Customer Due Diligence (CDD): Requirements and Best Practices

Understand Customer Due Diligence requirements, the FinCEN CDD Rule, risk-based approaches, and how CDD applies to business customers under KYB compliance.

9 min read

Customer Due Diligence (CDD) is the process of gathering and analyzing information about customers to assess and manage the risks they present. CDD is a cornerstone of anti-money laundering (AML) compliance—it’s how financial institutions and other regulated entities know who they’re doing business with and whether those relationships pose unacceptable risk.

For business customers, CDD is the regulatory framework that drives KYB (Know Your Business) requirements.

What Is Customer Due Diligence?

CDD encompasses everything an organization does to:

Identify the customer (individual or entity)
Verify that identity using reliable sources
Understand the nature and purpose of the relationship
Assess risk based on customer characteristics and behavior
Monitor the relationship on an ongoing basis

CDD isn’t a one-time activity at onboarding—it’s a continuous process throughout the customer lifecycle.

The FinCEN CDD Rule

In 2016, the Financial Crimes Enforcement Network (FinCEN) issued the Customer Due Diligence Requirements for Financial Institutions rule, which took effect in May 2018. This rule formalized CDD requirements for covered financial institutions and, critically, added explicit beneficial ownership requirements for legal entity customers.

Covered Institutions

The CDD Rule applies to:

Banks and credit unions
Broker-dealers in securities
Mutual funds
Futures commission merchants and introducing brokers in commodities

The Four Pillars

The CDD Rule requires covered institutions to establish and maintain written policies and procedures for:

Pillar	Requirement
1. Customer Identification	Identify and verify the identity of customers
2. Beneficial Ownership	Identify and verify beneficial owners of legal entity customers
3. Understanding the Relationship	Understand the nature and purpose of customer relationships
4. Ongoing Monitoring	Conduct ongoing monitoring and update customer information

The beneficial ownership requirement was new—before the CDD Rule, there was no explicit federal requirement to identify the individuals behind business customers.

CDD vs. CIP: What’s the Difference?

The Customer Identification Program (CIP) and CDD are related but distinct:

Aspect	CIP	CDD
Origin	USA PATRIOT Act Section 326 (2001)	FinCEN CDD Rule (2016/2018)
Focus	Identity verification	Risk assessment and understanding
Scope	All customers	All customers, with emphasis on legal entities
Beneficial ownership	Not required	Required for legal entity customers
Ongoing monitoring	Not explicitly required	Explicitly required

CIP establishes the baseline: verify that customers are who they claim to be. CDD builds on this by requiring a deeper understanding of customers and their risk profiles.

Three Levels of Due Diligence

CDD operates on a spectrum based on risk:

Simplified Due Diligence (SDD)

Reduced verification for demonstrably low-risk customers:

Publicly traded companies with transparent ownership
Regulated financial institutions
Government entities
Established customers with long, clean history

SDD doesn’t mean no due diligence—it means proportionately less intensive measures where risk is clearly low.

Standard CDD

The baseline for most customer relationships:

Full identification and verification
Beneficial ownership identification (for legal entities)
Understanding of relationship purpose
Standard ongoing monitoring

Enhanced Due Diligence (EDD)

Intensified measures for higher-risk customers:

Deeper investigation into ownership and control
Source of funds and source of wealth verification
Senior management approval for relationship
More frequent and intensive monitoring
Additional documentation requirements

EDD triggers include:

PEPs (Politically Exposed Persons)
High-risk jurisdictions
Complex ownership structures
Cash-intensive businesses
Adverse media or screening hits
Unusual transaction patterns

CDD for Legal Entity Customers

When the customer is a business rather than an individual, CDD encompasses KYB requirements:

Entity Identification

Collect and verify:

Full legal name
Principal place of business address
State/country of formation
Taxpayer identification number (EIN in the US)

Beneficial Ownership Identification

Under the CDD Rule, financial institutions must identify:

At least one individual with significant responsibility to control, manage, or direct the legal entity (a “control person”), AND

Each individual who owns 25% or more of the equity interests

For each beneficial owner, collect:

Name
Date of birth
Address
Identification number (SSN or passport)

This is where CDD intersects directly with UBO verification.

Exemptions

Certain legal entities are exempt from beneficial ownership requirements:

Regulated financial institutions
SEC-registered entities
State-registered investment advisers
Insurance companies
Publicly traded companies
Government entities
Entities whose beneficial ownership is already available to the financial institution

Risk-Based Approach

CDD must be proportionate to risk. A risk-based approach means:

Assess Inherent Risk

Consider factors that indicate higher or lower risk:

Customer type

Individual vs. legal entity
Industry and business model
Domestic vs. foreign

Geographic risk

Country of incorporation/residence
Countries of operation
Jurisdictions with weak AML controls

Product/service risk

Transaction types and volumes
Cross-border activity
Cash handling

Channel risk

Face-to-face vs. remote onboarding
Introduced business vs. direct relationship

Apply Proportionate Measures

Risk Level	Due Diligence Measures
Low	SDD — streamlined verification, standard monitoring
Medium	Standard CDD — full verification, regular monitoring
High	EDD — enhanced verification, intensive monitoring, senior approval

Document Risk Decisions

Record:

The risk factors considered
The risk rating assigned
The rationale for the rating
The due diligence measures applied

Ongoing CDD

CDD doesn’t end at onboarding. Ongoing CDD includes:

Transaction Monitoring

Monitor customer activity for:

Transactions inconsistent with expected behavior
Unusual patterns or volumes
Transactions involving high-risk jurisdictions
Potential suspicious activity

Periodic Review

Reassess customer risk periodically:

Risk Level	Review Frequency
High risk	Annually or more frequently
Medium risk	Every 2-3 years
Low risk	Every 3-5 years

Trigger-Based Review

Re-evaluate when:

Adverse information emerges
Customer requests unusual products or services
Transaction patterns change significantly
Ownership or control changes
Regulatory guidance changes

Information Updates

Keep customer information current:

Request updated documentation at reviews
Monitor for changes via registries and data providers
Require customers to report material changes

Documentation Requirements

Maintain records demonstrating:

What information was collected — customer identification, beneficial ownership, business purpose
How it was verified — sources used, documents reviewed, checks performed
Risk assessment — factors considered, rating assigned, rationale
Decisions made — relationship approval, conditions imposed, EDD measures
Ongoing monitoring — reviews conducted, alerts investigated, actions taken

Retention requirements vary by jurisdiction but typically require keeping CDD records for at least 5 years after the relationship ends.

Common CDD Challenges

Balancing Thoroughness and Friction

More due diligence means more customer friction. Organizations must find the right balance:

Risk-based approach helps—apply intensity where it’s needed
Technology and automation reduce manual burden
Clear communication helps customers understand requirements

Data Quality and Availability

CDD depends on reliable data, but:

Business registries vary in quality and accessibility
Beneficial ownership information may be incomplete
Some jurisdictions have limited public records

Keeping Information Current

Customer circumstances change:

Ownership transfers happen
Businesses expand to new jurisdictions
Risk profiles evolve

Ongoing monitoring and periodic reviews are essential but resource-intensive.

Regulatory Divergence

Different jurisdictions have different CDD requirements:

Varying ownership thresholds
Different exempt entity categories
Inconsistent documentation standards

Global organizations must navigate overlapping and sometimes conflicting requirements.

Key Takeaways

CDD is the framework for knowing your customers and assessing their risk
The FinCEN CDD Rule established four pillars including beneficial ownership requirements
Three levels — SDD, standard CDD, and EDD — apply based on risk
For legal entities, CDD encompasses KYB including UBO identification
Risk-based approach means proportionate measures based on assessed risk
Ongoing CDD — monitoring, reviews, and updates — continues throughout the relationship
Documentation is critical for demonstrating compliance

Enigma Resources

Explore more from Enigma on due diligence and compliance:

Guides & Checklists

A Guide to Optimizing Your KYB Process — Streamlining due diligence workflows
KYB Requirements Checklist — Essential CDD requirements for business customers

Webinars

How to Optimize Your KYB Process: Build In-House, Single Partner, or Waterfall — Implementing efficient due diligence
How Financial Institutions Can Navigate a Changing KYB Legislative Landscape — Evolving CDD requirements

Product

Enigma KYB High-Risk Classification — Risk-based due diligence approaches
Enigma KYB for Payment Providers — CDD for payments industry

Case Study

Enigma KYB: 50% Increase in Secretary of State Registration Fill Rates — Improving entity verification for CDD

Follow Enigma: LinkedIn | YouTube