
Simplified Due Diligence (SDD): Definition and Use in Compliance


Simplified Due Diligence (SDD) is a KYC procedure that applies reduced customer identification and ongoing monitoring requirements to business relationships and transactions assessed as presenting a demonstrably low risk of money laundering or terrorist financing.

What is Simplified Due Diligence (SDD)?

Simplified Due Diligence is the lightest tier of the three-level due diligence framework that financial institutions apply under a risk-based approach to AML and Know Your Customer (KYC) compliance. Where Customer Due Diligence (CDD) is the standard, SDD is the approved reduction you apply when the risk from a given customer or product is demonstrably low, and you can document exactly why.

The key requirement is documentation. Regulators don't accept intuition. To apply SDD, a firm needs evidence that the customer or product meets pre-defined criteria set out in national legislation implementing FATF Recommendation 10 or the EU's Anti-Money Laundering Directives.

Categories that commonly qualify under 5AMLD and equivalent frameworks:

  • Regulated financial institutions licensed in FATF-equivalent jurisdictions
  • Publicly listed companies on recognized stock exchanges
  • Central and local government bodies in low-risk jurisdictions
  • Low-risk financial products: basic savings accounts, insurance policies with annual premiums below defined thresholds, occupational pension schemes with no early surrender options

What SDD actually reduces: the depth of initial identification, the volume of documents collected, and the frequency of periodic review. It doesn't eliminate the obligation to conduct due diligence. You still need to know who the customer is, what they do, and whether the relationship is consistent with your expectations.

FATF Recommendation 10, published in the Forty Recommendations, is explicit on this point. Countries permitting simplified measures must still require firms to collect enough information to detect suspicious behavior. If a customer on an SDD path starts generating unusual transactions, the firm still has an obligation to report. SDD doesn't suspend the Suspicious Activity Report (SAR) obligation.

The contrast with Enhanced Due Diligence (EDD) is direct. EDD adds documentation, senior management sign-off, and source-of-wealth verification. SDD removes process steps. They sit at opposite ends of the spectrum, with standard CDD in between. The simplification is real, but it's bounded by what the customer's risk profile actually supports.

How is Simplified Due Diligence (SDD) used in practice?

The SDD workflow typically starts at onboarding. When a new customer is classified as low-risk and matches an approved SDD category, the compliance system routes them to the simplified path. That means collecting a single government-issued ID instead of multiple documents, skipping the source-of-funds questionnaire, omitting full Ultimate Beneficial Owner (UBO) verification for certain entity types, and setting the periodic review cycle to three to five years instead of the annual cadence applied to standard CDD customers.

The most common real-world scenario is correspondent banking. When a bank onboards another regulated institution, say a German savings bank supervised by BaFin and listed on a recognized exchange, it can apply SDD without collecting beneficial ownership documentation on that institution's underlying customers. That's a significant reduction in both onboarding time and documentation overhead.

On the consumer product side, basic prepaid accounts frequently qualify. A card capped at 150 EUR per transaction with no cash withdrawal function typically meets the criteria under Article 16 of 5AMLD. The same logic applies to certain low-premium life insurance policies and employer pension schemes where the funds are managed by a regulated entity.

For teams using automated onboarding platforms, SDD eligibility is encoded as a conditional branch. If a customer's risk score is below threshold AND their category matches an approved SDD type, the system triggers the simplified path automatically. That cuts analyst touchpoints and shortens the onboarding journey without reducing compliance coverage.

The risk that experienced MLROs flag most often is category drift. A customer who qualified for SDD at onboarding may not qualify 18 months later. Public companies get delisted. Correspondent banks lose their regulatory licenses. SDD is a snapshot classification, not a permanent status. Mature programs run a separate annual category validation, distinct from the periodic review cycle, to catch changes before an examiner finds them first.

Transaction monitoring for SDD customers runs with higher thresholds and fewer alert types. But the monitoring doesn't stop. If a customer on an SDD path starts generating high-volume cross-border transfers, a well-configured system escalates their risk rating and re-routes them to standard CDD or EDD automatically.
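The conditional branch described above, together with the escalation rule for SDD customers whose activity changes, as an added illustration (this is example code written for this page, not a vendor's or regulator's implementation). The approved categories, equivalent-jurisdiction list, risk-score ceiling and cross-border volume trigger are all assumed values; the point it shows is that every branch, including the SDD branch, writes the deciding factor into the customer file.

```python
"""Added example: route a new customer to the SDD or standard CDD path and
record the rationale, then re-route on unusual activity. All thresholds,
categories and sample data below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Assumed pre-approved SDD categories (set by the national rules implementing
# FATF Recommendation 10); the firm matches against them, it does not add to them.
APPROVED_SDD_CATEGORIES = {
    "regulated_fi",    # licensed financial institution in an equivalent jurisdiction
    "listed_company",  # listed on a recognised stock exchange
    "public_body",     # government body in a low-risk jurisdiction
}
# Assumed jurisdictions the firm has assessed as FATF-equivalent.
EQUIVALENT_JURISDICTIONS = {"DE", "FR", "NL", "GB"}
SDD_RISK_SCORE_MAX = 30             # assumed risk-score ceiling for the simplified path
CROSS_BORDER_ESCALATION_EUR = 250_000  # assumed cross-border volume that triggers escalation


@dataclass
class Customer:
    customer_id: str
    category: str
    jurisdiction: str
    risk_score: int
    licence_ref: str = ""  # licensing / listing reference that evidences the category


@dataclass
class Decision:
    path: str                       # "SDD" or "CDD"
    rationale: dict = field(default_factory=dict)


def route_onboarding(c: Customer, assessed_on: date) -> Decision:
    """SDD only when score is below threshold AND the category is pre-approved
    AND the jurisdiction is equivalent AND evidence is on file.  Every branch
    records the deciding factor and the assessment date."""
    rationale = {
        "customer_id": c.customer_id,
        "assessed_on": assessed_on.isoformat(),
        "risk_score": c.risk_score,
        "category": c.category,
        "jurisdiction": c.jurisdiction,
    }
    if c.risk_score > SDD_RISK_SCORE_MAX:
        rationale["factor"] = "risk score above SDD ceiling"
        return Decision("CDD", rationale)
    if c.category not in APPROVED_SDD_CATEGORIES:
        rationale["factor"] = "category not on the pre-approved SDD list"
        return Decision("CDD", rationale)
    if c.jurisdiction not in EQUIVALENT_JURISDICTIONS:
        rationale["factor"] = "jurisdiction not assessed as equivalent"
        return Decision("CDD", rationale)
    if not c.licence_ref:
        # "They're a regulated bank" is not evidence; a reference must be recorded.
        rationale["factor"] = "no licence or listing reference recorded"
        return Decision("CDD", rationale)
    rationale["factor"] = (
        f"{c.category} in equivalent jurisdiction {c.jurisdiction}; ref {c.licence_ref}"
    )
    rationale["review_cycle_years"] = 3  # assumed SDD periodic review cycle
    return Decision("SDD", rationale)


def monitor_sdd_activity(current_path: str, txns: list) -> tuple:
    """Monitoring does not stop under SDD: if cross-border volume exceeds the
    trigger, the customer is re-routed to standard CDD with the reason logged."""
    if current_path != "SDD":
        return current_path, None
    cross_border = sum(t["amount_eur"] for t in txns if t["cross_border"])
    if cross_border > CROSS_BORDER_ESCALATION_EUR:
        reason = f"cross-border volume {cross_border} EUR exceeded {CROSS_BORDER_ESCALATION_EUR}"
        return "CDD", reason
    return "SDD", None


if __name__ == "__main__":
    # Constructed sample: a regulated bank with a placeholder licence reference.
    bank = Customer("C-001", "regulated_fi", "DE", 20, "BaFin licence no. <placeholder>")
    decision = route_onboarding(bank, date(2024, 1, 15))
    print(decision.path, decision.rationale["factor"])
    sample_txns = [
        {"amount_eur": 100_000, "cross_border": True},
        {"amount_eur": 200_000, "cross_border": True},
        {"amount_eur": 50_000, "cross_border": False},
    ]
    print(monitor_sdd_activity(decision.path, sample_txns))
```

The rationale dictionary is the artefact an examiner asks for: jurisdiction equivalence, the licensing reference and the assessment date sit in the file alongside the decision, not just a risk score in a system field.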

Simplified Due Diligence (SDD) in regulatory context

FATF Recommendation 10 is the global anchor. The Forty Recommendations establish that countries may permit simplified CDD measures where "the risks of money laundering and terrorist financing are lower." Critically, the FATF specifies that national regulators, not individual firms, define which categories qualify. A firm decides whether a specific customer fits a pre-approved category. It can't invent new low-risk categories on its own.

In the EU, the framework sits in Articles 15 and 16 of 4AMLD (Directive 2015/849) and was refined by 5AMLD (Directive 2018/843). Article 16 lists factors that may indicate lower risk: geographic factors (customers from EU member states or equivalent third countries), customer type (regulated financial institutions, listed companies, public bodies), and product characteristics (low transaction limits, no cash function, purpose-limited use). The incoming 6AMLD, to be transposed by 2027, tightens eligibility criteria further and introduces harmonized definitions across EU member states.

In the United States, the Bank Secrecy Act doesn't use the term "SDD" explicitly, but FinCEN's Customer Due Diligence Rule (31 CFR § 1020.220) permits risk-based variation in due diligence depth consistent with the FATF framework. Lower-risk customers can be handled with reduced procedures, and the practical effect is equivalent to SDD.

UK firms follow the Money Laundering Regulations 2017 (MLRs 2017), specifically Regulation 37. The FCA's Financial Crime Guide, Section 5 is direct: if a firm can't explain why a customer qualified for SDD, the regulator treats it as a CDD failure, not a valid application of simplified measures.

The clearest recent enforcement example: the FCA fined Santander UK £107.7 million in December 2022 partly for correspondent banking due diligence failures, including cases where simplified measures were applied without documented justification. That case made the principle plain. SDD requires a paper trail, not just a risk score in a system field.

Common challenges and how to address them

The most frequent mistake compliance teams make is treating SDD as a one-time classification. A customer gets approved for the SDD path at onboarding and isn't reviewed for five years. The FCA cited "set and forget" SDD classifications as a recurring deficiency in its 2022 supervisory findings on money laundering controls. Circumstances change. The classification has to keep pace.

Documentation gaps are the second problem. Applying SDD without a recorded rationale is functionally the same as not applying it at all. During an AML exam, examiners ask for the specific factor that justified reduced measures. "They're a regulated bank" doesn't pass muster. You need the jurisdiction's equivalence status, the entity's licensing details, and the date of the assessment recorded in the customer file.

Third: transaction monitoring calibration. SDD customers get higher alert thresholds. That's defensible when the risk profile justifies it, but static thresholds create a blind spot when behavior changes. Dynamic thresholding, where the system tightens monitoring automatically as a customer's activity deviates from their expected pattern, removes that blind spot. Several regulatory compliance automation platforms now support behavioral baseline monitoring that adjusts thresholds at the individual customer level, not just the category level.

Fourth: correspondent banking scope errors. Applying SDD to a correspondent institution doesn't mean you accept that institution's underlying customers at SDD level. The SDD applies to the institution itself. Transactions flowing through the correspondent on behalf of high-risk underlying customers still need appropriate scrutiny. This distinction has been a direct contributor to enforcement action.

A practical annual review framework works like this: confirm the customer still meets the qualifying criteria; compare their recent transaction profile against the baseline established at onboarding; verify no changes in sanctions status, adverse media coverage, or regulatory standing. The FCA Financial Crime Guide Section 5.3 sets a workable baseline for what "adequate ongoing monitoring" looks like in SDD relationships. Automating these three checks removes the manual burden without creating coverage gaps.
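The three-check annual validation described above, with the dynamic thresholding from the calibration point folded in, as an added example (written for this page; not a platform's own logic or the FCA's guidance rendered as code). The deviation limit, the SDD alert multiplier and the sample customer files are constructed assumptions; register, sanctions and adverse-media lookups are represented as booleans already obtained from those sources.

```python
"""Added example: annual SDD category validation.  Checks (1) the customer
still meets the qualifying criteria, (2) recent activity against the
onboarding baseline, (3) sanctions / adverse media / regulatory standing,
and computes a per-customer alert threshold that tightens as behaviour
deviates.  All parameters and sample data are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean

DEVIATION_LIMIT = 2.0      # assumed: recent volume above 2x baseline removes SDD
SDD_ALERT_MULTIPLIER = 3.0  # assumed: SDD alerts fire at 3x baseline when behaviour is stable


@dataclass
class SddFile:
    customer_id: str
    category: str               # "regulated_fi" or "listed_company" (assumed labels)
    still_licensed: bool        # result of a register re-check (assumed lookup)
    still_listed: bool          # result of an exchange re-check (assumed lookup)
    baseline_monthly_eur: float  # volume profile established at onboarding
    recent_monthly_eur: list     # last N months of volume
    sanctions_hit: bool
    adverse_media_hit: bool
    regulatory_action: bool


def sdd_alert_threshold(baseline_eur: float, deviation_ratio: float) -> float:
    """Dynamic thresholding: the SDD threshold starts at SDD_ALERT_MULTIPLIER x
    baseline and shrinks toward the standard (1x) level as the customer's
    activity deviates from the baseline."""
    effective = SDD_ALERT_MULTIPLIER / max(deviation_ratio, 1.0)
    return baseline_eur * max(1.0, effective)


def annual_validation(f: SddFile) -> dict:
    """Run the three checks and decide whether the SDD classification is retained."""
    findings = []

    # 1. Does the customer still meet the qualifying criteria (category drift)?
    if f.category == "regulated_fi" and not f.still_licensed:
        findings.append("licence lapsed: category drift")
    if f.category == "listed_company" and not f.still_listed:
        findings.append("delisted: category drift")

    # 2. Compare the recent transaction profile against the onboarding baseline.
    recent = mean(f.recent_monthly_eur) if f.recent_monthly_eur else 0.0
    if f.baseline_monthly_eur > 0:
        ratio = recent / f.baseline_monthly_eur
    else:
        ratio = float("inf") if recent > 0 else 0.0
    if ratio > DEVIATION_LIMIT:
        findings.append(f"activity {ratio:.1f}x baseline")

    # 3. Any change in sanctions status, adverse media or regulatory standing?
    if f.sanctions_hit:
        findings.append("sanctions match")
    if f.adverse_media_hit:
        findings.append("adverse media")
    if f.regulatory_action:
        findings.append("regulatory action against entity")

    return {
        "customer_id": f.customer_id,
        "retain_sdd": not findings,
        "findings": findings,
        "deviation_ratio": ratio,
        "alert_threshold_eur": sdd_alert_threshold(f.baseline_monthly_eur, ratio),
    }


if __name__ == "__main__":
    # Constructed sample files: one stable bank, one delisted company with a spike.
    stable = SddFile("C-010", "regulated_fi", True, True, 100_000, [120_000, 130_000, 110_000],
                     False, False, False)
    drifted = SddFile("C-011", "listed_company", True, False, 50_000, [200_000, 250_000],
                      False, True, False)
    for f in (stable, drifted):
        print(annual_validation(f))
```

Any finding removes SDD and sends the file back through standard CDD; the validation runs on its own annual cycle so that a delisting or a lapsed licence is caught before the three-to-five-year periodic review, and before an examiner does.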

Related terms and concepts

Understanding SDD requires understanding where it sits in the broader Know Your Customer (KYC) framework. KYC is the overarching obligation. Due diligence is the mechanism within KYC. SDD is one of three possible intensities, with standard Customer Due Diligence (CDD) in the middle and Enhanced Due Diligence (EDD) at the top.

Standard CDD includes identity verification, understanding the nature and purpose of the relationship, and ongoing monitoring calibrated to the risk profile. SDD removes specific steps from that process for qualifying customers. EDD adds steps for higher-risk relationships: additional documentation, senior management approval, source-of-wealth verification, and shorter review cycles.

For entity customers, SDD intersects with Know Your Business (KYB) obligations. Even under SDD, firms need to understand what the business does and where it operates. SDD typically exempts firms from full Ultimate Beneficial Owner (UBO) verification for certain entity types, such as regulated financial institutions where ownership disclosure is already a regulatory requirement. That exemption has limits. If the firm has any reason to question the entity's legitimacy, the SDD path is closed.

From a reporting perspective, SDD affects trigger thresholds for Suspicious Transaction Reports (STR). Higher thresholds mean fewer alerts, which is the intended efficiency gain. But the underlying reporting obligation doesn't change. A suspicious transaction on an SDD account still requires a report.

SDD is the operational expression of the risk-based approach for lower-risk customer segments. The FATF defines the risk-based approach as calibrating AML measures to the actual risk profile of customers, products, geographies, and delivery channels. SDD is what the low end of that calibration looks like when translated into an onboarding workflow and a monitoring rule set.

For firms managing large customer volumes, AML transaction monitoring rules tuning is where SDD classifications translate directly into monitoring rule parameters. Thresholds set too high miss genuine alerts. Thresholds set too low generate noise that overwhelms analysts. Getting that calibration right is where the SDD tier makes its biggest practical difference, and where poorly governed SDD programs tend to break down first.


Where does the term come from?

The term "Simplified Due Diligence" entered formal regulatory language with the FATF's 2003 revision of its Forty Recommendations, which introduced risk-based tiering of CDD obligations for the first time. The EU codified the three-tier structure (simplified, standard, enhanced) in the Third Anti-Money Laundering Directive (3AMLD, Directive 2005/60/EC), using the term explicitly in European law for the first time. The 4AMLD (2015) and 5AMLD (2018) refined eligibility categories and tightened documentation requirements, partly in response to the 2015 Paris terrorist financing investigations that exposed gaps in correspondent banking controls across member states.


How FluxForce handles Simplified Due Diligence (SDD)

FluxForce AI agents monitor Simplified Due Diligence (SDD)-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
