
Customer Due Diligence: What It Is, What Regulators Expect, and What Gets You Cited

Also known as: CDD

Customer Due Diligence (CDD) is the process through which financial institutions verify customer identity, understand the purpose of business relationships, and assess money laundering and terrorist financing risk. It's required under FATF Recommendation 10, the EU's 6th Anti-Money Laundering Directive, and FinCEN's 2016 CDD Final Rule under the US Bank Secrecy Act.

What is Customer Due Diligence?

Customer Due Diligence (CDD) is the process of verifying who a customer is, understanding why they want access to a product or service, and assessing the money laundering and terrorist financing risk they present to the institution. It's a foundational control in any AML/CFT program, applied at onboarding and maintained throughout the customer lifecycle.

The control operates at three levels. Standard CDD covers identity verification, collection of beneficial ownership information for legal entities, and an assessment of the intended nature and purpose of the business relationship. Simplified Due Diligence (SDD) is permitted for demonstrably lower-risk customer types, such as listed public companies or certain government bodies, where documentary requirements can be reduced proportionate to the risk. Enhanced Due Diligence (EDD) applies to higher-risk relationships: politically exposed persons, customers in high-risk jurisdictions, correspondent banking counterparties, and complex ownership structures that obscure the ultimate beneficial owner.

CDD sits within the broader Know Your Customer (KYC) framework. KYC is the overarching obligation to understand who customers are; CDD is the structured process that delivers that understanding. The two terms are often used interchangeably, but CDD is more specific. It's the documented procedure with defined tiers, clear triggers, and periodic review requirements.

The obligation runs to the institution, not the customer. A customer who declines to provide the information required to complete CDD cannot proceed. Institutions can't waive this requirement, and regulators don't accept "customer refused" as a justification for incomplete files.

Why is Customer Due Diligence required?

The international standard is FATF Recommendation 10, which requires financial institutions to apply CDD measures when establishing business relationships, when executing occasional transactions above €15,000 (or the applicable local threshold), when there is suspicion of money laundering or terrorist financing, or when the institution doubts the accuracy of previously collected identification data. The FATF Rec 1 risk-based approach governs how CDD is calibrated across customer segments: institutions must direct resources proportionate to risk, which means the depth of due diligence isn't uniform.

FATF Rec 12 extends Recommendation 10 specifically to politically exposed persons, requiring EDD for any customer identified as a PEP, their family members, and close associates. That obligation isn't discretionary or tiered by perceived seniority. PEP status triggers EDD, full stop.

FATF Rec 11 extends the requirement further: institutions must retain CDD records for at least five years from the end of the business relationship. Regulators don't just want evidence that CDD was completed; they want to see when it was done, by whom, and on what evidentiary basis.

In the US, FinCEN's CDD Final Rule (31 CFR § 1010.230), effective May 2018, added a fifth pillar to BSA AML program requirements: mandatory identification and verification of beneficial owners of legal entity customers at a 25% ownership threshold. In the EU, 6AMLD and the national legislation transposing it codify equivalent obligations. The UK's MLR 2017 imposes similar requirements, with the FCA expecting risk-proportionate CDD across the full customer book.

The Danske Bank 2018 enforcement action is the defining case study. Approximately €200 billion flowed through Danske's Estonian branch over nine years, with the bank's own post-mortem acknowledging that CDD on non-resident customers was fundamentally inadequate. The failure to verify beneficial ownership structures enabled layering at a scale that would have been visible with a functioning CDD program.

What do regulators expect to see?

On exam day, regulators look for evidence that the CDD program is documented, risk-calibrated, consistently applied, and independently tested. In concrete terms, this is what they want to find.

Documented CDD policies and procedures. A current policy that defines the three tiers, the criteria for each, who approves exceptions, how decisions are recorded, and what happens when a customer doesn't cooperate. Procedures should be detailed enough that a new analyst could apply them consistently without additional instruction.

Risk-based customer risk ratings. A written methodology showing how customer risk scores are calculated: what inputs drive them (jurisdiction, business type, product, channel, ownership structure, PEP status), how those inputs are weighted, and how the resulting score determines the CDD tier and review frequency.

Beneficial ownership records. For legal entities, documented collection and independent verification of UBO data at or above the applicable threshold. Regulators check both whether the data was collected and whether it was actually verified against a reliable, independent source.

Periodic refresh schedules. CDD isn't an onboarding exercise. Higher-risk customers need annual reviews; mid-risk customers every two to three years; low-risk customers every four to five years at minimum. Regulators want documented schedules and evidence of compliance with them.

Enhanced Due Diligence (EDD) documentation. For PEPs, correspondent relationships, and customers from higher-risk countries, examiners want to see what additional steps were taken, who approved the relationship, what source-of-wealth evidence was collected, and the rationale for the ongoing monitoring frequency.

Independent testing records. Results from compliance testing or internal audit, the specific findings from those reviews, management responses, and evidence that issues were tracked to resolution. The feedback loop between testing and program improvement is what regulators want to see working.

MI (management information) and escalation trails. Committee minutes or equivalent documentation showing that CDD exception volumes, backlogs, and policy breaches were reported to senior management. The absence of board-level MI on CDD backlogs is itself a finding in most exam frameworks.

What does good Customer Due Diligence look like?

The FATF Guidance on Customer Due Diligence and Beneficial Ownership and the Wolfsberg AML Principles describe consistent characteristics of well-run CDD programs. At a practical level, good CDD follows this sequence.

  1. Risk-based customer classification at onboarding. The institution assigns a risk rating before account opening, using a written methodology covering customer type, geography, product, channel, and ownership structure. That rating determines the due diligence tier applied before the relationship begins.

  2. Identity verification using independent sources. Documentary verification (passport, national ID) combined with non-documentary methods such as database checks and biometric verification. Multiple independent sources reduce the chance that fabricated or synthetic identities pass onboarding.

  3. Beneficial ownership collection and verification. For legal entities, UBO identification down to the applicable ownership threshold, with verification against independent sources. Complex structures including trusts and multi-layered corporate chains are documented in full, with source-of-funds and source-of-wealth collected for higher-risk entities.

  4. Ongoing monitoring tied to risk tier. CDD files are reviewed on a schedule proportionate to risk. High-risk customers annually; mid-risk customers every two to three years; low-risk every four to five years at minimum. PEP Screening results and adverse media alerts can trigger out-of-cycle reviews between those intervals.

  5. EDD for higher-risk relationships. PEPs, correspondent bank relationships, and customers from higher-risk jurisdictions receive additional scrutiny: senior management approval before account opening, source-of-wealth documentation, and tighter review cycles than standard CDD.

  6. Automated alerts when profiles diverge. When observed transaction behavior no longer matches the expected profile established at CDD, the monitoring system flags the account for review. This is the feedback loop that keeps CDD and transaction monitoring aligned.
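The six steps above, together with the risk-rating methodology and refresh schedules described under "What do regulators expect to see?", worked as one runnable example. This is an added illustration, not FluxForce code and not a methodology any regulator prescribes: the scoring weights, the score bands, the placeholder high-risk country codes "XX" and "YY", the "twice expected volume" divergence rule and the four sample customers are all constructed assumptions. What it keeps from the text: PEP status, correspondent relationships and high-risk jurisdictions force EDD regardless of score; listed public companies may qualify for SDD; beneficial owners are identified at the 25% threshold; and refresh intervals are one, three and five years for EDD, standard CDD and SDD (the upper bound of each range given above).

```python
"""Illustrative CDD classification, refresh scheduling and profile-divergence check.

Added example: not FluxForce code and not a regulator's prescribed methodology.
Weights, score bands, country codes and sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed scoring inputs. "XX"/"YY" are placeholders for jurisdictions the
# institution rates as high-risk; the point values are assumptions.
HIGH_RISK_JURISDICTIONS: Set[str] = {"XX", "YY"}
BUSINESS_TYPE_SCORES = {"listed_company": 0, "individual": 1, "retail": 1,
                        "msb": 3, "shell_or_trust": 4}
PRODUCT_SCORES = {"current_account": 1, "private_banking": 3, "correspondent": 4}
CHANNEL_SCORES = {"face_to_face": 0, "non_face_to_face": 2}
UBO_THRESHOLD = 0.25                 # FinCEN CDD Rule beneficial-ownership threshold
REFRESH_YEARS = {"EDD": 1, "CDD": 3, "SDD": 5}   # upper bound of each band in the text


@dataclass
class Customer:
    customer_id: str
    jurisdiction: str
    business_type: str
    product: str
    channel: str
    is_pep: bool = False
    is_legal_entity: bool = False
    owners: Dict[str, float] = field(default_factory=dict)   # owner -> fraction held
    last_review: Optional[date] = None
    expected_monthly_volume: float = 0.0                      # profile set at onboarding
    expected_countries: Set[str] = field(default_factory=set)


def beneficial_owners(c: Customer) -> List[str]:
    """Owners at or above the 25% threshold; an empty list means no UBO identified."""
    return sorted(name for name, share in c.owners.items() if share >= UBO_THRESHOLD)


def risk_score(c: Customer) -> int:
    """Additive score over jurisdiction, business type, product, channel and
    ownership structure. PEP status is handled as an override in assign_tier."""
    score = 4 if c.jurisdiction in HIGH_RISK_JURISDICTIONS else 0
    score += BUSINESS_TYPE_SCORES.get(c.business_type, 2)
    score += PRODUCT_SCORES.get(c.product, 2)
    score += CHANNEL_SCORES.get(c.channel, 2)
    # A legal entity with no owner at the threshold obscures its UBO (+3);
    # listed companies are exempt because their ownership is public.
    if c.is_legal_entity and c.business_type != "listed_company" and not beneficial_owners(c):
        score += 3
    return score


def assign_tier(c: Customer) -> str:
    """Map a customer to SDD / CDD / EDD. PEPs, correspondent relationships and
    high-risk jurisdictions go to EDD regardless of score, as the text requires."""
    if c.is_pep or c.product == "correspondent" or c.jurisdiction in HIGH_RISK_JURISDICTIONS:
        return "EDD"
    score = risk_score(c)
    if score >= 7:
        return "EDD"
    if score <= 2 and c.business_type == "listed_company":
        return "SDD"
    return "CDD"


def next_review_due(c: Customer, tier: str) -> Optional[date]:
    """Refresh date proportionate to tier; None means no review on file (due now)."""
    if c.last_review is None:
        return None
    return c.last_review + timedelta(days=365 * REFRESH_YEARS[tier])


def review_overdue(c: Customer, tier: str, today: date) -> bool:
    due = next_review_due(c, tier)
    return due is None or due < today


def profile_divergence(c: Customer, month_txns: List[Tuple[float, str]]) -> List[str]:
    """Step 6: compare a month of observed (amount, counterparty country) pairs with
    the expected profile recorded at CDD; returns the reasons to open a review."""
    reasons = []
    observed = sum(amount for amount, _ in month_txns)
    if c.expected_monthly_volume and observed > 2 * c.expected_monthly_volume:
        reasons.append(f"volume {observed:,.0f} exceeds 2x expected {c.expected_monthly_volume:,.0f}")
    unexpected = {country for _, country in month_txns} - c.expected_countries
    if unexpected:
        reasons.append("unexpected counterparty countries: " + ", ".join(sorted(unexpected)))
    return reasons


# Constructed sample customers (not real records).
PEP_CLIENT = Customer("C-001", "GB", "individual", "private_banking", "face_to_face",
                      is_pep=True, last_review=date(2023, 1, 10))
LISTED_CO = Customer("C-002", "GB", "listed_company", "current_account", "face_to_face",
                     is_legal_entity=True, last_review=date(2022, 3, 1))
MSB_LTD = Customer("C-003", "DE", "msb", "current_account", "non_face_to_face",
                   is_legal_entity=True, owners={"Alice": 0.6, "Bob": 0.2, "Carol": 0.2},
                   last_review=date(2024, 1, 15), expected_monthly_volume=50_000,
                   expected_countries={"DE", "FR"})
OPAQUE_TRUST = Customer("C-004", "GB", "shell_or_trust", "private_banking", "non_face_to_face",
                        is_legal_entity=True, owners={n: 0.2 for n in "VWXYZ"})

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for c in (PEP_CLIENT, LISTED_CO, MSB_LTD, OPAQUE_TRUST):
        tier = assign_tier(c)
        print(c.customer_id, tier, "score", risk_score(c), "UBO", beneficial_owners(c),
              "overdue" if review_overdue(c, tier, today) else "current")
    print(profile_divergence(MSB_LTD, [(30_000, "DE"), (80_000, "XX")]))
```

Two design points worth noting. The PEP override sits outside the additive score, so no combination of low-risk inputs can dilute it; that is the "full stop" rule from the text expressed in code. And a customer with no review on file is reported as overdue rather than "not yet scheduled", which is how an examiner reads a missing refresh date.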

The Basel Committee's Sound Management of Risks Related to Money Laundering and Financing of Terrorism provides the governance framework for embedding CDD within a bank's broader risk management architecture, including how CDD findings should flow to senior management and board-level oversight.

Common audit findings and exam citations

CDD is one of the most frequently cited failures in AML enforcement actions. The patterns repeat.

Stale CDD files. High-risk customers whose files haven't been refreshed in three or more years. Regulators treat this as a controls failure regardless of whether any suspicious activity occurred in the interval.

Incomplete beneficial ownership records. Legal entity customers where UBO data was collected at onboarding but never verified against independent sources, or where subsequent ownership changes weren't captured on periodic refresh.

Weak EDD documentation. PEP relationships or high-risk-country accounts labeled "EDD" in the system with no documentation of what additional steps were taken, who approved the relationship, or what source-of-wealth evidence was collected.

Exception backlogs without governance escalation. Thousands of expired CDD reviews, with no formal escalation to senior management or the board. The Westpac 2020 enforcement action resulted in an A$1.3 billion penalty (the largest in Australian corporate history at the time) and included systemic failures in customer identification and ongoing due diligence across more than 23 million alleged breaches of AML/CTF law.

Profile mismatches with no follow-up. Customers whose stated business purpose didn't match their actual transaction patterns, with no system in place to detect or investigate the discrepancy.

CDD and transaction monitoring operating in silos. Programs where the two controls ran independently with no mechanism for a transaction alert to initiate a CDD review, and no process for updating CDD files when a SAR was filed.

The HSBC 2012 enforcement action, which resulted in a $1.9 billion penalty, included specific findings on inadequate CDD applied to Mexican customers and correspondent banking relationships. Regulators found that HSBC's compliance function was systematically unable to manage basic CDD review cycles. That consent order remains a standard reference in exam-preparation programs.

Metrics and KPIs

A CDD program without measurement is a program that can't demonstrate effectiveness to regulators or its own board.

CDD file currency rate. The percentage of customer files reviewed within their required refresh cycle. A healthy program runs above 95%. Below 90%, most examiners treat it as a finding.

EDD refresh timeliness. Average days between scheduled and actual EDD review completion for high-risk customers. Systematic delays here are a governance indicator regulators test for specifically, not a secondary concern.

Beneficial ownership completion rate. The percentage of legal entity customers with fully documented and verified UBO data. Gaps in this number almost always trace to process failures at onboarding or weak exception management.

CDD exception volume and aging. How many accounts are in exception status and how long they've been there. Exceptions aged over 90 days without documented escalation are a consistent exam finding across jurisdictions.

Risk classification accuracy. If a disproportionate number of customers are classified as high-risk at onboarding and immediately downgraded after EDD, the initial methodology is over-sensitive. If virtually no customers in high-risk business lines are ever escalated to EDD, it's under-sensitive. Both patterns attract examiner attention.

Triggered review volume. How many out-of-cycle CDD reviews were initiated in the period, and what triggered them: SAR filings, PEP screening matches, adverse media alerts, or transaction pattern changes. A program generating near-zero triggered reviews in a high-risk business book almost certainly has a broken connection between monitoring and CDD functions.

FinCEN's Customer Due Diligence Final Rule FAQ provides additional measurement context for US-regulated institutions.
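An added example (not FluxForce code) showing how the metrics above can be computed from a book of CDD files and turned into the findings an examiner would raise. The ten file records, the exception dates and the scheduled/actual EDD review pairs are constructed; the 90% currency floor and the 90-day exception age are the figures cited above, and the trigger names are the ones listed under "Triggered review volume".

```python
"""Illustrative CDD KPI computation over a small, constructed book of files.

Added example, not FluxForce code. Records and dates are constructed;
the 90% currency floor and 90-day exception age are the thresholds the page cites.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class CddFile:
    customer_id: str
    tier: str                        # "SDD", "CDD" or "EDD"
    next_due: date                   # scheduled refresh date
    is_legal_entity: bool = False
    ubo_verified: bool = False       # UBO data verified against an independent source
    exception_opened: Optional[date] = None
    exception_escalated: bool = False
    triggered_reviews: List[str] = field(default_factory=list)


def file_currency_rate(files: List[CddFile], today: date) -> float:
    """Percentage of files whose scheduled refresh is not yet overdue."""
    current = sum(1 for f in files if f.next_due >= today)
    return 100.0 * current / len(files)


def bo_completion_rate(files: List[CddFile]) -> float:
    """Percentage of legal-entity customers with verified beneficial ownership."""
    entities = [f for f in files if f.is_legal_entity]
    return 100.0 * sum(1 for f in entities if f.ubo_verified) / len(entities)


def aged_exceptions(files: List[CddFile], today: date, max_age_days: int = 90) -> List[Tuple[str, int]]:
    """Exceptions open longer than max_age_days with no documented escalation."""
    aged = []
    for f in files:
        if f.exception_opened is None or f.exception_escalated:
            continue
        age = (today - f.exception_opened).days
        if age > max_age_days:
            aged.append((f.customer_id, age))
    return aged


def triggered_review_counts(files: List[CddFile]) -> Dict[str, int]:
    """Out-of-cycle reviews in the period, broken down by what triggered them."""
    return dict(Counter(t for f in files for t in f.triggered_reviews))


def edd_refresh_lag_days(reviews: List[Tuple[date, date]]) -> float:
    """Mean days between scheduled and actual completion of EDD reviews."""
    return mean((done - scheduled).days for scheduled, done in reviews)


def kpi_findings(files: List[CddFile], today: date) -> List[str]:
    """Apply the rules of thumb from the text and return the likely exam findings."""
    findings = []
    currency = file_currency_rate(files, today)
    if currency < 90.0:
        findings.append(f"file currency {currency:.1f}% is below 90%")
    aged = aged_exceptions(files, today)
    if aged:
        findings.append(f"{len(aged)} exception(s) aged over 90 days without escalation")
    if not triggered_review_counts(files):
        findings.append("no triggered reviews: monitoring-to-CDD link may be broken")
    return findings


# Constructed sample book of ten files (not real customers).
TODAY = date(2025, 6, 1)
FILES = [
    CddFile("C001", "EDD", date(2025, 3, 1), exception_opened=date(2025, 1, 15),
            triggered_reviews=["PEP match"]),
    CddFile("C002", "CDD", date(2026, 1, 1), is_legal_entity=True, ubo_verified=True),
    CddFile("C003", "SDD", date(2028, 5, 1), is_legal_entity=True, ubo_verified=True),
    CddFile("C004", "CDD", date(2025, 5, 20), is_legal_entity=True, exception_opened=date(2025, 4, 15)),
    CddFile("C005", "EDD", date(2025, 12, 1), triggered_reviews=["adverse media"]),
    CddFile("C006", "CDD", date(2027, 2, 1), is_legal_entity=True, ubo_verified=True,
            triggered_reviews=["SAR filed"]),
    CddFile("C007", "EDD", date(2026, 3, 1), is_legal_entity=True, ubo_verified=True),
    CddFile("C008", "CDD", date(2026, 9, 1), exception_opened=date(2025, 1, 1), exception_escalated=True),
    CddFile("C009", "SDD", date(2029, 1, 1)),
    CddFile("C010", "CDD", date(2026, 6, 30), is_legal_entity=True, exception_opened=date(2025, 2, 20),
            triggered_reviews=["transaction pattern change"]),
]
# Constructed (scheduled, completed) pairs for EDD reviews in the period.
EDD_REVIEWS = [(date(2025, 1, 1), date(2025, 1, 20)),
               (date(2025, 2, 1), date(2025, 3, 3)),
               (date(2025, 3, 1), date(2025, 3, 1))]

if __name__ == "__main__":
    print(f"file currency: {file_currency_rate(FILES, TODAY):.1f}%")
    print(f"UBO completion: {bo_completion_rate(FILES):.1f}%")
    print("aged exceptions:", aged_exceptions(FILES, TODAY))
    print("triggered reviews:", triggered_review_counts(FILES))
    print(f"EDD refresh lag: {edd_refresh_lag_days(EDD_REVIEWS):.1f} days")
    for finding in kpi_findings(FILES, TODAY):
        print("FINDING:", finding)
```

On this constructed book the currency rate is 80%, below the 90% line, and two exceptions have sat past 90 days without escalation, so the program would carry two findings into the exam even though out-of-cycle reviews are being triggered. An escalated exception (C008) is deliberately excluded from the aging count: the finding in the text is about aging without governance escalation, not about open exceptions as such.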

How Customer Due Diligence connects to other controls

CDD is the foundation other controls depend on.

Transaction Monitoring uses the customer risk profile to calibrate alert thresholds. If the CDD profile is stale or inaccurate, the calibration is wrong. An account reclassified as low-risk two years ago, with no refresh since, generates fewer alerts than current behavior may warrant. The two controls must share data bidirectionally to function correctly.

PEP Screening and Sanctions Screening are both inputs into CDD. A positive PEP match during onboarding or a routine refresh triggers EDD. A sanctions match triggers immediate account review and potential reporting obligations. These controls don't operate independently of CDD; they feed into it.

Adverse Media Screening provides an ongoing monitoring layer between scheduled CDD refresh cycles. A negative news alert about a customer can initiate an out-of-cycle review before the next scheduled date, often catching material risk changes before they escalate to a SAR or regulatory inquiry.

At the typology level, CDD is the primary defense against Synthetic Identity Fraud, where fabricated combinations of real and invented data are used to open accounts and generate a clean transaction history. Robust identity verification at the CDD stage catches synthetic identities before they enter the transaction monitoring layer.

CDD documentation also feeds SAR quality. A well-maintained CDD file gives the investigator the verified identity, the stated business purpose, and the expected transaction profile, which together produce a more accurate and defensible SAR narrative. Regulators expect CDD files to be updated when a SAR is filed; a file unchanged after a filing indicates a broken feedback loop between the SAR and CDD functions.

How FluxForce supports Customer Due Diligence

FluxForce's AI agents automate the evidence collection and risk scoring that CDD programs require at scale. Aiden Flux continuously monitors customer profiles against observed transaction behavior and flags mismatches that indicate a stale or inaccurate risk classification. Nova Sentinel processes real-time PEP and adverse media signals and routes EDD triggers directly into case queues. Every decision produces a timestamped audit trail, so examiners see the full review history alongside the data inputs and analyst actions at each point. Request a demo to see the CDD workflow in practice.

How FluxForce strengthens Customer Due Diligence

FluxForce AI agents operate Customer Due Diligence in real time, capture audit-ready evidence automatically, and surface the gaps examiners cite before they become findings.
