Customer due diligence: what it is and how it works

Customer due diligence (CDD) is required of any business that deals with customers and falls under anti-money laundering (AML) regulations. Its purpose is to prevent financial crime and to surface the risks to your organization that could arise from doing business with a particular customer.

There are different types of CDD, from simplified CDD to enhanced due diligence. In this article we will focus on standard CDD requirements.

What is CDD?

Customer due diligence (CDD) is a series of checks to help you verify your customers’ identities and assess their risk profiles.

CDD is a regulatory requirement for companies entering into a business relationship with a customer, and it is a central part of anti-money laundering (AML) and Know Your Customer (KYC) rules.

CDD involves analyzing information from different sources, including the customer, sanctions lists, and public and private data sources. The information you collect depends on the risk profile of your customer, but basic customer due diligence requires the following:

  • Information about the identity of your customers, such as their name, address and a photograph of an official identity document

  • An overview of your customer’s activities and the markets they operate in

  • An overview of any other entities that your customer does business with

CDD meaning: the different types of CDD

CDD is an important part of your business's risk management. Different customers pose different levels of risk, so CDD is carried out through a risk-based approach.

You should assess the potential risk level of each customer, and adjust your due diligence approach accordingly. For the majority of clients, standard due diligence practices — which require you to identify and verify customer identities — are appropriate.

In certain lower-risk scenarios, simplified due diligence may suffice. When carrying out simplified due diligence, you only need to identify your customers rather than identify and verify them.

On the other hand, there might be instances where standard due diligence isn’t sufficient. In this case, you’d need to adopt enhanced due diligence.


Customer due diligence for banks

Financial institutions must take a risk-based approach to customer due diligence as part of KYC and other regulations. This is to ensure that the organization remains compliant with the local laws and regulations of the markets that they operate in.

The level of CDD in banking will depend on the type of business-customer relationship and the customer’s risk profile. But broadly, banks must take necessary steps to make sure that the customer is really who they say they are so that they can prevent fraudulent activity such as identity fraud or impersonation.

When do you need to apply CDD in banking?

  • Establishing a business relationship: Ahead of a new customer-business relationship, banks must perform due diligence to check the customer’s risk profile, verify who they are and ensure they aren’t using a fake identity.

  • Occasional transactions: A transaction outside an established relationship can itself trigger CDD measures, for example one at or above a set monetary threshold (USD/EUR 15,000 is the commonly cited figure) or one involving high-risk persons or regions.

  • Suspicious activity: Banks must implement CDD checks if the customer is suspected of activity related to money laundering or financing terrorism.

  • Unreliable identification: If the information a customer has provided is unreliable, suspicious or does not meet requirements, banks should apply additional CDD measures.


Customer due diligence checklist

Conduct basic customer due diligence 

The first step is to conduct simple investigations, such as identifying and verifying a customer’s identity. Businesses are required to verify the identity of their customers before or during the start of that business-customer relationship. These requirements apply to all new customers as part of Know Your Customer (KYC) regulations.


There are several ways that businesses can verify customer identities. One approach is online document verification, which involves digitally assessing the legitimacy of a customer’s identity document as part of onboarding processes.

In addition to identity verification, businesses should also consider a customer’s financial information (both current and previous) as well as their business activity.

Select any third parties  

Often businesses will opt to work with third parties when conducting customer due diligence. This could be lawyers, auditors, or providers of CDD solutions such as online identity verification. Businesses should ensure that any third parties they work with are reliable and trusted, and should remember that outsourcing the checks does not outsource the obligation: the regulated business remains responsible for the adequacy of the CDD performed on its behalf and must be able to obtain the underlying records on request.

Decide if enhanced due diligence (EDD) is needed 

If the customer is considered high risk, the business might need to carry out enhanced due diligence (EDD) checks. EDD is necessary if you’re entering into a business relationship with a politically exposed person (PEP), if the transaction involves a person from a high-risk country or any other situation where there’s a high risk of money laundering.

Secure all record-keeping 

AML rules require businesses to keep records of financial transactions, and of the CDD measures taken, for at least five years (in many jurisdictions the period runs from the end of the business relationship or the date of the transaction). This includes any information collected through CDD measures, account files and business correspondence, as well as any related analysis.

Businesses must also securely document and store the information obtained during the previous steps. Because it is sensitive personal data (identity documents, biometrics, financial history), it should be encrypted at rest, restricted to staff with a need to know, and access-logged; a loss or leak would be both a security incident and a data-protection problem.

Maintain up-to-date records 

If the circumstances of your customers ever change, as a business you’ll need to amend their risk assessment and carry out further due diligence if necessary. Examples of when this might happen are if there was a change in ownership or structure of a business.

Customer due diligence solutions

Any approach to CDD must allow you to collect and verify basic information about your customer, including their name, date of birth, and a photograph of an official document that confirms their identity and residential address.

One way to do this is to ask for a government-issued identity document such as a passport or driver's license. Onfido's solution, which combines a document check with a biometric check, first verifies that the document is genuine. It then compares the photo on the identity document with a biometric capture of the person presenting it, to confirm that the document belongs to a real, present human rather than to someone whose ID has been stolen.

Businesses can then layer other checks and signals on top of this step. For example, requesting bank statements or other official documents, or capturing information from the electoral register.

An approach like Onfido's builds higher assurance in a customer's identity than older, weaker approaches such as database-only checks, which confirm that a record exists but not that the person presenting it is its owner. Effective CDD and KYC solutions are built on a combination of technology and expertise. As digital threats and the way businesses and customers interact continue to evolve, businesses should keep revisiting their approach to CDD.
