Enhanced Due Diligence (EDD): When and How to Apply It
Most deals get a standard look. A smaller set get a much harder look, and that harder look is what the industry calls enhanced due diligence (EDD). I have sat on both sides of it: as a founder whose c
On this page
- What enhanced due diligence actually is
- Who runs EDD, and when
- A step-by-step EDD process
- 1. Define the risk and the scope
- 2. Build the request list and open the room
- 3. Verify the financials independently
- 4. Map ownership and screen the people
- 5. Resolve every flag in writing
- 6. Decide and set up monitoring
- The EDD checklist
- Red flags I have learned to take seriously
- How a data room streamlines EDD
- Frequently asked questions
- What is the difference between standard and enhanced due diligence?
- When is enhanced due diligence required?
- Who is responsible for performing EDD?
- How long does enhanced due diligence take?
- Can a data room replace the human judgment in EDD?
Most deals get a standard look. A smaller set get a much harder look, and that harder look is what the industry calls enhanced due diligence (EDD). I have sat on both sides of it: as a founder whose cap table got pulled apart line by line, and as an operator running diligence on an acquisition target where the numbers were clean but the ownership structure was anything but. EDD is the gear you shift into when the routine checks raise a flag, when the counterparty is high risk, or when the money or stakes are large enough that a surface-level review would be negligent.
This guide defines EDD, explains who runs it and when, walks through a step-by-step process, gives you a checklist you can copy, lists the red flags I watch for, and shows how a well-run data room makes it manageable. If you want the wider context first, start with my overview of due diligence and come back here for the deep end.
What enhanced due diligence actually is
Standard due diligence verifies that a counterparty is who they say they are and that the deal is roughly what it appears to be. Enhanced due diligence goes further. It applies extra scrutiny, deeper data, and independent verification to relationships that carry above-average risk. The phrase has two related homes.
In regulated finance and anti-money-laundering (AML) work, EDD is a defined obligation. When a customer or transaction is classified as higher risk, a politically exposed person, a counterparty in a high-risk jurisdiction, an unusually complex ownership chain, the firm must go beyond basic identity checks. That means establishing source of funds and source of wealth, mapping beneficial ownership, screening against sanctions and adverse-media databases, and keeping the relationship under closer ongoing monitoring.
In M&A and investment, EDD is less of a statutory term and more of a posture. It is the heightened version of normal deal diligence that you trigger when something does not add up: offshore entities you cannot easily trace, founders with a litigation history, or revenue that looks too smooth. The mechanics differ from the AML version, but the instinct is the same. You stop accepting documents at face value and start independently verifying them.
The simplest way to hold the two apart:
| Standard due diligence | Enhanced due diligence | |
|---|---|---|
| Trigger | Default for every counterparty or deal | Elevated risk, red flags, or high stakes |
| Depth | Confirm identity and headline facts | Verify source, ownership, and history independently |
| Sources | Documents the other side provides | Provided documents plus third-party and public records |
| Effort | Hours to days | Days to weeks, sometimes longer |
| Monitoring | Periodic | Closer and ongoing |
Who runs EDD, and when
On a deal, EDD is rarely a one-person job. The lead is usually a deal team, corporate development, a fund's investment team, or a founder's lawyer, pulling in specialists as the flags demand: forensic accountants for the numbers, IP and employment counsel for the legal exposure, and technical reviewers for the codebase. In financial institutions, a compliance or financial-crime team owns the AML flavor of EDD outright, and the obligation is non-negotiable.
You move from standard to enhanced when any of these is true:
- The counterparty sits in a higher-risk category: a politically exposed person, an entity in a sanctioned or high-risk jurisdiction, or a structure with opaque beneficial ownership.
- The deal size or strategic importance is large enough that a mistake would be material to your business.
- Early checks surface a red flag: inconsistent financials, undisclosed related-party transactions, pending litigation, or a regulatory inquiry.
- The sector carries inherent risk: defence, crypto, gambling, healthcare data, or anything with heavy licensing.
- A regulator, lender, or your own internal policy requires it.
I treat the trigger as a one-way door. Once I have decided a relationship needs enhanced scrutiny, I do not quietly downgrade it later because the early answers looked fine. Comfortable surface answers are exactly what you are testing.
A step-by-step EDD process
Here is the sequence I run, adapted to whether the deal is an investment, an acquisition, or an onboarding. Across all three the shape holds: scope the risk, gather evidence, verify it independently, and document your conclusion.
1. Define the risk and the scope
Write down, in one paragraph, why this relationship is high risk and what specifically you are worried about. Vague EDD that tries to check everything equally tends to check nothing well. If the flag is ownership opacity, the scope leans toward beneficial-ownership mapping and source of funds. If the flag is financial irregularity, it leans toward forensic accounting. Scope first, then gather.
2. Build the request list and open the room
Turn the scope into a concrete document request: the financials, contracts, corporate records, and disclosures you need to see. This is where a virtual data room due diligence workflow earns its keep, because EDD generates far more requests, versions, and follow-ups than a standard review, and email cannot track them. Set deadlines, and watch what comes back fast, what comes back late, and what never comes back at all. Absence is data.
3. Verify the financials independently
Do not just read the statements. Reconcile them against bank records, tax filings, and audited accounts where they exist, and trace large or unusual transactions to their counterparties. This is the heart of financial due diligence, and in EDD you push harder: you establish not just that the numbers are accurate but that the money behind them has a legitimate, traceable source.
4. Map ownership and screen the people
Pull the corporate registry filings and build the actual ownership tree, including ultimate beneficial owners behind any holding companies or nominees. Screen the principals and entities against sanctions lists, watchlists, and adverse-media coverage, and search litigation and regulatory enforcement records. For an acquisition, layer in the specialist reviews the deal needs, technical due diligence on the product and code and commercial due diligence on the market and customer base, because a clean balance sheet can still hide a broken product or a churning customer list.
5. Resolve every flag in writing
For each concern you raised in step one, record what you found, what evidence supports it, and whether the flag is cleared, mitigated, or still open. Open flags either kill the deal, reprice it, or move into the legal documents as warranties and indemnities. A flag you cannot resolve and cannot price is a reason to walk.
6. Decide and set up monitoring
Make the call: proceed, proceed with conditions, or stop. If you proceed, EDD does not end at signing. For ongoing relationships, set a monitoring cadence so a change in ownership, a new sanction, or a fresh lawsuit reaches you before it becomes a crisis.
The EDD checklist
This is the working checklist I keep open during an enhanced review. Treat it as a starting point and add sector-specific items as your scope demands. For a deal-room-specific version, pair it with my due diligence data room checklist.
| Area | What to verify | Why it matters in EDD |
|---|---|---|
| Identity | Legal name, registration, addresses, key principals | The foundation; everything else builds on it |
| Beneficial ownership | Ultimate owners behind every holding entity | Opaque ownership is the classic EDD trigger |
| Source of funds | Where the money for this deal originates | Establishes the transaction is legitimately funded |
| Source of wealth | How the principals built their overall wealth | Separates a clean fortune from an unexplained one |
| Sanctions and watchlists | Screening of entities and individuals | A single hit can make the relationship unlawful |
| Adverse media | Negative press, investigations, allegations | Surfaces risk that filings will never show |
| Litigation history | Pending and past disputes, judgments | Predicts future exposure and character |
| Regulatory record | Enforcement actions, license status | High-stakes in regulated sectors |
| Financials | Reconciled statements, tax filings, audits | The numbers must survive independent checking |
| Related-party deals | Transactions with insiders and affiliates | A common place for value to leak out |
| Contracts | Customer, supplier, and change-of-control terms | Reveals concentration and deal-breaking clauses |
| Ongoing monitoring | A cadence and an owner after close | EDD is a posture, not a one-time event |
Red flags I have learned to take seriously
Some findings are inconvenient. A few are the deal telling you something. The ones below have, in my experience, the highest ratio of signal to noise.
- Ownership you cannot trace to a real person. Layered holding companies, nominee directors, and secrecy-jurisdiction entities are sometimes innocent and sometimes the whole problem. Either way, keep pulling the thread until you reach a name.
- Source of funds that does not match the story. When the money behind a transaction is larger or stranger than the counterparty's known wealth or business can explain, find out why.
- Financials that are too smooth. Real businesses are lumpy. Revenue that grows in a straight line, or margins that never wobble, often means the statements have been managed.
- Documents that arrive slowly, partially, or never. In an honest process the awkward documents still show up. Persistent delay on one item usually points at the answer.
- Undisclosed litigation or regulatory contact. A lawsuit or inquiry the counterparty did not mention tells you as much about their candor as about the matter itself.
- Related-party transactions buried in the detail. Value flowing to insiders or affiliated companies on non-market terms is a quiet way for a balance sheet to lie.
- Adverse media the counterparty waves away. "That was nothing" is a hypothesis, not a conclusion. Verify it before you accept it.
In M&A specifically, the broader version of this discipline lives in my guide to m&a due diligence, and the customer-screening cousin used in onboarding is covered in customer due diligence.
How a data room streamlines EDD
EDD is heavy because of its evidence load. You are requesting more, verifying more, and documenting more than in a standard review, under time pressure while the other side watches. The room you run it in decides whether that load is manageable or chaotic.
A capable virtual data room helps in concrete ways. Granular permissions let you give a forensic accountant access to the financials without exposing the legal files, and revoke access the moment a party drops out. Full audit logs record who opened which document and when, which matters when you later need to show you reviewed the source material rather than skimmed it. Watermarking and view-only controls keep sensitive ownership and source-of-funds documents from leaking while reviewers work. Versioning and a structured index mean that when the counterparty answers a follow-up by replacing a file, you can see exactly what changed.
This is the work Plox was built for. I run my own enhanced reviews in it because the audit trail and permission model handle the boring, essential parts of EDD without me babysitting a folder of email attachments. The honest caveat: the data room organizes and secures the evidence, it does not verify it for you. The screening, the reconciliation, and the judgment are still yours. What the room removes is the friction, the lost versions, the access mistakes, and the question, three weeks later, of who saw what.
If you are weighing platforms for this work, my comparison of the best data room for due diligence and a breakdown of virtual data room cost will help you match the tool to the stakes. For high-risk, high-value EDD, the worst false economy is a cheap room with a weak audit trail.
Frequently asked questions
What is the difference between standard and enhanced due diligence?
Standard due diligence is the default check you run on every counterparty: confirm identity, verify the headline facts, and review the documents provided. Enhanced due diligence applies deeper scrutiny and independent verification to relationships that carry above-average risk, such as opaque ownership, a high-risk jurisdiction, or large stakes. EDD adds source-of-funds and beneficial-ownership analysis, sanctions and adverse-media screening, and closer ongoing monitoring.
When is enhanced due diligence required?
It is required whenever a counterparty or transaction is classified as higher risk. In regulated finance and AML, that classification is mandatory for politically exposed persons, high-risk jurisdictions, and complex structures. In M&A and investment, you trigger it when early checks surface red flags, when the deal is large or strategically critical, or when the sector itself carries heavy risk. Many firms also require it by internal policy above a certain deal size.
Who is responsible for performing EDD?
It depends on the context. In a financial institution, a compliance or financial-crime team owns the AML form of EDD. In a deal, the lead is usually corporate development, a fund's investment team, or the founder's lawyer, supported by specialists such as forensic accountants, IP and employment counsel, and technical reviewers as the specific risks demand.
How long does enhanced due diligence take?
Longer than standard diligence, because of the extra verification. A focused EDD review can run from a few days to a few weeks. Complex cases with hard-to-trace ownership or unresolved red flags can take considerably longer. The biggest time sink is usually waiting on documents and chasing follow-ups, which a well-organized data room reduces substantially.
Can a data room replace the human judgment in EDD?
No. A data room secures, organizes, and audits the evidence, which removes most of the friction and the access risk, but it does not perform the verification or make the call. Screening, reconciling the financials, mapping ownership, and deciding whether a flag is cleared or fatal remain human work. The tool makes that work faster and more defensible; it does not do it for you.
Written by Rohit Pai · Co-founder, Plox
Rohit co-founded Plox, where the team builds secure document sharing and virtual data rooms for founders and dealmakers.
Connect on LinkedIn