A practical overview of CDD requirements, EDD requirements, KYC requirements, and how AML checks actually operate in a compliance framework.
What Customer Due Diligence (CDD) Means in Practice
Customer Due Diligence (CDD) is the baseline AML/CTF requirement. It focuses on verifying who the customer is, understanding the nature and purpose of the relationship, and assigning an ML/TF risk level.
CDD includes:
-
Identity verification (full name, DOB, POA, tax residency - standard KYC requirements).
-
Sanctions screening, PEP screening, watchlist checks, and adverse media.
-
Understanding the customer’s activity and expected transaction behaviour.
-
For corporates: verifying beneficial owners (UBOs), governance structure, and legal form.
CDD should give a reporting entity reasonable certainty that it knows who it is dealing with and how the service could be misused.
What Simplified Due Diligence (SDD) Actually Is
SDD is only permitted when the ML/TF risk is inherently low and recognised as low by law or regulatory guidance.
Examples include:
-
Government bodies
-
Listed entities with adequate disclosure
-
Local financial institutions from jurisdictions with strong AML supervision
SDD is the exception, not the rule. Most AML-regulated businesses will rarely apply SDD in practice.
What Enhanced Due Diligence (EDD / ECDD) Means
Enhanced Due Diligence (EDD) applies when the ML/TF risk is higher or when a trigger event elevates the risk.
EDD requirements include:
-
Higher KYC verification standards beyond normal CDD
-
Source of Wealth (SOW) verification
-
Source of Funds (SOF) verification for specific transactions
-
Additional identity checks and documentary evidence
-
More detailed understanding of the customer’s structure and activity
-
Ongoing monitoring at a higher frequency and depth
EDD is not optional — once triggered, it must be completed before the relationship continues.
When EDD Is Required (Common Global Triggers)
Typical EDD triggers across most AML/CTF regimes include:
-
Customer or UBO located in a high-risk jurisdiction
-
Customer involved in a cash-intensive or anonymity-enabling business
-
Positive PEP status
-
Adverse media or known criminal exposure
-
Complex ownership structures with opacity or nominee arrangements
-
Large, complex, unusual or inconsistent transactions
-
Material changes in customer behaviour or profile
-
A submitted STR/SAR (in many jurisdictions, mandatory EDD follows)
Existing customers may also move into EDD territory over time — especially following risk level changes or alerts raised by ongoing monitoring systems.
Difference Between Due Diligence and Enhanced Due Diligence
The distinction is simple:
-
CDD = identify the customer + understand the relationship + assess ML/TF risk.
-
EDD = apply more intrusive, more document-heavy, higher-certainty verification where the risk is not adequately mitigated by standard CDD.
EDD is deeper, broader, and ongoing — and must be handled by qualified AML personnel.
Source of Wealth (SOW) and Source of Funds (SOF) in EDD
This is the primary operational difference between CDD and EDD.
EDD frequently requires documentary proof showing:
-
How the customer accumulated wealth (SOW), and
-
Where specific funds used in a transaction originated (SOF).
Examples of SOW/SOF evidence include:
-
Bank statements
-
Payslips
-
Investment statements
-
Sale agreements (paired with evidence of funds received)
-
Tax returns
-
Audited financials
-
Probate/wills
-
Corporate records showing dividends or retained earnings
EDD is tailored to the scenario - there is no universal checklist.
How to Conduct EDD Effectively (Operational View)
A clean, practical EDD workflow looks like this:
-
Identify the trigger event (high-risk customer, unusual transaction, PEP status, etc.).
-
Escalate internally immediately — no delays.
-
Collect additional KYC information and supporting documents.
-
Verify SOW and/or SOF using reliable, independent sources.
-
Reassess ML/TF risk level based on new information.
-
Determine whether the relationship can continue under law.
-
Document decisions and rationale for audit/regulator review.
AML/CTF laws generally prohibit continuing a regulated relationship when due diligence cannot be completed.
