a high-risk jurisdiction — a country under FATF or ESAAMLG scrutiny, a sanctioned territory, or a corridor your own institution treats as elevated — is a long-standing EDD trigger. It applies to where the customer is based, where they were born or incorporated, and where their funds flow to and from. A customer whose money routes through a high-risk corridor warrants the deeper look even if everything else about them looks ordinary.

Politically exposed persons

A politically exposed person (PEP) — someone entrusted with a prominent public function, along with their close family and known associates — is a standard EDD trigger almost everywhere. The concern is not that a PEP is presumed guilty, but that their position creates a heightened risk of bribery, corruption, and the laundering of proceeds, and that the consequences of getting it wrong are severe. PEP status reliably pushes a relationship into enhanced due diligence and brings with it the senior-approval requirement discussed below.

Complex or opaque ownership

When you cannot readily see who ultimately owns or controls a customer — layered corporate structures, nominee arrangements, ownership chains that cross several jurisdictions — that opacity is itself a risk signal. The whole point of EDD here is to cut through the structure and establish the real beneficial owner, because money laundering frequently hides behind exactly this kind of complexity. Doing that well is a discipline in its own right; unpicking complex ownership during EDD is where entity resolution and a beneficial-ownership graph earn their place.

Unusual or unexpected behaviour

Finally, behaviour can trigger EDD after onboarding. A customer whose transactions do not match the profile they gave you, a sudden change in the volume or pattern of activity, or a transaction monitoring alert that does not resolve cleanly can all justify escalating an existing relationship into enhanced scrutiny. EDD is not only an onboarding decision — it is something a live relationship can fall into when its behaviour stops making sense.

What enhanced due diligence requires

Identifying that a relationship needs EDD is only the start. The measures themselves are what regulators expect to see, and four recur across jurisdictions.

Source of funds and source of wealth

The cornerstone of EDD is establishing where the money comes from. There are two distinct questions here, and both matter:

  • Source of funds — the origin of the specific money flowing through the account or funding a particular transaction. Where did this money come from?
  • Source of wealth — the origin of the customer's overall financial position. How did they come to have the assets they hold in the first place?

For a high-risk customer, asserting these is not enough; you are expected to corroborate them with evidence — pay records, sale agreements, dividend or business records, audited accounts — proportionate to the risk and the amounts involved. This is the single most common gap an examiner finds: a file that records what the customer said their source of wealth was, with nothing to show anyone tested it.

Senior management approval

For higher-risk relationships, and PEPs in particular, the decision to enter or continue the relationship should not rest with the onboarding analyst alone. Senior management approval is a standard EDD requirement: a named, accountable individual signs off on taking the customer on, having seen the risk and the EDD findings. This does two things. It puts the decision at a level of the organisation that carries real accountability, and it leaves a record that the institution made a conscious, informed choice rather than letting a high-risk relationship through on autopilot.

Enhanced ongoing monitoring

EDD does not end at onboarding. A high-risk relationship warrants more sensitive, more frequent ongoing monitoring than a standard one — tighter transaction-monitoring thresholds, closer attention to activity against the expected profile, and faster follow-up when something looks off. The relationship that justified enhanced scrutiny at the start continues to justify it for as long as the risk persists.

More frequent periodic review

Because risk changes over time, EDD relationships should be re-examined more often than standard ones. The review cadence should follow the risk band rather than a single calendar applied to everyone, so that high-risk customers come back round for reassessment sooner. Each review revisits the risk rating, the source-of-funds picture, screening results, and whether the relationship still behaves as expected — and either confirms the relationship or escalates it.

Documentation and four-eyes: making EDD survive an inspection

The hardest truth about enhanced due diligence is that doing it is not the same as being able to prove you did it. An examiner does not watch you work; they read your files. If the EDD analysis lives in an analyst's head, in a scatter of emails, or in a document nobody can locate two years later, then for inspection purposes it may as well not exist. Two principles turn EDD from effort into evidence.

The first is evidence-first documentation. Every consequential EDD decision should carry its supporting evidence one click away — the source-of-funds corroboration, the screening results that were reviewed, the ownership picture that was established, the reasoning that led to accepting or escalating the relationship. The file should let a reviewer reconstruct not just what was decided but why, from the same evidence the decision-maker saw.

The second is four-eyes approval on the consequential steps. A single analyst should not be able to clear a high-risk relationship unilaterally. One person proposes, another authorises, and both the proposal and the approval are recorded with a reason. Applied to the senior-management sign-off, to a risk-score override, or to the decision to exit a relationship, four-eyes turns a judgement call into a dual-controlled, auditable decision — exactly what an examiner wants to see behind a high-risk customer.

Underneath both sits an append-only, immutable audit log. Who gathered which evidence, who approved what and when, what the customer's risk band was at each point — recorded in a trail that cannot be quietly altered after the fact. That log is what lets you answer the examiner's defining question about any high-risk relationship: show me how you handled this, and prove it.
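
An added example, not Creodata's code: a minimal sketch of the two controls described above, a hash-chained append-only log with a four-eyes check on approval. The class, field, and action names are hypothetical, and timestamps are passed in by the caller.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first entry

def _digest(entry):
    # Hash every field except the hash itself, in a canonical key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EddAuditLog:
    """Hypothetical append-only log: entries can be added, never edited."""

    def __init__(self):
        self._entries = []

    def append(self, ts, actor, action, case_id, reason, evidence=()):
        if not reason.strip():
            raise ValueError("every recorded step needs a reason")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "ts": ts, "actor": actor,
                 "action": action, "case_id": case_id, "reason": reason,
                 "evidence": list(evidence), "prev": prev}
        entry["hash"] = _digest(entry)  # binds this entry to all earlier ones
        self._entries.append(entry)
        return entry["hash"]

    def approve(self, ts, approver, case_id, reason):
        # Four-eyes: the latest proposal on the case must come from someone else.
        proposals = [e for e in self._entries
                     if e["case_id"] == case_id and e["action"] == "propose"]
        if not proposals:
            raise PermissionError("no proposal recorded for this case")
        if proposals[-1]["actor"] == approver:
            raise PermissionError("proposer cannot approve their own proposal")
        return self.append(ts, approver, "approve", case_id, reason)

    def export(self):
        return copy.deepcopy(self._entries)  # callers get a copy, not the log

def first_broken_entry(entries):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return None
```

A hash chain makes edits detectable, not impossible: anyone able to rewrite the whole log can recompute it, so the latest hash should also be stored somewhere the log's operators cannot change.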

Running EDD as a case in Creodata

In the Creodata AML Platform, enhanced due diligence is not a separate spreadsheet bolted onto the side of the programme — it is a workflow inside Case Management, fed by the rest of the platform. The customer risk assessment service produces the six-factor score and band; a high band is what routes the relationship into the EDD workflow in the first place. Because these are services within one integrated platform rather than separate tools, the band that triggers EDD is the same value screening and monitoring read, logged in a single audit trail rather than copied between systems.

Inside Case Management, the EDD workflow gives the analyst a structured place to gather source-of-funds and source-of-wealth evidence, to review screening results and the linked entities behind a customer, and to record the analysis and decision. The platform's entity-resolution tooling — the resolved entities, links, clusters, and beneficial-ownership graph — is embedded in the case UI, so unpicking opaque ownership happens where the rest of the investigation lives rather than in a separate exercise. Senior approvals and overrides run through four-eyes; every consequential decision shows its evidence one click away; and the whole sequence lands in the immutable audit log. How that case lifecycle works end to end — alert assignment, the request-for-information cycle, SLA handling, escalation — is the subject of running EDD as a case workflow. Where EDD surfaces activity that needs to be reported, the case hands off to the reporting lifecycle and, in turn, to the goAML Reporting Platform.

Frequently asked questions

What is the difference between CDD and EDD?

Customer due diligence (CDD) is the baseline you apply to every customer: identify and verify them, identify any beneficial owner, understand the purpose of the relationship, and monitor it over time. Enhanced due diligence (EDD) is the same set of checks applied with greater intensity — corroborated source of funds and wealth, senior approval, and closer ongoing monitoring — reserved for relationships where standard CDD does not give you enough comfort. EDD is a difference of degree, applied by risk, not a separate category of check.

When must we apply enhanced due diligence?

Apply EDD wherever risk is genuinely elevated. The common triggers are a high customer risk rating, a connection to a high-risk jurisdiction or corridor, politically exposed person (PEP) status, complex or opaque ownership you cannot easily see through, and unusual or unexpected behaviour on a live relationship. The triggers should be defined and written down so they are applied consistently rather than left to an individual analyst's discretion.

Is source of funds the same as source of wealth?

No, and conflating them is a common gap. Source of funds is the origin of the specific money moving through the account or funding a transaction. Source of wealth is the origin of the customer's overall financial position — how they came to hold their assets at all. For a high-risk customer you are expected to corroborate both with evidence proportionate to the risk, not simply record what the customer asserted.

How do we prove we did EDD if a regulator asks?

By documenting it as you go, in one place, with the evidence attached. Each consequential decision should carry its supporting evidence one click away, the senior-approval and override steps should run through four-eyes so they are dual-controlled, and the whole sequence should land in an append-only audit log that cannot be altered afterwards. In Creodata, the EDD workflow inside Case Management captures exactly this, so the file an examiner reads reconstructs both what was decided and why.

Enhanced due diligence only protects you when the trigger, the measures, and the documentation all live in one auditable system rather than scattered across spreadsheets and inboxes. To see how Creodata's AML Platform runs EDD as a case workflow — fed by the six-factor risk score, backed by entity resolution, and protected by four-eyes and an immutable audit log — book a demo. If you would value help defining your EDD triggers and measures to fit your institution's risk profile, our financial crime compliance advisory team can work through it with you.