Enhanced Due Diligence (EDD): Complete BSA/AML Compliance Guide for US Financial Institutions
Enhanced Due Diligence (EDD) under BSA/AML rules: mandatory triggers under FinCEN CDD Rule and FFIEC Manual, 7-step EDD process, documentation requirements, CDD vs EDD comparison, and SAR filing obligations for US financial institutions.

Enhanced Due Diligence (EDD) is the elevated level of customer verification that US financial institutions must apply when a business relationship or transaction presents heightened money laundering, terrorist financing, or other illicit finance risk. Under the Bank Secrecy Act (BSA), 31 U.S.C. §5311 et seq., the FinCEN Customer Due Diligence Final Rule (31 CFR Part 1010.230), and the FFIEC BSA/AML Examination Manual (updated 2024), EDD goes beyond standard Customer Due Diligence by requiring source of funds verification, beneficial ownership mapping, senior management approval for certain high-risk customers, and intensified ongoing monitoring. Willful violations of BSA obligations can result in FinCEN civil penalties of up to $25,000 per day per violation or the amount of the transaction, whichever is greater; the OCC can impose civil money penalties of up to $1 million per day for systemic compliance failures.
For a broader introduction to the US AML compliance framework, see our document compliance guide.
This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified compliance professional for guidance specific to your institution's circumstances.
What Is Enhanced Due Diligence (EDD) Under BSA/AML Rules?
EDD is the highest tier in the risk-based customer due diligence framework required by the BSA and implemented through FinCEN rules and interagency guidance. The FFIEC BSA/AML Examination Manual describes three levels of due diligence:
- Simplified due diligence: for lower-risk customer categories with demonstrably reduced risk, such as certain regulated financial institutions subject to robust AML oversight
- Standard Customer Due Diligence (CDD): the baseline verification required for all customers under 31 CFR Part 1010.230, covering customer identification, beneficial ownership certification, and ongoing monitoring
- Enhanced Due Diligence (EDD): additional, documented measures applied when a risk assessment identifies elevated risk – whether from defined high-risk categories or from the institution's own analysis
A question frequently raised by compliance officers is whether EDD is limited to the named statutory categories – Politically Exposed Persons, correspondent banking, private banking for non-US persons – or whether it applies to any elevated-risk customer. Under the FinCEN CDD Rule and the FFIEC Examination Manual, EDD is required in any situation where the institution's risk assessment identifies heightened risk, not only in the named categories. Named categories trigger EDD automatically; they do not exhaust the EDD obligation. A financial institution that limits EDD to PEPs and correspondent accounts while ignoring other identified high-risk customers has an inadequate AML program.
It is also worth clarifying from the outset the distinction between source of funds (SOF) and source of wealth (SOW), two concepts that are frequently conflated but address different questions:
- SOF: Where did the specific funds involved in the transaction or account originate? (e.g., proceeds from a real estate sale, a business loan, salary deposits)
- SOW: How has the customer accumulated their overall net worth over time? (e.g., decades of business ownership, inheritance, investment returns)
Both are required for a complete EDD file. A customer may have a documented SOF for a specific transaction but an unexplained SOW – in which case the EDD file is incomplete regardless of the transaction-level documentation.
When Is EDD Required for US Financial Institutions?
The BSA, FinCEN CDD Rule, USA PATRIOT Act, and FFIEC guidance define the primary triggers for EDD. The FFIEC BSA/AML Examination Manual consolidates these expectations across federal banking regulators.
| Trigger | US Regulatory Basis | Practical Examples |
|---|---|---|
| Politically Exposed Persons (PEPs) – domestic and foreign | FFIEC Manual; FinCEN CDD Rule (31 CFR 1010.230); FATF Rec. 12 | Foreign heads of state, senior government officials, senior executives of state-owned enterprises; domestic high-risk officials; family members and known close associates |
| High-risk third countries | FATF black/grey lists; FinCEN Geographic Targeting Orders (GTOs) | Countries on the FATF black or grey list; FinCEN GTO-designated metros for real estate transactions (active GTOs 2024–2026) |
| Correspondent banking for foreign financial institutions | 31 U.S.C. §5318(i); USA PATRIOT Act Section 312 | Accounts maintained for foreign banks; restricted to shell bank prohibition and enhanced due diligence requirements |
| Private banking accounts for non-US persons | 31 U.S.C. §5318(i)(2); USA PATRIOT Act Section 312 | Private banking relationships where the customer is a non-US person, particularly involving senior foreign political figures |
| Shell companies and complex beneficial ownership structures | Corporate Transparency Act (CTA) 2021; FinCEN BOI Rule | Entities with ownership thresholds at or above 25%, or with significant control; layered holding structures; offshore SPVs |
| Money Services Businesses (MSBs) and virtual asset service providers (VASPs) | 31 CFR Part 1022; FinCEN guidance | Check cashers, currency exchangers, crypto exchanges, money transmitters; heightened transaction monitoring required |
| Non-US person accounts – general heightened scrutiny | BSA; FATCA (26 U.S.C. §1471); FFIEC Manual | Foreign individuals or entities where FATCA and BSA combine to require additional documentation |
FinCEN Geographic Targeting Orders impose mandatory EDD requirements on cash transactions in the real estate sector in specific metropolitan areas. Active GTOs for 2024–2026 cover several major US markets and require title insurance companies to identify natural persons behind legal entity purchasers in all-cash real estate transactions above specified thresholds. Compliance teams at institutions active in covered markets should monitor FinCEN's GTO notices for current coverage areas and thresholds.
The EDD Process: 7 Key Steps for BSA Compliance
A defensible EDD process follows seven sequential steps. Deficiencies in any one of these are among the most common findings in FFIEC examination reports and FinCEN enforcement actions.
Step 1 – Enhanced Customer Identification
Beyond the standard Customer Identification Program (CIP) requirements under 31 CFR 1020.220 (name, date of birth, address, taxpayer identification number for US persons), EDD requires additional identifying information: a second independent identity document, verification against official records (state records, federal databases where accessible), third-party confirmation, or professional references. For legal entities, certified organizational documents, state registration records, and confirmation of authorized signatories are required.
Step 2 – Beneficial Ownership Verification
EDD requires going beyond the beneficial ownership certification form. Under the CTA 2021 and FinCEN's Beneficial Ownership Information (BOI) reporting rule, most US corporations and LLCs must report beneficial owners – individuals who own or control at least 25% of the entity, or who exercise substantial control – to FinCEN's BOI registry (effective January 1, 2024). Institutions should cross-reference the customer's self-certification against the FinCEN BOI registry and, for foreign entities, against equivalent foreign registries. Full ownership chains should be mapped to identify all natural persons with ultimate control or economic benefit.
Step 3 – Source of Funds (SOF) Documentation
Documentary evidence of the origin of the specific funds involved in the account or transaction is required: bank statements tracing funds to a known source, sale proceeds documentation (settlement statements, wire confirmation), loan agreements, payroll records, business revenue documentation. A bank statement alone – without evidence explaining how those funds came to be in the account – does not satisfy EDD documentation standards under the FFIEC Manual.
Step 4 – Source of Wealth (SOW) Documentation
For PEPs, private banking customers, and other high-risk customers, SOW documentation addresses how the customer's overall wealth was accumulated. This may include multi-year federal tax returns (Form 1040 or business returns), business valuations, investment account histories, inheritance records, or property transaction records. For senior foreign political figures, public source research (official biographies, government declarations of assets where available, press records) should supplement self-provided documentation.
Step 5 – Senior Management Approval
For high-risk customer relationships – particularly PEPs and correspondent banking – senior management approval is expected before establishing or continuing the relationship. Under 31 U.S.C. §5318(i)(2), private banking accounts for senior foreign political figures specifically require senior management approval. This approval must be documented, attributed to a named senior officer with appropriate authority, dated, and retained in the customer file.
Step 6 – Enhanced Ongoing Monitoring
EDD relationships require more intensive transaction monitoring than standard CDD accounts: lower alert thresholds calibrated to the customer's risk profile, more frequent periodic review cycles, and immediate review triggered by material changes. For PEP-designated accounts, profile reviews should occur at least every six months. Any material change – new political appointment, corporate restructuring, new sanctions designation, change of primary country of residence – must trigger an immediate review regardless of the scheduled review interval.
Step 7 – Documentation and Record Retention
Under 31 CFR 1010.430, records must be retained for five years from the date of the transaction or the date the account is closed. EDD generates substantially more documentation than standard CDD; the institution must maintain records in a form that allows prompt retrieval during an FFIEC examination or in response to a FinCEN Section 314(a) request. Audit trails of approvals, decisions, and review actions are essential.
EDD Documentation: What US Banks Must Collect
The table below sets out the documentation typically required by customer category under US BSA/AML standards. This is a baseline guide; the risk-based approach requires adaptation to each institution's specific circumstances and risk appetite.
| Document Category | US Persons (Natural) | US Legal Entities | PEPs / High-Risk Foreign Persons |
|---|---|---|---|
| Primary identity | Government-issued photo ID (passport, state driver's license) | Articles of incorporation / organization + state registration | Passport + second independent identity document |
| Address verification | Utility bill or bank statement < 90 days | Registered agent address + principal place of business | Same as natural persons + declaration of primary residence |
| Taxpayer identification | SSN or ITIN | EIN (Form W-9 or W-8 for foreign entities) | Foreign TIN or equivalent; FATCA status |
| Beneficial ownership | FinCEN BOI certification form per CTA 2021 | FinCEN BOI report + ownership chart | BO certification + independent registry verification + UBO mapping |
| Source of funds (SOF) | Bank statements, payroll records, sale proceeds | Audited financial statements, contracts, loan agreements | Same + formal compensation schedule or government disclosure filing |
| Source of wealth (SOW) | Not always required at standard EDD level | Not always required | Mandatory: multi-year tax returns, business valuations, investment history |
| Senior management approval | Not required unless risk-based policy requires | Not required unless risk-based policy requires | Required for private banking (senior foreign political figures); strongly recommended for all PEPs |
| Purpose of relationship | Customer declaration | Declaration + supporting commercial documentation | Enhanced narrative declaration + corroborating documentation |
For a sector-by-sector due diligence checklist, see our customer due diligence checklist by sector.
CDD vs EDD: Key Differences Under the FinCEN Rule
| Dimension | Standard CDD | Enhanced Due Diligence (EDD) |
|---|---|---|
| Trigger | Default for all customers under 31 CFR 1010.230 | Elevated risk identified (PEP, high-risk country, complex structure, or institution's own risk assessment) |
| Customer identification | CIP-compliant identification | CIP requirements + additional independent identity sources |
| Beneficial ownership | FinCEN BOI certification per CTA 2021 | BO certification + independent cross-referencing and full chain mapping |
| Source of funds | Not systematically required under standard CDD | Required: documentary evidence of the origin of specific funds |
| Source of wealth | Not required | Required for PEPs, private banking customers, and elevated-risk accounts |
| Senior management approval | Not required | Required for private banking (senior foreign political figures); expected for PEPs and high-risk accounts |
| Review frequency | Based on risk tier (typically annual to triennial) | At least every 6 months for PEPs; annually or more frequently for other EDD accounts |
| Transaction monitoring | Standard risk-based thresholds | Enhanced monitoring: lower thresholds, event-driven reviews |
| SAR filing | Required when suspicious activity meets BSA threshold | Required; elevated EDD accounts more likely to generate SAR-filing obligations |
| Record retention | 5 years from transaction date or account closure | 5 years, with substantially more extensive documentation retained |
| Penalty exposure for failure | Up to $25,000/day or transaction amount (FinCEN civil) | Same framework; willful violations subject to criminal BSA penalties up to $250,000 and 5 years imprisonment |
Ongoing Monitoring and SAR Filing Under EDD
Ongoing monitoring is not a one-time formality – it is a continuous obligation under the FinCEN CDD Rule and the FFIEC BSA/AML Examination Manual. For EDD-designated accounts, this means:
- Scheduled periodic reviews: at minimum every six months for PEP-designated accounts; at least annually (and more frequently where risk warrants) for other EDD accounts
- Real-time transaction monitoring: automated detection of transactions that deviate from the established customer risk profile, with human review of flagged activity before SAR decisions are made
- Event-triggered reviews: any material development – new political appointment, corporate acquisition, sanctions designation, regulatory action against the customer – must trigger an immediate EDD file review, independent of the scheduled review cycle
- Suspicious Activity Report (SAR) filing: when monitoring identifies a transaction involving at least $5,000 where there is a basis to suspect money laundering, BSA violations, or other financial crimes, the institution must file a SAR with FinCEN within 30 calendar days of the date of initial detection (31 CFR 1020.320). EDD accounts carry a heightened likelihood of SAR-filing obligations given their elevated risk profile. FinCEN received approximately 4.6 million SARs in fiscal year 2024 (FinCEN Annual Report 2024), underscoring the central role of ongoing monitoring in the US AML architecture.
The FFIEC Examination Manual notes that EDD for correspondent banking accounts requires annual recertification at minimum – a standard that many institutions adopt more broadly for all EDD-designated relationships as a matter of best practice.
Does the Corporate Transparency Act Change EDD Obligations?
Compliance professionals frequently ask whether the Corporate Transparency Act (CTA) 2021 – and FinCEN's BOI reporting rule, effective January 1, 2024 – changes the EDD obligations of financial institutions. The short answer: the CTA changes the information available for EDD without eliminating the independent EDD obligation.
Under the CTA, most US companies must report beneficial owners to FinCEN's BOI registry (individuals who own or control 25% or more of the entity, or who exercise substantial control). Financial institutions may access this registry to verify customer-provided beneficial ownership information. However, three important limitations apply:
- FinCEN BOI access is restricted: Financial institutions may access the BOI registry only under specific authorized-access protocols established by FinCEN, with written customer consent. The registry is not publicly searchable.
- The CTA does not replace CDD beneficial ownership requirements: The FinCEN CDD Rule (31 CFR 1010.230) still requires covered financial institutions to collect and certify beneficial ownership at the time of account opening. The BOI registry supplements but does not replace this certification requirement. FinCEN has confirmed in guidance that institutions must continue to collect beneficial ownership certifications from customers independent of the registry.
- EDD still requires independent verification beyond self-certification: For EDD-designated customers, the BOI registry – if the institution has access – provides a useful cross-reference. But EDD demands going further: verifying ownership chains through state business registries, foreign company registries, and other independent sources where the risk warrants it.
In practice, the CTA most significantly affects EDD for shell companies and complex legal entity structures, where the registry's beneficial ownership data provides a baseline that institutions can then supplement with the additional independent verification that EDD requires.
Automating EDD with CheckFile
Manual EDD processes are resource-intensive, prone to inconsistency, and difficult to scale. Collecting supporting documents, verifying their authenticity, cross-referencing PEP and sanctions lists, mapping beneficial ownership chains, and maintaining five-year retention with retrieval capability: each step creates operational risk when managed through disconnected workflows. FFIEC examiners expect systems and controls that are proportionate to the institution's risk exposure – a standard that disconnected manual processes frequently fail to meet, even when staff effort is substantial.
CheckFile automates the critical steps of the EDD workflow:
- Document authenticity verification across more than 3,200 document types in 32 jurisdictions, with deepfake detection, tamper analysis, and metadata validation
- Structured data extraction (OCR and semantic validation) that feeds directly into customer records and EDD files, eliminating manual re-keying and transcription errors
- Cross-document consistency checks – automated verification that names, dates, addresses, SSNs/EINs, and reference numbers are consistent across every document in the EDD file (government ID, proof of address, bank statements, business registration documents)
- Compliant archiving with a complete, timestamped audit trail of actions, decisions, and approvals, retained for the five-year period required by 31 CFR 1010.430
The platform integrates via API with document management systems, PEP and sanctions screening tools, and existing CRM and core banking infrastructure. Explore our solutions for banking and KYC, our approach to security, and our pricing.
To learn more about how CheckFile supports EDD programs at US financial institutions, visit CheckFile.ai.
Frequently Asked Questions
Does EDD apply only to PEPs and correspondent banking, or to any elevated-risk customer? EDD applies to any situation where the institution identifies heightened risk – not only to the named statutory categories. The FFIEC BSA/AML Examination Manual is explicit: an adequate AML program requires the institution to apply enhanced procedures to any customer or relationship that its risk assessment identifies as high-risk. Named categories (PEPs, correspondent banking, private banking for non-US persons) trigger EDD automatically; they do not exhaust the obligation. An institution that limits EDD to these categories while overlooking other high-risk customers has an inadequate program.
What is the difference between source of funds (SOF) and source of wealth (SOW) for EDD purposes? Source of funds (SOF) addresses where the specific money involved in the account or transaction came from – the origin of the particular funds. Source of wealth (SOW) addresses how the customer has accumulated their overall net worth over time. Both are required for a complete EDD file on a PEP or high-risk customer. A customer may have a well-documented SOF for a specific deposit (sale of a business unit) but an unexplained SOW (inconsistent with their career history and compensation level) – in that case, the EDD file is incomplete until both are documented.
How does the Corporate Transparency Act (CTA) affect EDD obligations at financial institutions? The CTA 2021 and FinCEN's BOI reporting rule (effective January 1, 2024) give financial institutions an additional cross-reference tool – the FinCEN BOI registry – for verifying beneficial ownership information. However, the CTA does not replace the FinCEN CDD Rule's requirement to collect beneficial ownership certifications at account opening. For EDD accounts, institutions must still conduct independent verification beyond the registry, tracing ownership chains through state business registries and other sources as the risk profile requires. The CTA is most consequential for shell companies and complex entity structures, where the registry provides a baseline the institution can then supplement.
When does senior management approval need to be obtained for PEPs in the US context? 31 U.S.C. §5318(i)(2) expressly requires senior management approval for private banking accounts held by or for senior foreign political figures. Beyond this statutory requirement, FFIEC examiners expect documented senior management approval before establishing or continuing any high-risk customer relationship – a standard that most robust BSA programs apply to all PEP-designated accounts, not only private banking. The approval must be documented, attributed to a named officer with appropriate authority, dated, and retained in the customer file for the required five-year period.
How frequently must EDD customer profiles be reviewed? The FFIEC Examination Manual requires annual recertification at minimum for correspondent banking EDD accounts; the same standard is a practical baseline for other EDD-designated relationships. For PEP accounts and other highest-risk customers, best practice supported by FFIEC guidance calls for reviews at least every six months. In all cases, any material change in the customer's risk profile must trigger an immediate review independent of the scheduled interval.
What are the penalties for EDD failures under the BSA? FinCEN can assess civil money penalties of up to $25,000 per day per violation or the amount of the transaction involved, whichever is greater, for willful BSA violations. For systemic program failures, the OCC has authority to impose civil money penalties of up to $1 million per day. Criminal BSA violations carry penalties of up to $250,000 and five years' imprisonment (10 years if part of a pattern of illegal activity). Beyond FinCEN and bank regulator penalties, DOJ can pursue separate criminal charges under 18 U.S.C. §1956 (money laundering) where deficient EDD enabled criminal proceeds to pass through the institution.
Regulatory References and Sources
- Bank Secrecy Act (BSA), 31 U.S.C. §§5311–5336 – Congress.gov
- FinCEN Customer Due Diligence Final Rule, 31 CFR Part 1010.230 – fincen.gov
- FFIEC BSA/AML Examination Manual (updated 2024) – bsaaml.ffiec.gov
- FinCEN Beneficial Ownership Information Reporting – fincen.gov
- Anti-Money Laundering Act of 2020 (AMLA 2020) – Congress.gov
- FinCEN Geographic Targeting Orders – fincen.gov
- FinCEN Annual Report 2024 – fincen.gov
- ACFE – Report to the Nations 2024