What is Customer Due Diligence?

Angela Marrujo Fornaca

Content Writer

Customer due diligence (CDD) is the process of verifying the identity of a customer and assessing the risks of entering into a business relationship with them. It involves collecting and analyzing personal information about the customer in order to prevent financial crime. CDD is a legal requirement for regulated businesses, and it helps protect them from financial losses and reputational damage.


Money laundering is pervasive and endemic: as much as 5% of global GDP (roughly $3.6 trillion) is laundered every year, yet less than 1% of that money is ever seized. Businesses are required to comply with a range of laws and regulations intended to prevent money laundering, terrorist financing, and other financial crimes. One of the key requirements is to conduct customer due diligence (CDD): verifying the identity of customers and assessing the risk each one presents.

What is CDD, and why is it not just required, but important for businesses to conduct thoroughly?

Cross Your T’s and Dot Your I’s

CDD is the process of collecting and verifying customer information, such as their name, address, and date of birth. It is a critical component of the Know Your Customer (KYC) process, which is aimed at preventing financial crimes by identifying and verifying the identity of customers. The purpose of CDD is to mitigate the risks associated with customers and ensure that businesses are not unknowingly facilitating financial crimes.

CDD is particularly important for financial institutions, such as banks, credit unions, and other financial service providers. Failure to comply with strict anti-money laundering (AML) laws and regulations can result in significant fines, legal action, and reputational damage.

CDD is not one-size-fits-all, however. Different types of CDD are suited to different levels of customer risk.

Three Types of Customer Due Diligence

The CDD process typically involves several steps. The first is to collect personally identifiable information (PII), such as the customer’s full name, business and home addresses, and date of birth. This information is then verified through means such as government-issued identification documents and third-party databases. The level of verification required varies with the risk associated with the customer, the nature of the business, and the applicable regulatory requirements.

Once the customer information is verified, the next step is to assess the risk associated with the customer. This involves evaluating various factors, such as the customer's country of origin, occupation, and business activities. The risk assessment helps businesses determine the level of due diligence required for the customer and the ongoing monitoring needed to ensure compliance.

This is where the different types of CDD come into play, and when a compliance professional needs to evaluate which type is most appropriate for the customer.

  • Simplified due diligence: For low-risk customers. Involves identifying the customer (without necessarily verifying their identity) and running basic checks to confirm they do not appear on any sanctions or watchlists.

  • Standard due diligence: The default level, for customers who present ordinary (neither low nor high) risk on initial assessment. Requires collecting PII for the customer or their beneficial owners in order to identify them and verify their identity.

  • Enhanced due diligence (EDD): The highest level of due diligence, for high-risk customers. High-risk triggers include:

    • Being identified as a politically exposed person (PEP)
    • Holding personal assets through a trust
    • Being a non-resident of the country where the financial institution is headquartered while residing in, or holding citizenship of, a country with weak anti-money laundering or counter-terrorism financing laws

EDD involves conducting more thorough checks on the customer's identity, background, and business activities. This may include conducting site visits and obtaining additional documentation.

Reporting Suspicious Activity

If your organization identifies red flags or suspicious activity during the CDD process, you are required to report it to the appropriate authorities in accordance with applicable laws and customer due diligence regulations, such as the Anti-Money Laundering Act and the Bank Secrecy Act. In practice, this means filing a suspicious activity report (SAR) with the designated authority (in the US, FinCEN), which makes it available to law enforcement. Doing so not only keeps you compliant; it also contributes to global AML efforts.

Wrap Up

A compliance professional’s work is never done: CDD is not a one-time event but an ongoing process. It is important to monitor regularly for suspicious activity, such as unusual transactions or patterns that may indicate money laundering, which can surface at any time. As a rule of thumb, low-risk customers should have a CDD review at least once a year, and medium- to high-risk customers every six months.

CDD is a critical component of the KYC process and is essential for remaining compliant and mitigating risk. It’s crucial to stay on top of CDD not just because it’s required, but because it helps contribute to the fight against financial crime.
