
Customer Due Diligence Checklist for Banks and Fintechs

A practical customer due diligence checklist for banks, fintechs, and regulated entities. Covers CIP, beneficial ownership, risk rating, screening, and ongoing monitoring requirements.

LexFlag Team Apr 8, 2026 8 min read

Why Banks and Fintechs Need a Customer Due Diligence Checklist

Customer due diligence (CDD) is the process financial institutions use to verify the identity and background of their customers. It is a core part of any anti-money laundering (AML) program. The goal is to reduce financial crime by verifying customer identities, building a customer risk profile, and flagging suspicious activity before it causes harm.

Customer due diligence requirements vary by jurisdiction, but the core principles are universal. Every institution must take a risk-based approach to assessing the risk of money laundering or terrorist financing. This means collecting enough information to understand each customer (KYC) relationship and applying deeper scrutiny where the risk is higher.

Regulatory examinations consistently reveal the same finding: institutions that lack structured, documented customer due diligence processes make more errors, miss more risks, and face more enforcement actions related to money laundering or terrorist financing. A standardized checklist ensures every customer relationship is assessed consistently, completely, and in accordance with your AML program requirements.

For banks, the FFIEC BSA/AML Examination Manual explicitly evaluates the adequacy of CDD procedures. For fintechs — many of which operate under banking-as-a-service (BaaS) partnerships — sponsor banks increasingly require documented CDD processes as a condition of the relationship. A well-designed checklist is both a compliance safeguard and an operational efficiency tool.

The Customer Due Diligence Checklist

Section 1: Customer Identification

For Individual Customers:

  • Collect full legal name (including any aliases or former names)
  • Collect date of birth
  • Collect residential address (P.O. boxes alone are insufficient for most regulatory purposes)
  • Collect government-issued identification number (SSN for US persons; passport or national ID for non-US persons)
  • Verify identity using at least one of: government-issued photo ID, electronic identity verification service, or documentary plus database cross-check
  • Confirm identity document is valid and unexpired
  • Retain a copy of the verification document or record of the electronic verification result

For Entity Customers:

  • Collect legal entity name, registration number, and jurisdiction of formation
  • Collect registered address and principal place of business
  • Obtain formation documents (certificate of incorporation, articles of organization, partnership agreement)
  • Identify all directors, officers, and authorized signatories
  • Verify entity registration status through a corporate registry or commercial database
  • Confirm the entity is in good standing (active, not dissolved or struck off)

Section 2: Beneficial Ownership Identification

  • Identify all natural persons who own or control 25% or more of the entity (directly or indirectly)
  • If no individual meets the 25% ownership threshold, identify the individual(s) exercising effective control (e.g., senior managing official)
  • For each beneficial owner: collect name, date of birth, address, and ID number
  • Verify each beneficial owner's identity using the same standards applied to individual customers
  • Document the ownership structure (org chart or narrative description)
  • For complex structures (trusts, foundations, multi-layered entities), trace ownership to the ultimate natural person(s)
  • Screen all beneficial owners against sanctions, PEP, and adverse media databases

Section 3: Understanding the Relationship

  • Document the purpose of the account or relationship
  • Record the expected nature and volume of transactions
  • Identify the source of funds for the account
  • For entity customers, confirm the nature of the business and primary business activities
  • Identify expected counterparties and geographic footprint of transactions
  • Assess whether the stated purpose is consistent with the customer's profile and known activities

Section 4: Risk Assessment

  • Evaluate customer type risk (individual, small business, large corporation, trust, nonprofit, etc.)
  • Evaluate geographic risk (country of residence, nationality, countries of operation)
  • Evaluate product/service risk (simple vs. complex products, cash-intensive services, trade finance, private banking)
  • Evaluate delivery channel risk (face-to-face vs. remote onboarding)
  • Calculate composite risk score using your institution's approved methodology
  • Assign risk tier: Low, Medium, High, or Prohibited
  • For High-risk customers, obtain senior management approval before establishing the relationship
  • Document the risk assessment rationale and the resulting customer risk profile

Section 5: Screening

  • Screen customer name (and all known aliases) against OFAC SDN and other applicable sanctions lists
  • Screen against EU consolidated sanctions list (if applicable)
  • Screen against UN Security Council sanctions list
  • Screen against relevant domestic sanctions lists (HMT for UK, SECO for Switzerland, etc.)
  • Screen against politically exposed persons (PEPs) databases (domestic and international)
  • Conduct adverse media screening for relevant risk indicators
  • Review and resolve all potential matches (true matches, false positives)
  • Document screening results and disposition decisions
  • For true sanctions matches: block the relationship and file required reports
  • For PEP matches: apply EDD measures and obtain senior management approval

Section 6: Enhanced Due Diligence (EDD) (When Required)

If the customer is classified as high-risk, the following additional steps apply:

  • Investigate and document the source of funds and wealth. Source of wealth means how the customer accumulated their assets. Source of funds means the specific origin of money for the account.
  • Obtain and review additional documentation supporting the customer's stated business activities
  • Conduct deeper adverse media and background research
  • Obtain senior management approval for the relationship
  • Establish enhanced monitoring parameters (lower thresholds, more frequent transaction reviews)
  • Set a review frequency of at least annually

Section 7: Record Keeping and Documentation

  • Create a complete customer file containing all identification documents, verification records, risk assessments, screening results, and approval decisions
  • Ensure all documents are dated and attributed to the responsible compliance officer
  • Store records in a format that is readily retrievable for regulatory examination
  • Set retention schedules compliant with applicable regulations (minimum 5 years after relationship ends in most jurisdictions; 7 years under BSA)

Section 8: Ongoing Monitoring

  • Enroll the customer in transaction monitoring with parameters aligned to their risk tier
  • Schedule periodic review based on risk classification:
    • High risk: annually
    • Medium risk: every 2 years
    • Low risk: every 3–5 years
  • Define trigger events that initiate ad hoc reviews (significant transaction anomalies, adverse media alerts, sanctions list updates, customer requests for new high-risk products)
  • At each review: refresh customer information, re-run screening, reassess risk rating, update documentation
  • Report any suspicious activities to the relevant authorities promptly
  • Document all monitoring activities and outcomes
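As an added example (not code from the LexFlag article), the following Python sketches how Sections 4, 5 and 8 fit together: a weighted composite score over the four risk dimensions, a tier with the screening overrides the checklist requires (a true sanctions match is Prohibited regardless of score; a PEP match forces EDD and senior management approval), and the review interval the tier implies. The factor scores, weights, tier thresholds and the three-year Low interval are assumptions, not the article's methodology.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Factor scores: 1 = low, 2 = medium, 3 = high risk (assumed values).
CUSTOMER_TYPE = {"individual": 1, "small_business": 1, "corporation": 2,
                 "nonprofit": 2, "trust": 3}
GEOGRAPHY = {"low": 1, "medium": 2, "high": 3}
PRODUCT = {"deposit": 1, "cross_border": 2, "trade_finance": 3,
           "private_banking": 3, "crypto": 3}
CHANNEL = {"face_to_face": 1, "remote": 2}
# Integer weights summing to 100, so the composite ranges 100..300 (assumed).
WEIGHTS = {"type": 25, "geo": 35, "product": 25, "channel": 15}
TIER_FLOORS = [("High", 225), ("Medium", 150), ("Low", 0)]  # assumed cut-offs
REVIEW_YEARS = {"High": 1, "Medium": 2, "Low": 3}  # Section 8 schedule

@dataclass
class Profile:
    customer_type: str
    geography: str
    product: str
    channel: str
    pep: bool = False                   # PEP database match (Section 5)
    sanctions_true_match: bool = False  # confirmed sanctions hit (Section 5)

@dataclass
class Rating:
    score: int
    tier: str
    review_years: Optional[int]         # None when the relationship is blocked
    controls: List[str] = field(default_factory=list)

def composite_score(p: Profile) -> int:
    """Weighted sum of the four Section 4 risk dimensions."""
    return (WEIGHTS["type"] * CUSTOMER_TYPE[p.customer_type]
            + WEIGHTS["geo"] * GEOGRAPHY[p.geography]
            + WEIGHTS["product"] * PRODUCT[p.product]
            + WEIGHTS["channel"] * CHANNEL[p.channel])

def rate(p: Profile) -> Rating:
    """Assign a tier, then apply screening overrides and the required controls."""
    score = composite_score(p)
    if p.sanctions_true_match:  # a true sanctions match is never scored around
        return Rating(score, "Prohibited", None,
                      ["block relationship", "file required reports"])
    tier = next(t for t, floor in TIER_FLOORS if score >= floor)
    controls: List[str] = []
    if p.pep and tier != "High":
        tier = "High"  # PEP match: EDD applies regardless of the numeric score
        controls.append("PEP match: escalated to High")
    if tier == "High":
        controls += ["EDD", "senior management approval", "enhanced monitoring"]
    return Rating(score, tier, REVIEW_YEARS[tier], controls)
```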

Adapting the Checklist for Fintechs

Fintechs face unique CDD considerations:

Remote onboarding dominance. Most fintech customers never visit a branch. Electronic identity verification, biometric checks (selfie matching, liveness detection), and digital document verification become essential components of the CIP.

Higher volume, lower touch. Fintechs may onboard thousands of customers daily. Automated decisioning for low-risk applications, with manual review reserved for exceptions and higher-risk cases, is necessary to maintain both speed and compliance.

BaaS compliance obligations. Fintechs operating through banking partners must align their CDD processes with the sponsor bank's requirements. The checklist should map to both the fintech's own policies and the partner bank's expectations.

Product-specific risks. Cryptocurrency, cross-border payments, lending, and embedded finance each carry distinct risk profiles that the CDD checklist must address.

Quality Assurance

A checklist is only effective if consistently followed. Implement quality controls:

  • First-line review — Supervisors review completed CDD files for completeness and accuracy before relationship approval
  • Second-line testing — Compliance performs periodic sampling of CDD files across business lines to identify gaps and training needs
  • Third-line audit — Internal audit independently evaluates CDD program design and operating effectiveness

Track metrics including: CDD file completion rates, average onboarding time, screening hit resolution turnaround, periodic review completion rates, and quality assurance pass rates.

Frequently Asked Questions

What is a customer due diligence checklist?

A customer due diligence checklist is a structured tool that guides financial institutions through every step of the CDD process. It ensures that no critical step is missed when onboarding a new customer or reviewing an existing one. The checklist typically covers identity verification, beneficial ownership, risk assessment, screening, and ongoing monitoring.

When is enhanced due diligence required?

Enhanced due diligence is required for high-risk customers. This includes politically exposed persons, customers from high-risk jurisdictions, and relationships that show unusual transaction patterns. EDD involves deeper investigation into the source of funds, closer monitoring, and senior management approval.

How often should CDD reviews be conducted?

Review frequency depends on the customer's risk level. High-risk customers should be reviewed at least annually, medium-risk customers every two years, and low-risk customers every three to five years. Any significant change in a customer's behavior or profile should also trigger an immediate review.

What is the difference between CDD and KYC?

KYC, or Know Your Customer, focuses on verifying a customer's identity at the start of the relationship. CDD is broader. It includes KYC but also covers risk assessment, beneficial ownership identification, and ongoing monitoring throughout the entire customer lifecycle. Think of KYC as the first step and CDD as the full, continuous process.

What records should be kept for CDD?

Financial institutions must keep all CDD records for at least five years after the relationship ends. In some jurisdictions the minimum is seven years. Records include identification documents, verification results, risk assessments, screening outcomes, transaction monitoring alerts, and all decisions made during the CDD process. These records must be available for regulatory examination at any time.

From Checklist to Culture

A customer due diligence checklist provides structure and accountability, but it works best when embedded in a compliance culture where every team member — from frontline staff to senior management — understands why CDD matters and takes personal responsibility for its execution. When compliance is viewed as a shared organizational value rather than a paperwork exercise, CDD becomes a genuine risk management tool that protects the institution and its customers alike.
