Enhanced due diligence risk triggers: what IAM teams should learn


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Enhanced due diligence is the deeper AML control used when customers, transactions, or relationships present elevated risk, with FATF-style risk-based screening, source-of-funds checks, transaction monitoring, and senior review shaping how firms prove accountability according to Sumsub. The governance lesson is that EDD works only when risk signals, evidence collection, and escalation are treated as one lifecycle, not as disconnected compliance tasks.

NHIMG editorial — based on content published by Sumsub: Enhanced Due Diligence (EDD): When It Is Required and How It Works

By the numbers:

Questions worth separating out

Q: How should compliance teams decide when standard due diligence is no longer enough?

A: Teams should move to enhanced due diligence when risk signals materially change the expected exposure of the customer, transaction, or relationship.

Q: Why does enhanced due diligence need ongoing monitoring after onboarding?

A: Because risk does not stay fixed after the initial review.

Q: What breaks when beneficial ownership is not verified in high-risk cases?

A: The organisation loses visibility into who actually controls the relationship and whether hidden parties are driving illicit activity.

Practitioner guidance

  • Map risk triggers to explicit enhanced review paths: define which signals, such as jurisdiction risk, PEP status, or ownership complexity, move a case from standard review into EDD.
  • Standardise the evidence set for high-risk cases: require the same minimum set of documents and external checks for each risk category, including source of funds, beneficial ownership, and corporate records.
  • Bind monitoring results to re-review thresholds: set formal triggers for transaction monitoring alerts, adverse media hits, or sanctions screening changes to reopen due diligence.

What's in the full article

Sumsub's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step EDD workflow covering risk assessment, evidence gathering, and review sequencing.
  • Examples of the documents and data points used for business entities, PEPs, and jurisdiction risk.
  • Detailed discussion of FATF principles and country-specific AML requirements.
  • Operational examples of transaction monitoring and sanctions screening inside the EDD process.

👉 Read Sumsub's guide to when enhanced due diligence is required →
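Added example, not code from the original post or from Sumsub: the three guidance points above modelled as one lifecycle (classify on triggers, demand a fixed evidence set, reopen on monitoring hits) so that escalation is a recorded decision rather than a bigger file. The trigger, evidence and reopen sets are assumed placeholders standing in for a firm's documented risk policy.

```python
from dataclasses import dataclass, field

# Assumed mappings built from the three guidance bullets above; a real
# programme would load these from its documented risk policy.
EDD_TRIGGERS = {"high_risk_jurisdiction", "pep", "complex_ownership",
                "unusual_activity", "adverse_media", "sanctions_hit"}
EDD_EVIDENCE = {"source_of_funds", "beneficial_ownership", "corporate_records"}
# Monitoring outcomes that reopen an approved case, and the signal each adds.
REOPEN_EVENTS = {"txn_monitoring_alert": "unusual_activity",
                 "adverse_media_hit": "adverse_media",
                 "sanctions_change": "sanctions_hit"}

@dataclass
class Case:
    signals: set
    evidence: set = field(default_factory=set)
    tier: str = "SDD"
    status: str = "open"  # open | blocked | pending_senior_review | approved | reopened
    log: list = field(default_factory=list)  # audit trail of every gate decision

def classify(case):
    """Bullet 1: explicit triggers, not analyst judgement, pick the review path."""
    hits = sorted(case.signals & EDD_TRIGGERS)
    case.tier = "EDD" if hits else "SDD"
    case.log.append(f"tier={case.tier} triggers={hits}")
    return case.tier

def missing_evidence(case):
    """Bullet 2: every EDD case owes the same minimum evidence set."""
    return EDD_EVIDENCE - case.evidence if case.tier == "EDD" else set()

def decide(case):
    """Run the gate: classify, check evidence, then route to approval or senior review."""
    classify(case)
    gap = sorted(missing_evidence(case))
    if gap:
        case.status = "blocked"
        case.log.append(f"blocked: missing {gap}")
    else:
        case.status = "pending_senior_review" if case.tier == "EDD" else "approved"
    return case.status

def on_monitoring_event(case, event):
    """Bullet 3: a listed monitoring hit reopens an approved case and adds its signal."""
    if event not in REOPEN_EVENTS or case.status != "approved":
        return case.status  # unknown event, or case already under review: no change
    case.signals.add(REOPEN_EVENTS[event])
    case.status = "reopened"
    case.log.append(f"reopened on {event}")
    return case.status
```

A reopened case must go back through `decide`, so a sanctions or adverse media change on a previously approved customer lands in the same evidence and senior review path as a new high-risk onboarding.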

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

EDD is a governance filter, not a documentation exercise. The article shows that enhanced due diligence only works when risk assessment changes the depth of review, not just the size of the file. That is the same failure mode identity teams see when onboarding checklists are treated as proof of control. Practitioners should treat EDD as a decision gate that must reclassify risk and trigger escalation.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Our research also shows that 97% of NHIs carry excessive privileges, which is why lifecycle governance has to include both access scope and removal discipline.

A question worth separating out:

Q: Who is accountable when enhanced due diligence fails to catch a high-risk relationship?

A: Accountability usually sits with the institution’s AML governance chain, including the analysts, approvers, and compliance leadership that defined the review standard. The practical test is whether the organisation can show it applied a risk-based process, documented the rationale, and maintained monitoring when risk changed.

👉 Read our full editorial: Enhanced due diligence is a governance test for high-risk identity
