TL;DR: Enhanced due diligence is the deeper AML control layer used for high-risk customers, beneficial owners, transactions, and jurisdictions, and Sumsub’s guide shows how risk-based screening, source-of-funds checks, transaction monitoring, and sanctions review fit together. The governance lesson is that EDD fails when it becomes a disconnected checklist instead of a lifecycle process with evidence, escalation, and auditability.
NHIMG editorial — based on content published by SumSub: Enhanced Due Diligence (EDD): When It Is Required and How It Works
By the numbers:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations decide when a customer needs enhanced due diligence?
A: Organisations should escalate to enhanced due diligence when a customer, beneficial owner, transaction, or jurisdiction creates a materially higher AML risk than standard onboarding can explain.
Q: Why do high-risk customers need more than standard customer due diligence?
A: High-risk customers need more than standard customer due diligence because basic verification only confirms identity, while EDD tests whether the relationship is economically and legally credible.
Q: What breaks when enhanced due diligence is treated as a one-time check?
A: When EDD is treated as a one-time check, the organisation loses the ability to catch changes in ownership, behaviour, or jurisdictional risk after onboarding.
Practitioner guidance
- Tie EDD triggers to explicit risk indicators: map high-risk indicators such as PEP proximity, adverse geography, ownership complexity, and unusual transaction patterns to a documented escalation path.
- Require corroboration for source-of-funds narratives: do not accept customer-provided explanations without independent records that support the funds trail, ownership chain, or transaction purpose.
- Link monitoring to the original risk case: connect sanctions screening, transaction monitoring, and periodic review back to the reason the customer was placed in EDD, so that changes in behaviour can reopen the case when needed.
What's in the full article
Sumsub's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step EDD workflow guidance for high-risk customers, including the specific documents requested at each stage
- Jurisdiction-by-jurisdiction regulatory context, including how different AML regimes shape the review standard
- Examples of EDD failings and the enforcement outcomes that followed, useful for compliance benchmarking
- Practical case-management detail on how teams can maintain records, decisions, and rationale for audit
Read Sumsub's guide to enhanced due diligence and high-risk AML review.
Explore further: EDD, high-risk customers, and the governance gap teams miss
EDD is an identity governance control, not just a compliance formality. The article shows that risk-based review only works when identity evidence, ownership evidence, and behavioural evidence are treated as one decision chain. That is the same failure mode identity teams see when lifecycle controls are fragmented across onboarding, review, and monitoring. Practitioners should treat EDD as governed identity state, not a one-time approval.
A question worth separating out:
Q: Who is accountable when a high-risk relationship is approved without proper EDD?
A: Accountability usually sits with the obliged entity, but the practical answer is shared across compliance, operations, and governance owners who approved the risk decision. Regulators expect the organisation to prove that enhanced review was applied when warranted and that the decision was documented, reviewed, and monitored over time.
Read our full editorial: Enhanced due diligence and identity governance in high-risk relationships.