Customer due diligence is what stands between financial institutions and financial crime. It protects thousands of businesses across the world from the risks posed by money laundering, fraud, and terrorist financing.
Although its operational costs can be quite steep, customer due diligence is still worth it. The failure to properly implement it can lead to regulatory and reputational consequences that far outweigh its price.
But what is customer due diligence exactly? What is being checked? Is it the same thing as Know Your Customer (KYC)?
In this article, we will answer all of these questions and more as we present the definitive guide to customer due diligence.
What is customer due diligence?
Customer due diligence (CDD) is the process of verifying the identity and risk profile of the individuals or businesses a regulated institution deals with. It helps establish whether a customer and their source of funds are legitimate, which is necessary for anti-money laundering (AML) compliance.
As for the types of businesses that employ CDD, it’s not only banks—art dealers, cryptocurrency exchanges, and even real estate agencies are increasingly adopting these measures.
Is it the same as KYC?
While KYC and CDD are closely related, they differ in scope and purpose. Regulators do not all draw the line in the same place, but in common usage KYC is the identity-verification foundation on which CDD builds.
KYC focuses purely on identity verification—confirming that customers are who they claim to be. This happens during customer onboarding, as well as periodically throughout the entire customer lifecycle.
CDD, on the other hand, builds on KYC and performs ongoing risk (re-)assessment of already verified customers.
For example, a cryptocurrency exchange might perform KYC during registration by verifying a user’s ID. But it is through CDD that the platform can later detect patterns like frequent large withdrawals—potential red flags for money laundering.
Ultimately, KYC and CDD are both parts of Anti-Money Laundering (AML) compliance as together they help uncover bad actors disguising their source of funds.
Main types of customer due diligence
We can highlight four core types of customer due diligence: three of them correspond to the degree of risk associated with a customer, while the fourth cuts across all three.
Let’s dive deeper into all these types and what they involve.
Simplified due diligence
Simplified due diligence is used for customers or transactions where risk factors like jurisdiction, customer type, or transaction purpose are minimal. Under this approach, the institution collects less information about the customer's business activities and may rely on lighter verification of beneficial ownership, but it still identifies the customer and still monitors the relationship.
A good example would be publicly traded companies that are listed on a recognized exchange. They tend to qualify for simplified due diligence because of the financial transparency that comes with going public.
That said, institutions remain obligated to monitor accounts for changes that might alter risk profiles.
Standard due diligence
Standard due diligence is the baseline for most customer interactions and applies to customers deemed to present a moderate level of risk.
At this level, institutions verify essential customer information such as identity, address, and the intended purpose of the relationship. While this may seem straightforward, the verifier must make sure that all customer data is collected and retained in a manner compliant with regulations like the GDPR or the US Gramm-Leach-Bliley Act.
There’s also always room for risk profile reassessment. For example, if a customer suddenly starts conducting high-value transactions or simply deviates from initial expectations, it may trigger a transition to enhanced due diligence protocols (more on them below).
Enhanced due diligence
Enhanced due diligence (EDD) is meant for customers flagged as high-risk, such as politically exposed persons (PEPs), businesses in high-risk industries, or entities linked to sanctioned countries.
On top of standard customer due diligence requirements, EDD demands additional steps—investigations into the source of funds, as well as closer monitoring of transaction patterns.
How are these conducted? Institutions often rely on external data sources, such as adverse media checks, court records, and third-party intelligence reports. They may also consult regulators or law enforcement for guidance in ambiguous cases.
Ongoing due diligence
Ongoing due diligence is a category of its own, as it involves continuous monitoring of customers’ activities and reassessing risk profiles when necessary.
For example, if a customer with a low-risk profile starts receiving many small wire transfers from high-risk jurisdictions, this will be detected and investigated further. Why? This kind of activity could be a sign of smurfing (structuring), a common money-laundering tactic in which a large sum is split into smaller transfers to stay below reporting thresholds.
Depending on the outcome of the investigation, the customer may be assigned a new risk profile, reported to the authorities through a suspicious activity report, or have the business relationship terminated.
Customer due diligence process explained
Now let’s take a look at what a typical customer due diligence process looks like, from initial ID verification to ongoing monitoring.
Step 1: Customer identification and verification (KYC)
The first step is collecting information to establish a customer’s identity. For individuals, this may include ID document verification, face biometric verification, and proof of address; for businesses, it includes identifying ultimate beneficial owners (UBOs) and their control over the entity.
KYC uses biometric authentication, liveness detection, and ID document examination to tackle its two biggest challenges at once: letting fraudsters through (false acceptances) and turning away genuine customers (false rejections). These technologies are especially relevant for customer due diligence in banks, fintechs, crypto, and trading platforms.
Step 2: Assigning a risk rating
Next up is categorizing customers based on the likelihood of financial crime involvement. Institutions take many factors into account (geographical location, industry type, transaction behavior, links to high-risk entities, etc.) to categorize customers as low, medium, or high risk.
For example, customers operating in cash-intensive businesses (e.g., casinos or pawn shops), might warrant closer scrutiny as they are simply more prone to laundering activities.
Step 3: Data screening and sanctions checks
Now, it’s time to cross-reference the customer information against sanctions lists, PEP databases, adverse media reports, and the Financial Action Task Force (FATF) lists of high-risk and monitored jurisdictions. Such checks often rely on automated tools that scan these databases; however, name matching is fuzzy by nature, so some level of human oversight is needed to weed out false positives before a decision is taken.
A typical example here would be denying the application of a prospective customer at a European bank who turns out to be on an international sanctions list, or escalating a PEP to enhanced due diligence before any account is opened.
It’s worth noting that sanctions screening should not be treated as a one-time process, as databases are regularly updated.
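The screening step above is easy to get wrong in both directions: an exact string comparison misses "MARÍA JOSÉ" against "Maria Jose", while a loose comparison floods analysts with false positives. The following is an added example, not code from the original article or from Regula, of the kind of matching logic such a tool applies: names are normalized (diacritics, case, punctuation and word order removed), compared with a similarity score, bucketed into match / review / clear bands, and a conflicting date of birth downgrades a hit so that a name-only coincidence goes to a human rather than straight to a rejection. The watchlist entries, applicants, and thresholds are all constructed for the example.

```python
import difflib
import re
import unicodedata

# Decision bands for the similarity score (0.0-1.0). Constructed values for the
# example; an institution tunes them against its own false-positive and miss rates.
MATCH_THRESHOLD = 0.95
REVIEW_THRESHOLD = 0.70

# Constructed watchlist with made-up names; not an excerpt of any real sanctions list.
WATCHLIST = [
    {"id": "WL-001", "name": "Dmitri Sample-Sanctioned", "dob": "1965-04-12",
     "aliases": ["Dimitri Samplesanctioned"]},
    {"id": "WL-002", "name": "Maria Jose Ejemplo", "dob": None, "aliases": []},
]

# Constructed onboarding applicants.
APPLICANTS = [
    {"id": "A-1", "name": "DMITRI SAMPLE-SANCTIONED", "dob": "1965-04-12"},  # identical once normalized
    {"id": "A-2", "name": "María José Ejemplo", "dob": None},                # differs only in diacritics
    {"id": "A-3", "name": "Dmitry Sampel Sanctioned", "dob": None},          # two typos: send to an analyst
    {"id": "A-4", "name": "Dmitri Sample Sanctioned", "dob": "1990-01-01"},  # same name, different DOB
    {"id": "A-5", "name": "Wei Zhang", "dob": "1982-07-30"},                 # unrelated
]


def normalize_name(name):
    """Strip diacritics, case and punctuation, then sort tokens so word order does not matter."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def similarity(a, b):
    """Character-level similarity in [0, 1] between two normalized names."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def best_match(applicant_name, entry):
    """Highest similarity between the applicant and the entry's primary name or any alias."""
    target = normalize_name(applicant_name)
    candidates = [entry["name"], *entry["aliases"]]
    return max(similarity(target, normalize_name(c)) for c in candidates)


def decide(score, applicant_dob, entry_dob):
    """Map a score to a band, then let a conflicting date of birth downgrade it one step."""
    if score >= MATCH_THRESHOLD:
        band = "match"
    elif score >= REVIEW_THRESHOLD:
        band = "review"
    else:
        band = "clear"
    # A conflicting DOB is a strong discriminator: a name-only hit must not be treated as a
    # confirmed match without an analyst's review, and a weak hit with a wrong DOB is cleared.
    if band != "clear" and applicant_dob and entry_dob and applicant_dob != entry_dob:
        band = "review" if band == "match" else "clear"
    return band


def screen(applicants, watchlist):
    """Return {applicant_id: (band, score, watchlist_id)} using the best-scoring entry."""
    results = {}
    for applicant in applicants:
        scored = [(best_match(applicant["name"], entry), entry) for entry in watchlist]
        score, entry = max(scored, key=lambda pair: pair[0])
        band = decide(score, applicant["dob"], entry["dob"])
        results[applicant["id"]] = (band, round(score, 3), entry["id"])
    return results


if __name__ == "__main__":
    for applicant_id, (band, score, hit) in screen(APPLICANTS, WATCHLIST).items():
        print(f"{applicant_id}: {band:6} score={score:.3f} against {hit}")
```

Two caveats a practitioner would add: the normalization above drops every non-Latin character, so names in Cyrillic, Arabic or CJK scripts need transliteration (or script-aware matching) before this comparison is meaningful; and because the lists change, the same screen has to be re-run against the current list versions, not just at onboarding.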
Step 4: Transaction monitoring
Once the account is active, institutions must keep track of all transactional data and detect any anomalies. Above all, this means looking for red flags like unusually large or structured transactions (smurfing) designed to evade reporting thresholds.
Luckily, there exist customer due diligence solutions such as ML-based transaction monitoring systems. They help detect subtle anomalies and keep adapting as more data comes in. Signals like round-dollar transactions or unusually high-value transfers to high-risk jurisdictions can then be surfaced as possible money laundering attempts rather than buried in the volume.
For instance, the system could flag a customer after noticing 50 small transactions totaling $10,000 in one day—a pattern potentially linked to a criminal scheme.
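The "50 small transactions totaling $10,000 in one day" pattern is a structuring rule an institution can state precisely: several transactions that each stay under the reporting threshold but together reach it. The block below is an added example, not the original article's or Regula's code, showing such a rule run over a constructed ledger: transactions are bucketed per customer and calendar day, a bucket with at least MIN_COUNT sub-threshold transactions whose total reaches 90% of the threshold raises an alert, and a high share of round-dollar amounts is recorded as a supporting reason. The threshold, parameters, and customer IDs are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# US currency transaction reports are triggered above $10,000; structuring keeps each
# deposit under that line. The other parameters are constructed for this example and
# would be tuned against an institution's own alert history.
CTR_THRESHOLD = 10_000.0
MIN_COUNT = 3           # at least this many sub-threshold transactions in one day
AGGREGATE_RATIO = 0.9   # alert once the day's total reaches 90% of the threshold
ROUND_UNIT = 100        # amounts divisible by this are treated as "round-dollar"


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    timestamp: datetime
    amount: float


@dataclass(frozen=True)
class Alert:
    customer_id: str
    day: str
    count: int
    total: float
    round_ratio: float
    reasons: tuple


def daily_buckets(transactions):
    """Group transactions by (customer, calendar day)."""
    buckets = defaultdict(list)
    for tx in transactions:
        buckets[(tx.customer_id, tx.timestamp.date().isoformat())].append(tx)
    return buckets


def detect_structuring(transactions, threshold=CTR_THRESHOLD):
    """Flag customers whose many sub-threshold transactions add up to about the reporting threshold."""
    alerts = []
    for (customer_id, day), txs in sorted(daily_buckets(transactions).items()):
        amounts = [tx.amount for tx in txs]
        total = sum(amounts)
        if len(txs) < MIN_COUNT:
            continue
        # Every individual amount stays at or below the threshold, but the day's total approaches it.
        if not all(a <= threshold for a in amounts) or total < AGGREGATE_RATIO * threshold:
            continue
        reasons = ["many sub-threshold transactions aggregating near the reporting threshold"]
        round_ratio = sum(1 for a in amounts if a % ROUND_UNIT == 0) / len(amounts)
        if round_ratio >= 0.8:
            reasons.append("predominantly round-dollar amounts")
        alerts.append(Alert(customer_id, day, len(txs), round(total, 2), round(round_ratio, 2), tuple(reasons)))
    return alerts


def _constructed_sample():
    """Constructed ledger for the example; not real customer data."""
    base = datetime(2024, 3, 4, 9, 0)
    txs = []
    # C-1001: fifty $200 deposits in one day, the $10,000 pattern described in the text.
    for i in range(50):
        txs.append(Transaction("C-1001", base.replace(hour=9 + i // 10, minute=(i % 10) * 5), 200.0))
    # C-1002: one $9,500 deposit; a single sub-threshold transaction is not structuring by itself.
    txs.append(Transaction("C-1002", base, 9_500.0))
    # C-1003: four everyday payments totalling $2,437.50, far below the threshold.
    for amount in (1_200.0, 637.5, 300.0, 300.0):
        txs.append(Transaction("C-1003", base, amount))
    # C-1004: three odd-sized deposits summing to $9,990, just under the line.
    for amount in (3_300.0, 3_400.0, 3_290.0):
        txs.append(Transaction("C-1004", base, amount))
    return txs


SAMPLE_TRANSACTIONS = _constructed_sample()

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TRANSACTIONS):
        print(alert)
```

Only C-1001 and C-1004 are alerted: the single $9,500 deposit has no pattern to aggregate, and the four small payments never approach the threshold. A production rule would also look across a rolling window of several days and across related accounts, since launderers spread deposits over time and across mules rather than obligingly finishing within one calendar day.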
Step 5: Record retention and audit trails
Lastly, customer due diligence regulations for banks and other institutions require them to keep records of all CDD-related activities for several years (five years under the US Bank Secrecy Act, and five years after the end of the business relationship under the EU anti-money laundering directives). These records typically include customer identification data, transaction histories, risk assessments, supporting documents for sources of funds, and any reports of suspicious activity.
Such record-keeping is not only intended for regular audits, but will also help future investigations if financial crime concerns arise.
Customer due diligence checklist
For your convenience, we have compiled a comprehensive checklist of things you need to verify and validate over the course of your customer due diligence process.
General information collection:
- Full legal name.
- Date of birth.
- Residential address.
- Valid photo ID (passport, national ID, driver’s license).
- Face biometrics (liveness detection).
- Email address.
- Phone number.
- Nature of the business or personal relationship with the institution (account purpose, operation types, longevity of contract).
- Expected transaction types and volumes.
Standard due diligence:
- Cross-check government-issued ID against official databases where available to confirm document authenticity and validity.
- Verify the ID against facial biometrics to make sure the person on camera is the customer.
- Validate residential address with utility bills, bank statements, or tenancy agreements.
- Identify and verify UBOs holding 25% or more ownership.
- Obtain business registration documents (e.g., Articles of Incorporation, Tax ID).
- Consider geographic risk factors (e.g., customer’s location, operational jurisdiction, country of origin of funds, financial transaction channels).
Enhanced due diligence:
- Verify the source of funds and wealth through supporting documents like bank statements, property deeds, inheritance records, tax declarations, business contracts; also, verify the legitimacy of these financial documents.
- Check for the customer’s presence on sanctions lists (e.g., OFAC, UN, EU), PEP databases, adverse media reports from trusted sources; also, make sure you use the up-to-date versions of these databases.
- Conduct in-depth reviews of the customer’s financial history.
- Verify the legitimacy of complex corporate hierarchies or cross-border ownership structures.
- Validate all intermediary entities within the ownership chain.
- Monitor involvement with high-risk jurisdictions as defined by the FATF and other local or international regulatory bodies.
- Analyze historical patterns for anomalies (e.g., unusual transaction volumes or sudden spikes).
Simplified due diligence:
- Confirm low-risk classification based on transparency, customer type, and jurisdictional factors.
- Confirm that expected transaction values and volumes stay within the low limits that justify the simplified tier.
- Verify basic information (name, DOB, address, ID, phone number, and email) without requiring extensive documentation.
- Conduct routine monitoring for potential escalations in risk.
Ongoing due diligence (all levels):
- Review customer risk profiles annually or upon significant changes (change of country, unusual transactions, etc.).
- Update records for UBOs, addresses, or contact details.
- Match current activity to expected behavior.
- Escalate deviations that may indicate suspicious activity.
- Incorporate changes in AML guidelines.
- Maintain updated sanctions lists and PEP databases through automated systems for real-time compliance.
Recommendations for effective customer due diligence
In our final section, we would like to give you four important tips on how to make sure that your customer due diligence process runs smoothly and doesn’t discourage customers.
1. Mind the jurisdictional variances
Remember that customer due diligence requirements are not universal: while certain regions require you to identify beneficial owners at a 25% ownership threshold, others may set stricter requirements, such as 10%.
Additionally, local regulations may impose different KYC and AML standards altogether.
Similarly, definitions of PEPs and their risk implications can vary significantly, depending on their position, duties, and known connections.
2. Strike a balance between thoroughness and customer experience
A common mistake made by institutions is applying enhanced due diligence even to low-risk customers. Such practices not only result in unnecessary delays, but also bring about higher operational costs and more dissatisfied customers.
At the same time, while it’s true that an overly intrusive process can alienate customers, insufficient diligence opens doors to financial crime. That’s why you need to make sure that your risk (re)assessment is always on point—and that the assigned risk profile matches the measures taken.
3. Don’t forget that different risks have different weight
You must always categorize your risks according to their potential impact. This can be done by assessing the level of severity and impact that comes from any specific risk factor—for example, what’s potentially more harmful: the customer’s location or transaction amounts?
Then you need to apply weighted scoring models and draw up risk matrices to visualize your decision-making process.
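Tip 3 and Step 2 above both come down to the same mechanism: a weighted scoring model that maps a customer's risk factors to a tier, and therefore to the due diligence level applied. The block below is an added example, not code from the original article or from Regula, of such a model. Each factor gets a 0-100 score and a weight; the weights sum to 100 so the overall score stays on the same scale, and the per-factor contributions double as one row of a risk matrix. Two factors deliberately override the arithmetic: a sanctions hit is escalated rather than scored, and a PEP is floored at high risk regardless of how benign the rest of the profile looks. All weights, factor scores, band boundaries, and sample profiles are constructed for illustration and would be calibrated in an institution's own risk assessment.

```python
from dataclasses import dataclass

# Relative weights (sum to 100) express how much each factor may move the final score.
# The split below is constructed for the example, not a regulatory standard.
WEIGHTS = {"geography": 30, "industry": 20, "customer_type": 20, "channel": 10, "volume": 20}

# Factor scores on a 0-100 scale, also constructed for illustration.
FACTOR_SCORES = {
    "geography": {"low": 10, "medium": 50, "fatf_monitored": 80, "fatf_call_for_action": 100},
    "industry": {"salaried_individual": 10, "retail": 30, "cash_intensive": 80, "msb_or_crypto": 90},
    "customer_type": {"listed_company": 10, "individual": 30, "private_company": 50, "trust_or_layered": 90},
    "channel": {"face_to_face": 20, "remote_verified": 40, "via_intermediary": 70},
    "volume": {"low": 10, "medium": 40, "high": 80},
}

# (lower bound of band, risk tier, due diligence level), checked from highest to lowest.
TIERS = [(65, "high", "enhanced"), (30, "medium", "standard"), (0, "low", "simplified")]


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    geography: str
    industry: str
    customer_type: str
    channel: str
    volume: str
    pep: bool = False
    sanctions_hit: bool = False


def contributions(profile):
    """Weighted contribution of each factor to the score; one row of a risk matrix."""
    return {
        factor: WEIGHTS[factor] * FACTOR_SCORES[factor][getattr(profile, factor)] / 100
        for factor in WEIGHTS
    }


def weighted_score(profile):
    """Overall 0-100 score; equals the sum of the factor contributions."""
    return sum(contributions(profile).values())


def classify(profile):
    """Return (tier, due_diligence, score). Some factors override the arithmetic."""
    score = weighted_score(profile)
    # A confirmed sanctions hit is not a scoring question: stop and escalate.
    if profile.sanctions_hit:
        return ("prohibited", "escalate_to_compliance", score)
    # PEPs attract enhanced due diligence regardless of the rest of the profile.
    if profile.pep:
        return ("high", "enhanced", score)
    for lower_bound, tier, diligence in TIERS:
        if score >= lower_bound:
            return (tier, diligence, score)
    raise ValueError("score below zero")  # unreachable with non-negative factor scores


# Constructed sample profiles, not real customers.
SAMPLE_PROFILES = [
    CustomerProfile("P-1", "low", "salaried_individual", "individual", "face_to_face", "low"),
    CustomerProfile("P-2", "medium", "retail", "private_company", "remote_verified", "medium"),
    CustomerProfile("P-3", "fatf_monitored", "msb_or_crypto", "trust_or_layered", "via_intermediary", "high"),
    CustomerProfile("P-4", "low", "salaried_individual", "individual", "face_to_face", "low", pep=True),
]

if __name__ == "__main__":
    header = "customer " + " ".join(f"{f[:9]:>9}" for f in WEIGHTS) + "  score tier    diligence"
    print(header)
    for p in SAMPLE_PROFILES:
        tier, diligence, score = classify(p)
        row = " ".join(f"{v:9.1f}" for v in contributions(p).values())
        print(f"{p.customer_id:8} {row} {score:6.1f} {tier:7} {diligence}")
```

Printing the contribution matrix next to the tier is what makes the model reviewable: an auditor can see that P-3 is high risk mainly because of geography (24 of its 83 points) rather than take the tier on faith, and the overrides make explicit that PEP status and sanctions hits are policy decisions, not just another weighted column.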
4. Employ advanced technology
Ultimately, your customer due diligence process can benefit from robust solutions that make it simple, secure, and compliant with regulations. For instance, ID verification and face biometrics with liveness checks can be carried out by solutions like Regula Document Reader SDK and Regula Face SDK.
These customer due diligence solutions can easily integrate with your existing mobile or web applications. Document Reader SDK processes images of documents and verifies their real presence (liveness) and authenticity. The software identifies the document type, extracts all the necessary information, and confirms whether the document is genuine.
At the same time, Regula Face SDK conducts instant facial recognition and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks.