TL;DR: Enhanced due diligence extends customer identity verification, risk scoring, and ongoing monitoring for high-risk relationships, occupations, jurisdictions, and transaction patterns according to 1Kosmos. The broader lesson is that stronger identity proofing does not remove governance burden; it shifts it toward evidence quality, escalation discipline, and auditability.
NHIMG editorial — based on content published by 1Kosmos: enhanced due diligence and identity verification for high-risk customers
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities: 46% confirmed, 26% suspected.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should security teams apply enhanced due diligence to high-risk identities?
A: Security teams should treat enhanced due diligence as a risk-based control path, not a universal process.
Q: Why do standard due diligence checks fail for higher-risk relationships?
A: Standard checks fail because they are designed for baseline trust, not elevated exposure.
Q: What do organisations get wrong about ongoing monitoring in KYC programmes?
A: They often treat monitoring as a compliance formality instead of the operational core of the control.
Practitioner guidance
- Define explicit EDD triggers: map the cases that require enhanced review, including high-risk jurisdictions, politically exposed persons, unusual transaction patterns, and adverse reputation signals.
- Separate baseline CDD from enhanced review: document what every customer receives at onboarding and what additional evidence is required when risk rises.
- Tie monitoring to escalation and reporting: ensure suspicious activity alerts route to a named reviewer, preserve the underlying evidence, and support filings to the appropriate authority when required.
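The three guidance points above describe one control path: documented triggers decide whether a customer stays on baseline CDD or moves to enhanced review, and any escalation must name a reviewer and keep the evidence intact. The Python below is an added illustration written for this post, not code from 1Kosmos or from their article. The jurisdiction codes, thresholds, evidence names and reviewer addresses are constructed placeholders standing in for whatever a real programme documents.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed policy parameters (assumptions for this example, not vendor rules) ---
HIGH_RISK_JURISDICTIONS = {"ZZ", "QQ"}   # placeholder country codes
REPORTING_THRESHOLD = 10_000             # currency units; placeholder value
NEAR_THRESHOLD_RATIO = 0.8               # deposits at >= 80% of the threshold ...
NEAR_THRESHOLD_REPEATS = 3               # ... at least this many times ...
PATTERN_WINDOW = timedelta(days=30)      # ... inside one rolling window

# Baseline evidence every customer supplies, versus the extra evidence EDD demands.
BASELINE_CDD_EVIDENCE = ["government_id", "proof_of_address", "liveness_check"]
ENHANCED_EDD_EVIDENCE = ["source_of_funds", "beneficial_ownership", "adverse_media_review"]

# A named reviewer per trigger, so an alert never lands in an unowned queue (placeholders).
REVIEWER_ROSTER = {
    "high_risk_jurisdiction": "edd-reviewer-b@example.invalid",
    "pep": "edd-reviewer-a@example.invalid",
    "unusual_transaction_pattern": "tm-analyst@example.invalid",
    "adverse_media": "edd-reviewer-a@example.invalid",
}


@dataclass
class Customer:
    customer_id: str
    jurisdiction: str
    is_pep: bool = False
    adverse_media_hits: int = 0


@dataclass
class Transaction:
    amount: float
    when: datetime


def has_near_threshold_pattern(txns: list[Transaction]) -> bool:
    """True if enough deposits just under the reporting threshold fall in one window."""
    lower = REPORTING_THRESHOLD * NEAR_THRESHOLD_RATIO
    near = sorted(t.when for t in txns if lower <= t.amount < REPORTING_THRESHOLD)
    for i in range(len(near)):
        j = i
        while j < len(near) and near[j] - near[i] <= PATTERN_WINDOW:
            j += 1
        if j - i >= NEAR_THRESHOLD_REPEATS:
            return True
    return False


def evaluate_triggers(customer: Customer, txns: list[Transaction]) -> list[str]:
    """Return the documented EDD triggers that fire, in a stable order."""
    triggers = []
    if customer.jurisdiction in HIGH_RISK_JURISDICTIONS:
        triggers.append("high_risk_jurisdiction")
    if customer.is_pep:
        triggers.append("pep")
    if has_near_threshold_pattern(txns):
        triggers.append("unusual_transaction_pattern")
    if customer.adverse_media_hits > 0:
        triggers.append("adverse_media")
    return triggers


def required_evidence(triggers: list[str]) -> list[str]:
    """Baseline CDD always applies; enhanced evidence is added only when a trigger fired."""
    return BASELINE_CDD_EVIDENCE + (ENHANCED_EDD_EVIDENCE if triggers else [])


def build_escalation(customer: Customer, triggers: list[str],
                     evidence: dict[str, bytes]) -> dict | None:
    """Audit record for the reviewer: which triggers fired, who owns the case, and a
    SHA-256 digest of each evidence item as it stood at escalation time."""
    if not triggers:
        return None
    return {
        "customer_id": customer.customer_id,
        "tier": "EDD",
        "triggers": triggers,
        "reviewer": REVIEWER_ROSTER[triggers[0]],  # first trigger's owner takes the case
        "evidence_sha256": {name: hashlib.sha256(blob).hexdigest()
                            for name, blob in sorted(evidence.items())},
    }


def demo() -> dict:
    """Run two constructed customers through the path and return the outcomes."""
    low = Customer("C-LOW", "AA")
    low_txns = [Transaction(500, datetime(2024, 1, 2)), Transaction(700, datetime(2024, 1, 20))]
    high = Customer("C-HIGH", "ZZ", is_pep=True)
    high_txns = [Transaction(9_000, datetime(2024, 1, d)) for d in (1, 5, 9)]
    evidence = {"government_id": b"constructed-id-scan", "source_of_funds": b"constructed-letter"}
    results = {}
    for cust, txns in ((low, low_txns), (high, high_txns)):
        trig = evaluate_triggers(cust, txns)
        results[cust.customer_id] = {
            "triggers": trig,
            "evidence_required": required_evidence(trig),
            "escalation": build_escalation(cust, trig, evidence),
        }
    return results


if __name__ == "__main__":
    for cid, outcome in demo().items():
        print(cid, outcome["triggers"], outcome["escalation"] and outcome["escalation"]["reviewer"])
```

The digests in the escalation record are what makes the evidence reviewable later: if a stored document no longer matches the hash captured at escalation, the reviewer knows the record and the file have diverged.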
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The exact EDD steps used for high-risk customer onboarding, including what gets collected and when.
- The verification methods the vendor describes for identity proofing, including on-prem and video-based checks.
- The product-specific identity authentication and privacy architecture details that matter during implementation.
- The integration and deployment notes for teams evaluating how the workflow fits existing systems.
👉 Read 1Kosmos's article on enhanced due diligence and identity verification →
Enhanced due diligence and identity verification: where do teams miss risk?