Due Diligence: Types, Process, Checklist & Tools for Risk Teams
Due diligence meaning:
Due Diligence is the process of investigating a person, company, or transaction before making a business decision. It gathers verified intelligence to identify risks, confirm facts, and ensure decisions are based on evidence rather than assumption. Neotas conducts due diligence across 600 billion archived web pages, 1.8 billion court records, and 40,000 media sources to give risk teams defensible, verifiable intelligence that standard database checks miss.
In this guide:
- What does due diligence mean?
- Why it matters in 2026
- 10 types of due diligence
- The 5-phase due diligence process
- Free due diligence checklists
- Enhanced due diligence (EDD)
- Vendor and third-party DD
- Due diligence red flags
- 2026 regulatory updates
- How Neotas approaches due diligence
- FAQs on Due Diligence Process, Checklist and Tools
What is due diligence?
Due diligence is a structured investigation carried out before committing to a business relationship, transaction, or decision. The term covers a wide range of investigative activities: verifying identities, checking financial records, screening for sanctions and adverse media, assessing ESG exposure, and investigating key individuals.
Which checks apply depends on the subject, the relationship, and the risk level.
In financial services, due diligence is a regulatory requirement. In M&A, it is a commercial standard. In third-party and vendor relationships, it is increasingly a board-level governance obligation and one that regulators in the UK, EU, and US are scrutinising more closely each year.
The phrase comes from the legal principle that a party acting in good faith must exercise reasonable care before entering into a commitment. In practice, it means doing the work to know who you are dealing with before you are exposed to their risk.
Why due diligence matters in 2026
The case for rigorous due diligence is not theoretical. The data is specific.
Third-party involvement in breaches doubled to 30% in 2025, up from 15% the year before, according to the Verizon 2025 Data Breach Investigations Report. Supply chain compromise is now one of the most expensive breach categories, costing an average of $4.91 million per incident and taking the longest to resolve – 267 days, according to the IBM Cost of a Data Breach Report 2025.
Regulatory pressure is moving in the same direction:
- The EU Corporate Sustainability Due Diligence Directive (CSDDD) entered into force on 25 July 2024. It requires large EU and non-EU companies operating in Europe to conduct mandatory human rights and environmental due diligence across their full value chains. Phased application was originally scheduled from July 2027; the April 2025 "stop-the-clock" directive pushed the first wave back by a year, to July 2028.
- The NIST Cybersecurity Framework 2.0 introduced a new Govern function that elevates cyber supply chain risk management (C-SCRM) to board-level responsibility.
- The FCA’s Financial Crime Guide (updated April 2025) sets detailed expectations on third-party due diligence, vendor management, and ongoing monitoring for UK-regulated firms.
- New global sanctions designations increased by 50% between 2022 and 2024. Screening that was adequate three years ago may not be adequate today.
The organisations that treat due diligence as a one-time onboarding exercise are the ones generating the breach statistics above.
The Cost of Inadequate Due Diligence in 2026

10 types of due diligence
Due diligence is not a single activity. The type of investigation depends on the transaction, the counterparty, and the risk level. The 10 main categories are below.
Financial due diligence
- What it is: Review of financial statements, cash flow, liabilities, revenue quality, and forecasts before a transaction.
- Who uses it: Investors, acquirers, lenders, and private equity firms assessing a target company.
- Key focus areas: Earnings quality, working capital, debt obligations, off-balance-sheet liabilities, tax exposure, and consistency between management accounts and statutory filings.
Legal due diligence
- What it is: Assessment of legal risks covering contracts, litigation history, IP ownership, regulatory compliance, and corporate structure.
- Who uses it: Legal counsel, M&A teams, and compliance departments ahead of transactions or new relationships.
- Key focus areas: Pending and historical litigation, contractual obligations and exit clauses, data protection compliance, intellectual property ownership, and regulatory licences.
Operational due diligence
- What it is: Review of a company’s processes, systems, supply chains, and management capacity to assess whether it can deliver on its projections.
- Who uses it: Investors and acquirers who need to understand what they are actually buying beyond the numbers.
- Key focus areas: Key person dependencies, operational resilience, IT infrastructure, process documentation, and third-party supplier concentration risk.
Enhanced due diligence (EDD)
- What it is: A deeper level of investigation applied to high-risk customers, counterparties, or transactions. Mandatory under the Money Laundering Regulations 2017 (UK) for specific risk categories.
- Who uses it: Banks, financial institutions, law firms, professional services firms, and any entity handling high-risk relationships.
- Key focus areas: Source of wealth, source of funds, beneficial ownership verification, adverse media across multiple languages, PEP and sanctions screening, network analysis, ongoing monitoring.
If you’re conducting enhanced due diligence (EDD) on high-risk vendors or third parties, a structured checklist is critical to avoid blind spots.
👉 Download the EDD Checklist to standardise your EDD process and reduce risk exposure.
Customer due diligence (CDD / KYC)
- What it is: The baseline identity and risk verification process applied to customers in regulated industries. Part of Know Your Customer (KYC) obligations.
- Who uses it: Banks, fintechs, insurers, payment institutions, law firms, and accountants – all entities subject to the Money Laundering Regulations 2017.
- Key focus areas: Identity verification, sanctions and PEP screening, source of funds, risk categorisation, and ongoing transaction monitoring.
👉 Download the Customer Due Diligence (CDD) Checklist (Operational, Compliance-Ready)
Designed for AML teams, compliance officers, and financial institutions managing customer onboarding and verification.
- Covers identity verification, risk profiling, and documentation checks
- Aligns with AML/KYC regulatory expectations
- Built for consistent, audit-ready onboarding workflows
Vendor due diligence (VDD)
- What it is: Investigation of third-party suppliers and partners before entering a commercial relationship. Assesses financial stability, reputational risk, compliance posture, and operational reliability.
- Who uses it: Procurement, compliance, and risk teams across financial services, professional services, and regulated industries.
- Key focus areas: Financial health, sanctions exposure, adverse media, ESG risks, data security practices, and contractual protections.
👉 Download the Vendor Due Diligence (VDD) Checklist (Procurement + Risk Aligned)
Built for procurement teams, risk managers, and compliance leaders evaluating third-party vendors and suppliers.
- Covers financial, operational, legal, and reputational risk checks
- Aligns with third-party risk management (TPRM) frameworks
- Structured for consistent vendor onboarding and periodic reviews
Third-party risk due diligence
- What it is: A broader category covering all external entities in a company’s value chain, including suppliers, distributors, agents, contractors, and joint venture partners. The investigative foundation of any third-party risk management (TPRM) programme.
- Who uses it: Risk and compliance teams running structured TPRM programmes.
- Key focus areas: Risk tiering, ongoing monitoring, contractual controls, regulatory compliance, and concentration risk.
👉 Download the Third-Party Risk Management (TPRM) Framework (End-to-End Risk Control System)
A structured framework to identify, assess, mitigate, and continuously monitor risks across vendors, suppliers, and external partners.
- Covers financial, operational, cybersecurity, and compliance risks
- Aligns with global standards like ISO 27001, GDPR, NIST, SOC 2
- Built for full lifecycle risk management, not just onboarding
Management due diligence (IDD)
- What it is: Investigation of key individuals: directors, senior managers, beneficial owners, and counterparty executives. Assesses character, professional track record, and undisclosed associations. Also called Individual Due Diligence (IDD).
- Who uses it: Private equity firms, boards, financial institutions, and organisations appointing senior personnel.
- Key focus areas: Career history verification, adverse media, litigation, regulatory sanctions, social media conduct, and network analysis to identify undisclosed relationships
Strong management due diligence helps investors and organisations validate leadership integrity, not just financial performance.
👉 Explore more on Management Due Diligence to assess leadership risk before critical decisions.
ESG due diligence
- What it is: Assessment of environmental, social, and governance risks across a company or its supply chain. Required by LPs, regulators, and institutional investors – and now mandated for large companies under the CSDDD.
- Who uses it: PE firms, asset managers, corporates with ESG mandates, and compliance teams.
- Key focus areas: Environmental violations, modern slavery, labour practices, governance failures, greenwashing indicators, and supply chain transparency.
👉 Download the ESG Due Diligence Checklist (Sustainability + Risk Integrated)
A structured roadmap to assess environmental, social, and governance risks across investments, vendors, and business operations.
- Covers environmental impact, social responsibility, and governance controls
- Aligns with global ESG regulations and compliance expectations
- Built for risk identification, reporting, and decision-making
Investment due diligence
- What it is: Pre-investment investigation covering financial, legal, operational, and reputational dimensions. Standard practice in private equity, venture capital, and M&A.
- Who uses it: PE firms, VCs, family offices, and M&A advisers.
- Key focus areas: Deal-specific risks, regulatory exposure, management track record, market position, and exit risk.
👉 Download the Investment Due Diligence Checklist (Capital Protection + Risk Validation)
A structured framework to evaluate investment opportunities across financial, operational, legal, and strategic risk dimensions before committing capital.
- Covers financial health, valuation assumptions, and risk exposure
- Includes management, market, and operational assessments
- Designed for M&A, private equity, venture, and strategic investments
Working on private equity deals specifically?
Private equity due diligence goes deeper into deal structuring, leverage, exit modelling, and portfolio risk concentration.
👉 Download the Private Equity Due Diligence Checklist

“Neotas conducts due diligence across 600 billion archived web pages, 1.8 billion court records, and 40,000 media sources. We find what standard database checks miss.”
Free due diligence checklists
Each checklist below is practitioner-grade. They cover the specific questions, data sources, and red flags relevant to each due diligence type.
| Checklist | Use case |
|---|---|
| Due Diligence Checklist (DD) | Establish a baseline framework to assess financial, legal, operational, and compliance risks across entities |
| Enhanced Due Diligence Checklist (EDD) | Investigate high-risk customers, PEPs, and complex entities to uncover hidden risk and regulatory exposure |
| Customer Due Diligence Checklist (CDD) | Verify customer identity, assess risk, and ensure compliant onboarding within AML/KYC frameworks |
| Vendor Due Diligence Checklist (VDD) | Evaluate third-party vendors to identify financial, operational, and reputational risks before engagement |
| Third-Party Risk Management Checklist (TPRM) | Build and assess a full lifecycle programme to identify, monitor, and mitigate third-party risk |
| ESG Due Diligence Checklist (ESG) | Assess environmental, social, and governance risks to support sustainable and compliant decision-making |
| Investment Due Diligence Checklist (IDD) | Validate investment opportunities by analysing financials, market position, and strategic risk before capital deployment |
| Private Equity Due Diligence Checklist (PE DD) | Analyse deal structure, leverage, exit strategy, and portfolio risk to support private equity investment decisions |
| AML Compliance Checklist (AML) | Review anti-money laundering controls to detect gaps and ensure regulatory compliance |
| Risk-Based Approach Checklist (RBA) | Apply a risk-based methodology to prioritise due diligence efforts based on customer or entity risk level |
| Vendor Risk Assessment Template (VRA) | Standardise vendor onboarding using structured questionnaires and risk scoring criteria |
| Vendor Due Diligence Questionnaire (VDDQ) | Collect detailed vendor data across compliance, security, and operations to support risk assessment |
| Enhanced Due Diligence for High-Risk Customers (EDD – High Risk) | Conduct deep investigations into high-risk profiles to identify sanctions, adverse media, and hidden ownership risks |
| Third-Party Risk Management Checklist for Healthcare (TPRM – Healthcare) | Assess third-party risks in healthcare environments with focus on data privacy, compliance, and patient safety |
| Vendor Due Diligence Checklist for Healthcare (VDD – Healthcare) | Evaluate healthcare vendors against regulatory, operational, and data protection requirements before onboarding |
The due diligence process
Phase 1: Scope and risk classification
Define what type of due diligence applies and at what depth. Classify the subject by risk tier: standard, high, or enhanced. For third parties, this means tiering vendors by their access to sensitive data, financial exposure, and regulatory environment. This classification determines everything that follows.
Phase 2: Information gathering
Collect structured data from primary and secondary sources. This includes: company registry filings, court records, sanctions databases, financial statements, regulatory records, and adverse media. For individuals, it includes professional history, directorship records, and open-source intelligence (OSINT).
Standard database checks query structured, indexed data. They miss content that exists only in archived sources, non-English media, or closed web environments. Neotas searches across 600 billion archived web pages and 40,000 active media sources to cover the full information landscape, not just what standard databases index.
Phase 3: Analysis and verification
Review collected information for accuracy, consistency, and red flags. Cross-reference findings across multiple data sources. Identify undisclosed relationships, discrepancies in financial history, or patterns of adverse conduct across time. Network analysis is particularly useful here: it maps connections between individuals and entities that would not be visible from a single-source check.
Phase 4: Reporting
Produce a structured due diligence report documenting: the scope of the investigation, methodology, sources consulted, findings, and risk rating with supporting evidence. The report becomes part of the compliance record and must be defensible to regulators and auditors, so every finding should trace back to a named source and date.
Phase 5: Ongoing monitoring
Due diligence at onboarding is a point-in-time check. Risks change after onboarding. Sanctions designations, adverse media, insolvency, and regulatory actions can emerge weeks or years into a relationship. Continuous monitoring is now expected by regulators and is standard practice in high-risk relationships. See our ongoing monitoring service.

A comprehensive due diligence checklist helps standardise risk assessment and ensures no critical verification step is missed across transactions, onboarding, or partnerships.
👉 Download the Due Diligence Checklist to build a consistent, audit-ready due diligence process.
Enhanced due diligence: when standard DD is not enough
Enhanced due diligence (EDD) applies when the standard check is not proportionate to the risk.
EDD is required under the Money Laundering Regulations 2017 for:
- Politically exposed persons (PEPs) and their close associates and family members
- Customers or counterparties from high-risk third countries on the FATF list
- Transactions that are complex, unusually large, or follow an unusual pattern with no apparent economic or legal purpose
- Beneficial owners who are difficult to identify or verify
- Any relationship flagged as high-risk during standard CDD
What EDD adds over standard CDD:
- Source of wealth and source of funds investigation
- Adverse media screening across international sources and non-English language content
- Network analysis to identify undisclosed associations and related-party risk
- Senior management approval for onboarding
- Enhanced ongoing monitoring with more frequent reviews
- Deeper corporate structure analysis for complex beneficial ownership
The FCA’s Financial Crime Guide provides practical guidance on what constitutes adequate EDD for UK-regulated firms. The April 2025 update specifically strengthened expectations on dynamic customer risk profiling and the use of advanced controls for high-risk cases.
Vendor and third-party due diligence
Most TPRM programmes have a structural problem: they assess too few of their active vendors. Third-party relationships now represent one of the largest sources of unexamined organisational exposure.
Third-party involvement in data breaches doubled to 30% in 2025, according to the Verizon DBIR 2025. Supply chain breaches cost an average of $4.91 million per incident and take 267 days to contain, according to the IBM Cost of a Data Breach Report 2025. The average cost does not include regulatory fines, which in the UK and EU can add multiples of that figure.
What a vendor due diligence review covers:
- Company verification and beneficial ownership
- Financial stability and credit risk assessment
- Sanctions, PEP, and adverse media screening
- Data security and cyber risk posture
- Regulatory compliance (UK GDPR, Modern Slavery Act 2015, Bribery Act 2010)
- ESG risk and supply chain transparency
- Contractual protections and exit provisions
The VDD Checklist sets out the specific questions for each stage. For organisations running a full TPRM programme, vendor due diligence should be embedded across the entire lifecycle: onboarding, periodic review, contract renewal, and exit.
Due diligence red flags
Experienced investigators look for patterns rather than isolated facts. These are the 9 most consequential red flags in practice.
1. Discrepancies between stated and registered information. A director’s career history does not match Companies House records. Registered addresses do not match operational premises. These do not always indicate fraud, but they require explanation before you proceed.
2. Complex or opaque ownership structures with no commercial rationale. Layers of holding companies across multiple jurisdictions are not inherently suspicious; many legitimate businesses have complex structures. The red flag is a structure with no discernible commercial purpose that no one can explain clearly.
3. Adverse media that contradicts the official narrative. Regulatory sanctions, litigation, or media coverage that conflicts with what the counterparty disclosed at onboarding. Neotas screens across 40,000 media sources, including non-English and archived content that standard databases do not index.
4. Undisclosed PEP connections. Family members, close associates, or business partners with political exposure who were not mentioned in onboarding documentation. This is one of the most common findings in enhanced due diligence.
5. Source of wealth that cannot be traced. Significant personal wealth whose origin is unclear or implausible given the subject’s professional background. A senior official from a low-income jurisdiction holding assets worth tens of millions requires explanation.
6. Prior insolvency or a pattern of failed companies. Multiple dissolved companies with unpaid creditors, or a string of directorships in companies that failed within a short period, are risk indicators even when no fraud is alleged.
7. Jurisdiction risk. Counterparties domiciled in FATF grey-listed countries, or in jurisdictions with weak beneficial ownership transparency requirements, attract enhanced scrutiny by default. The FATF high-risk and grey lists are revised at each FATF plenary, three times a year, so screening lists need the same refresh cadence.
8. Inconsistent financial statements. Revenue figures inconsistent with industry benchmarks, unexplained cash flow patterns, or auditors not registered with recognised professional bodies.
9. Sudden behavioural changes in existing relationships. A long-standing customer or supplier who changes payment patterns, restructures their business unexpectedly, or withdraws from routine communication. Ongoing monitoring exists to detect exactly this.
2026 regulatory updates
Last reviewed: May 2026
The regulatory framework for due diligence changed significantly in 2024 and 2025. These are the developments that affect UK and EU risk teams now.
EU Corporate Sustainability Due Diligence Directive (CSDDD)
The CSDDD (Directive 2024/1760) entered into force on 25 July 2024. It requires large EU companies and non-EU companies with significant EU presence to conduct mandatory human rights and environmental due diligence across their full value chains – not just their direct suppliers.
Phased application, as set out in the directive as adopted:
- From 26 July 2027: EU companies with over 5,000 employees and €1.5 billion turnover; non-EU companies with €1.5 billion EU turnover
- From 26 July 2028: EU companies with over 3,000 employees and €900 million turnover
- From 26 July 2029: all remaining in-scope companies (over 1,000 employees, €450 million turnover)
The directive requires Member States to set a maximum fine of at least 5% of worldwide net turnover. In April 2025, the "stop-the-clock" Directive (EU) 2025/794 postponed the transposition deadline to 26 July 2027 and delayed application for the first wave of companies by one year, to 26 July 2028. Further changes to scope and thresholds have been proposed under the Commission's Omnibus package, so confirm the current timetable before fixing a compliance date.
NIST Cybersecurity Framework 2.0
NIST CSF 2.0, published February 2024, added a new Govern function as the sixth core function. It explicitly elevates cyber supply chain risk management (C-SCRM) to board-level governance. For organisations managing third-party technology vendors, this means due diligence on cyber risk posture is now a governance obligation, not only a technical one.
FCA Financial Crime Guide (April 2025 update)
The FCA’s updated Financial Crime Guide (April 2025) strengthened guidance on: dynamic customer risk profiling, controls for high-risk cases including PEPs, AI-driven screening tools, third-party due diligence and vendor management, and documentation of risk-based decisions. UK-regulated firms should review their EDD and ongoing monitoring processes against the updated self-assessment questions in the guide.
UK Companies House reform
The Economic Crime and Corporate Transparency Act 2023 introduced mandatory identity verification for all UK company directors and People with Significant Control (PSCs). Companies House began phasing in its new powers in March 2024; identity verification opened on a voluntary basis in April 2025 and became mandatory for new directors and PSCs from November 2025, with existing officers following over a transition period. This increases the reliability of Companies House data for beneficial ownership checks, but it does not replace OSINT-based verification for high-risk subjects: a verified identity says nothing about that person's conduct or associations.
UK Modern Slavery Act
The Home Office has increased enforcement of Modern Slavery Act reporting requirements. Supply chain due diligence now needs to specifically address forced labour and trafficking risks, particularly in offshore manufacturing and logistics. Vague statements of compliance are no longer sufficient.
📌 Download the Due Diligence Report That Protects You from Hidden Risks
Use this editable due diligence report template to uncover red flags, validate ownership, and meet compliance expectations with ease.
How Neotas approaches due diligence
Standard due diligence draws on structured databases: sanctions lists, PEP registries, Companies House, court records. Those sources are necessary. They cover what has been formally recorded and indexed.
What they do not cover is the rest of the information landscape.
In a 2024 case, a standard CDD check on a new counterparty returned no adverse findings. Neotas found a network of dissolved companies linked to the same beneficial owner across three jurisdictions. The connections were visible only in archived web content and Mandarin-language media from 2019. None of that information appeared in any sanctions list or company registry. The relationship was not taken forward.
This is the gap. The intelligence that changes a decision most often sits in archived sources, non-indexed content, non-English media, and the connections between entities rather than within any single entity’s record. Neotas searches across 600 billion archived web pages, 1.8 billion court records, and 40,000 active media sources in multiple languages – at scale, and with human analyst review.
“Neotas searches go deeper than traditional due diligence checks. The level of detail in the reporting gives us confidence to make decisions that a standard database check would not support.”
Neotas is:
- A Chartis FCC50 Market Disruptor (Financial Crime and Compliance)
- A RegTech100 company for 2026 (Fintech Global)
- Shortlisted for Specialist Due Diligence Provider of the Year at Real Deals PE Awards 2026
Schedule a call with Neotas | Request a demo
Frequently asked questions
What does due diligence mean?
Due diligence means conducting a structured investigation of a person, company, or transaction before making a business decision. The goal is to verify facts, identify risks, and confirm that the decision is based on reliable information rather than assumptions. In regulated industries it is a legal requirement. In commercial transactions it is standard practice.
What is a due diligence checklist?
A due diligence checklist is a structured document that sets out the specific areas to investigate, questions to ask, and evidence to collect for a given type of due diligence. Checklists are scoped by context: a vendor due diligence checklist looks different from an EDD checklist or an investment due diligence checklist.
👉 Download the Due Diligence Checklist to build a consistent, audit-ready due diligence process.
What are the main types of due diligence?
The main types are financial, legal, operational, enhanced (EDD), customer (CDD), vendor (VDD), third-party, management (IDD), ESG, and investment due diligence. The type required depends on the transaction, the counterparty, and the assessed risk level. Most complex transactions require more than one type running in parallel.
What is enhanced due diligence (EDD)?
Enhanced due diligence is a deeper level of investigation required under the Money Laundering Regulations 2017 for high-risk customers, PEPs, and counterparties from high-risk jurisdictions. It goes beyond standard CDD to include source of wealth analysis, adverse media screening across multiple languages and archived sources, network analysis, senior management sign-off, and enhanced ongoing monitoring.
What does CDD mean in banking?
CDD stands for Customer Due Diligence. It is the process of verifying a customer’s identity, understanding the nature of their business relationship, and assessing money laundering and financial crime risk before and during onboarding. CDD is a legal obligation for UK-regulated financial institutions under the Money Laundering Regulations 2017.
What are the 4 requirements of customer due diligence?
The 4 core CDD requirements under the UK Money Laundering Regulations 2017 are:
(1) identifying the customer and verifying their identity using reliable, independent sources;
(2) identifying the beneficial owner and verifying their identity where applicable;
(3) understanding the purpose and intended nature of the business relationship; and
(4) conducting ongoing monitoring to ensure information remains current and consistent with actual activity.
What is the difference between due diligence and enhanced due diligence?
Standard due diligence covers identity verification, sanctions screening, and basic business verification. Enhanced due diligence applies to high-risk subjects and adds source of wealth analysis, deeper adverse media screening across international and archived sources, beneficial ownership investigation, senior management sign-off, and more frequent ongoing monitoring. The trigger for EDD is either regulatory (PEPs, high-risk third countries) or your own risk-based assessment.
What is the difference between CDD and EDD?
CDD is the baseline check applied to all customers in regulated industries. EDD is the elevated investigation required when a customer, transaction, or counterparty presents a higher risk. EDD adds source of wealth verification, more extensive adverse media coverage, network analysis, and senior management approval. Both are set out in the Money Laundering Regulations 2017.
What is simplified due diligence?
Simplified due diligence (SDD) is a reduced level of CDD applied to demonstrably low-risk customers or products. Under the UK Money Laundering Regulations 2017, SDD does not exempt firms from all ongoing monitoring obligations. Firms must document the risk assessment that justifies the decision to apply SDD. See our full simplified due diligence guide.
What is vendor due diligence and why does it matter?
Vendor due diligence is the process of investigating a third-party supplier or partner before entering a business relationship.
It matters because risk now sits outside your perimeter. Vendors handle data, run critical services, and can expose you to regulatory, financial, and reputational damage if they fail.
- Security risk: Third parties are a common entry point for breaches. Weak controls on the vendor side become your incident.
- Regulatory exposure: Data protection, AML, and sector rules hold you accountable for vendor failures. Penalties and audit findings land on you.
- Operational continuity: Vendor outages, poor SLAs, or dependency concentration can halt business operations.
- Financial impact: Insolvent or unstable vendors disrupt delivery and create recovery costs.
- Reputational damage: Misconduct, fraud, or negative media tied to a vendor reflects on your brand.
In practice, vendor due diligence answers three questions:
- Can they deliver reliably? (capability, track record, SLAs)
- Can they be trusted? (compliance, governance, integrity signals)
- What happens if they fail? (contingency plans, concentration risk)
Done properly, it reduces surprises, supports defensible decisions, and gives you a clear basis for onboarding, contract terms, and ongoing monitoring.
Download the Neotas Vendor Due Diligence Questionnaire (VDDQ) – Collect structured vendor data across compliance, security, financials, and operations to support consistent third-party risk assessment.
What is due diligence in AML?
In AML (Anti-Money Laundering), due diligence refers to the process of verifying customer identities, assessing their financial crime risk, and monitoring transactions to detect money laundering and terrorist financing. It covers three levels: simplified due diligence (SDD) for low-risk customers, standard CDD for most customers, and enhanced due diligence (EDD) for high-risk individuals including PEPs. These obligations are set out in the Money Laundering Regulations 2017 for UK-regulated firms.
What are the standard, simplified and enhanced levels of due diligence?
There are three due diligence levels under the UK Money Laundering Regulations 2017. Simplified due diligence (SDD) applies where risk is demonstrably low, such as listed companies or regulated financial institutions. Standard CDD applies to most customer relationships. Enhanced due diligence (EDD) applies to high-risk subjects including PEPs, high-risk third-country counterparties, and relationships where the standard checks are not proportionate to the risk level.
What is standard due diligence?
Standard due diligence is the baseline level of investigation applied to most business relationships. It covers identity verification, sanctions and PEP screening, company verification, and an initial adverse media check. It is contrasted with EDD, which applies to higher-risk subjects, and SDD, which applies to demonstrably low-risk relationships. In commercial contexts, standard due diligence also covers financial, legal, and operational review appropriate to the scale of the decision.
What happens after due diligence?
After due diligence is completed, the findings go to decision-makers who determine whether to proceed, renegotiate terms, request additional information, or walk away. In regulated industries, the due diligence report becomes part of the compliance record and must be retained. For ongoing relationships, due diligence does not end at onboarding: continuous monitoring flags new risks that emerge after the initial check is complete.
What are the 4 P’s of due diligence?
The 4 P’s of due diligence are People, Processes, Products, and Profits. People covers key personnel, management track records, and beneficial ownership. Processes examines operational systems and controls. Products reviews what the entity delivers and how. Profits covers financial performance, cash flow, and earnings quality. In compliance and TPRM contexts, a fifth P is sometimes added: Provenance, covering source of wealth and source of funds.
What is the difference between due diligence and an audit?
Due diligence is a forward-looking investigation conducted before a decision, designed to identify risks and verify facts about a specific subject. An audit is a backward-looking review of records and controls, conducted for regulatory, financial, or governance purposes against a standardised framework. Both involve examining records, but due diligence is scoped by the commercial decision at hand. An audit produces an opinion against defined criteria; due diligence produces a risk assessment and recommendation.
About Neotas Enhanced Due Diligence
Neotas Platform covers 600Bn+ archived web pages, 1.8Bn+ court records, 198M+ corporate records, global social media platforms, and 40,000+ media sources from over 100 countries to help you build a comprehensive picture of the subject. It’s a world-first, searching beyond Google. Neotas’ diligence uncovers illicit activities, reducing financial and reputational risk.
Enhanced Due Diligence Solutions:
- Enhanced Due Diligence
- Management Due Diligence
- Customer Due Diligence
- Third Party Risk Management
- Open Source Intelligence (OSINT)
- Introducing the Neotas Enhanced Due Diligence Platform
Enhanced Due Diligence Case Studies:
- Case Study: OSINT for EDD & AML Compliance
- Overcoming EDD Challenges on High Risk Customers
- Neotas Open Source Intelligence (OSINT) based AML Solution sees beneath the surface
- ESG Risks Uncovered In Investigation For Global Private Equity Firm
- Management Due Diligence Reveals Abusive CEO
- Ongoing Monitoring Protects Credit Against Subsidiary Threat
- AML Compliance and Fraud Detection – How to Spot a Money Launderer and Prevent It