{"id":5501,"date":"2026-06-08T11:02:23","date_gmt":"2026-06-08T09:02:23","guid":{"rendered":"https:\/\/relycomply.com\/?p=5501"},"modified":"2026-06-08T11:02:28","modified_gmt":"2026-06-08T09:02:28","slug":"enhanced-due-diligence-requirements-uk","status":"publish","type":"post","link":"https:\/\/relycomply.com\/en-gb\/enhanced-due-diligence-requirements-uk\/","title":{"rendered":"Enhanced Due Diligence (EDD): When It Triggers, What an EDD File Must Contain, and How to Scale It"},"content":{"rendered":"\n<p>Enhanced due diligence (EDD) is a more intensive form of Customer Due Diligence (CDD), applied under the UK&#8217;s risk-based approach to anti-money laundering when a customer, transaction, or business relationship presents a higher risk. For compliance teams asking \u201cwhat is enhanced due diligence\u201d in practical terms: it is the point at which standard identity verification and risk assessment is no longer sufficient, and the firm must investigate further, obtain additional evidence, and secure senior management approval before proceeding. In the UK, enhanced due diligence is a legal obligation under the <a href=\"https:\/\/www.legislation.gov.uk\/uksi\/2017\/692\/contents\" target=\"_blank\" rel=\"noreferrer noopener\">Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs 2017)<\/a> and sits within the broader framework of the <a href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2002\/29\/contents\" target=\"_blank\" rel=\"noreferrer noopener\">Proceeds of Crime Act 2002<\/a>, not a discretionary best-practice measure.<\/p>\n\n\n\n<p><br>Most AML programmes can describe what enhanced due diligence is. Far fewer can describe, with any precision, when enhanced due diligence must trigger, what evidence an enhanced due diligence file must contain to satisfy a regulator, and how to run it at volume without grinding onboarding to a halt. 
That gap, between knowing the rule and operating the rule, is where most enforcement findings sit.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#why-are-enhanced-due-diligence-requirements-necessary-in-the-uk\">Why are enhanced due diligence requirements necessary in the UK?<\/a><\/li><li><a href=\"#which-regulated-firms-must-apply-enhanced-due-diligence\">Which regulated firms must apply enhanced due diligence?<\/a><\/li><li><a href=\"#when-does-enhanced-due-diligence-trigger-the-triggers-compliance-teams-underestimate\">When does enhanced due diligence trigger? The triggers compliance teams underestimate<\/a><ul><li><a href=\"#the-mandatory-triggers-regulation-33\">The mandatory triggers (Regulation 33)<\/a><\/li><li><a href=\"#the-triggers-that-catch-firms-out\">The triggers that catch firms out<\/a><\/li><\/ul><\/li><li><a href=\"#what-an-enhanced-due-diligence-file-must-actually-contain\">What an enhanced due diligence file must actually contain<\/a><ul><li><a href=\"#the-seven-components-of-a-defensible-enhanced-due-diligence-file\">The seven components of a defensible enhanced due diligence file<\/a><\/li><\/ul><\/li><li><a href=\"#what-fca-enforcement-teaches-us-about-enhanced-due-diligence-failures\">What FCA enforcement teaches us about enhanced due diligence failures<\/a><\/li><li><a href=\"#building-audit-ready-enhanced-due-diligence-what-reviewers-actually-look-for\">Building audit-ready enhanced due diligence: what reviewers actually look for<\/a><ul><li><a href=\"#the-five-questions-every-enhanced-due-diligence-file-must-answer\">The five questions every enhanced due diligence file must answer<\/a><\/li><li><a href=\"#the-artefacts-that-signal-maturity\">The artefacts that signal maturity<\/a><\/li><\/ul><\/li><li><a href=\"#scaling-enhanced-due-diligence-without-breaking-onboarding\">Scaling enhanced due diligence without breaking onboarding<\/a><ul><li><a 
href=\"#failure-1-manual-file-assembly\">Failure 1: Manual file assembly<\/a><\/li><li><a href=\"#failure-2-trigger-detection-that-depends-on-the-analyst\">Failure 2: Trigger detection that depends on the analyst<\/a><\/li><li><a href=\"#failure-3-ongoing-monitoring-that-is-defined-but-not-executed\">Failure 3: Ongoing monitoring that is defined but not executed<\/a><\/li><\/ul><\/li><li><a href=\"#edd-vs-cdd-the-distinction-that-matters-operationally\">EDD vs CDD: the distinction that matters operationally<\/a><\/li><li><a href=\"#how-rely-comply-structures-edd-operations\">How RelyComply structures EDD operations<\/a><\/li><li><a href=\"#frequently-asked-questions-about-enhanced-due-diligence\">Frequently asked questions about Enhanced Due Diligence<\/a><ul><li><a href=\"#faq-question-1780906555501\">What is the difference between CDD and EDD?<\/a><\/li><li><a href=\"#faq-question-1780906609770\">When is EDD legally required in the UK?<\/a><\/li><li><a href=\"#faq-question-1780906624904\">What documents are required for EDD?<\/a><\/li><li><a href=\"#faq-question-1780906717652\">How often should EDD be reviewed?<\/a><\/li><li><a href=\"#faq-question-1780906739736\">Is the source of funds the same as the source of wealth?<\/a><\/li><li><a href=\"#faq-question-1780906762253\">Who approves an EDD relationship?<\/a><\/li><li><a href=\"#faq-question-1780906800602\">Can EDD be automated?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-are-enhanced-due-diligence-requirements-necessary-in-the-uk\"><strong>Why are enhanced due diligence requirements necessary in the UK?<\/strong><\/h2>\n\n\n\n<p>Enhanced due diligence is a legal requirement under the MLRs 2017, not a discretionary measure. 
Firms that do not apply it where required are not compliant with UK AML laws.<\/p>\n\n\n\n<p>The UK is one of the world&#8217;s largest financial centres and, by extension, one of the most attractive destinations for <a href=\"https:\/\/relycomply.com\/en-gb\/3-stages-in-money-laundering-explained\/\">illicit finance<\/a>. According to the <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/news\/nca-and-fca-publish-priorities-to-combat-biggest-economic-crime-threats\" target=\"_blank\" rel=\"noreferrer noopener\">NCA&#8217;s National Economic Crime Centre<\/a>, <a href=\"https:\/\/www.gov.uk\/government\/news\/rogue-insiders-and-dirty-money-targeted-in-corruption-crackdown\" target=\"_blank\" rel=\"noopener\">over \u00a3100 billion is laundered through or within the UK each year<\/a>, primarily consisting of the proceeds of drugs, fraud, and trafficking. That figure covers only what can be estimated. The actual scale of illicit financial flows passing through UK-regulated firms, property markets, and corporate structures is widely understood to be higher.<\/p>\n\n\n\n<p>The UK&#8217;s response to that exposure is a risk-based framework, not a one-size-fits-all approach. Standard CDD applies to most customers and relationships. Where higher risk is present, the MLRs 2017 require something more. That something more is enhanced due diligence: a deeper, evidence-driven investigation into the customer, their funds, and the nature of the relationship, with senior management accountability for the outcome.<\/p>\n\n\n\n<p>Enhanced due diligence requirements exist because the risk-based approach only functions if the escalation mechanism has teeth. A framework that treats a domestic retail customer and a PEP with cross-border corporate structures identically is not risk-based. 
It is uniform, and uniform controls are exploitable.<\/p>\n\n\n\n<p>The MLRs 2017 specify the circumstances in which enhanced due diligence is required, setting out those customers and circumstances where a higher standard of scrutiny must be applied. The JMLSG guidance, which carries ministerial approval and is the primary operational reference for UK anti-money laundering compliance, is explicit that the risk-based approach requires firms to apply enhanced measures where risk warrants it, and that the decision and its rationale must be documented.<\/p>\n\n\n\n<p>Enhanced due diligence is the point where the UK&#8217;s anti-money laundering regulations move from process to judgment. The obligation is to investigate, evidence, and decide, not simply to collect more documents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"which-regulated-firms-must-apply-enhanced-due-diligence\"><strong>Which regulated firms must apply enhanced due diligence?<\/strong><\/h2>\n\n\n\n<p>Enhanced due diligence requirements apply to all firms within the scope of the MLRs 2017. 
<a href=\"https:\/\/www.legislation.gov.uk\/uksi\/2017\/692\/regulation\/8\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 8<\/a> sets out the complete list of relevant persons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credit institutions:<\/strong> banks, building societies, and credit unions operating in the UK.<\/li>\n\n\n\n<li><strong>Financial institutions: <\/strong>payment institutions, money service businesses (including money remitters and currency exchange providers), electronic money institutions, investment firms, insurance companies carrying out life insurance activities, and consumer credit firms.<\/li>\n\n\n\n<li><strong>Auditors, insolvency practitioners, external accountants, and tax advisers:<\/strong> firms and sole practitioners providing accountancy, audit, tax, or insolvency services by way of business.<\/li>\n\n\n\n<li><strong>Independent legal professionals:<\/strong> solicitors and other legal professionals when carrying out certain financial or real property transactions, such as conveyancing or corporate finance work.<\/li>\n\n\n\n<li><strong>Trust or company service providers (TCSPs): <\/strong>firms that form companies, provide registered office addresses, or act as nominee directors or shareholders.<\/li>\n\n\n\n<li><strong>Estate agents and letting agents:<\/strong> estate agents for all property sales transactions; letting agents where the monthly rent is <a href=\"https:\/\/www.legislation.gov.uk\/ukdsi\/2026\/9780348281743\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a310,000<\/a> or more, and the tenancy term is one month or longer.<\/li>\n\n\n\n<li><strong>High-value dealers:<\/strong> businesses accepting cash payments of \u00a310,000 or more, whether in a single transaction or a series of linked transactions.<\/li>\n\n\n\n<li><strong>Art market participants and auction platforms:<\/strong> galleries, dealers, and intermediaries acting in the sale or purchase of works of art where the transaction 
or series of linked transactions amounts to \u00a310,000 or more. Auction platforms are relevant persons for certain provisions of the MLRs under Regulation 8(3).<\/li>\n\n\n\n<li><strong>Casinos:<\/strong> in scope as a standalone category under Regulation 8(2)(h).<\/li>\n\n\n\n<li><strong>Cryptoasset exchange providers and custodian wallet providers:<\/strong> firms registered with the FCA under <a href=\"https:\/\/www.fca.org.uk\/firms\/cryptoassets-aml-ctf-regime\/cryptoassets-who-needs-register\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 14A of the MLRs 2017<\/a>, sitting in their own category separate from financial institutions.<\/li>\n<\/ul>\n\n\n\n<p>If your firm falls within any of these categories, enhanced due diligence applies where the MLRs 2017 require it. The obligation is not discretionary and cannot be contracted out of or delegated away.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"when-does-enhanced-due-diligence-trigger-the-triggers-compliance-teams-underestimate\"><strong>When does enhanced due diligence trigger? The triggers compliance teams underestimate<\/strong><\/h2>\n\n\n\n<p>Regulation 33 of the MLRs 2017 sets out the mandatory enhanced due diligence triggers. Most policies list them. 
Far fewer policies handle the ambiguous middle ground; the triggers that are matters of risk-based judgement, where firms are routinely caught short in supervisory reviews.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-mandatory-triggers-regulation-33\"><strong>The mandatory triggers (Regulation 33)<\/strong><\/h3>\n\n\n\n<p>Enhanced due diligence is mandatory where any of the following apply:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The customer or counterparty is established in a <a href=\"https:\/\/relycomply.com\/en-gb\/high-risk-countries-enhanced-due-diligence\/\">high-risk third country<\/a> as designated by HM Treasury or the FATF<\/li>\n\n\n\n<li>The customer or beneficial owner is a Politically Exposed Person (PEP), a family member, or a known close associate<\/li>\n\n\n\n<li>The transaction is complex, unusually large, follows an unusual pattern, or has no apparent economic or lawful purpose<\/li>\n\n\n\n<li>The customer has provided false or stolen identification documentation, or there is reason to doubt the veracity of the documents provided<\/li>\n\n\n\n<li>The business relationship is conducted in unusual circumstances, including where there has been a significant and unexplained change in the customer&#8217;s transaction profile<\/li>\n\n\n\n<li>Correspondent banking relationships with third-country credit or financial institutions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-triggers-that-catch-firms-out\"><strong>The triggers that catch firms out<\/strong><\/h3>\n\n\n\n<p>In FCA Final Notices over the last three years, the enhanced due diligence failures cited almost never stem from missing the obvious triggers. They stem from missing the <strong>inferential triggers<\/strong>; situations where higher risk should have been identified through the firm&#8217;s own risk assessment framework, but wasn&#8217;t. 
Examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Geographic risk by transaction flow, not customer domicile.<\/strong> A UK-resident customer transacting heavily into a high-risk jurisdiction triggers EDD even though their KYC profile looks domestic.<\/li>\n\n\n\n<li><strong>Sector risk inherited from beneficial ownership.<\/strong> A low-risk operating company whose UBO sits at the top of a cash-intensive or sanctions-adjacent structure inherits that risk.<\/li>\n\n\n\n<li><strong>Adverse media that does not yet meet the threshold for SAR filing.<\/strong> Reputational red flags from credible sources are EDD triggers even when they do not amount to suspicion of money laundering.<\/li>\n\n\n\n<li><strong>Material changes in customer behaviour.<\/strong> A long-standing low-risk customer whose monthly transaction profile suddenly triples, or who introduces new counterparties in higher-risk corridors, must be re-risked; and the re-risking outcome must be recorded.<\/li>\n\n\n\n<li><strong>Source of wealth ambiguity for high-net-worth customers.<\/strong> Where source of funds is documented but source of wealth is unverified or inconsistent with the customer&#8217;s stated background.<\/li>\n<\/ul>\n\n\n\n<p><strong><em>Operational test: if your trigger framework cannot answer the question &#8216;what would have caused us to escalate this file to EDD?&#8217; for a closed case, your framework is incomplete. Auditors and the FCA reconstruct decisions backwards from outcome to trigger; your file must do the same forwards.<\/em><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-an-enhanced-due-diligence-file-must-actually-contain\"><strong>What an enhanced due diligence file must actually contain<\/strong><\/h2>\n\n\n\n<p>This is where most operational gaps sit. Policies describe the enhanced due diligence process in narrative terms; supervisory reviews and external audits assess the EDD <em>file<\/em>, the artefact left behind. 
A defensible EDD file is structured, evidenced, and decision-traceable. It is not a longer CDD file with more documents stapled to it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"819\" height=\"1024\" src=\"https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-819x1024.jpg\" alt=\"The seven components of a defensible enhanced due diligence file\" class=\"wp-image-5502\" srcset=\"https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-819x1024.jpg 819w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-240x300.jpg 240w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-768x960.jpg 768w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-1229x1536.jpg 1229w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-1638x2048.jpg 1638w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-1-1-scaled.jpg 2048w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-seven-components-of-a-defensible-enhanced-due-diligence-file\"><strong>The seven components of a defensible enhanced due diligence file<\/strong><\/h3>\n\n\n\n<p><strong>1. The trigger record.<\/strong><\/p>\n\n\n\n<p>Which specific trigger fired, when, by whom (or which system), and the supporting data. This is the audit anchor. Without it, every downstream decision is undocumented in its causation.<\/p>\n\n\n\n<p><strong>2. Refreshed and verified customer profile data.<\/strong><\/p>\n\n\n\n<p>Standard CDD data items (identity, address, nature and purpose of relationship) re-verified rather than reused. Stale CDD evidence is one of the most cited findings in JMLSG-aligned reviews.<\/p>\n\n\n\n<p><strong>3. Source of funds (SoF) and source of wealth (SoW) documentation.<\/strong><\/p>\n\n\n\n<p>These are not the same thing. 
SoF documents the origin of the specific funds being transacted (payslips, sale agreements, dividend records, loan agreements). SoW documents the customer&#8217;s accumulated wealth across their financial history (employment history, asset ownership, inheritance, business sale proceeds). For PEPs and high-risk customers, both are required, and both must be evidenced, not asserted by the customer.<\/p>\n\n\n\n<p><strong>4. Beneficial ownership verification, including hidden structures.<\/strong><\/p>\n\n\n\n<p>For corporate customers, enhanced due diligence requires verification of UBOs beyond the basic 25% ownership threshold check. Layered structures, nominee arrangements, and trusts must be unpacked to identify the natural persons exercising ultimate control. Where structures are deliberately opaque, that opacity itself must be documented and explained.<\/p>\n\n\n\n<p><strong>5. Screening output, contemporaneous to the EDD review.<\/strong><\/p>\n\n\n\n<p>Sanctions, PEP, and adverse media screening must be re-run at the point of enhanced due diligence escalation, not relied on from initial onboarding. Screening logs must show the lists used, the matching algorithm, the date and time of the run, and the disposition decision for each hit.<\/p>\n\n\n\n<p><strong>6. Risk rationale and senior management approval.<\/strong><\/p>\n\n\n\n<p>Regulation 35 requires senior management approval to establish or continue a business relationship with a PEP. For other enhanced due diligence cases, internal policy should require equivalent committee or MLRO sign-off. The file must contain the named approver, the date of approval, the rationale supporting approval, and any conditions attached.<\/p>\n\n\n\n<p><strong>7. Ongoing monitoring plan.<\/strong><\/p>\n\n\n\n<p>Enhanced due diligence is not a one-time event. 
The file must specify the enhanced monitoring regime that follows: transaction thresholds, review cadence, escalation rules, and evidence that the regime has actually been applied since the EDD decision was made.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-fca-enforcement-teaches-us-about-enhanced-due-diligence-failures\"><strong>What FCA enforcement teaches us about enhanced due diligence failures<\/strong><\/h2>\n\n\n\n<p>FCA Final Notices are the most concrete training material available to compliance teams. The <a href=\"https:\/\/relycomply.com\/en-gb\/anti-money-laundering-fines-uk-and-sa\/\">fines<\/a> themselves matter less than the <a href=\"https:\/\/relycomply.com\/en-gb\/the-fca-compliance-shift\/\">operational failures<\/a> they describe; those failures are the playbook for what to fix.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.fca.org.uk\/news\/press-releases\/fca-fines-starling-bank-failings-financial-crime-systems-and-controls\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a329 million fine against Starling Bank in October 2024<\/a> centred on systems and controls weaknesses, including inadequate screening against the full sanctions list and onboarding controls that did not scale with growth. The lesson for EDD operators is that controls that function at one volume cease to function at the next, and the absence of periodic re-validation against actual transaction volumes is itself a finding.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.fca.org.uk\/news\/press-releases\/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a364 million fine against HSBC in December 2021<\/a> included findings on transaction monitoring scenarios that had not been calibrated to actual risk, and EDD reviews that were completed without verifying the rationale for unusual activity. 
The takeaway: an EDD file that documents the activity but not the verified explanation for it is operationally incomplete.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.fca.org.uk\/news\/press-releases\/natwest-fined-264.8million-anti-money-laundering-failures\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a3107.7 million fine against NatWest in December 2021<\/a>, the first criminal AML prosecution of a UK bank, turned on the fact that the firm&#8217;s <a href=\"https:\/\/relycomply.com\/en-gb\/aml-transaction-monitoring\/\">automated transaction monitoring<\/a> did not detect or escalate cash deposits that were clearly inconsistent with the customer profile. Enhanced due diligence frameworks that depend on customers self-declaring change in activity, rather than systems detecting it, are structurally exposed.<\/p>\n\n\n\n<p><strong><em>Common thread across these cases: the failure is not in policy. The failure is in the gap between policy and operational execution at scale. EDD frameworks that work for 50 high-risk reviews a year fall apart at 500.<\/em><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"building-audit-ready-enhanced-due-diligence-what-reviewers-actually-look-for\"><strong>Building audit-ready enhanced due diligence: what reviewers actually look for<\/strong><\/h2>\n\n\n\n<p>Whether the reviewer is an internal auditor, an external assurance firm, a Section 166 skilled person, or the FCA itself, the questions asked of enhanced due diligence files are remarkably consistent. 
Building for these questions is more effective than building for the policy document alone.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-five-questions-every-enhanced-due-diligence-file-must-answer\"><strong>The five questions every enhanced due diligence file must answer<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Why was this customer escalated to EDD?<\/strong> The trigger must be identifiable, dated, and tied to a specific data point or event, not a generalised &#8216;high-risk customer&#8217; label.<\/li>\n\n\n\n<li><strong>What additional information was obtained, and from where?<\/strong> The file must distinguish between customer-provided information and independently verified information. Reviewers test the chain of evidence.<\/li>\n\n\n\n<li><strong>Who approved the relationship, and on what basis?<\/strong> Named approver, dated approval, documented rationale, and conditions. &#8216;Approved&#8217; as a status flag is not approval.<\/li>\n\n\n\n<li><strong>How has the relationship been monitored since escalation?<\/strong> Evidence of executed monitoring (alerts reviewed, transactions analysed, periodic reviews completed), not just monitoring rules defined.<\/li>\n\n\n\n<li><strong>When will this EDD decision be reviewed?<\/strong> Review cadence must be defined, scheduled, and traceable to actual review events. 
Lapsed reviews are findings in their own right.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-artefacts-that-signal-maturity\"><strong>The artefacts that signal maturity<\/strong><\/h3>\n\n\n\n<p>Beyond the basic file contents, the artefacts that distinguish mature enhanced due diligence programmes from compliant-on-paper programmes are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Decision logs that pre-date outcomes.<\/strong> Approval committees should record their reasoning at the point of decision, not after the customer becomes a problem.<\/li>\n\n\n\n<li><strong>Dissent recorded.<\/strong> Where committee members disagreed, the disagreement and its resolution must be in the record. Unanimous approval boilerplate is a red flag in itself.<\/li>\n\n\n\n<li><strong>Negative findings retained.<\/strong> Searches that returned no results, screening runs that produced no hits; the file must show the searches were run, not just that they produced clean outcomes.<\/li>\n\n\n\n<li><strong>Linkage to suspicious activity reporting.<\/strong> Where enhanced due diligence review uncovers reportable activity, the SAR reference, filing date, and continuing relationship rationale must be in the EDD file.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"scaling-enhanced-due-diligence-without-breaking-onboarding\"><strong>Scaling enhanced due diligence without breaking onboarding<\/strong><\/h2>\n\n\n\n<p>The hardest operational problem in modern AML programmes is not whether to perform enhanced due diligence. 
It is how to perform EDD at the volumes regulated firms now process, particularly for payments firms, building societies, and digital-first banks where customer growth and risk profile change quarterly.<\/p>\n\n\n\n<p>Three structural failures cause enhanced due diligence programmes to break at scale:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"536\" src=\"https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-1024x536.jpg\" alt=\"The 3 structural failures that cause enhanced due diligence programmes to break at scale\" class=\"wp-image-5504\" srcset=\"https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-1024x536.jpg 1024w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-300x157.jpg 300w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-768x402.jpg 768w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-1536x804.jpg 1536w, https:\/\/relycomply.com\/wp-content\/uploads\/2026\/06\/IN-ARTICLE-IMAGE-2-1-2048x1072.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"failure-1-manual-file-assembly\"><strong>Failure 1: Manual file assembly<\/strong><\/h3>\n\n\n\n<p>Where EDD files are assembled from scratch in shared drives, by analysts copying from multiple systems, the file becomes a function of the analyst&#8217;s diligence rather than the policy&#8217;s design. Files become inconsistent, evidence becomes uncited, and audit-readiness becomes a remediation project rather than an output.<\/p>\n\n\n\n<p>The fix is structural: <a href=\"https:\/\/relycomply.com\/en-gb\/aml-case-management\/\">Enhanced due diligence files should be assembled by the system from systems-of-record<\/a>, not by analysts from screenshots. 
Manual analyst input should be confined to judgement and approval, not document gathering.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"failure-2-trigger-detection-that-depends-on-the-analyst\"><strong>Failure 2: Trigger detection that depends on the analyst<\/strong><\/h3>\n\n\n\n<p>Where enhanced due diligence triggers depend on an analyst noticing (during review, during onboarding, during periodic refresh) that a higher-risk indicator is present, the system has externalised regulatory responsibility to individual judgement. This is the structural exposure NatWest was fined for. Risk triggers must be detected by rules and models, with analysts confirming and adjudicating, not detecting from cold.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"failure-3-ongoing-monitoring-that-is-defined-but-not-executed\"><strong>Failure 3: Ongoing monitoring that is defined but not executed<\/strong><\/h3>\n\n\n\n<p>Enhanced monitoring regimes are written into EDD outcomes routinely. They are executed unevenly. When a customer&#8217;s EDD review specifies &#8216;monthly transaction monitoring with 50% threshold reduction&#8217;, the file must show, twelve months later, that twelve monitoring reviews actually took place. The gap between defined regime and executed regime is where firms lose enforcement defences.<\/p>\n\n\n\n<p><strong><em>Scaling enhanced due diligence is a tooling problem, not a headcount problem. Firms that respond to volume by adding analysts produce more files of varying quality. Firms that respond by structuring the file assembly process produce consistent files regardless of volume.<\/em><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"edd-vs-cdd-the-distinction-that-matters-operationally\"><strong>EDD vs CDD: the distinction that matters operationally<\/strong><\/h2>\n\n\n\n<p>Many internal training materials treat EDD as &#8216;CDD plus more documents&#8217;. 
Operationally, the distinction is sharper than that.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CDD verifies identity and assesses risk.<\/strong> The default state for the customer relationship.<\/li>\n\n\n\n<li><strong>EDD investigates, mitigates, and authorises.<\/strong> A specific intervention triggered by elevated risk, requiring senior management approval and producing enhanced ongoing monitoring.<\/li>\n<\/ul>\n\n\n\n<p>A useful mental model: CDD is the customer&#8217;s file. EDD is the firm&#8217;s documented decision to accept and manage risk that exceeds the firm&#8217;s baseline risk appetite. The two have different audiences. The CDD file answers &#8216;who is the customer?&#8217; The EDD file answers \u2018Why is the firm comfortable holding this relationship despite the risk it carries?&#8217;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-rely-comply-structures-edd-operations\"><strong>How RelyComply structures EDD operations<\/strong><\/h2>\n\n\n\n<p>RelyComply&#8217;s <a href=\"https:\/\/relycomply.com\/en-gb\/aml-compliance-solutions-2\/\">AML platform<\/a> is built around the operational reality that EDD is where compliance programmes fail under pressure. 
The platform structures EDD as a workflow rather than a status, with system-detected triggers, evidence-driven file assembly, and structured approval routing; so the file produced is consistent regardless of analyst or volume.<\/p>\n\n\n\n<p>Specifically, the platform addresses the three failure modes described above: triggers fire from rules and models rather than analyst observation; files are assembled from systems-of-record, so evidence is sourced rather than re-captured; and enhanced monitoring regimes defined in the EDD outcome are scheduled, executed, and traceable in the same system.<\/p>\n\n\n\n<p>To explore how RelyComply supports operational EDD at scale, <a href=\"https:\/\/relycomply.com\/en-gb\/arrange-a-demo\/\">book a platform walkthrough<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"frequently-asked-questions-about-enhanced-due-diligence\"><strong>Frequently asked questions about Enhanced Due Diligence<\/strong><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1780906555501\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>What is the difference between CDD and EDD?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p><a href=\"https:\/\/relycomply.com\/en-gb\/kyc-and-kyb\/\">CDD (Customer Due Diligence) is the baseline identity verification <\/a>and risk assessment performed for all customers. EDD (Enhanced Due Diligence) is the heightened set of measures applied where standard CDD has identified higher risk; particularly for PEPs, customers from high-risk jurisdictions, complex or unusually large transactions, or relationships conducted in unusual circumstances. 
EDD requires senior management approval and enhanced ongoing monitoring.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906609770\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>When is EDD legally required in the UK?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Regulation 33 of the <a href=\"https:\/\/www.legislation.gov.uk\/uksi\/2017\/692\/contents\" target=\"_blank\" rel=\"noopener\">MLRs 2017<\/a> sets out the mandatory triggers: business relationships or transactions involving high-risk third countries, PEPs (and family members or close associates), complex or unusually large transactions with no apparent economic purpose, customers with false or stolen identification, and correspondent banking relationships with third-country institutions. Firms must also apply EDD where their own risk assessment indicates higher risk, even outside these specific categories.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906624904\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">What documents are required for EDD?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>An EDD file should contain: the trigger record, refreshed customer identification, source of funds and source of wealth documentation, beneficial ownership verification (including for layered structures), contemporaneous screening output, named senior management approval with rationale, and a defined enhanced ongoing monitoring plan. The file must be a decision artefact, not just a collection of documents.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906717652\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">How often should EDD be reviewed?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>There is no fixed regulatory cadence, but EDD relationships are typically reviewed annually as a minimum, with higher-risk relationships (PEPs, high-risk jurisdictions) reviewed every six months. 
The review cadence should be specified in the EDD outcome itself, scheduled, and evidenced in the file. Lapsed reviews are themselves a regulatory finding.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906739736\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Is the source of funds the same as the source of wealth?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>No. Source of funds documents the origin of the specific funds being transacted (a payslip, a sale agreement, a loan). Source of wealth documents how the customer accumulated their overall wealth across their financial history. For PEPs and high-risk customers, both are required, and both must be independently evidenced rather than relying on customer self-declaration.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906762253\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Who approves an EDD relationship?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Under Regulation 35 of the <a href=\"https:\/\/www.legislation.gov.uk\/uksi\/2017\/692\/contents\" target=\"_blank\" rel=\"noopener\">MLRs 2017<\/a>, senior management approval is mandatory for PEP relationships. For other EDD cases, firms should require equivalent committee-level or MLRO sign-off as a matter of internal policy. The approver must be named, the approval dated, the rationale documented, and any conditions attached recorded in the file.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1780906800602\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Can EDD be automated?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Parts of it. Trigger detection, evidence gathering from systems-of-record, screening, monitoring rule execution, and audit trail generation can be automated and should be. Risk judgement, decision approval, and the rationale for accepting elevated risk remain human responsibilities. 
The goal of automation is to make the file consistent and complete, not to remove judgment from the process.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enhanced due diligence (EDD) is a more intensive form of Customer Due Diligence (CDD), applied under the UK&#8217;s risk-based approach to anti-money laundering when a customer, transaction, or business relationship presents a higher risk. For compliance teams asking \u201cwhat is enhanced due diligence\u201d in practical terms: it is the point at which standard identity verification &hellip; <a href=\"https:\/\/relycomply.com\/en-gb\/enhanced-due-diligence-requirements-uk\/\">Continued<\/a><\/p>\n","protected":false},"author":14,"featured_media":5503,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[53],"tags":[],"class_list":["post-5501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-en-gb"],"acf":[],"_links":{"self":[{"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/posts\/5501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/comments?post=5501"}],"version-history":[{"count":3,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/posts\/5501\/revisions"}],"predecessor-version":[{"id":5509,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/posts\/5501\/revisions\/5509"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/media\/5503"}],"wp:attachment":[{"href":"h
ttps:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/media?parent=5501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/categories?post=5501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/relycomply.com\/en-gb\/wp-json\/wp\/v2\/tags?post=5501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}