
Simplified Due Diligence (SDD): Definition and Use in Compliance


Simplified Due Diligence (SDD) is a KYC risk management procedure that allows regulated firms to apply reduced customer verification measures to clients or products assessed as presenting a lower risk of money laundering or terrorist financing.

What is Simplified Due Diligence (SDD)?

SDD is the regulatory permission to do less. More precisely, it's the authorization to apply reduced customer verification measures when the assessed risk of money laundering or terrorist financing is demonstrably low. It sits at the bottom of the due diligence hierarchy, which runs from SDD through standard Customer Due Diligence (CDD) to Enhanced Due Diligence (EDD) at the top.

The legal authority comes from FATF Recommendation 10 (customer due diligence), read together with Recommendation 1 (the risk-based approach): countries may allow financial institutions to apply simplified measures where lower money laundering and terrorist financing risks have been identified. This isn't a blanket exemption. The customer or product must fall within a category that has been assessed as lower risk, either at the national level or within the firm's own documented risk assessment, and simplified measures are never acceptable where there is a suspicion of money laundering or terrorist financing, whatever category the customer sits in.

The EU operationalized this in the Fourth Anti-Money Laundering Directive (4AMLD, Directive (EU) 2015/849). Article 15 allows obliged entities to apply simplified measures where a Member State or the entity itself has identified an area of lower risk, and Article 16 requires that assessment to take account of the lower-risk factors listed in Annex II. Those factors include public companies listed on a stock exchange and subject to disclosure requirements, public administrations and publicly owned enterprises, customers resident in lower-risk geographical areas, and products whose structure constrains misuse: low-premium life insurance (3AMLD had set the threshold at an annual premium of EUR 1,000), pension schemes funded by salary deduction whose rules prohibit assignment of a member's interest, and financial products such as certain electronic money where purse limits or transparency of ownership manage the risk. Regulated financial institutions that are themselves subject to the Directive are another category firms commonly treat as lower risk. Limited-value e-money has, in addition, its own exemption in Article 12 with specific conditions attached.

In practical terms, SDD allows fewer documents at onboarding, extended monitoring intervals, higher transaction alert thresholds, and lighter periodic review. It doesn't allow zero verification or no records. An SDD customer who starts moving unexplained large transfers doesn't stay on the SDD track. The risk classification is alive, not fixed, and regulators expect firms to treat it that way.

A textbook SDD scenario: a regional bank onboards a UK-listed infrastructure company. The company is admitted to the London Stock Exchange's main market and subject to the FCA's listing and disclosure rules, and the product is a basic current account. The bank verifies the listing, collects the company registration number, records the authorized signatories, and documents the approval. Beyond ongoing monitoring, that's it. The CDD pack a privately held company would require, including Ultimate Beneficial Owner (UBO) mapping and source-of-funds documentation, isn't needed, because the exchange's disclosure regime already makes significant ownership public. SDD is the right track, and it's documented as such.

How is Simplified Due Diligence (SDD) used in practice?

Most banks and financial institutions build SDD eligibility into their customer risk rating model. At onboarding, the model assigns an initial risk score. Customers who score below the standard CDD threshold, and whose product type matches an SDD-eligible category, are routed to a lighter onboarding workflow.

For a clearing bank onboarding a domestic occupational pension scheme, the practical difference is real. Such schemes are a named lower-risk factor where contributions are deducted from wages and the scheme rules do not let members assign their interests. Standard CDD might require full UBO mapping, trustee identity documents, and source-of-funds documentation. SDD, by contrast, might accept the scheme's registration with its regulator and a single authorized signatory check. That's a meaningful reduction in onboarding cost and client friction.

Product-level SDD follows the same logic. A prepaid card with a €150 stored-value limit and no cash withdrawal function carries structurally constrained money laundering risk, and the Article 12 exemption (as amended by 5AMLD) lets issuers skip some CDD measures for instruments that stay within its conditions: non-reloadable or capped, used only to buy goods and services, no anonymous remote payments beyond a small amount, and minimal cash redemption. Many European card issuers apply SDD to these products, collecting only basic identity information rather than the full document pack required for a premium card. The exemption falls away the moment the product acquires a feature outside those conditions, such as reloading above the cap or cash-out.

Transaction monitoring parameters differ too. An SDD customer's alert thresholds may be set higher, with annual rather than quarterly transaction reviews. That word "may" is doing real work. These are institutional choices within regulatory permission, not automatic outcomes, and they require written policy to justify.

Periodic review is where SDD classification gets tested. Most institutions review customer risk scores annually or upon a triggering event. If a customer appears on a watchlist, changes business activity, or is connected to a Suspicious Transaction Report (STR), the SDD status is reviewed immediately. Drift from SDD eligibility must be caught fast; supervisors look specifically for stale classifications in thematic AML reviews.

The documentation requirement doesn't shrink with SDD. Every placement decision needs a record: which eligibility criteria applied, what verification was performed, who approved it. That audit trail is what an examiner will pull first.

Simplified Due Diligence (SDD) in regulatory context

The regulatory framework for SDD varies by jurisdiction, though FATF provides the shared architecture. Understanding the differences matters for any institution operating across borders.

In the EU, 4AMLD Articles 15 to 17 set the frame: Article 15 permits simplified measures in areas of identified lower risk, Article 16 requires Member States and firms to take account of the Annex II lower-risk factors, and Article 17 tasks the European Supervisory Authorities with guidance. The joint ESA risk-factor guidelines appeared in 2017 and were replaced by the European Banking Authority's revised ML/TF Risk Factors Guidelines in 2021 (EBA/GL/2021/02), which cover banks, payment institutions, e-money firms and other sectors and describe what simplified measures may look like in each. The EBA guidelines aren't binding law, but supervisors treat them as the standard of care. Firms that depart from them need a documented reason.

In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, Regulation 37, governs SDD. Post-Brexit, UK firms follow the MLR 2017 rather than 4AMLD directly, though the substance is similar. The Financial Conduct Authority's financial crime guide provides worked examples for regulated firms across banking, insurance, and payments.

The US framework is structurally different. The Bank Secrecy Act and FinCEN's Customer Due Diligence Rule (2016) require CDD for all customers, with verification depth calibrated to risk. There's no formal "SDD" label in US regulation, but functionally equivalent risk-tiered approaches are embedded in most compliance programs. In the US, the emphasis falls on individual transaction monitoring obligations, including Currency Transaction Report (CTR) filings for cash transactions over $10,000, rather than on differentiated onboarding tiers.

Cross-border institutions apply the rules of the jurisdiction in which the onboarding entity is regulated; the customer's home regime does not govern the bank. A UK bank onboarding a US corporate customer applies UK MLR 2017, so a customer that meets a UK SDD category can be placed on SDD even though US rules have no such label. Group-wide programs usually go one step further and apply the stricter of home and host requirements across branches and subsidiaries, so that a lower-risk category recognized in one jurisdiction is not used to undercut a tougher standard elsewhere.

Common challenges and how to address them

The most common SDD failure is miscalibration. A firm defines SDD-eligible categories in policy, but the risk model or the analyst applies them too broadly. Customers who don't genuinely meet the criteria end up on the SDD track. That's a compliance gap, and regulators spot it quickly during thematic reviews because miscalibrated SDD populations tend to look statistically different from the eligible categories in the firm's own policy.

The second failure is stale classification. A customer is correctly placed on SDD at onboarding, but their risk profile changes and the periodic review cycle misses it. A domestic company acquires a subsidiary in a high-risk jurisdiction. A pension fund's authorized signatories change. These events should trigger a re-assessment. Many institutions rely on annual cycles and miss the in-between changes.

Documentation is the third gap. SDD permits reduced verification, but it doesn't permit reduced record-keeping. Every SDD decision needs documentation: the eligibility criteria applied, the verification performed, the approval chain. Examiners want to see that the firm can demonstrate why a customer was placed on SDD, not just that they were placed there. A spreadsheet with names and "SDD" checked is not adequate.

The fix for all three problems is the same: build SDD as a formal, rule-based track inside the customer lifecycle management system rather than a judgment call. Define eligibility criteria in code, not just policy. Automate triggering events (watchlist hits, unusual transactions, regulatory status changes) that force a risk re-assessment. Require documented approval for every SDD placement, with a named approver and a datestamp.

When an SDD customer generates a Suspicious Activity Report (SAR), that's an automatic trigger to review whether SDD was the right classification. Most institutions include this in their SAR procedures, but enforcement is inconsistent. Build it into the workflow so the reviewer can't close the SAR without addressing the underlying risk rating. That's the kind of control that holds up in a supervisory examination.
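The rule-based track, the triggering events and the SAR-closure gate described in the last two paragraphs, as an added Python example (not code from the page, from FluxForce, or from any regulator). The category names, the €150 prepaid limit, the trigger list and the sample customers are constructed assumptions standing in for a firm's own documented policy. The point it shows is that eligibility becomes a set of explicit predicates, every placement becomes a record carrying criteria, verification, approver and timestamp, a trigger suspends SDD treatment immediately, and a SAR cannot be closed until a reviewer has recorded a fresh decision.

```python
"""Rule-based SDD placement with triggered re-assessment and an audit trail.
Added illustration, not code from the page, a regulator or a vendor; the
category names, the EUR 150 prepaid limit and the trigger list are assumptions
standing in for a firm's own documented policy."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone

SDD, CDD, EDD = "SDD", "CDD", "EDD"
# Assumed policy categories and triggers; a real firm derives these from its risk assessment.
LOW_RISK_ENTITIES = {"listed_company", "eu_regulated_fi", "public_authority"}
LOW_RISK_PRODUCTS = {"low_premium_life_insurance"}
PREPAID_SDD_LIMIT_EUR = 150
TRIGGERS = {"watchlist_hit", "sar_filed", "business_change", "signatory_change"}

@dataclass(frozen=True)
class Customer:
    customer_id: str
    entity_type: str                  # e.g. "listed_company", "private_company"
    product: str                      # e.g. "basic_current_account", "prepaid_card"
    product_limit_eur: int = 0        # 0 means no product limit applies
    pep: bool = False
    high_risk_jurisdiction: bool = False
    adverse_finding: bool = False     # set by a reviewer after a hit or a SAR
    verification: tuple = ()          # what was actually verified

@dataclass(frozen=True)
class Decision:                       # the audit record an examiner pulls first
    tier: str
    criteria: tuple                   # which eligibility rules applied
    verification: tuple
    approver: str
    decided_at: datetime

def classify(c: Customer) -> tuple:
    """Eligibility as explicit predicates: high-risk gates first, then SDD, else CDD."""
    if c.pep or c.high_risk_jurisdiction:
        return EDD, ("high_risk_factor",)
    if c.adverse_finding:
        return CDD, ("adverse_finding",)
    prepaid_ok = c.product == "prepaid_card" and 0 < c.product_limit_eur <= PREPAID_SDD_LIMIT_EUR
    hits = tuple(name for name, ok in (
        ("eligible_entity", c.entity_type in LOW_RISK_ENTITIES),
        ("eligible_product", c.product in LOW_RISK_PRODUCTS or prepaid_ok)) if ok)
    return (SDD, hits) if hits else (CDD, ("default",))

class Workflow:
    def __init__(self):
        self.history = {}             # customer_id -> [Decision, ...]
        self.pending_review = set()   # customers parked by a triggering event
        self.open_sars = {}           # customer_id -> filed_at

    def place(self, c: Customer, approver: str, now: datetime) -> Decision:
        if not c.verification or not approver:
            raise ValueError("SDD reduces verification and approval; it never removes them")
        tier, criteria = classify(c)
        d = Decision(tier, criteria, c.verification, approver, now)
        self.history.setdefault(c.customer_id, []).append(d)
        self.pending_review.discard(c.customer_id)   # a fresh decision clears the trigger
        return d

    def trigger(self, customer_id: str, kind: str, now: datetime) -> bool:
        if kind not in TRIGGERS:
            return False
        self.pending_review.add(customer_id)          # forces immediate re-assessment
        if kind == "sar_filed":
            self.open_sars[customer_id] = now
        return True

    def effective_tier(self, customer_id: str) -> str:
        """Lighter SDD treatment stops while a trigger is pending."""
        last = self.history[customer_id][-1].tier
        return CDD if customer_id in self.pending_review and last == SDD else last

    def close_sar(self, customer_id: str) -> bool:
        """The SAR stays open until the rating has been re-decided after filing."""
        last = self.history[customer_id][-1]
        if customer_id in self.pending_review or last.decided_at < self.open_sars[customer_id]:
            raise PermissionError("re-assess the risk rating before closing the SAR")
        del self.open_sars[customer_id]
        return True

def demo() -> dict:
    """Walks the page's scenarios on constructed customers; returns the tier at each step."""
    wf, t0 = Workflow(), datetime(2024, 1, 15, tzinfo=timezone.utc)
    listed = Customer("C1", "listed_company", "basic_current_account",
                      verification=("listing_verified", "company_number"))
    private = Customer("C2", "private_company", "basic_current_account",
                       verification=("ubo_map", "source_of_funds"))
    card = Customer("C4", "individual", "prepaid_card", product_limit_eur=150,
                    verification=("basic_id",))
    customers = (listed, private, replace(private, customer_id="C3", pep=True),
                 card, replace(card, customer_id="C5", product_limit_eur=500))
    out = {c.customer_id: wf.place(c, "analyst.a", t0).tier for c in customers}
    wf.trigger("C1", "sar_filed", t0.replace(day=20))        # SAR on the SDD customer
    out["C1_after_sar"] = wf.effective_tier("C1")
    try:
        wf.close_sar("C1")
        out["close_before_review"] = "allowed"
    except PermissionError:
        out["close_before_review"] = "blocked"
    wf.place(replace(listed, adverse_finding=True, verification=("ubo_map",)),
             "mlro.b", t0.replace(day=22))                    # reviewer re-decides
    out["close_after_review"] = "allowed" if wf.close_sar("C1") else "blocked"
    out["C1_after_review"] = wf.effective_tier("C1")
    return out
```

Calling demo() walks the scenarios: the listed company lands on SDD, the private company on CDD, the PEP on EDD, the €150 card on SDD and the €500 card on CDD; the moment a SAR is filed the SDD customer is treated as CDD, close_sar raises until a reviewer has recorded a new decision, and after that decision the customer stays on CDD. The `Decision` records in `Workflow.history` are the audit trail the previous paragraphs call for; a real system would persist them and the named approver would come from an authenticated session rather than a string.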

Related terms and concepts

SDD sits within a family of terms that together define how a firm structures its customer risk management. The terms are related but distinct, and confusing them creates real compliance problems.

Customer Due Diligence (CDD) is the standard level. It covers identity verification, beneficial owner identification, understanding the nature of the business relationship, and ongoing monitoring. CDD is the default for any customer who doesn't qualify for SDD and isn't high-risk enough to require EDD. SDD is a downward deviation from CDD; EDD is an upward one.

Enhanced Due Diligence (EDD) applies to high-risk customers: politically exposed persons, customers in high-risk jurisdictions, and correspondent banking relationships. EDD is the opposite of SDD in every practical dimension, requiring more documentation, senior management approval, and more frequent review.

Know Your Customer (KYC) is the broader program within which SDD, CDD, and EDD all sit. SDD is one component of how a KYC program is tiered by risk. KYC governs the full customer lifecycle, from onboarding through ongoing monitoring and exit.

Know Your Business (KYB) is the business-entity equivalent of KYC. For corporate customers, SDD decisions often intersect with KYB: whether an entity qualifies for SDD depends on its legal structure, regulatory status, and ownership profile. A company listed on a recognized exchange is a textbook SDD-eligible KYB subject. A privately held company in the same sector almost certainly is not.

The risk-based approach that underlies all of these comes from FATF Recommendation 1. SDD, CDD, and EDD are its practical outputs. Firms that implement SDD without a clear, documented risk assessment methodology are applying the form without the substance. That's what supervisors look for in AML reviews, and it's what leads to enforcement action.


Where does the term come from?

The term "Simplified Due Diligence" was introduced formally through FATF's risk-based approach to CDD, codified in the 2003 Forty Recommendations and revised in 2012. The EU adopted SDD as a named category in the Third Anti-Money Laundering Directive (3AMLD) in 2005, carried forward through 4AMLD (2015) and 5AMLD (2018). The UK operationalized it in the Money Laundering Regulations 2007, updated in 2017. US regulation does not use the term explicitly, but FinCEN's Customer Due Diligence Rule (2016) enables functionally equivalent risk-tiered approaches. The concept has remained structurally stable since FATF's 2012 revision.


How FluxForce handles Simplified Due Diligence (SDD)

FluxForce AI agents monitor SDD-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
