
30 Oct 2025, in Q&A

What Are the Main Customer Due Diligence Requirements? A Quick Explanation

Henry Patishman

Executive VP, Identity Verification solutions at Regula

Customer due diligence (CDD) is one of the quintessential anti-financial crime operations. Now a must-have in many countries by law, CDD reduces exposure to illicit activities and supports anti-money laundering goals.

But how exactly does CDD work? And what is the difference between various CDD types? Read further to find out.


What is customer due diligence (CDD)?

Customer due diligence is a core set of checks that confirm who a customer is, why they need a product, and what “normal” use should look like. It supports anti-money laundering work by verifying the customer’s identity, collecting beneficial ownership information for businesses, screening against sanctions and politically exposed person (PEP) lists, and recording the expected activity profile.

In practice, you gather reliable evidence at onboarding, keep it current as circumstances change, and use it to judge alerts with context.

What are the types of CDD?

Customer risk always varies, so the intensity of CDD checks varies too, with most regulatory requirements broken into three levels:

  • Simplified due diligence (SDD): Used for low-risk situations, for example, a basic savings product with strict limits and clear, low-risk customer segments. You still perform CDD checks, but the data you gather and the verification steps are lighter. Collect only the core data (name, date of birth, address, email, phone, valid ID image), verify basic attributes, and keep routine monitoring in place so you can escalate if risk rises.

  • Standard due diligence (CDD): This is the default for the bulk of retail banking and many business accounts. Verify identities with biometrics and liveness, cross-check IDs in official databases, validate addresses with reliable documents, capture beneficial ownership information for ≥25% owners, obtain business registration papers, consider geographic exposure, and record a concrete expected profile to support CDD checks and ongoing monitoring.

  • Enhanced due diligence (EDD): Used when risk rises. Triggers often include PEPs, higher-risk geographies, complex legal entity customers, or patterns that hint at financial crime risk. Verify source of funds with solid evidence, review current sanctions and PEP data plus adverse media, map and validate each intermediary in complex structures, track any link to high-risk jurisdictions, and analyze history for spikes or new counterparties as part of additional CDD requirements.

What are the main customer due diligence requirements?

Occasionally, we see people ask, “What are the four customer due diligence requirements?” But it’s hard to narrow those requirements down to four without leaving a key part out. Instead, customer due diligence typically centers around five key components: identity verification, beneficial ownership checks, profiling of the business relationship, sanctions screening, and ongoing monitoring.

1) Identity verification of customers

At customer onboarding, institutions confirm that the person is who they claim to be, using trustworthy data. The specifics vary by product and jurisdiction, but the principle never changes: match the person or business in front of you with real-world evidence. 

What checks to perform:

  • Document authentication: Inspect security features under multiple light sources; parse MRZ/barcodes; compare data consistency across visual and digital zones; check for tampering or template misuse. Where available, read the RFID chip and compare the chip portrait to the live capture.

  • Biometric match and liveness: Compare a selfie to the document portrait with robust similarity thresholds, and perform a liveness check to block presentation attacks. Additionally, device capture metadata can be checked to guard against recycled selfies and synthetic faces.

  • Authoritative cross-checks: Check document validity and status in government or trusted registries; confirm that the person exists at the claimed address using dependable proofs such as a utility bill, recent bank statement, or tenancy agreement.
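The “parse MRZ” and “compare data consistency across visual and digital zones” steps above are mechanical enough to show in code. The following is an added example written for this page; it is not Regula’s code and it does not use either Regula SDK. It implements the ICAO 9303 check-digit rule (weights 7, 3, 1; letters A–Z valued 10–35; filler `<` valued 0) for a two-line TD3 passport MRZ, then compares the decoded fields with values assumed to come from an OCR read of the printed page. The MRZ lines are the published specimen from ICAO Doc 9303 (a test document, not a real passport); the tampered copy and the visual-zone dictionary are constructed for the example.

```python
import re

# ICAO 9303 check-digit alphabet: digits keep their value, A-Z map to 10..35,
# the filler '<' counts as 0; the weights 7, 3, 1 repeat across the field.
def mrz_char_value(ch):
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")

def mrz_check_digit(field):
    weights = (7, 3, 1)
    return sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def _check_ok(field, printed):
    # A '<' in a check-digit position means the field is unused and counts as 0.
    return mrz_check_digit(field) == (0 if printed == "<" else int(printed))

def parse_td3(line1, line2):
    """Parse a two-line TD3 (passport) MRZ and verify each check digit.

    Returns (fields, checks): the decoded fields and a dict of check-digit results.
    """
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 lines must be exactly 44 characters")
    primary, _, secondary = line1[5:44].partition("<<")
    fields = {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_country": line1[2:5],
        "surname": primary.replace("<", " ").strip(),
        "given_names": secondary.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "birth_date": line2[13:19],      # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],     # YYMMDD
        "optional_data": line2[28:42].rstrip("<"),
    }
    # The composite check covers document number + check, birth date + check, and
    # expiry date + check + optional data + check (sex and nationality are excluded).
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    checks = {
        "document_number": _check_ok(line2[0:9], line2[9]),
        "birth_date": _check_ok(line2[13:19], line2[19]),
        "expiry_date": _check_ok(line2[21:27], line2[27]),
        "optional_data": _check_ok(line2[28:42], line2[42]),
        "composite": _check_ok(composite, line2[43]),
    }
    return fields, checks

def compare_viz_to_mrz(viz, mrz_fields):
    """Return the names of fields where the printed visual zone disagrees with the MRZ.

    viz holds values read from the printed page (OCR or manual entry); dates are
    ISO YYYY-MM-DD and are reduced to YYMMDD before comparison.
    """
    def norm(s):
        return re.sub(r"[^A-Z0-9]", "", s.upper())
    mismatches = []
    for key in ("surname", "given_names", "document_number"):
        if norm(viz[key]) != norm(mrz_fields[key]):
            mismatches.append(key)
    for key in ("birth_date", "expiry_date"):
        if norm(viz[key])[2:] != mrz_fields[key]:
            mismatches.append(key)
    return mismatches

# Specimen MRZ published in ICAO Doc 9303 (a test document, not a real passport).
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed: the same MRZ with one digit of the birth date altered.
TAMPERED_LINE2 = SPECIMEN_LINE2[:13] + "740813" + SPECIMEN_LINE2[19:]

# Constructed visual-zone data, as an OCR step would deliver it.
SPECIMEN_VIZ = {
    "surname": "Eriksson", "given_names": "Anna Maria", "document_number": "L898902C3",
    "birth_date": "1974-08-12", "expiry_date": "2012-04-15",
}

if __name__ == "__main__":
    fields, checks = parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)
    print(fields["surname"], fields["given_names"], checks)
    print("VIZ/MRZ mismatches:", compare_viz_to_mrz(SPECIMEN_VIZ, fields))
    _, bad = parse_td3(SPECIMEN_LINE1, TAMPERED_LINE2)
    print("tampered copy fails:", [k for k, ok in bad.items() if not ok])
```

A single altered digit breaks both the field check digit and the composite check digit, which is why the composite is worth verifying even when every field passes individually. In production this sits beside, not instead of, optical security-feature inspection and chip reading: check digits catch OCR errors and crude edits, not a well-made forgery with internally consistent data.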

Such procedures are often powered by robust ID verification solutions like Regula Document Reader SDK (for document verification) and Regula Face SDK (for biometrics and liveness).

A practical example

A digital bank accepts a new retail customer through a mobile app. The user scans a passport and takes a selfie. The system validates the document’s security features, compares the selfie to the portrait, and checks the data against a trusted identity source. If the passport is valid and the match is strong, the account proceeds; if anomalies appear, the case moves to manual review. This is central to CDD requirements for financial institutions of every size.

2) Uncovering beneficial ownership

For companies and other organizations, collect and verify beneficial ownership information so you know who truly benefits and who makes decisions. Identify individuals meeting the ownership threshold and test for control where shareholdings sit below that line. 

Obtain articles of incorporation, registration numbers, and tax IDs, then verify each named person to the same standard as a retail client. When structures are layered or cross-border, validate each intermediary entity and keep the chain clear in the file. Doing this properly closes gaps that financial crime networks exploit and matches what examiners expect under customer due diligence requirements for financial institutions.

A practical example

An SME in import/export opens an account. The bank pulls corporate registry records, confirms directors and shareholders, and sees that two individuals hold 30% each through a holding company. The bank collects passports from those individuals and documentary proof for the holding structure, then records the chain of ownership. If a trust sits in that chain, the bank records the trustee, settlor, and any known beneficiaries.
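The ownership-chain arithmetic in the example above (two individuals each holding 30% through a holding company) generalizes to any layered structure: multiply the fractions along each chain and add up every chain that ends at the same natural person. The following is an added example written for this page, not Regula’s code; the company and person names and the percentages are constructed, and the 25% threshold is the one the article cites. It also reports how much of the target’s equity is not traced to any natural person, which is the signal that the file is incomplete.

```python
from fractions import Fraction

# Constructed ownership graph: owner -> {owned entity: fraction of shares held}.
# The 40% of MidCo SA that is not listed is deliberately left unaccounted for.
OWNERSHIP = {
    "Holding BV": {"TradeCo Ltd": Fraction(60, 100)},
    "Alice": {"Holding BV": Fraction(50, 100)},
    "Bob": {"Holding BV": Fraction(50, 100)},
    "Carol": {"TradeCo Ltd": Fraction(15, 100), "MidCo SA": Fraction(60, 100)},
    "MidCo SA": {"TradeCo Ltd": Fraction(20, 100)},
    "Dave": {"TradeCo Ltd": Fraction(5, 100)},
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Dave"}
THRESHOLD = Fraction(25, 100)   # the >=25% line used in the article

def effective_ownership(target, graph, natural_persons):
    """Aggregate each natural person's direct and indirect share of `target`.

    Returns {person: {"share": Fraction, "chains": [str, ...]}}; each chain records
    the path through intermediaries so the file shows how the share arises.
    """
    owners_of = {}
    for owner, holdings in graph.items():
        for owned, frac in holdings.items():
            owners_of.setdefault(owned, []).append((owner, frac))

    result = {}

    def walk(entity, multiplier, path):
        for owner, frac in owners_of.get(entity, []):
            if owner in path:          # circular cross-holding: stop rather than loop
                continue
            share = multiplier * frac
            chain = path + [owner]
            if owner in natural_persons:
                rec = result.setdefault(owner, {"share": Fraction(0), "chains": []})
                rec["share"] += share
                rec["chains"].append(" -> ".join(reversed(chain)))
            else:
                walk(owner, share, chain)

    walk(target, Fraction(1), [target])
    return result

def beneficial_owners(result, threshold=THRESHOLD):
    """Natural persons at or above the threshold, largest share first."""
    ranked = sorted(result.items(), key=lambda kv: (-kv[1]["share"], kv[0]))
    return [person for person, rec in ranked if rec["share"] >= threshold]

def coverage_gap(result):
    """Share of the target not traced to any natural person (0 for a complete file)."""
    return Fraction(1) - sum((rec["share"] for rec in result.values()), Fraction(0))

if __name__ == "__main__":
    result = effective_ownership("TradeCo Ltd", OWNERSHIP, NATURAL_PERSONS)
    for person, rec in result.items():
        print(f"{person}: {float(rec['share']):.0%} via {rec['chains']}")
    print("beneficial owners:", beneficial_owners(result))
    print("untraced equity:", f"{float(coverage_gap(result)):.0%}")
```

Carol is the case worth noticing: 15% directly would stay below the line, but adding the 12% she holds through MidCo SA puts her at 27%, so aggregation across chains matters, not just each chain on its own. The 8% gap reflects the unnamed 40% of MidCo SA; a file with a non-zero gap needs more evidence before the ownership picture can be called complete.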

3) Determining purpose, intended nature, and customer risk profiles

Knowing the customer includes understanding how they plan to use the account and creating a baseline for “normal” activity. Collect concrete details at onboarding: main sources of funds, expected payment corridors, typical counterparties, cash usage, and anticipated volumes. Use this to build customer risk profiles that feed both onboarding risk rating and future monitoring.

A practical example

A freelance designer opens a business account and reports monthly income in a narrow range, paid through two platforms, with occasional transfers to a personal account. Later, the same account starts receiving high-value incoming wires tagged as “consulting” from unrelated jurisdictions. That deviation trips a review.

4) Screening and sanctions controls

While identity and purpose focus on who and why, screening focuses on illicit activities linked to who you are onboarding or serving. You need screening for sanctions, PEP status, and negative media that signals financial crime risk. 

Check names against current sanctions lists from OFAC, the UN, and the EU; review PEP exposure; and check adverse media from trustworthy sources. Keep lists up to date, set solid match rules, and document decisions so you can explain why a near match was cleared or escalated. Higher-risk hits often trigger additional CDD requirements, such as senior approval, tighter limits, or EDD refresh. Screening sits alongside identity work in all credible CDD requirements and is a core deterrent to illicit activities under anti-money laundering programs.

A practical example

A remittance provider flags a customer with a near match to a recently sanctioned individual. Analysts compare the date of birth, location history, and known associates, then decide it is a false positive. The decision, the evidence, and the rationale are saved to the case management record. If it had been a true hit, onboarding would have halted, and internal notifications would have been sent to the AML officer in line with regulatory requirements.
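The near-match workflow described in this section (fuzzy name hit, then secondary identifiers decide true match or false positive, then a documented decision) looks like this in code. This is an added example for this page, not Regula’s code or any real screening engine; the watch-list entries are fictional and constructed, and the scoring function is a simple token-level similarity built on Python’s `difflib`, standing in for whatever matching engine a real program uses.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional watch-list entries (not real sanctions data).
WATCHLIST = [
    {"id": "LIST-0001", "name": "Ivan Petrovich Volkov", "dob": "1965-03-14", "country": "XA"},
    {"id": "LIST-0002", "name": "Volkova Trading LLC", "dob": None, "country": "XA"},
    {"id": "LIST-0003", "name": "Chen Wei", "dob": "1972-11-30", "country": "XB"},
]

def name_tokens(name):
    """Lower-case, strip accents and punctuation, and split into tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.findall(r"[a-z0-9]+", ascii_name.lower())

def name_score(a, b):
    """Token-level fuzzy similarity in [0, 1]: each token of the shorter name is paired
    with its best match in the longer one, so word order and extra middle names do
    not lower the score."""
    ta, tb = name_tokens(a), name_tokens(b)
    if not ta or not tb:
        return 0.0
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    best = [max(SequenceMatcher(None, t, u).ratio() for u in long_) for t in short]
    return sum(best) / len(best)

def screen(customer_name, watchlist=WATCHLIST, threshold=0.85):
    """Return watch-list entries scoring at or above the threshold, best first."""
    hits = [{"entry": e, "score": round(name_score(customer_name, e["name"]), 3)}
            for e in watchlist]
    return sorted([h for h in hits if h["score"] >= threshold], key=lambda h: -h["score"])

def adjudicate(customer, hit):
    """Compare secondary identifiers on a name hit and build an auditable decision record.

    A contradicting date of birth clears the hit as a false positive; a different
    country is recorded as a note only, because people relocate."""
    entry = hit["entry"]
    contradictions, notes = [], []
    if entry["dob"] and customer.get("dob") and entry["dob"] != customer["dob"]:
        contradictions.append(f"date of birth differs: customer {customer['dob']}, list {entry['dob']}")
    if entry["country"] and customer.get("country") and entry["country"] != customer["country"]:
        notes.append(f"country differs: customer {customer['country']}, list {entry['country']}")
    decision = "false_positive" if contradictions else "escalate"
    return {
        "customer": customer["name"], "list_id": entry["id"], "list_name": entry["name"],
        "score": hit["score"], "decision": decision,
        "rationale": contradictions + notes or ["name match with no contradicting identifiers"],
    }

if __name__ == "__main__":
    customer = {"name": "Ivan Volkof", "dob": "1981-07-02", "country": "XC"}
    for hit in screen(customer["name"]):
        print(adjudicate(customer, hit))
```

Two caveats a reviewer would raise on this scoring: a single-token name that exactly matches one token of a list entry scores 1.0, so production rules usually require a minimum number of matched tokens or weight surnames more heavily; and the threshold is a tuning decision that should be documented and revisited, since the article’s point is that every cleared near match must be explainable later.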

5) Ongoing monitoring, recordkeeping, and reporting

CDD does not end when the account opens. You must conduct ongoing monitoring to confirm that transactions align with the profile you set at the start. Monitoring includes automated scenarios and manual reviews, periodic refresh of KYC data, and risk-led rechecks after key events such as a surge in volume, new high-risk corridors, or a change in ownership.

Alongside monitoring, CDD frameworks require keeping reliable records of identification data, verification materials, screening outcomes, alerts, and decisions. Retention periods depend on local law (usually 5 to 10 years). 

There are also certain reporting obligations to consider: in the US, for example, institutions have reporting duties to the Department of the Treasury, including filings to FinCEN when suspicious activity suggests financial crime. Other countries set their own filing routes and timelines, but the backbone is similar: document your reasoning and report when red flags cross certain boundaries.

A practical example

A crypto exchange sees small trades during the first three months of an account, then a jump to large withdrawals routed through mixers. The alerting system is triggered based on a scenario built for sudden risk shifts. Investigators pull the CDD file, compare current activity to the onboarding profile, and add blockchain analytics to the evidence pack. If suspicion remains, a report is filed under the relevant anti-money laundering law.
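Sections 3 and 5 together describe one mechanism: record an expected-activity profile at onboarding, then run scenarios that compare each month’s transactions against it. The following is an added example for this page, not Regula’s code; it encodes the freelance-designer profile from section 3 and a constructed transaction log that behaves as that example describes (two quiet months, then large “consulting” wires from unrelated jurisdictions). The scenario names, thresholds and the 3x “sudden shift” factor are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date

# Expected-activity profile captured at onboarding (constructed; amounts in EUR).
PROFILE = {
    "customer_id": "C-1001",
    "expected_monthly_inflow": (3000, 6000),
    "expected_counterparties": {"DesignHub", "Freelance.io"},
    "expected_corridors": {"DE", "NL"},
    "max_single_transaction": 4000,
}

def tx(d, direction, amount, counterparty, country, memo=""):
    return {"date": d, "direction": direction, "amount": amount,
            "counterparty": counterparty, "country": country, "memo": memo}

# Constructed transaction log: two months matching the profile, then the deviation.
TRANSACTIONS = [
    tx(date(2025, 1, 5), "in", 2200, "DesignHub", "DE", "platform payout"),
    tx(date(2025, 1, 19), "in", 2100, "Freelance.io", "NL", "platform payout"),
    tx(date(2025, 1, 25), "out", 1500, "own personal account", "DE", "transfer"),
    tx(date(2025, 2, 6), "in", 2400, "DesignHub", "DE", "platform payout"),
    tx(date(2025, 2, 20), "in", 2000, "Freelance.io", "NL", "platform payout"),
    tx(date(2025, 3, 4), "in", 2300, "DesignHub", "DE", "platform payout"),
    tx(date(2025, 3, 11), "in", 25000, "Meridian Consult FZE", "AE", "consulting"),
    tx(date(2025, 3, 18), "in", 2200, "Freelance.io", "NL", "platform payout"),
    tx(date(2025, 3, 27), "in", 18000, "Opal Advisory Ltd", "KY", "consulting"),
]

def monthly_inflows(txns):
    """Total incoming amount per (year, month)."""
    totals = defaultdict(float)
    for t in txns:
        if t["direction"] == "in":
            totals[(t["date"].year, t["date"].month)] += t["amount"]
    return totals

def evaluate_month(profile, txns, year, month, spike_factor=3.0):
    """Run the monitoring scenarios for one month and return the alerts they raise."""
    alerts = []

    def alert(scenario, detail):
        alerts.append({"scenario": scenario, "detail": detail})

    month_txns = [t for t in txns if (t["date"].year, t["date"].month) == (year, month)]
    inflow = sum(t["amount"] for t in month_txns if t["direction"] == "in")
    low, high = profile["expected_monthly_inflow"]
    if not low <= inflow <= high:
        alert("VOLUME_OUT_OF_RANGE", f"inflow {inflow:.0f} outside expected {low}-{high}")
    for t in month_txns:
        if t["direction"] == "in" and t["counterparty"] not in profile["expected_counterparties"]:
            alert("UNKNOWN_COUNTERPARTY", f"{t['counterparty']} ({t['memo']})")
        if t["country"] not in profile["expected_corridors"]:
            alert("NEW_CORRIDOR", f"{t['country']} via {t['counterparty']}")
        if t["amount"] > profile["max_single_transaction"]:
            alert("LARGE_TRANSACTION", f"{t['amount']:.0f} from {t['counterparty']}")
    # Sudden-shift scenario: compare this month with the customer's own prior months,
    # not just with the static profile, so drift is caught even inside a wide range.
    prior = [v for (y, m), v in monthly_inflows(txns).items() if (y, m) < (year, month)]
    if prior:
        baseline = sum(prior) / len(prior)
        if baseline > 0 and inflow >= spike_factor * baseline:
            alert("SUDDEN_SHIFT", f"inflow is {inflow / baseline:.1f}x the prior-month average")
    return alerts

def run_monitoring(profile, txns):
    """Evaluate every month present in the log; returns {(year, month): [alerts]}."""
    months = sorted({(t["date"].year, t["date"].month) for t in txns})
    return {ym: evaluate_month(profile, txns, *ym) for ym in months}

if __name__ == "__main__":
    for ym, alerts in run_monitoring(PROFILE, TRANSACTIONS).items():
        print(ym, alerts or "no alerts")
```

The March alerts are what an investigator would pull the CDD file for: each one names the profile element it contradicts, which is exactly the “compare current activity to the onboarding profile” step in the exchange example above. Whether the case then becomes a report is a judgement the code does not make; it only produces the evidence and the reasons.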

A final word on customer due diligence requirements

Effective CDD means you can reliably verify who you are dealing with, understand why the account exists, see who the business owners are, and keep activity consistent with that profile. 

Build around five practical pillars: identification and verification, beneficial ownership, purpose and risk profiling, screening, and ongoing monitoring and records. Teams that follow these CDD requirements spot anomalies sooner and handle alerts with fewer mistakes.
