When should the EDD apply?
How do you know when standard customer due diligence is no longer sufficient? Since 2024, most European regulators have strengthened AML/CFT requirements for financial intermediaries. At the center of this shift is Enhanced Due Diligence — a mandatory measure when dealing with PEPs, offshore entities, or high-risk countries. The problem is that the boundary between standard and enhanced checks is not always clear. A misstep in qualification can result in fines, blocked transactions, or even license revocation. So how can businesses remain compliant without overloading their compliance teams? In this article, we’ll break down when EDD is required, how to apply it correctly, and how to stay ahead of regulatory scrutiny.
What is EDD and why is it needed?
Enhanced Due Diligence (EDD) is a mandatory part of any AML/CFT program and applies in high-risk situations. Unlike standard Customer Due Diligence (CDD), EDD involves a deeper review of the customer’s profile, documented proof of the source of funds, and ongoing monitoring of transactions.
EDD isn’t an optional best practice; it’s a clear legal requirement under international standards. According to FATF Recommendation 10, financial institutions must apply EDD whenever the risk of money laundering or terrorist financing is high. The same rule appears in the Fourth and Fifth EU Anti-Money Laundering Directives (AMLD4 and AMLD5).
The goal of EDD is not only to meet legal obligations, but also to protect the business itself from being misused for money laundering, terrorist financing, or transactions with fake or criminal entities. Companies that ignore or underestimate the need for EDD face serious consequences, including regulatory sanctions, reputational damage, and blocked operations.
EDD vs CDD vs SDD: 3 levels of customer validation
Customer due diligence procedures under AML regulations are divided into three levels: Simplified Due Diligence (SDD), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD). The appropriate level depends on the risk assessment carried out by the company for each client, product, or jurisdiction.
- SDD applies when the risk of money laundering or terrorist financing is considered low — for example, when dealing with government bodies or highly regulated entities.
- CDD is the standard process involving client identification, verification, understanding the purpose of the business relationship, and monitoring transactions. It is mandatory for most cases under MiCA and AMLD.
- EDD is applied in high-risk situations, such as working with PEPs, offshore jurisdictions, complex ownership structures, or clients from FATF-listed countries.
The table below summarizes the key differences between the three levels:
| Criterion | SDD | CDD | EDD |
| --- | --- | --- | --- |
| Risk level | Low | Moderate | High |
| Amount of information | Minimal | Basic set of documents | Detailed check of sources, connections, UBOs |
| When applied | Transparent, regulated clients | All standard clients | PEPs, offshores, complex structures, suspicious transactions |
| Mandatory? | At the company’s discretion | Mandatory for all | Mandatory in specific cases under the law |
| Monitoring | Usually not conducted | Periodic | Continuous and in-depth |
When is Enhanced Due Diligence required?
MiCA, FATF, and the EU AML Directives clearly define a number of situations where crypto-asset service providers must conduct deeper customer identification and assess the legitimacy of their activities.
Politically exposed persons (PEPs)
Clients who qualify as politically exposed persons are always considered high-risk. This category includes not only current but also former government officials, judges, ambassadors, senior executives of state-owned companies, and their close relatives or business associates. Under AMLD5 and FATF recommendations, EDD is mandatory for all PEPs and must include verification of the source of funds, enhanced background checks, and ongoing monitoring.
Customers in high-risk or sanctioned jurisdictions
If a client is based in a country listed on the FATF’s grey or black list — or is subject to EU, UN, or OFAC sanctions — EDD must be applied. These jurisdictions typically have systemic AML/CFT weaknesses, lack transparency, and pose elevated political and financial risks. Special attention should also be given to clients who send or receive funds from such jurisdictions, even if they are registered in a "safe" country.
Customers with high-value transactions or unusual activity
A client who previously passed standard checks may still be reclassified as high-risk if their behavior raises red flags. Examples include:
- One-time or frequent high-value transactions;
- Sudden increase in transaction volumes;
- Use of unconventional payment channels;
- Frequent changes to contact details, IP addresses, or payment accounts.
Customers with adverse media reports
Credible media coverage linking a client to financial crime, corruption, or other legal violations is a valid trigger for EDD. Even in the absence of formal charges, if the information comes from a reliable source (such as Reuters, OCCRP, or national investigation databases), the company must initiate enhanced scrutiny. FATF treats such media findings as grounds for elevated risk assessment.
Entities with complex ownership structures
Companies whose beneficial ownership is difficult to trace are also considered high-risk. This includes complex holding structures, offshore jurisdictions, nominee directors, trust arrangements, or white-label setups. EDD in these cases involves full disclosure of ownership, analysis of the structure’s purpose, and checks for sanctions, PEP status, or legal concerns.
Company-initiated EDD based on internal risk assessment
Both MiCA and modern AML rules follow a risk-based approach, meaning that crypto companies are responsible for applying EDD even if a client doesn’t fall into a formal risk category. Situations that may justify EDD based on internal policies include:
- The client refuses to disclose the source of funds;
- Their behavior contradicts the stated business model;
- There’s a sudden, unexplained change in transaction activity;
- The client’s partners are linked to high-risk sectors or jurisdictions.
Such cases must be well-documented, supported by internal justification, and reported to financial intelligence units (FIUs) if suspicious activity is detected.
High-risk third countries
Both European and international regulations require special attention to clients and counterparties associated with so-called high-risk third countries. These are jurisdictions officially recognized as failing to effectively combat money laundering and terrorist financing. Among the countries identified as high-risk are jurisdictions with political instability as well as offshore centers lacking transparency. As of 2025, the list includes:
- Iran
- North Korea (DPRK)
- Syria
- Myanmar
- Pakistan
- Burkina Faso
- Jamaica
- Morocco
- Uganda
- Nicaragua
- Panama
- Cambodia
- Zimbabwe
- Mauritius
- Barbados
- Cayman Islands
- Albania
These countries raise red flags due to low data transparency, non-membership in FATF, repeated AML/CFT violations, suspicious financial or corporate structures, and lack of effective international cooperation or information sharing. The full list, along with the criteria used, is available on the official European Commission website.
How is Enhanced Due Diligence conducted?
Enhanced Due Diligence involves a set of mandatory steps, each of which must be documented and justified:
- Establishing the source of funds and origin of assets. This goes beyond simply asking the client. You must obtain objective evidence such as bank statements, tax returns, contracts, or corporate documents.
- Verifying beneficial ownership and complex structures. If the client is a legal entity, the entire ownership chain must be disclosed, including trusts, holding companies, and ultimate beneficial owners (UBOs).
- Conducting expanded screenings for sanctions and PEP status. External databases and automated monitoring tools must be used to check against lists such as OFAC, the EU, and the UN, as well as national registers of politically exposed persons.
Risks of EDD non-compliance: from fines to market exclusion
Neglecting or superficially implementing Enhanced Due Diligence obligations not only increases compliance risks, but can also lead to critical consequences for crypto companies and their key partners:
- Administrative sanctions and fines. EU national regulators and the European Commission consider failure to apply EDD as a serious breach of anti-money laundering rules. In some jurisdictions, fines for such violations can reach millions of euros, especially in cases of repeated offenses or non-compliance with regulatory orders.
- Loss of CASP license. Under MiCA, proper EDD implementation is a fundamental component of a compliance program. If a crypto platform is found to consistently neglect EDD obligations toward high-risk clients, its CASP license may be suspended or revoked.
- Restrictions from banks and partners. Financial and payment institutions perform their own AML compliance assessments. Companies that fail to meet EDD standards often end up on internal blacklists, lose access to settlement accounts, and become unable to process euro-denominated transactions.
- Reputational damage. Even a mention in the media or a public report from a regulator detailing EDD violations can seriously undermine trust from clients, investors, and authorities. In the crypto industry, reputational losses are particularly damaging, as they directly affect usability and liquidity.
- Criminal liability. In some countries, involvement in money laundering schemes — even due to negligence — may result in personal criminal liability for company executives, if it is proven that proper EDD procedures were not applied to problematic clients.
Utilizing technology to improve the effectiveness of EDD procedures
Enhanced Due Diligence relies on a range of advanced technologies to ensure compliance and reduce risk:
- Automated client screening and monitoring systems. Solutions integrated with global databases (such as Dow Jones, World-Check, and Refinitiv) enable real-time detection of connections to sanction lists, PEP profiles, and high-risk jurisdictions.
- Transaction behavior analysis based on algorithms. Behavioral modeling, machine learning, and trigger-based scenarios help identify abnormal transactions in real time, which is especially critical for VASPs and platforms with high user activity.
- Electronic KYC/EDD platforms (eKYC). Digital identity verification, document authentication, and biometric data collection provide reliable remote onboarding with automated data archiving.
- Beneficial ownership visualization tools. These tools visually map relationships between companies, trusts, and individuals—essential when dealing with corporate clients from offshore or opaque jurisdictions.
Benefits of technology adoption include reduced human error and operational risks, faster onboarding, time savings in analysis, enhanced auditability for regulators, and stronger safeguards against AML/CFT breaches.
Technology cannot replace legal expertise, but it provides the necessary infrastructure for sustainable and scalable EDD. Each EDD procedure should be accompanied by a formal client file, documented risk analysis, justification for business relationship decisions, and a schedule for data review, at least every 6 to 12 months.
How Key2Law can support your EDD compliance under MiCA
The Key2Law team provides end-to-end regulatory support on AML/CFT compliance and MiCA alignment, including the implementation and review of Enhanced Due Diligence procedures:
- Client risk assessment and business model review — we identify where EDD is legally required and deliver a regulatory opinion tailored to your case;
- Policy and procedure development — we adapt international EDD standards to your business model, covering UBO verification, source of funds, country risk, and adverse media screening;
- Technical integration — we assist in selecting and implementing appropriate screening tools, digital KYC platforms, and modular monitoring solutions;
- Training and audit — we deliver staff training, conduct internal compliance checks, and help you prepare for regulator inspections.
If your business operates in the crypto space and you want full confidence in your compliance process, contact us. Key2Law will help you build a robust EDD framework that can stand up to any regulatory audit.