Enhanced due diligence under the JMLSG Part I Guidance is triggered by specific factors that the firm should have identified at onboarding or during ongoing monitoring. The triggers fall into customer factors, jurisdictional factors, product and channel factors, and behavioural factors. A defensible EDD framework documents which triggers apply, what evidence the firm obtained in response, and what residual risk the firm is willing to accept.
EDD is one of the most frequently misapplied parts of the AML framework, and the misapplication tends to go in one of two directions. Either the firm applies EDD to almost everyone, in which case EDD becomes the standard rather than the exception and loses its meaning. Or the firm applies EDD to almost no one, in which case the trigger conditions are being filtered out somewhere in the process and the firm cannot show why.
Both failures are visible to a regulator. Both are avoidable.
The JMLSG Part I Guidance is the industry-developed guidance that the FCA refers to when assessing whether firms have met their MLR 2017 obligations. The guidance sits alongside the regulations rather than replacing them, but it carries weight in supervisory exchanges and is the framework most UK firms organise their AML thinking around.
EDD under Part I is triggered when the firm identifies one or more risk factors that elevate the relationship above standard customer due diligence. The guidance does not give a finite list. It gives categories of factors and examples within each category. The firm is expected to identify which factors apply to its business model, document them, and apply EDD when they are present.
This means the EDD trigger framework is firm-specific. A wealth manager's triggers are not the same as a retail bank's, and a Gulf-facing private bank's are not the same as a UK consumer credit firm's. The firm has to do the thinking.
The first category is customer factors. The client is a politically exposed person, a family member or close associate of a PEP, or someone whose profile suggests elevated risk. The client has a complex ownership structure, operates through nominees, or has connections to jurisdictions or industries that warrant additional scrutiny. The client's stated wealth narrative requires documentation that goes beyond the standard for an ordinary onboarding.
The second category is jurisdictional factors. The client, the source of funds, the source of wealth, or the destination of services involves jurisdictions identified by FATF as high risk, jurisdictions on the UK's own high-risk list, or jurisdictions whose regulatory environment, governance standards, or financial transparency are below international norms. The Gulf, parts of Africa, parts of Eastern Europe, and a long tail of smaller jurisdictions all sit somewhere on this spectrum, and the firm's country risk matrix needs to reflect a considered view rather than a colour-coded shortcut.
The third category is product and channel factors. The relationship involves products or services that are themselves higher risk: private banking, correspondent banking, trust and company service provision, certain types of investment vehicles, or services delivered without face-to-face contact. The channel through which the relationship was established carries weight too. A relationship onboarded entirely remotely, through an introducer, or through a third-party platform raises questions that an in-person onboarding does not.
The fourth category is behavioural factors. The client's transactional behaviour does not match the profile established at onboarding. The client requests services that are unusual for their stated profile. The client provides information reluctantly or inconsistently. The relationship undergoes changes in beneficial ownership, control, or stated purpose that were not anticipated. Behavioural triggers are the most often missed because they require ongoing monitoring rather than point-in-time assessment.
EDD is not just more of the same. It is qualitatively different work. The firm is moving from accepting the client's account at face value, with reasonable corroboration, to actively investigating whether the account holds up.
That investigation typically includes additional source of wealth corroboration beyond what would be obtained at standard CDD. It includes deeper screening, often across more datasets and with closer attention to false positive resolution. It includes senior management approval of the relationship, with documentation of what was approved and on what basis. It includes ongoing monitoring at higher intensity, with shorter refresh cycles and more sensitive trigger thresholds.
Most importantly, it includes a documented decision. The firm is choosing to accept a higher risk relationship. The reasoning behind that choice, the evidence that supports it, and the conditions on which the relationship is accepted all need to be on the file. EDD without a documented decision is just CDD performed slightly more thoroughly, and it does not satisfy the regulation.
The most common failure pattern is the unrecorded trigger. A factor that should have triggered EDD was identified somewhere in the process, but the firm did not act on it. The factor sits in a free text field, or in a screening result that was never resolved, or in correspondence that did not feed into the CDD decision. The trigger existed. The firm did not see it. The reviewer does.
The second is the trigger that fired but was overruled without documentation. The system flagged the relationship as requiring EDD. Someone overrode the flag. The override is recorded as a click. The reasoning is not. A regulator examining that file cannot see why the trigger was suppressed, and the firm cannot reconstruct the reasoning after the fact.
The third is the EDD that happened but was not documented as EDD. The firm did additional work because the relationship looked higher risk. The work is on the file. It is not labelled, not structured, and not visible as a discrete EDD exercise. From the outside, the file looks like a standard CDD file with some extra documents in it, which does not tell the reviewer that the firm consciously elevated the level of scrutiny.
The fourth is the EDD that became a standing process. Once a relationship is in EDD, it stays in EDD forever. The trigger that got the relationship there is not revisited, the residual risk is not reassessed, and the firm is doing enhanced work years after the original concern is no longer relevant. EDD that does not have a defined exit pathway is not really risk-based.
A defensible framework does five things.
It documents the firm-specific trigger conditions, derived from the categories above and tailored to the firm's actual business. It identifies triggers consistently across all relationships, through systems that capture rather than rely on individual judgement at the moment of onboarding. It executes EDD as a discrete, labelled process with documented decisions, not as a vaguer notion of "extra work". It records senior approval, with reasoning, of relationships that proceed on EDD terms. And it has defined exit and refresh pathways so that EDD remains proportionate to actual risk over time.
None of these are technically demanding. They are organisationally demanding. They require the firm to treat EDD as a structured process rather than a discretionary practice, and to invest in the systems that make the structure visible.
| Category | Examples |
|---|---|
| Customer factors | PEPs, complex ownership, nominees, unusual wealth profile |
| Jurisdictional factors | FATF high-risk lists, UK high-risk list, jurisdictions below transparency norms |
| Product and channel | Private banking, TCSP services, remote onboarding, third-party introducers |
| Behavioural factors | Profile mismatch, inconsistent information, ownership changes mid-relationship |
The trigger framework is the most important investment a firm can make in its AML programme. Get the triggers right, document them properly, and execute EDD as a structured process, and the rest of the framework starts to work the way the regulations intended. Get them wrong, and every other investment in compliance technology, training, and governance is being made on top of a foundation that the regulator can challenge.
Verigrade ships with over 30 EDD trigger conditions structured around customer, jurisdictional, product, and behavioural factors. Every trigger is captured, every override is recorded, and the framework is configurable to your firm's specific risk appetite.