March 27, 2026
CDD vs EDD: when proof of address matters most
AML regulations don't treat every customer the same. A low-risk domestic customer opening a basic account gets standard checks. A politically exposed person sending large transfers to a high-risk jurisdiction gets scrutinised much more closely. This is the risk-based approach, and it's the foundation of every modern AML framework.
For proof of address verification specifically, the risk-based approach means different customers should face different standards: different document requirements, different match thresholds, different recency windows. But most companies apply the same verification process to everyone, either because they don't know how to differentiate or because their tools don't support it.
This article explains the practical difference between customer due diligence (CDD) and enhanced due diligence (EDD) for address verification, when each applies, and how to implement both levels without making your process unnecessarily complex.
What is CDD?
Customer due diligence is the baseline verification that AML regulations require for every customer. Before you can provide services to someone, you need to confirm three things:
- Identity: who they are (verified with an ID document)
- Address: where they live (verified with a proof of address document)
- Risk profile: whether they appear on sanctions lists, PEP databases, or adverse media
For address verification under standard CDD, the requirements are straightforward:
- One document from a recognised category (utility bill, bank statement, government letter)
- Issued within the last 3 months (sometimes 6 months for lower-risk scenarios)
- Shows the customer's full name and residential address
- Issued by an independent third party
Standard CDD is designed to be proportionate. It adds enough friction to catch obvious fraud and meet regulatory requirements, without making onboarding so burdensome that you lose legitimate customers.
What is EDD?
Enhanced due diligence is a higher level of scrutiny applied to customers who present elevated money laundering risk. It's not optional: AML regulations explicitly require EDD in certain situations, and they require you to document why you applied it and what additional steps you took.
EDD doesn't replace CDD. It adds to it. Everything required for standard CDD still applies, plus additional measures that vary based on the specific risk factors present.
For address verification, EDD typically means some combination of:
- Stricter matching: higher match thresholds for name and address, reducing tolerance for discrepancies
- More recent documents: requiring documents issued within the last 30 days instead of 3 months
- Multiple documents: requiring two independent proof of address documents instead of one
- Restricted document types: accepting only the most reliable categories (utility bills, government letters) and excluding less reliable ones
- Manual review: having a compliance officer review the automated result before approving
When does EDD apply?
AML regulations specify certain situations where EDD is mandatory. The exact triggers vary by jurisdiction, but these are the most common across the EU (AMLD/AMLR), UK (FCA/JMLSG), and US (BSA/FinCEN):
Mandatory EDD triggers
- Politically exposed persons (PEPs): anyone who holds or has recently held a prominent public function, along with their family members and close associates. This is the most universally mandated EDD trigger.
- High-risk countries: customers resident in or connected to countries identified as high-risk by the FATF, the European Commission, or your national regulator. The lists change periodically, so your process needs to account for updates.
- Complex or unusual transactions: transactions that are unusually large, have no apparent economic purpose, or involve complex ownership structures.
- Correspondent banking relationships: cross-border banking relationships with institutions in certain jurisdictions.
Risk-based EDD triggers
Beyond the mandatory triggers, your own risk assessment may identify situations that warrant enhanced checks:
- High-value customers: customers with transaction volumes above a threshold you define
- Cash-intensive businesses: business customers in sectors known for money laundering risk (casinos, precious metals, real estate)
- Unusual onboarding patterns: customers who are reluctant to provide information, provide inconsistent details, or attempt to onboard multiple times with different data
- Adverse media: customers who appear in negative news coverage related to financial crime
- Non-face-to-face relationships: customers onboarded entirely remotely, without any in-person verification
The key point: your risk assessment policy determines which triggers require EDD. Regulators don't expect you to apply the same triggers as every other company. They expect you to have a documented, proportionate risk assessment that you follow consistently.
What this means for address verification
Most companies think of address verification as a binary: either you verify the address or you don't. But a risk-based approach means your address verification should have at least two levels, each with different parameters.
Standard CDD address verification
The goal is to confirm the customer lives where they claim to, quickly and with minimal friction.
- Documents accepted: utility bills, bank statements, government letters, insurance documents, mortgage statements
- Recency: issued within the last 3 months
- Name match threshold: moderate (e.g., 0.8 out of 1.0), allowing for minor differences like abbreviations, middle names, or transliteration variations
- Address match threshold: moderate (e.g., 0.7-0.8), accommodating formatting differences like "St" vs "Street" or "Apt" vs "Apartment"
- Number of documents: one
- Review: automated pass/fail, with manual review only for edge cases
Enhanced due diligence address verification
The goal is to establish a higher degree of confidence that the address is genuine and current.
- Documents accepted: restricted to the most reliable categories only (utility bills, government letters)
- Recency: issued within the last 30 days
- Name match threshold: strict (e.g., 0.9 out of 1.0), allowing minimal tolerance for discrepancies
- Address match threshold: strict (e.g., 0.85-0.9)
- Number of documents: two independent documents from different issuers
- Review: automated check plus mandatory manual review by a compliance officer before approval
Common mistakes
These are the errors that come up most often when companies try to implement a risk-based approach to address verification:
1. Treating every customer as high-risk
Some companies apply EDD-level checks to everyone because it feels safer. In practice, this creates unnecessary onboarding friction for low-risk customers, increases costs per verification, and doesn't actually improve your compliance position. Regulators expect proportionality: the level of scrutiny should match the level of risk. Over-checking low-risk customers is a waste of resources that could be directed at genuinely high-risk cases.
2. Having no documented policy
Applying different verification standards to different customers is only defensible if you've documented why. You need a written policy that specifies: what triggers EDD, what additional checks are performed, and who is responsible for the decision. Without this, inconsistent treatment looks like discrimination or negligence, not risk management.
3. Making EDD a manual-only process
Enhanced due diligence doesn't mean "do everything by hand." The enhanced part should be tighter thresholds, more documents, and mandatory human review of the automated result. The underlying extraction, matching, and scoring should still be automated. Manual-only EDD is slow, inconsistent, and doesn't scale.
4. Forgetting ongoing monitoring
CDD and EDD aren't one-time events. AML regulations require ongoing monitoring, which includes periodically re-verifying customer information. For address verification, this means checking that the customer's address is still current at intervals determined by their risk level. Higher-risk customers should be re-verified more frequently.
5. Not recording the rationale
When you apply EDD, record why. When you decide a customer is standard CDD, record that too. If a regulator reviews your files and sees different verification levels applied to different customers, the first thing they'll ask is "what criteria did you use?" If the answer isn't documented alongside each verification, you have a problem.
How to implement this in practice
A risk-based address verification process doesn't need to be complicated. Here's a practical framework:
Step 1: Define your risk tiers
Start with two tiers: standard and enhanced. You can add more later if needed, but two is enough for most companies. Document the criteria for each tier in your AML policy.
Step 2: Map verification parameters to each tier
For each tier, specify:
- Accepted document types
- Maximum document age
- Name match threshold
- Address match threshold
- Number of documents required
- Whether manual review is required
Step 3: Determine the tier before verification
Your onboarding flow should assess risk factors (country, PEP status, transaction type) before triggering the address verification. This way, the verification request is submitted with the correct parameters from the start, rather than verifying first and applying risk logic after.
Step 4: Configure your verification tool
If your address verification provider supports per-request configuration, you can implement both tiers through a single integration. Instead of maintaining two separate verification workflows, you adjust the parameters on each API call based on the customer's risk tier.
For example, a standard CDD verification might use a name match threshold of 0.8 and accept documents up to 3 months old. An EDD verification sent to the same API endpoint would use a threshold of 0.9 and require documents from the last 30 days. Same integration, different parameters.
Step 5: Review and update periodically
Your risk tiers and verification parameters aren't permanent. Review them when regulations change, when you enter new markets, or when your customer risk profile shifts. Document each change and the reason for it.
What regulators want to see
When a regulator audits your AML address verification process, they're looking for evidence of four things:
- A documented risk-based policy: written criteria for when standard CDD and EDD apply, with specific verification parameters for each level
- Consistent application: evidence that the policy is followed uniformly, not applied differently depending on who's reviewing or how busy the team is
- Adequate records: for each verification, a record of what was checked, what thresholds were used, what the result was, and who made the decision
- Periodic review: evidence that the policy and its application are reviewed and updated, not written once and forgotten
Automated verification with configurable thresholds and detailed audit trails makes all four of these easier to demonstrate. The system applies the same rules every time, produces detailed records automatically, and the configuration history shows how your parameters have evolved.
Implementing CDD and EDD with trusqo
trusqo supports risk-based address verification through per-request configuration. Every parameter that differs between CDD and EDD can be set on each individual API call:
- Match thresholds: set nameMatchThreshold and addressMatchThreshold independently per request (0 to 1). Use 0.8 for standard CDD, 0.9 for EDD, or whatever your policy specifies.
- Document age: set acceptedDateFrom per request. For CDD, accept documents from the last 3 months. For EDD, require the last 30 days.
- Document types: set acceptedDocTypes per request. For CDD, accept all standard types. For EDD, restrict to utility bills and government letters only.
- Multiple documents: for EDD, submit two separate verification requests for the same customer, each with a different document.
Every verification produces a detailed response with extracted data, match scores, thresholds used, and reasoning notes. PDF audit reports are available for download via API or dashboard.
This means your integration handles both CDD and EDD through a single endpoint. Your application determines the risk tier, sets the parameters accordingly, and trusqo handles the rest. No separate workflows, no manual configuration changes.
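The tier-first flow from steps 1 to 4 and the per-request parameters listed above, as an added example that is not trusqo's own code. The four parameter names come from this article; the document type identifiers, the ISO date format, the customer fields, the `document` key and the country codes are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

# Tier values follow the article's CDD/EDD lists; 90 days approximates "3 months".
# Document type identifiers are assumed placeholders, not confirmed API values.
@dataclass(frozen=True)
class Tier:
    name: str
    name_threshold: float
    address_threshold: float
    max_age_days: int
    doc_types: tuple
    documents_required: int
    manual_review: bool

STANDARD = Tier("CDD", 0.8, 0.75, 90,
                ("utility_bill", "bank_statement", "government_letter",
                 "insurance_document", "mortgage_statement"), 1, False)
ENHANCED = Tier("EDD", 0.9, 0.85, 30,
                ("utility_bill", "government_letter"), 2, True)
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes; load the current lists in practice

def select_tier(customer):
    """Decide the tier before verification; the reasons go into the audit record."""
    triggers = {
        "pep": customer.get("is_pep", False),
        "high_risk_country": customer.get("country") in HIGH_RISK_COUNTRIES,
        "adverse_media": customer.get("adverse_media", False),
    }
    reasons = [name for name, hit in triggers.items() if hit]
    return (ENHANCED if reasons else STANDARD), (reasons or ["no_edd_trigger"])

def build_requests(customer, documents, today):
    """Return one parameter set per document plus the rationale to store with it."""
    tier, reasons = select_tier(customer)
    if len(documents) < tier.documents_required:
        raise ValueError(f"{tier.name} requires {tier.documents_required} document(s)")
    if len({d["issuer"] for d in documents}) < tier.documents_required:
        raise ValueError("EDD documents must come from different issuers")
    params = {
        "nameMatchThreshold": tier.name_threshold,
        "addressMatchThreshold": tier.address_threshold,
        "acceptedDateFrom": (today - timedelta(days=tier.max_age_days)).isoformat(),
        "acceptedDocTypes": list(tier.doc_types),
    }
    audit = {"tier": tier.name, "reasons": reasons, "manual_review": tier.manual_review}
    return [dict(params, document=d["file"]) for d in documents], audit
```

Storing the returned audit record next to each verification result keeps the tier decision and its triggers on file with the thresholds that were actually applied.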
See the AML compliance use case for more on how trusqo fits into AML workflows, or read the API documentation to see the full list of configurable parameters.