TL;DR: Enhanced due diligence is the deeper AML control layer used for high-risk customers, beneficial owners, transactions, and jurisdictions, and Sumsub’s guide shows how risk-based screening, source-of-funds checks, transaction monitoring, and sanctions review fit together. The governance lesson is that EDD fails when it becomes a disconnected checklist instead of a lifecycle process with evidence, escalation, and auditability.
At a glance
What this is: Enhanced due diligence is a higher-touch AML screening process for high-risk relationships, with the guide emphasising risk-based triggers, source-of-funds checks, and ongoing monitoring.
Why it matters: It matters because identity teams, compliance leads, and risk owners need a repeatable way to tighten scrutiny without turning every case into manual friction or missing elevated risk.
By the numbers:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Sumsub's guide to enhanced due diligence and high-risk AML review
Context
Enhanced due diligence is the heightened review applied when a customer, transaction, or business relationship presents elevated AML risk. In practice, it extends standard customer due diligence by asking a harder question: do the available identity, ownership, source-of-funds, and behaviour signals justify deeper scrutiny before the relationship proceeds?
For identity and access teams, the interesting parallel is governance maturity. High-risk relationships cannot be managed with a one-time check or a disconnected set of controls, because the risk profile can change over time and the evidence needed to justify the decision often sits across multiple systems.
Sumsub’s guide treats EDD as a risk-based workflow rather than a single approval gate, which is the right framing for any identity programme that has to balance coverage, escalation, and auditability. That starting point is typical for regulated financial services and adjacent industries.
Key questions
Q: How should organisations decide when a customer needs enhanced due diligence?
A: Organisations should escalate to enhanced due diligence when a customer, beneficial owner, transaction, or jurisdiction creates a materially higher AML risk than standard onboarding can explain. The decision should be driven by documented triggers such as PEP links, complex ownership, unusual transaction patterns, or high-risk countries. The key is consistency: the same trigger should produce the same review path.
Q: Why do high-risk customers need more than standard customer due diligence?
A: High-risk customers need more than standard customer due diligence because basic verification only confirms identity, while EDD tests whether the relationship is economically and legally credible. Without source-of-funds checks, beneficial ownership analysis, and ongoing monitoring, illicit activity can pass through a process that looks complete on paper but fails in practice.
Q: What breaks when enhanced due diligence is treated as a one-time check?
A: When EDD is treated as a one-time check, the organisation loses the ability to catch changes in ownership, behaviour, or jurisdictional risk after onboarding. That creates stale risk decisions, weak audit evidence, and a blind spot between initial approval and later transaction activity. EDD only works when review remains connected to ongoing monitoring.
Q: Who is accountable when a high-risk relationship is approved without proper EDD?
A: Accountability usually sits with the obliged entity, but the practical answer is shared across compliance, operations, and governance owners who approved the risk decision. Regulators expect the organisation to prove that enhanced review was applied when warranted and that the decision was documented, reviewed, and monitored over time.
Technical breakdown
Risk-based EDD triage and escalation
Enhanced due diligence starts with risk classification. The point is not to treat every customer as suspicious, but to separate standard relationships from those that require deeper review because of geography, ownership structure, transaction behaviour, or adverse signals. In AML operations, that classification determines whether the case stays within standard customer due diligence or moves into a richer evidence-gathering path. The technical challenge is consistency: if the risk score is too coarse, high-risk cases are missed; if it is too sensitive, reviewers drown in false positives and queue churn. Practical implication: define escalation thresholds that are explainable, repeatable, and tied to specific risk triggers rather than subjective reviewer judgement.
Source of funds, source of wealth, and beneficial ownership evidence
EDD is fundamentally an evidence problem. Standard onboarding may verify who the customer says they are, but enhanced review asks where the money came from, who ultimately controls the assets, and whether the stated purpose of the relationship matches the supporting records. That is why EDD pulls in corporate filings, banking relationships, board and beneficiary information, and independent records instead of relying only on self-attestation. The value of this step depends on evidence quality as much as evidence volume. Weak source-of-funds narratives can look plausible while still masking risk. Practical implication: require documentary corroboration for material inconsistencies and route unresolved gaps to senior review.
Ongoing monitoring as the control that keeps EDD current
EDD does not end at onboarding. Risk-based compliance only works if transaction monitoring, sanctions screening, and periodic review continue to test whether the customer’s observed behaviour still matches the original risk assessment. This matters because a previously acceptable relationship can become high risk as ownership shifts, counterparties change, or transaction patterns move outside expected bounds. Without ongoing monitoring, EDD becomes a snapshot instead of a control. That weakens audit defensibility and leaves regulators with evidence of stale decisions. Practical implication: connect review cadence to risk tier and alert only on changes that actually alter the relationship’s profile.
Threat narrative
Attacker objective: The objective is to move illicit value through the financial system while avoiding detection, scrutiny, and enforcement.
- Entry occurs when a customer or relationship presents higher-risk indicators such as complex ownership, adverse geography, or PEP proximity, but the organisation accepts the case without deep enough review.
- Escalation happens when source-of-funds, source-of-wealth, and beneficial ownership evidence is incomplete or inconsistently checked, allowing the risk profile to remain under-validated.
- Impact is regulatory exposure, financial crime enablement, and reputational damage when high-risk activity passes through without appropriate scrutiny.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
EDD is an identity governance control, not just a compliance formality. The article shows that risk-based review only works when identity evidence, ownership evidence, and behavioural evidence are treated as one decision chain. That is the same failure mode identity teams see when lifecycle controls are fragmented across onboarding, review, and monitoring. Practitioners should treat EDD as governed identity state, not a one-time approval.
Source-of-funds validation is the named concept that separates real EDD from paper EDD. The guide makes clear that high-risk cases demand more than collected fields. They need corroboration that explains where value originated and whether the stated relationship is consistent with supporting records. In practice, weak source-of-funds validation is where many programmes lose defensibility.
Complex ownership structures create an ownership opacity problem that standard CDD cannot resolve. Beneficial ownership, board control, and third-party relationships often sit across multiple records that must be reconciled before a decision is trustworthy. That makes EDD an evidence reconciliation discipline, not a checkbox expansion. The implication is that practitioners need traceable control ownership across compliance and identity teams.
Transaction monitoring is the operational bridge between initial risk assessment and ongoing trust. A relationship that was acceptable at onboarding can drift into a different risk class as patterns change. Without continuous review, EDD becomes stale and the organisation loses the ability to defend why a case remained open. Practitioners should view monitoring as the control that keeps the original decision valid.
Risk-based review only works when escalation rules are explicit enough to survive audit. The article repeatedly returns to case-by-case judgement, but judgement without consistent criteria creates uneven outcomes and poor defensibility. That is the real governance issue here. Teams should design EDD so every escalation, exception, and closure can be explained in the same language.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For the governance angle behind this risk, read the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs, which cover the lifecycle controls that make review and revocation defensible.
What this signals
Source-of-funds opacity is the real governance signal behind many failed EDD programmes. When organisations cannot reconcile ownership, provenance, and transaction purpose across records, the case may look approved but remains structurally weak. That is the same pattern identity teams see when lifecycle ownership is split across compliance, operations, and risk with no single control owner.
EDD is moving from periodic review to continuous evidence testing. As transaction patterns and relationship structures change faster, the programme that matters is the one that can reopen a case when the risk story no longer matches the account behaviour.
A useful way to frame the control gap is as identity decision drift: the initial risk decision becomes stale because the facts that justified it are no longer current. The teams best positioned for this shift will connect screening, monitoring, and review to the same evidence model.
For practitioners
- Tie EDD triggers to explicit risk indicators: map high-risk indicators such as PEP proximity, adverse geography, ownership complexity, and unusual transaction patterns to a documented escalation path. Avoid free-form reviewer discretion unless it is supported by a clear rationale and second-line approval.
- Require corroboration for source-of-funds narratives: do not accept customer-provided explanations without independent records that support the funds trail, ownership chain, or transaction purpose. Escalate contradictions to senior compliance review and preserve the evidence used in the final decision.
- Link monitoring to the original risk case: connect sanctions screening, transaction monitoring, and periodic review back to the reason the customer was placed in EDD so changes in behaviour can reopen the case when needed. This keeps the control current rather than static.
- Separate case intake from case closure evidence: build a record that shows what was known at intake, what changed during review, and why the final outcome was approved, declined, or escalated. That audit trail is what turns EDD from a process into a defensible control.
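The triage, monitoring and closure pattern described in the technical breakdown and in the practitioner list above, as an added example that is not from Sumsub's guide or from NHIMG: documented triggers with fixed weights drive a deterministic escalation path, a monitoring event re-runs triage against the same case and can reopen it, and closure refuses to approve on self-attestation when any trigger lacks independent corroboration. The trigger names, weights and threshold are constructed for illustration; a real programme sets them in policy.

```python
from dataclasses import dataclass, field

# Trigger catalogue and weights are constructed for this example; a real
# programme defines its own indicators, weights and threshold in policy.
TRIGGER_WEIGHTS = {
    "pep_link": 3,
    "complex_ownership": 2,
    "high_risk_jurisdiction": 2,
    "unusual_transactions": 2,
    "adverse_media": 1,
}
EDD_THRESHOLD = 3  # total score at or above this routes the case to EDD


@dataclass
class Case:
    customer_id: str
    triggers: set
    events: list = field(default_factory=list)  # intake-to-closure audit trail
    status: str = "standard"

    def score(self) -> int:
        return sum(TRIGGER_WEIGHTS[t] for t in self.triggers)


def classify(case: Case, when: str) -> str:
    """Deterministic triage: identical triggers always produce the same path."""
    score = case.score()
    tier = "edd" if score >= EDD_THRESHOLD else "standard"
    case.events.append({"when": when, "action": "classify", "score": score,
                        "triggers": sorted(case.triggers), "tier": tier})
    case.status = tier
    return tier


def monitoring_event(case: Case, trigger: str, when: str) -> bool:
    """Ongoing monitoring: a new indicator re-runs triage against the same case.
    Returns True when the change reopens a standard case into EDD."""
    before = case.status
    case.triggers.add(trigger)
    after = classify(case, when)
    return before != "edd" and after == "edd"


def close_case(case: Case, evidence: dict, when: str) -> str:
    """Closure needs independent corroboration for every trigger; any gap is
    routed to senior review rather than approved on the customer's narrative."""
    gaps = sorted(t for t in case.triggers if not evidence.get(t))
    outcome = "senior_review" if gaps else "approved"
    case.events.append({"when": when, "action": "close", "outcome": outcome, "gaps": gaps})
    case.status = outcome
    return outcome
```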
Key takeaways
- EDD is the higher-assurance layer of AML governance, and it exists because standard due diligence cannot resolve higher-risk ownership, source, and behaviour questions.
- The article’s core message is that risk-based EDD only works when triggers, evidence, and ongoing monitoring are linked into one defensible workflow.
- Practitioners should focus on explicit escalation criteria, corroborated source-of-funds evidence, and audit-ready monitoring rather than treating EDD as a manual checklist.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk-based due diligence maps to enterprise risk governance and decision traceability. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | EDD parallels continuous validation of trust before access or relationship approval. |
| NIST SP 800-63 | | Identity proofing and federation signals inform high-assurance customer verification. |
Treat high-risk relationship approval as continuously validated trust, not a one-time onboarding event.
Key terms
- Enhanced Due Diligence: Enhanced due diligence is the deeper review applied when a customer, transaction, or relationship carries higher AML risk. It goes beyond basic identity verification by testing source of funds, beneficial ownership, jurisdictional exposure, and ongoing behaviour against a documented risk case.
- Source of Funds: Source of funds is the evidence used to show where the money in a transaction or relationship originated. In AML governance, it helps distinguish legitimate value from proceeds that may be tied to laundering, fraud, sanctions evasion, or other illicit activity.
- Beneficial Ownership: Beneficial ownership identifies the person or entity that ultimately controls or benefits from an account, company, or asset. In EDD, it matters because nominal ownership can hide the real decision-maker, which is often the entity regulators and investigators need to understand.
- Risk-Based Approach: A risk-based approach is a control method that allocates scrutiny according to the level and type of risk presented. In AML, it means low-risk cases can receive lighter treatment while higher-risk cases receive deeper review, stronger evidence requirements, and more frequent monitoring.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Sumsub: Enhanced Due Diligence (EDD): When It Is Required and How It Works. Read the original.
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org