Customer Due Diligence (CDD) Process Defined

Customer due diligence (CDD) is a set of requirements and processes that financial institutions are required to use to establish customer identities. 

CDD is part of the Bank Secrecy Act and falls under the Know Your Customer (KYC) and anti-money laundering (AML) regulations required by FinCEN (Financial Crimes Enforcement Network). With customer due diligence, financial institutions are required to gather enough information about a potential customer or entity to verify that they are not engaged in criminal activity — such as money laundering, fraud, or terrorist financing — before entering into a business relationship with them.

Customer due diligence requires that banks and financial institutions understand and mitigate potential risks they will undertake by doing business with particular individuals or organizations. CDD requires information to be collected from a variety of sources, and it is a major component of KYC regulations. 

Customers who are deemed high-risk are subject to enhanced due diligence (EDD), which is a more in-depth scrutiny of the organization or individual to better understand the risks. CDD and EDD are important business activities that are required to maintain regulatory compliance.

What is customer due diligence (CDD)?

Customer due diligence is part of the Know Your Customer (KYC) regulations. It requires that banks and financial institutions collect information about their customers and verify their customers’ identities to assess the level of risk of doing business with them. 

This is to prevent financial institutions from entering into a potentially criminal business relationship. CDD aims to mitigate potential fraud and financial crime risks.

With customer due diligence, financial institutions will collect information on customers from a variety of sources, including these:

  • Basic identity information provided by the customer directly, such as name and address
  • Public data sources, which can include company listings
  • Private data sources from third parties
  • Sanctions lists, which are published by most governments

With CDD, financial institutions will verify the identity of the customer, collect information about the type of business they are involved in, and determine how they plan to use their account. Under customer due diligence, financial institutions are then required to prove that the information is accurate by checking documents like these:

  • Driver’s license
  • Passport
  • Utility bills
  • Business licenses
  • Incorporation documents

CDD, as part of KYC, requires that financial institutions know who their customers are, understand their financial behavior, and be aware of what kind of risk for terrorist financing or money laundering they present.

Elements of Customer Due Diligence

With CDD, organizations collect information on who the customer is, the people they do business with, the nature of their business, and their level of assessed risk. Typically, organizations are required to maintain CDD records and information gathered for at least five years. 

KYC/AML and CDD measures are to be conducted for new customers during the customer onboarding experience, and they should also include continual monitoring. The level of monitoring will depend on the amount of determined risk. High-risk customers, for example, will need closer monitoring.

The CDD process will go through the following steps:

  1. Customer identity information is collected and verified during the customer onboarding process for new customers.
  2. After verifying the customer’s identity, a risk assessment profile is created to determine the level of risk involved in doing business with the customer. This data needs to be securely stored so it can be easily accessed for regulator checks.
  3. Customers who fall into the high-risk category will require enhanced due diligence (EDD), which involves more intensive CDD measures.
  4. Ongoing monitoring of a customer and their financial transactions is required to track any potentially suspicious activity and report it.

The importance of CDD

Customer due diligence helps to assess the level of risk a potential or current customer poses. It aims to minimize fraud and financial crime. 

Fraud costs businesses and individuals more than $5 trillion globally each year. Regulations such as KYC and AML are designed to help prevent financial crime and fraud. As part of these regulations, CDD helps financial institutions to ensure that they are not financing terrorism or aiding other criminal activities such as money laundering.

Customer due diligence helps financial institutions to remain compliant with industry regulations, including KYC and AML. It also ensures that customers really are who they say they are and that they are not engaged in financial criminal activities. CDD also enables financial institutions to assist law enforcement with investigations into fraud, money laundering, and potential terrorist funding.

4 requirements of the CDD rule

The four core requirements of CDD, as outlined by FinCEN, are as follows:

  1. Identification and verification of existing and potential customers: This includes a wide range of information, from the address of the company to the names of all the individual executives.
  2. Identification and verification of beneficial owners of the customer opening the account: This includes those who benefit from the activities of the company and anyone who acts on behalf of the company, as well as reporting any individual who owns 25 percent or more of the entity or who controls the entity.
  3. Understanding the purpose and nature of all business relationships the customer engages in to develop risk profiles: Knowing customer relationships helps to create a risk profile, which is important for preventing financial crime.
  4. Ongoing monitoring and reporting of suspicious activity: Customer information is to be maintained and updated. Customers are to be monitored on a risk basis for potentially suspicious activity, which is to be reported immediately if identified.

Understanding enhanced due diligence (EDD)

Customer due diligence uses a risk-based approach. When customers are believed to be high risk after the initial CDD process, additional measures are taken through enhanced due diligence, or EDD. 

Customers who are on sanctions lists or are politically exposed persons (PEPs) are classified as high risk. A PEP is someone with political influence or an individual entrusted with a prominent public function. If a person is classified as a PEP, or is a close family member or acquaintance of someone who is, enhanced due diligence is necessary.

EDD is a more comprehensive look at the customer and their business and financial history and behaviors. This will entail deeper CDD requirements, which can include the following:

  • Obtaining additional customer identification records
  • Establishing financial sources
  • Taking a closer look at business relationships and the purposes of transactions
  • Ongoing monitoring procedures

Risk-based customer due diligence assessment

The customer’s risk profile and relationship with the financial institution will define the level of due diligence required. CDD develops a risk-based assessment to determine the level of risk a customer presents for potentially engaging in financial fraud, money laundering, sanctions busting, or terrorist financing. During the initial customer identity information gathering and verification process, a risk profile is created that determines the necessary level of CDD to be completed. 

Ongoing monitoring is required based on this risk-based assessment. Customers who are considered low risk, for example, will likely only require basic CDD measures and less frequent ongoing monitoring. Those who are deemed high risk, on the other hand, can require EDD and a closer look at financial transactions as well as more frequent monitoring.

Certain transactions, such as those over a specific regulatory threshold, may also warrant closer inspection through CDD. In addition, unreliable or inadequate customer identification documents or suspicion of money laundering or terrorist financing will necessitate EDD. 

The cost of CDD

Maintaining compliance with KYC/AML and CDD can be a costly endeavor for financial institutions. Financial services firms spend an average of $14.3 million on AML compliance alone. 

While performing customer due diligence can involve high costs, these costs will undoubtedly be lower than regulatory fines for non-compliance with AML and KYC regulations. 

Customer due diligence protects financial institutions from money lost due to fraud and criminal activity. Not only is there a financial loss when fraud is perpetrated, but it can also hurt the reputation of the financial institution, which can greatly impact the company’s bottom line. 

There are various resources for maintaining CDD and KYC/AML compliance, including third-party resources and solutions. 

Additional resources

The Financial Crimes Enforcement Network (FinCEN) sets the regulations as well as KYC/AML and CDD compliance requirements.

The Office of the Comptroller of the Currency (OCC) provides more details on the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations.

FinCEN also publishes frequently asked questions (FAQs) on customer due diligence (CDD) requirements and regulations for financial institutions.
Customer Due Diligence Requirements for Financial Institutions. (May 2016). Financial Crimes Enforcement Network (FinCEN).

Fraud Costs the Global Economy Over US$5 Trillion. (July 2019). Crowe.

Information on Complying With the Customer Due Diligence (CDD) Final Rule. Financial Crimes Enforcement Network (FinCEN).

Financial Crimes Enforcement Network. Financial Crimes Enforcement Network (FinCEN).

Bank Secrecy Act (BSA). Office of the Comptroller of the Currency (OCC).

Frequently Asked Questions Regarding Customer Due Diligence (CDD) Requirements for Covered Financial Institutions. (August 2020). Financial Crimes Enforcement Network (FinCEN).