Blog guide · Updated 2026-05-14 · 7 min read · By HubSecure Editorial Team · Reviewed by workflow reviewers

Enhanced Due Diligence (EDD): A Complete Guide for 2026

Standard KYC is not enough for high-risk clients. EDD is a mandatory deeper investigation — here is exactly what it involves and how to operationalise it.

Written by HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

TL;DR

Enhanced Due Diligence (EDD) is the deeper layer of customer investigation triggered when standard Customer Due Diligence (CDD) is insufficient to manage a high-risk relationship. It is mandated under the EU Anti-Money Laundering Directives, FATF Recommendations, and national regulations across Europe.

When is EDD required?

EDD is triggered automatically in specific circumstances under EU 5AMLD:

Regulator expectation: EDD is not a one-time exercise. Regulators expect ongoing enhanced monitoring throughout the relationship, not just at onboarding.

What EDD actually involves

Source of Wealth (SoW) verification

You must establish not just that a client has money, but how they accumulated it. Collecting SoW statements without corroborating evidence is insufficient. Supporting documents include: business ownership records, salary history, inheritance documents, investment statements, property sale proceeds.

Source of Funds (SoF) verification

For specific transactions, verify the origin of the funds being used. This is distinct from SoW — you may understand a client's overall wealth while still needing to verify that a specific transfer originates from a stated transaction.

Senior management approval

Establishing or continuing a high-risk relationship must be approved by a senior manager. This requirement is frequently tested in regulatory inspections. “Approvals” via email that are not saved to the client record do not satisfy this requirement.

Enhanced ongoing monitoring

Transactions must be monitored at higher frequency and scrutiny. Periodic EDD reviews must run at defined intervals — typically annually for the highest-risk clients.

Adverse media screening

Beyond sanctions and PEP databases, EDD requires searching news archives, court records, company registries and other open sources for negative information that structured databases may not capture.

Common EDD mistakes that lead to enforcement

Frequently Asked Questions

What is the difference between CDD and EDD?

CDD is the baseline: verify identity, understand the business relationship, establish beneficial ownership. EDD adds source of wealth verification, senior management approval, enhanced monitoring, and deeper adverse media checks. EDD is triggered by specific risk factors; CDD applies to all customers.

Which clients always require EDD?

Under EU AML directives, EDD is mandatory for all PEPs, clients from FATF high-risk countries, non-face-to-face relationships above thresholds, and correspondent banking. Your own risk-based approach may add further triggers.

How long should EDD files be retained?

Minimum five years after the end of the business relationship under AMLD. Some jurisdictions extend to ten years. All supporting documents, decisions and approvals must be retained and retrievable for regulatory inspection.

What counts as adequate source of wealth evidence?

Regulators expect corroborated documentation, not just client statements: audited business accounts, company sale agreements, property deeds, inheritance documentation, or salary records. The bar rises with risk level and amounts involved.

Can EDD be performed on existing clients?

Yes, and it must be. Ongoing monitoring must trigger EDD reviews when the risk profile changes: a client who becomes a PEP, starts transacting with high-risk countries, or whose transaction patterns change materially requires EDD even after passing standard CDD at onboarding.

How does HubSecure help with EDD?

HubSecure automates EDD triggers based on your risk rules, guides analysts through required steps with structured checklists, enforces senior approval gates, integrates real-time PEP/sanctions screening, and maintains a complete audit trail for every EDD case.

Credibility notes

This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
