Most compliance “failures” aren’t because the team didn’t collect documents. They happen because the customer file doesn’t explain risk in a way an auditor (or regulator) can follow. A defensible file answers three questions, clearly and consistently:
- Who is the customer—really? (identity, ownership, control)
- What is the risk—and why? (risk scoring with reasons)
- What did you do about the risk? (EDD actions + outcomes + approvals)
KYC vs CDD vs EDD (in plain language) - KYC = Identity and profile verification. Are they who they claim to be?
- CDD = Risk-based understanding. What do they do, where do funds come from, who benefits, what’s the expected activity?
- EDD = Stronger measures for higher risk. More evidence, deeper checks, senior approvals, and tighter monitoring.
Think of it like this:
KYC = Identify. CDD = Understand. EDD = Prove & Control. What auditors actually look for Auditors rarely complain about one missing document. They complain about missing logic, such as:
- The risk score says “Medium” but the narrative describes “High-risk behavior”
- UBO ownership is “unknown” but the file is approved anyway
- Source of Funds is claimed but not supported with evidence
- Adverse media exists but there’s no conclusion or escalation note
A simple “Defensible File” structure (use this as your standard) 1) Customer Profile Summary (1 page) - Legal name, registration, business model
- Products/services requested
- Geography, counterparties, expected monthly volumes
2) Ownership & Control - UBO declaration + proof
- Shareholding structure (simple chart if needed)
- Authorized signatories + evidence
3) Risk Assessment (with reasons) - Risk score (low/med/high)
- Drivers: geography, industry, PEP exposure, complexity, cash intensity, delivery channel
- Clear narrative: “Because X and Y, risk is Z”
4) Screening & Adverse Media - Sanctions/PEP results
- Adverse media summary + conclusion
- False positive reasoning (if applicable)
5) Source of Funds / Source of Wealth (where relevant) - What was claimed
- What evidence supports it
- Any gaps + how you resolved them
6) Decision & Approval - Final decision (approve/reject/conditional)
- Conditions (limits, monitoring frequency, document renewals)
- Approver name + date (and senior approval for EDD)
Mini case: When CDD becomes EDD A trading company applies for onboarding:
- Complex ownership with multiple entities
- Transactions expected across multiple high-risk corridors
- One UBO has politically exposed connections (PEP proximity)
Result:
EDD triggers. You don’t just collect more docs—you document
why the extra work was necessary, what you checked, what you found, and who approved it.
How SSDA trains this (the difference-maker) In the
KYC, CDD & EDD program, learners don’t just “learn definitions.” They practice:
- Building a customer risk story
- Writing defensible investigation notes
- Producing a clean approval pack (the “audit-ready file”)
Launch your Graphy