Enhanced Due Diligence (EDD) Explained

Enhanced Due Diligence (EDD) requirements explained for UK accounting firms, covering mandatory triggers, prescribed measures, common compliance failures, and practical implementation steps under MLR 2017.

55% of accounting firms got it wrong.  

The 2025 ICAS thematic review revealed a concerning finding: more than half of firms had misjudged their money laundering risks. One critical area where firms frequently fall short is Enhanced Due Diligence (EDD), the additional checks required when standard customer due diligence is not enough.  

For accountancy service providers, trust and company service providers, tax advisers, and bookkeepers, understanding when and how to apply EDD isn’t just about regulatory compliance. It’s about protecting your firm from being used as a vehicle for money laundering, avoiding significant penalties, and maintaining your professional reputation. 

This guide cuts through the complexity of HMRC’s guidance to give you practical, actionable information about EDD requirements under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). 

Key Points for Busy Readers  

  • EDD is mandatory when specific high-risk factors are present. It’s not optional or discretionary  
  • You cannot outsource EDD to third parties under reliance arrangements, unlike standard customer due diligence  
  • Three main triggers: customers in high-risk third countries, politically exposed persons (PEPs), and complex/unusual transactions  
  • Prescribed measures exist for certain scenarios. Simply doing “a bit more” isn’t sufficient for high-risk third countries and PEPs  
  • Initial risk matters, not residual risk. EDD applies based on risk factors before your controls are applied  
  • Written procedures are mandatory. Having procedures “in your head” breaches Regulation 19  
  • Case studies show common failures: not recognising triggers, having procedures but not following them, and superficial checks that don’t actually mitigate risk  
  • Breaches cascade: failing to apply EDD typically also breaches risk assessment (Reg 18) and policies/procedures (Reg 19) requirements 

What is Enhanced Due Diligence?

Enhanced Due Diligence represents the additional measures you must take beyond standard customer due diligence when higher money laundering or terrorist financing risks are present. 

Standard CDD covers the basics:  

  • understanding their business purpose 

EDD takes you significantly further into your client’s affairs, their transactions, and their funding sources.  

The key distinction is proportionality. Your approach to EDD must be tailored to the specific risks you’ve identified in each case. What’s proportionate for a domestic PEP with transparent UK income sources will differ substantially from what’s needed for a client with beneficial owners in high-risk third countries conducting complex, high-value transactions. There is no universal checklist.  

HMRC’s guidance emphasises that you must understand not just what additional checks to perform, but why you’re performing them and how they mitigate the specific risks you’ve identified. A critical concept to grasp is the difference between initial risk and residual risk. EDD requirements are triggered by the initial risk rating – the risk before your controls are applied, not the residual risk remaining after controls are in place. 

For example, if an art market participant has customers in high-risk third countries, they cannot argue that their general EDD procedures have reduced the risk to “low” and therefore EDD isn’t needed. The requirement to apply specific EDD measures is triggered by the presence of the high-risk factor itself. 

When is EDD Required?

MLR 2017 specifies seven situations where Enhanced Due Diligence is mandatory. Understanding these triggers is essential for compliance. 

| Trigger | When It Applies | Key Points |
|---|---|---|
| High-Risk Third Countries | Customer is established in a country on FATF's "Call for Action" (blacklist) or "Increased Monitoring" (grey list) | "Established in" means resident (individuals) or incorporated/principal place of business (companies). Simply being born there doesn't trigger EDD if they now reside elsewhere. |
| Politically Exposed Persons (PEPs) | Customer is a PEP[1], or family member[2] or known close associate[3] of a PEP | Applies to domestic, foreign, and international organisation PEPs. Excludes middle-ranking or junior officials. |
| Business-Identified Risks | High-risk factors your firm identified in its own risk assessment | If your practice assessed third-party payments as high risk, apply EDD when this occurs. |
| HMRC-Identified Risks | High risks identified in HMRC's published guidance for your sector | Includes "Understanding risks and taking action" guidance and National Risk Assessment. Example: super-prime property for estate agents. |
| False or Stolen Documentation | Customer provided false or stolen ID documents or false information, and you continue dealing with them | EDD is mandatory if you choose to proceed with the relationship. |
| Complex or Unusual Transactions | Transactions that are complex, unusually large, follow unusual patterns, or have no apparent economic or legal purpose | What counts as "unusual" or "complex" depends on what's normal for your practice and client base. |
| Any Other High-Risk Case | Any situation that by its nature presents higher money laundering or terrorist financing risk | Covers cash-intensive businesses, products favouring anonymity, non-face-to-face relationships without safeguards, or transactions involving countries with significant corruption or sanctions. |

If any of these seven triggers apply to your client relationship, EDD is not optional. You must apply the additional measures proportionate to the risks identified. 

Definitions:  

[1] PEP (Politically Exposed Person): Someone entrusted with prominent public functions.

[2] Family Member: Spouse, partner, children, children’s spouses or partners, and parents. 

[3] Known Close Associate: Business partners or individuals with joint beneficial ownership. 

What Enhanced Due Diligence Involves

The specific measures you must take depend on which trigger applies. Regulation 33(5) MLR 2017 provides a non-exhaustive list of EDD measures that may include: 

  • Additional Verification from Independent Sources – Seek additional independent, reliable sources to verify information provided to you. This goes beyond accepting documents at face value. If a client provides a bank statement to verify source of funds, you must check it actually shows the fund origins, not just that money exists in the account. 
  • Deeper Understanding of Client Background – Take additional measures to understand the background, ownership, and financial situation of the customer and other transaction parties. This means going deeper into the client’s business structure, understanding their revenue sources, and identifying who ultimately controls and benefits from the entity. 
  • Transaction Purpose Verification – Take further steps to confirm transaction consistency with the purpose and intended nature of the business relationship. You should be able to explain why this transaction makes sense for this particular client at this particular time. 
  • Enhanced Monitoring – Increase the frequency and intensity of monitoring the business relationship, including greater transaction scrutiny. This means more frequent reviews, lower thresholds for investigation, and closer attention to patterns that might indicate unusual activity. 

These measures provide flexibility to tailor your approach to the specific risks identified. However, for high-risk third countries and PEPs, prescribed measures are mandatory. You cannot simply choose from the general list above. 

Prescribed EDD Measures for High-Risk Scenarios

Different high-risk scenarios require specific mandatory measures. You must complete all requirements listed for the relevant category. 

High-Risk Third Countries 

| Requirement | What You Must Do |
|---|---|
| Additional Customer Information | Gather information about the customer and beneficial owners that goes beyond standard CDD requirements |
| Business Relationship Details | Understand the intended nature of the business relationship in greater depth |
| Source Verification | Obtain information and documents proving both source of funds and source of wealth[1] |
| Transaction Purpose | Establish why the customer wants to conduct this transaction |
| Management Approval | Get approval from senior management[2] to establish or continue the relationship |
| Enhanced Monitoring | Conduct ongoing monitoring with increased frequency and intensity of controls |

Politically Exposed Persons 

| Requirement | What You Must Do |
|---|---|
| Management Approval | Senior management[2] must approve establishing or continuing the business relationship |
| Source Verification | Take adequate measures to establish source of wealth and source of funds[1] |
| Enhanced Monitoring | Conduct enhanced ongoing monitoring for business relationships (not required for occasional transactions) |

These measures are mandatory when the specified triggers apply. You cannot choose to apply only some of them. 

Definitions: 

[1] Source of Wealth vs Source of Funds: Source of wealth means the origin of the client’s total assets or net worth (how they accumulated their wealth over time). Source of funds relates to the origin of the particular money being used in this specific transaction or business relationship. 

[2] Senior Management: Someone with sufficient knowledge of money laundering risks and authority to make decisions affecting your business’s risk exposure. Typically, a director, partner, or sole proprietor. 

7 Ways Firms Fail at EDD

HMRC case studies reveal patterns of failure that accounting firms should actively avoid: 

  • Not Recognising When EDD is Required – An accountancy firm provided services to a customer with beneficial owners in a high-risk third country but conducted no EDD. When questioned, they explained they thought “high-risk countries” meant conflict zones. They hadn’t reviewed HMRC guidance since registering five years earlier. 
  • Having Procedures but Ignoring Them – An art market participant had written EDD procedures requiring nominated officer approval for third-party payments. During inspection, HMRC found a third-party payment where only standard CDD was conducted. None of the firm’s documented EDD procedures were followed. 
  • Going Through the Motions Without Substance – A high-value dealer requested bank statements to verify source of funds for large cash payments. However, staff routinely accepted statements showing a large credit from a third party without investigating where that money originated. The check was performed but didn’t actually reduce the risk. 
  • Misunderstanding “Established In” – Some firms apply EDD based on where someone was born rather than where they currently live or operate. A client born in a high-risk country but resident in the UK for 20 years doesn’t trigger high-risk third country requirements unless they maintain residence or operations there. 
  • Relying Only on Customer Self-Declaration – When asked if they’re a PEP, customers may not understand the term or may not disclose truthfully. Relying solely on self-declaration without independent verification leaves your firm exposed if you later discover the customer was indeed a PEP. 
  • Using Outdated High-Risk Country Lists – The FATF lists change regularly. Firms using outdated lists may fail to apply EDD when required or apply unnecessary EDD to countries no longer listed. Your procedures must specify who updates these lists, how often, and where the current list is kept. 
  • Cascade Effect of Failures – Failing to apply EDD rarely happens in isolation. If you haven’t conducted EDD, you’ve likely also failed to identify the risk properly, establish appropriate procedures, or provide adequate staff training. One compliance failure typically signals deeper systemic issues across your AML framework. 

Understanding these common failures helps you spot vulnerabilities in your own practice before HMRC does. Each represents an opportunity to strengthen your compliance approach and protect your firm. 

How to Implement EDD Effectively

Effective EDD requires more than writing procedures. You need to build risk awareness into how your practice operates day to day. 

| Area | What You Need to Do |
|---|---|
| Written Procedures | Document what additional measures apply in each EDD scenario, who approves high-risk relationships, and how enhanced monitoring works. Any trained staff member should be able to follow your procedures consistently. |
| Specific Measures | State exactly what checks you'll perform, which sources you'll consult, what information you'll gather, and how you'll record findings. Avoid vague statements like "we conduct additional checks." |
| Risk Assessment Link | Address the risks identified in your firm assessment and sector guidance directly in your procedures. If you've identified cash payments as high risk, specify what you'll do when they occur. |
| Staff Training | Teach staff how to spot EDD triggers, which measures to apply, who to escalate to, and how to document their work. Include regular refresher training when requirements or lists change. |
| Senior Management Role | Create clear processes for which senior manager reviews high-risk relationships, what criteria they use, and how approval gets documented. Approval should be informed, not automatic. |
| Monitoring Systems | Set up systems to flag unusual activity, generate reports about higher-risk clients, and schedule regular reviews. Identify what patterns require investigation and who acts on them. |
| Regular Updates | Review procedures when sector guidance updates, when FATF lists change, or when you identify new risks. Document reviews and communicate changes to staff. |
| Record Keeping | Keep detailed records of measures applied, sources checked, information gathered, approvals given, and reasons for decisions. Records must prove compliance for specific customers. |

Implementation success depends on making these elements work together as a system. Strong procedures mean nothing if staff don’t understand them, if records don’t prove they were followed, or if senior management approves relationships without proper review. 

Action Steps: What Firms Should Do Now

Understanding EDD requirements is the first step. Implementing them effectively is what protects your firm. 

Immediate Actions: 

  • Review your procedures. Compare your written EDD procedures against the requirements in this guide. Do you have specific procedures for high-risk third countries, PEPs, and the risks identified in HMRC guidance for your sector? Document any gaps and create an action plan 
  • Check recent clients. Review your recent client intake and identify whether any should have triggered EDD. If you find cases where EDD should have been applied but wasn’t, investigate why 
  • Update your FATF lists. Check when you last updated your high-risk country lists. If you’re working from pre-2024 lists, update immediately and establish a process for monthly checks 
  • Train your staff. Ensure all client-facing staff understand EDD triggers and know what to do when they encounter them. Document this training and repeat it regularly 
  • Verify documentation. For current high-risk clients, ensure you have comprehensive records of the EDD measures applied. Could you demonstrate exactly what checks you performed if HMRC reviewed your compliance tomorrow? 
  • Confirm management approval. For clients requiring senior management approval, verify it actually occurred, was documented, and was informed rather than automatic 

EDD represents a significant compliance obligation, but it’s fundamentally about understanding your clients and the risks they present. The firms that struggle with EDD typically treat it as a box-ticking exercise rather than embedding risk awareness throughout their practice. By taking a systematic approach, you achieve compliance efficiently while building genuine resistance to money laundering risks. 

Introducing FigsFlow: Your EDD Compliance Solution

FigsFlow’s AML module helps accounting firms meet EDD requirements without the complexity or cost of traditional compliance software. Here’s what it includes: 

Core EDD Features: 

  • Risk assessment templates that let you identify which clients require EDD and which need standard CDD 
  • Integrated PEP screening during client onboarding with configurable workflows for all prescribed measures 
  • Senior management approval tracking with clear documentation of who approved what and when 
  • Source of wealth and funds documentation with structured templates and prompts 
  • Enhanced monitoring schedules that let you schedule AML checks at custom periods based on client risk ratings 
  • Comprehensive audit trails recording exactly what checks were performed, when, by whom, and with what results 
  • Document organisation that keeps all EDD evidence in one place and easily accessible for HMRC reviews 
  • Sector-specific procedure templates addressing HMRC’s published risk factors for accountancy services 

Beyond EDD compliance, FigsFlow offers a complete practice management solution. Generate engagement letters, create professional proposals, manage your service pricing, handle client communications, and integrate seamlessly with major accounting software including Xero, QuickBooks and Sage. Everything you need to run your practice efficiently is in one platform. 

FigsFlow is truly software designed by accountants for accountants. The workflows match how accounting practices actually operate, the interface is simple and intuitive, the features are comprehensive, and most importantly, it’s budget-friendly. 

🤔 Take a Guess: What Does FigsFlow Cost? 

Here’s everything FigsFlow offers: complete AML compliance with automated EDD workflows, PEP screening, FATF list updates, risk assessments, audit trails, engagement letters, proposals, service pricing, client management, and integrations with major accounting platforms. 

 What would you expect to pay? £100/month? £200/month? £500/month? 

FigsFlow starts at just £8/month for proposals and engagement letters.

For AML compliance, choose what works for your practice:

  • Pay-as-you-go: £3.00 per ID check
  • Subscription: £8/month base + £2.10 per ID check

Conclusion

Enhanced Due Diligence isn’t optional. With 55% of firms misjudging their money laundering risks, the gap between what firms think they’re doing and what regulations require is significant. 

You now understand when EDD is required, what measures to apply, and how to implement them effectively. The difference between compliant firms and those facing penalties comes down to action: understanding the requirements and actually implementing them consistently. 

The immediate actions are clear: 

  • Review your procedures against this guide.  
  • Check your recent clients for missed EDD triggers.  
  • Update your FATF lists.  
  • Train your staff.  
  • Verify your documentation.  
  • Confirm management approvals are genuine. 

Don’t wait for an HMRC inspection to discover gaps in your compliance.  

Take the first step today.  

💡 Not Sure Where to Take Your First Step? 

Start with FigsFlow. See how automated EDD workflows, integrated PEP screening, and comprehensive documentation make compliance manageable. Book a demo and discover why accountants choose FigsFlow at £18/month. 

Frequently Asked Questions

Is EDD required for all customers?

No. EDD is only required when specific risk factors are present, such as customers in high-risk third countries, PEPs, complex transactions, or other high-risk situations identified in your risk assessment or HMRC guidance. Most customers only require standard CDD. Apply EDD proportionately based on actual risks identified. 

What is an example of enhanced due diligence?

For a client in a high-risk third country, EDD includes obtaining senior management approval, gathering additional information about beneficial owners, verifying source of wealth and funds with supporting documents, understanding transaction purposes, and conducting enhanced ongoing monitoring with increased frequency compared to standard clients. 

Is EDD the same as KYC?

No. KYC (Know Your Customer) encompasses all customer identification and verification processes, including standard CDD. EDD is a specific level of KYC applied only to higher-risk customers. Think of KYC as the umbrella term, with standard CDD and EDD as different levels within it based on risk. 

When would EDD be required for accountants?

Accountants must apply EDD when serving customers in high-risk third countries, PEPs or their associates, clients providing false documents, complex or unusual transactions, risks identified in their firm assessment, risks in HMRC guidance, or any other high-risk situations. Third-party payments often trigger EDD requirements. 

What is the difference between standard due diligence and enhanced due diligence?

Standard CDD verifies identity, understands business purpose, and monitors activity. EDD goes further with additional verification from independent sources, deeper investigation of beneficial ownership and financial background, more frequent monitoring, senior management approval, and source of wealth/funds verification. EDD intensity matches the specific risks identified. 
