Customer Due Diligence (CDD)
What Is Customer Due Diligence (CDD)?
Customer Due Diligence is the process financial institutions use to figure out who their customers actually are, what they're doing, and whether they pose a money laundering or terrorist financing risk. It's not optional. FinCEN formalized CDD requirements in 2018, and every bank, credit union, broker-dealer, and mutual fund has to follow them.
CDD goes beyond basic identity verification. When you open a bank account, the bank doesn't just check your driver's license. They're also trying to understand why you need the account, what kind of transactions you'll conduct, and whether your actual behavior matches what you told them to expect. That's CDD.
The practical reality is this: if you're a compliance officer at a financial institution, CDD is your job. You're identifying customers, verifying their information, figuring out who really owns and controls business accounts, understanding the purpose of relationships, and monitoring activity for anything suspicious. Miss any of these pieces, and you've got a compliance problem.
Why does this matter? Because criminals and terrorists need access to the financial system to move money. CDD is how financial institutions catch them. It's also how institutions protect themselves from regulatory penalties that can run into the hundreds of millions of dollars.
The Three Levels of Customer Due Diligence
Not every customer needs the same level of scrutiny. A government agency opening an operating account isn't the same risk as a shell company from a high-risk jurisdiction. CDD recognizes this by establishing three tiers.
Simplified Due Diligence (SDD)
This is the lightest touch. You apply SDD to customers who present minimal risk of money laundering or terrorist financing. Think publicly traded companies that already file extensive disclosures with the SEC, government entities, and regulated financial institutions in well-supervised jurisdictions.
With SDD, you still verify identity, but you can use streamlined procedures. Less documentation, less frequent monitoring, more reliance on publicly available information. The logic is straightforward: a publicly traded company isn't hiding its ownership structure. The SEC already knows who they are.
But there's a catch. You can't apply SDD if anything about the relationship raises suspicion. And you need to document why SDD is appropriate and review that decision periodically. SDD isn't a free pass to ignore the customer.
Standard Customer Due Diligence (CDD)
This is the baseline for most customers. Standard CDD includes collecting and verifying identifying information, understanding the purpose of the account, assessing risk, and conducting ongoing monitoring appropriate to that risk level.
For individuals, that means name, date of birth, address, and identification number, verified through documents or databases. For businesses, add beneficial ownership identification, entity documentation, and understanding of the business purpose.
Most customers fall into standard CDD. They're not obviously low-risk enough for SDD, and they don't present the elevated risk factors that trigger enhanced due diligence.
Enhanced Due Diligence (EDD)
When a customer presents elevated risk, you need to dig deeper. EDD applies to politically exposed persons and their associates, customers from high-risk jurisdictions (check the FATF gray and black lists), complex ownership structures, cash-intensive businesses, correspondent banking relationships, and private banking clients.
EDD means more verification, not just checking the box. You're verifying source of funds and source of wealth. Where did this money come from? How did this person accumulate their assets? You're getting senior management sign-off before establishing the relationship. You're monitoring more frequently and more intensively. You're documenting everything.
EDD relationships require a conscious decision to accept the risk. Some institutions look at a potential EDD customer and decide the compliance burden isn't worth it. That's a valid business decision.
Choosing the Right Level
The key is documentation. Whatever level you apply, document why. If an examiner asks why Customer X got SDD treatment while Customer Y got EDD, you need an answer grounded in your risk assessment.
CDD vs. KYC: Understanding the Relationship
People use these terms interchangeably, but they're not the same thing. Understanding the distinction helps you structure your compliance program correctly.
KYC is the umbrella. Know Your Customer encompasses everything you do to understand who your customers are and what they're doing. It includes your Customer Identification Program (CIP) for verifying identity at onboarding, Customer Due Diligence (CDD) for understanding relationships and assessing risk, Enhanced Due Diligence (EDD) for high-risk customers, and ongoing monitoring throughout the relationship.
CDD is one component within KYC. It's the set of procedures you use to understand who customers are, what they want to do, and how risky they are. CDD includes identifying beneficial owners, understanding the purpose of accounts, and conducting ongoing monitoring.
Here's a practical way to think about it. CIP answers the question: "Is this person who they claim to be?" CDD answers the question: "What is this customer going to do, and does it make sense?" Together, they form KYC: "Do we really know this customer?"
The regulatory language can make this confusing because FinCEN's "CDD Rule" actually covers multiple KYC components, including beneficial ownership requirements that some might consider part of CIP. Don't get hung up on taxonomy. What matters is that your program covers all the required elements.
The FinCEN CDD Rule Explained
The Customer Due Diligence Requirements for Financial Institutions rule came out in 2016 and took effect on May 11, 2018. It was the most significant update to U.S. AML requirements since the PATRIOT Act, and it formalized requirements that regulators had been expecting for years.
Who's Covered
Banks, credit unions, savings associations, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. If you're one of these, the CDD Rule applies to you directly.
The Four Requirements
The Beneficial Ownership Certification
The CDD Rule introduced a requirement to collect beneficial ownership information using a certification form. FinCEN published a standard form, but you can use your own version as long as it captures the same information.
Customers certify who owns 25% or more of the entity and who has significant managerial control. You verify that information the same way you verify individual customer identity. And you keep it on file.
Some entities are exempt from beneficial ownership requirements: publicly traded companies, regulated financial institutions, government entities, and a few other categories. But most business customers need to provide this certification.
What Is a CDD Check?
A CDD check is the process of verifying customer information and assessing risk. It's not one thing. It's several things that happen together.
When CDD Checks Happen
CDD isn't a one-time event. It happens at account opening, of course. But it also happens when something changes. A significant shift in customer activity. Negative news about the customer. A request for new products or services. A change in beneficial ownership.
Periodic reviews happen on a schedule based on risk. High-risk customers get reviewed annually or more frequently. Medium-risk customers every two to three years. Low-risk customers every three to five years. The schedule is risk-based, and you need to document your rationale.
CDD Requirements for Financial Institutions
Different types of institutions have different regulatory frameworks, but CDD requirements apply across the board.
Banks and Credit Unions
Banks face the most mature and well-developed CDD requirements. They're examined by the OCC, FDIC, Federal Reserve, or NCUA depending on their charter. CDD is evaluated as part of the regular BSA/AML examination, and examiners know exactly what to look for.
The expectations are detailed: written CDD policies and procedures, risk-based customer due diligence programs, beneficial ownership identification and verification, ongoing monitoring, board approval of CDD policies, and independent testing. Banks that fall short face enforcement actions.
Broker-Dealers
The SEC and FINRA regulate broker-dealers, and CDD requirements layer on top of securities-specific rules. FINRA Rule 2090 is the "know your customer" rule, and it requires broker-dealers to use reasonable diligence to know the essential facts about every customer.
In practice, broker-dealers often collect more information than banks because they need customer profiles for suitability determinations as well as AML purposes.
Mutual Funds
Mutual funds have CDD requirements when selling directly to investors. But most fund shares are sold through intermediaries, and in those cases, the fund can rely on the intermediary's CDD if there's a proper agreement in place.
Insurance Companies
Certain insurance products trigger CDD requirements, particularly products with cash value or investment components. Life insurance and annuities are covered. Term life and property/casualty generally aren't. State insurance regulators enforce these requirements.
Money Services Businesses
MSBs have CDD requirements as part of their AML program obligations. State licensing often adds additional requirements. Crypto exchanges operating as MSBs have the same obligations, even though implementation looks different when everything happens online.
Beneficial Ownership Requirements
The beneficial ownership requirement was the headline change in the CDD Rule, and it's where many institutions struggle most.
Who Qualifies as a Beneficial Owner
There are two prongs. The ownership prong captures each individual who directly or indirectly owns 25% or more of the legal entity's equity. If someone owns 30% of the company, you need their information. If four people each own 20%, none of them individually triggers the ownership prong.
The control prong captures a single individual with significant responsibility to control, manage, or direct the entity. This is typically the CEO, CFO, COO, managing member, general partner, president, or equivalent. You need at least one control person even if no one meets the 25% ownership threshold.
What Information You Need
For each beneficial owner, collect the same information you'd collect for an individual customer: full legal name, date of birth, residential address, and Social Security Number or equivalent. Then verify that information the same way you'd verify an individual's identity.
Which Entities Are Exempt
Not every business account triggers beneficial ownership requirements. Publicly traded companies are exempt because they already disclose ownership through SEC filings. Regulated financial institutions are exempt. Government entities are exempt. Certain non-profits, pooled investment vehicles, and other specific entity types are also carved out.
For most business customers, though, you need beneficial ownership information.
Verification Challenges
Complex ownership structures make this difficult. A company owned by another company owned by a trust with multiple beneficiaries requires real detective work. Foreign ownership adds another layer of complexity because foreign documents may be unfamiliar and foreign databases may not exist.
Have clear procedures for handling complexity. Require organizational charts for multi-layered structures. Use commercial beneficial ownership databases. And know when to decline a relationship because you can't get comfortable with the ownership structure.
CDD for Business Accounts
Business accounts present unique CDD challenges. Individual customers are relatively straightforward compared to the variety of legal structures businesses use.
Different Entity Types
Corporations have shareholders, officers, and directors. You need to identify who owns 25% or more of the shares and who exercises control as an officer or director. Review incorporation documents and verify them against state records.
LLCs can be member-managed or manager-managed. You need to understand the structure to know who has control. Review the operating agreement. Identify members with 25% or more ownership.
Partnerships have general partners and limited partners. General partners typically have control. Identify partners with 25% or more interest.
Sole proprietorships are treated more like individual accounts since there's only one owner.
Complex Structures
Some business structures exist specifically to obscure ownership. Shell companies, multi-layer holding companies, foreign entities, trusts with complex beneficiary arrangements. These aren't automatically disqualifying, but they do require enhanced scrutiny.
Ask for organizational charts. Trace ownership through multiple layers. Apply the 25% threshold at each level. If a holding company owns your customer, who owns the holding company? Keep going until you reach humans.
For trusts, identify the trustees who have control. Consider beneficiaries in certain circumstances. Review trust documents to understand the arrangement.
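The two-prong test described under "Who Qualifies as a Beneficial Owner" and the layer-by-layer tracing described just above can be written down as a small procedure. The following is an added example, not code from the original article or from any FinCEN publication: it walks a constructed ownership graph down to natural persons, multiplies the shares along each chain (the way FinCEN's 2016 CDD FAQs compute indirect ownership, e.g. 50% of an entity that owns 50% of the customer is a 25% indirect interest), sums the chains that end at the same person, and applies the 25% threshold. The entity names, percentages, the control-person designation, and the decision to treat a trustee as the trust's owner are all assumptions made for the illustration.

```python
"""
Beneficial-ownership tracing for a layered entity structure.

Added example; not code from the original page. The ownership graph, the
names and the percentages below are constructed for illustration. Effective
indirect ownership is computed by multiplying shares along each chain and
summing chains that end at the same natural person (assumption: this mirrors
FinCEN's CDD FAQ worked examples).
"""
from collections import defaultdict

# Constructed sample structure: entity -> {direct owner: fraction of equity}.
# Names that never appear as a key are natural persons (the "humans" the
# article says to keep going until you reach).
OWNERS = {
    "CustomerCo LLC": {"Holdings A": 0.60, "Holdings B": 0.30, "Dana": 0.10},
    "Holdings A": {"Alice": 0.50, "Bob": 0.50},
    "Holdings B": {"Alice": 0.20, "Family Trust": 0.80},
    # Assumption for this example: the trustee is treated as the trust's owner.
    "Family Trust": {"Carol": 1.00},
}

# Constructed control-prong designation (e.g. the CEO) for the customer entity.
CONTROL_PERSON = {"CustomerCo LLC": "Eve"}

THRESHOLD = 0.25  # the 25% ownership prong from the CDD Rule


def is_natural_person(name, owners=OWNERS):
    """A node with no recorded owners is a natural person (leaf of the graph)."""
    return name not in owners


def effective_ownership(entity, owners=OWNERS, max_depth=10):
    """Return {person: effective fraction} of indirect ownership in `entity`.

    Walks every ownership chain, multiplying shares along the way, and sums
    the fractions that reach the same person through different chains.
    Raises on circular ownership or implausibly deep structures so that a
    malformed customer-supplied chart cannot loop the review forever.
    """
    totals = defaultdict(float)

    def walk(node, fraction, depth, path):
        if depth > max_depth:
            raise ValueError(f"ownership chain too deep at {node}")
        if node in path:
            raise ValueError(f"circular ownership via {node}")
        if is_natural_person(node, owners):
            totals[node] += fraction
            return
        for owner, share in owners[node].items():
            walk(owner, fraction * share, depth + 1, path | {node})

    walk(entity, 1.0, 0, frozenset())
    return dict(totals)


def beneficial_owners(entity, owners=OWNERS, control=CONTROL_PERSON,
                      threshold=THRESHOLD):
    """Apply both prongs: 25%+ effective owners, plus exactly one control person."""
    eff = effective_ownership(entity, owners)
    ownership_prong = sorted(p for p, f in eff.items() if f + 1e-9 >= threshold)
    control_prong = control.get(entity)
    if control_prong is None:
        # The control prong always yields at least one person, even when
        # nobody crosses the 25% ownership threshold.
        raise ValueError("control prong requires at least one control person")
    return {"ownership": ownership_prong,
            "control": control_prong,
            "effective": eff}


if __name__ == "__main__":
    result = beneficial_owners("CustomerCo LLC")
    for person, share in sorted(result["effective"].items()):
        print(f"{person:6} {share:6.1%}")
    print("ownership prong:", result["ownership"])
    print("control prong:  ", result["control"])
```

In the constructed structure Alice reaches 36% through two chains (30% via Holdings A plus 6% via Holdings B) and Bob 30%, so both fall under the ownership prong; Carol controls 100% of a trust that holds 80% of a 30% shareholder, which multiplies out to 24% and does not, which is why the arithmetic has to be carried through rather than eyeballed one layer at a time. Eve is captured by the control prong regardless.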
Business Risk Factors
Some business types are inherently higher risk. Cash-intensive businesses like restaurants, car washes, and convenience stores can easily commingle illicit funds with legitimate revenue. Money services businesses move value rapidly across borders. Crypto businesses operate in a rapidly evolving regulatory environment. Third-party payment processors can mask the true parties to transactions.
Geographic factors matter too. Businesses operating in high-risk jurisdictions or conducting cross-border transactions warrant enhanced scrutiny.
Ongoing CDD and Customer Monitoring
CDD at account opening is necessary but not sufficient. Customer circumstances change. Someone who looked low-risk at onboarding might look very different two years later.
Transaction Monitoring
You need systems that watch account activity and flag anomalies. The specifics depend on your institution and customer base, but generally you're watching for transactions that don't fit the customer's profile, unusual patterns like rapid movement of funds through accounts, activity with high-risk jurisdictions, and signs of structuring to avoid reporting thresholds.
Most institutions use automated transaction monitoring systems that generate alerts for human review. The system catches the volume. Humans investigate the alerts and decide whether activity is suspicious.
Periodic Reviews
Beyond transaction monitoring, conduct periodic reviews of customer files. High-risk customers get reviewed annually or more often. Medium-risk every two to three years. Low-risk every three to five years.
During periodic review, verify that customer information is still accurate. Review transaction history. Reassess whether the risk rating is still appropriate. Check for new adverse information. Update beneficial ownership if it's changed.
Triggered Reviews
Some events trigger immediate review regardless of the periodic schedule. Significant changes in transaction patterns. Adverse news about the customer. Requests for new products or services that don't fit the existing profile. Any time something doesn't feel right.
Keeping Information Current
Customers don't always tell you when things change. Someone moves and doesn't update their address. A business changes ownership and doesn't notify you. Part of ongoing CDD is maintaining accurate information even when customers aren't proactive about updates.
Detect changes through transaction monitoring when possible. Reach out to customers when information seems stale. Make it easy for customers to update their information through self-service channels.
CDD Compliance Challenges
CDD isn't always straightforward. Here's where institutions typically struggle.
Data Quality
CDD depends on accurate, current information, but customer data goes stale. People move, change names, update contact information. Businesses change ownership, merge, dissolve. External data sources have gaps and inconsistencies.
The fix is ongoing attention to data quality. Regular remediation projects. Multiple data sources for verification. Customer communication processes that make updates easy.
Beneficial Ownership Complexity
This is the single biggest challenge for most institutions. Complex corporate structures make identifying owners difficult. Customers push back on providing information ("Why do you need to know who owns my company?"). Foreign ownership adds verification challenges.
Have clear questionnaires that walk customers through the requirements. Use commercial data providers that specialize in beneficial ownership research. Establish escalation procedures for difficult cases. And be willing to decline relationships when you can't get adequate information.
Balancing Compliance and Customer Experience
Customers want quick, easy onboarding. Compliance wants thorough verification. These goals can conflict, especially in digital channels where competitors are touting instant account opening.
The answer is risk-based procedures and technology. Low-risk customers get a streamlined experience. Higher-risk customers get more scrutiny. Use automation to speed verification. Be clear with customers about why you're asking questions so they understand it's regulatory, not arbitrary.
Keeping Up with Regulatory Change
CDD requirements evolve. New guidance, new examination expectations, enforcement trends that signal changing priorities. What was acceptable three years ago might not be acceptable today.
Monitor regulatory developments actively. Participate in industry groups. Engage with regulators when you can. Assess your program regularly against current expectations, not just what was required when you built it.
Resource Constraints
Effective CDD takes people, technology, and money. Smaller institutions especially struggle to invest adequately while keeping up with larger competitors.
Prioritize based on risk. Focus enhanced procedures on truly high-risk relationships. Consider outsourcing specific functions. Use technology to create efficiency. And accept that some manual processing will always be necessary.
CDD Best Practices for 2026
Here's what leading institutions are doing to stay ahead.
Smarter Technology
The best CDD programs use technology that goes beyond simple rule-based systems. Machine learning models identify risk patterns that humans miss. Automated document verification catches sophisticated fakes. Continuous monitoring updates risk assessments in real time based on behavior, not just static information.
The goal isn't to replace human judgment. It's to focus human attention where it matters most.
Dynamic Risk Assessment
Traditional CDD assigns a risk rating at onboarding and reviews it periodically. Better programs update risk continuously based on customer behavior. When transaction patterns shift, the risk rating adjusts automatically. Analysts see changes in context rather than reviewing static profiles.
Customer Experience Focus
Compliance doesn't have to mean friction. Design CDD processes with customer experience in mind. Collect information once and use it throughout the relationship. Offer digital channels that make verification convenient. Explain why you're asking for information. Make it easy to update information when circumstances change.
Strong Governance
CDD works best when there's clear accountability. Define who's responsible for what. Report meaningful metrics to management. Test controls regularly and act on findings. Foster a culture where compliance is everyone's job, not just the compliance department's.