Accountability should sit with the function that owns the review workflow, usually compliance with support from fraud or security operations. The organisation must also define when the issue is escalated to regulators or a financial intelligence unit. Clear ownership matters because EDD fails when everyone sees the risk but no one closes the case.
Why This Matters for Security Teams
Enhanced due diligence only works when suspicious activity has a named owner and a defined escalation path. If compliance, fraud, and security each see fragments of the same event but no one is accountable for closure, the organisation can miss regulatory reporting windows or continue processing risky activity. That is why case ownership is a governance control, not just an administrative preference.
For operational teams, the key distinction is between detection and disposition. A monitor can flag unusual transactions, sanction hits, or account anomalies, but the review function must decide whether the issue is a false positive, a temporary hold, or a reportable event. NIST frames this kind of ownership discipline within risk management and governance in the NIST Cybersecurity Framework 2.0, while NHI Management Group emphasises how unclear ownership repeatedly causes control failure in the Ultimate Guide to NHIs.
In practice, many security teams encounter unresolved suspicious cases only after a regulator, auditor, or downstream control has already asked why nothing was closed.
How It Works in Practice
In a sound EDD workflow, accountability follows the workflow owner, not the person who first notices the anomaly. That usually means compliance owns the review decision, while fraud, financial crime operations, or security provide evidence, enrichment, and technical investigation. The accountable function should be able to answer four questions quickly: who opened the case, who is assigned, what evidence is required, and when escalation is mandatory.
Current guidance suggests separating case ownership from evidence production. Evidence can come from transaction monitoring, sanctions screening, device intelligence, account behaviour, or NHI telemetry when automated systems are involved. The owner then decides whether activity is explainable, suspicious, or reportable. If the organisation uses shared queues, there still needs to be a single accountable decision-maker with authority to close, hold, or escalate the matter.
Practical controls usually include:
- A named accountable function for every EDD case, with a backup owner for absence coverage.
- Documented thresholds for escalation to legal, regulators, or a financial intelligence unit.
- Time-based service levels so cases do not sit open indefinitely.
- Evidence standards that require a recorded rationale, not just a status update.
- Audit trails showing who reviewed the alert and why the final decision was made.
This is especially important because EDD often depends on partial information. The Ultimate Guide to NHIs notes that 80% of identity breaches involve compromised non-human identities such as service accounts and API keys, which reinforces why suspicious activity sometimes spans both financial and technical control domains. When that happens, NIST Cybersecurity Framework 2.0 style ownership and escalation discipline keeps the response coordinated.
These controls tend to break down when the case spans multiple business units and no single team has authority to force a final disposition.
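To make the ownership controls above concrete, here is an added example (not code from NHI Management Group or any product) of a minimal EDD case record that enforces them: only the accountable owner or backup may dispose of a case, disposition requires the listed evidence and a recorded rationale, escalation is mandatory once a documented threshold or the review SLA is hit, and every action lands in an audit trail. The SLA, amount threshold, function names and the sample case are assumptions for illustration; `dispose` accepts `false_positive`, `hold` or `escalate`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REVIEW_SLA = timedelta(hours=72)     # assumed time-based service level
ESCALATION_AMOUNT = 10_000.0         # assumed documented escalation threshold

@dataclass
class EDDCase:
    case_id: str
    opened_by: str       # first detecting function (fraud, security ops, compliance)
    owner: str           # the single accountable function, usually compliance
    backup_owner: str    # absence coverage
    opened_at: datetime
    amount: float
    required_evidence: set = field(default_factory=set)
    evidence: dict = field(default_factory=dict)   # kind -> (producer, detail)
    status: str = "open"
    audit: list = field(default_factory=list)      # (when, actor, action, rationale)

    def add_evidence(self, producer, kind, detail, now):
        # Evidence producers enrich the case; they do not decide it.
        self.evidence[kind] = (producer, detail)
        self.audit.append((now, producer, f"evidence:{kind}", detail))

    def escalation_required(self, now):
        # Documented escalation triggers: amount threshold or review SLA breached.
        return self.amount >= ESCALATION_AMOUNT or now - self.opened_at > REVIEW_SLA

    def dispose(self, actor, decision, rationale, now):
        if actor not in (self.owner, self.backup_owner):
            raise PermissionError(f"{actor} is not accountable for {self.case_id}")
        missing = self.required_evidence - self.evidence.keys()
        if missing:
            raise ValueError(f"cannot dispose without evidence: {sorted(missing)}")
        if not rationale.strip():
            raise ValueError("a recorded rationale is required, not just a status update")
        if decision != "escalate" and self.escalation_required(now):
            raise ValueError("escalation is mandatory for this case")
        self.status = decision
        self.audit.append((now, actor, f"decision:{decision}", rationale))
        return self.status

def overdue(cases, now):
    # Open cases past the SLA: the owner or backup must act, not a shared queue.
    return [c.case_id for c in cases if c.status == "open" and now - c.opened_at > REVIEW_SLA]

def sample_case():
    # Constructed example case, not real data.
    return EDDCase("EDD-0001", "fraud", "compliance", "compliance-deputy", datetime(2024, 1, 1, 9, 0),
                   2_500.0, required_evidence={"transaction_history", "device_intel"})
```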
Common Variations and Edge Cases
Tighter case ownership often increases operational overhead, requiring organisations to balance faster escalation against the risk of overburdening compliance teams. That tradeoff becomes sharper in high-volume environments, where suspicious activity is frequent but only a small portion is truly reportable.
Best practice is evolving for complex cases that involve both financial crime and cyber signals. In those situations, there is no universal standard for whether fraud, security operations, or compliance should lead the first investigation step. The safer model is usually a triage approach: the first detecting function opens the case, compliance retains final accountability, and specialised teams contribute evidence under a common playbook.
Edge cases also matter when activity appears suspicious but is tied to legitimate automation, third-party access, or shared service accounts. Those scenarios can look like abuse unless the organisation has strong identity provenance and review criteria. NHI Management Group’s research shows how often identity control gaps hide the real root cause, which is why ownership needs to extend beyond human reviewers when machine-driven activity is involved.
Where firms operate across jurisdictions, escalation timing may differ by regulator, and local legal advice should define the reporting trigger. The practical test is simple: if a reviewer cannot state who is accountable for closure and escalation, the EDD process is not yet operationally complete.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Governance requires clear ownership for risk decisions and escalation. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity governance failures often surface in suspicious activity reviews. |
| NIST AI RMF | GOVERN | Accountability is a core governance requirement for high-risk automated decisions. |
Track service-account and API-key activity so suspicious events can be traced to a responsible owner.