EDD Triggers: High-Risk Countries, Sectors and Products

Enhanced due diligence is not a catch-all for any customer the firm is uncertain about — it is a defined set of measures triggered by specific risk factors. Knowing precisely when EDD is required, and what it must involve, is fundamental to a compliant and proportionate CDD framework.

Regulation 33 of the Money Laundering Regulations 2017 requires regulated firms to apply enhanced due diligence — and enhanced ongoing monitoring — in situations presenting a higher risk of money laundering or terrorist financing. The regulation identifies specific mandatory triggers for EDD and requires firms to apply EDD in any other situation that, by its nature, presents a high risk. This post covers the principal triggers and what EDD must involve in practice.

High-Risk Third Countries

The most clearly defined mandatory EDD trigger is a business relationship or transaction involving a high-risk third country — a country identified by the EU Commission, or designated by HM Treasury in the UK post-Brexit, as having strategic deficiencies in its AML/CFT framework. The current UK list of high-risk third countries can be found via the HM Treasury guidance. Where a business relationship involves a customer based in, or a transaction connected to, a high-risk third country, EDD is mandatory regardless of any other risk indicators.

In addition to the mandatory HM Treasury list, firms should also reference the FATF grey list (jurisdictions under increased monitoring) and FATF blacklist (jurisdictions subject to a call for action) when assessing geographic risk. A customer in a FATF grey-listed country may not trigger mandatory EDD under the current UK designation — HM Treasury’s UK list is more limited than the FATF lists — but should trigger enhanced scrutiny and potentially EDD under the firm’s risk-based approach. The firm-wide risk assessment should document how the firm treats FATF-listed countries not on the mandatory UK list.

Politically Exposed Persons

A customer who is a politically exposed person — or who has a PEP as a close associate or family member — is a mandatory EDD trigger under Regulation 35 of the MLR 2017. PEP status arises from holding a prominent public function: heads of state, government ministers, senior politicians, senior judiciary, senior military officers, senior executives of state-owned enterprises, and senior officials of international organisations. PEP status persists for at least 12 months after the person leaves the prominent function, and most firms apply a longer look-back period in their risk policies.

EDD for PEPs must include: taking reasonable measures to establish the source of wealth and source of funds used in the business relationship; senior management approval for establishing or continuing the relationship; and enhanced ongoing monitoring of the relationship. The requirement applies to domestic as well as foreign PEPs — a senior UK government official is a PEP for MLR 2017 purposes, although domestic PEPs may be assessed as presenting lower risk than foreign PEPs in certain contexts.

High-Risk Business Sectors

Beyond the mandatory triggers, firms must apply EDD in any situation that presents a higher risk of money laundering or terrorist financing by its nature — which the firm’s risk assessment should specify. Certain business sectors are consistently identified as elevated risk in FATF typologies, FCA guidance and industry AML frameworks.

Cash-intensive businesses — retailers, hospitality, car washes, nail bars, parking operators — present elevated risk because the volume of legitimate cash transactions creates cover for introducing illicit funds. Firms banking these businesses, or processing their payments, should apply EDD including source of funds verification and enhanced transaction monitoring.

Real estate and professional services — estate agents, legal firms, accountants — are high-risk for layering, particularly through complex property transactions involving offshore entities. Firms providing services to these sectors should apply EDD commensurate with the layering risk profile.

Virtual asset service providers — cryptocurrency exchanges, digital wallet operators — are high-risk for both money laundering and TF given the pseudo-anonymity and speed of blockchain transactions. Banks and payment firms providing services to VASPs should apply EDD including enhanced transaction monitoring and clear policies on the VASP relationships they are prepared to bank.

Correspondent banking is one of the highest inherent risk categories in financial services. Correspondent relationships involve a respondent bank’s customers being indirectly served through the correspondent’s accounts — creating exposure to customer risks the correspondent cannot directly assess. Firms with correspondent relationships must apply the MLR 2017’s specific EDD requirements for correspondent banking, including assessing the respondent’s AML framework, obtaining senior management approval, and clearly documenting the responsibilities of each institution.

High-Risk Product Types

Certain product types carry elevated inherent risk regardless of the customer’s profile or geography. Private banking — relationship-managed wealth management for high-net-worth individuals — creates risk through the personalised service model, which can create opportunities for conflicts of interest and for unusual transactions to go unchallenged. Trade finance is a known vector for trade-based money laundering, where the invoice values or quantities in trade documents are manipulated to move value across borders. Complex legal arrangements — trusts, foundations, complex corporate structures with multiple layers of beneficial ownership — create opacity that can be used to conceal the ultimate beneficial owner.

The firm’s CDD framework should identify, product by product, whether elevated risk applies and what additional measures are required. The product risk mapping should connect directly to the firm-wide risk assessment rather than being a separate exercise.

Non-Face-to-Face and Complex Transactions

The MLR 2017 requires EDD where a transaction is particularly complex or unusually large, has no apparent economic or legal purpose, or involves an unusual pattern of transactions. These are judgment-based triggers rather than rule-based ones — they require the relationship manager or compliance analyst to identify that something about the transaction warrants greater scrutiny than standard CDD provides.

Non-face-to-face business relationships — digital onboarding, intermediary introductions, remote-only customer interactions — are also identified as higher risk in the MLR 2017’s risk factors. The firm’s CDD policy should specify what additional measures are applied to non-face-to-face relationships to compensate for the reduced verification opportunity that direct interaction would provide.

What EDD Must Involve in Practice

EDD is not a single step — it is a set of additional measures applied proportionately to the level of risk. The mandatory elements for high-risk third country business and PEPs include source of wealth verification and senior management approval. Beyond these mandates, a well-structured EDD process typically involves: more intensive verification of the customer’s identity and beneficial ownership; verification of the source of funds in the transaction; verification of the source of the customer’s wealth; more frequent and intensive ongoing monitoring; shorter review cycles for the customer’s risk rating; and in some cases an independent second-line compliance review before the relationship is approved.

The documentation of EDD must show the steps taken, the information obtained and the conclusions reached — not merely a checkbox confirming that EDD was completed. An EDD file that records the questions asked and the answers received, with the analyst’s conclusion on how the risk is mitigated, provides the evidence base the firm needs if the relationship is subsequently scrutinised.

Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd

ICAEW Registered Practice  |  Companies House No. 13329383

“The EDD framework is where AML compliance becomes genuinely judgement-intensive — it requires financial crime professionals who understand the risk factors in depth and can make calibrated decisions about when EDD is required, what it should involve in a specific case, and how to document their conclusions in a way that stands up to FCA review. We place financial crime compliance officers and MLROs who bring that level of AML expertise.”

Recruiting a Financial Crime Compliance Officer?

FD Capital places MLROs and financial crime compliance officers with EDD, CDD and AML programme expertise across FCA-regulated firms on interim, fractional and permanent mandates.
