
11 Jan 2025 in Business use cases

Know When to Double-Check: The Triggers for Enhanced Due Diligence

Jan Stepnov

Identity Verification Expert, Regula

Enhanced due diligence is not easy to navigate.

Naturally, any institution aims to be compliant with anti-money laundering laws and to only have legitimate customers on board. And no institution wants to suffer the fate of TD Bank, which incurred a shocking $3 billion-plus fine for numerous compliance failures.

Therefore, applying the most scrupulous procedures at all times seems to be the logical solution. However, doing so brings about many unwanted side effects: overworked employees, depleted resources, and frustrated customers, just to name a few.

So how do you go about enhanced due diligence in the most effective way? Who should it apply to? What tools can help with it? Get answers to all these questions and more in this article.


What is enhanced due diligence?

Enhanced due diligence (EDD) is a type of customer due diligence (CDD) that specifically targets high-risk customers or transactions. As such, it involves a more thorough investigation into the customer's identity and financial background to uncover potential connections to money laundering or other criminal activities.

The importance of such scrutiny has been underscored many times in recent years. One of the most notable examples of EDD being neglected (which paved the way for a global-scale money laundering operation) is the 1MDB case.

This Malaysia-based strategic development company was the centerpiece of a $4.5 billion fraudulent scheme involving misappropriation of funds by then-Prime Minister Najib Razak.

How EDD differs from CDD

Customer due diligence is a broader term: it refers to the routine procedure of confirming a client's identity and evaluating the risks involved. The procedure demands that institutions gather and verify identification documents (such as official government IDs) and perform preliminary checks for possible red flags, like ties to sanctioned individuals or politically exposed persons (PEPs).

In general, CDD is often sufficient for clients with low to moderate risk and is the baseline for compliance with anti-money laundering (AML) laws.

Enhanced due diligence, on the other hand, is meant for customers that pose a greater risk. It normally applies to PEPs, customers from high-risk jurisdictions, cash-intensive businesses, or when there are unexplained discrepancies in documentation.

EDD forces institutions to learn more about the client's history, where their money comes from, and whether they have any links to financial crime.

If institutions perform only standard customer due diligence on high-risk customers, they run the risk of fines, harm to their reputation, and even criminal liability. At the same time, imposing enhanced due diligence procedures on low-risk customers will simply be inefficient and will erode customer trust.

Comparison table of CDD and EDD

Who is EDD typically applied to?

The answer depends on a combination of regulatory guidelines and results of risk assessments, as EDD is not a blanket requirement. The following categories of individuals and entities usually warrant more scrutiny:

Politically exposed persons (PEPs)

PEPs are individuals who are current or former government officials, judges, military leaders, and executives of state-owned enterprises. They pose great risks to many institutions due to their influence and access to public funds.

What risks exactly? Money laundering, bribery, embezzlement, and misappropriation of public funds are some of the most common examples.

One recent case had Bangladesh’s former Land Minister Saifuzzaman Chowdhury spending more than $500 million on real estate abroad in a fraudulent scheme involving undeclared income. In this case, EDD should have been applied to find discrepancies in Chowdhury’s statements, but the scheme was left unnoticed until a special undercover investigation took place.

Customers in high-risk or sanctioned jurisdictions

Jurisdictions with weak AML regulations or a high prevalence of corruption are also a trigger for enhanced due diligence. 

Common examples include:

  • Countries on the Financial Action Task Force (FATF) blacklist or greylist.

  • States subject to international sanctions or embargoes.

  • Nations with significant offshore banking activities and limited regulatory oversight.

Customers with high-value transactions or unusual activity

Another target for EDD is customers who perform transactions that deviate from their normal behavior. 

In this case, the conversation is mostly about customers who have already been onboarded and have some activity history with the institution. For example, a small company with no prior history of significant activity suddenly deposits millions into its account over a short period. 

Possible triggers for EDD are:

  • Frequent high-value international wire transfers with little documentation.

  • A sudden spike in account activity with no clear explanation.

  • Transactions involving industries prone to money laundering, such as precious metals or art.

Customers with adverse media reports

Institutions are also expected to assess the validity and relevance of negative press coverage about the customer. That is because such reports can point to criminal activity or financial misconduct.

What’s more, organized crime isn’t the only red flag—allegations of environmental violations or unethical practices against corporate clients are also enough to warrant EDD.

Entities with complex ownership structures

Companies or trusts with convoluted ownership hierarchies can obscure the identity of beneficial owners, which is a tactic often exploited for illicit activities. In such cases, EDD is simply necessary so that institutions can break these structures down and identify any hidden risks.

Some common traits of complex entities are:

  • Shell companies registered in offshore jurisdictions.

  • Ownership shared among multiple entities, making tracing the ultimate owner difficult.

  • Discrepancies in registration documents, such as mismatched addresses or unverifiable shareholders.

Breaking down the EDD process

What is EDD composed of? Let’s dissect the process into its critical stages, from risk assessment to ongoing document retention:

Breakdown of EDD process

Step 1: Identifying high-risk customers and transactions

First, an institution needs to understand who or what may constitute a risk. This risk assessment could take place during customer onboarding, or if an anomaly is detected in the activity of a current customer.

In the former case, institutions rely on a number of screening tools to cross-check customers and transactions against sanctions lists, adverse media reports, and databases of PEPs. Some common red flags in this case would be customers with unexplained wealth, cash-intensive operations, or connections to jurisdictions under international sanctions.

In the latter case, one or more suspicious transactions made by already onboarded customers could be a cause for concern and a reason for further investigation.

Step 2: Gathering additional customer information

If a customer is assigned a high risk rating, enhanced due diligence fully springs into action. At this stage, institutions use different ways to obtain information that goes beyond standard customer due diligence. They often reach out directly to the customer or, if necessary, the ultimate beneficial owner (UBO).

This extended information includes but is not limited to:

  • Source of funds and wealth: Institutions may demand tax returns, investment records, or contracts to confirm the origin of a customer's funds.

  • Beneficial ownership analysis: In cases where customers operate through shell companies or trusts, institutions must unravel the ownership structure to identify the UBO.

  • Customer intent: Institutions can ask for a detailed explanation of the purpose of transactions or the nature of a business relationship.

In some cases, an institution may commission external due diligence reports to verify the integrity of a customer’s claims. On top of that, for certain high-risk customers, even physical site visits may be required to verify information.

Step 3: Reporting suspicious activities (if any) or onboarding

If the enhanced due diligence process uncovers foul play, institutions are obligated to deliver their findings to the relevant authorities by filing a Suspicious Activity Report (SAR).

Conversely, if the customer passes all due diligence checks, the institution proceeds with onboarding.

Step 4: Implementing enhanced monitoring systems

Once customer onboarding is complete, high-risk clients and transactions must be continuously tracked to identify any suspicious behavior or changes in risk profiles.

For this purpose, institutions often use transaction monitoring software that flags unusual patterns, such as rapid fund movements or deviations from expected activity. Additionally, they perform regular risk reassessment of their client profiles so that they stay on top of new threats.

Step 5: Document retention

Lastly, one of the enhanced due diligence requirements is to keep records of all related activities for several years (five years in the case of the US and EU).

What you should retain:

  • Copies of all identification documents, including passports, tax IDs, and business licenses.

  • Evidence supporting source of funds and beneficial ownership claims.

  • Records of monitoring activities, flagged transactions, and follow-up actions.

Such record-keeping is not only intended for regular audits, but will also help future investigations if financial crime concerns arise.

Typical challenges of EDD

Many institutions struggle with the following hurdles when performing enhanced due diligence: 

  • Accessing reliable information: Public records, government databases, and even proprietary tools may have some gaps, especially for jurisdictions with limited transparency.

  • Balancing compliance and customer experience: EDD procedures, while critical for compliance, can frustrate legitimate clients, particularly in industries that prioritize convenience and speed, such as fintech or retail banking.

  • Analyzing complex ownership structures: Financial crime networks can be quite sophisticated, as they rely on complex legal structures to hide beneficial owners and illicit activity. Breaking these down requires specialized expertise and tools, which can be costly and time-consuming.

  • Handling high volumes of data: Important red flags may simply go unnoticed in cases of severe data overload. Institutions often struggle to manage and interpret massive datasets, especially if they don’t have the support of robust technology.

  • Dealing with changing risk profiles: If risk profile updates are rare, emerging threats from supposedly low-risk customers can catch institutions off guard. Ongoing monitoring and timely updates are essential to mitigate this risk.

  • Costs and resource constraints: Enhanced due diligence procedures are resource-intensive, often needing a lot of investment in both personnel and technology.

Using technology to improve your EDD processes

Our core recommendation for tackling all of the above challenges is centered around clever usage of modern technology. 

There are many powerful tools available on the market to tackle each aspect of EDD individually, from data gathering to KYC checks. Collectively, they will be able to make your processes smarter, faster, more efficient and reliable.

But first…

Optimize your own systems

Make sure your transaction monitoring system is configured well enough to identify specific red flags. Above all, this means looking for unusually large or structured transactions (smurfing) designed to evade reporting thresholds.

And don’t forget to update the parameters of the system regularly based on recent case studies or emerging typologies. For example, if your business deals with cryptocurrencies, adjust your thresholds to be able to detect rapid, repeated movements between wallets.
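
As an added illustration (not code from Regula or from any monitoring product), the Python example below shows one way a structuring rule can work: it aggregates deposits that each stay under a reporting threshold and raises an alert when they add up to the threshold or more inside a sliding time window. The threshold, window length, minimum count and the transaction records are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters, not taken from the article: tune to your own reporting rules.
REPORTING_THRESHOLD = 10_000      # single-transaction reporting threshold
WINDOW = timedelta(days=3)        # look-back window for aggregation
MIN_COUNT = 3                     # minimum deposits to call it a pattern

# Constructed sample data: (account, ISO timestamp, amount)
SAMPLE_TXNS = [
    ("ACC-1", "2025-01-06T09:10", 9_500),
    ("ACC-1", "2025-01-06T15:40", 9_200),
    ("ACC-1", "2025-01-07T11:05", 9_800),
    ("ACC-2", "2025-01-06T10:00", 12_000),   # over threshold: reported anyway
    ("ACC-3", "2025-01-02T10:00", 4_000),
    ("ACC-3", "2025-01-20T10:00", 4_500),
    ("ACC-3", "2025-02-11T10:00", 3_900),    # spread out: no window reaches threshold
]

def find_structuring(txns, threshold=REPORTING_THRESHOLD, window=WINDOW,
                     min_count=MIN_COUNT):
    """Return alerts for accounts whose sub-threshold deposits add up to
    the threshold or more inside one sliding window."""
    by_account = defaultdict(list)
    for account, ts, amount in txns:
        if amount < threshold:                      # only deposits that avoid reporting
            by_account[account].append((datetime.fromisoformat(ts), amount))

    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        start, total = 0, 0
        for end, (ts, amount) in enumerate(rows):
            total += amount
            while ts - rows[start][0] > window:     # drop deposits older than the window
                total -= rows[start][1]
                start += 1
            count = end - start + 1
            if count >= min_count and total >= threshold:
                alerts.append({"account": account, "from": rows[start][0],
                               "to": ts, "count": count, "total": total})
                break                               # one alert per account is enough
    return alerts

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_TXNS):
        print(alert)
```

Updating the parameters, as recommended above, means changing the three constants at the top; a shorter window and lower minimum count suit fast-moving channels such as wallet-to-wallet transfers.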

Automate data collection

Instead of manually searching multiple databases for sanctions or PEPs, use tools that automate data collection. For instance, platforms like Dow Jones Risk & Compliance or Refinitiv World-Check can help you pull this data, allowing you to focus on deep analysis rather than tedious work.

You can also set up automatic alerts in your chosen software so that when a client’s risk status changes (e.g., they appear on a new sanctions list), you’re immediately notified.

Leverage open-source intelligence (OSINT)

You can also make use of free or low-cost OSINT tools to map out networks of connections, domains, or suspicious patterns tied to a high-risk entity.

These tools are great for systemizing publicly available information (e.g., social media activity, property records, and corporate registries) to supplement your formal risk assessments.

Integrate next-level ID verification systems

Ultimately, your enhanced due diligence process can benefit from robust KYC solutions that make it simple, secure, and compliant with regulations. For instance, ID verification and face biometrics with liveness checks can be carried out by solutions like Regula Document Reader SDK and Regula Face SDK.

These IDV solutions for due diligence easily integrate with your existing mobile or web applications. Document Reader SDK processes images of documents and verifies their real presence (liveness) and authenticity. The software identifies the document type, extracts all the necessary information, and confirms whether the document is genuine.

At the same time, Regula Face SDK conducts instant facial recognition and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks.


FAQs

What is EDD in AML compliance?

EDD refers to additional checks and monitoring performed on high-risk customers to mitigate money laundering and terrorism financing risks.

What is the difference between customer due diligence and enhanced due diligence?

EDD involves deeper scrutiny, including verifying the source of funds and wealth, while CDD focuses on basic identity verification and risk categorization.

When is enhanced due diligence required?

EDD is necessary when dealing with PEPs, high-risk jurisdictions, complex beneficial ownership structures, or suspicious activities flagged during monitoring.

Why is EDD critical in banking?

EDD protects banks from regulatory penalties, reputational damage, and financial crime by ensuring compliance with AML regulations.
