Banking Regulation

Customer Due Diligence vs Enhanced Due Diligence: When Each Applies and What Documentation Is Required

March 2026, 8 min read
CDD vs EDD requirements under MLR 2017

The distinction between standard Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) is one of the most practically important in the MLR 2017 framework. Applied correctly, the risk-based differentiation between CDD and EDD allows payment firms to onboard lower-risk customers efficiently while applying proportionate scrutiny to higher-risk relationships. Applied incorrectly — either by applying CDD to relationships that warrant EDD, or by blanket-applying EDD in a way that makes no meaningful distinction — the framework fails both regulatorily and commercially.

Standard CDD: The Baseline

Regulation 27 of MLR 2017 sets out the standard CDD measures applicable to all business relationships and occasional transactions above the relevant threshold. These are: identifying the customer and verifying their identity on the basis of documents, data, or information obtained from a reliable and independent source; identifying the beneficial owner where the customer is a legal person, and taking reasonable measures to verify their identity; obtaining information on the purpose and intended nature of the business relationship; and conducting ongoing monitoring of the relationship.

For a corporate client, standard CDD requires: certificate of incorporation; latest filed accounts or equivalent; evidence of registered office address; identification of all UBOs (persons with 25%+ direct or indirect ownership); and verification of identity for UBOs (passport copies, proof of address). The FCA accepts reliance on Companies House data for UK-incorporated entities in certain circumstances, but for payment firms serving complex or high-risk corporate structures, reliance on public registers alone is rarely sufficient.

When EDD Is Mandatory

Regulation 33 of MLR 2017 specifies circumstances in which EDD must be applied. These are not discretionary — they represent mandatory triggers regardless of the overall risk assessment of the customer. The specified EDD circumstances are:

  • High-risk third countries: Where the customer is established or resident in, or the transaction relates to, a country on the FCA's or HM Treasury's list of high-risk third countries (broadly corresponding to the FATF and EU high-risk lists)
  • Politically Exposed Persons: Where the customer or beneficial owner is a PEP, or a family member or close associate of a PEP
  • Non-face-to-face business: Where the business relationship is entered into or the transaction is conducted without physical presence of the customer
  • Correspondent relationships: For payment firms providing correspondent banking-type services to other regulated firms
  • Circumstances identified in the firm's risk assessment: Any high-risk scenario specifically identified in the firm's AML risk assessment under Regulation 18

What EDD Actually Requires

The MLR 2017 does not prescribe a specific documentary checklist for EDD — it requires the firm to apply measures that are adequate for the level of risk. However, it specifies minimum elements that must be present where EDD is triggered:

High-Risk Country or PEP EDD

At minimum: senior management approval for establishing or continuing the relationship; adequate measures to establish source of wealth and source of funds; and enhanced ongoing monitoring of the relationship. In practice, "adequate measures" for source of wealth verification means more than asking the customer to self-certify — it means obtaining documentary evidence (tax declarations, audited accounts, company valuations, inheritance documentation) and corroborating it against publicly available information.

Non-Face-to-Face

For non-face-to-face customer identification — which applies to virtually all digital payment firm onboarding — the EDD requirement is met through additional verification measures. These typically include: electronic identity verification using a reputable digital KYC provider (Jumio, Onfido, IDnow, Sumsub) that provides a level of assurance comparable to physical document inspection; liveness checks to confirm the person presenting the document is physically present; and database checks against adverse media, sanctions, and PEP lists.

Simplified Due Diligence

The counterpart of EDD is Simplified Due Diligence (SDD). Under Regulation 37, firms may apply simplified measures where the risk associated with a business relationship or transaction is demonstrably lower. SDD allows firms to reduce the frequency and depth of monitoring, accept less detailed identification evidence, and streamline the onboarding process. However, SDD is not zero due diligence — the firm must still conduct CDD, and must document its basis for concluding that the relationship justifies simplified measures.

Common SDD scenarios for a payment firm include: regulated financial institutions as clients (where the regulated status provides a degree of assurance about AML compliance); publicly listed companies in regulated markets; and government or public sector entities. The firm's AML policy should explicitly define its SDD criteria and any additional restrictions on applying SDD to customers whose characteristics would otherwise make SDD inappropriate.

Documentation and Record-Keeping

MLR 2017 requires that CDD documentation be retained for five years from the end of the business relationship. The firm must be able to produce, at the FCA's request, evidence of the due diligence conducted for any current or recent client. For EDD cases, the documentation must demonstrate the additional steps taken and the rationale for the specific measures applied. The MLRO should periodically review a sample of EDD files to ensure they meet the required standard — a file review programme is a standard internal audit activity and an area the FCA specifically assesses during supervisory visits.
