Enhanced Due Diligence goes beyond standard KYC for high-risk customers. Here is what EDD requires, which customers trigger it, and how fintechs build a compliant EDD program.
What Is Enhanced Due Diligence (EDD)? Requirements for Fintechs
Standard Know Your Customer procedures work for most customers. But for customers who present elevated money laundering or financial crime risk, standard due diligence is not enough — and regulators do not treat it as enough either.
Enhanced Due Diligence is the deeper level of scrutiny that covered financial institutions must apply to high-risk customers. It is a formal requirement under FinCEN's CDD Rule and the Bank Secrecy Act, not a best practice or optional enhancement.
This article explains what EDD requires, which customers trigger it, what the process looks like in practice, and how fintechs build a compliant EDD program.
What Is Enhanced Due Diligence?
Enhanced Due Diligence is an elevated customer review process applied to individuals and businesses that present a higher risk of money laundering, financial crime, or regulatory violation. It goes beyond the standard Customer Identification Program and Customer Due Diligence requirements by collecting additional information, applying greater scrutiny to account activity, requiring more frequent reviews, and in many cases requiring senior management approval before the relationship proceeds.
EDD is not a separate program from CDD. It is a higher tier within your CDD framework — applied selectively to customers whose risk profile warrants it.
Which Customers Trigger EDD?
Politically Exposed Persons
Politically Exposed Persons — commonly called PEPs — are foreign government officials, senior political figures, members of royal families, senior military officials, and their immediate family members and known close associates. PEPs present elevated risk of corruption-related money laundering regardless of expected transaction volume. PEP status must be identified through screening at onboarding and triggers EDD automatically.
High-Risk Geographies
Customers whose country of origin, residence, or primary business operation is on the FATF grey or black list, subject to OFAC comprehensive sanctions, or identified as high-risk in your AML risk assessment require EDD. Geography alone can be sufficient to trigger enhanced review.
High-Risk Industries
Customers operating in industries associated with elevated financial crime risk require EDD. Common high-risk industry triggers include money services businesses, cryptocurrency exchanges, cannabis companies, gambling operators, adult entertainment businesses, arms dealers, and precious metals dealers.
Complex or Opaque Ownership Structures
Business customers trigger EDD before the relationship can proceed when they have multiple layers of corporate ownership, offshore holding companies, trust structures as owners, nominee shareholders, or any arrangement that makes beneficial ownership difficult to establish clearly.
Customers with Unusual Transaction Patterns
Customers whose monitored activity deviates significantly and repeatedly from their established expected behavior profile may be escalated to EDD based on monitoring data, even if no single transaction is suspicious on its own.
High Net Worth Customers with Unclear Source of Wealth
Customers seeking to transact in large amounts whose source of wealth cannot be readily explained or verified through standard documentation trigger EDD focused on source of funds and source of wealth verification.
What EDD Actually Involves
Additional Documentation
EDD requires collecting documentation beyond what standard CDD requires. Depending on the specific risk trigger, this may include source of funds documentation showing where the funds originated, source of wealth documentation showing how the customer accumulated their overall wealth, corporate structure charts for business customers with complex ownership, audited financial statements for business customers, and reference letters or third-party verification where appropriate.
Senior Management Approval
For the highest-risk customer categories — PEPs in particular — EDD typically requires that a senior compliance officer or senior management member approve the onboarding decision before the account is opened. This approval must be documented.
More Intensive Ongoing Monitoring
EDD customers receive more intensive transaction monitoring — typically through lower alert thresholds, more frequent review triggers, and closer analyst attention on flagged activity.
More Frequent Periodic Reviews
While standard CDD reviews may occur every 18 to 24 months for medium-risk customers, EDD customers are reviewed much more frequently — typically at least annually for high-risk customers and sometimes quarterly or semi-annually for the highest-risk relationships.
Ongoing Source of Funds Awareness
For EDD customers, ongoing monitoring must include awareness of whether transaction activity remains consistent with the documented source of funds. Significant deviations trigger additional review.
Building EDD Into Your CDD Program
EDD is not a separate standalone process — it must be integrated into your CDD program structure. Your written CDD policy must define the specific criteria that trigger EDD for your institution, the specific additional documentation required for each EDD trigger category, the approval process for high-risk onboarding decisions, the ongoing monitoring parameters applied to EDD customers, and the periodic review frequency for EDD-categorized accounts.
The criteria must be objective and consistently applied. Two customers with the same risk profile must receive the same EDD treatment. Inconsistent application of EDD triggers is one of the most common examination findings in KYC program reviews.
EDD and the Customer Experience
EDD creates friction. Asking customers for source of wealth documentation, corporate structure charts, and additional identification is not a seamless onboarding experience. The key is being transparent with customers about why additional information is needed and having efficient processes for collecting and reviewing it.
Most customers who trigger EDD — including PEPs and complex business structures — are accustomed to enhanced compliance review from regulated financial institutions. A professional, efficient EDD process is rarely a relationship-ending experience. An unclear or disorganized one is.
Frequently Asked Questions
Is EDD required for all high-risk customers or only some?
EDD must be applied to all customers who meet your defined EDD trigger criteria without exception. Selective application based on individual analyst judgment rather than defined criteria is a compliance failure. Your CDD policy must define the triggers objectively so they are applied consistently to every customer meeting those criteria.
Can a fintech onboard a PEP customer?
Yes. Being a PEP does not automatically disqualify a customer from being onboarded. What it does is trigger mandatory EDD — senior management approval, additional documentation, source of funds verification, intensive ongoing monitoring, and more frequent periodic review. The decision to onboard a PEP must be made deliberately by qualified personnel with full awareness of the elevated risk.
How long must EDD records be retained?
EDD documentation must be retained consistent with BSA recordkeeping requirements — generally five years from the date of the record or the closing of the account.
What happens if a customer refuses to provide EDD documentation?
If a customer required to undergo EDD refuses to provide required additional documentation, the institution should not proceed with onboarding or should consider exiting an existing relationship. Proceeding without required EDD documentation is a BSA compliance failure regardless of the customer's stated reason for refusal.
How ComplyOne Helps
ComplyOne helps fintechs design and implement EDD programs that satisfy FinCEN requirements, apply consistently to all qualifying customers, and integrate seamlessly with their broader CDD and onboarding operations — through advisory services, compliance technology, or both.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.