A Guide to Anti-Money Laundering for Crypto Firms

Customer Due Diligence (CDD)

KYC/KYB Knowledge & Training

To understand the money laundering risks they face, banks, other financial institutions, and obligated financial service providers (including crypto firms) must verify the identities of their customers and the nature of the business in which they are involved. The process of establishing customer identities is known as customer due diligence (CDD).

What is CDD / Customer Due Diligence?

Customer Due Diligence (CDD) refers to the act of collecting identifying information in order to verify a customer’s identity and more accurately assess the level of criminal risk they present. At a basic level, CDD requires firms to collect a customer’s name and address, information about the business in which they are involved, and how they will use their account. To confirm that this information is genuine, companies should then verify it against official documents such as driving licenses, passports, utility bills, and incorporation documents, obtained from a reliable, independent source.

CDD is a foundation of the Know Your Customer (KYC) process, which requires companies to understand who their customers are, their financial behavior, and what kind of money laundering or terrorism financing risk they present. All Financial Action Task Force (FATF) member states must implement CDD requirements as part of their domestic AML/CFT legislation, as set out in Recommendation 10 of the FATF’s 40 Recommendations.

Customer Due Diligence Basics

Customer Due Diligence involves the following basic regulatory obligations:  

  • Customer Identification: Companies must identify their customers by obtaining personal information and data, including name, photographic ID, address, and date of birth (e.g. from a birth certificate), from a reliable, independent source.
  • Beneficial Ownership: When a customer is a legal entity, or a person or entity is acting on behalf of someone else, companies should establish the ultimate beneficial owner(s) (UBO): the natural person(s) who ultimately own or control the customer, or on whose behalf a transaction is being conducted.
  • Business Relationship: In addition to personal and beneficial ownership identification, companies must also establish the nature and purpose of the business relationship into which they are entering with the customer.

When is CDD Required?

Institutions should implement KYC/AML and CDD measures under the following circumstances:

  • New business relationships: Companies must perform due diligence prior to establishing a new business relationship. The information they gather will inform any subsequent AML/CFT risk assessment and ensure that the customer is not using a fake identity to access their services.
  • Occasional transactions: Certain occasional transactions warrant CDD measures. These might involve amounts of money that exceed regulatory thresholds, or transactions that involve entities in high-risk foreign countries.
  • Money laundering suspicion: If a customer is suspected of money laundering or terrorism financing, companies should implement additional CDD checks.
  • Unreliable documentation: When customers provide unreliable or inadequate identification documents companies should apply further CDD scrutiny to resolve discrepancies.
  • Ongoing monitoring: CDD is not a one-off obligation. Companies should perform CDD periodically throughout a business relationship in order to ensure that customers’ transactions are consistent with their established risk profiles.

Record Keeping for CDD

CDD regulations typically include a requirement for companies to maintain records of the information they collect for at least five years (the FATF minimum; some jurisdictions require longer). This includes copies of all identification documents (driving licenses, passports, birth certificates, etc.) and business documentation, together with the transaction records themselves. Companies should be able to comply quickly and efficiently with requests for records from competent authorities, and enable those authorities to reconstruct individual transactions, including details of the amounts of money and types of currency involved.

Third Party CDD

FATF standards permit companies to engage third parties to carry out Customer Due Diligence processes on their behalf, including the verification of customer identities, beneficial ownerships, and the nature of business relationships. Third parties may also provide CDD record-keeping facilities. 

It is important to remember that regulatory responsibility for CDD remains with the company rather than the third party. Accordingly, companies should ensure that their CDD service provider fulfills certain compliance criteria, and is able to: 

  • Meet the compliance standards set out in FATF Recommendation 10
  • Make copies of CDD data available upon request
  • Meet FATF record-keeping requirements 
  • Meet location-based regulatory compliance standards

How to Perform Customer Due Diligence?

Following FATF guidance, companies should implement risk-based CDD measures that reflect the specific level of AML/CFT risk that individual customers present. Risk-based due diligence lets companies balance their compliance obligations against budget and resource constraints while preserving the customer experience. Under a risk-based approach, firms may deploy faster, lighter CDD for low-risk customers, and slower, more intensive enhanced due diligence (EDD) for high-risk customers, accepting that EDD may add friction for those customers.

With that in mind an effective CDD process should involve the following steps: 

  • Prior to beginning a business relationship, companies should establish the identity and business activities of their new potential customer, with the goal of identifying bad actors as early as possible.
  • Once a customer has been identified to a sufficient degree of confidence, companies should categorize their risk level. This categorization, and the evidence behind it, should be stored in access-controlled storage with an audit trail, so it can be retrieved for future regulatory checks without being altered unnoticed.
  • After establishing a customer’s risk category, companies should determine whether more intensive enhanced due diligence measures are needed.


What is Enhanced Due Diligence (EDD)?

Under a risk-based approach to compliance, high-risk customers should be subject to enhanced due diligence (EDD). Examples of high-risk customers include politically exposed persons (PEPs) and customers with links to sanctioned persons or jurisdictions (a confirmed match against a sanctions list is not an EDD case: the firm must refuse or freeze the relationship rather than onboard it). Intended to give companies a deeper understanding of their customers’ AML/CFT risk, EDD measures generally involve a more intensive level of CDD scrutiny, including requirements to:

  • Obtain additional customer identification materials
  • Establish the source of funds or wealth
  • Apply closer scrutiny to the nature of the business relationship or purpose of a transaction
  • Implement ongoing monitoring procedures

What is Ongoing Monitoring?

Ongoing monitoring refers to the continuous scrutiny of business relationships. This process matters because, while occasional transactions may not initially present as suspicious, they may reveal a pattern of behavior over an extended period of time which necessitates a change to a customer’s risk profile. Ongoing monitoring involves:

  • Monitoring transactions throughout the course of a business relationship to ensure a client’s risk profile matches their behavior.
  • Maintaining responsiveness to any changes in risk profile, or any factors which might raise suspicion.
  • Keeping relevant records, documents, data, and information that may be needed for CDD purposes.

Ongoing monitoring should apply to all business relationships but, like other CDD measures, may be scaled to reflect the customer’s risk profile.
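The three CDD steps above (identify, assign a risk tier, decide on EDD) and the ongoing-monitoring obligation in this section are easiest to see operationalized in code. The following is an added example written for this page, not ComplyAdvantage’s product or any regulator’s rule set: it tiers a customer from onboarding data, then checks constructed transactions against the customer’s declared profile, flagging volume well above the declared expectation, repeated amounts just under a reporting threshold (a structuring pattern), and counterparties in a high-risk jurisdiction, and re-rates the customer to require EDD when an alert fires. The threshold, window, deviation factor and the high-risk country code "XX" are all assumptions; real values depend on the jurisdiction and the firm’s own risk assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed parameters (illustrative only, not taken from the page or any regulator):
REPORT_THRESHOLD = 10_000.0           # single-transaction reporting threshold
STRUCTURING_BAND = 0.8                # amounts in [80%, 100%) of threshold look like structuring
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_MIN_COUNT = 3
VOLUME_DEVIATION_FACTOR = 2.0         # 30-day volume > 2x the declared expectation triggers review
HIGH_RISK_COUNTRIES = {"XX"}          # constructed placeholder code, not a real FATF list
BASE_DATE = datetime(2022, 6, 1)      # fixed date so the constructed sample is reproducible


@dataclass
class Customer:
    customer_id: str
    is_pep: bool
    sanctions_match: bool
    country: str
    expected_monthly_volume: float    # declared at onboarding (nature/purpose of relationship)
    risk_tier: str = "unassessed"
    edd_required: bool = False


@dataclass
class Transaction:
    when: datetime
    amount: float
    counterparty_country: str


def build_txns(amounts_and_days: List[Tuple[float, int]], country: str) -> List[Transaction]:
    """Construct sample transactions as (amount, day offset from BASE_DATE) pairs."""
    return [Transaction(BASE_DATE + timedelta(days=d), a, country) for a, d in amounts_and_days]


def assess_risk(customer: Customer) -> str:
    """CDD step 2: assign a risk tier from the identification data gathered at onboarding."""
    if customer.sanctions_match:
        # A confirmed sanctions hit is not an EDD case: refuse or freeze, do not onboard.
        customer.risk_tier, customer.edd_required = "prohibited", False
    elif customer.is_pep or customer.country in HIGH_RISK_COUNTRIES:
        customer.risk_tier, customer.edd_required = "high", True      # CDD step 3: EDD needed
    else:
        customer.risk_tier, customer.edd_required = "low", False
    return customer.risk_tier


def monitor(customer: Customer, txns: List[Transaction]) -> List[str]:
    """Ongoing monitoring: compare observed behaviour with the established risk profile."""
    alerts: List[str] = []
    txns = sorted(txns, key=lambda t: t.when)

    # 1. Volume deviation: any rolling 30-day window far above the declared expectation.
    for i, t in enumerate(txns):
        window_end = t.when + timedelta(days=30)
        total = sum(u.amount for u in txns[i:] if u.when < window_end)
        if total > VOLUME_DEVIATION_FACTOR * customer.expected_monthly_volume:
            alerts.append("volume_deviation")
            break

    # 2. Structuring: repeated amounts just under the reporting threshold in a short window.
    near = [t for t in txns if STRUCTURING_BAND * REPORT_THRESHOLD <= t.amount < REPORT_THRESHOLD]
    for i, t in enumerate(near):
        in_window = [u for u in near[i:] if u.when - t.when <= STRUCTURING_WINDOW]
        if len(in_window) >= STRUCTURING_MIN_COUNT:
            alerts.append("structuring_pattern")
            break

    # 3. Counterparty in a high-risk jurisdiction that the profile did not anticipate.
    if customer.risk_tier != "high" and any(
        t.counterparty_country in HIGH_RISK_COUNTRIES for t in txns
    ):
        alerts.append("high_risk_counterparty")

    # Re-rating: alerts on a low-risk customer raise the tier and trigger EDD.
    if alerts and customer.risk_tier == "low":
        customer.risk_tier, customer.edd_required = "high", True
    return alerts


def demo() -> Tuple[Customer, List[str]]:
    """Constructed sample: a retail customer who declared ~5,000/month, then moves 3 x 9,500."""
    cust = Customer("C-1001", is_pep=False, sanctions_match=False, country="GB",
                    expected_monthly_volume=5_000.0)
    assess_risk(cust)
    alerts = monitor(cust, build_txns([(9_500.0, 1), (9_500.0, 3), (9_500.0, 5)], "GB"))
    return cust, alerts


if __name__ == "__main__":
    c, a = demo()
    print(c.customer_id, c.risk_tier, c.edd_required, a)
```

The re-rating at the end is the point of the example: the customer was correctly low-risk at onboarding, and only the transaction pattern, not any single transaction, justifies moving them to EDD. In production the alert would also feed the SAR decision described in the next section, and the declared profile would be refreshed at the periodic review rather than fixed at onboarding.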

Reporting Suspicious Transactions

Where CDD measures create suspicion or reasonable grounds to suggest that a customer is involved in criminal activity, companies must report that information in a timely manner to their jurisdiction’s financial intelligence unit (FIU), via a suspicious activity report (SAR).

AML/CFT legislation includes measures that protect employees, company directors, and officers from any criminal and civil liability incurred by disclosing suspicious activity to the authorities in good faith. Following FATF standards, that protection is applied regardless of contractual, legislative, or administrative provisions and “even if the reporting parties did not know precisely what the underlying criminal activity was, and regardless of whether the illegal activity actually occurred”. 

Similarly, employees, company directors, and officers are prohibited from tipping off customers that a SAR has been filed against them. 

Technology and Expertise for an Effective Customer Due Diligence Process

Ultimately, effective CDD and KYC measures are built on a combination of technology and expertise. As risk profiles and criminal threats evolve, financial institutions must be prepared to be as flexible and innovative with their approach to CDD as any other aspect of their AML/CFT policy. While technology provides useful tools to facilitate CDD processes, human vigilance remains vital to spotting and addressing new threats.


Originally published June 24, 2019, updated June 26, 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).