What is Enhanced Due Diligence (EDD)?
Compliance professionals in financial institutions must implement rigorous due diligence measures, especially for high-risk customers.
Published June 4, 2025
TL;DR
Enhanced Due Diligence (EDD) is required under U.S. AML laws when dealing with high-risk customers or transactions, such as foreign banks, politically exposed persons (PEPs), and clients linked to high-risk countries or industries. EDD goes beyond basic identity checks, involving deeper scrutiny of ownership, source of funds, and ongoing monitoring. Failure to apply EDD can result in severe penalties, as illustrated by Capital One’s $390 million fine in 2021.
Introduction
In the United States, the regulations established under the Bank Secrecy Act¹ (BSA) require financial institutions to conduct due diligence on their customers and to monitor their activities with a view to detecting and preventing money laundering and the financing of terrorism.
A fundamental aspect of this subject is Customer Due Diligence (CDD)², which can be defined as the process of verifying a customer's identity and comprehending their financial transactions. However, simply gathering basic information is not always sufficient, especially when customers present higher risks. In higher-risk situations, financial institutions must apply Enhanced Due Diligence (EDD), which goes beyond standard procedures.
This article examines EDD in the U.S. legal context, defining it in contrast to standard CDD, outlining its legal basis, identifying scenarios where EDD is required, and highlighting enforcement consequences for failing to implement EDD properly.
From CDD to EDD: Escalating due diligence based on risk
The objective of CDD is to develop a risk profile for each customer and to detect unusual or potentially suspicious behavior. The United States has implemented a series of regulations aimed at formalizing the Customer Due Diligence (CDD) process. The regulations in question encompass the Customer Identification Program (CIP) rules, as delineated in Section 326 of the USA PATRIOT Act.³ This legislation served to expand the scope of the Bank Secrecy Act (BSA), thereby mandating the verification of identities when individuals open new accounts.
Enhanced Due Diligence (EDD) is mandatory in instances where a customer is classified as a high-risk entity and, as a consequence, subjected to enhanced scrutiny. In practice, EDD signifies a more profound and meticulous examination of the customer's background, financial resources, and ongoing activities. The necessity for EDD arises in circumstances where a customer's risk profile signifies an elevated probability of engagement in illicit activities. Such involvement may be attributed to various factors, including:
- geographical location
- occupational sector or
- political exposure.
EDD often includes obtaining additional information such as detailed beneficial ownership, source of wealth, and source of funds, more frequent and detailed monitoring of transactions, and senior management approvals for establishing or continuing the business relationship.
Scenarios requiring Enhanced Due Diligence (EDD)
Enhanced scrutiny is not required for every customer or transaction. U.S. regulations and guidance employ a risk-based approach, which means Enhanced Due Diligence (EDD) is designated for circumstances that regulators and industry practice identify as elevated risk for money laundering or terrorist financing. The following list contains specific scenarios in which EDD is required or expected in the U.S. AML context.
When a U.S. bank maintains a correspondent account for a foreign financial institution, especially one in an offshore jurisdiction or high-risk country, EDD measures are mandated by Section 312 (USA PATRIOT Act). For certain foreign banks (e.g., those with offshore banking licenses or from countries designated as non-cooperative or of primary money laundering concern), U.S. banks must perform heightened scrutiny.⁴ EDD steps include reviewing the foreign bank’s AML program, understanding its ownership and management, monitoring the flow of funds through the account in detail, and ensuring the account is not used indirectly by other high-risk foreign banks. The rationale is that foreign correspondent accounts can be a gateway for illicit funds to enter the U.S., so U.S. banks must “guard at the gate” by knowing their foreign respondent well and watching the account closely.
Customers who are Politically Exposed Persons⁵ inherently carry heightened corruption and money laundering risks. U.S. banks are expected to identify PEPs as part of their due diligence and apply EDD. In fact, foreign PEPs in private banking accounts are specifically addressed⁶ by law. The expectation is that banks will take reasonable measures to determine if a customer is a PEP and then apply these safeguards. For example, a bank that discovers a new client is a senior foreign government official should subject that client’s account to EDD:
- gather information on how the client accumulated their wealth,
- closely watch transaction patterns (for instance, large wire transfers to personal accounts might be a red flag),
- and require higher-level sign-off within the bank to ensure the relationship is in line with the bank’s risk appetite.
U.S. regulatory guidance underscores that banks should have risk-based procedures for PEPs and be alert to indicia of corruption or misuse of public funds in these relationships.
Accounts or transactions involving countries that are high-risk for money laundering or terror finance warrant enhanced measures. The Financial Crimes Enforcement Network (FinCEN) and federal regulators expect banks to consider geographic risk factors in their AML programs. For example, if a customer has significant business in or ties to a country on the FATF “black list”⁷ or subject to a FinCEN finding under Section 311⁸, the bank should apply greater scrutiny. This could mean requiring additional documentation and information about the customer’s activities in that country, more intensive transaction monitoring, and more frequent reviews of the relationship. U.S. regulators periodically issue advisories about jurisdictions of concern (for instance, FinCEN advisories on jurisdictions with strategic AML deficiencies). While not a specific law like Section 312, these advisories effectively signal that transactions associated with certain regions should be treated as high risk. Thus, a bank might implement EDD for any customer known to operate in a country under strict sanctions or identified for systemic money laundering issues. EDD in this context overlaps with sanctions compliance and requires banks to really understand why funds are moving to or from these areas and to verify the legitimacy of such activities.
Certain types of customers or services are more susceptible to money laundering and can trigger an EDD process. For example, customers that are themselves financial institutions like money services businesses (MSBs), casinos, or cryptocurrency exchanges are generally higher risk and require enhanced due diligence by their banking partners. A bank that provides accounts to an MSB must not only perform regular KYC on the MSB itself but also understand the MSB’s AML controls and customer base, because the bank is indirectly exposed to the MSB’s customers. This is sometimes called “institutional EDD”, which means performing due diligence on a customer’s compliance program. Similarly, private investment companies, trust accounts, cash-intensive businesses, and other high-risk entities demand more in-depth review. The EDD may encompass site visits, independent background verifications, or the requirement of periodic compliance reports from the customer.
Apart from inherent risk factors at onboarding, certain events can trigger EDD on an existing customer. For instance, a customer who was initially low risk might start executing large, complex transfers or become the subject of negative news (e.g., implicated in a corruption scandal). In such cases, the bank should escalate the due diligence level, essentially moving the customer into the high-risk category and applying EDD measures (re-verifying information, asking for explanations of source of funds, and increasing monitoring). The risk assessment rating and EDD must be updated on a continuous basis, ensuring that the dynamic application of EDD is executed in accordance with the evolving risk profile.
In all the above scenarios, the guiding principle is a risk-based approach. U.S. AML rules do not list every instance of EDD, but they set minimum cases and expect financial institutions to proactively identify other high-risk situations and apply commensurate EDD controls.
When must Enhanced Due Diligence (EDD) be applied under U.S. AML rules?
EDD is not required in all cases. Which of the following scenarios triggers mandatory EDD under U.S. regulations?
A) A U.S. bank opens a correspondent account for a foreign financial institution in a high-risk jurisdiction.
B) A customer deposits less than $500 once a year.
C) The customer requests paperless statements.
D) A customer updates their phone number.
Consequences of failing to implement EDD
Regulators have not hesitated to punish institutions that fail to carry out appropriate EDD. In fact, many of the largest AML enforcement penalties in U.S. history involve situations where the bank’s lack of EDD on high-risk customers or foreign transactions allowed money laundering to occur unchecked. Failure to implement EDD is often cited as a violation of the BSA’s program requirements or specific regulations like the Section 312 rules. The consequences can include hefty fines, regulatory cease-and-desist orders, remediation mandates, and even criminal charges or loss of banking charters in extreme cases.
In 2021, Capital One was fined $390 million after admitting to willful violations of the Bank Secrecy Act and Anti-Money Laundering (BSA/AML) regulations, as identified by FinCEN⁹. A significant aspect of that case was Capital One’s failure to implement an effective AML program in a high-risk business unit – specifically, its Check Cashing Group, which serviced dozens of check-cashing businesses. Capital One did not conduct proper EDD or monitoring on these high-risk clients, resulting in thousands of suspicious transactions going unreported over years. FinCEN found the bank had ignored red flags and failed to file thousands of Suspicious Activity Reports (SARs) and Currency Transaction Reports, despite obvious signs of money laundering through those check cashers. In FinCEN’s words, Capital One willfully failed to implement and maintain an effective AML program as required by law. This implies that simply having a paper policy on EDD is not enough. The institution must actually dedicate sufficient resources and attention to high-risk areas.
Which type of customer typically requires EDD?
EDD targets customers with higher risk profiles. Which of the following best represents such a customer?
A) A domestic retail client with a stable income and no foreign exposure.
B) A politically exposed person (PEP) with international connections.
C) A client who uses a mobile banking app.
D) A business that exclusively operates within one U.S. state.
Conclusion
The concept of "Enhanced Due Diligence" (EDD), as delineated in U.S. Anti-Money Laundering (AML) regulations, requires that financial institutions exercise heightened scrutiny when engaging with customers and transactions that are deemed to be high-risk. Although standard CDD provides the essential "Know Your Customer" framework mandated by the Bank Secrecy Act (BSA) and the PATRIOT Act, EDD functions as a supplementary measure. The purpose of EDD is to identify risks that may be overlooked by standard due diligence procedures. Enhanced Due Diligence is a remarkably efficacious instrument for safeguarding the financial system. In accordance with the regulations established by the AML regime, financial institutions are obligated to develop a comprehensive understanding of their customers' activities with the objective of preventing the infiltration of illicit capital into the banking system.

References
1 Financial Crimes Enforcement Network. The Bank Secrecy Act. https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act. Accessed May 31, 2025.
2 dilisense GmbH. What is Customer Due Diligence (CDD)? https://dilisense.com/en/insights/what-is-customer-due-diligence. Accessed June 4, 2025.
3 Financial Crimes Enforcement Network. USA PATRIOT Act. https://www.fincen.gov/resources/statutes-regulations/usa-patriot-act. Accessed May 31, 2025.
4 FFIEC. BSA/AML Manual - Assessing Compliance with BSA Regulatory Requirements. https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/10. Accessed May 31, 2025.
5 dilisense GmbH. Politically Exposed Persons. https://dilisense.com/en/sources/politically-exposed-persons-list. Accessed May 31, 2025.
6 OCC. Guidance on Obtaining and Retaining Beneficial Ownership Information. https://www.occ.gov/news-issuances/bulletins/2010/bulletin-2010-11a.pdf#:~:text=news%20sources%20and%20checking%20references,owners%20of%20an%20account%20generally. Accessed May 31, 2025.
7 Financial Action Task Force (FATF) - Black and grey lists. https://www.fatf-gafi.org/en/countries/black-and-grey-lists.html. Accessed May 31, 2025.
8 Financial Crimes Enforcement Network. Section 311. https://www.fincen.gov/resources/statutes-and-regulations/311-and-9714-special-measures. Accessed May 31, 2025.
9 Financial Crimes Enforcement Network. FinCEN Announces $390,000,000 Enforcement Action Against Capital One. https://www.fincen.gov/news/news-releases/fincen-announces-390000000-enforcement-action-against-capital-one-national. Accessed May 31, 2025.

