Secure verifications for every industry
We provide templated identity verification workflows for common industries and can further design tailored workflows for your specific business.

Not all customers present the same risk. A retiree opening a savings account presents different concerns than a shell company with beneficial owners in multiple high-risk jurisdictions. Customer Due Diligence (CDD) recognizes this reality through tiered due diligence: standard procedures for most customers, enhanced procedures for those presenting elevated risk.
But when exactly should standard CDD escalate to Enhanced Due Diligence (EDD)? This question troubles compliance professionals because the answer isn't always clear. Some situations mandate EDD by regulation. Others require judgment calls based on risk assessment. Getting this wrong in either direction creates problems: under-application of EDD leaves the institution exposed to high-risk customers without adequate understanding, while over-application wastes resources and frustrates customers who don't warrant extra scrutiny.
This guide provides a framework for EDD escalation decisions. We cover mandatory EDD triggers, risk-based triggers that warrant EDD, the specific procedures that distinguish EDD from standard CDD, and practical guidance for making consistent escalation decisions.
Before examining EDD specifically, it helps to understand the full spectrum of customer due diligence.
At the lowest risk level, some jurisdictions permit simplified due diligence (SDD) for customers presenting minimal risk. SDD involves reduced verification requirements and less intensive ongoing monitoring. Typical SDD candidates include regulated financial institutions, publicly traded companies, and government bodies.
SDD is not widely permitted in the United States for Bank Secrecy Act (BSA) purposes, though risk-based approaches allow some calibration of CDD intensity for low-risk customers. The concept is more prevalent in international frameworks.
Standard CDD applies to the majority of customers. It fulfills the four requirements of FinCEN's CDD Rule: identifying and verifying customer identity, identifying and verifying beneficial owners of legal entities, understanding the nature and purpose of the relationship, and conducting ongoing monitoring.
Standard CDD provides a reasonable understanding of who the customer is, what they do, and what to expect from their account activity. It's sufficient for customers who don't present elevated risk indicators.
EDD applies when standard CDD reveals elevated risk or when specific circumstances mandate additional scrutiny. EDD involves all elements of standard CDD plus additional procedures designed to develop deeper understanding of higher-risk customers.
EDD is not a separate track that replaces standard CDD. It builds on top of standard CDD, adding layers of scrutiny proportionate to the elevated risk.
Certain situations require EDD as a matter of regulatory mandate rather than institutional discretion.
Politically Exposed Persons (PEPs) include current or former senior government officials, their family members, and close associates. The concern is that PEPs may have opportunities for corruption and may seek to launder bribery proceeds through the financial system.
EDD requirements for PEPs appear in various regulations and guidance. FATF Recommendations require enhanced scrutiny for PEP relationships. The USA PATRIOT Act imposes specific EDD requirements for private banking accounts held by senior foreign political figures. While no U.S. regulation explicitly requires EDD for all PEPs, regulatory guidance and examination expectations effectively make PEP EDD standard practice.
EDD for PEPs should include determining the source of the PEP's wealth and the source of funds flowing through the account, understanding the purpose of the relationship and expected activity, obtaining senior management approval to establish and continue the relationship, and implementing enhanced ongoing monitoring.
Correspondent banking relationships, where one financial institution provides services to another, present elevated risk because the correspondent may facilitate transactions for the respondent's customers without direct knowledge of those underlying customers.
The USA PATRIOT Act requires enhanced due diligence for correspondent accounts with foreign banks. EDD for correspondent relationships includes assessing the respondent institution's AML controls and customer base, understanding the types of customers and transactions the account will serve, and determining whether the respondent bank's jurisdiction presents elevated risk.
Shell banks, which have no physical presence in any country, are prohibited from correspondent relationships entirely.
Private banking services for high-net-worth individuals present elevated risk due to the larger amounts involved and the potential for sophisticated money laundering schemes.
The USA PATRIOT Act requires EDD for private banking accounts held by non-U.S. persons. This includes identifying all nominal and beneficial owners, determining the source of funds, understanding the purpose and expected activity, and implementing enhanced monitoring.
Customers from countries identified as presenting elevated money laundering or terrorist financing risk warrant EDD.
FATF maintains lists of jurisdictions with strategic AML/CFT deficiencies. The list of High-Risk Jurisdictions Subject to a Call for Action identifies countries with serious deficiencies, for which FATF calls on members to apply enhanced due diligence or countermeasures. The list of Jurisdictions Under Increased Monitoring identifies countries with deficiencies that have committed to action plans.
OFAC sanctions programs may also identify countries warranting enhanced scrutiny. Customers with substantial connections to sanctioned countries require careful evaluation.
Beyond mandatory triggers, institutions should apply EDD when their own risk assessment identifies elevated concern. This requires judgment rather than mechanical rule-following.
Entities with complex or opaque ownership structures may warrant EDD because the complexity makes it harder to identify who truly controls the entity and benefits from its activities.
Red flags include multiple layers of holding companies, ownership through trusts or nominee shareholders, ownership spanning multiple jurisdictions with limited transparency, and frequent changes in ownership structure.
EDD for complex ownership involves tracing ownership to natural persons, understanding the business rationale for the structure, and determining whether the complexity serves legitimate purposes or obscures beneficial ownership.
Businesses that handle large amounts of cash present elevated money laundering risk because cash is difficult to trace and easy to manipulate.
Common cash-intensive businesses include restaurants and bars, convenience stores and gas stations, car washes, parking facilities, vending operations, casinos and gaming establishments, money services businesses, and certain retail operations.
EDD for cash-intensive businesses focuses on understanding expected cash volumes, comparing reported activity against industry norms, and monitoring for structuring or unusual patterns.
Certain industries present elevated risk due to their characteristics or historical association with money laundering or other financial crime.
Examples include precious metals and stones dealers, real estate (particularly luxury residential and commercial), art and antiquities dealers, legal and accounting services (which may be used to structure transactions), arms and defense, cryptocurrency and digital assets, and adult entertainment.
EDD for high-risk industries involves understanding the specific risks associated with the industry, the customer's position within that industry, and controls the customer has in place to mitigate relevant risks.
Negative news coverage suggesting possible involvement in financial crime, corruption, or other misconduct warrants enhanced scrutiny.
Adverse media screening should be part of standard CDD, but significant negative findings trigger EDD. This includes news coverage of criminal investigations or prosecutions, civil litigation alleging fraud or financial misconduct, regulatory enforcement actions, and credible allegations of corruption or sanctions evasion.
EDD following adverse media involves investigating the allegations, determining their credibility and relevance, and assessing whether the relationship should continue.
When ongoing monitoring reveals activity inconsistent with the customer's stated profile, EDD may be warranted.
Examples include transaction volumes significantly exceeding expected levels, geographic patterns inconsistent with stated business, transaction types the customer's business doesn't normally use, and structuring or other apparent attempts to evade detection.
EDD in this context involves investigating the unusual activity, updating understanding of the customer's current circumstances, and determining whether activity is consistent with legitimate business or warrants further escalation (potentially including SAR filing).
Customers who have been the subject of previous suspicious activity reports warrant enhanced scrutiny going forward. The prior SAR indicates the institution identified concerning activity, even if the concern was ultimately unfounded.
EDD involves specific procedures that go beyond standard CDD. The goal is developing deeper understanding of higher-risk customers to enable effective monitoring and informed relationship decisions.
Source of wealth refers to how the customer accumulated their total wealth over time. Understanding source of wealth helps assess whether the customer's financial position is consistent with their background and whether there's risk that wealth derives from criminal activity.
Source of wealth investigation considers the customer's employment and business history, inheritance or gifts received, investment returns and capital gains, and historical context (how long have they been accumulating wealth).
Documentation might include tax returns, business financial statements, inheritance documentation, or investment account records. The depth of documentation depends on the level of risk and the amount of wealth involved.
Source of funds focuses more narrowly on the origin of specific funds flowing through the account. While source of wealth asks "how did this customer become wealthy," source of funds asks "where is this specific money coming from."
Source of funds investigation considers what generates the funds (business revenue, investment returns, etc.), how funds flow into the account, and whether the source is consistent with the customer's known business or employment.
For business customers, this might involve understanding the customer's customers, revenue streams, and normal transaction patterns. For individuals, it might involve understanding employment income, investment sources, or other income.
EDD typically requires senior management involvement in decisions to establish or continue high-risk relationships. This ensures appropriate oversight and creates accountability for risk acceptance decisions.
Senior management approval should be documented, including the risk factors triggering EDD, the enhanced procedures performed, the findings, and the decision rationale. This documentation demonstrates that the institution made an informed decision to accept the elevated risk.
High-risk customers warrant more intensive ongoing monitoring than standard customers. Enhanced monitoring might include lower transaction thresholds for alerts, more frequent periodic reviews, additional scenarios targeting specific risk factors, and direct relationship manager oversight for private banking customers.
The monitoring intensity should be proportionate to the risk. A customer who barely crosses an EDD threshold warrants less intensive monitoring than a customer presenting multiple significant risk factors.
Inconsistent EDD escalation creates problems. If similar customers receive different treatment depending on who reviews them, the institution lacks a defensible approach. Examiners will question why one customer triggered EDD while a similar customer didn't.
Establish clear, documented criteria for EDD escalation. These criteria should cover mandatory triggers (PEPs, correspondent banking, etc.), risk-based triggers specific to your customer base and products, thresholds for each trigger (what level of risk warrants escalation), and procedures for borderline cases.
Systematic risk scoring helps ensure consistency. Assign points for various risk factors (jurisdiction, industry, ownership complexity, etc.) and establish thresholds that trigger EDD.
Risk scoring doesn't replace judgment, but it provides a consistent framework for exercising judgment. A customer with multiple moderate risk factors may reach the EDD threshold in aggregate even if no single factor is decisive.
Establish procedures for escalation decisions. Who makes the initial determination that EDD may be warranted? Who has authority to approve EDD or determine it's not required? What documentation is required?
For borderline cases, consider requiring second-level review or committee decision. This adds process but improves consistency for difficult calls.
Staff involved in EDD decisions need training on criteria, procedures, and rationale. They should understand not just the rules but the underlying purpose: ensuring the institution has adequate understanding of customers presenting elevated risk.
Case studies and scenario exercises help develop consistent judgment across the team.
Regular quality assurance review of EDD decisions identifies inconsistencies and training needs. Review both cases where EDD was applied and cases where it was considered but not applied.
Track metrics on EDD application rates, outcomes, and examiner feedback to identify areas for improvement.
Experience and examination findings reveal recurring EDD failures.
Some institutions interpret EDD triggers as automatic disqualification. They decline relationships rather than performing the enhanced diligence that might enable acceptance.
This approach abandons legitimate high-risk customers and may constitute illegal discrimination if triggers correlate with protected characteristics. EDD exists precisely to enable relationships with higher-risk customers through enhanced understanding. Declining without performing EDD fails both the customer and the institution.
Other institutions perform EDD mechanically, collecting required documents without genuine analysis. They obtain source of wealth declarations without evaluating whether the stated sources are plausible. They conduct adverse media searches without investigating findings.
Checkbox EDD satisfies form but not substance. Examiners look for evidence of actual analysis, not just document collection.
EDD isn't complete at onboarding. High-risk relationships require enhanced monitoring and periodic review throughout the relationship. Customer circumstances change. New risks emerge. Risk assessment should be updated accordingly.
Institutions that perform thorough EDD at onboarding but then treat the customer as low-risk for ongoing purposes fail to maintain appropriate scrutiny.
EDD decisions involve judgment, and judgment should be documented. What risk factors were identified? What enhanced procedures were performed? What did the investigation reveal? Why was the decision made to accept (or decline) the relationship?
Without documentation, the institution can't demonstrate that it made informed decisions about high-risk customers. Examiners will assume the worst about undocumented processes.
When similar customers receive different treatment, the institution's approach isn't defensible. Consistency requires clear criteria, systematic risk assessment, and quality assurance review.
Technology helps institutions identify EDD triggers and perform enhanced procedures efficiently.
Automated risk scoring evaluates CDD information against defined criteria and flags customers for EDD consideration. This ensures triggers aren't missed and provides consistent baseline assessment.
Effective risk scoring systems incorporate multiple data sources, weight factors according to your risk framework, and produce explainable outputs that support human decision-making.
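A sketch of the scoring approach described here and in the earlier passage on assigning points to risk factors, as an added example rather than Zyphe's code or any regulator's method. Factor names follow the triggers listed in this guide; the point values, the threshold of 50 and the 10-point review margin are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Factor names follow the triggers listed in this guide. The point values,
# threshold and review margin are constructed for illustration only.
MANDATORY_TRIGGERS = {
    "pep",
    "foreign_correspondent_bank",
    "private_banking_non_us_person",
    "high_risk_jurisdiction",
}
RISK_WEIGHTS = {
    "complex_ownership": 25,
    "cash_intensive_business": 20,
    "high_risk_industry": 20,
    "adverse_media": 30,
    "unusual_transaction_pattern": 25,
    "prior_sar": 30,
}
EDD_THRESHOLD = 50   # aggregate score at or above this escalates to EDD
REVIEW_MARGIN = 10   # scores this close below the threshold are borderline


@dataclass(frozen=True)
class Decision:
    outcome: str              # "EDD", "SECOND_LEVEL_REVIEW" or "STANDARD_CDD"
    score: int
    reasons: tuple[str, ...]  # explainable output for the reviewer and the file


def assess(factors: set[str]) -> Decision:
    """Score a customer's risk factors and return an explainable decision."""
    # Fail closed: a misspelled factor must not silently lower the score.
    unknown = sorted(
        f for f in factors
        if f not in MANDATORY_TRIGGERS and f not in RISK_WEIGHTS
    )
    if unknown:
        raise ValueError(f"unrecognised risk factors: {unknown}")

    mandatory = sorted(f for f in factors if f in MANDATORY_TRIGGERS)
    scored = sorted(f for f in factors if f in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[f] for f in scored)

    reasons = [f"mandatory trigger: {f}" for f in mandatory]
    reasons += [f"{f}: +{RISK_WEIGHTS[f]}" for f in scored]

    if mandatory:
        # Mandatory triggers require EDD regardless of the aggregate score.
        outcome = "EDD"
    elif score >= EDD_THRESHOLD:
        outcome = "EDD"
        reasons.append(f"aggregate {score} >= threshold {EDD_THRESHOLD}")
    elif score >= EDD_THRESHOLD - REVIEW_MARGIN:
        # Borderline cases go to a second reviewer instead of being waved through.
        outcome = "SECOND_LEVEL_REVIEW"
        reasons.append(f"aggregate {score} within {REVIEW_MARGIN} of threshold")
    else:
        outcome = "STANDARD_CDD"
    return Decision(outcome, score, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample customers
    for sample in ({"pep"},
                   {"complex_ownership", "cash_intensive_business", "high_risk_industry"},
                   {"cash_intensive_business", "high_risk_industry"}):
        print(sorted(sample), "->", assess(sample))
```

The `reasons` tuple is what would go into the customer file alongside the human decision, so that two reviewers looking at similar customers can see why the outcomes match or differ.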
Automated adverse media screening monitors news sources for mentions of customers in contexts suggesting financial crime, corruption, or other concerns. This identifies EDD triggers that might otherwise be missed and supports ongoing monitoring for high-risk relationships.
Advanced systems filter results to reduce noise and prioritize genuinely relevant findings.
PEP databases identify current and former politically exposed persons, their family members, and close associates. Screening against these databases at onboarding identifies mandatory EDD triggers. Ongoing screening catches customers who become PEPs after relationship establishment.
For high-risk customers, enhanced verification provides additional confidence in identity and claimed attributes. Decentralized identity verification enables multi-source credential verification without requiring customers to repeatedly submit documents.
Regulators expect institutions to demonstrate risk-based EDD application and effective enhanced procedures.
BSA examinations evaluate whether the institution has identified categories of customers requiring EDD, whether EDD triggers are applied consistently, whether EDD procedures are commensurate with identified risks, whether EDD decisions are appropriately documented, and whether enhanced monitoring is implemented for high-risk relationships.
Examiners may request samples of high-risk customer files to evaluate EDD quality.
Enforcement actions have cited EDD failures including failure to identify and appropriately manage PEP relationships, inadequate source of funds investigation for high-risk customers, failure to update EDD as customer risk profiles changed, and insufficient documentation of EDD decisions.
These enforcement trends signal that regulators view EDD as requiring substance, not merely procedure.
An enhanced due diligence checklist is a structured document that guides compliance staff through the additional procedures required for high-risk customers. A typical EDD checklist includes verifying customer identity through multiple sources, investigating source of wealth (how the customer accumulated their total wealth over time), investigating source of funds (where specific funds flowing through the account originate), screening against sanctions lists and adverse media, documenting the business rationale for complex ownership structures, obtaining senior management approval for the relationship, establishing enhanced monitoring parameters, and documenting all findings and the decision rationale.
CIP, CDD, and EDD represent three related but distinct compliance requirements. CIP (Customer Identification Program) is the foundation, requiring financial institutions to collect and verify customer identity information at account opening. CDD (Customer Due Diligence) builds on CIP by adding beneficial ownership identification for entities, understanding the nature and purpose of the relationship, and ongoing monitoring. EDD (Enhanced Due Diligence) applies additional procedures for high-risk customers, including deeper investigation into source of wealth and funds, senior management approval, and enhanced ongoing monitoring. Think of them as layers: CIP establishes identity, CDD establishes the relationship context, and EDD provides deeper understanding when risk warrants it. For more detail, see our guide on CIP vs CDD vs EDD: Understanding the Three Pillars.
Enhanced due diligence typically follows a structured process. First, identify the EDD trigger (mandatory trigger like PEP status, or risk-based trigger from your risk assessment). Second, gather additional information beyond standard CDD, focusing on source of wealth and source of funds. Third, investigate the customer's background through adverse media screening, public records, and available databases. Fourth, analyze the information to understand whether the elevated risk is acceptable. Fifth, document your findings and analysis thoroughly. Sixth, obtain senior management approval to establish or continue the relationship. Seventh, implement enhanced monitoring with lower thresholds and more frequent periodic reviews. Each step should be documented to demonstrate informed decision-making.
EDD is required in two categories of situations. Mandatory triggers include politically exposed persons (PEPs) and their family members and close associates, correspondent banking relationships with foreign banks, private banking relationships with non-U.S. persons, and customers from high-risk jurisdictions identified by FATF or subject to OFAC sanctions. Risk-based triggers require institutional judgment and include complex or opaque ownership structures, cash-intensive businesses, high-risk industries (precious metals, real estate, gaming), significant adverse media, unusual transaction patterns, and prior suspicious activity reports. When your risk assessment identifies elevated concern, EDD is warranted even without a mandatory trigger.
The primary difference between CDD and EDD is depth. Standard CDD establishes a baseline understanding of the customer: who they are, what they do, and what to expect from their activity. EDD goes deeper, investigating how the customer accumulated their wealth, where their funds originate, and whether the elevated risk indicators are consistent with legitimate activity. EDD also involves organizational elements absent from standard CDD, including senior management approval for the relationship and enhanced ongoing monitoring. EDD is not a replacement for CDD but an addition to it. High-risk customers receive all standard CDD procedures plus the additional EDD procedures appropriate to their specific risk factors.
EDD escalation decisions sit at the intersection of regulatory requirement and risk management judgment. Mandatory triggers require EDD regardless of other factors. Risk-based triggers require assessment of whether customer characteristics, in aggregate, present elevated risk warranting enhanced scrutiny.
Effective EDD programs establish clear criteria, apply them consistently, and perform genuine enhanced diligence that goes beyond document collection to meaningful analysis. They treat EDD as a tool for enabling relationships with higher-risk customers through enhanced understanding, not as a mechanism for rejection.
Get the balance right, and EDD serves its purpose: ensuring your institution has adequate understanding of the customers who present the greatest potential for harm. Get it wrong, and you either expose the institution to risks it doesn't understand or drive away legitimate customers who happen to present elevated risk profiles.
Build your EDD program with both purposes in mind. Protect the institution while serving customers who deserve access to financial services despite presenting characteristics that warrant additional scrutiny.