The Difference Between KYC, CDD, and EDD

The terms KYC (Know Your Customer), CDD (Customer Due Diligence), and EDD (Enhanced Due Diligence) are often used as synonyms. They are not: they form a tiered hierarchy within financial crime compliance, and each term has a distinct scope and trigger.

KYC is the overall regulatory mandate or program that requires an institution to verify identity and understand the nature of its clientele. CDD is the standard set of procedures used to fulfill that mandate for average-risk customers. EDD is the intensified level of scrutiny that must be applied to clients flagged as high-risk (such as PEPs or shell companies) during the CDD assessment.

Understanding this progression is essential to an effective Risk-Based Approach (RBA): compliance resources should be proportional to the threat, with the deepest scrutiny reserved for the relationships that demand it.

What is KYC?

[Figure: Digital Know Your Customer process verifying customer identity and documents for AML compliance.]

Know Your Customer (KYC) is the mandatory regulatory framework, together with the internal policies that implement it, that forms the legal foundation of AML compliance for every regulated entity. Its purpose is to prevent financial institutions from being used to facilitate money laundering, terrorist financing, and other financial crime.

A KYC program obligates the organization to establish, and continuously maintain, a full understanding of each client. That understanding covers not only identity verification but also risk assessment and the intended nature and purpose of the business relationship. In practice, KYC requires the firm to build an auditable identity file for every customer, in line with international standards (such as those set by the FATF) and local law, so that it can demonstrate compliance and avoid penalties and reputational damage.

The goals of an effective KYC program go beyond documentation. The program protects the integrity of the institution by:

  • Establishing Foundational Identity: Identifying and verifying the customer's legal existence and all controlling parties (Beneficial Owners), so that fraud and operation under an alias are prevented.
  • Preventing System Abuse: Denying access to criminals, terrorists, and sanctioned entities, blocking the flow of illicit funds into the legitimate economy.
  • Assessing and Quantifying Risk: Assessing the inherent risk of the customer, product, and geography in order to apply the correct level of due diligence (Simplified Due Diligence (SDD), CDD, or EDD).
  • Setting the Activity Baseline: Documenting the customer's anticipated transactional behavior, source of wealth, and account purpose, which becomes the benchmark for future monitoring.
  • Ensuring Regulatory Compliance: Maintaining an auditable program aligned with international standards and local laws, protecting the firm against fines and reputational damage.

What is Customer Due Diligence?

[Figure: Flowchart showing Customer Due Diligence steps: identification, verification, and risk profiling.]

Customer Due Diligence (CDD) is the operational procedure that puts the KYC policy into action. It is the standard process for verifying identity and assessing risk for average-risk customers. Through CDD the institution collects, verifies, and documents the information needed to state with confidence who the customer is, who its Beneficial Owners are, and what its financial activity is expected to look like.

Successful CDD execution involves three core processes:

  • Identification and Data Collection: Gathering the required identifying data, corporate registration documents, and proofs of address from the customer and its key principals.
  • Verification and Screening: Using reliable, independent sources to authenticate the collected data, confirm that the identity is genuine, and screen all associated parties against sanctions lists and watchlists.
  • Understanding and Risk Profiling: Assessing the inherent risk factors (geographic, product, and so on) to assign a risk rating, and documenting the Source of Funds and the Activity Baseline against which future transactions will be benchmarked.

Key characteristics and application of Standard CDD:

  • Default Requirement for All New Clients: Standard CDD is the baseline applied to every new customer unless the customer clearly qualifies for the low-risk category (Simplified Due Diligence, SDD) or immediately triggers a high-risk flag (Enhanced Due Diligence, EDD).
  • Ongoing Review Frequency: Standard CDD is repeated at periodic reviews for standard-risk customers, typically on a multi-year cycle, to keep customer data and the risk profile current.
  • Material Changes Trigger: It is also re-applied whenever the relationship changes significantly, for example a large increase in expected transaction volume, a change in beneficial ownership, or the addition of a new product (such as international trade finance).
  • Focus on Baseline Establishment: Its main output is the Activity Baseline, the documented profile of the client's normal, expected financial behavior, which later transaction monitoring relies on.
  • Allocation of Resources: Applying Standard CDD to the majority of clients keeps compliance effort proportionate, reserving intensive work for the small segment of high-risk customers that requires EDD.

What is Enhanced Due Diligence?

[Figure: Enhanced Due Diligence process examining high-risk customers such as PEPs and shell companies.]

Enhanced Due Diligence (EDD) is the most rigorous level of due diligence. It is reserved for customers identified as high-risk during the CDD stage and requires deeper investigation to mitigate the identified threats and bring residual risk down to an acceptable level.

EDD is mandatory for clients with specific high-risk triggers, such as:

  • Politically Exposed Persons (PEPs): Customers who hold prominent public functions, together with their family members and close associates.
  • High-Risk Geographies: Relationships, transactions, or business operations linked to jurisdictions under international sanctions or listed by the FATF as high-risk.
  • Opaque Legal Entities: Clients structured as complex trusts, shell companies, or holding companies whose Beneficial Ownership is unclear or difficult to verify.
  • High-Risk Product Usage: Private banking and high-value correspondent banking relationships.
  • Adverse Media and Enforcement: Customers who have been the subject of credible negative reporting about financial crime, corruption, or regulatory enforcement action.

The key Enhanced Actions for EDD cases include:

  1. Verification of Source of Wealth (SOW): Beyond verifying the immediate Source of Funds (SOF) for a transaction, EDD requires verifying the origin of the client's overall wealth (for example, a documented business sale, long-term employment, or inheritance).
  2. Collection of Additional Independent Data: Obtaining more independent verification documents than the standard requirement, often drawing on publicly available information, corporate registries, or independent third-party reports.
  3. Senior Management or Board Approval: Requiring that onboarding or continuation of the high-risk relationship be explicitly approved by an independent senior compliance officer, senior management, or the board, so that accountability sits at the highest level.
  4. Intensified Continuous Monitoring: Increasing the frequency and depth of transaction monitoring, often moving to daily or weekly reviews instead of monthly or quarterly checks, and lowering the monetary thresholds that trigger an alert.
  5. Face-to-Face Interaction: Where feasible and necessary, meeting the Beneficial Owner or senior management of the entity in person to build a deeper understanding of the relationship.

The Hierarchy between KYC, CDD & EDD

[Figure: Diagram showing the hierarchy and relationship between KYC, CDD, and EDD in AML compliance.]

The simplest way to grasp the relationship between the three concepts is the umbrella analogy:

  • KYC is the umbrella: the regulatory mandate and strategic policy that governs all customer verification and monitoring.
  • CDD is the standard checkpoint beneath the umbrella, applied to every customer to verify identity and assess standard risk.
  • EDD is the vault within the system, reserved for high-risk clients who require intensified scrutiny, including Source of Wealth verification and senior-level approval.

Together, they form a hierarchical, risk-based defense system ensuring that the depth of scrutiny aligns with the level of threat.

Alignment with the Risk-Based Approach (RBA)

KYC, CDD, and EDD work only when guided by the Risk-Based Approach (RBA), the principle that compliance controls must be proportional to risk exposure.

Under the RBA:

  • KYC establishes the obligation to assess risk.
  • SDD applies to low-risk customers and CDD to standard-risk customers.
  • EDD is reserved for customers whose risk rating exceeds the firm's acceptable threshold.

The RBA is the filter that keeps the intensity of due diligence in line with the firm's risk appetite and tolerance.

Impact of Misunderstanding the Three Notions

[Figure: Illustration showing compliance risks caused by misunderstanding KYC, CDD, and EDD differences.]

Treating KYC, CDD, and EDD as the same thing has serious operational and legal consequences:

  • Regulatory Non-Compliance: Subjecting a high-risk client (such as a PEP) to Standard CDD only is a clear breach of the RBA, because the scrutiny applied does not match the inherent threat; regulators treat this as a control failure and it can attract substantial fines.
  • Inefficient Resource Allocation: Over-applying EDD to low-risk clients is costly and slow, while under-applying it to high-risk clients exposes the firm to financial crime. The RBA only works when the definitions are applied correctly.
  • Poor Risk Profiling: Without a clear distinction, the firm has no auditable separation between its high- and low-risk customers, which defeats the purpose of risk classification.
  • Operational Confusion: Staff cannot process exceptions or escalate cases correctly if internal policy treats CDD and EDD as interchangeable, so controls are applied inconsistently across the organization.
  • Increased Financial Crime Exposure: Skipping Source of Wealth (SOW) verification or senior approval on high-risk relationships, the core of EDD, leaves the institution open to exploitation for money laundering and terrorist financing.

In summary, a robust AML defense depends on distinguishing the three concepts correctly: KYC is the overarching regulatory mandate; CDD is the standard procedure applied to the majority of customers; and EDD is the mandatory, intensified scrutiny reserved for the highest-risk relationships. Collapsing this hierarchy violates the Risk-Based Approach, misallocates resources, and creates regulatory exposure, because the intensity of controls no longer matches the threat.
