Enhanced Due Diligence for High-Risk Customers — EDD Procedures for UAE VASPs

Enhanced Due Diligence for High-Risk Customers

Enhanced Due Diligence (EDD) is the intensified verification and monitoring applied to customers presenting higher money laundering, terrorist financing, or proliferation financing risk. UAE regulatory frameworks across VARA, ADGM, and DFSA require VASPs to implement risk-based EDD procedures that go beyond standard KYC/CDD measures.

VARA’s January 2026 circular on FATF High-Risk Jurisdictions establishes specific requirements for customers with nexus to FATF-listed jurisdictions. This guide provides the operational EDD framework.

EDD Triggers

EDD is required when any of the following risk indicators are present:

Politically Exposed Persons (PEPs): Individuals who hold or have held prominent public positions, their family members, and close associates. PEP categories include domestic PEPs (UAE government officials), foreign PEPs (foreign government officials), and international organization PEPs (senior officials of international bodies). PEP status does not prohibit the business relationship but mandates enhanced scrutiny.

FATF High-Risk Jurisdictions: Customers domiciled in, incorporated in, or conducting significant business in jurisdictions identified by the FATF as having strategic deficiencies in their AML/CFT frameworks. VARA’s January 2026 circular requires VASPs to apply countermeasures proportionate to the risks arising from these jurisdictions.

Complex Ownership Structures: Entities with multi-layered corporate structures, nominee shareholders, bearer shares, or other arrangements that obscure beneficial ownership.

Unusual Transaction Patterns: Transaction activity inconsistent with the customer’s stated purpose, expected activity profile, or known financial capacity.

High-Value Transactions: Transactions exceeding defined thresholds warrant additional scrutiny, particularly when combined with other risk factors.

Adverse Media: Negative media coverage linking the customer to financial crime, corruption, sanctions violations, or other relevant concerns.

Non-Face-to-Face Relationships: Business relationships established entirely remotely may warrant enhanced verification, particularly for higher-value relationships.

EDD Procedures

When EDD is triggered, compliance teams must implement enhanced verification and monitoring procedures:

Identity Verification Enhancement

• Obtain additional identity documents beyond standard CDD requirements
• Verify identity through multiple independent sources
• Consider requiring certified or notarized document copies
• For PEPs: verify the specific public position and assess the associated corruption risk

Source of Funds and Wealth Verification

• Obtain detailed documentation of the source of funds for specific transactions
• Verify source of wealth independently (not solely relying on customer declarations)
• Acceptable evidence includes tax returns, audited financial statements, employment verification, property ownership records, and documented inheritance or gift records
• For high-value relationships: engage independent verification services

Senior Management Approval

• All EDD relationships require senior management approval before establishment
• Senior management must review and approve the risk assessment, the business rationale, and the proposed monitoring plan
• Approval must be documented and periodically renewed

Enhanced Ongoing Monitoring

• Increase transaction monitoring frequency and scrutiny
• Reduce alert thresholds for EDD customers
• Conduct more frequent KYC refresh cycles (annual for all EDD customers)
• Apply enhanced blockchain analytics screening using tools from Chainalysis, Elliptic, or Crystal Blockchain
• Monitor for changes in PEP status, sanctions list additions, or adverse media developments

FATF High-Risk Jurisdiction Countermeasures

For customers with nexus to FATF high-risk jurisdictions (jurisdictions subject to a FATF call for action or identified as having strategic AML/CFT deficiencies), countermeasures may include:

• Limiting or restricting business relationships and transactions
• Requiring additional information on customers and beneficial owners
• Requiring enhanced external audit reporting
• Applying additional risk management procedures to correspondent VASP relationships
• Reporting systematically on transactions involving these jurisdictions

The UAE itself was removed from FATF’s increased monitoring list in February 2024, following demonstrated progress in strengthening AML/CFT measures. VASPs must maintain awareness of the current FATF lists and update their procedures accordingly.

Documentation Requirements

All EDD decisions and procedures must be comprehensively documented:

• Risk assessment documenting the EDD trigger(s)
• Enhanced verification steps taken and results
• Source of funds/wealth documentation collected
• Senior management approval records
• Ongoing monitoring plan and review schedule
• Any restrictions or conditions applied to the relationship

Enforcement Context

The Morpheus Software (Fuze) case cited AML programme control failures. EDD is a core AML programme control; deficiencies in EDD procedures — such as failing to identify PEPs, failing to screen against FATF high-risk jurisdictions, or failing to obtain senior management approval for high-risk relationships — constitute AML programme control failures that trigger enforcement risk.

EDD Technology Infrastructure

Effective EDD implementation requires technology support beyond standard KYC platforms:

Enhanced screening databases: Sumsub and similar platforms provide PEP screening, sanctions screening, and adverse media monitoring. For EDD purposes, the screening must cover extended PEP databases (including family members and close associates), comprehensive FATF high-risk jurisdiction lists, and real-time adverse media sources.

Blockchain analytics for source of funds: When the customer’s source of funds includes virtual assets, blockchain analytics platforms (Chainalysis, Elliptic, or Crystal Blockchain) provide on-chain source-of-funds tracing. This capability enables the compliance team to verify whether the customer’s virtual assets originate from legitimate sources or show exposure to sanctioned addresses, illicit services, or high-risk activities.

Document management: EDD generates significant documentation including identity verification records, source of wealth documentation, senior management approval records, and ongoing monitoring records. A document management system that supports audit trails, version control, and regulatory retrieval is essential for audit preparation.

EDD Across UAE Jurisdictions

Each UAE regulator imposes EDD requirements through its specific framework:

VARA: The March 2026 AML/CFT/CPF circular and Full Market Product Regulations establish specific EDD triggers and procedures. The January 2026 FATF High-Risk Jurisdictions circular adds jurisdiction-specific EDD requirements.

ADGM-FSRA: The Financial Services and Markets Regulations AML Rules establish EDD requirements aligned with FATF standards. ADGM’s principles-based approach provides flexibility in EDD procedure design while requiring demonstrable effectiveness.

DFSA: The DFSA’s AML module establishes EDD requirements for investment token firms, with specific triggers for PEPs, high-risk jurisdictions, and unusual transactions.

For multi-jurisdiction firms, EDD procedures should be calibrated to the most stringent applicable requirements. See the AML requirements comparison for cross-jurisdictional analysis.

Common EDD Failures and Remediation

Common EDD deficiencies identified in regulatory examinations include:

1. Failure to identify PEPs: Inadequate PEP screening databases or insufficient manual review of screening results
2. Incomplete source of wealth documentation: Accepting customer declarations without corroborating evidence
3. Missing senior management approval: Onboarding high-risk customers without the required board or senior management sign-off
4. Insufficient ongoing monitoring: Applying EDD at onboarding but failing to maintain enhanced monitoring throughout the relationship
5. Stale EDD reviews: Not refreshing EDD documentation at the frequency required for high-risk customer profiles

The Morpheus Software (Fuze) enforcement case cited AML programme control failures that encompass EDD deficiencies. Remediation of EDD weaknesses should be treated as a priority compliance investment to reduce enforcement risk. For enforcement response planning, see how to respond to VARA enforcement action.

For the complete AML program framework, see our AML program design guide. For STR procedures when EDD reveals suspicious activity, see our STR workflows guide. For ongoing compliance scheduling, see our compliance calendar. For the enforcement landscape, see the enforcement action dashboard.

For regulatory context, visit UAE Tokenization Regulations and Dubai Tokenisation.