EDD Webinar Transcript

Hi everyone

Welcome to this webinar produced by the Department of Internal Affairs AML Group. Today’s webinar will be focusing on Enhanced Customer Due Diligence, also known as enhanced CDD or EDD.

Firstly, here's what we will be covering:

The different types of EDD and additional measures. In particular:

So, what is enhanced customer due diligence?

EDD is one of the three types of CDD. The Department has produced a webinar on standard CDD which we recommend listening to before this webinar.

EDD is used or required when there are factors creating a higher level of money laundering and terrorism financing risk or when specified in the AML/CFT Act.

EDD requires a business to use additional measures on top of standard CDD. What those additional measures are depends on the customer or the situation. We will go into this in more detail later.

So why do you need to conduct EDD?

Essentially, to mitigate any risks posed by your customers or clients, or the risk of certain situations. And in some cases, it will be an obligation to conduct EDD under the Act.

Those seeking to launder money or finance terrorism generally try to avoid attracting attention by masking their identity and/or the illegal source of their funds. If you have effective procedures, policies and controls to conduct EDD, it will make it more difficult for money launderers or financers of terrorism to conduct illegal transactions through your business.

What to do before you start conducting EDD…

You will need to have written your business risk assessment and looked at any risk that may be posed by your customers and clients and what situations will amount to higher levels of ML/TF risks where you may need to use additional measures.

You will have needed to have written an AML/CFT programme which outlines your policy, procedures and controls for complying with the different types of EDD.

In writing both these documents you should refer to the supervisor guidance that exists on EDD. This Enhanced CDD guideline can be found on our website – you should be able to see on your screen now where to find the EDD Guideline. This guideline has also been recently updated, so if you have read the previous guide, be sure to read the updated version.

When do you need to conduct EDD?

There are various circumstances set out in the Act where EDD is required. These are what we will be going through, as well as what information you need to collect.

You must conduct EDD on your customer or client before any activities or transactions have commenced.

So, remember… essentially EDD requires a business to use additional measures. But what those measures look like will depend on the customer or situation.

Additional measures are required for:

A common mistake or “myth” is that EDD means always collecting information about source of wealth or source of funds, or that they are the same thing.

In reality obtaining source of wealth or source of funds information is just one type of “additional measure”.

You are only required to do this in certain situations or for certain customer types.

The types of EDD that require you to collect this information are EDD for Identity Requirements and EDD for PEPs.

Let’s talk about EDD for identity verification first, the most common type of EDD, and the one most people are familiar with.

You must obtain information about your customer’s source of wealth or source of funds when…

You are establishing a business relationship with, or looking to conduct an occasional transaction/activity for, a customer that is:

You consider there is a higher level of ML/TF risk, including the need to submit an SAR.

Let’s look at all these customers or situations in more detail now.


The Act says you must conduct EDD on a trust or another vehicle for holding personal assets. This requirement recognises the potential use of trusts to disguise the criminal origin of funds or the true ownership and effective control of the trust. Your risk assessment and programme will determine the level of EDD you conduct on these entities and the assessed ML/TF risk associated with them.

Your risk assessment may assess certain circumstances for trusts as lower than the risk presented by other circumstances. For example, a New Zealand based “family trust” may be considered lower risk than a trust based overseas from a jurisdiction with weak AML/CFT measures or high levels of corruption. While you will still need to conduct EDD, including verification of Source of wealth or SoF, on the family trust it will not need to be as in-depth as with the overseas trust. The level of EDD you decide to undertake should be proportionate to the risks involved.

Where the owner of a customer that is a trust is a company or trust, you must take reasonable steps, according to the level of risk involved, to look behind that entity or trust to verify the identity of beneficial owners and those who have effective control. In other words, you need to find the natural person or individual.

For a customer that is a trust you must obtain the name and date of birth of each beneficiary of the trust. There is no requirement to verify this information unless the beneficiary also meets the definition of beneficial owner. If there are more than 10 beneficiaries, you can obtain a description of each class or type of beneficiary instead. If the trust is a discretionary trust you must obtain a description of each class or type of beneficiary. And if the trust is a charitable trust you must obtain the objects of that trust.

To identify the Source of wealth or SoF of a trust you will need to identify the individual or individuals who are the settlor(s), and the origin of the settlor’s wealth. For example, the settlor may have inherited family wealth, accumulated business earnings, or received funds from the sale of property. You will also need (if relevant) to identify the source of any income that the trust is receiving. For example, it may be income from an underlying company or simply a monthly deposit from a family bank account. There is more on this in the EDD guideline.

Countries with insufficient AML/CFT measures.

If your customer is non-resident and from a country with insufficient AML/CFT measures and/or higher ML/TF risks you must undertake EDD. The AML/CFT supervisors’ Countries Assessment Guideline will help you to determine which countries have insufficient AML/CFT measures in place.

Companies with nominee shareholders

You must conduct EDD on a customer that is a company with nominee shareholders. The use of nominee shareholders makes it more difficult to identify the beneficial owners of a company, increases the complexity of the company structure and adds another level of obfuscation. This increases the ML/TF risk and EDD measures are necessary.

Companies with shares in bearer form

Shares in bearer form present a high risk of ML/TF. You must conduct EDD on a customer that is a company with some or all of its shares in bearer form. A higher risk of ML/TF exists when a company has some, or all, of its capital in the form of bearer shares. It is often difficult to identify the beneficial owners of a company with bearer shares because they are not registered with any authority. Instead, ownership is based on the customer who physically holds the share document. This means that any transfer of ownership is not registered or regulated. Companies that issue bearer shares are often also in higher risk jurisdictions.

Complex or unusual transactions

You must conduct EDD on a customer if they conduct:

  • A transaction that is complex;
  • A transaction that is unusually large;
  • An unusual pattern of transactions that have no apparent or visible economic or lawful purpose.

Adequate and effective CDD provides context and helps you understand the types of transactions that your customer should be conducting. It also helps you identify complex and unusual transactions or patterns of transactions, and the situations when you need to conduct EDD.

Your account monitoring is also a vital element in identifying these types of transactions. Whether an automated or manual system is used, this should generate ML/TF alerts for review and examination. You should base your thresholds and scenarios for these alerts on your risk assessment and you should detail your procedures, policies and controls in your programme.

Assessed risk for a particular situation

You must conduct EDD when you consider the level of risk in a particular situation is such that EDD should apply.

This requirement applies to any other situation where there is ML/TF risk not otherwise or specifically identified in the Act. The situations where these ML/TF risks arise should be based on the findings of your risk assessment and they will be particular to your business. These situations may arise from a combination of vulnerabilities associated with the size, nature and complexity of your business, your types of customers, your products and services and your methods of delivery, as well as the types of institutions and countries that you deal with.

While your risk assessment is the starting point to identify situations where there is ML/TF risk, other indicators may only be identifiable as you administer your programme. This will include your customer’s behaviour, the CDD or EDD you have conducted, your account monitoring and the wider AML/CFT environment. Your risk assessment and programme must also have regard to supervisory AML/CFT guidance.

Suspicious activity reports (SARs)

As soon as practicable after you become aware that you must report an SAR you must conduct EDD.

Conducting EDD in these circumstances could include asking your customer further questions about their activity or transactions and confirming the nature and purposes of the business relationship. It may be the case that after conducting EDD you determine that your customer’s activity is no longer suspicious, and an SAR will not be required. Please note that this obligation only relates to existing customers or occasional transactions and activities.

Maintaining clear and logical records of decisions made, by whom, and the reasons for them will help you demonstrate your appropriate handling of unusual or suspicious activities.

So for all those situations I just spoke on, from trusts to suspicious activity, you are required to obtain the same information. That is:

Identity requirements

So what you are required to obtain for Standard CDD and information relating to the source of the funds or the wealth of the customer. For a trust, the name and date of birth of beneficiaries (unless there are more than 10). For more information on Trusts, please see our CDD Factsheet for Trusts on our website.

Verification requirements:

For information on the source of funds or wealth, you must take reasonable steps to verify this information. Like I said earlier, what these steps look like may depend on the assessed risk.

Other Requirements

Information relating to nature and purpose of business relationship.

Now let’s talk about source of wealth and source of funds.

The difference between source of wealth and SoF

Someone's wealth is the origin of their entire body of assets

Obtaining this information will give you an indication of the amount of wealth your customer would have and how they acquired it

Funds is more narrow. You are collecting information on the origin of the funds used for the transactions or activities that occur within your business relationship

When establishing your customer’s risk profile you may need to collect and verify their Source of wealth but when EDD is triggered by particular circumstances involving transactions or activities, you may need to focus on the SoF.


When obtaining this information you must take reasonable steps according to the level of risk to verify the information using reliable and independent sources.

You may be able to use publicly available information on the internet or other commercially available databases but in many situations it will be necessary for your customer to provide you with documents issued by third parties.

While you have to develop an understanding of the size and nature of your customer’s overall wealth and how it was acquired this does not require you to verify their entire financial history.

A customer may have multiple categories of income or assets. You should focus your verification on the larger of them, or those that are more complex or obfuscated.

It is not expected every part of SoW will be accounted for but you must be satisfied that the wealth of your customer matches what you know about them.


With verifying SoF it is important that your verification relates to a specific transaction that your customer is involved in.


Use data or documents issued by a credible and reliable source such as a multi-national company, a reputable third-party commercial provider or a government department from a low-risk country with sufficient AML/CFT measures.

For example you could use:

  • Government-issued or registered documents or data;
  • Full bank and other investment statements;
  • Full payslip or wage slip or other documents confirming salary;
  • GST number and IRD statement of earnings from the most recent year (for sole traders);
  • Inheritance documentation (stamped grant of probate, stamped grant of letters of administration);
  • Audited financial accounts from a chartered accountant;
  • Letter from an agent of the customer confirming they have knowledge of and established business relationships with the customer;
  • A copy of a will; or
  • Sales and purchase agreements.

Now that we have gone through the EDD for Identity Verification requirements which is just one type of EDD, let’s talk about other types and what additional measures are required.

You are required to conduct EDD in accordance with section 26 of the Act if you establish a business relationship with a PEP or a PEP seeks to conduct an occasional activity or transaction.

What is a PEP?

A PEP is a person who in the last 12 months has held a prominent overseas position. The term PEP includes their relatives and close associates.

You must as soon as practicable after establishing a business relationship (or occasional activity or transactions) take reasonable steps to determine if your customer, or their beneficial owner, is a PEP. With larger or more complex businesses you may want to consider using the services of a third-party provider and commercially available databases to screen for PEPs. However, if you are a small business, conducting your own open source research may be sufficient.

Additional measures.

In terms of additional measures when you are establishing a business relationship with a PEP, you must have senior management approval AND obtain information about the source of wealth and funds of the customer and take steps to verify this information. In addition you may wish to check whether they are from a country with high levels of bribery, corruption and organised crime. If they are, this will factor into the risk of this customer.

For ongoing CDD and account monitoring of a higher risk PEP, you may need to undertake ongoing media monitoring or increase transaction monitoring activity. You may wish to conduct more frequent EDD reviews.

Key EDD questions to consider are:

  • Is the PEP’s transaction/activity in line with your expectations?
  • Is the PEP’s identity data, address, employment, SoW or SoF and relatives and close associates status, up to date in your records?
  • Are there any unexplained changes to the PEP’s details?
  • If the PEP’s net worth has grown substantially in a short amount of time, do you have a clear explanation for the sudden growth?
  • Have you sought clarification from the PEP where necessary and updated their details?

EDD for Wire Transfers

Wire transfers are electronically transferred funds – usually by the SWIFT network or internet based systems.

A reporting entity must conduct enhanced customer due diligence in accordance with sections 27 and 28 if it is an ordering institution, an intermediary institution, or a beneficiary institution in relation to a wire transfer.

Those institutions are names of parties to a wire transfer. To learn more about these terms, please refer to our guidance on wire transfers on our website.

The additional measures are to collect:

  • the originator’s full name; and
  • the originator’s account number or other identifying information that may be prescribed and allows the transaction to be traced back to the originator; and

one of the following:

  • the originator’s address;
  • the originator’s national identity number;
  • the originator’s customer identification number;
  • the originator’s place and date of birth;

The originator is the person who the ordering institution is carrying out the funds transfer for. They are also known as the Payer. They authorise the wire transfer.

These additional measures are designed to enable information on the parties of a wire transfer to be immediately available to hinder the anonymous use of wire transfers by criminals or those seeking to launder money.

In summary, an ordering institution of a wire transfer (which is over $1,000) must identify and verify the identity of the originator of a wire transfer. That information must be transmitted to the next reporting entity in the chain, and in turn, through to the Beneficiary Institution. The Beneficiary Institution therefore has visibility of who is sending money to its client. If a Beneficiary Institution does not receive the required information with a wire transfer, it is required to use appropriate risk-based procedures for handling its receipt of those funds and consider whether the wire transfer constitutes a suspicious activity.

New and developing technologies and products can present unknown ML/TF risks and vulnerabilities, and new methods of delivery may be able to bypass existing AML/CFT measures to allow anonymity.

Where you have a customer who wants to establish a business relationship, or conduct an occasional transaction/activity, involving new and developing technology and products that might favour anonymity, you must take additional measures to mitigate and manage these ML/TF risks. It is for you to determine what measures are required according to the level of risk involved.

Your risk assessment should consider whether your business is, or may be, exposed to customers involved in new and developing technologies and products. Your programme should then detail the procedures, policies and controls that you will implement for this type of customer and technology.

What this looks like will depend on your business but these measures could take the form of additional or more frequent risk assessment, additional steps to identify their customers, additional monitoring, restrictions on transactions and/or potentially applying lower thresholds for EDD for identity verification, meaning you will obtain source of wealth or funds information in these situations.

And that concludes the EDD Webinar.

If you still have any questions please email us at amlcft@dia.govt.nz or call us on 0800 257 887.

Let us know what other webinar topics you would like us to complete by emailing us or filling out our online survey on our website.