Enhanced due diligence for high-risk customers is the deeper layer of investigation that financial institutions apply when a client's profile, location, or activity carries a higher risk of money laundering, fraud, or sanctions exposure. It goes beyond standard identity checks to examine the source of funds, beneficial ownership, and ongoing transaction behavior. For US compliance teams, EDD is not optional. It is a core requirement under the Bank Secrecy Act, and FinCEN has actively reshaped how it applies to customer due diligence programs in 2026.
What Is Enhanced Due Diligence (EDD) and Who Does It Apply To?
EDD is a risk-based extension of Customer Due Diligence (CDD). Every customer goes through CDD at onboarding. EDD only kicks in when specific risk factors are present, such as a politically exposed person (PEP), a customer from a high-risk jurisdiction, or a business structure that obscures who actually owns it.
Understanding customer due diligence vs enhanced due diligence matters because regulators expect a documented decision point. A bank cannot simply apply EDD to everyone, nor can it skip EDD for customers who clearly meet the criteria. The Financial Action Task Force (FATF) sets the international standard, but in the United States, FinCEN and the Bank Secrecy Act define how that standard is implemented in practice.
What Do Regulators Actually Require in 2026?
US compliance teams need to track a real regulatory shift that took effect this year. On February 13, 2026, FinCEN issued an exceptive relief order (FIN-2026-R001) that changes when covered financial institutions must re-verify the beneficial owners of legal entity customers.
Previously, the CDD Rule required institutions to identify and verify beneficial ownership information every time a legal entity customer opened a new account, even if that customer already had an established relationship with the bank. Under the new order, covered institutions can bypass repeat verification and rely on previously collected beneficial ownership information across three explicit scenarios:
(1) when a legal entity customer first opens an account,
(2) any time the institution has knowledge of facts that reasonably call into question the reliability of past data,
(3) as dictated by the institution's ongoing risk-based procedures.
Crucially, when relying on prior data for subsequent accounts under this third scenario, institutions must still obtain a formal certification or confirmation—either orally or in writing—from the customer verifying that the information is completely up to date, and a record of this confirmation must be maintained.
This does not reduce EDD obligations. It is a targeted, risk-based adjustment to one part of the CDD Rule, and FinCEN has been explicit that it does not weaken the underlying Bank Secrecy Act framework. For high-risk customers specifically, ongoing monitoring and periodic review still apply in full. What changes is the administrative burden of repeat verification for lower-risk, established relationships, freeing up compliance resources to focus on the customers who actually warrant EDD.
EDD Red Flags Compliance Teams Should Watch For
EDD red flags are warning signs that a customer may carry elevated financial crime risk and needs closer review. They do not prove wrongdoing, but they shift a customer into a higher scrutiny category.
- Unclear source of funds or wealth. The customer cannot explain where money originated, or the explanation does not match their declared occupation or business activity.
- Layered or opaque ownership structures. Shell companies, nominee directors, or ownership chains that cross multiple jurisdictions make it difficult to identify the real beneficial owner.
- Transaction patterns that do not fit the profile. Frequent large transfers, round-tripping, or activity inconsistent with the stated purpose of the account.
- Exposure to high-risk jurisdictions. Ties to countries on FATF's grey list or subject to OFAC sanctions programs.
- Adverse media findings. Credible negative news linking the customer to fraud, corruption, or sanctions evasion.
- Reluctance to provide documentation. Repeated delays, incomplete forms, or pushback on standard verification requests.
- High-risk industry involvement. Crypto exchanges, money services businesses, arms-related trade, and certain gambling operators carry inherently higher exposure.
If EDD red flags are identified, teams need the skills to investigate, document, and escalate risks correctly. Our Anti-Money Laundering (AML) & Sanctions Compliance course provides practical guidance for managing high-risk customers.
Who Are High-Risk Customers?

Not every customer carries the same risk profile, which is why a risk-based approach sits at the center of any EDD framework. Four categories come up most often in practice.
Politically Exposed Persons (PEPs). Individuals who currently hold, or have held, senior public office, along with their immediate family members and close associates. Their access to public funds and influence over government decisions raises bribery and corruption risk.
Customers from high-risk jurisdictions. Clients connected to countries with weak AML controls, high corruption levels, or active sanctions programs administered by OFAC.
High-risk industries. Cryptocurrency businesses, money services businesses, arms dealers, and certain gambling operators, where transaction volume and structure make illicit activity easier to disguise.
Complex ownership structures. Entities with layered ownership, trusts, or shell companies where identifying the ultimate beneficial owner takes real investigative work.
Being flagged as high risk is not an accusation. It is a signal that the relationship needs a closer look before and after onboarding.
Step-by-Step Enhanced Due Diligence Process

Step 1 — Risk Assessment
Every EDD case starts with evaluating the customer's profile: location, industry, source of funds, ownership structure, and expected transaction behavior. Indicators like a PEP connection, a high-risk jurisdiction, or an unusually complex structure should trigger escalation to EDD immediately, rather than waiting for a problem to surface later.
Step 2 — Collect Additional Information
Once a customer is classified as high risk, gather information that goes beyond standard KYC, including detailed source of funds and source of wealth documentation; a clear picture of business activities and account purpose; full beneficial ownership details; and expected transaction volumes and patterns. The goal is to understand not just who the customer is, but whether their stated activity actually makes sense.
Step 3 — Verify and Validate Data
Self-reported information is a starting point, not an answer. Verify it against independent sources such as government company registries, financial databases, corporate filings, and third-party verification tools. If documents conflict or key details remain unclear, resolve those gaps before the relationship moves forward.
Step 4 — Conduct Adverse Media and Sanctions Screening
Screen the customer against OFAC's sanctions lists, other global watchlists, and adverse media sources for links to money laundering, fraud, terrorism financing, or corruption. This step often surfaces risks that identity verification alone would miss entirely.
Step 5 — Ongoing Monitoring
EDD does not end at onboarding. High-risk relationships need continuous transaction monitoring, scheduled profile reviews, and risk score adjustments whenever a customer's behavior, ownership, or geographic exposure changes.
Reading through a process like this is useful, but applying it consistently under real workload pressure is a different skill. Our Anti-Money Laundering (AML) & Sanctions Compliance course walks compliance staff through these exact decision points using realistic case scenarios, so the process holds up when an analyst is reviewing their fortieth file of the day, not just their first.
Enhanced Due Diligence Checklist for 2026
Use this checklist as a quick audit-ready reference when onboarding or reviewing high-risk customers.
- Identity verification completed and supported by independent sources
- Source of funds validated with documentary evidence
- Source of wealth documented in detail, not just summarized
- PEP status checked, including immediate family and close associates
- Sanctions screening completed against current OFAC and global watchlists
- Adverse media check completed and findings documented
- Risk score assigned and the rationale recorded
- Ongoing monitoring schedule established and assigned to an owner
A checklist like this does not replace judgment. It makes sure judgment gets applied consistently across every file, which is exactly what examiners look for during an audit.
What Separates Strong EDD Programs from Weak Ones
Two institutions can follow the same checklist and end up with very different outcomes. The difference usually comes down to a handful of practical factors.
Technology and automation. Strong programs use screening tools and transaction monitoring systems to flag unusual patterns automatically, freeing analysts to focus on genuinely complex cases instead of clearing routine alerts. Weak programs rely on manual review for everything, which slows down onboarding and increases the chance that a real red flag gets buried in volume.
Dynamic risk scoring. A customer's risk level should move based on behavior, new adverse media, or changes in ownership. Programs that set a risk score once at onboarding and never revisit it miss exactly the kind of drift that EDD exists to catch.
Documentation discipline. Every EDD decision, including the decision not to escalate a borderline case, needs a documented rationale. In an audit, "we decided this customer didn't need EDD" is only defensible if the reasoning was written down at the time.
Team training. Regulations and typologies change. The FinCEN relief order described earlier is a good example of a rule update that staff need to understand correctly, since misapplying it in either direction creates real risk, either unnecessary friction for customers or a gap in beneficial ownership records.
Understanding what good EDD looks like on paper is one thing. Recognizing it in a live file, under time pressure, with incomplete information, is what actually gets tested during an audit or a regulatory exam. That gap is exactly what our AML & Sanctions Compliance course is built to close, with practical exercises based on the kinds of files compliance teams handle every week.
Common Challenges in Enhanced Due Diligence
Even a well-designed EDD framework runs into friction in practice. Data reliability is a constant issue, since customer-provided information can be incomplete, outdated, or deliberately misleading. Cross-border relationships add another layer, because AML standards vary by country and what counts as sufficient verification in one jurisdiction may not satisfy a US regulator.
False positives in sanctions and adverse media screening create their own bottleneck. When a screening tool generates too many alerts, analysts spend time clearing low-value matches instead of investigating genuine concerns, and backlogs build up. At the same time, institutions have to balance thorough checks against a reasonable onboarding experience. Customers who face excessive delays or repeated document requests are more likely to abandon the process or take their business elsewhere.
None of these challenges have a one-time fix. They require a program that is reviewed and adjusted on an ongoing basis, not a policy document that gets written once and left alone.
Enhanced due diligence for high-risk customers in 2026 means applying a structured, risk-based process and keeping it current as regulations shift, including changes like FinCEN's February 2026 exceptive relief order on beneficial ownership re-verification. Getting the framework right on paper is the starting point. Applying it correctly, case by case, under real conditions is where most programs are actually tested.