What’s the difference between CDD and EDD blog image

Customer due diligence (CDD) and enhanced due diligence (EDD) are different tiers of know your customer (KYC) processes completed by businesses on their customers. They’re mandated by regulatory organizations for many different industries, but are most prevalent across financial services. Regulation varies both depending on where in the world you are and in which industry you operate – and you should always seek local advice depending on your specific circumstances – but there are some broad similarities regardless of geography and industry.

Businesses must comply with CDD and EDD requirements or face AML fines or regulatory penalties, like license suspensions or revocations. According to Fenergo regulators issued $5.37 billion of AML fines in 2021. But what’s the difference between CDD and EDD, and when should businesses use one, versus the other? Let’s dive into the differences.


CDD and EDD are types of KYC processes. CDD involves identifying the customer by checking provided data against databases, or solutions such as document and biometric check. This is typically required at account opening and to enable high-risk transactions.

If a customer is judged to be low risk, they might also only be subject to simplified customer due diligence, where the only requirement is to identify the customer, but not verify their identity.  

EDD is required as an additional type of step-up KYC process for customers who are deemed to be high-risk. A customer may be deemed high-risk due to their location, profession or political exposure. The requirements for completing EDD vary based on local regulation, but it is commonly required if entering into a business relationship with a politically exposed person (PEP), if the transaction involves a person from a high-risk or sanctioned country, or any other situation where there is increased risk of money laundering.

What is enhanced due diligence (EDD)?

Enhanced due diligence is like a second layer of customer due diligence. In simple terms, EDD typically involves a few basic steps:

  1. Identifying specific customers or users to investigate more thoroughly, based on a risk-based approach.
  2. Collecting additional documentation and/or performing additional KYC and AML checks to further verify the user.
  3. Determining next steps to protect the company, its customers, and its data and other assets from unauthorized transactions or other forms of fraud.

When is EDD needed?

The threshold for needing to conduct EDD varies depending on industry and geography. For financial services, the FATF (Financial Action Task Force) has outlined recommendations that seek to standardize the international response to prevent money-laundering and terrorist financing.

One particular provision from the FATF is that politically exposed persons (PEPs) are classed as high-risk because they are at disproportionate risk of being abused for the purposes of money laundering. This means that institutions are required to verify their source of funds (SOF), and possibly ongoing checks to continue to monitor for suspicious activity that may indicate illegal activity. One such check is transaction monitoring, paying particular attention to any discrepancies between the projected value of goods and services,  and the amount actually paid – which may indicate suspicious activity. Additional types of transaction monitoring are velocity rules that monitor whether spending is within an expected pattern, and screening for high-risk merchants. 

Businesses may also be required to undertake adverse media checks, so they are aware of any established links to organized crime or previous links to financial crime. 

Institutions are also required to keep records to remain compliant, but the time they need to be kept for, and level of detail that needs to be retained is dependent on local regulation.

How to navigate EDD?

There are a number of ways to comply with EDD requirements which are dependent on specific circumstances. But, a favored approach is risk scoring – whereby a business assesses and scores the risk of a potential customer by looking at different risk factors, which might be customer or geography based.

Example customer risk factors:

  • Do they operate a cash intensive business?
  • Are they politically exposed? 

Example geographical risk factors – are they located in:

  • Countries without sufficient AML (anti-money laundering) and combating the finance of terrorism (CFT) regulation
  • Non-FATF member country
  • Countries facing sanctions and embargoes
  • Countries with a reputation for extensive levels of corruption
  • Countries blacklisted for financing or supporting terrorist activities

If a customer is then judged to require EDD checks, a business may look at:

  • Background information
  • Source of funds
  • Source and structure of wealth
  • Adverse media screening

Why are CDD and EDD necessary? 

CDD and EDD checks are mandated by global and local regulation. At their heart CDD and EDD checks are designed to disrupt criminal activity by preventing illegal activities such as fraud, money laundering and terrorist financing.

How does Onfido fit into your regtech stack?

We specialize in remote customer identity verification – ensuring that a potential customer is who they say they are. Our suite of identity checks enables businesses to verify customer identity using ID recordproof of addressidentity document and biometric checks. We also provide watchlist checks on an immediate and ongoing basis – so businesses can identify politically exposed persons (PEPs) and persons subject to sanctions. We continually refresh and index our data sources at minimum every 24 hours, so businesses are kept up to date if they need to conduct ongoing monitoring. We help over 1,500 businesses worldwide navigate regulatory requirements, grow into new markets, prevent fraud and offer users a smooth, fast experience.

Interested in learning more about how identity verification enables effective CDD and EDD?

Our compliance manager's guide features a rundown of the global regulatory landscape, best practices for due diligence workflows, and what to look for in a technology partner.

Read the guide