
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): A Practical Guide

Tookitaki
18 May 2026
6 min read

Most CDD failures that auditors find are not in the trigger decision. Compliance teams generally know when to apply enhanced due diligence. The problem is what happens next: the review gets done, the account stays open, and three years later an examiner opens the file and finds a risk assessment with no source-of-wealth narrative, a senior management approval that amounts to a single line in an email chain, and no evidence that monitoring was ever adjusted upward.

A poorly documented EDD review is treated by supervisors the same as no EDD at all. That is the uncomfortable reality driving examination findings across MAS, BNM, BSP, and AUSTRAC-regulated institutions right now.

This guide is not a glossary. It is a working reference for compliance professionals at banks, fintechs, and payment institutions across APAC who need to understand what CDD and EDD require, how the three tiers operate under each major regulator, and what examiners actually look at when they review a customer file.


What Is Customer Due Diligence (CDD)?

Under the FATF Recommendations, customer due diligence is the process of identifying and verifying a customer's identity, understanding the purpose and nature of the business relationship, and conducting ongoing monitoring of that relationship and the transactions flowing through it.

CDD is the core of the KYC process. It sits at the foundation of every AML/CFT programme and applies from the moment a customer relationship is established.

FATF Recommendation 10 sets out the four core CDD measures (Recommendation 11 adds the record-keeping obligation and Recommendation 12 the additional measures for politically exposed persons):

  1. Customer identification and verification — collect identifying information and verify it against reliable, independent source documents
  2. Beneficial ownership identification and verification — identify the natural persons who ultimately own or control a legal entity, and verify their identities
  3. Understanding the purpose and intended nature of the business relationship — establish why the customer wants an account, what they intend to do with it, and what transaction volumes to expect
  4. Ongoing monitoring — continuously review the customer relationship, monitor transactions against the customer's profile, and keep CDD records current

The fourth element is where most programmes are weakest. Institutions invest heavily in onboarding controls and then treat the relationship as static. Customers' risk profiles change. Beneficial ownership structures change. Transaction behaviour changes. A customer who was low-risk at onboarding may not remain low-risk at year three — and the programme has to be capable of detecting and responding to that shift.

Three Tiers of CDD: Simplified, Standard, and Enhanced

Simplified Due Diligence (SDD)

Simplified CDD applies where the risk of money laundering or terrorism financing is demonstrably low. FATF allows reduced identification requirements and less frequent monitoring — but it does not eliminate CDD obligations entirely.

Across APAC, SDD is generally permissible for:

  • Government entities and state-owned enterprises
  • Companies listed on recognised stock exchanges in low-risk jurisdictions
  • Certain low-value financial products, such as basic deposit accounts below a specified threshold

The key word is demonstrably. SDD is a documented, risk-based decision. Using it as a default to reduce onboarding friction — without a written risk rationale — is a compliance failure, not an efficiency gain. Examiners will ask for the rationale and they will expect to find it in the file.

Standard CDD

Standard CDD is the default tier. It applies to all customers who do not qualify for SDD and do not trigger EDD.

For individual customers, standard CDD requires:

  • Government-issued photo identification
  • Proof of address — or an equivalent verification method where physical documents are not available (see the guide to eKYC as a CDD method under BNM's guidelines)
  • A record of the purpose and expected nature of the account

For legal entity customers, standard CDD requires:

  • Certificate of incorporation
  • Memorandum and articles of association
  • Register of directors
  • Beneficial ownership identification — who owns 25% or more of the entity, or who exercises effective control
  • Business description and expected transaction patterns

The purpose-of-account requirement is often under-documented. "General business transactions" is not sufficient. The record should capture the customer's stated business activity, the expected transaction types, the anticipated value range, and the source of the initial deposit for corporate accounts.

Enhanced Due Diligence (EDD)

EDD is not optional when it is triggered. It applies to customers with higher-risk characteristics and requires:

  • Source of funds verification — where did the money come from for this specific transaction or deposit?
  • Source of wealth verification — how did the customer accumulate their overall wealth?
  • Senior management or board approval before establishing or continuing the relationship
  • Enhanced ongoing monitoring — higher alert sensitivity and more frequent periodic reviews

FATF Recommendation 12 specifies EDD for politically exposed persons. Individual APAC regulators have extended these requirements to cover additional high-risk categories (see the comparative table below).

EDD is a process of investigation, not a checklist. Collecting a salary slip and noting "source of funds: employment income" does not constitute adequate source-of-wealth documentation for a PEP with an account balance of SGD 4 million. The quality of the investigation is what an examiner assesses.


EDD Triggers — When Standard CDD Is Not Enough

The following characteristics trigger EDD requirements across APAC jurisdictions:

PEP status. Any customer identified as a politically exposed person — or a known close relative or close associate of a PEP — triggers mandatory EDD. See our PEP screening guide for the full classification framework, including how "close associate" is defined across different regimes.

High-risk jurisdiction. Customers resident in, or transacting with, jurisdictions on the FATF grey list (jurisdictions under increased monitoring) or black list (high-risk jurisdictions subject to a call for action) trigger EDD. At the time of writing the call-for-action list comprises Iran, North Korea, and Myanmar; the increased-monitoring list is revised at each FATF plenary, so the jurisdiction list used for screening has to be refreshed on that cycle. APAC regulators may apply additional country designations based on their own risk assessments.

Complex ownership structure. Beneficial ownership held through multiple layers of legal entities, trusts, or nominee arrangements — particularly in offshore jurisdictions — triggers EDD. The structural complexity itself is a risk indicator, not just the underlying beneficial owner's profile.

High-value transaction inconsistent with profile. A transaction materially inconsistent with the customer's stated purpose, income level, or established transaction history triggers a review. Whether that review rises to EDD depends on what the initial investigation reveals.

Monitoring alerts that cannot be resolved at standard investigation. An alert that the transaction monitoring team cannot close through normal investigation escalates to EDD review. The two processes are connected: transaction monitoring is the mechanism by which ongoing CDD obligations are operationalised. When a customer's transaction behaviour diverges from their risk profile, the CDD record must be updated.

Correspondent banking. Under FATF Recommendation 13, correspondent banking relationships always require EDD. Before establishing a correspondent relationship, the respondent institution's AML/CFT programme must be assessed, the nature of the relationship must be documented, and senior management approval must be obtained.

APAC Regulatory Requirements — Comparative Overview

The following table summarises how the major APAC regulators implement the FATF CDD framework. The instruments and specific requirements differ, but the underlying obligations are consistent.

[Table image not reproduced: comparative overview of CDD/EDD requirements under MAS, BNM, BSP, and AUSTRAC]

MAS Notice 626 is the most prescriptive of these instruments on the question of PEP approval — it requires that a senior officer approves the establishment or continuation of a PEP relationship, not just that the relationship is flagged. BSP's Circular 706 requires approval at board or senior management level for all high-risk customers, which is broader than the PEP-specific requirement in some other jurisdictions.

Beneficial Ownership — The Hardest Part of CDD in Practice

FATF Recommendation 10 requires identifying the ultimate beneficial owner (UBO) — the natural person or persons who ultimately own or control a legal entity. The standard FATF threshold is 25% ownership or effective control.

APAC regulators apply variations: BNM and MAS both use 25%. BSP applies 20% for certain entity types. Effective control — the ability to direct the decisions of a legal entity regardless of ownership percentage — applies across all jurisdictions regardless of the threshold.

UBO verification is the most common CDD gap in APAC examination findings. The reasons are practical: complex layered ownership structures, nominee shareholding arrangements, and trusts without publicly accessible beneficiary registers make verification genuinely difficult.

The practical approach is to collect the full ownership chain — every layer, every entity, until you reach the natural person at the top. If a structure is genuinely opaque after reasonable investigation, that opacity is itself a risk indicator requiring EDD, not a reason to proceed with the account on the basis of what the customer has disclosed. An examiner will ask whether the institution made reasonable efforts to verify, and what happened when verification was incomplete.
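As an added illustration, not part of the original page or of Tookitaki's FinCense product, the following Python walks a layered ownership structure the way the paragraph above describes: it multiplies fractions down each layer to the natural persons at the top, aggregates each person's indirect holding, adds anyone recorded as exercising effective control regardless of percentage, and treats any layer that cannot be resolved (a nominee that will not disclose its principal, a register that does not add up to 100%, a circular cross-holding) as an unresolved share that forces EDD rather than silently dropping it. The company names, people, and percentages are constructed sample data; the 25% threshold is the FATF figure quoted above and can be lowered to the 20% BSP applies to some entity types.

```python
"""Resolve ultimate beneficial owners through a layered ownership structure.

Added example, not Tookitaki's code. All entities, names and percentages
below are constructed sample data.
"""
from dataclasses import dataclass, field

FATF_THRESHOLD = 0.25  # threshold cited on the page; BSP applies 0.20 for some entity types
EPS = 1e-9             # tolerance for floating-point share arithmetic


@dataclass
class Entity:
    name: str
    kind: str                                        # "person", "company", "trust" or "nominee"
    holders: list = field(default_factory=list)      # [(holder_name, fraction_of_this_entity)]
    controllers: list = field(default_factory=list)  # persons with effective control, any %


def resolve_ubos(structure, root, threshold=FATF_THRESHOLD):
    """Walk every layer from `root` until a natural person is reached.

    Returns aggregated indirect ownership per person, the UBO set (ownership
    at or above `threshold`, or effective control), the shares that could not
    be traced to a natural person, and whether those gaps force EDD.
    """
    ownership = {}       # person -> aggregate fraction of `root` held indirectly
    controllers = set()  # persons recorded as exercising effective control
    unresolved = []      # (path, fraction of root) where the chain stops short of a person
    opaque_layers = []   # trusts and nominee vehicles encountered on the way down

    def walk(name, share, path):
        trail = " > ".join(path + [name])
        if name in path:                     # cross-holding loop: A owns B owns A
            unresolved.append((trail + " [circular]", share))
            return
        ent = structure.get(name)
        if ent is None:                      # holder named but never documented
            unresolved.append((trail + " [undocumented holder]", share))
            return
        if ent.kind == "person":
            ownership[name] = ownership.get(name, 0.0) + share
            return
        if ent.kind in ("trust", "nominee"):
            opaque_layers.append(name)
        controllers.update(ent.controllers)  # control of any layer is control of the root
        if not ent.holders:                  # e.g. a nominee refusing to name its principal
            unresolved.append((trail + " [no holders disclosed]", share))
            return
        declared = sum(frac for _, frac in ent.holders)
        if declared < 1.0 - EPS:             # part of the register is missing
            unresolved.append((trail + " [undisclosed remainder]", share * (1.0 - declared)))
        for holder, frac in ent.holders:
            walk(holder, share * frac, path + [name])

    walk(root, 1.0, [])
    ubos = {p for p, s in ownership.items() if s >= threshold - EPS} | controllers
    return {
        "ownership": ownership,
        "ubos": sorted(ubos),
        "unresolved": unresolved,
        "opaque_layers": opaque_layers,
        # opacity after reasonable investigation is itself an EDD trigger
        "edd_required": bool(unresolved) or bool(opaque_layers),
    }


# Constructed sample structure: a trading company held through two holding
# companies, one of which is partly owned by a nominee that will not disclose
# its principal. Dave holds no shares but can direct the board.
SAMPLE = {
    "ACME Trading Pte Ltd": Entity("ACME Trading Pte Ltd", "company",
                                   holders=[("Holdco A Ltd", 0.60), ("Holdco B Ltd", 0.40)],
                                   controllers=["Dave"]),
    "Holdco A Ltd": Entity("Holdco A Ltd", "company",
                           holders=[("Alice", 0.50), ("Bob", 0.50)]),
    "Holdco B Ltd": Entity("Holdco B Ltd", "company",
                           holders=[("Carol", 0.30), ("Offshore Nominee Ltd", 0.70)]),
    "Offshore Nominee Ltd": Entity("Offshore Nominee Ltd", "nominee"),
    "Alice": Entity("Alice", "person"),
    "Bob": Entity("Bob", "person"),
    "Carol": Entity("Carol", "person"),
    "Dave": Entity("Dave", "person"),
}


if __name__ == "__main__":
    result = resolve_ubos(SAMPLE, "ACME Trading Pte Ltd")
    for person, share in sorted(result["ownership"].items()):
        print(f"{person:<8} {share:6.1%}")
    print("UBOs:", ", ".join(result["ubos"]))
    for trail, share in result["unresolved"]:
        print(f"unresolved {share:6.1%} via {trail}")
    print("EDD required:", result["edd_required"])
```

Run stand-alone it reports Alice and Bob at 30% each, Carol at 12%, Dave as a controller, and 28% of the company traced only as far as the nominee, which is exactly the gap an examiner will ask about. Trusts are flagged as opaque layers even when their beneficiaries are listed, because the beneficiary register is the part that usually cannot be independently verified; a file that records the unresolved path and share, rather than just the names the customer volunteered, is what "reasonable efforts" looks like on paper.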

Ongoing CDD — What "Continuous" Means in Practice

FATF's requirement for ongoing monitoring is not satisfied by periodic review alone. It has two components: scheduled reviews and event-based triggers.

Periodic reviews vary by risk tier. Most APAC regulators expect high-risk customers to be reviewed at least annually. Standard-risk customers are typically reviewed every two to three years, though the specific interval should be documented in the institution's risk appetite and CDD policy.

Event-based triggers require a review regardless of the scheduled cycle. These include:

  • A transaction monitoring alert linked to the customer
  • Adverse media coverage naming the customer
  • A change in the customer's beneficial ownership
  • A material change in transaction patterns
  • A change in the customer's business activity or geographic footprint

Re-KYC is required when a periodic review or event trigger shows that existing CDD documentation is insufficient, outdated, or no longer accurate. The institution must re-verify the customer's identity and update the CDD record.

Every review must be documented. An examiner looking at a three-year-old account should be able to open the file, find the review dates, see what was assessed at each review, and understand what was found. A review that happened but was not recorded is indistinguishable from a review that did not happen.

What Examiners Actually Check

Documentation requirements differ by customer type, but the principle is the same across all of them: the file must tell a coherent story about who the customer is, what they do, and why the institution assessed them at the risk tier they sit in.

Individual customer files should contain:

  • The original ID document reference or eKYC session record, including the verification method and date
  • Address verification
  • A purpose-of-account statement, not a generic field entry
  • Any review dates and what the review assessed

Corporate customer files should contain:

  • A complete corporate structure chart reaching the UBO
  • UBO identification with the verification source documented
  • Business purpose documentation that goes beyond the registered company description
  • Expected transaction volume and product usage at account opening

EDD customer files should contain:

  • Source of funds evidence — bank statement, salary slip, property sale contract, or equivalent
  • Source of wealth narrative — not just an assertion that wealth came from "business activities," but a documented account of how
  • The senior management or board approval record, with the date and the approver named
  • Confirmation that enhanced monitoring has been configured and is active

The audit trail requirement covers every step: each CDD review, each document update, each approval decision. Everything should be timestamped and linked to the customer record. When examiners trace an alert back to the customer file, they expect to find a complete picture of the relationship, not a collection of disconnected documents.

How Technology Supports CDD

A modern CDD and KYC platform automates document collection, verification — including remote eKYC — UBO mapping, risk scoring, and the ongoing monitoring review cycle. The automation does not reduce the compliance obligation; it reduces the operational cost of meeting it and produces the audit trail that manual processes frequently fail to generate.

The critical integration point is between CDD and transaction monitoring. When a customer's monitoring profile changes — new alert patterns, unusual activity, a shift in counterparty geography — that signal should trigger a CDD review. In institutions where these systems operate independently, the connection rarely happens in a timely or documented way. For a full framework covering how to evaluate software that handles both CDD and transaction monitoring together, see our Transaction Monitoring Software Buyer's Guide.

Book a demo to see how FinCense manages CDD, customer risk scoring, and ongoing monitoring in a single integrated platform — with a full audit trail that meets examiner expectations across MAS, BNM, BSP, and AUSTRAC-regulated environments.
