Skip to main content

Third-Party Information & Enhanced Due Diligence (EDD)

This article explains how businesses should use third-party information, electronic verification services, and enhanced due diligence measures to meet their obligations under the Money Laundering Regulations.

Antonella Sarubbi avatar
Written by Antonella Sarubbi
Updated over a week ago

1. Electronic verification

Using electronic checks alone — for example, only confirming a name and address — does not verify that the individual using your service is genuinely who they claim to be.

To properly verify identity, you must ensure:

  • You have identified the customer.

  • You have confirmed their identity.

  • You have checked that the person engaging with you is the same individual whose identity has been verified (to prevent impersonation).

This requires verifying confidential or strong information that only the real customer would know and that is not publicly available.

Manual and electronic checks

In higher-risk situations, manual identity documents may be checked in addition to electronic verification. Not all electronic tools are suitable for fraud prevention; for example, the Council of Mortgage Lenders notes that some products do not detect impersonation or forged documents effectively.

Requirements when using electronic verification

If you use electronic services to verify identity, you must ensure the provider:

  • Is appropriate for the risks identified in your risk assessment.

  • Uses multiple positive data sources (e.g., address history, financial records).

  • Uses negative data sources (e.g., fraud databases, deceased persons lists).

  • Draws from multiple, independent origins over time.

  • Includes checks that assess the strength of the information provided.

  • Has system settings calibrated to the risk level of the customer.

Unacceptable methods

Certain practices do not meet the requirements for customer due diligence, including:

  • Viewing photo ID over video calls (Skype, etc.).

  • Asking customers for “selfie with ID” photos.

  • Relying solely on facial recognition tools.

These methods cannot reliably detect forged or fraudulent documents.

Selecting a reliable service provider

A compliant electronic verification provider should:

  • Be registered with the Information Commissioner’s Office (ICO).

  • Be accredited through a recognised government, industry, or trade-body process.

  • Use up-to-date, independently sourced information.

  • Undergo regular assessments against its standards.

  • Use multiple positive and negative data sources.

  • Include alerts such as updated sanctions information.

  • Offer transparent reporting so you can see what checks were done and the results.

  • Allow you to set the certainty level appropriate to your risk assessment.

  • Store verification records or allow you to download them for your own records.

  • Ensure you have continued access to customer due diligence data for five years, even if the provider ceases trading.

2. Enhanced due diligence (EDD)

EDD is required when a customer or transaction presents a higher-than-normal risk.
It involves extra steps to identify and verify the customer and increased ongoing monitoring.

For PEPs, this also includes establishing both the source of funds and the source of wealth.

Common EDD risk factors

EDD may be necessary where:

  • The business relationship has unusual features.

  • The customer is resident in a high-risk country.

  • A legal entity or arrangement is used to hold personal assets.

  • The business has nominee shareholders or bearer shares.

  • There is significant cash or unexplained wealth.

  • The organisational structure is unusually complex.

  • Searches reveal adverse information, such as:

    • negative media,

    • director disqualification,

    • fraud or money laundering charges,

    • bribery or corruption.

How Checkboard supports EDD

Checkboard can assist by:

  • Collecting additional identity or address documentation.

  • Verifying documents against extra independent sources.

  • Using electronic verification alongside document checks.

  • Ensuring any payments received come from an account in the customer’s name.

  • Providing deeper insight into ownership, financial history, or transaction purpose.

  • Establishing source of wealth and source of funds for PEPs.

3. Reliance on third parties

A business may rely on another regulated entity to carry out customer due diligence only if:

  1. The third party agrees to be relied upon.

  2. They provide details of the CDD they hold to ensure it meets your requirements.

  3. They supply CDD information immediately upon request.

  4. They retain CDD records for five years from the end of the business relationship or transaction.

Important notes

  • Even when relying on a third party, you remain responsible for ensuring due diligence is done properly.

  • You must carry out your own risk assessment and ongoing monitoring.

  • Reliance is only permitted on supervised businesses carrying out CDD for their own regulatory obligations.

What is not Third-Party reliance

The following do not qualify as reliance:

  • Accepting certified copies of documents.

  • Using an electronic identity verification provider.

  • Outsourcing checks to a service provider.

Related Articles
Why AML checks matter when buying property in the UK
Did this answer your question?