AML and Enhanced Due Diligence for High-Risk Business Clients

Enhanced Due Diligence (EDD) is the intensified customer due diligence process that regulated financial institutions apply when standard KYC is insufficient to manage the identified AML risk of a customer relationship. It is one of the most consequential concepts in the financial crime compliance landscape for businesses in the iGaming, crypto, and offshore corporate sectors — because it is EDD requirements, rather than KYC requirements per se, that cause the extended onboarding timelines, extensive document requests, and ultimate relationship refusals that define the banking experience of higher-risk businesses. Understanding what EDD requires, why it is triggered, and how to navigate it effectively is essential knowledge for any business in these sectors.

The Legal Framework for EDD

The EDD obligation in the UK arises from the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which implement the EU's Fourth Anti-Money Laundering Directive (4AMLD) in UK domestic law (retained post-Brexit). Regulation 33 of the MLR 2017 requires relevant persons (including banks, payment institutions, and EMIs) to apply EDD in circumstances where there is a higher risk of money laundering or terrorist financing. The regulations specify mandatory EDD triggers and permit firms to apply additional risk-based EDD triggers through their own risk appetite.

Mandatory EDD triggers under MLR 2017 Regulation 33 include: customers established or resident in a high-risk third country (defined by reference to FATF and EU/UK designated lists), transactions involving high-risk third countries, Politically Exposed Persons (PEPs) and their family members and associates, and correspondent banking relationships. In addition, Regulation 33(4) requires EDD "in any case where there are high risk factors", leaving it to the regulated firm's risk assessment to identify what constitutes high risk. JMLSG Guidance (issued by the Joint Money Laundering Steering Group under HM Treasury approval) provides sector-specific guidance on risk factors, including specific guidance for gambling, digital assets, and complex corporate structures.

What Triggers EDD for Business Clients

For the business sectors CCYFX typically serves, the specific EDD triggers most commonly encountered are:

Gambling and iGaming operators: The JMLSG Guidance identifies gaming businesses as requiring enhanced scrutiny due to the cash-intensive nature of gaming revenue, the potential for player fund co-mingling, and the historically higher incidence of money laundering in gaming. UK-licensed Gambling Commission operators are subject to the Gambling Commission's own AML requirements under the Proceeds of Crime Act 2002; offshore-licensed operators (MGA, Gibraltar, Curaçao) are assessed as higher risk because their host licensing regimes vary in AML rigour. The EDD process for an iGaming operator will typically require: evidence of the gaming licence, detailed description of the player money flow (how players fund accounts, how withdrawals are processed, segregation of player funds), the operator's own AML framework documentation, and source of funds for the business itself.

Crypto and digital asset businesses: Crypto exchanges, wallet providers, and OTC desks are designated as Virtual Asset Service Providers (VASPs) under FATF recommendations and are subject to the UK FCA's cryptoasset registration regime under the MLR 2017 (Schedule 1, Part 1, paragraph 19A). Registered VASPs have demonstrated compliance with AML requirements; unregistered businesses operating in a grey area are significantly higher risk. EDD for crypto businesses focuses on: the VASP registration status, the types of digital assets handled (higher risk for privacy coins, DeFi), the KYT (Know Your Transaction) tools in use, the volume and counterparty profile of crypto transactions, and the off-ramping process.

Offshore holding structures: BVI, Cayman, and similar offshore vehicles are on the radar of compliance teams because offshore jurisdictions have historically been associated with opacity around beneficial ownership. The BVI Economic Substance Act 2018 and the Cayman ESA 2019 have improved this position, but offshore entities still generate more EDD scrutiny than onshore companies. EDD focuses on: beneficial ownership clarity to the ultimate natural person, purpose and economic rationale for the offshore structure, source of wealth of ultimate beneficial owners, and whether the structure has documented economic substance in the stated jurisdiction.

What EDD Actually Requires: The Document Checklist

EDD is not simply "more KYC documents." It requires the institution to form a positive view that it understands the risk and that the risk is acceptable. The document requirements vary by institution but typically include for a high-risk business client:

• Corporate documents: Certificate of incorporation, Memorandum and Articles of Association, certificate of good standing (dated within 12 months), register of directors and register of shareholders/members
• Beneficial ownership: Complete beneficial ownership chain to natural person UBOs above the institution's threshold (typically 10–25%), with identity verification documents (passport, proof of address) for each UBO
• Business verification: Business licence or regulatory authorisation documents, website evidence, sample contracts or invoices demonstrating the business model
• Source of funds: Financial statements (audited preferred), bank statements showing revenue flow, explanation of the origin of initial capital
• AML framework: For businesses in regulated sectors — the entity's own AML policy, evidence of regulatory filings, results of most recent AML audit or examination
• Purpose of account: Detailed description of expected account usage, expected transaction volumes, currencies, counterparty types, and geographic footprint

The completeness and quality of this documentation at the outset materially affects onboarding timelines. Incomplete submissions generate information requests; each request cycle typically adds 2–4 weeks to the process.

Ongoing EDD: Transaction Monitoring and Periodic Review

EDD is not a one-time event at onboarding; it is an ongoing obligation. MLR 2017 Regulation 28 requires relevant persons to conduct ongoing monitoring of business relationships including scrutiny of transactions to ensure consistency with knowledge of the customer, source of funds, and risk profile. For high-risk customers, this means: transaction monitoring alerts are set at lower thresholds, unusual patterns are reviewed more promptly, and the risk profile itself is reviewed at a frequency appropriate to the risk level (typically annually for high-risk clients versus every 2–3 years for lower-risk clients).

At CCYFX, our MLRO function (led by GP) maintains a risk-proportionate ongoing monitoring programme that meets the MLR 2017 requirements while avoiding the false-positive heavy approach that makes banking relationships unnecessarily burdensome for legitimate high-risk businesses. Our transaction monitoring is calibrated to the specific risk profile of each client segment — the monitoring rules appropriate for an iGaming operator differ structurally from those appropriate for an FX broker or a crypto on/off-ramp business. Contact us to discuss how we approach EDD for your specific business type.