Enhanced Due Diligence: When Standard KYC Isn't Enough

Standard Customer Due Diligence — verifying identity, understanding the nature of the business relationship, and applying ongoing monitoring — is the baseline for AML compliance. But for a significant proportion of customers in specialist financial services, standard CDD is not enough. Enhanced Due Diligence (EDD) is the mandatory response to elevated money laundering risk, and applying it correctly is one of the clearest tests of whether a firm's risk-based approach is operational rather than theoretical.

The legal basis for EDD in the UK is Regulation 33 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which specifies the circumstances in which EDD must be applied and what it must include. The EU equivalent is Article 18 of the Fourth Anti-Money Laundering Directive (4AMLD), as amended by 5AMLD and now being superseded by the directly applicable AMLR. Both frameworks share the same underlying logic: where there is higher risk, there must be commensurately deeper scrutiny.

EDD Triggers: Mandatory and Discretionary

Some EDD triggers are mandatory under legislation — they require EDD regardless of any other risk assessment. Others are discretionary, arising from the firm's own risk-based analysis. Understanding the distinction matters because regulatory examinations will specifically test whether firms have applied EDD in mandatory scenarios and whether their discretionary triggers are calibrated appropriately.

Mandatory EDD Triggers

  • Politically Exposed Persons (PEPs): Foreign PEPs always require EDD under MLR 2017 Regulation 33(1)(a). Domestic PEPs and international organisation PEPs require a risk assessment to determine whether EDD is needed — but given the FCA's 2023 PEP guidance and subsequent Dear CEO letters, the threshold for applying full EDD to domestic PEPs has effectively been lowered by supervisory expectation.
  • High-risk third countries: Business relationships or transactions involving countries on the FATF grey or black lists, or countries specified in the European Commission's high-risk third country list, require EDD under Regulation 33(1)(b). Since Brexit, the UK maintains its own list of high-risk third countries, which does not automatically mirror the EU list.
  • Complex or unusually large transactions: Where there is no apparent economic or lawful purpose, MLR 2017 Regulation 33(6) requires firms to examine the background and purpose of the transaction and document their findings. This is a distinct EDD obligation from the relationship-level requirements.
  • Correspondent relationships: Payment institutions providing correspondent-style services to other payment institutions or financial institutions are subject to specific EDD requirements under Regulation 34, including assessment of the respondent's AML programme.

Discretionary EDD Triggers

Beyond the mandatory cases, firms must apply EDD whenever their risk assessment identifies that a customer poses a higher risk of money laundering or terrorist financing. Common discretionary triggers include:

  • Customers in high-risk business sectors (cannabis-related businesses, adult entertainment, gambling, virtual asset services, remittance to high-risk corridors)
  • Complex or opaque corporate structures, including multiple layers of holding companies or structures involving nominee directors
  • Customers whose source of wealth or funds cannot be easily verified from standard documentation
  • Customers based in jurisdictions with weak AML frameworks, even if not on a formal list
  • Transaction patterns that are inconsistent with the declared business activity or customer profile
  • Customers seeking to make unusually large cash deposits or requesting unusual payment routing

What EDD Must Include

Regulation 33 of MLR 2017 specifies that EDD must involve obtaining additional information about the customer and their beneficial owners, obtaining additional information to understand the intended nature of the business relationship, obtaining information on the source of funds and source of wealth, and obtaining senior management approval for establishing or continuing the relationship where required.

Source of Wealth vs Source of Funds

A critical distinction — and one that compliance teams frequently blur — is between source of wealth (SOW) and source of funds (SOF). Source of funds refers to the origin of the specific money being used in the transaction or relationship (e.g., proceeds from a property sale, salary payments). Source of wealth refers to the totality of how the customer has accumulated their overall net worth (e.g., successful business ownership, inheritance, professional career). For high-net-worth individuals and PEPs, both are required. For most business EDD, source of funds in the context of the business relationship is the primary focus, though for significant beneficial owners a SOW assessment is also expected.

Critically, EDD is not simply asking the customer to explain where their money comes from and accepting the answer. It requires corroboration: evidence to support the claimed SOW/SOF narrative. This might include audited accounts, tax returns, company ownership documentation, published sale records for property transactions, or independent third-party confirmation. Unverified self-attestation is not EDD.

Senior Management Approval

For PEPs and for business relationships involving high-risk third countries, Regulation 33(5) requires senior management approval before the relationship is established or continued. Firms need a clear documented process for this: who constitutes "senior management" (typically the MLRO, CEO, or a designated Risk Committee), what information they are provided with, and how their approval is recorded. Supervisory examinations regularly look for evidence that these approvals are substantive rather than formulaic.

Ongoing EDD Monitoring

EDD is not a one-time event at onboarding. MLR 2017 Regulation 28(11) requires that CDD — and by extension EDD — be applied on an ongoing basis and kept up to date. For EDD customers, this means more frequent review cycles (typically annually rather than the three-to-five-year cycles applicable to standard CDD customers), real-time transaction monitoring calibrated to detect deviations from the established profile, and active review whenever adverse information is identified through media monitoring or adverse news screening.

The practical implications for EDD-level customers are significant: more frequent outreach to verify continued accuracy of documentation, more granular transaction monitoring alert thresholds, and lower investigator escalation thresholds when anomalies are identified.

Third-Party EDD Providers

For firms managing large volumes of EDD customers, outsourcing EDD data gathering and research to specialist third-party providers — such as Refinitiv World-Check, Dow Jones Risk & Compliance, Kroll Due Diligence, or K2 Integrity — is common. These providers can deliver structured due diligence reports covering corporate registry searches, adverse media screening, litigation checks, and sanctions screening across multiple jurisdictions.

However, the use of third-party providers does not transfer regulatory responsibility. Under MLR 2017 Regulation 39, where a firm relies on a third party to conduct CDD, the firm remains ultimately responsible for compliance. This means EDD reports from third-party providers must be critically reviewed — not simply filed — and the firm must make its own risk assessment rather than accepting the third party's conclusions uncritically.

Documentation Standards

Documentation of EDD is as important as the EDD itself. The evidential standard required to defend a supervisory examination or regulatory investigation is high: you must be able to show what information was obtained, when, from what source, what it established, and what conclusion was reached — including the basis for any decision to proceed despite risk factors that were identified.

  • All EDD documentation should be stored in the customer's compliance file with clear audit trails.
  • Every decision to onboard or continue a high-risk relationship should include a written rationale, even if brief.
  • Senior management approvals should be documented in writing with a date stamp — verbal approvals are not auditable.
  • EDD refresh reviews should be documented each time they are conducted, even where no material changes are identified.
  • Where EDD raises concerns that do not meet the threshold for a SAR but warrant monitoring, this should be noted explicitly in the file.

EDD done well is resource-intensive. But the alternative — supervisory action for inadequate AML processes, or facilitating financial crime through insufficient scrutiny — carries far greater costs. For firms serving specialist or high-risk industries, EDD is not an exception process; it is a core operational competency.
