Understanding the Spectrum of Due Diligence
If CIP is about confirming who your customer is, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) are about understanding what your customer does, why they need your services, and what risks they present. The CDD Rule (31 CFR 1010.230), which took effect in May 2018, formalized these requirements for banks — but the underlying principles apply broadly across financial services.
Customer Due Diligence (CDD) — The Baseline
CDD must be performed on every customer at onboarding and on an ongoing basis. The CDD Rule requires four core elements:
- Customer identification and verification (overlaps with CIP)
- Beneficial ownership identification and verification — For legal entity customers, you must identify and verify the identity of each individual who owns 25% or more of the entity, plus one individual with significant management responsibility (e.g., CEO, CFO, managing member). The Corporate Transparency Act (CTA) modified this landscape starting in 2024, requiring companies to report beneficial ownership directly to FinCEN via the BOI reporting system.
- Understanding the nature and purpose of the customer relationship — What products does the customer want? What is the expected account activity? Where do their funds come from?
- Ongoing monitoring — Maintain and update customer information over the life of the relationship, and identify and report suspicious transactions as they occur.
Practical CDD data points to collect:
- Occupation or business type (use standardized industry codes like NAICS or SIC)
- Source of funds (salary, business revenue, investments, inheritance, etc.)
- Expected transaction volume and frequency
- Geographic scope of activity (domestic only, specific countries, global)
- Purpose of the account (personal spending, business operations, payroll, etc.)
Enhanced Due Diligence (EDD) — When the Risk Demands More
EDD is required when CDD reveals elevated risk factors. The goal is to gain a deeper understanding of the customer's activity to mitigate the higher ML/TF risk. EDD triggers typically include:
- Politically Exposed Persons (PEPs): Individuals who hold or have held prominent public functions. This includes heads of state, senior government officials, senior judicial or military officials, senior executives of state-owned enterprises, and their immediate family members and close associates. There is no universal PEP definition — FATF provides guidance, but each jurisdiction defines PEPs differently. In the U.S., there is no explicit statutory PEP definition, but regulators expect institutions to identify and apply EDD to foreign PEPs (per Section 312 of the USA PATRIOT Act, 31 CFR 1010.620).
- High-risk jurisdictions: Countries identified by FATF as having strategic AML/CFT deficiencies (the "grey list" and "black list"), countries subject to comprehensive U.S. sanctions (e.g., North Korea, Iran, Cuba, Syria), or countries with known corruption or narcotics trafficking risks. Check FATF's regularly updated lists and FinCEN's advisories.
- High-risk business types: Money services businesses, cash-intensive businesses (restaurants, car washes, vending machine operators), marijuana-related businesses, third-party payment processors, offshore corporations, and non-profit organizations operating in conflict zones.
- Complex ownership structures: Multi-layered corporate structures, nominee shareholders, bearer shares, trusts with undisclosed beneficiaries, or entities registered in secrecy jurisdictions.
- Unusual account activity: Transactions inconsistent with the customer's stated profile, frequent large cash deposits, rapid movement of funds through multiple accounts, or structuring patterns.
What EDD Looks Like in Practice
EDD measures go beyond standard CDD and may include:
- Enhanced source of wealth and source of funds verification: Request and verify supporting documentation such as tax returns, audited financial statements, property records, or employment contracts.
- Senior management approval: Require sign-off from a compliance manager or executive before onboarding or continuing the relationship.
- Increased monitoring: Apply lower thresholds for transaction alerts, review account activity more frequently (e.g., monthly instead of quarterly), or implement real-time monitoring.
- Adverse media screening: Conduct detailed searches for negative news coverage related to the customer, their business, or their associates. Use structured adverse media databases (e.g., Dow Jones, LexisNexis WorldCompliance) rather than relying solely on Google searches.
- On-site visits: For business customers, visiting the physical location can reveal significant information about the legitimacy and scale of the operation.
- Third-party intelligence: Engage external due diligence firms for deep-dive investigations into high-risk customers.
The Risk-Based Approach in Practice
Regulators expect you to apply a risk-based approach to due diligence — not to apply EDD to everyone (which would be prohibitively expensive and slow) and not to apply only CDD to high-risk customers (which would be negligent). Your customer risk rating model should:
- Assign risk scores based on customer type, geography, product, and channel
- Define clear thresholds for CDD, EDD, and potentially simplified due diligence (SDD) for the lowest-risk customers
- Be documented and approved by senior management
- Be tested and validated regularly (at least annually)
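The risk rating model described above, and the beneficial ownership rule from the CDD section (25% ownership prong plus one control person), as an added worked example that is not part of the original article and does not reproduce any institution's or vendor's methodology. The weights, the CDD/EDD/SDD thresholds, the reference lists (sanctioned and FATF-listed country codes, high-risk business categories) and the sample customers are all constructed placeholders; a real program would load current FATF and sanctions lists from maintained sources and document its own scoring criteria for senior management approval:

```python
"""Customer risk rating with EDD triggers and beneficial-owner identification.
All weights, thresholds, reference lists and customers are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed reference data; a real program versions these from maintained sources.
SANCTIONED_COUNTRIES = {"KP", "IR", "CU", "SY"}   # comprehensive U.S. sanctions examples
FATF_LISTED_COUNTRIES = {"ZZ"}                     # placeholder code for a grey/black-listed country
HIGH_RISK_BUSINESS_TYPES = {"msb", "restaurant", "car_wash", "vending", "cannabis",
                            "payment_processor", "offshore_corp"}
PRODUCT_WEIGHTS = {"checking": 0, "payroll": 0, "cash_deposits": 2, "international_wires": 2}
EDD_SCORE_THRESHOLD = 5   # at or above: EDD even without a hard trigger (placeholder value)
SDD_SCORE_THRESHOLD = 1   # at or below: simplified due diligence may apply (placeholder value)


@dataclass
class Owner:
    name: str
    percent: float                   # equity ownership in the legal entity
    control_person: bool = False     # significant management responsibility (CEO, CFO, ...)


@dataclass
class Customer:
    name: str
    customer_type: str               # "individual" or "legal_entity"
    business_type: str               # free-text category here; real programs use NAICS/SIC codes
    countries: List[str]             # ISO codes where account activity is expected
    products: List[str]
    channel: str                     # "branch" (face-to-face) or "online"
    is_pep: bool = False
    ownership_layers: int = 0        # intermediate entities between customer and natural persons
    nominee_or_bearer: bool = False  # nominee shareholders or bearer shares
    owners: List[Owner] = field(default_factory=list)


def beneficial_owners(customer: Customer, threshold: float = 25.0) -> Dict[str, object]:
    """CDD Rule prongs: every individual at or above the ownership threshold,
    plus one individual with significant control (may overlap with an owner)."""
    ownership_prong = [o.name for o in customer.owners if o.percent >= threshold]
    control_prong = next((o.name for o in customer.owners if o.control_person), None)
    return {"ownership_prong": ownership_prong, "control_prong": control_prong}


def risk_assessment(customer: Customer) -> Dict[str, object]:
    """Score on customer type, geography, product and channel; record hard EDD
    triggers separately so they cannot be averaged away by a low score."""
    score, reasons, triggers = 0, [], []

    if customer.customer_type == "legal_entity":
        score += 1
        reasons.append("legal entity (+1)")

    countries = set(customer.countries)
    if countries & SANCTIONED_COUNTRIES:
        triggers.append("activity in comprehensively sanctioned jurisdiction")
    elif countries & FATF_LISTED_COUNTRIES:
        triggers.append("activity in FATF-listed jurisdiction")
    if len(countries) > 1:
        score += 1
        reasons.append("multi-country activity (+1)")

    if customer.business_type in HIGH_RISK_BUSINESS_TYPES:
        triggers.append(f"high-risk business type: {customer.business_type}")

    for product in customer.products:
        weight = PRODUCT_WEIGHTS.get(product, 1)   # unknown products default to +1
        if weight:
            score += weight
            reasons.append(f"product {product} (+{weight})")

    if customer.channel == "online":
        score += 1
        reasons.append("non-face-to-face onboarding (+1)")

    if customer.is_pep:
        triggers.append("politically exposed person")
    if customer.nominee_or_bearer or customer.ownership_layers >= 2:
        triggers.append("complex ownership structure")

    if triggers or score >= EDD_SCORE_THRESHOLD:
        tier = "EDD"
    elif score <= SDD_SCORE_THRESHOLD:
        tier = "SDD"
    else:
        tier = "CDD"
    return {"score": score, "tier": tier, "triggers": triggers, "reasons": reasons}


def sample_customers() -> Dict[str, Customer]:
    """Constructed customers covering each tier and both beneficial-ownership prongs."""
    return {
        "retail": Customer("Retail consumer", "individual", "retail_consumer",
                           ["US"], ["checking"], "branch"),
        "diner": Customer("Main Street Diner LLC", "legal_entity", "restaurant",
                          ["US"], ["checking", "cash_deposits"], "branch",
                          owners=[Owner("A. Owner", 60, control_person=True), Owner("B. Owner", 40)]),
        "trader": Customer("Cross-border consultant", "individual", "consulting",
                           ["US", "DE", "SG"], ["international_wires"], "online"),
        "holdco": Customer("Layered Holdings Ltd", "legal_entity", "holding_company",
                           ["US"], ["checking"], "branch", ownership_layers=3,
                           owners=[Owner("P", 40), Owner("Q", 30), Owner("R", 20),
                                   Owner("S", 10, control_person=True)]),
    }


if __name__ == "__main__":
    for key, cust in sample_customers().items():
        result = risk_assessment(cust)
        print(f"{cust.name}: tier={result['tier']} score={result['score']} "
              f"triggers={result['triggers']} owners={beneficial_owners(cust)}")
```

Two design points worth noting. Hard triggers (PEP status, sanctioned or FATF-listed geography, high-risk business type, complex ownership) are kept apart from the additive score so that a customer with an otherwise low profile still lands in EDD, which matches the checklist item that EDD triggers be defined in policy rather than left to analyst judgment. The `reasons` and `triggers` lists make each rating explainable, which is what an examiner or model validator will ask for when the methodology is tested.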
CDD/EDD Checklist
- ☐ Implement a customer risk rating methodology with documented scoring criteria
- ☐ Screen all customers against PEP databases at onboarding and periodically (at least annually for high-risk, every 2-3 years for standard-risk)
- ☐ Define EDD triggers clearly in your policies — don't leave it to analyst judgment alone
- ☐ Collect beneficial ownership for all legal entity customers (25% threshold plus one control person)
- ☐ Document EDD findings and senior management approvals in the customer file
- ☐ Establish a process for periodic CDD refresh — customer profiles change over time