What is Enhanced Due Diligence and How It Actually Works

Jan Strandberg
March 16, 2026

Enhanced due diligence (EDD) is a deeper, more intensive level of customer scrutiny applied to individuals or entities that present a higher risk of financial crime. Think of it as the upgraded version of standard customer due diligence (CDD). Where CDD covers the basics, like verifying who someone is and understanding the general nature of the relationship, EDD goes much further.

So, what is enhanced due diligence actually asking? At its core, it asks: where does this person's money come from, who do they really answer to, and does everything add up?

The FFIEC BSA/AML Examination Manual is pretty clear on this. When customers pose higher money laundering or terrorist financing risks, standard due diligence is no longer sufficient. Collecting additional information about those customers, referred to directly as enhanced due diligence, becomes part of an effective program. The extra scrutiny might include verifying the source of funds and wealth, reviewing financial statements, understanding business operations, and identifying ownership structures that might otherwise be opaque.

EDD isn't a one-time event. It's an ongoing commitment. If a customer's behavior changes or new red flags emerge, the bank or institution must revisit and deepen its review.

Who actually requires enhanced due diligence?

EDD requirements apply broadly, and the list of obligated entities is longer than most realize. In the US, FinCEN's Customer Due Diligence Final Rule covers banks, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities. These institutions must establish written policies including ongoing risk monitoring and, where appropriate, enhanced due diligence for high-risk customers.

Beyond those core financial institutions, the EU's 4th Anti-Money Laundering Directive (4AMLD) expanded the scope significantly. Under EU law, EDD obligations extend to credit and financial institutions, auditors, accountants, tax advisors, notaries, lawyers in certain situations, real estate agents, art dealers, traders in high-value goods, and gambling service providers. Essentially, anyone operating in a space where large sums of money can move with limited oversight.

Crypto-asset service providers have also been pulled into the fold. Regulation (EU) 2023/1113 amended the 4AMLD to explicitly require crypto-asset service providers to apply enhanced due diligence measures, particularly when dealing with transfers involving self-hosted addresses or correspondent relationships with entities outside the EU.

In the US, FINRA Rule 2090 also requires institutions to identify and retain information about every customer with reasonable diligence. The USA PATRIOT Act reinforced this by mandating Customer Identification Programs and heightened scrutiny for high-risk and foreign accounts.

The point is: if you handle money in any significant way, EDD is probably part of your compliance landscape.

Attributes of a high-risk customer

This is where things get practical. Not every customer triggers enhanced due diligence, but certain profiles almost always do. Here's what tends to raise red flags.

  • Politically Exposed Persons (PEPs): These are current or former government officials, heads of state, senior executives of state-owned enterprises, and their close associates. PEPs are not inherently criminals, but their access to public resources and potential exposure to corruption make them a higher-risk category by default.
  • Customers from high-risk jurisdictions: If someone is based in, or conducting business through, a country with weak AML controls or that appears on the FATF grey list or blacklist, that automatically elevates their risk profile. The EU maintains its own list of high-risk third countries for the same reason.
  • Complex or opaque ownership structures: Shell companies, layered corporate structures, trusts with unclear beneficial ownership, and offshore entities with vague organizational details are all warning signs. The harder it is to identify who ultimately owns or controls an entity, the more scrutiny it warrants.
  • Unusual transaction activity: Sudden large transfers, activity inconsistent with a customer's stated business, transactions that lack an obvious commercial rationale, or significant cash movements that don't match the customer's profile can all be indicators.
  • Negative media exposure: If a customer appears in news reports linked to financial crime, corruption, or fraud, that information should factor into the risk assessment.
  • Foreign correspondent banking relationships: Banks operating across borders with respondent institutions in less-regulated markets face elevated scrutiny, particularly around payable-through accounts and private banking services.
  • Money services businesses (MSBs): These entities transmit money, exchange currencies, or issue money orders. Money services businesses are historically considered higher risk because of the volume and nature of their transactions.

No single indicator is automatically determinative. Risk assessment has to be holistic. But if several of these attributes apply to the same customer, EDD is almost certainly warranted.

The countries taking EDD most seriously

EDD requirements aren't uniform worldwide, but there are jurisdictions leading the charge.

  • United States: The Bank Secrecy Act, the USA PATRIOT Act, and FinCEN's CDD Final Rule together create a robust EDD framework. FinCEN has made it explicit that financial institutions must maintain and update customer risk profiles and apply greater scrutiny to accounts that present elevated risk.
  • European Union: The EU's AML Directive series, from 4AMLD through 6AMLD, has progressively tightened EDD requirements across all member states. The 6AMLD in particular broadened the scope of money laundering offenses and increased institutional liability. A first EU list of high-risk third countries was adopted in 2016 and has been updated multiple times since.
  • United Kingdom: The Money Laundering Regulations 2017, enforced by the FCA, require UK businesses to apply enhanced due diligence for high-risk customers. UK guidance from the Joint Money Laundering Steering Group further clarifies expectations.
  • Canada: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) governs EDD obligations, with FINTRAC overseeing enforcement.
  • India and South Korea: These countries have their own frameworks built around domestic financial intelligence units. South Korea's Act on Reporting and Use of Certain Financial Transaction Information lays down CDD and EDD expectations for financial institutions.

The common thread across all these jurisdictions? They take high-risk customers seriously. And the penalties for getting it wrong are steep.

Enhanced due diligence procedures: what actually happens

So what do enhanced due diligence procedures look like in practice? It is more nuanced than people expect. EDD isn't a checklist you run through once. It's a dynamic, risk-calibrated process.

  1. Collect additional customer information: Beyond standard identity verification, EDD requires institutions to gather documentation on the source of wealth and the source of funds. Where did this person's money come from? Is that explanation consistent with what the institution knows about them?
  2. Verify beneficial ownership: For legal entities, institutions need to drill down to the natural persons who ultimately own or control the business. FinCEN's CDD Final Rule requires identifying anyone who owns 25% or more of a legal entity, and whoever controls it. For higher-risk customers, this analysis goes deeper.
  3. Conduct adverse media and negative news screening: Institutions should run searches for any publicly available information linking the customer to financial crime, fraud, corruption, or other concerning activity.
  4. Screen against sanctions and PEP lists: Screening against global watchlists, including OFAC, UN sanctions lists, and databases of politically exposed persons, is part of any thorough EDD process.
  5. Senior management sign-off: For the highest-risk customers and relationships, EDD often requires approval or review from senior management or a compliance officer before the relationship proceeds.
  6. Set up enhanced ongoing monitoring: EDD doesn't stop at onboarding. High-risk customers require more frequent reviews of their account activity and profile. Institutions should track changes in employment, business operations, ownership structure, and transaction behavior over time.
  7. Review and update the customer risk profile: If a customer's circumstances change, for instance, if they're appointed to a government position or if unusual transactions start occurring, the risk profile has to be reassessed accordingly.

Information provided by higher-risk profile customers should be reviewed more closely at account opening and more frequently throughout the relationship.

An enhanced due diligence example worth walking through

Let's say a private bank is approached by a new client who is a mid-level government official from a country with known corruption risks. He wants to open a private banking account and deposit a significant amount. His stated source of funds is a combination of salary income and proceeds from selling a property.

Standard CDD would verify his identity and get some basic information. But because he is a PEP operating in a high-risk jurisdiction, this situation calls for an enhanced due diligence response:

  • The financial institution would request documentation substantiating the property sale, including sale contracts and evidence of prior ownership.
  • They would request proof of salary income, such as pay stubs or official government documents.
  • They would run adverse media searches and screen against PEP and sanctions databases.
  • They would review whether the transaction volume matches a government official's expected financial profile.
  • Senior management must approve the relationship before it proceeds.
  • Ongoing monitoring would be more frequent, with any unexplained transaction activity triggering an immediate review.

An offshore company with vague ownership and unusually large transfers would trigger a similar process, verifying the source of funds at each step and escalating to compliance officers for manual review if anything doesn't add up.

Does Acquire.fi conduct enhanced due diligence?

Acquire.fi is a marketplace focused on Web3 M&A, connecting buyers and sellers of crypto and blockchain businesses. And this is worth being direct about: Acquire.fi is not a licensed crypto-asset service provider under EU regulation.

That said, we offer due diligence services as part of our premium Web3 consultation packages, including due diligence on potential buyers to validate their financial capability, acquisition intent, and credibility. That's a form of business-level due diligence in the M&A context, which is different from the AML-focused EDD we've been discussing.

The EDD obligations described in this article apply to regulated financial institutions and other covered entities under relevant laws like the BSA, the EU's AMLD series, or FATF guidance. As of now, Acquire.fi operates as an intermediary marketplace rather than a regulated entity, so the formal EDD framework doesn't apply to us in the same way it applies to a bank or a licensed crypto exchange.

If that changes, for instance, if the EU's expanded crypto-asset regulations under MiCA bring additional compliance obligations to platforms like Acquire.fi, that picture could shift. But for now, users of the platform should understand that they are conducting their own due diligence independently.

If you're a buyer or seller on a platform like Acquire.fi and you want to transact responsibly, bringing in your own EDD process is a smart move. Verify who you're dealing with, and understand the source of funds on both sides.
