EDD documentation checklist for AML compliance teams

Financial institutions can expect regulators to zoom in on how they handle high-risk customers, unusual transactions and complex ownership structures, especially when controls have to stand up under examination.

According to Alessa, in that environment, a clear documentation trail is not “nice to have” paperwork — it is the evidence that Enhanced Due Diligence (EDD) was applied consistently, proportionately and in line with a risk-based approach.

EDD is the higher-intensity layer of customer due diligence used when standard checks are not enough. It tends to be triggered by factors such as politically exposed persons (PEPs), intricate corporate structures, high-value or high-volume flows, or links to higher-risk jurisdictions. In practice, EDD means gathering and analysing more detail than you would under routine Customer Due Diligence (CDD): verifying identity and beneficial ownership, understanding source of funds and wealth, capturing the purpose of the relationship, and setting expectations for ongoing monitoring.

Those expectations are reflected across global and national frameworks. Bodies such as the Financial Action Task Force (FATF), and domestic regimes including the US Financial Crimes Enforcement Network (FinCEN) and Canada’s FINTRAC, expect firms to demonstrate why EDD was required, what was done, and how decisions were reached — with records that can be retrieved quickly when challenged.

The first building block is the risk assessment and the rationale for escalation. Files should show which risk factors were identified, how the customer was scored or tiered, and why that result crossed your internal threshold for EDD. Regulators will look for a brief narrative that links the decision back to your policy and risk appetite, rather than a tick-box label of “high risk”.

Next comes identity verification and beneficial ownership. For individuals, retain the documents used and the steps taken to validate them. For entities, record incorporation and registration materials, shareholder information, and analysis of control structures — including how you addressed nominees, trusts, or offshore layers. Crucially, note the sources used and the dates checks were performed, keeping copies or screenshots where your governance permits.

Source of funds, source of wealth and the purpose of the relationship are often where good files become defensible files. Document what the customer said, what evidence they provided, and how you tested plausibility against expected activity. When something does not add up — for example, a stated business purpose that does not match transactional behaviour — record the follow-up, the outcome, and any restrictions or monitoring put in place.

Screening and background checks should be equally auditable. Keep sanctions and watchlist results with dates, search terms and outcomes. Where adverse media or PEP exposure exists, document the findings, any escalation (including senior management involvement where required), and what “enhanced” ongoing monitoring looks like in practical terms — frequency, triggers and ownership.

The conclusion should read like a decision record, not an afterthought. State whether the relationship was accepted, declined, or accepted with conditions, and list the mitigating controls applied — such as transaction limits, enhanced monitoring or periodic re-approval. The governance trail matters here: who approved, when they approved, and whether a committee or senior sign-off was required.

Finally, show the relationship did not end at onboarding. Maintain periodic review logs, note event-driven triggers (ownership changes, new adverse media, unusual activity), and record the investigation steps and outcomes. Store everything securely and retain it for the required period, ensuring the file is complete across the customer lifecycle and easy to produce on request.

Most EDD failures are not about intent — they are about gaps. Thin rationales, missing verification evidence, untested source-of-funds narratives, absent approval records, fragmented storage across systems, and no credible monitoring plan can all undermine an otherwise sound decision.

For teams modernising their approach, a practical roadmap usually starts with tightening policy and triggers, then standardising templates and checklists, training staff on how to write risk narratives, centralising case files, formalising approval workflows, scheduling periodic reviews, and running quality-control sampling to spot weak documentation before a regulator does.

When supervisors assess an AML programme — whether in routine exams or following a SAR — they will not only look for “good examples”. They will sample high-risk relationships to see whether your institution can prove it identified the risk, understood the customer, applied proportionate controls, and monitored appropriately over time. In that context, strong EDD documentation is both your operational discipline and your regulatory defence.

Copyright © 2026 RegTech Analyst
