What Is Customer Due Diligence (CDD)? Requirements & Process
Understand customer due diligence (CDD) requirements, the three levels of due diligence, and how financial institutions implement CDD processes to meet KYC obligations.
For Informational Purposes Only. The articles, guides, and analyses published on this blog are provided by the LexFlag team and guest contributors for educational and informational purposes. They do not constitute legal, regulatory, or professional advice.
AI-Generated Content. Some articles may be partially or fully generated or assisted by artificial intelligence. While we strive for accuracy, errors or outdated information may remain.
Independent Verification Required. You must independently verify any information obtained from this blog before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on blog content.
What Is Customer Due Diligence?
Customer due diligence (CDD) is the process of verifying a customer's identity, understanding the nature of their business activities, and assessing the risk they pose to your organization. It is a core component of Know Your Customer (KYC) programs and a legal obligation under anti-money laundering (AML) regulations worldwide.
CDD serves a dual purpose. It protects your organization from being used as a vehicle for money laundering, terrorist financing, or other financial crimes. It also demonstrates to regulators that you have implemented reasonable measures to identify and manage customer risk. Through structured due diligence processes, financial institutions can prevent financial crimes before they occur.
The Bank Secrecy Act (BSA), FinCEN's CDD Rule (2018), the EU's Anti-Money Laundering Directives (currently the 6th AMLD), and the Financial Action Task Force (FATF) Recommendations all mandate customer due diligence as a foundational AML control. These AML regulations apply to banks, credit unions, broker-dealers, mutual funds, and other covered financial institutions.
The Three Levels of Customer Due Diligence
Regulatory frameworks establish three tiers of due diligence. Each is applied proportionally based on the customer's risk profile.
Simplified Due Diligence (SDD)
Applied to customers assessed as low-risk based on predefined criteria. SDD involves reduced identity verification and less frequent monitoring. Typical SDD candidates include:
- Publicly listed companies subject to regulatory disclosure requirements
- Government entities in low-corruption jurisdictions
- Regulated financial institutions in equivalent jurisdictions
- Low-value, low-frequency transactions below defined thresholds
Important: SDD does not mean no due diligence. You must still verify identity and have a reasonable basis for the low-risk classification. Regulators have penalized institutions that applied SDD too broadly without adequate justification.
Standard Customer Due Diligence (CDD)
The baseline requirement for most customer relationships. Standard CDD encompasses:
- Identity verification — Collecting and verifying the customer's legal name, date of birth, address, and identification number using reliable, independent sources (government-issued ID, utility bills, database verification)
- Beneficial ownership identification — For legal entities, identifying individuals who ultimately own or control the entity (typically those holding 25%+ ownership, though some jurisdictions use 10% thresholds)
- Purpose and nature of relationship — Understanding what products or services the customer intends to use and why
- Risk assessment — Classifying the customer into a risk category based on customer type, geography, products requested, transaction patterns, and other relevant factors
Enhanced Due Diligence (EDD)
Required for higher-risk customers, including:
- Any customer identified as a politically exposed person (PEP), along with their family members or close associates
- Customers from high-risk jurisdictions (FATF grey or black list countries)
- Complex or unusual ownership structures
- Cash-intensive businesses
- Correspondent banking relationships
- Any customer whose risk assessment triggers enhanced scrutiny
EDD involves deeper investigation. This includes corroborating the source of funds and source of wealth, obtaining senior management approval, increasing the frequency and intensity of ongoing monitoring, and conducting more detailed background checks, including adverse media screening.
The CDD Process: Step by Step
Step 1: Customer Identification Program (CIP)
Collect identifying information during the onboarding process:
- Individuals — Full legal name, date of birth, residential address, government-issued ID number (SSN, passport, national ID)
- Legal entities — Registered name, incorporation number, registered address, formation documents, ownership structure, authorized signatories
Verification can be documentary (inspecting original or certified copies of identification documents) or electronic (checking information against reliable databases, credit bureaus, or government registries).
Step 2: Beneficial Ownership Identification
For entity customers, identify the natural persons who:
- Own or control, directly or indirectly, 25% or more of the entity (some jurisdictions require 10%)
- Exercise significant control through other means (voting rights, board positions, contractual arrangements)
Verify beneficial owners' identities using the same standards applied to individual customers. Screen all identified beneficial owners against sanctions lists, PEP databases, and adverse media sources.
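The ownership test in Step 2 has to be applied through layered structures: a person who holds 50% of a company that in turn holds 40% of the customer has an indirect 20% interest, and interests held through several chains add up. The following is an added example, not code from the article or from LexFlag, showing how a compliance system can compute effective ownership through such chains, apply the 25% threshold (or 10% where a jurisdiction requires it), add persons who exercise significant control by other means, and flag the case the "Incomplete beneficial ownership data" challenge below describes, where part of the ownership at some layer is undisclosed. The entity and person names, the ownership graph and the control list are constructed sample data.

```python
from collections import defaultdict

# Constructed sample ownership graph (hypothetical names, not from the article).
# entity -> list of (owner, fraction). Natural persons have no entry of their own.
OWNERSHIP = {
    "AcmeHoldings Ltd": [("Alice", 0.60), ("BetaCapital LLC", 0.40)],
    "BetaCapital LLC": [("Bob", 0.50), ("Carol", 0.30), ("GammaTrust", 0.20)],
    "GammaTrust": [("Dave", 0.70)],  # the remaining 30% of the trust is undisclosed
}

# Constructed sample: natural persons who exercise significant control through
# other means (voting rights, board positions, contractual arrangements).
CONTROL = {"AcmeHoldings Ltd": ["Erin"]}

UNRESOLVED = "(unresolved)"


def effective_ownership(entity, graph, max_depth=10):
    """Map each natural person to the fraction of `entity` they hold, directly
    or indirectly. An indirect interest is the product of the fractions along
    a chain; interests held through several chains are summed. Any share that
    is not attributed at some layer is accumulated under UNRESOLVED."""
    result = defaultdict(float)

    def walk(node, fraction, depth, path):
        # Circular or very deep structures cannot be resolved mechanically;
        # surface them instead of looping.
        if depth > max_depth or node in path:
            raise ValueError(f"circular or overly deep structure at {node!r}")
        owners = graph.get(node)
        if owners is None:
            result[node] += fraction  # leaf node: a natural person
            return
        disclosed = sum(share for _, share in owners)
        if disclosed > 1.0 + 1e-9:
            raise ValueError(f"declared ownership of {node!r} exceeds 100%")
        result[UNRESOLVED] += fraction * (1.0 - disclosed)
        for owner, share in owners:
            walk(owner, fraction * share, depth + 1, path | {node})

    walk(entity, 1.0, 0, frozenset())
    return dict(result)


def beneficial_owners(entity, graph, control, threshold=0.25):
    """Return (sorted list of beneficial owners, needs_enhanced_scrutiny).

    Owners are the natural persons at or above `threshold` effective ownership
    plus anyone listed as exercising significant control. The flag is set when
    any part of the ownership could not be resolved."""
    shares = effective_ownership(entity, graph)
    owners = {p for p, f in shares.items()
              if p != UNRESOLVED and f + 1e-9 >= threshold}
    owners |= set(control.get(entity, []))
    unresolved = shares.get(UNRESOLVED, 0.0) > 1e-9
    return sorted(owners), unresolved


if __name__ == "__main__":
    for threshold in (0.25, 0.10):
        owners, flag = beneficial_owners("AcmeHoldings Ltd", OWNERSHIP, CONTROL, threshold)
        print(f"threshold {threshold:.0%}: owners={owners}, enhanced scrutiny={flag}")
```

With the sample data, Alice (60% direct) is the only person above 25%, while at a 10% threshold Bob (20%) and Carol (12%) are added; Erin is included at either threshold through the control list, and the undisclosed 30% of GammaTrust sets the enhanced-scrutiny flag even though it represents only 2.4% of the customer. The chain walk is what makes the difference: a screen that only looked at direct shareholders would list BetaCapital LLC and never reach the natural persons behind it.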
Step 3: Risk Assessment and Classification
Assign a risk rating based on multiple factors:
| Risk Factor | Lower Risk Indicators | Higher Risk Indicators |
|---|---|---|
| Customer type | Regulated entity, public company | Cash-intensive business, trust, shell company |
| Geography | Low-risk jurisdiction | FATF-listed country, high-corruption jurisdiction |
| Products/services | Standard deposit, basic lending | Private banking, trade finance, correspondent banking |
| Transaction patterns | Consistent with stated purpose | Unusual volume, frequent cash transactions, rapid movement of funds |
| Source of funds | Salary, verified business income | Unclear origin, high-risk industry, third-party funding |
Risk ratings drive the depth of ongoing monitoring, the frequency of periodic reviews, and the approval authority required. These risk profiles also determine whether the customer needs standard CDD or enhanced due diligence.
Step 4: Screening
Screen all customers and beneficial owners against:
- Sanctions lists — OFAC SDN, EU consolidated list, UN Security Council, HMT, and other applicable lists
- PEP databases — Domestic and international politically exposed persons
- Adverse media — Negative news related to financial crime, fraud, corruption, terrorism, or other relevant risk indicators
- Law enforcement databases — Where legally permissible and available
Screening must occur at onboarding and on an ongoing basis as lists are updated.
Step 5: Ongoing Monitoring
CDD is not a one-time event. Organizations must conduct ongoing monitoring to keep their risk assessment current:
- Transaction monitoring — Automated systems flag transactions that deviate from the customer's expected profile
- Periodic reviews — Scheduled reassessments aligned with the customer's risk profile (annually for high risk, every 2–3 years for standard, every 3–5 years for low risk)
- Trigger-event reviews — Reassessment when material changes occur (new product requests, significant transaction changes, adverse media alerts, sanctions list updates)
- Record updates — Keeping customer identification information, beneficial ownership data, and risk ratings current
CDD Requirements by Regulation
| Regulation | Key CDD Requirements |
|---|---|
| FinCEN CDD Rule | Identity verification, beneficial ownership (25% threshold), customer risk profiles, ongoing monitoring |
| EU 6th AMLD | Risk-based CDD, 25% UBO threshold (member states may lower to 10%), ongoing monitoring, mandatory EDD for PEPs and high-risk countries |
| FATF Recommendation 10 | CIP, beneficial ownership, purpose and nature of relationship, ongoing due diligence, risk-based approach |
| UK MLR 2017 | Risk-based CDD, 25% UBO threshold, EDD for PEPs, ongoing monitoring, reliance on third parties permitted under conditions |
Common CDD Challenges and Solutions
Challenge: Incomplete beneficial ownership data. Many jurisdictions lack transparent ownership registries. Customers may be reluctant to disclose complex structures. Solution: Use multiple data sources (corporate registries, commercial databases, direct declarations). Apply reasonable measures and document your efforts. Where ownership cannot be fully resolved, apply enhanced scrutiny.
Challenge: Balancing customer experience with compliance. Extensive document requests create friction during the onboarding process that can drive customers to competitors. Solution: Leverage electronic verification where possible. Implement risk-proportionate requirements. Don't apply EDD-level requests to low-risk customers. Communicate clearly about why information is needed.
Challenge: Maintaining current records across large customer portfolios. Periodic reviews consume significant resources. Solution: Prioritize higher-risk customers for frequent manual review. Use automated monitoring and trigger-based alerts for lower-risk populations.
Challenge: Inconsistent application across business lines. Different teams may apply CDD standards differently. Solution: Centralize CDD policies. Standardize procedures and questionnaires. Implement automated workflow tools and conduct regular quality assurance testing.
Building a Robust CDD Program
A mature customer due diligence program integrates people, process, and technology. It applies proportionate measures based on assessed risk, maintains comprehensive records for regulatory examination, and adapts as customer relationships, regulatory requirements, and risk landscapes evolve.
When implemented effectively, CDD is not just a regulatory obligation. It is a commercial tool that helps you understand your customers, protect your organization, and build relationships on a foundation of trust and transparency.
Frequently Asked Questions
What are the four requirements of the FinCEN CDD Rule?
The CDD Rule requires covered financial institutions to: (1) identify and verify the customer's identity, (2) identify and verify beneficial owners of legal entity customers, (3) understand the nature and purpose of customer relationships to develop risk profiles, and (4) conduct ongoing monitoring to identify suspicious transactions and update customer information on a risk basis.
When is enhanced due diligence required?
Enhanced due diligence is required for any customer that poses higher risk. Common triggers include a customer identified as a politically exposed person (PEP), customers in FATF-listed high-risk jurisdictions, complex ownership structures, cash-intensive businesses, and correspondent banking relationships. EDD involves deeper investigation into the source of funds and source of wealth, together with more frequent monitoring.
How does CDD differ from KYC?
Customer due diligence is a subset of KYC. KYC is the broader compliance framework that includes CDD, the Customer Identification Program (CIP), and ongoing monitoring. The CDD process specifically focuses on verifying identity, assessing risk, and understanding the nature of the relationship. KYC encompasses all of these plus the overarching program governance and regulatory reporting obligations.