EDD Is an Equation, Not an Answer
Most people understand, in broad terms, that a high-risk client or matter triggers enhanced due diligence. That part of the message has landed. Application is where it tends to fall apart.
The most common response to a high-risk flag looks something like this: the firm gathers a little more information than usual, works a bit harder on the standard due diligence, records that everything has been established to a satisfactory standard, and files the matter as EDD complete. Job done.
It isn’t.
Doing “CDD, but harder” is not EDD. Enhanced due diligence is something different, and the distinction matters a great deal when a regulator is reviewing your file. The confusion is understandable, because “enhanced due diligence” is one of those terms that sounds self-explanatory right up until you have to actually do it. EDD is not a checklist and it is not a single thing. It is an equation, and like any equation, both sides have to balance. To my mind, there are four stages to working through it properly.
Stage one: unpick the risk flag
EDD starts not with gathering information but with understanding why you are in high-risk territory in the first place. That means interrogating the risk flag itself and understanding what it actually brings with it. This matters because EDD is ultimately asking you to manage a risk. Without digging into what that risk trigger actually represents in practice, you have nothing concrete to manage.
Think of the high-risk trigger as a topic headline. The detail, and the real work, sits underneath it.
Say, for example, that your only high-risk trigger for a particular client is that they are a high-net-worth individual. That is a common trigger, and on the face of it a fairly anodyne one. Wealth is not inherently suspicious. But wealth does come with a set of characteristics that carry genuine risk implications, and this is the stage at which you need to identify them.
What does high-net-worth typically bring with it? Complex asset structures, often spanning multiple jurisdictions. Sophisticated financial instruments and investment vehicles. International business dealings and corporate interests that can be difficult to unpick. Access to private banking, trust arrangements and offshore structures. The possibility of politically adjacent relationships that have not risen to the level of a formal PEP designation. Wealth that has accumulated over time in ways that may be entirely legitimate but are not always straightforward to evidence. None of these things are inherently problematic. All of them are worth understanding, because they are the raw material of stage two.
Stage two: identify the real-world risks that the risk flag represents
A risk flag is an indicator. It tells you something warrants closer attention. It does not tell you what the actual risks are, because those depend entirely on the specific client and circumstances in front of you.
This is the stage where you take everything you identified at stage one and ask: which of these applies here, and what does it actually mean for this relationship? Be practical here in your assessment.
Your high-net-worth client may have the bulk of their wealth in a straightforward property portfolio and a single long-established business. Or they may have layered corporate structures across three jurisdictions, a family office arrangement spanning decades of generational wealth, and a business partner with political connections. On the face of it, both clients carry the same high-risk flag, but the actual risks are completely different.
The EDD question is not “is this person legitimately wealthy?” Your source of wealth investigation has (hopefully) already answered that. The EDD question is: given what we now know about what this client’s wealth involves, what does that actually introduce in terms of risk?
Complex source of funds on specific transactions? Beneficial ownership that requires active maintenance rather than a one-off check? Reputational exposure that could evolve over time? A financial picture that is likely to change significantly and may not always be immediately visible?
Identify the risks that are live in this particular relationship. Those are what you are managing.
Stage three: design measures that actually do something
Once you know what the risks are, EDD becomes something you can design. The measures you put in place should speak directly to the risks you have identified, and they should be genuinely useful. If you cannot draw a clear line between a specific risk and a specific mitigation, the EDD is not working.
For the high-net-worth client with international corporate interests, that might mean rigorous source of funds enquiry at each material transaction rather than just at onboarding; regular review of the beneficial ownership picture where structures are likely to evolve; and closer attention to whether the pattern of instructions continues to make sense given what you know. It might mean something as straightforward as a set of Google alerts on the client’s name, their wider business interests and key associates. For a client who is an active business owner internationally and for whom the Isle of Man relationship represents only a small part of their overall activity, that kind of monitoring keeps you in the loop on developments you would not otherwise see: reputational issues emerging in other jurisdictions, new business connections, links to sanctioned parties or problematic territories. It builds an ongoing picture of the client’s wealth and activities without requiring a formal review every time something shifts.
For the client with the straightforward property portfolio, the measures will look quite different, because the risks look quite different.
Some measures will be one-off. Others will need to recur. Being clear about which is which is essential, because it shapes what comes next.
Stage four: document, own and maintain
EDD is not a fixed point of action. Think of it less as a noun and more as a verb.
Once established, it needs to be documented clearly, assigned to an owner, and actively kept up to date. Your EDD record should explain what the risk flag is, what specific risks it gives rise to in this case, and what measures are in place to address each of them. It should be written in a way that a third party picking up the file can follow, because at some point a third party will pick up that file. Vague notes that a high-risk relationship has been “managed appropriately” will not do.
Every EDD action needs an owner and, where relevant, a timetable. Which brings us to another important point: your EDD monitoring cycle does not have to run at the same frequency as your general relationship review. A higher-risk relationship might be reviewed annually as a matter of course, but some EDD activities may need revisiting quarterly or every six months. That is entirely legitimate, and it is worth building into your EDD record explicitly. An annual review date on the file does not mean that everything on the file waits until the annual review.
When you do revisit, the question is not just “has the EDD been done?” but “is it still right?” Circumstances change. Business interests evolve. Geopolitical situations shift. An EDD package that was perfectly calibrated eighteen months ago may now be under or over-specified, and both carry risk. When changes are made, record them: what changed, why, and what the revised position looks like. The audit trail is not bureaucratic overhead. It is the evidence that you are genuinely managing the relationship rather than processing it.
The equation has to balance
Risk flag -> real-world risks -> targeted mitigation -> documented management.
That is the equation. Each stage depends on the one before it, which is why shortcuts never quite work. If you skip the interrogation at stage one, stage two has nothing to build on. If stage two is superficial, stage three will be generic. And generic EDD, however neatly documented, will not hold up when a regulator asks you to explain what you were actually managing and why.
When all four stages are working properly, the file tells a coherent story: here is what we identified, here is what we understood it to mean, here is what we did about it, and here is how we are keeping track. That is a file a regulator can follow. It is also, more importantly, a file that reflects genuine risk management rather than the appearance of it.