Enhanced Due Diligence (EDD) is a higher level of customer due diligence required when a customer, transaction or business relationship presents an increased risk of money laundering or terrorist financing. In the UK, EDD commonly applies to politically exposed persons (PEPs), customers linked to high-risk third countries, complex ownership structures and unusual transaction activity. A complete EDD process records the trigger, evidence collected, risk assessment, approvals and ongoing monitoring so every decision can be justified during a regulatory review.
What is EDD?
Enhanced Due Diligence is a set of additional checks, evidence collection, and senior approvals applied when a customer or relationship presents higher risk of money laundering (ML) or terrorist financing (TF). It goes beyond standard Customer Due Diligence (CDD) by requiring deeper evidence, documented rationale, and ongoing monitoring at defined intervals.
What triggers EDD in the UK?
In the UK, EDD is typically triggered by higher-risk factors such as PEP connections, exposure to high-risk third countries, unusually large or complex activity, opaque ownership structures, or other indicators that increase ML/TF risk. Your process must define triggers, thresholds, and required evidence up front.
What must an audit trail prove?
A defensible EDD audit trail must capture: the trigger that escalated CDD to EDD, the evidence collected, the risk assessment and rationale, every approval or override, and an immutable record of who did what, when, and under which internal policy.
How should UK firms apply Enhanced Due Diligence in 2026?
Regulators expect firms to explain why Enhanced Due Diligence was applied, not simply confirm that it was. A documented risk process should show which trigger was identified, why it increased money laundering risk and what evidence was collected before approval.
The 2023 amendment to the Money Laundering and Terrorist Financing Regulations introduced an operationally significant change that every MLRO needs to reflect in their 2026 risk model. It established that domestic PEPs are treated as lower risk than non-domestic PEPs, unless enhanced risk factors are present. The regulations establish that domestic Politically Exposed Persons (PEPs) should generally be treated as presenting a lower level of risk than non-domestic PEPs, unless other higher-risk factors are identified.
Example: A UK bank onboards a senior UK government official who qualifies as a domestic PEP. The firm does not automatically apply the same level of EDD as it would for a foreign PEP. Instead, it assesses additional factors such as whether the individual has unexplained wealth, links to high-risk jurisdictions, involvement in corruption-sensitive sectors, unusual account activity, or complex ownership arrangements. If none are present, the firm may apply a proportionate lower-risk approach while maintaining appropriate monitoring.
Similarly, the 2026 amendment to the UK regulations changes how firms should approach enhanced due diligence (EDD) by referring to transactions that are “unusually complex or unusually large in each case given the nature of the transaction.” This change affects how firms assess potentially unusual activity and reinforces the need to consider the specific context in which a transaction takes place.
Example: A business customer normally makes monthly payments of around £50,000 to UK suppliers but suddenly initiates a £5 million transfer involving several international counterparties. The firm should not treat the size alone as automatically suspicious. It should assess whether the transaction is unusual compared with the customer’s normal activity, request evidence such as contracts, invoices, source of funds information, and business rationale, and document why further due diligence was or was not required.
CDD vs EDD vs ongoing monitoring
| Comparison | Customer Due Diligence (CDD) | Enhanced Due Diligence (EDD) | Ongoing monitoring |
|---|---|---|---|
| Purpose | Verify a customer’s identity and establish their initial risk profile. | Carry out additional checks and collect supporting evidence for higher-risk customers or relationships. | Identify changes in customer behaviour or risk after onboarding. |
| Typical Triggers | New customer onboarding, periodic KYC reviews and standard customer refreshes. | Politically Exposed Person (PEP) matches, high-risk third-country connections, complex ownership structures, unusual transaction activity or other high-risk indicators. | Monitoring alerts, sanctions or PEP re-screening matches, changes to ownership, scheduled reviews or new risk events. |
| Evidence Required | Identity verification, sanctions screening, basic customer information and the purpose of the relationship. | Source of Funds (SoF), Source of Wealth (SoW), adverse media checks, Ultimate Beneficial Owner (UBO) verification, enhanced sanctions screening and documented risk assessments. | Updated customer information, refreshed screening results, transaction analysis and revised risk assessments. |
| Approvals | Analyst review or automated approval where appropriate. | Senior compliance analyst approval, with MLRO approval where required by policy. | Analyst review of monitoring alerts, with escalation to the MLRO if new risks are identified. |
| Review Frequency | According to the firm’s policy, typically every 3–5 years for lower-risk customers. | According to the firm’s policy, commonly every 6–12 months for higher-risk customers. | Continuous monitoring, ongoing sanctions and PEP screening, plus scheduled periodic reviews. |
EDD triggers checklist for the UK
PEP and sanctions-related triggers
A PEP match (see PEP meaning for the full definition) should always trigger EDD, with the domestic/non-domestic classification determining the intensity of the response. Sanctions and watchlist matches require immediate escalation and a block on the relationship until the match is cleared. Both trigger types should fire automatically through your screening system, with every match logged as an audit event.
Jurisdiction risk triggers
Customers or beneficial owners linked to high-risk third countries should trigger EDD based on your country risk classification.
Definition. A high-risk third country is a jurisdiction identified as requiring increased monitoring (commonly via FATF lists), and relationships linked to these jurisdictions require enhanced customer due diligence and enhanced ongoing monitoring.
Behavioural and transactional anomalies
Complex, unusually large, or inconsistent activity compared to the customer’s stated purpose should trigger Enhanced Due Diligence. These triggers typically require analyst confirmation rather than full automation, as context matters. Set clear thresholds: define “unusually large” as a specific multiple of expected activity, define “complex” by the number of parties or jurisdictions involved. Require the analyst to document both the anomaly and their explanation before the case can be approved.
Ownership complexity
Opaque or layered corporate structures, nominee arrangements, and frequent changes in beneficial ownership all signal higher risk. Triggers in this category often require manual review of corporate registry data, trust deeds, or shareholder agreements. Log the UBO mapping process and record any gaps or inconsistencies as risk factors.
Delivery channel risk
Non-face-to-face onboarding carries inherent identity risk. Reliance on third-party introducers, unusual device or network signals, and geographic mismatches between the customer’s stated location and their actual connection point are all valid EDD triggers. Treat these as inputs to your risk scoring and log them alongside the identity verification results.
Triggers are only useful if they are measurable: define what “complex”, “unusual”, and “high-risk” mean for your business, then require your system to log which trigger fired and which rule set applied.
Why choose ID-Pal for UK EDD automation?
ID-Pal is built for exactly this use case: mobile-first identity verification with configurable workflows and audit-ready outputs. UK compliance teams using ID-Pal get AML compliance tools that produce exportable audit packs, support EDD escalation from within the mobile flow, and log every event from trigger to decision. The platform covers document checks, liveness testing, biometric matching, PEP and sanctions screening, and address verification in a single integrated system. That removes the need to stitch together multiple vendors and reconcile fragmented audit trails.
Frequently Asked Questions about EDD
What is Enhanced Due Diligence (EDD) in the UK?
Enhanced Due Diligence (EDD) is a risk-based set of additional checks and evidence used for higher-risk customers or situations, and it must be documented so the firm can prove what it did and why. EDD differs from standard CDD by requiring deeper evidence (such as source of funds and source of wealth), senior approvals, and enhanced ongoing monitoring. See the decision tree section above for the full escalation path from CDD to EDD.
What triggers EDD checks?
EDD is triggered when defined risk factors, such as PEP exposure, high-risk third-country links, unusually complex or large activity, or opaque ownership, raise ML/TF risk beyond your standard CDD threshold. The 2023 amendment clarified the domestic/non-domestic PEP distinction, which directly affects how trigger intensity is applied. Your process must define and document each trigger before it is needed.
Are domestic PEPs always high risk?
No. UK rules set a starting assumption that domestic PEPs present lower risk than non-domestic PEPs unless enhanced risk factors are present. Your workflow should record whether the PEP is domestic or non-domestic and document the specific risk factors that justified any escalation, as required by the Money Laundering and Terrorist Financing (Amendment) Regulations 2023.
Ready to simplify your Enhanced Due Diligence process?