KYC, CDD and EDD: getting the due-diligence tier right

KYC, CDD and EDD are often used interchangeably, and that confusion costs money. Apply too little and you have a control gap a regulator will find. Apply too much and you burn budget and frustrate good customers. The skill is matching the level of effort to the level of risk.

1. The three terms

• KYC (Know Your Customer) is the umbrella: identifying and verifying who your customer is.
• CDD (Customer Due Diligence) is the standard process applied to most customers: identity, beneficial ownership, and understanding the purpose of the relationship.
• EDD (Enhanced Due Diligence) is the deeper process applied when risk is higher.

2. When each applies

This is a risk-based decision. Lower-risk relationships may justify simplified measures; standard relationships get CDD; and higher-risk situations, such as politically exposed persons, complex ownership, high-risk jurisdictions or unusual activity, trigger EDD. The trigger logic should be defined, consistent and documented, not left to individual judgement.

3. What EDD actually requires

• Establishing source of funds and, where relevant, source of wealth.
• Senior management approval to enter or continue the relationship.
• Enhanced ongoing monitoring at a higher intensity than standard customers.

4. The cost of getting the tier wrong

Set the tier too low for a high-risk customer and you have a finding waiting to happen. Set it too high across the board and you create onboarding friction, lose good customers, and spend analyst time where it adds little. Both errors are expensive; one is just more visible than the other.

5. Evidencing it

From an audit perspective, the file is the proof. A defensible file shows why a risk tier was chosen, what was collected, and that the work matches the stated risk. If the rationale is not written down, it did not happen, as far as an examiner is concerned.