Enhanced Due Diligence (EDD): Complete Compliance Guide
Enhanced Due Diligence (EDD) under MLR 2017: mandatory triggers, 7-step process, documentation requirements, CDD vs EDD comparison, and automation tools for UK regulated firms.

Enhanced Due Diligence (EDD) is the heightened level of customer verification required when a business relationship presents an elevated risk of money laundering or terrorist financing. It goes beyond standard Customer Due Diligence (CDD) by mandating source of funds verification, senior management approval, and intensified ongoing monitoring. Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), EDD is not discretionary: specific triggers make it a legal obligation for UK regulated firms.
For a broader overview of the AML compliance framework, see our document compliance guide.
This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
What Is Enhanced Due Diligence (EDD)?
EDD is the third and most intensive tier of the customer due diligence framework established by the Financial Action Task Force (FATF) and implemented in UK law through MLR 2017. The three tiers are:
- Simplified Due Diligence (SDD): applicable only where risk is demonstrably low, for specific customer categories defined in legislation (MLR 2017, Reg. 37)
- Standard Customer Due Diligence (CDD): the baseline verification required for the majority of business relationships (MLR 2017, Reg. 28)
- Enhanced Due Diligence (EDD): mandatory additional measures where higher risk is identified (MLR 2017, Reg. 33 and 35)
A point frequently raised by compliance professionals, including on forums such as r/compliance, is whether EDD applies to all high-risk customers or only to specific defined categories. The answer matters operationally. Under MLR 2017 Regulation 33, EDD applies in all higher-risk situations, not only to the named categories (PEPs, correspondent banking, high-risk third countries). The named categories trigger EDD automatically, but the risk-based approach requires firms to apply EDD whenever their own risk assessment identifies elevated risk, even if none of the statutory categories is present. This is a meaningful distinction: a firm cannot confine EDD solely to PEPs and assume all other customers are adequately covered by CDD.
FATF Recommendation 10 requires ongoing due diligence throughout the business relationship, and Recommendation 12 mandates EDD specifically for Politically Exposed Persons.
When Is EDD Required? Mandatory Triggers
MLR 2017 Regulation 33 sets out the situations where EDD is specifically mandated. The FCA's Financial Crime Guide (FCG 3.2) provides supervisory guidance on how these triggers are assessed in practice.
| Trigger | Regulatory basis | Practical examples |
|---|---|---|
| Politically Exposed Persons (PEPs), domestic and foreign | MLR 2017 Reg. 35; FATF Rec. 12 | Ministers, parliamentarians, senior judiciary, state-owned enterprise executives, their family members and known close associates |
| Correspondent banking relationships | MLR 2017 Reg. 33(3); FATF Rec. 13 | Relationships with correspondent institutions outside the EEA where the respondent's AML controls are less certain |
| High-risk third country transactions | MLR 2017 Reg. 33(1)(b); Schedule 3ZA | Transactions involving countries on the UK's high-risk third country list, FATF black or grey list |
| Complex ownership structures | MLR 2017 Reg. 33(1)(c) | Trusts, complex multi-layered corporate structures, nominee arrangements that obscure beneficial ownership |
| Non-face-to-face higher-risk relationships | MLR 2017 Reg. 33(1)(a) | Remote onboarding where additional risk indicators are present beyond mere distance |
| Unusual or suspicious transactions | MLR 2017 Reg. 28(3) | Transactions lacking apparent economic rationale, inconsistent with the customer's profile |
| Sector-specific high-risk activity | MLR 2017 Reg. 33(6) | Virtual asset service providers (VASPs), high-value dealers, casinos and gambling operators |
The UK's high-risk third country list is maintained under Schedule 3ZA of MLR 2017, amended periodically by statutory instrument. It largely mirrors the FATF grey and black lists but is determined independently following Brexit. Firms must check the current Schedule 3ZA list directly rather than relying solely on FATF publications.
The EDD Process: 7 Key Steps
A defensible EDD process follows seven sequential steps. Gaps in any of these are a primary focus of FCA supervisory visits and enforcement investigations.
Step 1: Enhanced identity verification
Standard CDD identification must be supplemented with additional sources: a second independent identity document, verification against official registers, third-party confirmation, or professional references. For legal persons, certified constitutional documents, official registry extracts, and confirmation of authorised signatories are required.
Step 2: Beneficial ownership verification
EDD requires going beyond the customer's self-declaration. This means cross-referencing with Companies House, the Register of Overseas Entities, or equivalent foreign registries, and mapping full ownership chains to identify all beneficial owners. Where structures are deliberately opaque, this process should be documented even where a complete picture cannot be obtained.
Step 3: Source of funds (SOF) verification
Source of funds refers to the origin of the specific money involved in the transaction or relationship. Documentary evidence is required: bank statements, sale proceeds documentation, loan agreements, payroll records. A bank statement alone, without evidence explaining why those funds are present, is insufficient for EDD purposes.
Step 4: Source of wealth (SOW) verification
Source of wealth is distinct from source of funds: it concerns how the customer has accumulated their overall wealth over time. For PEPs and high-net-worth customers, this requires salary history, business valuations, inheritance documentation, or multi-year tax returns. Firms often conflate SOF and SOW; this is a recurring audit finding. Both are required for a complete EDD file.
Step 5: Senior management approval
MLR 2017 Regulation 35(5) requires senior management approval before establishing a business relationship with a PEP, and for continuing a relationship where a customer subsequently becomes a PEP. This approval must be documented, attributed to a named senior manager, dated, and retained on file.
Step 6: Enhanced ongoing monitoring
EDD relationships require more intensive transaction monitoring: lower alert thresholds, more frequent review cycles, and scrutiny of any deviation from the established customer profile. For PEPs, profile updates should occur at least every six months. Any material change in risk profile (new political appointment, corporate restructuring, change of country) should trigger an immediate review.
Step 7: Documentation and record-keeping
MLR 2017 Regulation 40 requires records to be kept for five years from the end of the business relationship or the date of the transaction. EDD generates significantly more documentation than standard CDD; robust document management infrastructure is essential for retrieval during FCA supervisory reviews or DAML request responses.
EDD Documentation Requirements
The following table sets out the documentation typically required by category of customer. This is a baseline guide; the risk-based approach requires adaptation to specific circumstances.
| Document category | Natural persons | Legal persons | PEPs |
|---|---|---|---|
| Primary identity | Valid passport or driving licence | Certificate of incorporation + memorandum and articles | Passport + second independent identity document |
| Proof of address | Utility bill or bank statement < 3 months | Registered office + principal place of business | As natural persons + declaration of primary residence |
| Beneficial ownership | Declaration + Companies House check | Full UBO mapping + ownership chart | Declaration + independent verification of any related entities |
| Source of funds (SOF) | Bank statements, sale proceeds, payroll | Audited accounts, contracts, loan agreements | As natural persons + formal salary/benefit schedule |
| Source of wealth (SOW) | Not always required at standard EDD | Not always required | Mandatory: multi-year tax returns, business valuation, inheritance documents |
| Senior management approval | Not required | Not required | Mandatory, named approver, dated |
| Purpose of relationship | Client declaration | Declaration + supporting commercial documents | Enhanced declaration + corroborating documentation |
For a sector-by-sector due diligence checklist, see our customer due diligence checklist by sector.
CDD vs EDD: Key Differences
| Dimension | Standard CDD | Enhanced Due Diligence (EDD) |
|---|---|---|
| Trigger | Default for all customers | Elevated risk identified (PEP, high-risk country, complex structure, risk assessment) |
| Identity verification | One official identity document | Primary document + additional independent sources |
| Beneficial ownership | Declaration + registry check | Full chain mapping, independent cross-referencing |
| Source of funds | Not systematically required | Mandatory documentary evidence |
| Source of wealth | Not required | Mandatory for PEPs and elevated-risk customers |
| Senior management approval | Not required | Mandatory before engaging a PEP |
| Review frequency | Annual to triennial depending on risk | At least every 6 months for PEPs |
| Transaction monitoring | Standard thresholds and alerts | Enhanced monitoring, lower thresholds, event-driven reviews |
| Record keeping | 5 years from end of relationship | 5 years, with significantly more extensive documentation |
| Penalty exposure | Up to unlimited fine + potential criminal liability | Same framework, with aggravated treatment for intentional or systematic breach |
Ongoing Monitoring Under EDD
Ongoing monitoring is not a periodic formality; it is a continuous obligation under MLR 2017 Regulation 28(11). For EDD customers, this means:
- Scheduled periodic reviews: at minimum every six months for PEPs, at least annually for other EDD-designated customers
- Real-time transaction monitoring: automated detection of transactions that deviate from the established customer profile, with human review of flagged activity
- Event-triggered reviews: any material change (political appointment, corporate restructuring, sanctions designation, change of address to a high-risk jurisdiction) must prompt immediate reassessment
- Suspicious activity reporting: where monitoring identifies suspicious transactions, a Suspicious Activity Report (SAR) must be submitted to the National Crime Agency (NCA) without tipping off the customer
The scale of enforcement risk is substantial. UK firms faced approximately £1.8 billion in AML-related fines across 2022 and 2023 (FCA enforcement data). The FCA's Financial Crime Guide at FCG 3.2 sets out specific expectations for EDD in correspondent banking and PEP contexts. According to the ACFE 2024 Report to the Nations, only 37% of fraud cases are detected through manual controls, a figure that illustrates the limitations of purely manual monitoring programmes.
For a full picture of AML obligations, see our anti-money laundering compliance guide.
Automating EDD with CheckFile
Manual EDD processes are resource-intensive, inconsistent, and error-prone. The collection of supporting documents, verification of their authenticity, cross-referencing with PEP and sanctions lists, beneficial ownership mapping, and five-year archiving: each step creates operational risk if handled through disconnected workflows. The FCA expects firms to have systems and controls proportionate to their risk exposure under FCA SYSC 6.3.
CheckFile automates the critical steps of the EDD workflow:
- Document authenticity verification across more than 3,200 document types in 32 jurisdictions, with deepfake detection and tamper analysis
- Structured data extraction (OCR and semantic validation) that feeds directly into customer records, eliminating manual re-keying
- Cross-document consistency checks: verifying that names, dates, addresses, and reference numbers are coherent across all documents in the EDD file
- Compliant archiving with full audit trails of actions and decisions, retained for the legally required five-year period
The platform integrates via API with document management systems, PEP and sanctions screening tools, and existing CRM infrastructure. Explore our solutions for banking and KYC, our approach to security, and our pricing.
To learn more about how CheckFile supports EDD programmes, visit CheckFile.ai.
Frequently Asked Questions
Does EDD apply only to PEPs and high-risk countries, or to any elevated-risk customer?
EDD applies to any higher-risk situation, not exclusively to the named statutory categories. MLR 2017 Regulation 33 is clear: EDD is required for all cases where a firm identifies higher risk through its own risk assessment, in addition to the specific triggers (PEPs, correspondent banking, high-risk third countries). Firms that limit EDD to named categories while overlooking other elevated-risk customers are non-compliant with the risk-based approach, regardless of whether those other customers happen to fit a statutory category.
What is the difference between source of funds (SOF) and source of wealth (SOW)?
Source of funds (SOF) addresses the specific money involved in the transaction or business relationship: where did this particular capital originate? Source of wealth (SOW) addresses the customer's overall financial position: how was their total wealth accumulated over time? Both are required for a complete EDD file. A customer may have a legitimate SOF (sale proceeds from a recent property transaction) but an unclear SOW (unexplained historic wealth accumulation), in which case the EDD file is incomplete without documenting both.
When does senior management approval need to be obtained for PEPs?
MLR 2017 Regulation 35(5) requires senior management approval before establishing a business relationship with a PEP. Where an existing customer is subsequently identified as a PEP, for example following a political appointment, approval should be obtained promptly and the EDD file updated before continuing the relationship. The approval must be documented, attributed to a named individual with appropriate seniority and authority, and retained for the five-year period.
How frequently must EDD customer profiles be reviewed?
There is no single statutory interval for all EDD customers. For PEPs, best practice, supported by FCA guidance, calls for reviews at least every six months. For other EDD-designated customers, the interval should be determined by the firm's risk assessment, with annual reviews as a typical baseline. In all cases, material changes in the customer's risk profile must trigger an immediate review regardless of the scheduled interval.
What are the penalties for EDD failures in the UK?
Under MLR 2017, HMRC can impose unlimited civil penalties for AML non-compliance on the firms it supervises (accountants, estate agents, high-value dealers). The FCA can impose financial penalties with no statutory maximum, cancel or restrict a firm's authorisation, and pursue criminal prosecution in serious cases. The Proceeds of Crime Act 2002 also creates personal criminal liability for nominated officers who fail to submit SARs. AMLD6 (Directive 2024/1640), which sets an EU-wide maximum of EUR 10 million or 10% of annual turnover, is not directly applicable in the UK post-Brexit, but the FCA has signalled that its enforcement approach will maintain equivalent standards.
Regulatory references and sources
- Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017), legislation.gov.uk
- MLR 2017 Schedule 3ZA: High-risk third country list, legislation.gov.uk
- FATF Recommendations 10, 12 and 13, FATF
- FCA Financial Crime Guide (FCG 3.2), FCA
- FCA SYSC 6.3: Systems and controls for financial crime, FCA
- Directive (EU) 2024/1640 (AMLD6), EUR-Lex
- ACFE Report to the Nations 2024
- NCA: Money Laundering and Illicit Finance