Enhanced Due Diligence (EDD) Checklist: A Complete Framework for High-Risk Customer Assessment

Enhanced due diligence (EDD) is a deeper level of customer due diligence applied to high-risk individuals, PEPs, and complex corporate structures. Under UK Regulation 33 of the Money Laundering Regulations 2017 and FATF Recommendation 10, EDD is legally required in specific circumstances.

This enhanced due diligence checklist covers all 9 stages of a compliant EDD assessment, from identity verification to ongoing monitoring.

Jump to a section: What is EDD? | When is EDD required? | EDD vs CDD vs SDD | The 9-Section Checklist | Sector-specific EDD | Regulatory framework | Red flags | Download EDD Checklist PDF

What is an Enhanced Due Diligence Checklist?

An enhanced due diligence checklist is a structured set of verification steps used to assess high-risk customers, counterparties, or third parties. It goes beyond standard customer due diligence (CDD) by requiring source of funds verification, beneficial ownership (UBO) mapping, adverse media research, and enhanced ongoing monitoring.
It is legally required under UK MLR 2017 Regulation 33, FATF Recommendation 10, and the US Bank Secrecy Act FinCEN CDD Rule for specific categories of customer.

The EDD checklist covers key areas such as customer identification, risk assessment, source of funds verification, transaction monitoring, and ongoing compliance measures.

By following an EDD checklist, businesses and financial institutions can systematically navigate through the various elements involved in the due diligence process, ultimately enhancing the effectiveness and integrity of risk assessments.

What does EDD stand for?

EDD stands for Enhanced Due Diligence. It refers to the heightened scrutiny a regulated firm applies to customer relationships assessed as high risk, either by the firm’s own risk assessment or by a specific regulatory trigger such as PEP status or involvement of a high-risk jurisdiction.

Who uses an EDD checklist?

An EDD checklist is used by:

• Compliance Officers and Money Laundering Reporting Officers (MLROs)
• AML Analysts and Financial Crime Teams
• KYC Specialists in banking and financial services
• Risk Managers conducting third-party and vendor due diligence
• Legal and accounting professionals subject to MLR 2017
• Corporate TPRM teams assessing high-risk suppliers or business partners

When is Enhanced Due Diligence Required?

EDD is required under UK Regulation 33(1) of MLR 2017 and equivalent international frameworks when specific risk conditions are present. It is not optional in these circumstances – it is a legal obligation for regulated firms.

The primary triggers are:

• Politically Exposed Persons (PEPs): The customer, or their beneficial owner, is a current or former PEP, family member, or known close associate
• High-risk third countries: The transaction or business relationship involves a country on the FATF grey or black list, or a jurisdiction identified as high risk by HM Treasury (UK) or FinCEN (US)
• Unusually large or complex transactions: Any transaction that is structurally complex or has no apparent economic or legal purpose
• Firm-identified high risk: The regulated entity’s own risk assessment determines there is an elevated risk of money laundering or terrorist financing
• Correspondent banking relationships: Financial institutions maintaining accounts for other financial institutions require EDD under FATF Recommendation 13
• Opaque ownership structures: Customers using shell companies, nominee arrangements, or multi-layer corporate structures where the beneficial owner is unclear
• Negative media associations: Customers publicly linked to financial crime, corruption, sanctions breaches, or regulatory enforcement

Business relationships requiring EDD

EDD applies across the full lifecycle of a high-risk relationship. That includes onboarding, periodic review, and any triggered reassessment. The obligation continues for as long as the relationship is active and for 12 months after a PEP leaves public function, under UK MLR 2017 Regulation 35.

Transaction-level EDD triggers

At the transaction level, EDD is triggered by: large cash movements above AML reporting thresholds, wire transfers to or from sanctioned jurisdictions, transactions inconsistent with a customer’s declared business profile, and unusual structuring patterns such as multiple near-threshold transactions.

The Enhanced Due Diligence checklist serves as a streamlined roadmap through the due diligence process. By offering a systematic approach, it enhances efficiency and reduces the likelihood of errors or omissions. This organised method proves especially crucial when dealing with intricate transactions or partnerships that involve multifaceted considerations.

EDD vs CDD vs SDD: What is the Difference?

When EDD is required, it does not replace CDD. It adds to it. A compliance officer running EDD on a PEP must first complete all standard CDD steps, then apply the additional EDD measures above.

Read more on Simplified Due Diligence, Customer Due Diligence Requirements, and EDD for High Risk Customers

The Complete Enhanced Due Diligence Checklist

The checklist below covers 9 stages of a complete EDD assessment. Each section maps to specific regulatory obligations under UK MLR 2017, FATF Recommendations, and the US Bank Secrecy Act. Use it as a working reference for client onboarding, periodic review, or triggered reassessment.

1. Pre-Assessment Risk Scoping

Before any verification begins, define the scope and risk parameters of the assessment.

• Subject type: individual, corporate entity, trust, or fund
• Business relationship purpose: onboarding, investment, acquisition, or vendor approval
• Initial risk rating: low / medium / high, based on jurisdiction, sector, and ownership structure
• Countries of incorporation and operation (flag FATF grey and black list countries)
• Applicable regulatory framework: UK MLR 2017, FCA rules, Bribery Act 2010, US BSA, GDPR / UK GDPR
• Senior management approval: required under Regulation 33(5) for PEPs and high-risk third country relationships
• EDD level determination: standard EDD or heightened EDD for very high-risk subjects

2. Identity and Beneficial Ownership Verification

• Full legal name, aliases, and trading names
• Date of birth (individual) or date of incorporation (corporate entity)
• Registered address and principal operating address
• Government-issued photo ID verification for individuals
• UBO identification: all beneficial owners above the applicable threshold (10% per FATF Recommendation 10; 25% under UK MLR 2017 for standard CDD, lower thresholds recommended for EDD)
• Corporate registry cross-check for all countries of incorporation
• Nominee director and shareholder screening
• Trust structure mapping where applicable
• Third-country shell company identification

Regulatory note: Beneficial ownership verification requirements were strengthened in the UK by the Economic Crime and Corporate Transparency Act 2023, which introduced identity verification requirements at Companies House. In the US, the Corporate Transparency Act 2024 (CTA) introduced new beneficial ownership reporting obligations to FinCEN.

3. PEP and Sanctions Screening

• Current PEP status across all jurisdictions of relevance
• Former PEP status: under UK MLR 2017 Regulation 35, enhanced monitoring continues for a minimum of 12 months after a PEP leaves public function
• Close associates and immediate family members of current and former PEPs
• Sanctions list screening: HM Treasury Consolidated List (UK), OFAC SDN List (US), UN Security Council Consolidated List, EU Consolidated Sanctions List
• Adverse media screening: minimum 10-year lookback, in the subject’s native language where material
• Regulatory enforcement databases: FCA Register, FinCEN enforcement actions, OFSI civil penalties (UK)
• Interpol notices and international law enforcement databases where applicable

4. Source of Funds and Source of Wealth Verification

• Documentation of primary income and revenue streams
• Verification of asset ownership against declared wealth
• Audited accounts and tax filings for corporate subjects
• Cross-referencing declared source of funds with third-party data sources
• Offshore account identification and assessment
• Cryptocurrency exposure: wallet history, exchange relationships, and tracing to fiat conversion points
• Evidence of unusual wealth accumulation relative to the subject’s declared profession or business activity

5. Business Activity and Transaction Profile

• Detailed description of business model and revenue streams
• Assessment against high-risk sector indicators: gambling, cryptocurrency, precious metals, cash-intensive businesses, arms trade, money service businesses
• Geographic transaction patterns and correspondent banking relationships
• Transaction volume and frequency benchmarked against sector norms
• Unusual transaction pattern flags: structuring, round-dollar amounts, irregular timing, layering indicators

6. Adverse Media and Reputational Screening

• Structured adverse media search: minimum 10-year lookback, in native language where material
• Litigation and regulatory enforcement history across all relevant jurisdictions
• ESG-related risks: modern slavery, environmental crime, human rights abuses, conflict minerals
• Anti-bribery and corruption risk assessed against the UK Bribery Act 2010 and US Foreign Corrupt Practices Act (FCPA)
• Political associations beyond declared PEP status
• Negative judicial outcomes: civil judgments, criminal convictions, director disqualifications

7. Corporate Structure and Ownership Analysis

• Full corporate ownership map to the ultimate beneficial owner level
• Subsidiary and parent company review across all jurisdictions
• Cross-border holding structure analysis
• Identification of opaque ownership arrangements and nominee structures
• UBO declaration verified against corporate registry data
• Assessment of whether the ownership structure has a legitimate commercial rationale or appears designed to obscure control

8. Regulatory and Compliance Posture

• Regulatory registration and licensing verification: FCA Financial Services Register (UK), SEC / FINRA registration (US), equivalent international registers
• AML and compliance programme assessment
• Sanctions and export control compliance review
• Data protection compliance: UK GDPR / EU GDPR, US CCPA
• Evidence of past regulatory breaches, FCA enforcement actions, FinCEN penalties, or OFAC designations
• FATF grey / black list country exposure across the corporate group

9. Ongoing Monitoring Plan

• Adverse media and sanctions re-screening frequency: minimum quarterly for high-risk subjects, continuous for PEPs
• Trigger-based review events: leadership or ownership change, acquisition announcement, regulatory investigation, financial distress, jurisdiction change
• Annual KYC refresh schedule with documented rationale for the assigned risk rating
• Centralised audit log of all EDD activities, decisions, and escalation records
• Continuous monitoring integration: where an automated EDD or TPRM platform is in use, document the monitoring protocol and alert thresholds

Download the complete EDD checklist as a printable PDF.

Structured for use in client files and regulatory audit trails. Covers all 9 sections above with checkboxes, regulatory references, and a risk narrative template.

Download Enhanced Due Diligence Template

How to Use This EDD Checklist

Running EDD is not a linear tick-box exercise. Each step informs the next. Start with scope, let the risk rating guide your depth, and document every decision.

Step 1: Define the risk scope before you start any checks

Set the parameters first. Who is the subject? What is the relationship purpose? What jurisdictions are involved?

Assign a preliminary risk rating: low / medium / high. This determines which checklist sections need the most rigour and whether senior management sign-off is required before you proceed.

Key actions:

• Confirm subject type: individual, corporate, trust, or fund
• Flag any FATF grey or black list jurisdictions
• Check whether Regulation 33(5) (UK) or PATRIOT Act Section 312 (US) applies
• Obtain MLRO or senior management approval if required

Step 2: Gather identity and ownership data from primary sources

Work through Sections 2 and 3 of the checklist. Cross-check every key fact across at least 2 independent sources. Document where information is consistent and where it is not.

Reliable sources include: Companies House, FinCEN BOSS system, corporate registries in relevant jurisdictions, government-issued ID, OFAC, HM Treasury Consolidated List, UN Consolidated List.

Watch for: Information that differs between sources, nominee arrangements with no commercial rationale, ownership chains that terminate in unverifiable entities.

Step 3: Trace source of funds, then source of wealth

Source of funds tells you where the money for this transaction came from. Source of wealth tells you how the subject built their overall assets. Both are required for a complete EDD file.

Obtain documentary evidence: audited accounts, sale agreements, tax records, inheritance documents. Cross-reference against the subject’s declared profile.

For corporate subjects, map the full ownership structure to UBO level before drawing conclusions. Multiple holding layers across jurisdictions without clear commercial logic is a red flag, not just a complexity.

Step 4: Configure ongoing transaction monitoring before sign-off

Do not set generic monitoring thresholds. Calibrate alert parameters to the specific risk profile of this customer: sector, geography, expected transaction volume, and declared business purpose.

Document: the monitoring configuration, the review frequency, and who is responsible for triage.

Where automated alerts fire, a trained analyst must review them. Both the alert and the review decision need an audit trail.

Step 5: Run structured adverse media screening

Search on: full legal name, known aliases, associated entities, and key individuals. Cover a minimum 10-year lookback. For subjects with operations in non-English-speaking markets, search in the relevant native language.

When a finding appears, assess two things: relevance and credibility. A resolved civil matter from 12 years ago is not the same as a live regulatory investigation. Document your assessment either way.

If a finding is material and cannot be resolved: escalate to the MLRO before proceeding.

Step 6: Conduct an on-site visit for high-risk entities

Remote verification has limits. For relationships assessed as high risk, an on-site visit confirms that the business exists, operates as declared, and that the people controlling it are who they say they are.

Document: attendees, premises inspected, documents reviewed, and any observations inconsistent with the declared business profile. The on-site record is part of the EDD file and may be reviewed by a regulator.

This step is standard practice for high-value correspondent banking relationships, complex corporate structures, and any case where remote checks have left material gaps.

Step 7: Write the report and lock in the monitoring schedule

The EDD report is a legal document. It may be reviewed by the FCA, FinCEN, an auditor, or a court.

Every report must cover:

• Subject and scope of the assessment
• Methodology and sources used
• Key findings across all checklist sections
• Risk rating assigned and the reasoning behind it
• Any unresolved issues, escalation decisions, or SAR referrals
• Ongoing monitoring plan: frequencies, trigger events, next review date

Write conclusions that are supported by evidence in the file. Where a judgment call was made, explain the reasoning. Sign it off before the relationship proceeds.

EDD for corporate and third-party risk management (TPRM)

EDD principles apply directly to corporate vendor and supplier risk programmes. High-risk third parties – those operating in sanctioned jurisdictions, holding government contracts, or acting as intermediaries in regulated industries – warrant EDD-equivalent checks as part of any TPRM framework.

UK companies are subject to Section 7 of the Bribery Act 2010, which requires adequate procedures to prevent bribery by associated persons. The UK Modern Slavery Act 2015 and the EU Corporate Sustainability Due Diligence Directive (CSDDD) extend due diligence obligations into supply chains. EDD supports compliance with all three.

EDD for private equity, investment, and M&A

In investment contexts, EDD is applied to target companies, management teams, and co-investors. The focus shifts from AML compliance to reputational risk, undisclosed litigation, UBO verification, and anti-bribery exposure in emerging markets. EDD conducted before deal close reduces post-acquisition liability and supports warranty and indemnity insurance underwriting.

EDD for professional services firms

Legal, accounting, and consulting firms subject to UK MLR 2017 must apply EDD when establishing client relationships involving high-risk factors. The ICAEW and Law Society publish AML guidance that specifies EDD triggers and documentation standards for their respective professions. Client file opening procedures must reflect these standards.

Regulatory Framework: When EDD is Legally Required

UK: Money Laundering Regulations 2017 (MLR 2017)

Under Regulation 33(1) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, enhanced due diligence and enhanced ongoing monitoring are legally required when:

• The customer or beneficial owner is a PEP, family member, or close associate
• The transaction or business relationship involves a high-risk third country identified by HM Treasury
• Any transaction is unusually large, complex, or has no apparent economic or legal purpose
• The regulated entity identifies a high risk of money laundering or terrorist financing through its own risk assessment

Regulation 33(5) additionally requires senior management approval before establishing or continuing a business relationship with a PEP or a customer from a high-risk third country.

Full regulatory text is available from the UK government: The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 – Regulation 33

FATF Recommendations: the international standard

The Financial Action Task Force (FATF) sets the international standard for AML and counter-terrorist financing. The key Recommendations for EDD are:

• Recommendation 10: Requires financial institutions to understand the nature and purpose of customer relationships and conduct continuous due diligence, with enhanced measures for higher-risk situations
• Recommendation 12: Specifies EDD measures for Politically Exposed Persons, including source of funds verification and senior management approval
• Recommendation 13: Requires EDD for all correspondent banking relationships, including respondent institution assessment and prohibition on shell bank relationships
• Recommendation 19: Requires enhanced measures for transactions and relationships involving FATF-monitored jurisdictions (grey and black lists)

FATF Recommendations are available at: https://www.fatf-gafi.org/en/topics/fatf-recommendations.html

US: Bank Secrecy Act and FinCEN CDD Rule

Under the Bank Secrecy Act and FinCEN’s Customer Due Diligence Rule (31 CFR 1010.230), covered financial institutions must:

• Verify the identity of beneficial owners of legal entity customers
• Understand the nature and purpose of customer relationships
• Conduct ongoing monitoring for suspicious activity
• Apply enhanced scrutiny under USA PATRIOT Act Section 312 for foreign correspondent and private banking accounts

FinCEN’s CDD Rule requires identification of beneficial owners holding 25% or more of equity and one individual with significant control. EDD applies where risk assessments identify elevated exposure.

FinCEN CDD Rule guidance: https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule

EU: 6th Anti-Money Laundering Directive (6AMLD) and AMLA

The EU’s 6th Anti-Money Laundering Directive aligns materially with UK MLR 2017 obligations. The forthcoming EU Anti-Money Laundering Authority (AMLA), expected to become operational in 2027, will introduce a unified AML supervisory framework across EU member states with additional cross-border EDD provisions for high-risk entities.

EDD Red Flags and Escalation Triggers

The following indicators require an immediate EDD review or escalation to the MLRO for SAR consideration under UK POCA 2002.

Customer-level red flags

• Reluctance or refusal to provide identity documentation or source of funds information
• Inconsistency between declared income, lifestyle, and transaction behaviour
• Beneficial ownership structure that appears designed to obscure true control
• Prior adverse media findings inconsistent with the customer’s explanation
• Undisclosed political connections or relationships with sanctioned individuals or entities
• Significant discrepancy between declared business activity and actual transaction patterns

Transaction-level red flags

• Cash transactions above AML reporting thresholds without clear economic rationale
• Wire transfers to or from FATF grey or black list jurisdictions without documented business purpose
• Round-dollar transactions or structuring patterns that suggest deliberate threshold avoidance
• Payment methods inconsistent with the customer’s stated business profile
• Rapid movement of funds across multiple accounts or jurisdictions (layering indicators)

Business relationship red flags

• Corporate structure with excessive layers relative to the size and nature of the business
• Nominee arrangements with no legitimate commercial justification
• Requests for unusual payment routes, currencies, or payment intermediaries
• Unwillingness to accept standard contractual compliance terms
• Significant unexplained changes in transaction volume or business activity

Escalation rule: Where 3 or more of these red flags apply to a single customer, an immediate EDD review and MLRO consultation is warranted. Where the review identifies known, suspected, or reasonably suspected money laundering, a Suspicious Activity Report (SAR) must be submitted to the National Crime Agency (UK) or FinCEN (US) before proceeding.

Ongoing Monitoring: Turning EDD from a Point-in-Time Check into a Continuous Control

Ongoing monitoring is not optional. It is a legal requirement under UK MLR 2017 Regulation 28(11) and Regulation 33(1)(c). The frequency and depth of monitoring must be proportionate to the assigned risk rating and updated when circumstances change.

Monitoring frequencies by risk level

Trigger-based review events

Regardless of the scheduled review cycle, an immediate reassessment is required when:

• A key director, UBO, or controlling person changes
• The customer announces or completes a merger or acquisition
• A regulatory investigation or enforcement action is reported in any relevant jurisdiction
• A significant adverse media finding is identified that is inconsistent with the prior risk rating
• The customer moves operations to or from a FATF-monitored jurisdiction
• Significant changes in transaction volume, pattern, or counterparty profile occur

About Neotas Enhanced Due Diligence