Customer Due Diligence (CDD): Definition and Use in Compliance
Customer Due Diligence (CDD) is a KYC process that financial institutions use to verify customer identities, assess the risk each customer presents, and monitor ongoing account activity to detect money laundering, terrorist financing, and other financial crimes.
What is Customer Due Diligence (CDD)?
Customer Due Diligence is the formal process financial institutions use to verify who their customers are, assess the risk each customer presents, and monitor ongoing account activity for signs of money laundering or financial crime. It's the operational core of any AML compliance program.
FATF's Recommendation 10 defines four core CDD elements: identify the customer, verify that identity using reliable independent sources, identify beneficial owners of legal entity customers, and monitor the relationship on an ongoing basis. FinCEN's Customer Due Diligence Rule (31 CFR 1010.230, effective May 2018) added a fifth element for US-regulated institutions: collecting verified beneficial ownership information at account opening, requiring identity confirmation for any natural person who owns 25% or more of a legal entity customer.
Not every customer gets the same treatment. A salaried employee opening a basic checking account is low risk. A foreign national establishing a private banking relationship with complex offshore structures is high risk. The Know Your Customer (KYC) framework classifies customers into risk tiers and CDD scales accordingly. The least complex customers may qualify for Simplified Due Diligence (SDD). Those with elevated risk profiles enter Enhanced Due Diligence (EDD), which adds source-of-funds verification, senior management approval, and more frequent review cycles.
CDD doesn't end at account opening. Transaction monitoring continuously tests whether customer behavior matches their stated profile. A manufacturing company that starts receiving large cash deposits from shell entities should trigger a CDD refresh, going well beyond a standard transaction alert.
The Beneficial Owner requirement changed business account opening at US banks. Know Your Business (KYB) is the corporate-specific extension of CDD: it covers entity verification, ownership structure, and business activity screening for legal entity customers, whereas CDD in general applies to every customer.
How is Customer Due Diligence (CDD) used in practice?
In a typical bank, CDD starts the moment a new customer application arrives. The compliance team, or an automated onboarding system, collects identity documents, runs them through an identity verification service, screens names against sanctions lists and PEP databases, and assigns a risk rating. All of that happens before the account opens.
For individual customers, the document set is straightforward: a passport or national ID, proof of address, and sometimes source-of-funds documentation for higher-value accounts. For business customers, the process is more involved. The onboarding team needs registration documents, an ownership chart, and verified identity for anyone who owns 25% or more. That's where Ultimate Beneficial Owner (UBO) verification becomes central to the CDD workflow.
Once the account is open, CDD is ongoing. Transaction monitoring flags activity that diverges from the customer's stated risk profile. A retail customer who said they'd move $3,000 per month and starts receiving $50,000 international wire transfers needs a CDD review. That review may result in a risk re-rating, a documentation request, or, if the activity can't be explained, a Suspicious Activity Report (SAR).
Periodic reviews complete the cycle. Most banks schedule these by risk tier: annually for high-risk accounts, every two to three years for standard ones. Trigger events, like sanctions screening hits or negative news, accelerate the schedule outside the normal cycle.
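As an added illustration (not code from the original page), the profile-divergence check and tier-based review scheduling described above in Python; the 3x tolerance, the three-year standard cadence, and the sample customer and transactions are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence by tier: annual for high risk; the page gives two to three
# years for standard accounts, three is assumed here.
REVIEW_INTERVAL_DAYS = {"high": 365, "standard": 3 * 365}

@dataclass
class Profile:
    customer_id: str
    risk_tier: str               # "high" or "standard"
    expected_monthly_usd: float  # activity declared at onboarding
    last_review: date
@dataclass
class Txn:
    day: date
    amount_usd: float
    international: bool

def divergence_reasons(profile, txns, factor=3.0):
    # factor is an assumed tolerance: a month's volume, or a single international
    # wire, above factor x the declared expectation warrants a CDD review.
    limit = profile.expected_monthly_usd * factor
    monthly = {}
    for t in txns:
        key = (t.day.year, t.day.month)
        monthly[key] = monthly.get(key, 0.0) + t.amount_usd
    reasons = [f"{y}-{m:02d} volume {v:,.0f} USD exceeds {limit:,.0f} USD"
               for (y, m), v in sorted(monthly.items()) if v > limit]
    reasons += [f"{t.day} international wire {t.amount_usd:,.0f} USD exceeds {limit:,.0f} USD"
                for t in txns if t.international and t.amount_usd > limit]
    return reasons

def next_review(profile, today, trigger_events=()):
    # Scheduled by tier; any trigger event (sanctions hit, negative news, divergence) pulls it forward to today.
    scheduled = profile.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[profile.risk_tier])
    return today if trigger_events else scheduled

def assess(profile, txns, today):
    reasons = divergence_reasons(profile, txns)
    return {"review_now": bool(reasons), "reasons": reasons,
            "next_review": next_review(profile, today, reasons)}

# Constructed sample: a retail customer who declared $3,000 per month and then
# receives a $50,000 international wire.
SAMPLE_TODAY = date(2024, 5, 10)
SAMPLE_PROFILE = Profile("C-0001", "standard", 3000.0, date(2024, 1, 15))
SAMPLE_TXNS = [Txn(date(2024, 3, 2), 2800.0, False), Txn(date(2024, 4, 5), 3100.0, False),
               Txn(date(2024, 5, 9), 50000.0, True)]
```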
Teams using Identity Verification and KYC/AML Automation can automate document collection, screening, and review scheduling. Automation cuts time per case from hours to minutes. The final risk rating decision stays with the compliance officer.
Customer Due Diligence (CDD) in regulatory context
CDD requirements exist in every major AML framework. FATF's Recommendation 10 is the international baseline: financial institutions must conduct CDD on customers, identify beneficial owners, and understand the purpose of each business relationship. All 39 FATF member jurisdictions are expected to transpose this into national law.
In the United States, the legal obligation flows from the Bank Secrecy Act, implemented through FinCEN's Customer Due Diligence Rule (31 CFR 1010.230, effective May 2018). Covered institutions include banks, credit unions, broker-dealers, mutual funds, and futures commission merchants. The rule added mandatory beneficial ownership collection at business account opening, which significantly increased KYB workloads across the industry.
In the European Union, CDD is governed by successive Anti-Money Laundering Directives. The Fourth AMLD (2015) aligned EU requirements with FATF standards. The Fifth AMLD (2018) added public beneficial ownership registers and tightened due diligence for high-risk third country transactions. The Sixth AMLD (2020) expanded predicate offenses and introduced personal criminal liability for senior managers who fail to prevent money laundering.
In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) implement equivalent requirements for FCA-regulated firms. The FCA fined NatWest £264.8 million in 2021 for AML failures that included deficient CDD on a cash-intensive customer who deposited £365 million in cash over five years. That remains the largest AML penalty in FCA history.
Inadequate CDD carries serious consequences: civil monetary penalties, regulator-imposed remediation programs, and in the most severe cases, consent orders that restrict business activity.
Common challenges and how to address them
CDD sounds straightforward on paper. In practice, it generates more operational headaches than almost any other AML control.
The first problem is outdated customer profiles. Many banks opened accounts before the 2018 FinCEN CDD Rule took effect, with no beneficial ownership information on file. Remediating that backlog takes years for any institution with a large business account portfolio. Manual periodic review cycles add enormous volume without proportional staff increases.
Document quality is a persistent issue. Customers submit expired IDs, documents in languages the compliance team can't process, or ownership structures designed to obscure the real Beneficial Owner. The ownership question gets especially complicated with multi-tier holding companies and nominee shareholders in secrecy jurisdictions. A bank onboarding a Cayman Islands shell owned by a BVI holding company requires due diligence at each layer, not just the entity in the contract.
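The layered ownership problem above, together with the 25% beneficial-owner threshold from the onboarding discussion earlier, as an added example that is not part of the original page: it multiplies percentages along each ownership path (an assumed method; the page only states the threshold), flags cross-holdings and undisclosed ownership, and lists every entity layer that needs its own diligence. The ownership chart is constructed.

```python
from collections import defaultdict

UBO_THRESHOLD = 25.0  # natural persons owning 25% or more, per the FinCEN CDD Rule

# Constructed ownership chart. Each entity maps to its direct owners as
# (owner, percent). Names starting with "P:" are natural persons; anything
# else is a legal entity that needs its own layer of diligence.
OWNERSHIP = {
    "Cayman Shell Ltd":  [("BVI Holdco", 100.0)],
    "BVI Holdco":        [("P:Alice", 60.0), ("Panama Nominee SA", 40.0)],
    "Panama Nominee SA": [("P:Bob", 70.0), ("BVI Holdco", 20.0)],  # cross-holding; 10% undisclosed
}

def is_person(name): return name.startswith("P:")

def effective_ownership(chart, entity):
    """Indirect ownership of `entity` by natural persons, computed by multiplying
    percentages along every ownership path and summing over paths (assumed
    method). Returns (persons, layers, issues): person -> effective %, the
    entity layers traversed, and any cross-holdings or undisclosed ownership
    found on the way (an ownership loop is reported once and not followed)."""
    persons, layers, issues = defaultdict(float), [], []
    def walk(node, share, path):
        if node in path:
            issues.append(f"cross-holding: {' -> '.join(path + [node])}")
            return
        layers.append(node)
        declared = sum(p for _, p in chart.get(node, []))
        if declared < 100.0:
            issues.append(f"{node}: {100.0 - declared:.1f}% of ownership undisclosed")
        for owner, pct in chart.get(node, []):
            s = share * pct / 100.0
            if is_person(owner):
                persons[owner] += s
            else:
                walk(owner, s, path + [node])
    walk(entity, 100.0, [])
    return dict(persons), layers, issues

def beneficial_owners(chart, entity, threshold=UBO_THRESHOLD):
    persons, layers, issues = effective_ownership(chart, entity)
    ubos = {p: round(v, 2) for p, v in persons.items() if v >= threshold}
    return {"ubos": ubos, "layers": layers, "issues": issues}
```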
Cross-border relationships create a risk rating problem. A customer who qualifies as standard risk in one jurisdiction may be high risk in another, depending on local PEP definitions, sanctions exposure, or predicate offense classifications. Material ties to a FATF-designated high-risk jurisdiction require heightened scrutiny regardless of actual transaction behavior.
Alert fatigue in ongoing monitoring compounds everything. Rule-based transaction monitoring systems produce high proportions of false positive alerts. Analysts who spend most of their day clearing non-events have less capacity to investigate real risk. Better calibration of AML transaction monitoring rules is a direct lever for improving CDD quality.
A few approaches have reliably helped: risk-based questionnaires at onboarding tied to automated document collection, AI-based screening to cut false positive rates, and automated review scheduling to keep profiles current. None of these replace compliance officer judgment. They reduce the manual burden so analysts can work on genuine cases.
Related terms and concepts
CDD sits at the intersection of several compliance concepts. Knowing where each begins and ends matters for building accurate procedures and controls.
Know Your Customer (KYC) is the broader program of which CDD is one component. KYC covers customer identity, due diligence, and ongoing monitoring as a complete program. CDD is specifically the due diligence element: the risk assessment, the information collected beyond basic identity, and the ongoing review cycle.
Know Your Business (KYB) extends CDD to legal entity customers. Where individual CDD focuses on personal identity and risk, KYB adds entity verification, corporate structure analysis, and source-of-funds assessment for business accounts. For any institution that onboards corporate clients, KYB is a distinct and more complex CDD workflow.
Enhanced Due Diligence (EDD) is the elevated version of CDD for high-risk customers. EDD requires deeper scrutiny: source-of-wealth verification, senior management approval, more frequent review cycles, and enhanced transaction monitoring. It's mandatory for politically exposed persons, customers from high-risk jurisdictions, and certain correspondent banking relationships.
Simplified Due Diligence (SDD) applies at the other end of the risk spectrum. Certain low-risk customers (some government entities, listed companies, regulated financial institutions) may qualify for reduced verification requirements, subject to regulatory approval.
When CDD monitoring identifies activity that can't be explained, the output is typically a Suspicious Activity Report (SAR) in the US or a Suspicious Transaction Report (STR) in many other jurisdictions. The SAR or STR is the direct regulatory output of effective CDD and transaction monitoring working together. Institutions that automate the chain from identity checks through to case escalation reduce time from alert to filing from days to hours.
Where does the term come from?
The phrase "Customer Due Diligence" entered formal financial regulation in the early 2000s, driven by FATF's revised 40 Recommendations (2003, updated 2012), which required member countries to mandate CDD for financial institutions. In the United States, FinCEN codified the obligations through the Customer Due Diligence Rule (31 CFR 1010.230), finalized May 2016 and effective May 2018. The EU followed through successive Anti-Money Laundering Directives, with the Fourth AMLD (2015) aligning with FATF standards and the Fifth AMLD (2018) adding beneficial ownership registers. The term derives from "due diligence" in contract law, repurposed here to mean the minimum investigation a firm must complete before accepting a customer.
How FluxForce handles Customer Due Diligence (CDD)
FluxForce AI agents monitor CDD-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.