Lesson 16 of 25

Auditing CDD, EDD, and KYC File Reviews

4 min read · CAMS-Audit

Run risk-based file reviews that surface missing, stale, and contradictory data, test whether EDD is performed and not just promised, and re-rate customers to expose flawed models and unjustified overrides.

CIP, CDD, EDD — the ladder

  • CIP — identify and verify who the customer is
  • CDD — understand the customer and their expected activity
  • EDD — extra scrutiny for higher-risk customers
  • Audit tests each rung against risk

Customer due diligence is a ladder, and the exam wants you to know which rung applies when. At the bottom is the Customer Identification Program, or CIP, under 31 CFR 1020.220: identify and verify who the customer is. Above that is customer due diligence proper: understanding the nature and purpose of the relationship and the customer's expected activity so you can spot deviations.

At the top is enhanced due diligence, EDD, the extra scrutiny applied to higher-risk customers such as politically exposed persons, correspondent banks, and high-risk geographies. FATF Recommendation 10 frames CDD this way, and audit's job is to test that each rung is applied to the right customers and actually performed.

The risk-based file review

  • Sample by risk — over-weight high-risk customers
  • Check identity verification and beneficial ownership
  • Confirm risk rating matches the file's facts
  • Look for missing, stale, or contradictory data

The core fieldwork technique here is the file review, and it should be risk-based. Rather than a flat random sample, over-weight high-risk customers, where the consequences of a gap are greatest, while still sampling lower-risk files for baseline assurance. For each file, check that identity was verified, that beneficial ownership was collected and verified for legal entities, and that the expected-activity profile makes sense.

Then confirm the customer's risk rating actually matches the facts in the file. And hunt for the three classic defects: missing data, stale data that was never refreshed, and contradictory data, where the file says one thing and the system says another. Each is a finding, and patterns across files point to a process problem.

Auditing EDD where it matters most

  • Is EDD triggered for the right customers?
  • PEPs, correspondents, high-risk geographies, high cash
  • Source of wealth and source of funds documented?
  • EDD on paper vs. EDD actually performed

Enhanced due diligence is where the highest-risk customers live, so test it hard. First, is EDD actually triggered for the right customers: politically exposed persons, correspondent banking relationships, high-risk geographies, cash-intensive businesses? A common failure is EDD criteria that exist on paper but never fire in the system.

Second, where EDD applies, is the deeper information really gathered: source of wealth and source of funds documented and reasonable, ownership structures unwound, ongoing monitoring intensified? The gap to watch for is EDD on paper versus EDD performed: a policy that promises enhanced scrutiny for PEPs, paired with PEP files that hold nothing more than a standard customer's. That gap is exactly what the exam likes to surface.

Auditing risk rating and overrides

  • Is the rating methodology applied consistently?
  • Do manual overrides have documented justification?
  • Watch for ratings downgraded without basis
  • Re-rate a sample yourself and compare

Finally, audit the customer risk-rating engine and its overrides. Check that the rating methodology is applied consistently, so similar customers get similar ratings, and that the factors feeding it are accurate. Then scrutinize manual overrides, where a human changes the system-generated rating.

Overrides aren't inherently wrong, but each one needs a documented, reasonable justification. The red flag is a pattern of customers quietly downgraded from high to medium risk with no basis, which conveniently reduces monitoring and EDD obligations. A strong technique is to independently re-rate a sample of customers yourself and compare your result to the system's; systematic gaps reveal either a flawed model or improper overrides.
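The file-review tests above (missing, stale, and contradictory data, EDD promised but not performed, undocumented downgrades, and the auditor's own re-rating) as one added example, not code from the lesson or from any real audit tool. The customer records, their field names, and the toy re-rating methodology are all constructed assumptions.

```python
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample of four customer files; the field names are assumptions, not a real schema.
FILES = [
    {"id": "C001", "entity": True, "pep": False, "correspondent": False,
     "high_risk_geo": False, "cash_intensive": False, "bo_verified": True,
     "sow_documented": None, "system_rating": "low", "file_rating": "low",
     "override_from": None, "override_reason": None},
    {"id": "C002", "entity": False, "pep": True, "correspondent": False,
     "high_risk_geo": True, "cash_intensive": False, "bo_verified": None,
     "sow_documented": False, "system_rating": "medium", "file_rating": "high",
     "override_from": "high", "override_reason": ""},
    {"id": "C003", "entity": True, "pep": False, "correspondent": True,
     "high_risk_geo": True, "cash_intensive": False, "bo_verified": None,
     "sow_documented": True, "system_rating": "high", "file_rating": "high",
     "override_from": None, "override_reason": None},
    {"id": "C004", "entity": False, "pep": False, "correspondent": False,
     "high_risk_geo": False, "cash_intensive": True, "bo_verified": None,
     "sow_documented": True, "system_rating": "medium", "file_rating": "medium",
     "override_from": "high",
     "override_reason": "Licensed MSB; downgrade approved by BSA officer, 2024-09 review"},
]

def edd_triggers(f):
    """The EDD triggers the lesson names: PEP, correspondent, high-risk geography, cash-intensive."""
    return [k for k in ("pep", "correspondent", "high_risk_geo", "cash_intensive") if f[k]]

def independent_rating(f):
    """Assumed toy methodology for the auditor's own re-rating: count EDD triggers."""
    n = len(edd_triggers(f))
    return "high" if n >= 2 else "medium" if n == 1 else "low"

def review_file(f):
    """Apply the lesson's tests to one file and return its exception codes."""
    ex = []
    if f["entity"] and not f["bo_verified"]:          # missing data: legal entity, no BO
        ex.append("MISSING_BENEFICIAL_OWNERSHIP")
    if f["file_rating"] != f["system_rating"]:        # file says one thing, system another
        ex.append("CONTRADICTORY_RATING")
    if edd_triggers(f) and not f["sow_documented"]:   # EDD promised by policy, not performed
        ex.append("EDD_ON_PAPER_ONLY")
    if (f["override_from"] and RANK[f["system_rating"]] < RANK[f["override_from"]]
            and not (f["override_reason"] or "").strip()):   # downgrade with no basis
        ex.append("UNDOCUMENTED_DOWNGRADE")
    if RANK[independent_rating(f)] > RANK[f["system_rating"]]:   # re-rate disagrees with system
        ex.append("RERATE_ABOVE_SYSTEM")
    return ex
```

Run `review_file` over every sampled file and tally the codes: the same code recurring across files is the pattern that points to a process problem rather than a one-off.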

Ongoing CDD and trigger events

  • CDD isn't one-and-done — profiles must stay current
  • Trigger events: ownership change, activity shift, adverse news
  • Periodic review cadence tied to risk level
  • Test whether updates actually happen and re-rate the customer

A point the exam emphasizes is that customer due diligence is not a one-and-done event at onboarding; the CDD Rule requires ongoing monitoring to keep customer information current. So audit tests the ongoing side, which is where many programs quietly fail. Are trigger events handled? A change in beneficial ownership, a sharp shift in transaction activity, and adverse media or a sanctions hit should all prompt a profile refresh.

Is there a periodic review cadence tied to risk, with high-risk customers reviewed more often than low-risk ones? And critically, do those updates actually happen on schedule, or has a backlog of overdue reviews built up while customers' real risk changed beneath stale profiles? When you find a high-risk customer whose file hasn't been reviewed in years despite changed activity, that's a finding, and a stale profile that never fed back into the risk rating means the whole monitoring posture for that customer is built on outdated facts.

Ongoing CDD is where onboarding diligence either stays alive or silently decays.
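The two ongoing-CDD tests described above, overdue periodic reviews by risk tier and trigger events that never produced a profile refresh, as an added example that is not part of the lesson. The customers, events, the "as of" date, and the cadence per tier are constructed assumptions; an institution's policy sets its own cadence.

```python
from datetime import date, timedelta

AS_OF = date(2025, 1, 15)   # constructed "as of" date for the audit

# Assumed review cadence per risk tier (high-risk reviewed most often); policy sets the real one.
CADENCE_DAYS = {"high": 365, "medium": 730, "low": 1095}

# Constructed customer profiles: current rating and the date the profile was last refreshed.
CUSTOMERS = {
    "C101": {"rating": "high",   "last_review": date(2022, 11, 2)},
    "C102": {"rating": "low",    "last_review": date(2023, 6, 1)},
    "C103": {"rating": "high",   "last_review": date(2024, 8, 10)},
    "C104": {"rating": "medium", "last_review": date(2022, 1, 5)},
}

# Constructed trigger events of the kinds the lesson names: (customer, event, date).
EVENTS = [
    ("C101", "activity_shift", date(2022, 9, 1)),               # before last review: refreshed
    ("C102", "adverse_media", date(2024, 12, 3)),               # after last review: never refreshed
    ("C103", "beneficial_ownership_change", date(2024, 10, 1)), # after last review: never refreshed
]

def overdue_reviews(customers=CUSTOMERS, as_of=AS_OF):
    """Customers whose periodic review is past due under their own tier's cadence, with days overdue."""
    out = {}
    for cid, c in customers.items():
        due = c["last_review"] + timedelta(days=CADENCE_DAYS[c["rating"]])
        if due < as_of:
            out[cid] = (as_of - due).days
    return out

def unhandled_triggers(customers=CUSTOMERS, events=EVENTS):
    """Trigger events dated after the customer's last refresh: the profile was never updated."""
    return [(cid, kind) for cid, kind, when in events if when > customers[cid]["last_review"]]

def backlog_by_tier(customers=CUSTOMERS, as_of=AS_OF):
    """Size of the overdue backlog per risk tier; a high-risk backlog is the most serious finding."""
    tiers = {}
    for cid in overdue_reviews(customers, as_of):
        tier = customers[cid]["rating"]
        tiers[tier] = tiers.get(tier, 0) + 1
    return tiers
```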

Recap and next

  • CIP, CDD, EDD — apply the right rung by risk
  • Risk-based file reviews surface missing/stale data
  • Test that EDD is performed, not just promised
  • Next — auditing transaction-monitoring systems

Recapping: customer due diligence is a ladder from CIP to CDD to EDD, and audit tests that the right rung is applied to the right customer and genuinely performed. Risk-based file reviews surface missing, stale, and contradictory data, EDD testing exposes the gap between enhanced scrutiny promised and performed, and re-rating a sample reveals flawed models or unjustified overrides. Next, we move to one of the most technical fieldwork areas on the exam: auditing transaction-monitoring systems, including coverage and tuning.

Sources

  • FinCEN CDD Rule, 31 CFR 1010.230 — beneficial ownership
  • FFIEC BSA/AML Examination Manual — Customer Due Diligence and risk rating
  • FATF Recommendation 10 — customer due diligence
  • 31 CFR 1020.220 — CIP

Test your knowledge

A few CAMS-Audit questions on this material.

  Q1. An engagement planning memo defines the scope as all CDD processes at three named branches over the 12 months ending December 31. During fieldwork, two additional branches are identified with identical CDD processes. Should the auditor expand scope?

  Q2. To avoid duplicating compliance's QA work, an auditor decides to rely entirely on the second line's CDD file review results as her own testing evidence. What is the flaw?

  Q3. An auditor samples 50 customer risk-rating files using stratified random sampling: 20 from the high-risk stratum and 30 from the medium-risk stratum. She finds zero exceptions. Which conclusion is defensible?

  Q4. An auditor finds a single exception in a statistical sample of SAR narratives: one narrative is a copy-paste of another with only the dates changed. How should she treat this exception?
