Customer Due Diligence (CDD) is the standard due diligence applied to every customer at onboarding. Enhanced Due Diligence (EDD) is the deeper investigation applied to high-risk customers, including source-of-funds verification, ongoing monitoring, and PEP and sanctions screening.
The distinction is not optional. FATF Recommendation 10 makes CDD a baseline obligation for every regulated entity and requires enhanced measures wherever the assessed risk is higher; FATF Recommendation 12 makes EDD mandatory for politically exposed persons, and Recommendation 19 for customers connected to higher-risk countries. In India, the PMLA, 2002 and the RBI Master Direction on KYC (re-issued on November 28, 2025) codify both CDD and EDD as inspection-grade controls. Apply EDD too late and a regulator notices; apply it too early and onboarding stalls.
| Quick comparison | CDD | EDD |
|---|---|---|
| Applies to | Every customer | High-risk customers only |
| Trigger | Onboarding | Risk flag (PEP, jurisdiction, transaction pattern) |
| Source of funds | Self-declared | Verified against documentary evidence |
| Monitoring | Periodic | Continuous |
This article walks through what CDD and EDD actually require under FATF and Indian regulations, when each applies, how to automate them on Indian rails (Aadhaar, CKYCR, DigiLocker), and where automation stops and human judgment takes over. Start with enhanced due diligence (EDD) if you want the EDD-specific deep-dive first.
What is Customer Due Diligence (CDD)?
CDD is the baseline KYC and AML control applied to every customer at onboarding and refreshed periodically through the customer lifecycle. FATF Recommendation 10 codifies it as a global standard.
FATF Recommendation 10: what it requires
FATF Rec 10 requires regulated entities to perform CDD when:
- Establishing business relations with a new customer
- Carrying out occasional transactions above defined thresholds
- There is a suspicion of money laundering or terrorist financing
- The entity has doubts about the veracity of previously obtained customer data
Under Rec 10, CDD has four components: identifying and verifying the customer, identifying and verifying the beneficial owner, understanding the purpose and intended nature of the business relationship, and ongoing due diligence on the relationship and its transactions. The sections below add the risk assessment and record-keeping obligations that sit alongside these in the RBI MD.
Identification and verification
The customer’s name, address, date of birth, and identification documents must be obtained and verified through reliable, independent sources. In India, this typically means an Officially Valid Document (Aadhaar, passport, voter ID, driving licence, NREGA job card) plus PAN (or Form 60 where the customer does not hold a PAN). See customer due diligence (CDD) for the operational view.
Risk assessment
Each customer is assigned a risk category at onboarding (low, medium, high) based on jurisdiction, occupation, transaction pattern, and beneficial ownership structure. The risk category determines which downstream controls apply, including whether the customer is escalated from CDD to EDD. See AML risk assessment for the assessment methodology.
Ongoing monitoring
Customer transactions and profile data must be monitored continuously, with deviations from expected behavior flagged for review. This is where AML transaction monitoring systems sit in the workflow.
Record-keeping and regulatory reporting
All CDD records must be retained for the regulator-mandated period. In India, PMLA Section 12 requires five years: transaction records for five years from the date of the transaction, and identity records for five years after the business relationship ends, in line with the five-year post-relationship norm in most other jurisdictions. Suspicious transactions must be reported to the relevant FIU within the required timelines. See what is AML policy for the broader policy framework.
What is Enhanced Due Diligence (EDD)?
EDD is the deeper investigation applied when CDD surfaces a higher-risk customer or transaction. FATF Recommendation 12 mandates it for politically exposed persons (PEPs); Recommendation 10 requires enhanced measures for any higher-risk relationship, and national regulators define which segments count as higher risk.
FATF Recommendation 12: PEPs and high-risk customers
FATF Rec 12 requires regulated entities to:
- Identify whether a customer or beneficial owner is a PEP
- Obtain senior management approval before establishing or continuing the relationship
- Take reasonable measures to establish the source of wealth and source of funds
- Conduct enhanced ongoing monitoring of the relationship
Domestic PEPs, foreign PEPs, and family members and close associates of PEPs are all in scope.
When EDD is required: the triggers
Six recurring triggers escalate a customer from CDD to EDD:
- Politically exposed persons (PEPs) and their immediate family or close associates
- High-risk jurisdictions as defined by FATF (grey-list, black-list) or by national regulators
- Complex or unusual transactions without an apparent economic purpose
- Adverse media linking the customer to financial crime, fraud, or sanctions
- Suspicious activity patterns flagged by transaction monitoring (structuring, layering, rapid pass-through)
- High-net-worth individuals (HNWIs) in some risk frameworks, depending on jurisdiction and product
Read PEP screening for the screening process, AML red flags for the broader trigger taxonomy, and AML typologies for the recurring laundering patterns.
How to perform EDD
EDD adds five layers on top of CDD:
- Beneficial ownership identification beyond standard CDD, often requiring corporate documents, trust deeds, and chain-of-ownership tracing
- Source-of-funds and source-of-wealth verification against documentary evidence (bank statements, salary records, business income, asset documentation), not customer self-declaration
- Sanctions and PEP screening against multiple lists (OFAC, UN, EU, HMT, MAS, plus India’s MEA designated lists), refreshed continuously
- Adverse media screening across global news, regulatory enforcement databases, and court records
- Enhanced ongoing monitoring with lower transaction-pattern thresholds and faster escalation than standard CDD
Real-world EDD scenarios
The patterns that almost always trigger EDD in Indian banking workflows:
- A non-resident customer applying for a high-value loan, with funds sourced from a jurisdiction on the FATF grey-list
- A corporate onboarding where the beneficial ownership chain involves three or more layers of holding companies
- A retail customer whose transaction pattern shifts from monthly salary credits to high-value cross-border remittances within 90 days
- A customer flagged in adverse media for an unrelated fraud allegation, even where unproven
- A PEP’s spouse opening an investment account in their own name
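The three transaction-pattern triggers on this page (structuring and rapid pass-through from the trigger list above, and the salary-to-remittance shift from the scenarios) as detection logic run over a constructed transaction log. This is an added example written for this article, not code from the original page or from any monitoring product; the INR 10 lakh threshold, the 7-day, 48-hour and 90-day windows, and the 2x salary multiple are assumptions chosen for illustration, and a real deployment takes them from the regulated entity's documented monitoring policy.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for the example (INR 10 lakh stands in for the cash reporting
# threshold); a real deployment takes them from the RE's documented monitoring policy.
CTR_THRESHOLD = 1_000_000
NEAR_RATIO = 0.9                        # >= 90% of the threshold counts as "just under"
STRUCT_WINDOW = timedelta(days=7)
PASS_THROUGH_WINDOW = timedelta(hours=48)
PASS_THROUGH_RATIO = 0.9
SHIFT_WINDOW = timedelta(days=90)
SHIFT_MULTIPLE = 2.0                    # remittance >= 2x the average salary credit


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float   # positive = credit to the account, negative = debit
    kind: str       # "cash", "salary", "transfer" or "xborder"


def _by_account(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t.account].append(t)
    for items in groups.values():
        items.sort(key=lambda t: t.ts)
    return groups


def detect_structuring(txns):
    """>= 3 cash deposits, each just under the threshold, whose sum crosses it in one window."""
    alerts = set()
    for acct, items in _by_account(txns).items():
        deps = [t for t in items
                if t.kind == "cash" and NEAR_RATIO * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD]
        for i, first in enumerate(deps):
            window = [d for d in deps[i:] if d.ts - first.ts <= STRUCT_WINDOW]
            if len(window) >= 3 and sum(d.amount for d in window) >= CTR_THRESHOLD:
                alerts.add(acct)
                break
    return alerts


def detect_pass_through(txns):
    """A credit that leaves the account again (>= ratio of its value) inside the window."""
    alerts = set()
    for acct, items in _by_account(txns).items():
        for i, credit in enumerate(items):
            if credit.amount <= 0:
                continue
            out = sum(-d.amount for d in items[i + 1:]
                      if d.amount < 0 and d.ts - credit.ts <= PASS_THROUGH_WINDOW)
            if out >= PASS_THROUGH_RATIO * credit.amount:
                alerts.add(acct)
                break
    return alerts


def detect_profile_shift(txns):
    """Salary-only accounts that start sending high-value cross-border remittances
    within the window after their last salary credit."""
    alerts = set()
    for acct, items in _by_account(txns).items():
        credits = [t for t in items if t.amount > 0]
        if not credits or any(t.kind != "salary" for t in credits):
            continue
        avg_salary = sum(t.amount for t in credits) / len(credits)
        last_salary = max(t.ts for t in credits)
        if any(t.kind == "xborder" and t.amount < 0
               and timedelta(0) <= t.ts - last_salary <= SHIFT_WINDOW
               and -t.amount >= SHIFT_MULTIPLE * avg_salary for t in items):
            alerts.add(acct)
    return alerts


def run_all(txns):
    return {"structuring": detect_structuring(txns),
            "pass_through": detect_pass_through(txns),
            "profile_shift": detect_profile_shift(txns)}


def sample_log():
    """Constructed transaction log for the example; not real customer data."""
    d = datetime.fromisoformat
    return [
        Txn("A", d("2025-01-02T10:00:00"), 950_000, "cash"),        # A: structuring
        Txn("A", d("2025-01-04T10:00:00"), 920_000, "cash"),
        Txn("A", d("2025-01-06T10:00:00"), 900_000, "cash"),
        Txn("B", d("2025-02-01T09:00:00"), 2_000_000, "transfer"),  # B: pass-through
        Txn("B", d("2025-02-01T15:00:00"), -1_900_000, "transfer"),
        Txn("C", d("2024-11-30T00:00:00"), 80_000, "salary"),       # C: profile shift
        Txn("C", d("2024-12-31T00:00:00"), 80_000, "salary"),
        Txn("C", d("2025-01-31T00:00:00"), 80_000, "salary"),
        Txn("C", d("2025-03-15T00:00:00"), -600_000, "xborder"),
        Txn("D", d("2025-01-31T00:00:00"), 70_000, "salary"),       # D: benign control
        Txn("D", d("2025-02-03T00:00:00"), -20_000, "transfer"),
    ]


if __name__ == "__main__":
    for name, accounts in run_all(sample_log()).items():
        print(f"{name}: {sorted(accounts) or 'none'}")
```

Each detector returns the set of accounts it would raise rather than individual transactions, so its output can be handed straight to the EDD escalation path and the reviewer sees the whole pattern (three deposits, a credit and its exit, a changed profile) instead of one event in isolation. Account D is the negative control: a salaried customer with ordinary domestic spend must not be pushed into EDD, which is the false-positive cost discussed later on this page.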
Simplified Due Diligence (SDD): the third tier
Most due-diligence discussions stop at CDD vs EDD. There is a third tier: Simplified Due Diligence (SDD), applied to genuinely low-risk segments where full CDD would be disproportionate.
When SDD is allowed
National regulators define SDD-eligible segments differently. Common categories across jurisdictions:
- Public-sector entities and government bodies
- Other regulated financial institutions (where the institution itself is subject to supervised KYC)
- Listed companies on recognized exchanges, where ownership is already public
- Low-value, low-risk products (small-balance prepaid wallets, basic savings accounts)
India’s regulatory framework permits abbreviated KYC for some PPI categories and certain low-risk customer segments, with the November 2025 KYC MD tightening the eligibility criteria. SDD is not a license to skip controls; it is a lower-friction baseline for genuinely low-risk relationships.
SDD vs CDD vs EDD: the three-tier framing
| Tier | Applies to | Identity verification | Source of funds | Monitoring |
|---|---|---|---|---|
| SDD | Low-risk customers (public sector, regulated FIs, listed companies) | Reduced documentary requirements | Not always required | Light |
| CDD | All other customers (default) | Standard documentary requirements | Self-declared | Periodic |
| EDD | High-risk customers (PEPs, high-risk jurisdictions, complex transactions) | Multiple sources, beneficial ownership tracing | Verified against documentary evidence | Continuous |
CDD vs EDD: side-by-side comparison
The full comparison, with regulatory anchors and ongoing-monitoring expectations.
| Dimension | CDD | EDD |
|---|---|---|
| Who it applies to | Every customer | High-risk customers only |
| Trigger | Onboarding | Risk flag (PEP, jurisdiction, transaction pattern) |
| Identity verification | Standard ID + address | Standard + beneficial ownership + multiple sources |
| Source of funds | Self-declared | Verified against documentary evidence |
| Source of wealth | Not required | Required for FATF Rec 12 cases |
| Monitoring | Periodic | Continuous + escalation |
| Sanctions and PEP screening | Standard list checks | Multi-list, continuous, adverse media included |
| Senior management approval | Not required | Required for PEPs and high-risk relationships |
| Reporting | Routine | STR/SAR-ready |
| Regulatory anchor | FATF Rec 10 / RBI MD on KYC | FATF Rec 12 and Rec 19 / EDD provisions of the RBI MD on KYC under the PMLA and PML Rules |
India-specific regulatory framing
Indian CDD and EDD obligations sit at the intersection of four frameworks: RBI Master Direction on KYC, the PMLA, 2002, FIU-IND reporting requirements, and FATF alignment.
RBI Master Direction on KYC and CDD obligations
The RBI MD on KYC, originally issued in 2016 and amended periodically, codifies CDD as a baseline obligation for every regulated entity (RE): banks, NBFCs, payment aggregators (newly in scope from November 2025), and prepaid payment instrument issuers. CDD includes customer identification, address verification, beneficial ownership for non-individual customers, and a documented risk assessment.
RBI KYC Master Direction 2025 (November 28, 2025) and the June 2025 amendment
The November 28, 2025 KYC MD supersedes the 2016 framework. Headline changes affecting CDD and EDD:
- Payment aggregators are now explicitly subject to CDD obligations
- Periodic updation cadence has been formalized; self-declaration alone no longer suffices for several customer categories
- BC-facilitated re-KYC is permitted under defined controls
- Audit trails for CDD and EDD decisions must be regulator-ready for inspection
The June 12, 2025 KYC Amendment Directions, issued earlier in 2025, refined the periodic updation rules and are now subsumed into the November MD.
PMLA Section 11A, identity verification and reliance on third-party CDD
Section 11A of the Prevention of Money Laundering Act, 2002, governs how a reporting entity verifies the identity of a client and its beneficial owner: Aadhaar authentication (for entities permitted to use it), offline Aadhaar verification, passport, or another officially valid document. Reliance on CDD already performed by another regulated entity is permitted under the PML Rules and the RBI KYC MD, subject to defined conditions: the third party must itself be a regulated entity subject to supervised KYC, the relying entity must obtain the CDD records promptly and be satisfied they are of equivalent or higher quality, and the relying entity remains responsible for compliance. Together these are the legal foundation for shared KYC workflows.
FIU-IND reporting: STR / CTR / NTR
EDD-flagged customers and suspicious transactions surfaced through ongoing monitoring must be reported to the Financial Intelligence Unit, India (FIU-IND) through Suspicious Transaction Reports (STR), Cash Transaction Reports (CTR), and Non-Profit Organisation Transaction Reports (NTR), within the timelines defined under the PML Rules. An STR is due within seven working days of the reporting entity being satisfied that a transaction is suspicious; CTRs are filed monthly, by the 15th of the following month, for cash transactions above the prescribed threshold regardless of suspicion. See AML investigations for the operational workflow and AML compliance for the broader regime.
Recent RBI penalty actions for KYC and AML lapses
The RBI has imposed monetary penalties on multiple regulated entities for KYC and AML lapses through 2024 and 2025, with enforcement focused on inadequate periodic updation, missing audit trails, and failures in beneficial ownership identification. Check the latest RBI press releases at rbi.org.in for current figures. See AML fines for the broader fine landscape.
Automating CDD and EDD for Indian banking workflows
Most CDD checks can be fully automated. EDD is partially automatable; the high-judgment components remain human. Knowing where the line sits is essential for any compliance team building automation.
Aadhaar-based eKYC as a CDD input
Aadhaar-based eKYC, where the customer authorizes a data fetch from UIDAI under the AUA/KUA framework, returns identity, address, photo, and demographic data in seconds. For CDD, this satisfies identification, verification, and address checks in one step for any Aadhaar-holding customer. Aadhaar OTP-based eKYC remains valid for low-value, low-risk products; biometric or video-based authentication is required for higher-value relationships.
CKYCR for shared KYC across regulated entities
The Central KYC Records Registry (CKYCR), operated by CERSAI under the Ministry of Finance, holds standardized KYC records across regulated entities. After a successful first-time KYC, the regulated entity uploads the record to CKYCR, which returns a CKYC Identifier (KIN). A later regulated entity can pull the existing record with the KIN instead of repeating KYC for the customer. Pulling the record does not transfer the compliance obligation: the relying entity still has to satisfy itself that the record is current and adequate for its own risk assessment.
DigiLocker for documentary evidence in CDD/EDD
DigiLocker holds government-issued documents (Aadhaar XML, PAN, driving licence, vehicle registration, education certificates) signed by the issuing authority. For CDD, fetching documents from DigiLocker removes the classic document-forgery vector, because each document carries the issuer’s digital signature. Two caveats apply: the control only holds if the regulated entity verifies that signature against the issuer’s certificate on receipt rather than trusting the download channel, and a valid signature proves the document is genuine, not that the person presenting it is its holder, which is what the identity authentication step is for. For EDD, DigiLocker can serve as a source for additional documentary evidence (educational qualifications, vehicle ownership) needed for source-of-wealth verification.
Sanctions and PEP screening at scale
Sanctions screening against OFAC, UN, EU, HMT, MAS, and India’s MEA designated lists must run at onboarding, periodically through the customer lifecycle, and in real time at transaction. PEP screening adds the politically-exposed-persons databases. Modern systems run all of these through name-matching engines that handle phonetic variations, transliteration (especially across English, Hindi, and regional scripts), and date-of-birth corroboration, with thresholds tuned so that a strong name match with a conflicting date of birth lands in human review rather than being auto-cleared or auto-blocked. See types of sanctions, best sanctions screening software, and HyperVerge’s AML solutions for an integrated stack. For the API view, see AML screening API.
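A minimal version of that matching pipeline, as an added example for this article (not the original page’s code and not any vendor’s engine): script and spelling normalization, a transliteration-tolerant phonetic fold, an edit-distance score, and date-of-birth corroboration that demotes a perfect name with a conflicting DOB to human review. The watchlist entries are constructed for the example and are not real designations; the fold rules, the 0.85/0.70 decision thresholds and the +0.10/-0.20 DOB adjustments are assumptions.

```python
import re
import unicodedata
from datetime import date

HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt", "sri", "kumari"}
# Romanization equivalences that recur across Hindi, Urdu and regional-script names.
# Assumption for the example; a production engine carries a far larger, script-aware table.
FOLD_RULES = [("ph", "f"), ("sh", "s"), ("ch", "c"), ("th", "t"), ("dh", "d"), ("kh", "k"),
              ("gh", "g"), ("bh", "b"), ("ee", "i"), ("oo", "u"), ("ck", "k"), ("q", "k"),
              ("w", "v"), ("z", "j"), ("y", "i")]

# Constructed watchlist entries for the example. These are not real designations.
WATCHLIST = [
    {"name": "Mohammad Rafīq Shaikh", "dob": date(1978, 4, 12), "list": "PEP (test)"},
    {"name": "Venkataraman, Priya", "dob": date(1985, 9, 1), "list": "Sanctions (test)"},
    {"name": "Arjun Malhotra", "dob": None, "list": "PEP (test)"},
]


def normalize(name):
    """Strip diacritics and punctuation, casefold, drop honorifics, and sort the tokens so
    'Venkataraman, Priya' and 'Priya Venkataraman' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", ascii_name.casefold()).split()
    return sorted(t for t in tokens if t not in HONORIFICS)


def fold(token):
    """Transliteration-tolerant key: apply the digraph rules, keep the first letter,
    drop the remaining vowels and squeeze repeated letters ('muhammed' -> 'mhmd')."""
    for src, dst in FOLD_RULES:
        token = token.replace(src, dst)
    token = token[0] + re.sub(r"[aeiou]", "", token[1:])
    return re.sub(r"(.)\1+", r"\1", token)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, 0.0 for nothing in common."""
    if not a or not b:
        return 0.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))


def name_score(query, candidate):
    """Best of the raw and the phonetically folded token comparison, in [0, 1]."""
    q, c = normalize(query), normalize(candidate)
    raw = similarity(" ".join(q), " ".join(c))
    folded = similarity(" ".join(map(fold, q)), " ".join(map(fold, c)))
    return max(raw, folded)


def screen(query_name, query_dob, watchlist=WATCHLIST, hit=0.85, review=0.70):
    """Score every entry, corroborate with date of birth, and return the best candidate
    with a decision: HIT (block and escalate), REVIEW (human look) or CLEAR."""
    best = {"score": -1.0}
    for entry in watchlist:
        score = name_score(query_name, entry["name"])
        if entry["dob"] is None or query_dob is None:
            dob = "unavailable"          # neutral: a missing DOB never clears a name hit
        elif entry["dob"] == query_dob:
            dob, score = "match", min(1.0, score + 0.10)
        else:
            dob, score = "mismatch", score - 0.20   # perfect name + wrong DOB -> REVIEW
        if score > best["score"]:
            best = {"score": score, "matched": entry["name"], "list": entry["list"], "dob": dob}
    best["decision"] = ("HIT" if best["score"] >= hit
                        else "REVIEW" if best["score"] >= review else "CLEAR")
    return best


if __name__ == "__main__":
    for name, dob in [("Shri Muhammed Rafik Sheikh", date(1978, 4, 12)),
                      ("Priya Venkatraman", date(1990, 1, 1)),
                      ("Rohan Desai", date(1991, 2, 2))]:
        print(name, "->", screen(name, dob))
```

The fold is what makes "Muhammed Rafik Sheikh" score 1.0 against "Mohammad Rafīq Shaikh" even though the raw strings differ in four positions; the DOB step is what keeps "Priya Venkatraman" with the wrong birth date out of the auto-block path and in a reviewer’s queue. Every decision carries the matched entry, the list, the score and the DOB outcome, which is the record an inspector asks for when a true hit was cleared.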
Where automation stops: human escalation rules
Three categories of EDD work are not safely automatable:
- Beneficial ownership tracing through complex structures. Automation surfaces the structure; a human compliance officer interprets the intent.
- Source-of-wealth narrative validation. Documentary evidence can be collected automatically; assessing whether the narrative is plausible against the customer’s profile is judgment.
- STR filing decisions. Automation flags suspicious patterns; the decision to file an STR is the compliance team’s, with named accountability.
A documented exception protocol routes these cases to named human reviewers with escalation thresholds and audit trails. Automation handles the 95-plus percent of cases; humans handle the 2 to 5 percent that require judgment. See AML in client onboarding for the integrated onboarding view.
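The exception protocol described above, as an added example (not code from the original article or any product): a tiering routine that turns the triggers on this page into an SDD/CDD/EDD decision with reason codes, names which EDD steps run unattended and which go to a named human queue, and writes every decision into a hash-chained log so that an inspector, or the compliance team itself, can detect an edited or deleted record. The trigger names, queue names, placeholder jurisdiction codes and the hash-chaining design are assumptions for illustration, not a regulatory prescription.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Placeholder country codes standing in for the FATF grey list (assumption for the example;
# production loads the current FATF and national lists).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
SDD_ELIGIBLE = {"public_sector", "regulated_fi", "listed_company"}

# Any one of these escalates the customer from CDD to EDD. Rule names double as reason codes.
HARD_TRIGGERS = {
    "pep": lambda c: bool(c.get("pep") or c.get("pep_associate")),
    "high_risk_jurisdiction": lambda c: (c.get("country") in HIGH_RISK_JURISDICTIONS
                                         or c.get("funds_origin") in HIGH_RISK_JURISDICTIONS),
    "adverse_media": lambda c: bool(c.get("adverse_media")),
    "tm_alert": lambda c: bool(c.get("monitoring_alerts")),
    "layered_ownership": lambda c: c.get("ownership_layers", 0) >= 3,
}

# Assumed split of EDD work: screening and collection run unattended; the judgment calls
# go to a named reviewer queue. Queue names are placeholders.
AUTOMATED_STEPS = ["sanctions_pep_screen", "adverse_media_screen", "document_collection"]
HUMAN_QUEUES = {"source_of_wealth": "sow-reviewers", "layered_ownership": "bo-analysts",
                "str_decision": "principal-officer"}


def tier_customer(c):
    """Return the due-diligence tier, the triggers that fired, and the work split."""
    fired = [name for name, rule in HARD_TRIGGERS.items() if rule(c)]
    if fired:
        tier = "EDD"
    elif c.get("category") in SDD_ELIGIBLE and not c.get("product_high_value"):
        tier = "SDD"
    else:
        tier = "CDD"
    work = {"automated": [], "human": {}}
    if tier == "EDD":
        work["automated"] = list(AUTOMATED_STEPS)
        work["human"]["source_of_wealth"] = HUMAN_QUEUES["source_of_wealth"]
        if "layered_ownership" in fired:
            work["human"]["layered_ownership"] = HUMAN_QUEUES["layered_ownership"]
        if "tm_alert" in fired:
            work["human"]["str_decision"] = HUMAN_QUEUES["str_decision"]
    return {"customer_id": c["id"], "tier": tier, "triggers": fired, "work": work}


class AuditLog:
    """Append-only decision log in which every record commits to the hash of the previous
    one, so editing or deleting an earlier decision breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, decision, actor):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                "decision": copy.deepcopy(decision), "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sample_customers():
    """Constructed onboarding records for the example; not real customers."""
    return [
        {"id": "c1", "category": "individual", "country": "IN"},
        {"id": "c2", "category": "individual", "country": "IN", "pep_associate": True},
        {"id": "c3", "category": "corporate", "country": "IN", "ownership_layers": 3},
        {"id": "c4", "category": "individual", "country": "IN", "funds_origin": "XX"},
        {"id": "c5", "category": "public_sector", "country": "IN"},
        {"id": "c6", "category": "individual", "country": "IN", "monitoring_alerts": ["structuring"]},
    ]


def run(customers, log):
    decisions = [tier_customer(c) for c in customers]
    for d in decisions:
        log.append(d, actor="onboarding-engine")
    return decisions


if __name__ == "__main__":
    log = AuditLog()
    for d in run(sample_customers(), log):
        print(d["customer_id"], d["tier"], d["triggers"], sorted(d["work"]["human"]))
    print("audit chain intact:", log.verify())
```

The point of the chain is accountability rather than cryptographic ceremony: a reviewer who reclassifies a PEP’s spouse from EDD to CDD has to append a new record under their own name, because rewriting the old one invalidates every hash after it. In production the log would also be written to storage the onboarding service cannot modify, since an attacker who can rewrite the whole chain can recompute it.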
Why CDD/EDD failures cost more than the fines
The headline cost of a CDD/EDD failure is the regulatory penalty. The actual cost runs deeper.
Direct cost: fines and remediation
Recent RBI and FinCEN actions show that penalties for KYC and AML failures escalate quickly. Repeat findings, missing audit trails, or systemic failures push penalties into the multi-crore range. Remediation costs (consultants, system rebuilds, lookback reviews) typically exceed the headline penalty.
False-positive cost on customer experience
The opposite failure (applying EDD where it is not needed, or applying CDD heavy-handedly) has a measurable cost too. Every additional document request and every consent-flow friction point cuts conversion. For high-volume retail flows, the cost of false-positive friction often exceeds the cost of well-targeted compliance.
Competitive disadvantage from heavy-handed EDD
Onboarding speed is a product attribute now. Customers who experience smooth onboarding at one bank and friction at another remember the difference. Heavy-handed EDD that does not match the actual risk profile is a self-imposed competitive cost.
Reputational and licensing risk
Beyond fines, the reputational and licensing implications matter. Repeat KYC and AML observations affect a regulated entity’s standing with the regulator, with downstream effects on license renewals, expansion approvals, and capital adequacy assessments.
See HyperVerge’s CDD and EDD automation in action
CDD and EDD done well disappear into the background. Customers feel the smooth onboarding; compliance teams keep the audit trail; regulators see the documentation when they ask. The right automation handles routine CDD in seconds, escalates clean on EDD triggers, and leaves human judgment for the cases that genuinely need it.
Talk to our team about CDD/EDD automation to see how the layered model fits your compliance stack.
FAQs
What is the difference between CDD and EDD?
CDD is the standard due diligence applied to every customer at onboarding: identity verification, address verification, beneficial ownership for non-individuals, and a risk assessment. EDD is the deeper investigation applied to high-risk customers (PEPs, high-risk jurisdictions, complex transactions): source-of-funds verification against documentary evidence, enhanced beneficial ownership tracing, sanctions and PEP screening, adverse media checks, and continuous monitoring.
When should EDD be applied instead of CDD?
EDD applies when a customer or transaction shows higher risk indicators: the customer is a PEP or close associate, the customer or beneficial owner is from a high-risk jurisdiction, the transaction pattern is complex or unusual without an apparent economic purpose, adverse media links the customer to financial crime, or transaction monitoring flags a suspicious pattern. The escalation should be documented in the risk assessment, not informal.
What is simplified due diligence?
SDD is a lower-friction baseline applied to genuinely low-risk customer categories: public-sector entities, regulated financial institutions, listed companies, and low-value low-risk products. Identity verification requirements are reduced, source-of-funds is not always required, and monitoring is light. National regulators define SDD-eligible segments; India’s regulatory framework permits abbreviated KYC for some PPI categories and certain low-risk segments under defined conditions.
What are the components of EDD?
EDD adds five layers on top of CDD: enhanced beneficial ownership identification (corporate documents, trust deeds, chain-of-ownership tracing), source-of-funds and source-of-wealth verification against documentary evidence, multi-list sanctions and PEP screening with continuous refresh, adverse media screening across global news and enforcement databases, and enhanced ongoing monitoring with lower transaction-pattern thresholds and faster escalation.
Who is required to perform CDD?
Every regulated entity is required to perform CDD: banks, NBFCs, payment aggregators (newly in scope under the November 2025 KYC MD), prepaid payment instrument issuers, mutual fund houses (under SEBI), insurers (under IRDAI), and other reporting entities under PMLA. The obligation extends to occasional customers above defined thresholds and to customers where suspicion of money laundering or terrorist financing arises.
What triggers EDD?
Six recurring triggers: politically exposed persons (PEPs) and their close associates, high-risk jurisdictions per FATF or national lists, complex or unusual transactions without economic purpose, adverse media flagging financial crime or fraud, suspicious activity patterns from transaction monitoring (structuring, layering), and high-net-worth individuals in some risk frameworks. The trigger should be documented in the risk assessment with the rationale for escalation.
Can CDD and EDD be automated?
CDD can be fully automated for routine cases: Aadhaar eKYC, document verification, sanctions screening, PEP screening, and risk scoring all run end-to-end without human input. EDD is partially automatable. The data-collection and screening layers run automatically; beneficial ownership tracing through complex structures, source-of-wealth narrative validation, and STR-filing decisions remain human-judgment work. Most Indian banks run a hybrid: automation handles the 95-plus percent of routine cases, named human reviewers handle the 2 to 5 percent that require judgment.
What is FATF’s role in CDD/EDD?
The Financial Action Task Force (FATF) sets the global AML/CFT standards through its 40 Recommendations. Recommendation 10 codifies CDD as a baseline obligation for every regulated entity. Recommendation 12 mandates EDD for politically exposed persons. National regulators (RBI in India, FinCEN in the US, FCA in the UK) translate FATF standards into binding national rules. India’s PMLA, 2002, and the RBI KYC Master Direction implement FATF Recs 10 and 12 in the Indian regulatory regime.