Enhanced Due Diligence Checklist That Holds Up

February 11, 2026

When a prospective client looks commercially attractive but trips your high-risk flags, the real question is not whether you can onboard them. It is whether you can defend the decision six months later – to your auditor, your board, and your regulator – with a clear narrative and evidence trail.

Enhanced Due Diligence (EDD) is where many programmes wobble. Not because teams do nothing, but because they do “more” in an inconsistent way: extra documents collected without a clear purpose, open-source checks saved as screenshots with no context, or risk rationales that do not connect to the firm’s Business Risk Assessment (BRA) and controls.

This practical guide sets out an enhanced due diligence checklist that is designed for defensibility: risk-based, proportionate, and usable across financial services, fintech, payment businesses, corporate service providers, and other subject persons.

What “enhanced” should mean in practice

EDD is not a bigger pile of KYC. It is a deeper test of whether the risk you have identified is understood, mitigated, and acceptable within your risk appetite.

That means your EDD should do three things. First, confirm identity and beneficial ownership where complexity or opacity is present. Second, establish source of wealth and source of funds to a standard that matches the risk. Third, produce a documented rationale for your go/no-go decision, including the specific controls you will rely on after onboarding.

There is a trade-off. Over-collecting information slows onboarding and frustrates legitimate clients. Under-collecting increases the chance of accepting proceeds of crime, missing sanctions exposure, or failing to detect an undisclosed PEP link. The aim is not perfection, but proportionality with evidence.

When to trigger EDD (so it is consistent)

Most firms list triggers such as PEPs, high-risk jurisdictions, complex structures, cash-intensive businesses, and adverse media. The operational gap is that triggers are applied differently by different teams or channels.

To make EDD consistent, define triggers in your policy in a way that can be tested. For example, “complex structure” should be tied to objective indicators (multi-layer ownership, nominee arrangements, trusts with unclear controllers, frequent changes in ownership). “Adverse media” should specify materiality (credible allegations of financial crime, corruption, sanctions evasion, fraud, organised crime links) and recency.

It also depends on your product and delivery model. A low-value, low-velocity product may justify narrower EDD even with a risk flag, whereas private wealth, cross-border payments, or corporate formation will often justify deeper EDD at a lower threshold. Your BRA is the anchor point for that calibration.

Enhanced due diligence checklist (risk-based)

The checklist below is best used as a structured case file. You do not need every element for every case, but you should be able to show why each step was included or not.

1) Confirm the trigger and scope

Start the EDD file with a short statement of what triggered EDD and what you are trying to validate. This avoids drifting into irrelevant data collection.

Document the initial risk rating, the factors driving it (geography, product, delivery channel, client type, transaction profile), and the specific hypotheses you need to test. For example: “Confirm whether beneficial ownership is genuine and whether declared wealth is consistent with known business activities.”

2) Identity and ownership – go beyond the basics

For individuals, verify identity using reliable, independent sources, and check for inconsistencies across documents, addresses, and digital footprint.

For legal persons, the EDD step is to evidence control, not just legal ownership. Capture the full ownership chain to natural persons, including intermediate entities, and document where information comes from (register extracts, constitutional documents, shareholder registers, trust deeds).

Where there are trusts, nominees, foundations, or partnerships, explicitly identify settlor(s), trustee(s), protector(s), beneficiaries, and any other person exercising control. If you cannot establish controllers clearly, that is not an “EDD pending” note – it is a decision point.
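As an added illustration of tracing a chain to natural persons (this is example code written for this article, not a tool the page or any vendor provides), the function below walks a constructed ownership graph, multiplies percentages along each path, sums the effective stake per natural person, and turns an unevidenced controller into a recorded finding rather than a silent gap. The 25% threshold, the entity names and the holdings are all assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Holding:
    holder: str   # who holds the stake
    pct: float    # percentage of the subject entity held by `holder`
    source: str   # evidence the figure was taken from (register extract, shareholder register, ...)


# Constructed sample chain for the example (not a real client).
# Natural persons appear only as holders, never as keys.
NATURAL_PERSONS = {"Ana Pires", "Ivan Kovač"}
OWNERSHIP = {
    "TargetCo Ltd": [Holding("HoldCo BV", 60.0, "register extract"),
                     Holding("Ana Pires", 40.0, "shareholder register")],
    "HoldCo BV": [Holding("Kovač Family Trust", 50.0, "constitutional documents"),
                  Holding("Ivan Kovač", 50.0, "shareholder register")],
    "Kovač Family Trust": [],   # trust deed not yet obtained: controllers unevidenced
}


def resolve_ubos(entity, ownership=OWNERSHIP, natural_persons=NATURAL_PERSONS, threshold=25.0):
    """Walk the chain from `entity`, multiplying percentages along each path and
    summing the effective stake per natural person. Returns the effective stakes,
    the persons at or above `threshold` (an assumed, illustrative cut-off), the
    share of the entity that could not be traced to a person, and findings."""
    effective = {}
    findings = []

    def walk(node, share, path):
        if node in natural_persons:
            effective[node] = effective.get(node, 0.0) + share
            return
        if node in path:   # cross-holdings would loop forever; record and stop
            findings.append("circular holding: " + " -> ".join(path + [node]))
            return
        holders = ownership.get(node) or []
        if not holders:    # a decision point, not an "EDD pending" note
            findings.append(f"controllers of {node} not evidenced ({share:.1f}% of {entity} unresolved)")
            return
        total = sum(h.pct for h in holders)
        if abs(total - 100.0) > 0.01:
            findings.append(f"holdings in {node} sum to {total:.1f}%, not 100%")
        for h in holders:
            walk(h.holder, share * h.pct / 100.0, path + [node])

    walk(entity, 100.0, [])
    ubos = sorted(person for person, stake in effective.items() if stake >= threshold)
    return {"effective": effective, "ubos": ubos,
            "unresolved_pct": 100.0 - sum(effective.values()), "findings": findings}


if __name__ == "__main__":
    result = resolve_ubos("TargetCo Ltd")
    for person, stake in sorted(result["effective"].items()):
        print(f"{person}: {stake:.1f}% effective")
    print("UBOs at threshold:", result["ubos"])
    print(f"unresolved: {result['unresolved_pct']:.1f}%")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run as written, the sample resolves Ana Pires to 40% and Ivan Kovač to 30% (50% of the 60% held through HoldCo BV), and records that 30% of TargetCo Ltd cannot be attributed because the trust's controllers are not evidenced. That unresolved figure is what the go/no-go rationale has to address.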

3) Purpose and intended nature – make it testable

Ask for a clear explanation of why the relationship exists and what “normal” looks like. The objective is to create a baseline for ongoing monitoring.

Record expected activity in plain terms: typical counterparties, expected jurisdictions, anticipated volumes and frequency, and any use of third parties. Where a client’s stated purpose is vague (“investment”, “consultancy”, “trading”), challenge it until you can map it to observable activity.

4) Source of funds (SoF) – transaction-level credibility

SoF is about the money used for the specific relationship or transaction. Evidence should be recent and linkable.

Depending on the scenario, SoF evidence might include bank statements showing accumulation, sale agreements, dividend vouchers, loan agreements (with lender due diligence where relevant), or completion statements for asset sales. The key is to connect the dots: the document should show origin, ownership, and movement of funds.

If funds come from a third party, treat that as a separate risk event. Identify the third party, establish the relationship and rationale, and consider whether you are effectively onboarding an additional party.

5) Source of wealth (SoW) – overall plausibility

SoW explains how the client became wealthy over time. It is inherently broader and often more judgement-based than SoF.

For higher-risk clients, SoW should be supported by independent evidence such as audited financial statements, company sale documentation, public appointments and remuneration records (where applicable), verifiable business ownership history, or reputable reporting on legitimate business activity. Where wealth is said to come from high-risk sectors or jurisdictions, raise the evidential bar.

Beware of “circular” narratives: wealth explained by a company that you cannot substantiate, or by “investments” with no clear origin. If the story cannot be evidenced at a level proportionate to the risk, record that as a constraint and reassess whether the relationship fits your risk appetite.

6) PEP, sanctions, and adverse media – quality over volume

EDD should include screening that is fit for purpose, but the differentiator is how you assess results.

For PEPs, record the role, seniority, jurisdiction, influence, and proximity (direct PEP, family member, close associate). Then tie it to corruption risk, procurement exposure, and expected transaction types. Apply senior management approval where required, and set specific monitoring expectations.

For sanctions, document exact matches vs false positives, including the identifiers used to confirm or discount each hit (date of birth, nationality, address). Do not rely on a single spelling: screen transliteration variants, diacritics, and reordered name parts, and record which variant produced the hit.
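The following is an added example (written for this article, not a screening product's code) of what "do not rely on a single spelling" and "document the identifiers used" look like when implemented. It normalises names (diacritics, punctuation, particles such as "Al"), compares tokens by a crude consonant skeleton so that "Mohammed", "Muhammad" and "Mohamed" collide, and then uses date of birth and nationality to classify each hit as corroborated, unverified, or discounted with a recorded reason. The watchlist entries, the subject, the match thresholds (two common tokens, score 0.6) and the skeleton heuristic are all assumptions for the illustration, not a production-grade matcher.

```python
import re
import unicodedata

# Standalone particles dropped before comparison (assumed list for the example)
PARTICLES = {"al", "el", "bin", "ibn", "bint", "abu"}
VOWELS = "aeiou"

# Constructed watchlist and subject for the example; no real persons.
WATCHLIST = [
    {"id": "L-001", "name": "Muhammad Alrashid", "aliases": ["Mohamed Al Rashid"],
     "dob": "1975-03-14", "nationalities": ["SY"]},
    {"id": "L-002", "name": "Mohammed Al-Rashid", "aliases": [],
     "dob": "1988-11-02", "nationalities": ["JO"]},
    {"id": "L-003", "name": "Ivan Kovač", "aliases": [], "dob": None, "nationalities": ["HR"]},
]
SUBJECT = {"name": "Al Rashid, Mohammed", "dob": "1975-03-14", "nationalities": ["SY", "DE"]}


def exact_match(a, b):
    """The single-spelling comparison the text warns against; shown for contrast."""
    return a.strip().lower() == b.strip().lower()


def normalize(name):
    """Strip diacritics ("Kovač" -> "kovac"), turn punctuation into spaces, drop particles."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z]+", " ", ascii_name.lower()).split()
    return [t for t in tokens if t not in PARTICLES]


def skeleton(token):
    """Crude consonant skeleton: drop vowels, collapse doubled letters ("mohammed" -> "mhmd")."""
    out = []
    for c in token:
        if c not in VOWELS and (not out or out[-1] != c):
            out.append(c)
    return "".join(out)


def tokens_match(a, b):
    sa, sb = skeleton(a), skeleton(b)
    # "alrashid" written as one word leaves a leading "l" in the skeleton; treat it as the article
    return bool(sa and sb) and (sa == sb or sa == "l" + sb or sb == "l" + sa)


def name_score(subject_tokens, entry_tokens):
    """Greedy one-to-one token pairing; returns (common tokens, share of the longer name matched)."""
    remaining = list(entry_tokens)
    common = 0
    for t in subject_tokens:
        for i, u in enumerate(remaining):
            if tokens_match(t, u):
                common += 1
                del remaining[i]
                break
    return common, common / max(len(subject_tokens), len(entry_tokens), 1)


def screen(subject, watchlist, min_common=2, min_score=0.6):
    subject_tokens = normalize(subject["name"])
    results = []
    for entry in watchlist:
        names = [entry["name"]] + entry.get("aliases", [])
        common, score = max((name_score(subject_tokens, normalize(n)) for n in names), key=lambda x: x[1])
        identifiers, contradiction, corroborated = [], False, False
        if subject.get("dob") and entry.get("dob"):
            same = subject["dob"] == entry["dob"]
            identifiers.append(("dob", "match" if same else "mismatch"))
            contradiction, corroborated = contradiction or not same, corroborated or same
        if subject.get("nationalities") and entry.get("nationalities"):
            overlap = set(subject["nationalities"]) & set(entry["nationalities"])
            identifiers.append(("nationality", "match" if overlap else "no overlap"))
            corroborated = corroborated or bool(overlap)   # non-overlap is not a hard contradiction
        if common < min_common or score < min_score:
            status = "no_match"
        elif contradiction:
            status = "discounted"                    # name hit, but a hard identifier contradicts
        elif corroborated:
            status = "potential_match_corroborated"  # escalate
        else:
            status = "potential_match_unverified"    # escalate; obtain identifiers
        results.append({"id": entry["id"], "name_score": round(score, 2),
                        "identifiers": identifiers, "status": status})
    return results


if __name__ == "__main__":
    print("single-spelling match:", exact_match(SUBJECT["name"], WATCHLIST[0]["name"]))
    for r in screen(SUBJECT, WATCHLIST):
        print(r)
```

Against the sample subject, a plain string comparison misses L-001 entirely, while the variant-aware matcher hits both L-001 and L-002 on the name and then separates them: L-001 is corroborated by date of birth and nationality, L-002 is discounted because the date of birth differs, and the file records exactly which identifiers drove each outcome.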

For adverse media, prioritise credibility and relevance. Capture the allegation, source, date, and whether it relates to financial crime or predicate offences. Then document your assessment: what was corroborated, what remains unverified, and what mitigating controls you can realistically apply.

7) Jurisdiction and delivery channel risk – explain the impact

If the client is connected to higher-risk jurisdictions, record the connection type (residency, incorporation, operations, counterparties, funds flow). A country flag alone is not a conclusion.

For non-face-to-face onboarding, document how you addressed impersonation risk and document fraud. This might include enhanced biometric checks, liveness tests, additional corroboration of address, or verification of company representatives through independent contact points.

8) Behavioural and consistency checks – find contradictions early

EDD should include a structured consistency review. Compare what the client says across onboarding forms, supporting documents, and external checks.

Look for mismatches in ownership percentages, dates, director histories, address timelines, and the logic of the transaction. One inconsistency may be explainable. Multiple small inconsistencies often point to a broader integrity issue.
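The structured consistency review described above, as an added example written for this article (not a tool the page describes): each fact in the case file carries the value every source gave for it, values are normalised so that "60" and "60.0" or two spellings of one address do not raise noise, genuine disagreements are recorded per field, one cross-field rule catches a director appointment that predates incorporation, and the number of findings drives the outcome. The case file, the address normalisation and the escalation rule (two or more findings) are assumptions for the illustration.

```python
import re
from datetime import date

# Constructed case file for the example: field -> {source: stated value}
CLAIMS = {
    "ownership_pct:HoldCo BV": {"onboarding form": "60", "register extract": "60.0",
                                "shareholder register": "55"},
    "incorporation_date": {"onboarding form": "2015-06-01", "register extract": "2015-06-01"},
    "director_since:Ivan Kovač": {"onboarding form": "2014-01-15", "register extract": "2016-02-01"},
    "registered_address": {"onboarding form": "12 Harbour St, Valletta",
                           "register extract": "12, Harbour Street, Valletta"},
}


def canonical(field, value):
    """Normalise a stated value so that only real differences count as mismatches."""
    if field.startswith("ownership_pct"):
        return float(value)
    if field.endswith("_date") or field.startswith("director_since"):
        return date.fromisoformat(value)
    # addresses: lowercase, expand one common abbreviation, drop punctuation, collapse spaces
    text = value.lower().replace("street", "st")
    return " ".join(re.sub(r"[^\w\s]", " ", text).split())


def reconcile(claims):
    """Return one finding per field whose sources disagree, plus cross-field contradictions."""
    findings = []
    values = {field: {src: canonical(field, v) for src, v in by_source.items()}
              for field, by_source in claims.items()}
    for field, by_source in values.items():
        if len(set(by_source.values())) > 1:
            stated = ", ".join(f"{src}={val}" for src, val in by_source.items())
            findings.append(f"{field}: sources disagree ({stated})")
    # cross-field rule: nobody can be appointed director before the company exists
    incorporated = values.get("incorporation_date", {})
    if incorporated:
        earliest_possible = min(incorporated.values())
        for field, by_source in values.items():
            if field.startswith("director_since"):
                for src, appointed in by_source.items():
                    if appointed < earliest_possible:
                        findings.append(f"{field}: {src} gives {appointed}, before incorporation on {earliest_possible}")
    return findings


def assess(findings):
    """One inconsistency may be explainable; several point to an integrity issue (assumed rule)."""
    if not findings:
        return "consistent"
    return "explain" if len(findings) == 1 else "escalate"


if __name__ == "__main__":
    found = reconcile(CLAIMS)
    for f in found:
        print("finding:", f)
    print("outcome:", assess(found))
```

On the sample file the address variants reconcile cleanly, the ownership percentage and the appointment date each produce a finding, the 2014 appointment is also flagged against the 2015 incorporation, and three findings together move the case to escalation rather than to a one-line "client explained".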

9) Controls and conditions – decide how you will manage the risk

A defensible EDD file does not stop at “risk noted”. It sets out what will happen next.

If you onboard, specify conditions such as transaction limits, restricted corridors, additional approval gates, periodic SoW refreshes, tighter alert thresholds, or review cycles aligned to risk. If certain mitigations are not feasible operationally, say so and adjust the decision.

If you decline or exit, document the reason in risk terms, not commercial terms. Ensure the file makes sense to an independent reviewer.

10) Approval, record keeping, and audit trail

EDD lives or dies on its audit trail. Ensure the case file includes who performed the review, who approved it, when decisions were made, and what evidence was relied upon.

Senior management approval should be meaningful. Give approvers a short decision pack: trigger, key risks, evidence highlights, open issues, and proposed mitigations. If approvers routinely sign without challenge, regulators will see it as a control failure.

Common failure points regulators and auditors pick up

Most issues are not about missing one document. They are about weak reasoning.

A frequent gap is “SoW/SoF collected” with no assessment of plausibility. Another is heavy reliance on client-provided documents without independent corroboration, particularly where structures are complex or jurisdictions are higher risk.

Teams also struggle with adverse media – either ignoring it, or treating any negative article as disqualifying without analysis. The defensible approach is to show that you assessed credibility, relevance, and mitigations, and that you escalated where appropriate.

Finally, EDD often fails to translate into ongoing monitoring. If a client is high risk at onboarding, it is not logical to monitor them like everyone else.

Making the checklist operational (without slowing the business)

To keep EDD proportionate, separate “core EDD” from “case-dependent EDD”. Core EDD is what you do every time the trigger is met. Case-dependent EDD is chosen based on the risk hypothesis you need to test.

It also helps to standardise write-ups. A good EDD narrative is short, specific, and evidence-led. It states what you found, what you could not verify, what you did about it, and why the residual risk is acceptable or not.

If you need an external perspective to tune triggers, strengthen SoW/SoF assessments, or pressure-test case files before an audit, Complipal supports firms with due diligence reviews, compliance programme improvements, and internal control testing designed to stand up to scrutiny.

A useful discipline is to ask, before you onboard: if this relationship goes wrong, what will the file show that you knew at the time, and what will it show that you reasonably did about it? Build your EDD so the answer is clear, calm, and evidence-backed.