Do you know when to apply standard checks versus enhanced scrutiny for your clients? Could you confidently explain to HMRC why you chose one level of due diligence over another?
A single “No” to any of these questions could create serious problems and leave your firm exposed to money laundering risks, regulatory penalties, and even criminal prosecution in severe cases. But subject every client to enhanced checks, and you’re wasting resources, slowing onboarding, and frustrating legitimate customers with unnecessary bureaucracy.
This guide helps you understand what level of due diligence is required for each of your clients and gives you the practical knowledge to apply simplified, standard, and enhanced due diligence appropriately.
Sounds good! Let’s dive in.
KEY TAKEAWAYS
- Three distinct levels exist under MLR 2017: Simplified Due Diligence for low-risk clients, Customer Due Diligence as the standard baseline, and Enhanced Due Diligence for high-risk situations
- Standard customer due diligence is your default position unless specific conditions trigger simplified or enhanced measures
- You cannot simply decide a client is low-risk for simplified due diligence—they must meet specific criteria in MLR 2017 Regulation 37
- Seven situations require enhanced measures, whether you think the risk is manageable or not
- Inherent risk, assessed before your controls are applied, dictates the required level, not the residual risk left after your procedures
- You must record why you applied each level and what specific measures you took
- Choosing the wrong level typically also breaches risk assessment, policies and procedures, and training requirements
What is Customer Due Diligence (CDD)?
Customer Due Diligence represents the standard baseline of checks that UK accounting firms, bookkeepers, and tax advisers must conduct for most clients under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
CDD forms the foundation of your AML compliance framework. It ensures you:
- know who your client is,
- understand what they do, and
- can spot when their activity doesn’t match their profile
For regulated sectors like accountancy services, tax advice, and bookkeeping, CDD isn’t optional discretion but a legal requirement before establishing any business relationship.
The process involves four core elements.
- First, you identify your customer by obtaining their name, address, and date of birth
- Second, you verify this identity through reliable, independent sources such as passports, driving licences, or electronic verification services
- Third, you assess and understand the purpose and intended nature of the business relationship by understanding what services they need and why
- Fourth, you conduct ongoing monitoring throughout the relationship to ensure transactions remain consistent with what you know about the client
CDD applies to the vast majority of your clients. Unless they meet the specific low-risk criteria for simplified due diligence or trigger one of the seven high-risk factors requiring enhanced due diligence, standard CDD is what you must perform. This makes CDD your default position, the measures you apply when no special circumstances push you toward simpler or more rigorous checks.
What is Simplified Due Diligence (SDD)?
Simplified Due Diligence allows you to apply reduced measures for clients who present lower money laundering and terrorist financing risks. The emphasis here is on regulatory permission, not firm discretion. You cannot simply decide that a client seems low-risk and apply lighter checks. They must meet specific criteria set out in Regulation 37 of MLR 2017.
SDD recognises that certain customers, products, and transactions carry inherently lower risks due to their nature, transparency, or existing regulatory oversight. Rather than requiring firms to conduct full CDD on demonstrably low-risk relationships, the regulations permit streamlined verification and monitoring where appropriate.
The regulations specify particular categories of clients who meet the criteria:
- Credit or financial institutions authorised in the UK or EEA states qualify because they are already subject to rigorous AML supervision
- Companies whose securities are listed on regulated markets meet the requirements due to their transparency and disclosure obligations
- UK public authorities and certain pension schemes fall within scope, as do regulated persons supervised for compliance with the money laundering regulations
When simplified measures apply, you have flexibility in how you conduct due diligence. You may verify identity and ownership through fewer documents or sources. You might reduce the frequency or intensity of ongoing monitoring. You could delay verification until after establishing the relationship in specific low-risk circumstances.
The key principle is that you’re taking a lighter touch because the regulatory framework judges these situations as presenting minimal risk.
What is Enhanced Due Diligence (EDD)?
Enhanced Due Diligence represents the most rigorous level of client scrutiny, applied when higher money laundering or terrorist financing risks are present. Where CDD provides a baseline, and SDD offers a lighter touch for low-risk cases, EDD demands significantly deeper investigation into your client’s background, funding sources, and transaction purposes.
EDD isn’t about doing “a bit more” than standard checks. It’s a qualitatively different process requiring additional measures specifically designed to mitigate elevated risks. You must go beyond accepting information at face value to actively verify details from multiple independent sources, understand complex ownership structures, and scrutinise transaction patterns with heightened attention.
The distinction centres on depth and intensity. While standard due diligence might accept a bank statement showing available funds, enhanced measures require you to trace where those funds originated. Where CDD confirms a company’s registered address, EDD investigates the entire corporate structure, including ultimate beneficial owners across multiple jurisdictions. Standard monitoring reviews transactions periodically; enhanced monitoring examines them continuously with lower thresholds for investigation.
Two categories of EDD measures exist under MLR 2017:
- Flexible measures: these give you discretion to choose appropriate additional steps from a non-exhaustive list, such as seeking extra verification from independent sources, obtaining a deeper understanding of the client's background and ownership, or increasing monitoring frequency and intensity.
- Prescribed measures: mandatory requirements you must complete for specific high-risk scenarios, particularly clients in high-risk third countries and politically exposed persons.
The trigger for moving from standard to enhanced due diligence is initial risk, not residual risk. If a client meets one of the seven EDD triggers under Regulation 33, you must apply enhanced measures regardless of whether you believe your general procedures adequately manage the risk.
When to Apply CDD, SDD or EDD
Determining which level of due diligence to apply requires a systematic risk assessment before you establish the business relationship. You can start with the presumption of standard CDD for all clients. Move to simplified due diligence when the client meets specific criteria in Regulation 37 (UK or EEA regulated financial institution, company listed on a regulated market, UK public authority or another explicitly qualifying category).
Escalate to enhanced due diligence when any of the seven mandatory triggers apply, including clients in high-risk third countries, politically exposed persons, complex ownership structures, or unusually large transactions.
The decision to apply CDD, SDD or EDD follows clear regulatory triggers and risk indicators.
Most of your client relationships will fall into standard CDD territory, particularly straightforward accountancy services, bookkeeping for established businesses, or tax advice for individuals with transparent UK income sources. This remains your default position unless specific conditions push you toward simplified or enhanced measures.
For simplified due diligence, the client must meet the regulatory criteria, and you must have no suspicions of money laundering or terrorist financing. If they don’t meet the specific categories in Regulation 37, simplified due diligence is not available regardless of how low-risk the client appears.
For enhanced due diligence, the seven mandatory triggers are:
- The customer is established in a high-risk third country on the FATF lists
- The customer is a politically exposed person, family member, or known close associate of a PEP
- The situation involves risks you identified in your firm’s business-wide risk assessment
- Your sector guidance identifies the scenario as high-risk
- The customer provided false or stolen identification, but you’re continuing the relationship
- The transaction is complex, unusually large, follows unusual patterns, or has no apparent economic or legal purpose
- Any other situation that, by its nature, presents a higher money laundering or terrorist financing risk
The presence of even one trigger makes EDD mandatory. You cannot argue that your standard procedures adequately manage the risk. The regulations require enhanced measures based on initial risk factors, not your confidence in existing controls.
This risk-based approach demands documentation. You must record why you applied each level, what specific factors influenced your decision, and what measures you completed as a result. HMRC expects to see a clear audit trail showing that your risk assessment led logically to your chosen due diligence level.
Difference Between SDD, CDD & EDD
Understanding the distinctions between simplified, standard, and enhanced due diligence requires examining how they differ across multiple dimensions. This comparison shows when and how to apply each level effectively.
| Feature | Simplified Due Diligence (SDD) | Customer Due Diligence (CDD) | Enhanced Due Diligence (EDD) |
|---|---|---|---|
| Risk Level | Low risk with regulatory qualification | Standard risk profile | High risk with specific triggers |
| Application | Specific qualifying categories only (Reg 37) | Default for most clients | Seven mandatory trigger scenarios (Reg 33) |
| Identity Verification | Reduced documentation from fewer sources | Standard government ID and supporting documents | Multiple independent sources and cross-verification |
| Customer Information | Basic identification details | Name, address, DOB, business purpose | Comprehensive background, ownership structure, source of wealth and funds |
| Beneficial Ownership | May be reduced or delayed | Standard identification required | Detailed investigation across jurisdictions |
| Purpose Understanding | General nature of the relationship | Clear understanding of intended services | Deep investigation of the transaction purpose and economic rationale |
| Monitoring Frequency | Reduced intensity and frequency | Regular periodic reviews | Continuous detailed monitoring with lower investigation thresholds |
| Senior Management | Not required | Not required for standard cases | Approval is mandatory for high-risk countries and PEPs |
| Documentation | Lighter record keeping | Standard records of checks performed | Comprehensive records proving each enhanced measure |
| Examples | UK-regulated bank, listed plc, public authority, regulated pension scheme | Local sole trader, established UK company, individual tax client | Client in Iran, MP or family member, £500k cash transaction, complex offshore structure |
| When Unavailable | If any suspicion exists, if unusual circumstances arise | If the client qualifies for SDD or triggers EDD | Not applicable (EDD is the maximum level) |
The table demonstrates progression from reduced scrutiny through baseline measures to heightened investigation. Each level serves a distinct regulatory purpose within the risk-based framework.
Moving between levels isn’t unusual during client relationships. You might begin with standard CDD, then escalate to EDD when the client enters a transaction that triggers enhanced requirements. Conversely, a client who initially required EDD due to PEP status might no longer need enhanced monitoring after they leave public office and sufficient time has passed, though you must carefully document this decision.
The key is matching your approach to the actual risks present. Applying SDD to a high-risk client creates serious compliance gaps and exposure. Subjecting every client to EDD wastes resources and creates unnecessary friction. Getting the level right requires understanding these distinctions and applying them consistently across your practice.
Key Components: What Each Level Involves
Each due diligence level comprises specific measures designed to address the risks present in that category.
Standard Due Diligence (CDD) Requirements
Standard CDD forms your baseline compliance approach and includes four mandatory elements you must complete before establishing any business relationship: identity verification, risk assessment, understanding the business relationship purpose, and ongoing monitoring.
- Identity verification: obtain the customer's full name, residential address, and date of birth, then confirm this information through reliable, independent sources. For UK residents, this typically means examining a current passport or photocard driving licence, supplemented by a recent utility bill or bank statement confirming their address.
- Risk assessment: evaluate the money laundering and terrorist financing risks this specific client presents by considering their business activities, whether they operate in cash-intensive sectors, their geographic locations, the complexity of their ownership structure, and the services they're requesting. This assessment determines whether standard measures suffice or whether you need to escalate to enhanced procedures.
- Understanding the business relationship purpose: know what services the client needs and why they need them, including their business model, typical transaction volumes, and what they expect from your services. This context allows you to spot unusual activity later because you know what normal looks like for this client.
- Ongoing monitoring: ensure transactions are consistent with what you know about the client, their business, and their risk profile throughout the relationship. You must be alert to significant changes, unusual patterns, or activities that don't fit the client's profile, and investigate further when something doesn't look right.
Simplified Due Diligence (SDD) Measures
Simplified due diligence reduces the intensity of standard measures where clients meet specific low-risk qualifying criteria under Regulation 37. This includes flexibility in verification timing, reduced documentation requirements, and lighter ongoing monitoring.
- Verification timing: complete identity verification after establishing the relationship rather than before, provided the transaction risks are small and verification occurs as soon as reasonably practicable. This recognises that certain low-risk customers shouldn't face unnecessary delays for legitimate transactions.
- Reduced documentation: accept fewer identity documents or rely on the customer's existing verification by another regulated entity. If you're providing services to another UK accountancy firm, you might simply confirm its registration with its AML supervisor (HMRC or a professional body supervisor) rather than requesting passports and utility bills.
- Lighter monitoring: conduct less frequent reviews of the relationship, such as annually rather than quarterly, or only when significant changes occur. The lower risk profile means intensive scrutiny isn't necessary to detect potential money laundering activity.
- Critical exclusions: you cannot use SDD if you suspect money laundering or terrorist financing, regardless of whether the client technically qualifies. If unusual or suspicious circumstances arise during the relationship, you must immediately escalate to standard or enhanced measures.
SDD never means abandoning due diligence entirely. You must still identify the customer, understand the business relationship, and conduct sufficient monitoring to detect suspicious transactions.
Enhanced Due Diligence (EDD) Measures
Enhanced due diligence demands significantly deeper investigation designed to mitigate specific high-risk factors that standard procedures cannot adequately address. This includes additional information gathering, source of wealth and funds verification, senior management approval, transaction purpose investigation, and enhanced monitoring.
- Additional information gathering: investigate the customer's complete background beyond standard CDD. For individuals, this includes employment history, public profile, business interests, and connections to other entities or individuals. For companies, you must understand the full ownership structure, including beneficial owners across multiple layers and jurisdictions, verified through independent sources such as corporate registries, financial disclosures, or background checking services.
- Source of wealth and funds verification: establish how the client accumulated their total assets over time (source of wealth) and where the specific money for this transaction comes from (source of funds). You need both pieces of information and must verify them through documentation such as tax returns, audited accounts, sale agreements, or inheritance records. This is mandatory for high-risk third countries and PEPs.
- Senior management approval: obtain approval from someone with sufficient authority and risk understanding before establishing or continuing the business relationship. This is mandatory for high-risk third countries and PEPs. The approving manager must review the risk factors, understand the enhanced measures being applied, and make an informed decision rather than rubber-stamping every case.
- Transaction purpose investigation: understand not just what service the client needs but why they need it, why now, and why from your firm. Accepting vague explanations like "investment opportunity" or "privacy preference" doesn't meet EDD requirements. You must establish legitimate business or personal reasons.
- Enhanced monitoring: conduct continuous scrutiny with lower thresholds for investigation, examining transactions monthly or more frequently rather than quarterly. Unusual patterns that might not trigger investigation in standard CDD relationships require immediate inquiry under EDD, with intensity proportionate to the specific risks identified.
Common Mistakes When Applying Due Diligence Levels
HMRC inspections and enforcement actions reveal patterns of failure that accounting firms should actively avoid when determining and implementing due diligence levels.
- Applying SDD when CDD is required: some firms treat simplified due diligence as available whenever they judge a client to be low-risk, without checking whether the client actually meets the qualifying criteria in Regulation 37. A long-standing client who seems trustworthy doesn't automatically qualify for reduced measures unless they're a regulated financial institution, listed company, or other specified category. Your subjective assessment of low risk doesn't create regulatory permission to apply SDD.
- Missing EDD triggers: firms either don't understand the seven mandatory scenarios or fail to implement proper screening. One firm provided accountancy services to a client with beneficial owners in Iran without conducting enhanced measures because it thought "high-risk countries" meant active conflict zones. When clients self-declare that they're not politically exposed persons and this is not independently verified, actual PEPs slip through undetected.
- Treating all clients as high-risk: some firms react to regulatory pressure by applying enhanced measures to every client regardless of actual risk factors. This wastes significant resources on unnecessary checks, slows legitimate client onboarding, frustrates low-risk customers with intrusive questioning, and often means truly high-risk clients don't receive the focused attention they need. The risk-based approach demands proportionality in both directions.
- Not documenting risk assessment decisions: without contemporaneous written records, you cannot prove you conducted a proper risk assessment and chose the appropriate due diligence level. HMRC expects to see clear documentation showing what risk factors you identified, why you concluded SDD, CDD, or EDD was appropriate, and what specific measures you applied. Memory and verbal explanations don't satisfy regulatory requirements.
- Having procedures but not following them: one firm had written EDD procedures requiring nominated officer approval for third-party payments, but HMRC found multiple cases where only standard CDD was conducted and none of the documented procedures were followed. Staff either didn't understand the procedures, didn't recognise when they applied, or chose to ignore them for convenience.
Additional Resources
- Financial Action Task Force High-Risk Jurisdictions: “Black and grey” lists
Conclusion
The three-tier approach to due diligence reflects a fundamental regulatory principle: your compliance measures should be proportionate to actual risks. Getting this right protects your firm while allowing efficient service delivery.
Review your recent client intake against this guide. Identify whether you correctly applied SDD, CDD, or EDD in each case. Check your FATF lists are current and verify your procedures clearly specify when each level applies.
The difference between compliant firms and those facing penalties comes down to understanding these distinctions and implementing them consistently.
Frequently Asked Questions (FAQs)
What is the difference between SDD, CDD and EDD?
Simplified Due Diligence (SDD) applies reduced checks to low-risk clients who meet specific regulatory criteria. Customer Due Diligence (CDD) is the standard baseline for most clients. Enhanced Due Diligence (EDD) requires deeper investigation for high-risk situations like politically exposed persons or clients in high-risk countries.
What is Customer Due Diligence?
Customer Due Diligence (CDD) is the process of verifying client identity, assessing money laundering risks, and understanding the business relationship purpose. It forms part of the Know Your Customer (KYC) requirements and helps prevent financial crime while protecting your firm from regulatory penalties.
What do CDD and EDD stand for?
CDD stands for Customer Due Diligence, the standard level of client checks required under MLR 2017. EDD stands for Enhanced Due Diligence, a more rigorous investigation process applied when clients present higher money laundering or terrorist financing risks.
What is simplified due diligence?
Simplified due diligence is the lowest level of client checks, applied only when customers meet specific low-risk criteria in Regulation 37. It allows reduced verification requirements and lighter monitoring for clients like UK-regulated financial institutions or companies listed on regulated markets.
Are CDD and EDD part of KYC?
Yes, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) are core components of Know Your Customer (KYC) processes. They work alongside identity verification and ongoing monitoring to ensure you understand your clients and comply with anti-money laundering regulations.
What are AML red flags?
Red flags are warning signs that indicate potential money laundering or compliance risks, such as unusual transaction patterns, complex ownership structures with no clear purpose, clients providing false documents, or reluctance to provide source of funds information.