PART ELEVEN: SPECIAL TOPICS
Chapter 39

The EDD (Enhanced Due Diligence) Playbook


Enhanced Due Diligence is where the theoretical compliance framework meets the realities of running a money transmission business. Standard KYC (Know Your Customer) is the baseline: you collect the customer's name, address, and government-issued ID. EDD is a deeper, more searching investigation triggered by specific risk factors. I've conducted hundreds of EDD investigations. I've also seen operators implement EDD so aggressively that they block legitimate transactions, and I've seen operators implement it so loosely that they might as well not bother. The skill is knowing when to deploy EDD resources, how much investigation is enough, and when you're overthinking a low-risk situation.

What triggers EDD is determined by your risk policies, which I recommend writing down explicitly. Your policies should specify:

High-risk customer categories: Customers engaging in certain professions or activities present inherent risk. This includes: cash couriers, money brokers, import-export businesses dealing with high-risk jurisdictions, foreign exchange traders, precious metals dealers, real estate investors in specific markets, cryptocurrency businesses, legal services firms (because they handle large cash deposits that might be client funds), accountants, and informal money transmitters (hawala operators, for instance).

High-risk geographies: Countries and regions designated as high-risk by FATF or FinCEN, or countries with weak AML regimes. This list changes periodically. Currently, it includes Syria, North Korea, Iran, Venezuela, Yemen, and several others. Additionally, certain regions have been designated as presenting elevated corruption or sanctions evasion risk. I recommend subscribing to a sanctions list monitoring service that updates automatically rather than maintaining your own lists.

High-risk products and services: Some products and transaction types present elevated risk. Large cash transactions (though the $10,000 CTR threshold is not a trigger point—you must file a CTR, but it doesn't automatically trigger EDD). Transactions to sensitive jurisdictions. Transactions with no apparent economic purpose. Rapid movement of funds (funds enter and leave your system within hours). Beneficial ownership structures that obscure who actually owns the money.

Politically Exposed Persons (PEPs): Customers who are, or have been within the past year, in positions of significant political authority in their country of origin, or who have close family members in such positions. A PEP in Argentina might be the former vice president, their spouse, or an adult child. PEP lists are publicly available but not complete. If your customer is a former senator from a Latin American country, that's a PEP. If your customer is a physician whose father was a government minister, that's also a PEP depending on your policy definitions.

Correspondent relationships: Other financial institutions that you rely on to deliver funds, process transactions, or hold customer funds. A correspondent presenting risk might be a bank in a jurisdiction with weak AML enforcement, or a bank you haven't audited recently, or a bank that has been subject to regulatory findings.

When EDD is triggered, the investigation should be proportionate to the risk. I've seen compliance teams spend $5,000 investigating whether a $500 remittance to a customer's sister in Istanbul presents AML risk. That's a waste of resources. I've also seen teams approve a $100,000 wire to a shell company in the Caribbean based on a quick Google search. The balance is judgment, guided by policy.

EDD for high-risk customers has a standard structure. You're trying to answer: Is this customer who they say they are? Is their stated purpose of using our service consistent with what we know about them? Is there evidence of involvement in criminal activity? Are they connected to sanctioned individuals or entities? Are they structuring transactions to avoid reporting thresholds?

For a high-risk customer, the investigation typically includes:

  1. Enhanced ID verification. If a customer provided a driver's license, you call the issuing authority to verify it's genuine. If they provided a passport, you check it against the country's passport issuance database (if available). You compare the photo to the person if the transaction is in-person. For remote transactions, you might require additional documentation (utility bill, bank statement) to corroborate the address.

  2. Beneficial ownership investigation. If the customer is a business entity, you identify the natural persons who ultimately own or control it. If it's a trust, you identify the trustee and beneficiaries. If it's a corporation, you get beyond the registered agent and identify actual decision-makers. Some structures are deliberately opaque—I once investigated a Delaware LLC created specifically to purchase real estate anonymously. The LLC's registered agent was an anonymous agent service. Tracing the actual owner required investigation that eventually led to a Russian oligarch subject to US sanctions.

  3. Source-of-funds investigation. Where did the money come from? For a customer wiring $50,000, you ask: Is this from employment? Inheritance? Business revenue? If employment, what's the company? What's the salary? If business, what's the nature of the business? For a customer in a cash-heavy business (restaurant owner, taxi driver), some EDD might simply be confirming their business type and reasonableness of cash deposits. For a customer claiming the funds are an inheritance, you might ask for probate documentation or a letter from the estate attorney.

  4. Beneficial purpose investigation. Why is this customer using our service? For a remittance to family, the purpose is clear. For a payment to a business entity, it might be less so. If a customer is repeatedly wiring large sums to a company in a jurisdiction known for sanctions evasion, that's a red flag. If a customer is receiving payments from multiple sources and consolidating them before sending abroad, that's structuring and a red flag.

  5. Sanctions and adversary list checking. You check the customer's name (and variations of it) against OFAC lists, ODNI lists, EU sanctions lists, and other relevant lists. You check the beneficiary. If they're sending to a company, you check the company. You look for exact matches but also close matches—a customer named "Muhammad Ali" matching the OFAC listing for a different Muhammad Ali in a different country requires judgment.

  6. Media and industry checking. You Google the customer, looking for adverse news. You check business databases if they're a business entity. You check industry directories to confirm their stated profession. You look at their social media if available (some operators do this, others consider it invasive). The purpose is to corroborate their story or identify discrepancies.

  7. Transaction pattern investigation. You look at their transaction history with you (if any) and with partner institutions (if you have visibility). Are they making rapid micro-transactions consistent with structuring? Are they making single large transactions consistent with legitimate business? Are they sending to consistent beneficiaries or to new beneficiaries each time?
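The sanctions check in step 5 is where most screening tools do their work: the customer's name and its variations are normalized and compared to list entries, and close matches are surfaced for an analyst rather than decided automatically. The following is an added example, not code from the chapter and not any vendor's algorithm. The list entries are constructed, the spelling folds are a small illustrative table, and the review threshold is an assumption; a "Muhammad Ali" query against a constructed "Mohammed Ali Hassan" entry comes back as a candidate precisely because, as the text says, that case calls for judgment.

```python
"""Name screening with variant handling: normalize, fold common spellings,
compare order-insensitively, and return close matches for analyst review.
Added example; list entries are constructed and the threshold is an assumption."""
import difflib
import re
import unicodedata

REVIEW_THRESHOLD = 0.75   # assumption: below this, no candidate is raised for review

# Constructed sample entries, not a real sanctions list.
SAMPLE_LIST = [
    {"id": "EX-0001", "name": "Mohammed Ali Hassan", "country": "YE"},
    {"id": "EX-0002", "name": "Alvarez Construcciones, S.A.", "country": "VE"},
    {"id": "EX-0003", "name": "Ivan Petrovich Sidorov", "country": "RU"},
]

# Transliteration variants folded to one spelling before comparison (illustrative).
SPELLING_FOLDS = {"mohammed": "muhammad", "mohamed": "muhammad",
                  "mohammad": "muhammad", "hasan": "hassan"}
# Corporate suffixes carry no identifying information and are dropped.
CORPORATE_NOISE = {"sa", "ltd", "llc", "inc", "co", "corp"}


def normalize(name):
    """Strip accents and punctuation, drop corporate suffixes, fold spellings, sort tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower().replace(".", ""))
    tokens = [SPELLING_FOLDS.get(t, t) for t in tokens if t not in CORPORATE_NOISE]
    return sorted(tokens)           # sorting makes "Hassan, Muhammad Ali" == "Muhammad Ali Hassan"


def similarity(a, b):
    """0..1 similarity of the normalized token strings (exact match scores 1.0)."""
    return difflib.SequenceMatcher(None, " ".join(normalize(a)), " ".join(normalize(b))).ratio()


def screen_name(name, entries=SAMPLE_LIST, threshold=REVIEW_THRESHOLD):
    """Return (entry, score) candidates at or above the threshold, best first.

    A candidate is a prompt for review, not a determination: a partial match on
    a common name (missing surname, different country) still needs an analyst.
    """
    scored = [(e, similarity(name, e["name"])) for e in entries]
    return sorted([(e, s) for e, s in scored if s >= threshold], key=lambda x: -x[1])


if __name__ == "__main__":
    for query in ("Hassan, Muhammad Ali", "Muhammad Ali", "Álvarez Construcciones S.A.", "Jane Doe"):
        hits = [(e["id"], round(s, 2)) for e, s in screen_name(query)]
        print(f"{query!r}: {hits or 'no candidates'}")
```

Run the beneficiary and any company through the same function as the customer; the threshold is a policy choice, and lowering it trades more analyst review time for fewer missed variants.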

For high-risk geographies, the EDD intensity increases. A customer sending $1,000 to a family member in Canada requires minimal EDD. A customer sending $1,000 to a family member in North Korea might not be permitted at all (North Korea is subject to comprehensive sanctions). A customer sending $1,000 to Syria might be permitted if the customer is a US-based Syrian citizen with family there (OFAC has humanitarian exemptions), but it requires careful EDD to ensure the beneficiary is not a sanctioned entity.

I've worked on cases where EDD for high-risk geography became exceptionally complex. One case involved a customer wanting to send remittances to a family business in Venezuela. Venezuela is subject to comprehensive sanctions and is considered high-risk. The customer was a US citizen with a Venezuelan passport, working as an engineer in Texas, with family still in Venezuela. Sending money to family in Venezuela is not prohibited, but it requires specific OFAC licenses or falls under humanitarian exceptions. The EDD required:

  1. Confirming the customer's identity and US status.
  2. Confirming the beneficiary was indeed a family member (not a front company).
  3. Ensuring the funds were not being used to support a sanctioned entity.
  4. Documenting the humanitarian purpose (support for family members living in Venezuela).
  5. Filing for or relying on an OFAC license or exemption.

This investigation took two weeks and involved legal counsel. But it was necessary because the reputational and legal risk of getting it wrong—funding a sanctioned Venezuelan government entity or front company—was severe.

High-risk products and services require EDD that focuses on the product characteristics. For high-value transactions, you're looking for structuring and source-of-funds legitimacy. For rapid movement transactions (funds coming in and immediately going out), you're looking for whether you're being used as a pass-through for illicit funds or sanctions evasion. One pattern I've seen is a customer deposits funds through multiple agents, consolidates them in a central account, and then wires them out to a foreign entity. That looks like funds consolidation and could indicate money laundering. The EDD in that case focuses on: Who is sending the funds to the customer? Are they all related customers or unrelated? If unrelated, what's the business relationship? Is the customer operating as a broker without licensing? Is this funds consolidation a shell game to obscure the original source?
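The transaction-pattern investigation in step 7 and the consolidation scenario just described can be written as screening rules run over a customer's history, so that the risk factor that triggered EDD is recorded mechanically rather than by "gut feeling". The following is an added example, not code from the chapter: the record layout, the 24-hour and 7-day windows, the three-sender cutoff and the US home country are assumptions, and the constructed sample shows one customer tripping all three rules while two ordinary customers trip none.

```python
"""Transaction-pattern screening rules for the EDD triggers the chapter names:
sub-threshold deposits that add up past the CTR amount, funds that leave within
hours of arriving, and consolidation from several senders followed by a wire abroad.
Added example; windows, cutoffs and HOME_COUNTRY are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000                      # reporting threshold cited in the chapter
HOME_COUNTRY = "US"                         # assumption: a US-based transmitter
PASS_THROUGH_WINDOW = timedelta(hours=24)   # assumption for "within hours"
STRUCTURING_WINDOW = timedelta(days=7)      # assumption for "rapid" deposits
MIN_DISTINCT_SENDERS = 3                    # assumption for "multiple sources"


@dataclass(frozen=True)
class Txn:
    customer: str
    when: datetime
    direction: str      # "in" = funds received by the customer, "out" = funds sent
    amount: float
    counterparty: str   # sender for "in", beneficiary for "out"
    country: str        # counterparty's country code
    channel: str        # agent location id or payment rail


def _history_by_customer(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t.customer].append(t)
    return {c: sorted(h, key=lambda t: t.when) for c, h in groups.items()}


def sub_threshold_aggregation(hist):
    """Two or more sub-CTR deposits within STRUCTURING_WINDOW that together pass the CTR amount."""
    deposits = [t for t in hist if t.direction == "in" and t.amount < CTR_THRESHOLD]
    start = 0
    for end in range(len(deposits)):             # sliding window over time-sorted deposits
        while deposits[end].when - deposits[start].when > STRUCTURING_WINDOW:
            start += 1
        window = deposits[start:end + 1]
        if len(window) >= 2 and sum(t.amount for t in window) >= CTR_THRESHOLD:
            return True
    return False


def rapid_pass_through(hist):
    """An outbound transfer that moves out (almost) all funds received in the preceding window."""
    inbound = [t for t in hist if t.direction == "in"]
    for out in (t for t in hist if t.direction == "out"):
        received = sum(t.amount for t in inbound
                       if out.when - PASS_THROUGH_WINDOW <= t.when <= out.when)
        if received > 0 and out.amount >= 0.9 * received:
            return True
    return False


def consolidation_then_outbound(hist):
    """Funds from several distinct senders, then a transfer to a foreign beneficiary.
    Distinct sender names are only a proxy for "unrelated"; establishing the senders'
    relationship to the customer is the analyst's EDD question, not this rule's."""
    senders = set()
    for t in hist:
        if t.direction == "in":
            senders.add(t.counterparty)
        elif t.country != HOME_COUNTRY and len(senders) >= MIN_DISTINCT_SENDERS:
            return True
    return False


RULES = {
    "sub_threshold_aggregation": sub_threshold_aggregation,
    "rapid_pass_through": rapid_pass_through,
    "consolidation_then_outbound": consolidation_then_outbound,
}


def screen(txns):
    """Return {customer: sorted rule names fired} for customers tripping at least one rule."""
    flagged = {}
    for customer, hist in _history_by_customer(txns).items():
        fired = sorted(name for name, rule in RULES.items() if rule(hist))
        if fired:
            flagged[customer] = fired
    return flagged


# Constructed sample activity, not real data.
D = datetime(2024, 3, 4)
SAMPLE = [
    # C-1001: three agent deposits from different senders, then a wire abroad six hours later
    Txn("C-1001", D + timedelta(hours=9), "in", 4_000, "R. Perez", "US", "agent-17"),
    Txn("C-1001", D + timedelta(hours=11), "in", 4_000, "L. Okafor", "US", "agent-22"),
    Txn("C-1001", D + timedelta(hours=13), "in", 4_000, "M. Tran", "US", "agent-05"),
    Txn("C-1001", D + timedelta(hours=19), "out", 11_500, "Comercial Ejemplo SA", "PA", "wire"),
    # C-2002: a small family remittance with no inbound activity
    Txn("C-2002", D + timedelta(days=1), "out", 600, "family member", "TR", "wire"),
    # C-3003: one payroll-sized deposit, supplier payment three days later
    Txn("C-3003", D, "in", 9_500, "Acme Payroll", "US", "ach"),
    Txn("C-3003", D + timedelta(days=3), "out", 9_400, "Supplier Pte Ltd", "SG", "wire"),
]
```

Calling `screen(SAMPLE)` flags only C-1001, with all three rules; the rule names are exactly what belongs in the first field of the EDD file (the risk factors that triggered the investigation), and the analyst's work then starts with the questions the paragraph lists: who the senders are, whether they are related, and whether the customer is acting as an unlicensed broker.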

PEP investigations are particularly sensitive because they can be discriminatory if not handled carefully. A PEP is not per se a problem. Many legitimate PEPs use financial services. The issue is that PEPs are targets for bribery and corruption, so PEPs' funds might represent proceeds of corruption or embezzlement. The EDD for a PEP should focus on:

  1. Confirming the PEP status and the specific position held.
  2. Understanding the source of the funds and whether it's consistent with legitimate income from their position.
  3. Checking the PEP against corruption indices and investigative journalism sources (is there reporting about corruption in their country or their specific position?).
  4. Determining whether they're connected to any sanctioned entities.
  5. Understanding the beneficial purpose of the transaction.

I've worked on PEP cases that were straightforward and ones that required months of investigation. The straightforward ones: A former government minister from an OECD country, now private citizen, making a routine international transfer. Standard PEP investigation, low risk, probably cleared in a week. The complex ones: A current official from a high-corruption jurisdiction making large transfers to a shell company in the Seychelles. That requires deep investigation of the official's actual compensation, verification that the shell company is legitimate, and possibly denial of the transaction if you determine it likely represents corruption.

Correspondent relationships present EDD challenges that often get inadequate attention. Many money transmitters rely on correspondents in foreign countries without actually knowing much about them. I once visited a correspondent in Africa who was supposedly a regulated money transfer company. The visit revealed:

  1. The office was a small room in a shopping center.
  2. There was no visible compliance infrastructure.
  3. Staff had not received AML training.
  4. Transaction records were handwritten in notebooks.
  5. The owner had previously been prosecuted for fraud.

Yet this correspondent was handling thousands of dollars daily in my client's transactions. We immediately terminated the relationship, but the damage was already done. We'd been relying on a correspondent that presented severe risk.

EDD for correspondent relationships should include:

  1. Initial due diligence: Who is this correspondent? What's their regulatory status in their jurisdiction? Do they have licenses or registrations? Have they been subject to enforcement?

  2. Capability assessment: Can they actually handle the transaction volumes and corridors we need? Do they have proper banking relationships? Can they deliver funds reliably?

  3. Compliance assessment: What's their AML program? Have they been audited? What's their transaction monitoring capability? How do they handle suspicious activity?

  4. Ongoing monitoring: Regular contact, periodic audits (annual or biennial), request for compliance certifications, review of any regulatory actions or enforcement.

  5. Audit visits: For high-volume corridors or high-risk correspondents, periodic in-person visits are warranted. You're looking at their actual operations, not just their compliance manual.

EDD documentation requirements are specific. For every EDD investigation you conduct, you must document:

  1. The risk factors that triggered EDD. Why did you investigate this customer or transaction more deeply?

  2. The investigation steps you took. Who did you contact? What documents did you request? What databases did you check?

  3. The findings. What did you learn? Were the risk factors confirmed or mitigated?

  4. Your decision. Did you approve the transaction? Block it? Approve it with restrictions?

  5. Your reasoning. Why did you reach that conclusion?

Documentation should be detailed enough that if a regulator reviews it, they can understand your thinking. "Customer appeared legitimate" is not documentation. "Customer name was checked against OFAC list and ODNI list with no matches. Customer provided articles of incorporation confirming C corporation status, EIN tax documentation from IRS confirming business existence, bank statement from customer's business account showing source of funds. Beneficiary is customer's primary supplier based in Singapore, confirmed through customer's business records. Transaction is payment for goods ordered in customer's regular business. Approved." That's documentation.

Technology solutions for EDD range from simple to sophisticated. At the low end, you might use a spreadsheet to track which customers have received EDD and what the findings were. At the high end, you integrate with specialized EDD platforms that automate much of the investigation. These platforms can:

  1. Check names automatically against OFAC and other sanctions lists.
  2. Check beneficiaries against PEP databases.
  3. Flag high-risk jurisdictions automatically.
  4. Access public records databases to verify identities and business information.
  5. Flag transactions matching predefined risk patterns.
  6. Generate EDD investigation workflows that guide your team through the investigation process.

Good platforms reduce the manual work but don't eliminate judgment. You still need compliance professionals who understand context and can make nuanced decisions.

Building an EDD framework from scratch requires defining:

  1. Risk categories and triggers. What categories of customers, geographies, products, and structures trigger EDD? Write these out. Be specific.

  2. EDD depth by risk level. High-risk customers might require steps 1-7 I listed above. Medium-risk customers might require steps 1-4 only. Low-risk customers might only need standard KYC. Define this so your team knows when to do deep investigation and when to do light investigation.

  3. Timing. Is EDD done before you accept the customer or after? Most frameworks do it before. Can you do transaction-level EDD (investigating specific transactions from existing customers), or only customer-level EDD? Both are appropriate for different risk scenarios.

  4. Escalation and decision-making. Who approves EDD investigations? Who makes the final decision to accept or deny? What's the appeal process if a customer disputes an EDD finding?

  5. Documentation and retention. Where are EDD files stored? Who has access? How long are they retained?

  6. Training. Your team needs to understand EDD concepts, investigation methods, and documentation standards. This requires initial training and ongoing updates.

Common EDD failures I've seen:

  1. No EDD framework at all. Some operators do EDD ad hoc—they investigate some customers and not others based on gut feeling. This is both inefficient and risky. You're likely over-investigating low-risk customers and under-investigating high-risk ones.

  2. EDD that's too aggressive. I've seen operators block legitimate transactions because of EDD findings that, in context, are not problematic. A customer sending remittance to a beneficiary in India gets blocked because India is flagged as high-risk, without any investigation of the actual customer or transaction. Over-aggressive EDD reduces customer satisfaction and may expose you to discrimination claims.

  3. EDD that's too superficial. Checking a customer name against OFAC and calling it EDD is not EDD. True EDD requires investigation.

  4. Poor documentation. EDD investigations that aren't documented can't be defended if questioned. If regulators find you approved a high-risk transaction and you have no documentation of your investigation, you're in trouble.

  5. No ongoing monitoring. EDD is not a one-time event. You need to continuously monitor customers and transactions for changes in risk. A customer who was legitimate two years ago might be presenting new risk indicators today.

A practical case: I consulted with a fintech remittance company that was experiencing high transaction decline rates due to EDD investigations. They were investigating roughly 30% of customers. Most investigations cleared the customer, but the process delayed transactions by 2-3 days, which drove customer complaints. The company's EDD framework was: (1) any transaction over $5,000, or (2) any transaction to a high-risk geography, or (3) any customer who looked unusual.

We restructured the framework to be:

Tier 1 (No additional EDD): Transactions under $2,500, to OECD countries, from customers with prior clean transaction history with us.

Tier 2 (Basic EDD): Transactions $2,500-$10,000, or transactions to non-OECD countries, or first-time customers over $2,500. Basic EDD meant checking OFAC, requesting source-of-funds documentation, and confirming customer identity with a second form of ID.

Tier 3 (Enhanced EDD): Transactions over $10,000, or any Tier 2 transaction that raises flags, or customers matching high-risk indicators. Enhanced EDD meant the full investigation protocol.

This restructuring reduced overall EDD investigations by nearly 50% while still catching the legitimate risk cases. The company went from 30% investigation rate to 15%, and they completed most investigations within 24 hours instead of 2-3 days.
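The three tiers map directly onto a decision rule, which is what makes the restructured framework reviewable: every transaction lands in exactly one tier for reasons that can be written into the file. The following is an added example, not the company's or the author's code. The field names and the partial OECD set are assumptions, the thresholds and tier definitions are the ones the text gives, and the one gap the text leaves (a first-time customer sending under $2,500 to an OECD country) is resolved conservatively to Tier 2.

```python
"""Tiered EDD triage from the case study: Tier 1 no additional EDD, Tier 2 basic
EDD, Tier 3 the full protocol. Added example; field names and the partial OECD
set are assumptions, the dollar thresholds are the text's."""
from dataclasses import dataclass

# Partial membership set for illustration only; production rules should load the
# full, current list rather than hard-code it.
OECD_PARTIAL = frozenset({"US", "CA", "GB", "DE", "FR", "JP", "AU", "MX", "KR"})

TIER1_MAX = 2_500        # Tier 1: "under $2,500"
TIER3_MIN = 10_000       # Tier 3: "over $10,000"; exactly $10,000 stays in Tier 2

BASIC_EDD = ("ofac_screening", "source_of_funds_documentation", "second_form_of_id")
FULL_EDD = (                      # the seven steps listed earlier in the chapter
    "enhanced_id_verification", "beneficial_ownership", "source_of_funds",
    "beneficial_purpose", "sanctions_and_adverse_lists", "media_and_industry",
    "transaction_pattern",
)
STEPS_BY_TIER = {1: (), 2: BASIC_EDD, 3: FULL_EDD}


@dataclass(frozen=True)
class Customer:
    customer_id: str
    prior_clean_history: bool                  # prior transactions with us, none flagged
    risk_indicators: frozenset = frozenset()   # e.g. {"pep"}, {"high_risk_profession"}


@dataclass(frozen=True)
class Transfer:
    amount: float
    destination: str            # ISO country code of the beneficiary
    raised_flags: bool = False  # a Tier 2 review found something that needs escalation


def assign_tier(customer, transfer):
    """Return 1, 2 or 3 following the restructured framework."""
    # Tier 3: over $10,000, any high-risk indicator, or an escalated Tier 2 review
    if transfer.amount > TIER3_MIN or customer.risk_indicators or transfer.raised_flags:
        return 3
    # Tier 1 needs all three conditions: small, OECD destination, known clean customer
    if (transfer.amount < TIER1_MAX and transfer.destination in OECD_PARTIAL
            and customer.prior_clean_history):
        return 1
    # Everything else ($2,500-$10,000, non-OECD destination, first-time customer) is Tier 2
    return 2


def required_steps(customer, transfer):
    """Investigation steps owed for this transfer, by tier."""
    return STEPS_BY_TIER[assign_tier(customer, transfer)]


if __name__ == "__main__":
    repeat = Customer("C1", prior_clean_history=True)
    for amount, dest in ((800, "CA"), (800, "NG"), (5_000, "GB"), (12_000, "GB")):
        t = Transfer(amount, dest)
        print(f"${amount:>7,} to {dest}: tier {assign_tier(repeat, t)}, steps {required_steps(repeat, t)}")
```

Because the tier is a pure function of recorded facts, the same call can be logged into the EDD file as the reason the transaction was or was not investigated, and changing a threshold is a one-line policy edit rather than a retraining exercise.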

Practitioner's Bottom Line: EDD is not a burden to tolerate—it's a control that protects you from regulatory exposure and reputational damage. A sound EDD framework defines risk triggers explicitly, scales investigation depth to actual risk, and documents findings thoroughly. The best EDD programs balance risk management with customer experience; they investigate real risks without investigating every transaction. Your EDD should make sense to a regulator who reviews it and should be defensible if a transaction later becomes problematic.


Need Help Navigating Money Transmitter Licensing?

Faisal Khan has spent 15+ years solving the exact problems covered in this book. If you are building a payment company, seeking licensing, or need a trusted advisor — reach out.
