Most accounting firms have a KYC process. Very few have a clearly defined policy on when that process is no longer enough.
That gap is where regulatory exposure lives. FinCEN and state regulators are scrutinizing accountants, bookkeepers, and tax advisers more closely than at any point in the past decade. And when compliance files get reviewed, the question auditors ask is not whether you ran KYC checks. The question is whether you ran the right checks for the right client.
Understanding the difference between KYC vs EDD is where that answer starts. This guide breaks down exactly where standard due diligence ends and Enhanced Due Diligence begins, written specifically for US accounting and tax professionals who need practical answers.
What KYC Actually Means for Accounting Firms
Know Your Customer (KYC) is the overarching compliance framework that governs how your firm identifies, verifies, and monitors clients. Under the Bank Secrecy Act (BSA) and FinCEN’s AML program requirements, regulated entities, including accounting firms acting as trust and company service providers or handling client funds, must maintain a documented KYC program.
In plain terms, KYC is your firm’s policy-level commitment to understanding who you are working with, why they need your services, and what their expected financial activity looks like.
A KYC program typically covers four areas:
- client identification,
- beneficial ownership verification,
- risk classification, and
- ongoing monitoring.
Think of it as your firm’s compliance constitution. It sets the rules. The actual checks you run to fulfill those rules are a separate process entirely.
KYC tells you what you must do. Customer Due Diligence and Enhanced Due Diligence are how you do it.
What Is CDD and When Does It Apply?
Customer Due Diligence (CDD) is the operational execution of your KYC program for standard-risk clients. It is the baseline procedure applied during onboarding and periodic reviews for the majority of your client base.
CDD has three core components.
- First, identity verification – confirming who the client is through government-issued documentation, and identifying beneficial owners who hold 25% or more of a business entity, as required under FinCEN’s CDD Rule.
- Second, understanding the business relationship – documenting the nature of the engagement, the client’s business activities, and the purpose of their transactions.
- Third, ongoing monitoring – reviewing client activity periodically to confirm it aligns with their stated profile and flagging any unusual behavior for further review.
For most clients, such as a small business owner seeking tax advisory services or a salaried individual needing bookkeeping support, standard CDD satisfies your compliance obligation fully. The checks are proportionate to the risk, the documentation is clean, and your file is defensible.
The problem arises when firms apply CDD uniformly, without a mechanism for identifying when a client or situation calls for something more rigorous.
What Is EDD and How Is It Different?
Enhanced Due Diligence (EDD) is not simply doing more checks. It is a distinct, documented escalation process reserved for clients and situations that present a higher risk of money laundering, fraud, or financial crime.
Where CDD establishes who the client is and what they plan to do, EDD asks a deeper set of questions.
- Where did their wealth come from?
- Who ultimately controls the funds moving through this engagement?
- Does their financial activity match their stated business profile?
- Are there any adverse media reports, sanctions hits, or jurisdictional red flags that require further investigation before the relationship continues?
The depth of EDD goes beyond standard verification. It includes Source of Funds (SOF) and Source of Wealth (SOW) documentation, independent verification through public registries and adverse media screening, senior partner sign-off before the relationship proceeds, and a more frequent monitoring schedule once the client is onboarded.
KYC vs EDD: The Core Differences
The confusion between KYC, CDD, and EDD often comes from how loosely these terms are used in training materials and compliance checklists. Here is how they actually relate to each other.
KYC is your program. It is the policy framework that exists at the firm level, setting out your obligations and procedures. CDD is what you do for most clients within that program. EDD is what you do when the risk profile of a client or transaction exceeds the threshold that standard CDD can adequately address.
The differences between CDD and EDD come down to four dimensions.
| Dimension | CDD | EDD |
|---|---|---|
| Scope | Identity and business relationship | Source of wealth, ultimate beneficial ownership, and purpose of funds at a transactional level |
| Depth | Standard identity verification documents | Independent third-party verification and adverse media investigation |
| Timing | Onboarding and scheduled periodic review cycles | Can be triggered at any point when risk indicators emerge |
| Documentation | Standard client compliance file | Full auditable decision trail including escalation rationale, findings, and senior sign-off |
A firm that has KYC and CDD policies but no defined EDD trigger criteria has a compliance gap. When a regulator asks why you did not escalate a particular client relationship, “our standard checks were completed” is not an adequate answer.
When US Accounting Firms Must Escalate to EDD
This is the section most compliance training materials skip. Knowing that EDD exists is not enough. Your firm needs a documented trigger framework that tells your team precisely when standard CDD is no longer sufficient.
Under FinCEN guidance, EDD is required when a client or transaction presents elevated risk indicators. These triggers are not edge cases reserved for banks and financial institutions. They show up in everyday accounting and tax advisory work, and your team needs to recognize them on sight.
EDD is required when any of the following are present:
Politically Exposed Persons (PEPs)
This includes foreign government officials, senior executives of international organizations, and their immediate family members and close associates. FinCEN has increasingly flagged domestic PEPs as well, meaning state-level officials and those in positions of significant public authority.
Complex or opaque ownership structures
If a client operates through multiple layers of LLCs, holding companies, or trusts where beneficial ownership is difficult to verify, CDD alone will not give you adequate visibility. EDD requires you to trace those ownership chains to the natural persons ultimately in control.
Geographic risk
Clients with beneficial owners, counterparties, or funds flowing through FATF high-risk or monitored jurisdictions trigger EDD obligations. Any OFAC sanctions hit or near-match elevates the file to EDD territory immediately.
Behavioral red flags
A client whose transaction patterns do not match their stated business profile is a firm trigger. A small retail business requesting help structuring multiple large cash transactions is showing a pattern that CDD is not designed to investigate. EDD is.
Adverse media
If a routine search or formal adverse media screen surfaces credible reporting linking a client to financial crime, corruption, or regulatory enforcement, that information must be assessed and documented. CDD does not require that step. EDD does.
The trigger framework matters as much as the checks themselves. If your firm cannot point to a written policy that defines when escalation is required, a regulator reviewing your files will treat that absence as a gap in your AML program, regardless of what checks were actually completed.
What EDD Looks Like Inside Your Firm: Meet James
James runs a small retail shop and wants help with his self-assessment. You send the engagement letter, he signs it, and KYC begins. That is where things get complicated.
The income figure James declares does not match what you would expect from a small retail business. You ask for Source of Funds documentation (where the specific money came from) and Source of Wealth documentation (how he built his overall financial position). He provides both, but the documents originate from a country on a sanctions list.
A mismatched income profile plus a sanctioned jurisdiction make this a formal EDD case. You run sanctions screening against his full details, verify his identity documents for authenticity, and conduct Cifas and National Hunter checks. You independently search corporate registries and beneficial ownership registers rather than relying on what James has told you.
The file goes up to senior management for review. They weigh the findings against the firm’s risk appetite, consider the explanations James has provided, and decide to proceed with the engagement. It is not a comfortable onboarding, but it is a defensible one.
That caution carries forward. James moves to quarterly reviews with lower transaction monitoring thresholds, so any unusual activity surfaces quickly rather than going unnoticed until the next scheduled review.
Conclusion
As technical as it sounds, the real distinction behind KYC vs EDD is simple.
KYC is your firm’s compliance rulebook. CDD is how you fulfill it for most clients. And EDD is what you do when a client’s risk profile demands more than standard checks can cover.
Think of it this way. KYC sets the rules. CDD works the room. EDD steps in when something feels off, and you need to look harder before you commit.
The James scenario is not an edge case. Clients with mismatched income profiles, foreign document trails, and sanctioned jurisdiction links walk through accounting firm doors more often than most practitioners expect. Knowing when to escalate, and having a documented process that backs that decision, is what separates a defensible compliance file from a regulatory liability.
Know the difference. Apply it consistently. Document everything.
Frequently Asked Questions (FAQs)
No. KYC is your firm’s overall compliance program and policy framework. CDD is the standard operational procedure used to fulfill KYC obligations for most clients. CDD sits inside the KYC program, not alongside it.
EDD applies when a client presents elevated risk indicators, including PEP status, beneficial owners in high-risk jurisdictions, complex ownership structures, adverse media findings, or transaction patterns inconsistent with their stated business purpose. It is not limited to financial institutions.
You risk missing critical red flags such as sanctions links, undisclosed beneficial owners, or suspicious fund trails that CDD is not designed to catch. You may also find yourself in a business relationship you were never permitted to enter in the first place.
There is no universal fixed interval, but quarterly reviews are a widely observed standard for high-risk relationships. The key requirement is that your firm’s policy sets a defined, shorter review cycle for EDD clients than for standard-risk clients, and that reviews are actually conducted and documented on that schedule.
Any firm subject to FinCEN’s AML program requirements, or that operates as a trust and company service provider under state-level obligations, needs a documented EDD policy. Even firms outside formal AML supervision benefit from having a defined escalation framework. It reduces liability, creates defensible audit trails, and signals to regulators and clients that compliance is taken seriously.