Created on: January 7, 2026
Updated on: January 7, 2026

CIP vs CDD vs EDD: Understanding the Three Pillars of Customer Verification


In the world of regulatory compliance, few areas generate as much confusion as the relationship between CIP, CDD, and EDD. These three acronyms (Customer Identification Program, Customer Due Diligence, and Enhanced Due Diligence) are often used interchangeably, treated as synonyms, or simply lumped together under the umbrella of "Know Your Customer (KYC)."

But they're not the same thing. Each serves a distinct purpose in your anti-money laundering (AML) program, requires different procedures, and applies to different situations. Understanding these distinctions isn't academic. It's essential for building a compliance program that actually works.

Failure to properly distinguish between these requirements leads to real problems: over-verification that frustrates low-risk customers, under-verification that exposes the institution to regulatory action, and compliance programs that are simultaneously too burdensome and not effective enough.

This guide clarifies the differences between CIP, CDD, and EDD, explains when each applies, and shows how they work together to create a comprehensive customer verification framework.

The Quick Answer: How CIP, CDD, and EDD Differ

Before diving into the details, here's the essential distinction:

CIP (Customer Identification Program) answers the question: "Is this customer who they claim to be?" It's about verifying identity at account opening.

CDD (Customer Due Diligence) answers the question: "What should I expect from this customer?" It's about understanding the customer's profile to enable effective monitoring.

EDD (Enhanced Due Diligence) answers the question: "What additional information do I need about this higher-risk customer?" It's about applying deeper scrutiny when standard due diligence reveals elevated risk.

Think of it as a progression: CIP confirms identity, CDD establishes baseline expectations, and EDD provides additional scrutiny when circumstances warrant it.

Now let's examine each in detail.

What Is CIP (Customer Identification Program)?

The Customer Identification Program (CIP) is a regulatory requirement established under Section 326 of the USA PATRIOT Act. It mandates that financial institutions verify the identity of customers opening accounts.

CIP Requirements at a Glance

What information must be collected:

  • Full legal name
  • Date of birth (for individuals)
  • Address (residential or business)
  • Identification number (SSN for U.S. persons; passport number, alien ID, or government-issued document number for non-U.S. persons)

When it applies:

  • At account opening
  • Before the customer is allowed to conduct transactions (or within a "reasonable time" after opening in limited circumstances)

How verification occurs:

  • Documentary verification (reviewing government-issued ID)
  • Non-documentary verification (database checks, credit bureau data, references)
  • Often a combination of both

What records must be kept:

  • All identifying information collected
  • Description of verification methods and results
  • Retained for five years after account closure

The Purpose of CIP

CIP serves a singular, critical function: confirming that the person or entity opening an account is who they claim to be. It's the gateway to the customer relationship. Without verified identity, all subsequent compliance activities lose their foundation.

CIP is mandatory. Every customer opening an account must go through CIP procedures. There's no risk-based exception that allows institutions to skip identity verification for "low-risk" customers. The depth of verification may vary based on risk, but the requirement to verify identity applies universally.

CIP Limitations

CIP tells you who the customer is. It does not tell you:

  • What the customer plans to do with the account
  • Whether the customer's expected transaction patterns are consistent with their profile
  • Whether the customer poses elevated money laundering or terrorist financing risk

That's where CDD comes in.

What Is CDD (Customer Due Diligence)?

Customer Due Diligence (CDD) extends beyond identity verification to develop an understanding of who the customer is, what they do, and what their expected account activity should look like. While CIP confirms identity, CDD establishes the context needed for effective ongoing monitoring.

The FinCEN CDD Rule and Its Four Pillars

In 2016, FinCEN issued the Customer Due Diligence Requirements for Financial Institutions rule, which formalized CDD requirements and established four core elements. Understanding these four pillars is essential for compliance.

The first pillar addresses identifying and verifying customer identity. This overlaps significantly with CIP: financial institutions must collect and verify the same core identifying information (name, date of birth, address, and identification number) using documentary and non-documentary methods.

The second pillar focuses on beneficial ownership. For legal entity customers, institutions must identify each individual who owns 25% or more of the equity interests, along with at least one individual who has significant responsibility for controlling or managing the entity, regardless of ownership percentage. This requirement addresses shell company abuse and ensures at least one natural person is accountable for the entity's activities.

The third pillar requires institutions to understand the nature and purpose of customer relationships. This means developing a "customer risk profile" that enables the institution to understand what normal and expected transactions look like for this particular customer, identify transactions that would be unusual, and form a reasonable belief about the legitimacy of the relationship. This information gathering goes beyond simple identity verification and establishes the baseline for ongoing monitoring.

The fourth pillar mandates ongoing monitoring. CDD isn't complete at account opening. Institutions must monitor for suspicious activity on a risk-based schedule, update customer information when triggered by events or periodic reviews, and re-evaluate customer risk ratings as circumstances change.

These four pillars work together. Verified identity enables accurate risk profiling, which enables effective ongoing monitoring, which may trigger re-verification or enhanced due diligence.

The Three Tiers of Customer Due Diligence

Not all customers require the same level of scrutiny. CDD operates on a tiered basis, with the level of due diligence calibrated to the customer's risk profile.

Simplified Due Diligence (SDD) applies to the lowest-risk customers where the money laundering and terrorist financing risk is minimal. SDD may involve reduced identity verification requirements, less detailed information gathering about business purpose, and streamlined ongoing monitoring. Government bodies, publicly traded companies on regulated exchanges, regulated financial institutions, and pension funds typically qualify for SDD treatment.

It's important to note that SDD is not the same as "no due diligence." Institutions must still verify identity and be alert to red flags. SDD simply allows for a lighter touch when risk is demonstrably low.

Standard CDD is the baseline level of due diligence applied to most customers. It includes full CIP procedures for identity verification, beneficial ownership identification for entities, understanding the nature and purpose of the relationship, and ongoing monitoring appropriate to the customer's risk level. Most retail and commercial customers fall into this category.

Enhanced Due Diligence (EDD) applies to higher-risk customers who present elevated money laundering or terrorist financing risk. EDD involves all standard CDD elements plus additional scrutiny, which we detail in the EDD section below.

The key principle is that resources should be allocated based on risk. Applying EDD to all customers wastes resources on low-risk relationships while potentially diluting focus on genuinely high-risk customers.

CDD Requirements in Practice

Beneficial Ownership Identification

For legal entity customers (corporations, LLCs, partnerships, trusts), institutions must identify and verify:

  • Each individual who owns 25% or more of the entity
  • One individual who controls the entity (regardless of ownership percentage)

This beneficial ownership requirement addresses a major vulnerability: criminals using shell companies to obscure their identities. The 25% threshold catches significant owners, while the controlling individual requirement ensures at least one natural person is identified.

Nature and Purpose of the Relationship

CDD requires institutions to understand:

  • The customer's occupation or business type
  • The expected account activity (transaction types, volumes, geographic patterns)
  • The purpose of the account (operating account, investment, payroll, etc.)

This information establishes the baseline against which future activity will be compared. Without understanding what's normal for a customer, detecting abnormal activity becomes impossible.

Risk Rating

Based on CDD information, institutions assign customers a risk rating that determines:

  • The level of ongoing monitoring applied
  • Whether enhanced due diligence is required
  • The frequency of periodic reviews

When CDD Applies

CDD applies to all customer relationships, but the depth of due diligence should be calibrated to risk. A straightforward individual savings account may require minimal additional information beyond CIP. A complex corporate customer with international operations requires much more extensive due diligence.

This risk-based approach is essential. Applying the same due diligence intensity to every customer regardless of risk creates two problems: it burdens low-risk customers unnecessarily, and it dilutes resources that should be focused on higher-risk relationships.


What Is EDD (Enhanced Due Diligence)?

Enhanced Due Diligence (EDD) is exactly what the name suggests: due diligence that goes beyond standard requirements when circumstances indicate elevated risk. While CDD establishes baseline understanding, EDD provides deeper scrutiny for customers who pose greater potential for money laundering, terrorist financing, or other illicit activity.

When EDD Is Required

EDD is triggered by various risk factors. While some situations mandate EDD by regulation, institutions should also apply EDD whenever their risk assessment indicates elevated risk.

Regulatory EDD Triggers:

Politically Exposed Persons (PEPs) are individuals who hold or have held prominent public positions, along with their family members and close associates. PEPs present elevated corruption and bribery risk.

Correspondent Banking Relationships with other financial institutions require enhanced scrutiny due to the potential for nested access to the financial system.

Private Banking Relationships with high-net-worth individuals receive enhanced attention due to the potential for larger illicit flows.

Customers from High-Risk Jurisdictions include those from countries identified by FATF or OFAC as having weak AML controls or as being subject to sanctions.

Risk-Based EDD Triggers:

  • Unusual or complex ownership structures
  • Cash-intensive businesses (casinos, check cashers, money service businesses)
  • Businesses in high-risk industries (precious metals, real estate, art dealing)
  • Customers with adverse media coverage
  • Customers with previous suspicious activity reports

EDD Procedures

EDD involves additional information gathering and enhanced scrutiny. Specific procedures vary by institution and situation, but typically include:

Source of Wealth Verification

  • Understanding how the customer accumulated their wealth
  • Reviewing documentation supporting wealth claims (tax returns, business records, inheritance documentation)
  • Verifying consistency between claimed wealth and employment/business history

Source of Funds Verification

  • Identifying the origin of funds flowing through the account
  • Distinguishing between legitimate business proceeds, investment returns, inheritance, etc.
  • Obtaining documentation to support fund sources

Enhanced Background Research

  • Expanded adverse media searches
  • Review of litigation history and court records
  • Investigation of business relationships and associates

More Frequent Monitoring

  • Transaction review at lower thresholds
  • More frequent periodic reviews
  • Tighter scrutiny of transaction patterns

Senior Management Approval

  • Requiring senior-level approval to open or maintain the relationship
  • Periodic management review of the relationship status

EDD Documentation

EDD decisions and procedures must be documented thoroughly. This documentation should capture the risk factors that triggered EDD, what additional information was gathered, how that information was verified, the determination to open or maintain the account, and approval by appropriate personnel.

This documentation is critical for regulatory examinations. Examiners will want to see not just that EDD was performed, but that it was performed thoughtfully and consistently.

EDD Triggers Checklist

Use this checklist to determine when enhanced due diligence is warranted:

Regulatory EDD Triggers (typically mandatory)

  • Customer is a Politically Exposed Person or close associate/family member of a PEP
  • Customer is from a country subject to OFAC sanctions or FATF designation
  • Correspondent banking relationship with foreign financial institution
  • Private banking relationship with high-net-worth individual
  • Customer appears on adverse media databases for financial crime

Risk-Based EDD Triggers (institution discretion)

  • Complex or opaque ownership structure involving multiple jurisdictions
  • Cash-intensive business (casinos, check cashing, money services)
  • High-risk industry (precious metals, real estate, art dealing, cryptocurrency)
  • Unusual transaction patterns inconsistent with stated business purpose
  • Customer previously named in a Suspicious Activity Report
  • Beneficial owner resides in high-risk jurisdiction despite entity being domestic
  • Significant unexplained changes in account activity
  • Customer reluctant to provide requested information

When any of these triggers is present, institutions should escalate from standard CDD to enhanced due diligence procedures.

Practical Examples: CIP, CDD, and EDD in Action

Understanding these distinctions is easier with concrete examples. Here's how CIP, CDD, and EDD apply to different customer scenarios:

Example 1: Individual Retail Customer

Scenario: Sarah, a 32-year-old marketing manager in Chicago, wants to open a personal checking account.

CIP procedures: The bank collects Sarah's full name, date of birth, home address, and Social Security number. She provides her driver's license, which the bank authenticates. Database verification confirms her information matches credit bureau records.

CDD procedures: The bank asks about her employment, expected deposit sources (primarily payroll), and anticipated transaction patterns (direct deposit, debit card purchases, occasional transfers). Based on this information, Sarah is assigned a low-risk rating.

EDD procedures: None required. Sarah presents no elevated risk factors.

Result: Account opened with standard monitoring. The bank will flag activity that deviates significantly from the established baseline (e.g., sudden large cash deposits inconsistent with her salary).

Example 2: Small Business Account

Scenario: Marcus operates a landscaping business in Dallas and wants to open a business checking account for his LLC.

CIP procedures: The bank collects the business name, EIN, and principal place of business. Marcus provides his personal identification as the sole owner and controller. The bank verifies the LLC's existence through state records.

CDD procedures: The bank gathers beneficial ownership information (Marcus owns 100%), understands the nature of the business (residential landscaping services), and documents expected activity patterns (customer payments by check and card, regular expenses for supplies and payroll). Marcus is asked about his customer base, geographic area of operation, and typical transaction sizes.

EDD procedures: None required. Standard small business with straightforward operations.

Result: Account opened with standard monitoring appropriate for a cash-and-check business.

Example 3: Corporate Account with PEP Involvement

Scenario: A consulting firm applies for a business account. During beneficial ownership collection, the bank discovers that one 30% owner is the spouse of a sitting member of the European Parliament.

CIP procedures: Standard identity verification for the entity and all beneficial owners.

CDD procedures: Standard information collection on the consulting business, client base, and expected transaction patterns.

EDD procedures triggered: The PEP connection requires enhanced scrutiny. The bank investigates the source of the PEP spouse's wealth and investment in the firm. It reviews adverse media for any corruption allegations. It requires senior management approval to open the account. It establishes enhanced monitoring with lower transaction thresholds and more frequent reviews.

Result: Account opened after EDD completion, with ongoing enhanced monitoring. The relationship receives annual senior management review.

Example 4: Cryptocurrency Exchange

Scenario: A startup cryptocurrency exchange applies for banking services.

CIP procedures: Standard verification of the entity and beneficial owners.

CDD procedures: Detailed understanding of the business model, customer onboarding procedures, transaction volumes, and geographic markets served.

EDD procedures triggered: The cryptocurrency industry presents elevated risk. The bank requests detailed information on the exchange's own AML/KYC procedures, examines its licensing status in relevant jurisdictions, reviews the background of all principals, and requires demonstration of adequate transaction monitoring systems.

Result: After extensive EDD, the bank may accept, decline, or accept with significant restrictions (such as limits on transaction volumes or requirements for periodic compliance attestations).
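As an added example (not Zyphe's code or any regulator's reference implementation), the following Python encodes the beneficial ownership rule from the CDD section (25% ownership prong plus one control person) and the EDD triggers checklist, then applies them to constructed customers modeled on Examples 2 and 3. The Person and EntityCustomer shapes, field names and the placeholder jurisdiction list are assumptions; a real deployment would source jurisdiction and PEP data from current FATF, OFAC and screening providers.

```python
# Added example, not Zyphe's or FinCEN's code. Field names, sample customers and
# the placeholder jurisdiction list are constructed for illustration only.
from dataclasses import dataclass, field
from typing import List, Tuple

OWNERSHIP_THRESHOLD_PCT = 25.0  # FinCEN CDD Rule ownership prong
HIGH_RISK_JURISDICTIONS = {"XX"}  # placeholder: source from current FATF/OFAC lists
HIGH_RISK_INDUSTRIES = {"precious metals", "real estate", "art dealing", "cryptocurrency"}
CASH_INTENSIVE_INDUSTRIES = {"casino", "check cashing", "money services business"}


@dataclass
class Person:
    name: str
    equity_pct: float = 0.0
    has_control: bool = False   # significant responsibility to control/manage the entity
    is_pep: bool = False        # PEP, or family member / close associate of one
    residence: str = "US"       # country code (constructed)


@dataclass
class EntityCustomer:
    name: str
    industry: str
    country: str = "US"
    owners: List[Person] = field(default_factory=list)
    jurisdictions_in_structure: int = 1
    adverse_media_financial_crime: bool = False


def identify_beneficial_owners(entity: EntityCustomer) -> List[Person]:
    """Ownership prong (>= 25% equity) plus at least one control-prong person."""
    owners = [p for p in entity.owners if p.equity_pct >= OWNERSHIP_THRESHOLD_PCT]
    control = [p for p in entity.owners if p.has_control]
    # The control prong applies regardless of ownership share: an entity with no
    # control person recorded fails CDD collection instead of quietly passing.
    if not control:
        raise ValueError(f"{entity.name}: no control-prong individual identified")
    named = {p.name for p in owners}
    return owners + [p for p in control if p.name not in named]


def edd_triggers(entity: EntityCustomer) -> Tuple[List[str], List[str]]:
    """Evaluate the checklist: returns (regulatory triggers, risk-based triggers)."""
    bos = identify_beneficial_owners(entity)
    regulatory, risk_based = [], []
    if any(p.is_pep for p in bos):
        regulatory.append("PEP or PEP associate among beneficial owners")
    if entity.country in HIGH_RISK_JURISDICTIONS:
        regulatory.append("customer from FATF/OFAC high-risk jurisdiction")
    elif any(p.residence in HIGH_RISK_JURISDICTIONS for p in bos):
        risk_based.append("beneficial owner in high-risk jurisdiction, entity domestic")
    if entity.adverse_media_financial_crime:
        regulatory.append("adverse media for financial crime")
    if entity.jurisdictions_in_structure > 1:
        risk_based.append("ownership structure spans multiple jurisdictions")
    if entity.industry in CASH_INTENSIVE_INDUSTRIES:
        risk_based.append("cash-intensive business")
    if entity.industry in HIGH_RISK_INDUSTRIES:
        risk_based.append("high-risk industry")
    return regulatory, risk_based


def due_diligence_tier(entity: EntityCustomer) -> str:
    """Escalation: regulatory triggers mandate EDD; risk-based ones call for it at discretion."""
    regulatory, risk_based = edd_triggers(entity)
    if regulatory:
        return "EDD (mandatory)"
    if risk_based:
        return "EDD (risk-based)"
    return "standard CDD"


# Constructed customers mirroring Examples 2 and 3 above.
LANDSCAPING_LLC = EntityCustomer(
    "Marcus Landscaping LLC", "landscaping",
    owners=[Person("Marcus", equity_pct=100, has_control=True)])
CONSULTING_FIRM = EntityCustomer(
    "Consulting Firm", "consulting",
    owners=[Person("Owner A", 40, has_control=True), Person("Owner B", 30, is_pep=True),
            Person("Owner C", 30)])

if __name__ == "__main__":
    for c in (LANDSCAPING_LLC, CONSULTING_FIRM):
        print(c.name, "->", due_diligence_tier(c), edd_triggers(c))
```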

CIP, CDD, and EDD at a Glance

Primary question
  • CIP: Is this person who they claim to be?
  • CDD: What should I expect from this customer?
  • EDD: What additional scrutiny does this high-risk customer require?

When applied
  • CIP: Account opening
  • CDD: All relationships (depth varies)
  • EDD: Higher-risk relationships only

Mandatory?
  • CIP: Yes, for all customers
  • CDD: Yes, for all customers (intensity varies)
  • EDD: Required for specific triggers; discretionary for other elevated risk

Key information
  • CIP: Name, DOB, address, ID number
  • CDD: Beneficial owners, nature/purpose, expected activity
  • EDD: Source of wealth, source of funds, enhanced background

Regulatory source
  • CIP: USA PATRIOT Act Section 326
  • CDD: FinCEN CDD Rule (2016)
  • EDD: Various regulations + institution policy

Recordkeeping
  • CIP: 5 years after account closure
  • CDD: Ongoing during relationship
  • EDD: Enhanced documentation requirements

Risk-based?
  • CIP: Verification depth is risk-based; requirement is universal
  • CDD: Yes, intensity scales with risk
  • EDD: Applied when risk assessment warrants

How CIP, CDD, and EDD Work Together

These three components don't operate in isolation. They form a continuous, interconnected process that spans the entire customer lifecycle.

At Account Opening

The process begins with CIP: verifying the customer's identity before opening the account. Simultaneously, CDD information is gathered to understand the customer's profile and assign an initial risk rating.

If CDD reveals elevated risk factors (the customer is a PEP, operates a cash-intensive business, or has complex ownership structures), EDD is triggered before or shortly after account opening.

During the Relationship

CDD isn't a one-time event. Ongoing monitoring compares actual account activity against the expected patterns established during initial CDD. When activity deviates from expectations, it triggers investigation.

Periodic reviews refresh CDD information and reassess risk ratings. A customer who was low-risk at opening may become higher-risk due to changed circumstances: new business activities, adverse media, or changed geographic exposure.

If periodic review or ongoing monitoring reveals new risk factors, EDD may be triggered even for customers who initially required only standard due diligence.

For Suspicious Activity

When monitoring identifies potentially suspicious activity, the investigation draws on all three components:

  • CIP records confirm the customer's verified identity
  • CDD information provides context for whether the activity is unusual for this customer
  • EDD documentation (if applicable) provides additional background for high-risk customers

If investigation confirms suspicion, a Suspicious Activity Report (SAR) is filed with FinCEN, drawing on information from all three sources.

Common Misconceptions

"CIP and CDD Are the Same Thing"

They're not. CIP is about identity verification, confirming the customer is who they claim. CDD is about understanding the customer: their business, expected activity, and risk profile. A customer can pass CIP (their identity is verified) while failing CDD (their business model presents unacceptable risk).

"We Only Need EDD for PEPs"

PEPs are one EDD trigger, but not the only one. Institutions should apply EDD whenever their risk assessment indicates elevated risk, regardless of whether a specific regulation mandates it. A non-PEP customer with complex ownership, a cash-intensive business, and operations in high-risk countries may require EDD just as much as a foreign official.

"EDD Means We Can't Do Business with the Customer"

EDD is enhanced scrutiny, not automatic rejection. Many high-risk customers are entirely legitimate. They simply require more information to understand and monitor effectively. The purpose of EDD is to obtain enough information to make an informed decision and enable effective monitoring, not to create barriers to account opening.

"Once CDD Is Done, We're Finished"

CDD is ongoing, not one-time. The information gathered at account opening becomes stale. Customers change jobs, start new businesses, move countries, and evolve in ways that affect their risk profile. Periodic CDD refresh is essential for effective ongoing monitoring.

"KYC Covers Everything"

KYC is an umbrella term that encompasses CIP, CDD, and EDD. But using "KYC" loosely can obscure important distinctions. When discussing procedures, policies, or regulatory requirements, precision matters. "We need to complete KYC" could mean initial identity verification, ongoing due diligence refresh, or enhanced scrutiny for a high-risk customer. These are very different activities requiring different procedures.

The Technology Advantage: Streamlining CIP, CDD, and EDD

Traditional approaches to customer verification are labor-intensive, friction-heavy, and often inconsistent. Manual document review introduces human error. Paper-based processes create delays. Siloed systems prevent information from flowing between CIP, CDD, and EDD processes.

Modern identity verification platforms address these challenges:

For CIP

  • Automated document authentication detects fraudulent documents more reliably than human review
  • Database verification confirms information against authoritative sources in real-time
  • Biometric matching prevents impersonation
  • Decentralized identity enables reusable verification, reducing friction for customers who've already verified elsewhere

For CDD

  • Digital beneficial ownership questionnaires standardize data collection
  • Integration with business registries and corporate databases automates verification
  • Risk scoring algorithms ensure consistent risk assessment
  • API-first architectures enable information flow between systems

For EDD

  • Adverse media monitoring continuously scans for new risk indicators
  • PEP database matching identifies politically exposed persons
  • Enhanced data services provide deeper background information
  • Workflow automation ensures EDD procedures are applied consistently

The Zyphe Approach

Zyphe's decentralized identity verification platform integrates CIP, CDD, and EDD workflows into a unified system. Key capabilities include:

  • Multi-source identity verification that strengthens CIP through database cross-referencing and biometric confirmation
  • Beneficial ownership tools that streamline CDD for entity customers
  • Risk-based escalation that automatically triggers EDD procedures when risk factors are identified
  • Ongoing monitoring integration that surfaces new risk indicators requiring CDD refresh or EDD application
  • Decentralized credential storage that reduces data breach exposure while maintaining compliance records

The result: stronger verification with less friction, lower costs, and more consistent compliance.


Building an Integrated Verification Framework

Effective compliance programs don't treat CIP, CDD, and EDD as separate obligations. They integrate them into a coherent framework that spans the customer lifecycle.

Policy Integration

Written policies should clearly articulate:

  • How CIP, CDD, and EDD relate to each other
  • The specific triggers for EDD
  • How information flows between processes
  • How risk ratings are assigned and updated
  • Escalation and approval requirements

Process Integration

Operational workflows should:

  • Collect CIP and initial CDD information simultaneously at account opening
  • Automatically flag EDD triggers based on CDD information
  • Feed monitoring results back into CDD for risk rating updates
  • Standardize EDD procedures while allowing for risk-specific customization

Technology Integration

Systems should:

  • Share customer data across CIP, CDD, and EDD processes
  • Automate risk-based escalation
  • Provide unified audit trails
  • Enable consistent reporting and analysis

Training Integration

Staff training should:

  • Explain the distinctions between CIP, CDD, and EDD
  • Clarify when each applies
  • Ensure consistent application across the organization
  • Address scenario-based decision-making

Conclusion

CIP, CDD, and EDD are not interchangeable. Each serves a distinct purpose in your compliance framework. CIP verifies identity. CDD establishes understanding. EDD provides enhanced scrutiny when risk warrants it.

Understanding these distinctions enables you to build a compliance program that is simultaneously more effective and more efficient: applying the right level of scrutiny to each customer rather than treating all customers identically regardless of risk.

The institutions that excel in this area share common characteristics: they have clear policies that articulate how these three components work together, they invest in technology that streamlines information collection and risk assessment, and they train their staff to understand not just the procedures but the purposes behind them.

As identity verification technology continues to advance, the opportunity to strengthen compliance while improving customer experience only grows. Decentralized identity, automated risk assessment, and integrated workflows enable verification that is faster, more accurate, and more secure than traditional approaches.

The question isn't whether to modernize your approach to CIP, CDD, and EDD. It's how quickly you can do so while maintaining regulatory compliance.

Ready to integrate your customer verification processes? Book a demo with Zyphe to see how our platform unifies CIP, CDD, and EDD into a seamless, compliant workflow.
