What is CDD (Customer Due Diligence)?
Customer Due Diligence (CDD) is the process financial institutions and regulated entities use to collect data about customers which helps them prevent financial crime. CDD forms a core component of KYC (Know Your Customer) and AML (Anti-Money Laundering) programmes. Effective CDD prevents money laundering, terrorist financing, fraud, and sanctions violations — all of which incur severe regulatory penalties and negative impacts on your business.
Why CDD matters for financial institutions
For banks and other regulated entities, customer due diligence is both a business imperative and a regulatory must, enabling institutions to understand who their customers are, what activities they conduct, and whether those activities pose financial crime risks.
Under AML and CFT (Combating the Financing of Terrorism) frameworks including FATF Recommendations, AMLD6, and FinCEN regulations, customer due diligence is legally mandated. Failure to comply with these regulations can incur severe financial penalties.
Beyond compliance, CDD protects institutions from reputational and financial harm by ensuring they don't inadvertently facilitate financial crime. It also enables a risk-based approach, where institutions allocate compliance resources proportionally to actual risk — focusing enhanced scrutiny on high-risk relationships whilst streamlining processes for low-risk customers.
Understanding the three levels of due diligence
Financial institutions apply different levels of scrutiny based on customer risk profiles, regulatory requirements, and transaction characteristics.
Simplified Due Diligence (SDD)
Simplified Due Diligence applies to lower-risk customers and scenarios where regulations permit reduced requirements. This might include low-value transactions, regulated financial institutions, or companies listed on recognised stock exchanges subject to disclosure requirements. SDD typically involves basic identity verification without the extensive documentation and ongoing monitoring required for standard customers.
Standard CDD (Customer Due Diligence)
Standard CDD represents the baseline level applied to most customers presenting normal risk profiles. This includes verifying customer identity through reliable sources (such as a passport), understanding the business relationship, and conducting ongoing monitoring for unusual activity. Most retail banking customers undergo standard CDD at onboarding, with periodic reviews throughout the customer lifecycle.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) applies to high-risk customers requiring additional scrutiny beyond standard measures. For example, PEPs (Politically Exposed Persons) trigger EDD requirements, as do customers from high-risk jurisdictions and businesses operating in cash-intensive industries. EDD involves additional verification steps including source of funds analysis, source of wealth documentation, adverse media screening, and senior management approval for establishing or continuing relationships.
Key components of CDD
Customer due diligence combines several interconnected components that work together throughout the customer lifecycle.
Customer identification and verification collects identifying information from customers — including their full name, date of birth, residential address, and nationality — then verifies this information. Today, this is typically done digitally using methods such as document scanning and liveness checks. For legal entities, beneficial ownership identification is used to prevent criminals from hiding behind complex corporate structures.
Comprehensive screenings then check customers against multiple databases to identify prohibited relationships or elevated risks. The main screenings conducted as part of CDD include sanctions screening, PEP screening, and adverse media screening.
Finally, risk assessment synthesises information gathered through the previous steps to evaluate each customer's potential involvement in financial crime. Transaction patterns, volumes, relationship complexity, geographic location, and business model all feed into a risk rating, which determines the level and frequency of ongoing monitoring applied to the customer.
How CDD works in practice
The CDD process begins during customer onboarding. Automated verification systems authenticate documents, checking security features and comparing photos against live selfies through biometric matching. Simultaneously, screening tools scan sanctions lists, PEP databases, and adverse media sources for potential matches.
The system assigns a preliminary risk rating based on collected information, geographic factors, and intended account usage. Compliance teams review flagged cases, distinguishing true matches from false positives. The institution then decides whether to onboard the customer, request additional information, or decline the relationship based on risk tolerance and regulatory obligations.
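The screening step described above produces candidate matches that an analyst must then disposition. The following is an added example (not Fourthline's product code) of how a screening engine can reduce false positives before a case reaches review: names are normalised (accents stripped, token order ignored), compared with a similarity score, and hits are auto-cleared only when the list entry's recorded birth year and nationality both contradict the applicant's. The watchlist entries, the 0.85 similarity threshold, the two-year birth-year tolerance and the auto-clear rule are all constructed assumptions for illustration.

```python
"""Illustrative sanctions/PEP name screening with false-positive reduction.

Added example; not Fourthline's product code. Watchlist entries, thresholds
and the clearing rule are constructed assumptions.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional


@dataclass(frozen=True)
class WatchlistEntry:
    list_name: str               # e.g. "SANCTIONS" or "PEP"
    name: str
    birth_year: Optional[int]    # None when the list does not record it
    nationality: Optional[str]   # ISO-style code or None


@dataclass(frozen=True)
class Applicant:
    name: str
    birth_year: int
    nationality: str


@dataclass(frozen=True)
class ScreeningHit:
    entry: WatchlistEntry
    name_score: float
    disposition: str   # "POTENTIAL_MATCH" (analyst review) or "AUTO_CLEARED"


NAME_THRESHOLD = 0.85        # assumption: minimum name similarity to raise a hit
BIRTH_YEAR_TOLERANCE = 2     # assumption: years of slack for transcription errors


def normalise(name: str) -> str:
    """Strip accents, lower-case, drop commas and sort tokens so that
    'Doe, John' and 'John Doe' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_name = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = ascii_name.lower().replace(",", " ").split()
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen(applicant: Applicant, watchlist: list[WatchlistEntry]) -> list[ScreeningHit]:
    """Return every watchlist entry whose name is close enough to the applicant's,
    with a disposition derived from secondary identifiers."""
    hits: list[ScreeningHit] = []
    for entry in watchlist:
        score = name_similarity(applicant.name, entry.name)
        if score < NAME_THRESHOLD:
            continue
        # Secondary identifiers: only a definite mismatch on BOTH recorded
        # attributes clears the hit automatically; anything else goes to an analyst.
        year_mismatch = (entry.birth_year is not None
                         and abs(entry.birth_year - applicant.birth_year) > BIRTH_YEAR_TOLERANCE)
        nat_mismatch = (entry.nationality is not None
                        and entry.nationality != applicant.nationality)
        disposition = "AUTO_CLEARED" if (year_mismatch and nat_mismatch) else "POTENTIAL_MATCH"
        hits.append(ScreeningHit(entry, round(score, 3), disposition))
    return hits


# Constructed sample data (placeholder country code "ZZ").
SAMPLE_WATCHLIST = [
    WatchlistEntry("SANCTIONS", "Jon Doe", 1970, "ZZ"),
    WatchlistEntry("PEP", "Doe, John", 1985, "NL"),
    WatchlistEntry("SANCTIONS", "Jane Roe", None, None),
]
SAMPLE_APPLICANT = Applicant("John Doe", 1985, "NL")

if __name__ == "__main__":
    for hit in screen(SAMPLE_APPLICANT, SAMPLE_WATCHLIST):
        print(hit.entry.list_name, hit.entry.name, hit.name_score, hit.disposition)
```

With the sample data, the sanctions entry "Jon Doe" scores high on name alone but is auto-cleared because both its birth year and nationality contradict the applicant's, whereas the PEP entry "Doe, John" is a potential match and is routed to an analyst; "Jane Roe" never reaches the threshold. The auto-clear rule is deliberately conservative (both attributes must disagree) because a missing attribute on the list entry provides no evidence either way.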
But CDD doesn’t stop at onboarding — it continues throughout the customer relationship. Transaction monitoring systems flag unusual patterns inconsistent with the customer's known profile, such as large cash deposits by a customer whose business should generate electronic payments, or international wire transfers to high-risk jurisdictions by a customer with no stated foreign business connections. In general, the review cadence depends on the customer’s risk profile, with significant events triggering assessment outside of scheduled reviews.
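The risk rating described under "Key components of CDD" and the ongoing monitoring described in the paragraph above can be illustrated with a small rule set. The following is an added example (not Fourthline's product code): it maps the EDD triggers named on this page (PEP status, high-risk jurisdiction, cash-intensive industry) to a risk tier, derives a scheduled review interval from that tier, and flags the two patterns the text uses as examples (large cash deposits against an electronic-payments profile, and international wires to high-risk jurisdictions by a customer with no stated foreign business). The jurisdiction codes, the cash threshold and the review intervals are constructed assumptions.

```python
"""Illustrative CDD risk tiering and transaction-monitoring rules.

Added example; not Fourthline's product code. Thresholds, country codes and
review intervals are constructed assumptions for demonstration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: placeholder high-risk jurisdiction codes. A real programme loads
# this from the institution's approved country-risk list.
HIGH_RISK_JURISDICTIONS = {"ZZ", "YY"}

# Assumption: cash amount at or above which a deposit counts as "large".
LARGE_CASH_THRESHOLD = 10_000.0

# Assumption: scheduled review interval per risk tier, in months.
REVIEW_INTERVAL_MONTHS = {"low": 36, "standard": 12, "high": 6}


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    country: str                  # residence / incorporation country code
    is_pep: bool
    cash_intensive: bool          # business in a cash-intensive industry
    foreign_business: bool        # customer has stated foreign business ties
    expected_channel: str         # "electronic" or "cash"
    regulated_institution: bool = False   # SDD candidate when no trigger applies


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    customer_id: str
    kind: str                     # "cash_deposit", "intl_wire", "domestic_transfer"
    amount: float
    destination_country: Optional[str] = None


@dataclass(frozen=True)
class Alert:
    tx_id: str
    rule: str
    detail: str


def risk_tier(p: CustomerProfile) -> str:
    """EDD triggers named on the page force 'high'; SDD ('low') only when none applies."""
    if p.is_pep or p.country in HIGH_RISK_JURISDICTIONS or p.cash_intensive:
        return "high"
    if p.regulated_institution:
        return "low"
    return "standard"


def review_interval_months(p: CustomerProfile) -> int:
    """Scheduled review cadence follows the risk tier."""
    return REVIEW_INTERVAL_MONTHS[risk_tier(p)]


def monitor(p: CustomerProfile, txs: list[Transaction]) -> list[Alert]:
    """Flag transactions inconsistent with the customer's known profile."""
    alerts: list[Alert] = []
    for t in txs:
        if t.customer_id != p.customer_id:
            continue   # a profile is only compared against its own transactions
        if (t.kind == "cash_deposit" and t.amount >= LARGE_CASH_THRESHOLD
                and p.expected_channel == "electronic"):
            alerts.append(Alert(t.tx_id, "CASH_VS_PROFILE",
                                f"large cash deposit {t.amount:.2f} against an electronic-payments profile"))
        if (t.kind == "intl_wire" and t.destination_country in HIGH_RISK_JURISDICTIONS
                and not p.foreign_business):
            alerts.append(Alert(t.tx_id, "HIGH_RISK_WIRE",
                                f"wire to {t.destination_country} with no stated foreign business"))
    return alerts


def needs_event_review(alerts: list[Alert]) -> bool:
    """Any alert triggers an assessment outside the scheduled review cycle."""
    return len(alerts) > 0


# Constructed sample data.
SAMPLE_PROFILE = CustomerProfile("C-1001", "NL", is_pep=False, cash_intensive=False,
                                 foreign_business=False, expected_channel="electronic")
SAMPLE_TXS = [
    Transaction("T1", "C-1001", "domestic_transfer", 2_500.0),
    Transaction("T2", "C-1001", "cash_deposit", 12_000.0),
    Transaction("T3", "C-1001", "intl_wire", 4_000.0, destination_country="ZZ"),
    Transaction("T4", "C-1001", "intl_wire", 4_000.0, destination_country="DE"),
    Transaction("T5", "C-9999", "cash_deposit", 50_000.0),   # other customer; ignored
]

if __name__ == "__main__":
    print("tier:", risk_tier(SAMPLE_PROFILE),
          "| scheduled review every", review_interval_months(SAMPLE_PROFILE), "months")
    found = monitor(SAMPLE_PROFILE, SAMPLE_TXS)
    for a in found:
        print(a.tx_id, a.rule, a.detail)
    print("event-driven review required:", needs_event_review(found))
```

The point of the example is that the same transaction is or is not suspicious depending on the profile: the high-risk-jurisdiction wire on T3 is flagged only because the customer has no stated foreign business, and the cash deposit on T2 only because the profile expects electronic payments. Each alert carries the rule name and a human-readable reason so that the analyst's decision and its basis can be recorded for the audit trail.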
Documentation and audit trail requirements underpin the entire CDD process. Institutions must maintain comprehensive records of all identification documents, verification steps, screening results, risk assessments, and decisions for regulatory review.
CDD requirements across jurisdictions
Customer due diligence requirements converge globally around similar principles, though specific implementation varies by jurisdiction.
FATF Recommendations, particularly Recommendation 10, establish the international standard for CDD that most jurisdictions incorporate into national law. This requires (among other things) customer identification and verification, identifying beneficial ownership structures, and conducting ongoing due diligence throughout the customer relationship.
EU frameworks including AMLD6 implement FATF standards across member states, with MiCA introducing specific CDD requirements for crypto-asset service providers. The UK's Money Laundering Regulations 2017 (as amended) maintain alignment with EU standards post-Brexit whilst introducing some jurisdiction-specific requirements.
US regulations under the Bank Secrecy Act and FinCEN's CDD Rule require covered financial institutions to identify and verify customer identity, identify and verify beneficial owners of legal entity customers, understand the nature and purpose of customer relationships, and conduct ongoing monitoring for suspicious transactions.
Despite variations, core CDD obligations remain consistent: verify who your customers are, understand what they do, assess the risks they present, and monitor relationships for suspicious activity. This convergence simplifies compliance for multinational institutions operating across multiple regulatory regimes.
CDD with Fourthline
Fourthline provides comprehensive customer due diligence solutions that combine automated efficiency with regulatory compliance. Our platform performs digital identity verification, document authentication, and biometric matching to streamline customer onboarding and maintain security.
Fourthline's integrated risk assessment and ongoing transaction monitoring capabilities ensure continuous compliance throughout customer relationships. All verification results, screening decisions, and risk assessments flow into comprehensive CDD reports providing complete audit trail documentation for regulatory examinations.
Discover how Fourthline streamlines CDD whilst maintaining the highest compliance standards. Learn more about Fourthline's AML screening and monitoring solutions.
FAQs
What's the difference between CDD and KYC?
KYC (Know Your Customer) is the broader umbrella term encompassing all processes institutions use to verify customer identities and understand their activities. Customer Due Diligence (CDD) is a specific, critical component of KYC focused on verifying identity, assessing risk, and conducting ongoing monitoring. Understanding this distinction matters for compliance teams structuring their programmes, though the practical overlap means both terms describe largely the same activities.
When is Enhanced Due Diligence (EDD) required?
Enhanced Due Diligence (EDD) becomes mandatory for high-risk scenarios where standard CDD measures prove insufficient. PEPs (Politically Exposed Persons) automatically trigger EDD, as do customers from high-risk jurisdictions or complex corporate structures obscuring ultimate beneficial ownership. Furthermore, unusual transaction patterns inconsistent with known customer profiles, cash-intensive businesses prone to money laundering, and correspondent banking relationships all warrant EDD.
Can CDD be fully automated?
Modern technology automates much of the CDD process, including document verification, database screening, biometric matching, and preliminary risk assessment. However, human review remains essential for complex cases, resolving false positives from screening alerts, assessing unusual transaction patterns in context, and making high-risk decisions like whether to onboard PEPs or exit relationships with adverse information. What’s more, regulators expect human oversight for significant risk decisions.
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.