
Simplified Due Diligence: What It Is, What Regulators Expect, and What Gets You Cited

Also known as: SDD

Simplified Due Diligence (SDD) is a risk-proportionate tier of customer due diligence that lets regulated financial institutions apply reduced verification and lighter ongoing monitoring to customers assessed as genuinely low risk. It's authorized under FATF Recommendation 10 and codified in the EU's Fourth Anti-Money Laundering Directive (AMLD4, Article 15) and the UK Money Laundering Regulations 2017 (Regulation 37).

What is Simplified Due Diligence?

Simplified Due Diligence (SDD) is a risk-proportionate tier of Customer Due Diligence (CDD) that allows regulated financial institutions to apply reduced identity verification, lower documentation thresholds, and less frequent ongoing monitoring to customer relationships assessed as presenting genuinely low money laundering or terrorist financing risk.

SDD sits within the broader Know Your Customer (KYC) framework. The logic is straightforward: if a relationship genuinely carries low risk, applying the same scrutiny as a high-risk correspondent banking relationship wastes compliance resources and creates friction for legitimate customers. SDD is the calibration mechanism that matches effort to actual risk.

Also referred to as "reduced due diligence" or "simplified CDD" in some supervisory guidance, SDD appears explicitly as "simplified due diligence measures" under Article 15 of AMLD4. In the UK, the Joint Money Laundering Steering Group (JMLSG) describes it as proportionate CDD under Regulation 37 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

SDD is not a blanket exemption from CDD. A firm can apply it only where it has documented evidence that the customer, product, or transaction type presents low risk. If that risk assessment changes, the firm must escalate to standard CDD or Enhanced Due Diligence (EDD). Getting that line wrong is one of the most common findings examiners raise in this space. The control requires active management, not a one-time classification at onboarding.


Why is Simplified Due Diligence required?

The permission for SDD flows from the risk-based approach (RBA) at the core of modern AML/CTF regulation. The Interpretive Note to FATF Recommendation 10 on Customer Due Diligence allows regulated entities to apply simplified CDD measures "where the risks of money laundering or terrorist financing are lower", provided the measures are commensurate with the lower risk identified. This sits alongside FATF Recommendation 1 on the risk-based approach, which establishes that compliance resources should be directed in proportion to actual risk rather than distributed uniformly.

That permission has been translated into binding law across major jurisdictions. In the EU, Articles 15-17 of AMLD4 (Directive 2015/849) set out the conditions under which firms may apply SDD, requiring documented identification of the low-risk factors (Annex II) that justify reduced measures. The Fifth AMLD (AMLD5, Directive 2018/843) tightened the framework further. The scale of the damage that poor risk differentiation can do was illustrated by the Danske Bank Estonia case, which became public in 2017-2018: the branch's non-resident portfolio was never subjected to controls matching its actual risk, and the episode became one of the largest AML failures in European banking history.

In the UK, Regulation 37 of the MLR 2017 grants firms discretion to apply simplified measures where, after conducting a risk assessment, they can demonstrate the relationship presents a lower degree of risk. The FCA's Financial Crime Guide (FCG) clarifies that SDD is conditional on ongoing monitoring continuing at a frequency appropriate to the assessed risk. Monitoring doesn't stop; it's calibrated down.

In the US, FinCEN's 2016 Customer Due Diligence Rule (the beneficial ownership requirement at 31 CFR 1010.230, together with the amended AML program rules such as 31 CFR 1020.210 for banks) doesn't use the "SDD" label, but it achieves similar risk calibration by requiring risk-based procedures for ongoing monitoring and customer risk profiles, which lets firms tailor CDD depth to each customer category. The underlying principle is consistent across jurisdictions: proportionality, with evidence.


What do regulators expect to see?

On exam day, examiners aren't looking for a policy document that mentions SDD. They want evidence the control actually operates as documented. Here's what that means in practice.

A documented risk assessment per customer segment. Firms must demonstrate they evaluated the risk factors listed in applicable regulations (AMLD4 Annex II; JMLSG guidance) before applying SDD to any customer type. A generic "low-risk" label attached to a category without supporting analysis won't survive scrutiny.

A written, board-approved SDD policy with specific eligibility criteria. Which customer types qualify? Which products? When does the classification expire or require review? Examiners expect clear criteria, not ad hoc decisions made at the relationship manager level.

Calibrated ongoing monitoring. SDD doesn't mean no monitoring. Transaction Monitoring rules for SDD-classified customers should be documented separately, with alert thresholds and review frequencies justified by the risk rationale. Switching off monitoring for the SDD tier is a findings-generating error.

Evidence of trigger-based and periodic review. Customer risk classifications don't stay static. Regulators expect a formal review process that fires when transaction patterns change, adverse news appears, or a sanctions or PEP screening hit occurs, plus a scheduled review cycle whose frequency the firm has justified in writing (annual review of SDD portfolios is a common industry practice, not a statutory figure). A classification with no review date is itself a finding.

Governance and escalation trails. Who approved the SDD framework? Who reviews outliers? Is there a documented escalation path to standard CDD or EDD? Examiners look for clear accountability at each decision point.

Board-level MI. Senior management and the board should receive regular reporting on the size of the SDD portfolio, the proportion that triggered reclassification, and any anomalies. Absence of board MI is a recurring finding in thematic reviews.

Records in line with FATF Recommendation 11. Documentation supporting the SDD determination must be retained for at least five years and available to regulators on request. This includes the risk assessment itself, not just the customer file.


What does good Simplified Due Diligence look like?

Best-practice SDD programs share characteristics that FATF's guidance on the Risk-Based Approach for the Banking Sector and the Wolfsberg Group's AML Principles both point toward. Where it can be expressed as steps, here is how well-run programs operate:

  1. Risk categorization is specific, not generic. Good programs identify precise customer types eligible for SDD: domestic listed companies on regulated exchanges, domestic public authorities, subsidiaries of entities subject to equivalent AML/CTF requirements. Broad buckets like "corporate" or "domestic retail" aren't sufficient on their own.

  2. Low-risk eligibility is documented at onboarding. The rationale for SDD classification is captured in the customer record at the time onboarding occurs, with specific risk factors cited by reference to regulatory criteria. This is the audit trail that survives examination.

  3. Ongoing monitoring continues, calibrated down. A domestic government entity in the SDD tier might receive annual relationship reviews rather than quarterly, but transaction monitoring still runs continuously. Review frequency drops; monitoring doesn't stop.

  4. Trigger-based reclassification operates automatically. Any material change in transaction behavior, adverse media hit, or sanctions list match moves the customer out of the SDD tier into a standard CDD or EDD review queue. The trigger and the tier change are system functions that do not wait for an analyst to notice; the analyst's judgment is applied in the review that follows, not in deciding whether the review happens. Triggers only ever escalate; stepping a customer back down to SDD requires a documented decision.

  5. Regular backtesting validates the SDD population. Firms test whether SDD-classified customers actually behave like low-risk customers. If 15% of the SDD portfolio is generating transaction monitoring alerts, the classification criteria need revisiting.

  6. Policies are reviewed at least annually. Regulatory change, product changes, or shifts in the firm's risk appetite all require a formal review of which customers still qualify for simplified measures.

The Basel Committee's guidelines on the sound management of risks related to money laundering and financing of terrorism (last revised in 2017) and the FCA's financial crime thematic reviews both reach the same conclusion: the quality of the underlying risk assessment determines whether SDD removes unnecessary friction or merely hides risk.


Common audit findings and exam citations

SDD failures that lead to regulatory action fall into four recurring patterns.

Blanket SDD application without documented risk rationale. FCA enforcement notices and EBA supervisory reports have both highlighted firms that applied SDD to entire customer segments ("all SMEs," "all online accounts") without conducting segment-level risk assessments. The policy existed. The analysis underpinning it didn't.

No ongoing monitoring. The mistaken belief that SDD means no transaction monitoring is a persistent finding. The Danske Bank Estonia case illustrates the scale of damage when an institution fails to monitor a portfolio regardless of its nominal risk classification. Roughly €200 billion flowed through the branch's non-resident portfolio between 2007 and 2015, and the bank's own 2018 investigation concluded that a large share of it was suspicious. The portfolio was never formally labelled SDD, but it functioned as a de facto low-scrutiny population with no meaningful transaction monitoring, which is exactly the failure mode an SDD tier without calibrated monitoring reproduces.

Failure to reclassify. Customers who trigger alerts or appear in adverse media remain in the SDD tier because there's no automated escalation mechanism. The FCA's 2021 letter to retail bank CEOs on common AML control failings identified weaknesses in customer risk assessment and ongoing monitoring across multiple firms; a static SDD tier is a typical instance.

Weak documentation. When examiners ask for the rationale behind a specific customer's SDD classification, they receive either nothing or a generic template with no customer-specific analysis. This is particularly damaging for SAR filings: if a customer in the SDD tier later generates a suspicious activity report, the institution needs to show why SDD was appropriate at onboarding. Without that documentation, the firm's defence collapses.

Stale risk assessments. SDD classifications from 2019 or 2020 with no review since, applied to customers whose transaction profiles look nothing like the original assessment. This remains a recurring finding in recent FCA supervisory work and in the EBA's reviews of national AML/CFT supervision.


Metrics and KPIs

Measuring SDD control health requires visibility into three areas: the accuracy of the risk classification, the behavior of the SDD population, and the responsiveness of the reclassification mechanism.

SDD population size and trend. What percentage of the customer base is classified SDD? A ratio above 60-70% in a retail bank warrants internal challenge. If that percentage rises sharply quarter-on-quarter without a corresponding explanation in the business, either risk assessment criteria have loosened or the customer base has shifted in profile.

Reclassification rate. How many SDD customers were escalated to standard CDD or EDD in the period? Zero is a red flag: either the triggers aren't wired up or the population is not being monitored. A well-calibrated program shows a small but non-zero reclassification rate; 1-3% per quarter in a stable retail portfolio is an illustrative rule of thumb, not a regulatory benchmark.

Alert rate for SDD customers. What proportion of transaction monitoring alerts originate from SDD-classified customers? If SDD customers generate alerts at a rate approaching standard-risk customers, the classification criteria are wrong, not the customers.

Time to reclassify. When a trigger fires (adverse media, an alert above threshold, a sanctions hit), how long does it take to reclassify and review the customer? Best-practice programs achieve under 24 hours for automated triggers.

Policy review frequency. Is the SDD policy reviewed at least annually, with documented sign-off from the MLRO and the relevant governance body? This should appear in committee minutes, not just on a checklist.

Documentation completeness rate. What percentage of SDD-classified customers have a complete, current risk rationale on file? This should be 100%. Below 95% is an exam risk.

These metrics belong in regular board MI and MLRO reporting, not just internal audit packs. Gaps in any of these measures are precisely what examiners focus on in thematic reviews.
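The trigger-based escalation described under "What does good Simplified Due Diligence look like?" and the KPIs listed above are two views of the same data: the escalation history of each customer and the alert stream. The following block is an added example written for this page, not code from the original article or from any vendor or regulator. It runs a toy SDD book through a nightly trigger batch and then produces the quarter-end KPI pack and the exam red flags. Customer identifiers, tier names, trigger-to-tier mappings, and all thresholds are constructed for illustration.

```python
"""Toy SDD control engine: trigger-based escalation out of the SDD tier plus the
KPIs a board MI pack would carry for the SDD population.

Added example for this page, not code from any vendor, regulator or the original
article. Customers, events, tier names and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

TIER_RANK = {"SDD": 0, "CDD": 1, "EDD": 2}
# Policy assumption for this example: which tier each trigger type escalates to.
ESCALATE_TO = {"tm_alert": "CDD", "adverse_media": "CDD", "sanctions_hit": "EDD"}


@dataclass
class Customer:
    cid: str
    tier: str                        # current tier
    rationale: Optional[str]         # documented low-risk factors; None = missing
    last_review: datetime
    # (trigger_at, reclassified_at, old_tier, new_tier, reason), in order
    history: list = field(default_factory=list)


@dataclass
class Event:
    cid: str
    kind: str                        # "tm_alert" | "adverse_media" | "sanctions_hit"
    at: datetime


def tier_at(c: Customer, t: datetime) -> str:
    """Tier the customer held at time t, replayed from the escalation history."""
    tier = c.history[0][2] if c.history else c.tier  # tier before any escalation
    for _, reclassified_at, _, new_tier, _ in c.history:
        if reclassified_at <= t:
            tier = new_tier
    return tier


def apply_triggers(customers, events, run_at):
    """One batch run at run_at. Triggers only ever move a customer up a tier, so
    the function is idempotent: a trigger already acted on is a no-op next time."""
    by_id = {c.cid: c for c in customers}
    for ev in sorted(events, key=lambda e: e.at):
        if ev.at > run_at:
            continue                           # not yet visible to this run
        c, target = by_id[ev.cid], ESCALATE_TO[ev.kind]
        if TIER_RANK[target] > TIER_RANK[c.tier]:
            c.history.append((ev.at, run_at, c.tier, target, ev.kind))
            c.tier, c.last_review = target, run_at


def sdd_kpis(customers, events, start, end, review_interval=timedelta(days=365)):
    """KPIs for the reporting period [start, end)."""
    by_id = {c.cid: c for c in customers}
    in_period = lambda t: start <= t < end
    ratio = lambda a, b: a / b if b else 0.0
    sdd_now = [c for c in customers if c.tier == "SDD"]
    sdd_start = [c for c in customers if tier_at(c, start) == "SDD"]
    escalations = [h for c in customers for h in c.history if in_period(h[1]) and h[2] == "SDD"]
    alerts = [e for e in events if e.kind == "tm_alert" and in_period(e.at)]
    sdd_alerts = [e for e in alerts if tier_at(by_id[e.cid], e.at) == "SDD"]  # tier when the alert fired
    others = len(customers) - len(sdd_start)
    slowest = max((h[1] - h[0] for h in escalations), default=timedelta(0))
    return {
        "sdd_share": ratio(len(sdd_now), len(customers)),
        "reclassification_rate": ratio(len(escalations), len(sdd_start)),
        "sdd_alert_share": ratio(len(sdd_alerts), len(alerts)),
        "sdd_alert_rate": ratio(len(sdd_alerts), len(sdd_start)),          # alerts per SDD customer
        "other_alert_rate": ratio(len(alerts) - len(sdd_alerts), others),  # alerts per non-SDD customer
        "max_hours_to_reclassify": slowest.total_seconds() / 3600,
        "documentation_complete": ratio(sum(c.rationale is not None for c in sdd_now), len(sdd_now)) if sdd_now else 1.0,
        "stale_reviews": [c.cid for c in sdd_now if end - c.last_review > review_interval],
    }


def exam_flags(k):
    """Red flags in the sense of the metrics section above (thresholds are illustrative)."""
    flags = []
    if k["reclassification_rate"] == 0:
        flags.append("no SDD customer was reclassified: triggers may not be wired up")
    if k["sdd_alert_rate"] > 0 and k["sdd_alert_rate"] >= 0.5 * k["other_alert_rate"]:
        flags.append("SDD alert rate approaches the rest of the book: revisit eligibility criteria")
    if k["documentation_complete"] < 0.95:
        flags.append("SDD rationale missing on file for more than 5% of the tier")
    if k["stale_reviews"]:
        flags.append("SDD reviews older than the review interval: " + ", ".join(k["stale_reviews"]))
    if k["max_hours_to_reclassify"] > 24:
        flags.append("automated triggers took longer than 24h to reclassify")
    return flags


def build_sample_portfolio():
    """Constructed Q1-2024 book: six SDD, three standard CDD, one EDD customer."""
    d = datetime
    customers = [
        Customer("S1", "SDD", "domestic listed company (AMLD4 Annex II)", d(2023, 11, 1)),
        Customer("S2", "SDD", "domestic public authority", d(2023, 12, 1)),
        Customer("S3", "SDD", "subsidiary of an EU-regulated credit institution", d(2024, 1, 15)),
        Customer("S4", "SDD", None, d(2023, 10, 1)),                     # rationale never recorded
        Customer("S5", "SDD", "domestic listed company", d(2022, 9, 1)),  # review is stale
        Customer("S6", "SDD", "domestic public authority", d(2024, 1, 5)),
        Customer("C1", "CDD", "standard retail", d(2023, 6, 1)),
        Customer("C2", "CDD", "standard retail", d(2023, 8, 1)),
        Customer("C3", "CDD", "standard SME", d(2023, 9, 1)),
        Customer("E1", "EDD", "non-resident, higher-risk jurisdiction", d(2024, 1, 10)),
    ]
    events = [
        Event("S1", "tm_alert", d(2024, 2, 3, 14, 0)),
        Event("C1", "tm_alert", d(2024, 2, 5, 11, 0)),
        Event("S2", "adverse_media", d(2024, 2, 10, 9, 30)),
        Event("C2", "tm_alert", d(2024, 2, 15, 8, 0)),
        Event("S2", "sanctions_hit", d(2024, 2, 20, 16, 0)),  # CDD -> EDD after the media hit
        Event("E1", "tm_alert", d(2024, 3, 2, 10, 0)),
    ]
    return customers, events


def run_demo():
    """Nightly trigger batch over Q1 2024, then the quarter-end KPI pack."""
    customers, events = build_sample_portfolio()
    start, end = datetime(2024, 1, 1), datetime(2024, 4, 1)
    day = start
    while day <= end:                 # one run per midnight keeps trigger latency under 24h
        apply_triggers(customers, events, day)
        day += timedelta(days=1)
    k = sdd_kpis(customers, events, start, end)
    return {c.cid: c.tier for c in customers}, k, exam_flags(k)


if __name__ == "__main__":
    tiers, k, flags = run_demo()
    print(tiers)
    for name, value in k.items():
        print(f"{name:>25}: {value}")
    print("exam flags:", *flags, sep="\n  ")
```

On the constructed book, S1 leaves SDD on a transaction monitoring alert and S2 climbs to EDD via an adverse-media hit followed by a sanctions match, so the quarter shows a non-zero reclassification rate and sub-24-hour trigger latency; the two flags that survive are the missing rationale on S4 and the stale review on S5. Note that `tier_at` replays history so that an alert is attributed to the tier the customer held when it fired, not the tier after escalation; attributing alerts to the current tier would systematically understate the SDD alert rate, which is the backtest the classification criteria are supposed to face.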


How Simplified Due Diligence connects to other controls

SDD is a calibration point within the broader KYC lifecycle. It doesn't stand alone.

Customer Due Diligence is the parent control: SDD is one tier within it, alongside standard CDD and EDD. The risk assessment that determines SDD eligibility also drives PEP Screening and adverse media review frequencies. Sanctions Screening is the exception: sanctions obligations are not risk-based, so an SDD customer is screened at onboarding and rescreened against list updates on the same basis as every other customer. What SDD calibrates is the frequency and depth of ongoing KYC review, not whether the checks happen at all.

Transaction Monitoring is the runtime control that validates the SDD classification over time. When monitoring produces alerts inconsistent with the SDD tier, that's the signal to reclassify. The two controls need to be connected operationally: a spike in alerts from the SDD population should trigger a review of the classification criteria, not just the individual customer file.

On the typology side, SDD weaknesses most commonly surface in Smurfing and Structuring schemes, where criminals deliberately target lower-monitoring tiers. Structured deposits can stay below alert thresholds calibrated for low-risk customers while moving significant volumes. Money Mule Networks exploit SDD classifications when mule accounts are established using customer profiles that initially qualify for simplified measures, such as students or low-income domestic workers whose early transaction behavior appears low-risk.

Understanding the SDD-to-EDD escalation pathway is essential for maintaining a coherent customer risk profile across the relationship lifecycle. A firm that can't trace that escalation path in its system documentation has a governance gap that examiners will find.


How FluxForce supports Simplified Due Diligence

FluxForce AI agents continuously monitor SDD-classified customer behavior. When patterns are inconsistent with the assessed risk tier, the system flags them and triggers reclassification workflows automatically. Nova Sentinel's behavioral analytics detect structured activity and mule network patterns in populations that standard controls may underweight. Every SDD classification decision, threshold adjustment, and reclassification event is captured with full audit evidence. Exam preparation becomes straightforward. For teams managing large SDD portfolios across multiple jurisdictions, FluxForce's Regulatory Compliance Automation capabilities reduce manual review burden and keep documentation audit-ready. Book a demo to see it in action.

How FluxForce strengthens Simplified Due Diligence

FluxForce AI agents operate Simplified Due Diligence in real time, capture audit-ready evidence automatically, and surface the gaps examiners cite before they become findings.
