
What Makes Someone a High-Risk Customer for Enhanced Due Diligence?

In financial crime compliance (FCC), few topics generate more confusion and more consequential errors than Enhanced Due Diligence (EDD).

Ask a room full of compliance professionals who qualifies as a high-risk customer, and you’ll often get a range of answers. Some will point to Politically Exposed Persons (PEPs), others to customers operating in sanctioned jurisdictions, and still others to companies with complex ownership structures. The reality is far more nuanced.

Too often, institutions rely on checklists and categorical triggers rather than genuine risk assessment. The consequence is a compliance function that spends excessive time investigating legitimate customers while potentially overlooking the individuals and organisations that present the greatest financial crime risks. This creates a costly paradox: more effort, more expense, and often less protection.

The challenge for modern compliance teams is not simply identifying risk indicators. It is understanding what those indicators actually mean in context, and when EDD becomes a legitimate exercise.

The Fundamental Misconception: Risk Is Not Binary

At the outset, it’s worth dismantling a pervasive mistake in EDD practice: applying uniform enhanced scrutiny without contextual understanding.

Most EDD frameworks are built around categorical triggers — PEP status, jurisdiction flags, industry codes, transaction thresholds. These are valid as they are statistically associated with elevated risk. However, it is important to remember that they are signals and nothing more. A customer who triggers three EDD categories may be entirely legitimate, and vice-versa.

The second, closely related mistake is over-indexing on screening results while neglecting network, UBO, and contextual risk. In the context of organisations, sanctions screening tells you little about who they transact with, what their business model actually produces, or whether their stated activity matches observable behaviour.

The mindset needs to move from process and box-ticking to analytical, data-driven, holistic approaches.

The Three Categories Most Frequently Mishandled

Our experience is that three customer profiles are most problematic in the context of EDD.

1. Sanctions-Exposed and Sanctions-Sensitive Customers

Sanctions exposure is a hugely misunderstood risk category in compliance. Institutions frequently conflate proximity to a sanctioned jurisdiction with sanctions violation, leading to the exclusion of legitimate customers with entirely lawful business connections to sensitive geographies.

Consider a retailer incorporated in the UAE with commercial relationships across the Gulf, Central Asia, and East Africa. It may transact in currencies that pass through correspondent banks with Iran or Russia exposure. It may have beneficial owners with dual nationalities that include sanctioned states. Though none of this is inherently illegal, it will trigger internal escalation at most institutions.

The analytical question should be “Is there evidence of deliberate sanctions evasion — structuring, concealment, false documentation, or transactions that serve no plausible commercial purpose except to circumvent restrictions?” That is a fundamentally different inquiry, and it requires different evidence.

2. Complex Ownership and Opaque UBO Structures

Beneficial ownership complexity is real and a reliable indicator of financial crime risk. However, complexity, opacity and concealment are three very different states of play.

The distinction matters enormously in practice. Consider three customers with multi-layered structures:

  • A large multinational with holding companies across five jurisdictions, driven by tax efficiency, regulatory requirements, and legacy M&A activity
  • A private equity fund with a waterfall structure that deliberately obscures ultimate economics until distribution
  • A shell company with nominee directors, a registered agent in a secrecy jurisdiction, and no traceable commercial activity

All three present complex ownership structures. Only the third presents a genuine red flag — and the red flag is not the structure itself, but the absence of any commercial rationale for it.

The analytical test for UBO risk is: Is the structure proportionate to the stated business, and does the complexity serve a legitimate purpose that the customer can articulate? Where the structure is disproportionate, obscures rather than organises, and lacks a coherent commercial explanation, that is where genuine EDD scrutiny should intensify.

3. High-Risk Geographies and Offshore Structures

Geography remains a legitimate risk factor but is often bluntly applied, leading to unnecessary noise. FATF grey and black lists, OFAC country programs, and institutional internal jurisdiction risk ratings all serve as triggers, but they routinely capture enormous volumes of legitimate business alongside genuine risk.

The more productive framework is to treat geography as a multiplier or a weighted risk factor rather than a standalone trigger.

De-risking: A Compliance Failure, Not a Compliance Solution

The practice of exiting entire customer categories to avoid the burden of EDD deserves direct challenge. It has become common, particularly in correspondent banking, money services businesses, crypto assets, and NGOs operating in conflict-affected regions.

De-risking is often framed as a prudent risk management response. In reality, it is frequently a failure of the compliance function — a substitution of effort avoidance for genuine risk assessment. It has significant implications in terms of lost revenues and profits.

From a broader perspective, legitimate remittance businesses lose banking access, pushing transactions into informal channels with no oversight. NGOs operating in fragile states cannot move funds to where they are needed. Correspondent banking exits entire regions with deleterious effects on financial inclusion and economic development.

The irony is that de-risking often increases systemic risk. Transactions that regulators and financial institutions could previously observe move into channels they cannot.

What Technology Can and Cannot Do

Advances in network analysis, UBO mapping tools, and AI-driven risk scoring have meaningfully improved the EDD toolkit. Graph analytics can surface ownership connections and transaction networks that would take analysts weeks to map manually. Machine learning models can identify anomalous behavioural patterns across millions of data points simultaneously.

However, technology is only as good as the analytical framework it serves. Institutions that implement sophisticated screening tools without investing equally in the judgment to interpret their outputs are not more secure — they have more data and the same level of understanding.

Technology amplifies analytical capability and empowers the team. It is not yet at a maturity level where it can replace human expertise in EDD.

The Regulatory Direction Is Sound — Execution Remains the Gap

FATF’s evolving guidance, the FCA’s risk-based approach framework, FinCEN’s beneficial ownership rules, and comparable regulatory frameworks globally are moving in the right direction. The emphasis on understanding actual risk rather than performing compliance activity is increasingly explicit in regulatory expectations.

The gap is not in the framework but rather in institutional execution. The pressure to process volume and avoid regulatory criticism for under-flagging creates systematic incentives to flag broadly and investigate shallowly. Add to this the tech

Practical Implications for Compliance Teams

For compliance officers the operational implications come down to a few critical shifts:

  • Move from category triggers to risk constellations. No single factor makes a customer high-risk. EDD decisions should be based on the totality of risk indicators — their combination, their context, and their proportionality to the customer’s stated profile.
  • Invest in the quality of EDD, not just its volume. An EDD file that contains ten data points and a coherent analytical narrative is more valuable and more defensible than one that contains fifty data points and no synthesis.
  • Distinguish between complexity and concealment. Not all opaque structures are attempts to hide. The question is always whether the structure makes sense given the customer’s legitimate business.
  • Challenge de-risking as a default. When a relationship is proposed for exit on risk grounds, ask whether the exit is based on genuine risk assessment or on the cost of conducting it properly.
  • Use technology to inform judgment, not replace it. Risk scores and network maps are starting points for analysis. They are not conclusions.
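To make the contrast between categorical triggers and weighted risk constellations concrete, here is an added example (not from the article or its author) that scores the three ownership structures from section 2 and the UAE retailer from section 1 under both approaches, with geography applied as a multiplier. The indicator weights, the geography multiplier scale and the EDD threshold are illustrative assumptions, not a regulatory scale.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Customer:
    name: str
    indicators: frozenset        # categorical triggers that fired on this file
    jurisdiction_weight: float   # assumed scale: 1.0 neutral, >1.0 higher-risk geography
    commercial_rationale: bool   # customer can articulate why the structure exists
    proportionate: bool          # structure is proportionate to the stated business

# Assumed per-indicator weights (illustrative only).
WEIGHTS = {
    "pep": 2.0,
    "multi_layer_ownership": 1.5,
    "sanctioned_dual_nationality": 1.0,
    "nominee_directors": 2.5,
    "secrecy_jurisdiction_agent": 2.0,
    "no_traceable_activity": 3.0,
}
EDD_THRESHOLD = 6.0  # assumed cut-off for escalating to full EDD

def checklist_flags(c: Customer) -> bool:
    """Categorical approach: any single trigger sends the file to EDD."""
    return bool(c.indicators)

def constellation_score(c: Customer) -> float:
    """Weighted approach: sum the indicator weights, add the absence of a
    commercial rationale and of proportionality as signals in their own
    right, then apply geography as a multiplier rather than a trigger."""
    base = sum(WEIGHTS.get(i, 0.0) for i in c.indicators)
    if not c.commercial_rationale:
        base += 3.0
    if not c.proportionate:
        base += 2.0
    return round(base * c.jurisdiction_weight, 2)

def constellation_flags(c: Customer) -> bool:
    return constellation_score(c) >= EDD_THRESHOLD

# Constructed profiles modelled on the customers described in the article.
CUSTOMERS = [
    Customer("multinational", frozenset({"multi_layer_ownership"}), 1.0, True, True),
    Customer("pe_fund", frozenset({"multi_layer_ownership"}), 1.2, True, True),
    Customer("uae_retailer", frozenset({"sanctioned_dual_nationality"}), 1.4, True, True),
    Customer("shell", frozenset({"multi_layer_ownership", "nominee_directors",
                                 "secrecy_jurisdiction_agent", "no_traceable_activity"}),
             1.5, False, False),
]

def compare() -> dict:
    """Return {name: (checklist_flag, constellation_flag)} for every profile."""
    return {c.name: (checklist_flags(c), constellation_flags(c)) for c in CUSTOMERS}
```

Under the checklist every profile goes to EDD; under the weighted constellation only the shell company does, because its score is driven by the missing rationale and absent activity, not by the structure alone.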

Conclusion

The question of what makes someone a high-risk customer for EDD does not have a clean list answer. It requires contextual understanding, network thinking, analytical depth, and — critically — the discipline to distinguish between customers who are complex and customers who are dangerous.

The institutions that get this right are not those with the most sophisticated screening technology or the most exhaustive EDD checklists. They are those that have built compliance functions capable of genuine risk understanding: functions that can tell the difference between a legitimate business operating in a difficult environment and one using that environment as cover.

That is the standard EDD was always meant to achieve. The gap between that standard and current practice remains significant. Closing it is the defining challenge of the next decade in financial crime compliance.

By Jaideep Mehta, Guest Contributor
Managing Director, RZOLUT

Jaideep Mehta is a financial crime compliance specialist with expertise in AML, EDD frameworks, sanctions risk, and complex ownership analysis across banking and fintech sectors.

Disclaimer: The views expressed in this article are independent views solely of the author(s) expressed in their private capacity.
