Customer Due Diligence (CDD): Definition and Use in Compliance
Customer Due Diligence (CDD) is a KYC process that financial institutions use to verify client identity, assess the nature of business relationships, and evaluate the money laundering or terrorist financing risk that each customer presents.
What is Customer Due Diligence (CDD)?
CDD is the process financial institutions use to verify who their customers are, understand the nature of the business relationship, and assess the risk of money laundering or terrorist financing. It's the default verification tier within any Know Your Customer (KYC) program, applied to the broad majority of customers who don't present elevated risk indicators.
FATF Recommendation 10 defines four required elements. First, identify and verify the customer using reliable, independent source documents: a passport or national ID for individuals, certified registration documents for businesses. Second, identify and verify the beneficial owner when the customer is a legal entity; this means tracing the ownership chain back to the natural person who ultimately owns or controls the business. Third, understand the purpose and intended nature of the business relationship: why does this customer need this account, and what transactions do they expect to make? Fourth, conduct ongoing monitoring so that transactions stay consistent with the institution's knowledge of the customer, and refresh the file when circumstances change.
To make this concrete: a UK bank onboarding a new limited company collects the certificate of incorporation, identifies the two directors as beneficial owners each holding 50%, records that the account is for receiving supplier payments with an expected monthly turnover of £200,000, and sets the initial risk rating to low. That file is the baseline for every subsequent monitoring decision the institution will make about that customer.
The framework anticipates two variations. When assessed risk is higher, institutions move the customer to Enhanced Due Diligence (EDD), which adds source-of-wealth documentation, senior management approval, and more frequent review cycles. When risk is demonstrably low and the customer type fits a defined category, Simplified Due Diligence (SDD) allows reduced verification steps.
CDD creates the customer's financial identity file. Every subsequent decision, from monitoring alert triage to relationship exits, depends on the quality of that file. A thin or outdated CDD record means risk assessments throughout the relationship are built on incomplete information.
How is Customer Due Diligence (CDD) used in practice?
Compliance teams run CDD at three distinct points: onboarding, periodic review, and event-triggered reassessment.
At onboarding, analysts collect and verify identity documents. For individual customers, that means government-issued photo ID and proof of address. For legal entities, it means company registration documents, ownership structure diagrams, and identification of every Ultimate Beneficial Owner (UBO) holding 25% or more of shares or control, as required by FinCEN's 2016 Customer Due Diligence Rule. Beyond the documents themselves, the team records the expected transaction profile: estimated monthly volumes, transaction types, counterparty countries, and the stated purpose of the account. That profile is the baseline for all future monitoring work.
Periodic reviews are scheduled based on risk rating. A high-risk corporate client is reviewed annually. A low-risk retail customer might go three to five years between formal reviews. Each review confirms that information on file is still accurate, checks for new sanctions hits or adverse media, and reassesses the risk rating in light of any changes.
Event-triggered reassessments bypass the schedule entirely. Common triggers include: the customer moves to a high-risk jurisdiction, appoints a new UBO, starts using a product type not declared at onboarding, or shows transaction volumes that deviate significantly from their stated profile. Rapid changes in business activity are a standard trigger for corporate clients.
When a review can't reconcile an anomaly with the customer's CDD profile, the case escalates. Four outcomes are possible: update the risk rating and document the rationale, request fresh documentation from the customer, file a Suspicious Activity Report (SAR), or exit the relationship. In practice, the speed of that decision depends almost entirely on the quality of the original CDD record. We've seen cases where analysts spent more time reconstructing a customer's history from raw transaction data than investigating the actual alert, because the CDD file contained almost nothing useful.
Customer Due Diligence (CDD) in regulatory context
FATF Recommendation 10 is the global reference point. It defines the four-element CDD framework that nearly every jurisdiction has embedded in domestic law. FATF's Mutual Evaluation process scores countries on how well their financial sector actually applies CDD in practice. Having the right regulations on paper is necessary; actual implementation determines the score. Poor results carry real consequences: grey-listing restricts correspondent banking relationships and can effectively cut a country's banks off from the dollar clearing system.
In the United States, FinCEN's Customer Due Diligence Final Rule, effective May 2018, added beneficial ownership as an explicit fifth requirement alongside the four FATF elements. Covered institutions, including banks, credit unions, and broker-dealers, must collect beneficial ownership information from legal entity customers at account opening and verify it using documentary or non-documentary methods.
In the EU, CDD requirements appear across successive Anti-Money Laundering Directives. The 4th AMLD strengthened risk-based CDD standards in 2015. The 5th AMLD tightened controls for high-risk third countries and virtual asset service providers. The 6th AMLD, implemented across member states in 2021, expanded predicate offenses and extended personal criminal liability to senior managers whose negligence enabled AML failures.
The UK's Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 set the domestic standard, aligned with FATF. The FCA fined NatWest £264.8 million in December 2021 after the bank pleaded guilty to failing to prevent money laundering. NatWest's systems failed to detect £365 million in deposits from a single customer, including £264 million in cash. The case is a useful illustration: regulators treat CDD failures as institutional failures, not individual compliance officer errors. The fine reflected the systemic breakdown of controls, not one missed alert.
Common CDD Challenges and How to Address Them
The most common failure mode isn't missing the CDD step. It's executing it badly at scale.
Large banks onboard thousands of customers each month. Standardizing document collection across retail, SME, and corporate tiers is harder than it looks. Corporate structures can be genuinely complex: a single customer might be a holding company with five ownership layers across three jurisdictions, with beneficial ownership obscured through nominee arrangements. Manually mapping that structure takes hours per case, and analysts under pressure take shortcuts. In practice, beneficial ownership documentation tends to be the weakest element in most CDD programs. It's where shortcuts are most common and where examiner scrutiny is highest.
Outdated records are the second major problem. A CDD file completed in 2019 is still the basis for risk decisions made in 2025. Customer circumstances change. Directors change. Ownership changes. Countries move onto FATF grey lists. Without systematic periodic review triggers tied to risk rating, files go stale and risk ratings become unreliable.
Third, there's the documentation quality problem. Collecting a passport scan is straightforward. Documenting the reasoning behind a risk judgment, in a way that would survive FCA or FinCEN scrutiny, is a different skill. Examiners look for documented reasoning, not just documents. The file needs to show that someone made a considered judgment, not that boxes were checked.
Approaches that address these problems consistently:
- Tiered CDD workflows with automated document checklists per customer type, so analysts aren't deciding what to collect each time
- Real-time UBO verification through commercial registry integrations rather than manual ownership diagrams
- Risk-score-triggered review queues, so high-risk customers are reviewed before their scheduled date if their score changes
- Audit trails that capture who made the risk judgment and on what basis, not just what documents were received
- Clear escalation paths so analysts know when a CDD gap requires a management decision versus a documentation update
The goal is to make thorough CDD the default path, not the exception that requires extra effort.
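The beneficial ownership mapping described above (tracing a multi-layer holding structure back to natural persons and applying the 25% UBO threshold from FinCEN's rule) is the part of CDD that is most often done by hand. The following is an added example, not code from this page or from FluxForce, showing how that mapping can be computed from a registry-style ownership graph and how a change in the structure becomes an event trigger for reassessment. The entity names, percentages and the restructuring scenario are constructed for illustration; the example models the ownership prong only, not the separate "control" prong.

```python
"""Resolve ultimate beneficial owners through layered ownership (added example).

Each entity records who holds it and what percentage. Effective ownership of a
natural person is the sum, over every ownership path, of the product of the
percentages along that path. Persons at or above the threshold are UBOs.
"""
from dataclasses import dataclass, field

UBO_THRESHOLD = 25.0  # percent; threshold stated on the page (FinCEN CDD Rule)


@dataclass
class Entity:
    name: str
    kind: str                                   # "person" or "company"
    owners: dict = field(default_factory=dict)  # holder name -> % of this entity held


def person(name):
    return Entity(name, "person")


def company(name, owners):
    return Entity(name, "company", dict(owners))


def effective_ownership(entities, target):
    """Return {person_name: effective %} for everyone owning `target` directly or indirectly."""
    result = {}

    def walk(entity_name, share, path):
        for holder, pct in entities[entity_name].owners.items():
            if holder in path:
                # Cross-holding loop (A owns B, B owns A): stop rather than recurse forever.
                # Real registries need a proper fixed-point calculation for these; here we truncate.
                continue
            contribution = share * pct / 100.0
            if entities[holder].kind == "person":
                result[holder] = result.get(holder, 0.0) + contribution
            else:
                walk(holder, contribution, path | {holder})

    walk(target, 100.0, {target})
    return result


def beneficial_owners(entities, target, threshold=UBO_THRESHOLD):
    """Sorted names of natural persons whose effective ownership meets the threshold."""
    return sorted(n for n, pct in effective_ownership(entities, target).items() if pct >= threshold)


def ubo_change(before, after):
    """Event trigger: any UBO appearing or disappearing warrants an off-schedule reassessment."""
    return {"added": sorted(set(after) - set(before)), "removed": sorted(set(before) - set(after))}


def build_sample():
    """Constructed three-layer structure (hypothetical names, not real companies)."""
    ents = [
        company("Acme Trading Ltd", {"Holdco A": 60.0, "Dana": 40.0}),
        company("Holdco A", {"Holdco B": 50.0, "Eli": 50.0}),
        company("Holdco B", {"Fay": 100.0}),
        person("Dana"), person("Eli"), person("Fay"), person("Gus"),
    ]
    return {e.name: e for e in ents}


def apply_restructure(entities):
    """Constructed event: Holdco B brings in a new shareholder, diluting Fay below 25% overall."""
    entities["Holdco B"].owners = {"Fay": 80.0, "Gus": 20.0}
    return entities


if __name__ == "__main__":
    ents = build_sample()
    before = beneficial_owners(ents, "Acme Trading Ltd")
    print("effective ownership:", effective_ownership(ents, "Acme Trading Ltd"))
    print("UBOs at onboarding:", before)          # Dana 40%, Eli 30%, Fay 30%
    after = beneficial_owners(apply_restructure(ents), "Acme Trading Ltd")
    print("UBOs after restructure:", after)       # Fay drops to 24%, Gus enters at 6%
    print("reassessment trigger:", ubo_change(before, after))
```

The restructuring case is the one worth noticing: nothing changed at the customer entity itself, yet a shareholder two layers up fell below the threshold, which is exactly the kind of change a manual ownership diagram drawn at onboarding would miss until the next scheduled review.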
Related Terms and Concepts
CDD sits within a broader set of customer risk management terms. Understanding how they connect matters for anyone designing or auditing a compliance program.
Know Your Customer (KYC) is the overarching program. CDD is one of its primary procedural components, alongside customer identification (the Customer Identification Program, or CIP, in U.S. terminology), risk rating, and ongoing monitoring. When a compliance officer says their KYC program is failing, the root cause is almost always either CDD quality, monitoring coverage, or both.
Know Your Business (KYB) is CDD applied to legal entities. The practical difference is complexity: verifying an individual requires identity documents and address proof. Verifying a business requires understanding its corporate structure, identifying all beneficial owners, confirming the legitimacy of its stated activities, and screening key personnel against sanctions and adverse media lists. KYB is where UBO identification becomes the hard problem.
Enhanced Due Diligence (EDD) is the elevated tier for high-risk customers. EDD adds source-of-wealth and source-of-funds documentation, more frequent reviews, and in many jurisdictions, senior management approval before onboarding or transacting with politically exposed persons. A corporate onboarding that starts as standard CDD can escalate to EDD mid-process if a director is identified as a politically exposed person. That one finding changes the tier, the documentation requirements, and the approval chain.
Simplified Due Diligence (SDD) reduces verification requirements for customer types that regulators designate as inherently low risk. The determination of which customers qualify is itself a risk judgment, and most compliance programs apply it narrowly to avoid regulatory challenge.
CDD failures feed directly into downstream reporting obligations. When ongoing monitoring finds a transaction that can't be reconciled with the customer's CDD profile, the result is typically a Suspicious Activity Report (SAR) or, in jurisdictions that use the equivalent term, a Suspicious Transaction Report (STR). A CDD record that's thin, outdated, or poorly documented makes those reporting decisions much harder to defend.
Where does the term come from?
The term entered formal regulatory language through FATF's Forty Recommendations, first issued in 1990 and revised significantly in 2003. FATF Recommendation 10 codified the four-element framework that most jurisdictions have since embedded in domestic law.
In the United States, FinCEN formalized the term through the Customer Due Diligence Final Rule, effective May 2018, adding beneficial ownership as a fifth explicit pillar. The EU embedded equivalent requirements across successive Anti-Money Laundering Directives, most recently updated through the 6th AMLD. The core definition has remained stable; the main evolution is the shift from static document collection at onboarding to continuous, risk-based monitoring throughout the customer relationship.
How FluxForce handles Customer Due Diligence (CDD)
FluxForce AI agents monitor CDD-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.