Customer Due Diligence (CDD): The Complete Guide for 2026

In 2024, global regulators imposed more than $6.6 billion in AML-related fines — and at the root of many enforcement actions was a familiar failure: inadequate customer due diligence. Whether you’re a bank onboarding corporate clients, a fintech processing cross-border payments, or a real estate firm handling high-value transactions, CDD is the foundation that everything else in your compliance program rests on.
This guide covers the full scope of customer due diligence, from its meaning and regulatory foundations to the CDD process, real-world failures, and how CDD automation is reshaping compliance operations.
What Is Customer Due Diligence (CDD)?
Customer due diligence is the set of procedures that financial institutions and regulated businesses use to verify a customer’s identity, assess the risk they present, and understand the nature and purpose of the business relationship. CDD is a core component of Know Your Customer (KYC) requirements and a critical pillar of any Anti-Money Laundering (AML) compliance program.
At its core, CDD prevents money laundering by ensuring institutions know who they’re dealing with before and throughout a business relationship. The goal is to detect and prevent criminals and terrorist organizations from accessing legitimate financial systems, and to create an auditable trail that demonstrates compliance to regulators.
CDD applies to every customer. It is the default level of due diligence, sitting between simplified due diligence (SDD) for demonstrably low-risk relationships and enhanced due diligence (EDD) for high-risk ones.
CDD vs. EDD vs. SDD: The Three Tiers of Due Diligence
Most regulatory frameworks establish three tiers, each calibrated to a different risk level. Understanding the CDD and EDD distinction — and where SDD fits — is essential for a proportionate compliance program.
Attribute | SDD (Low Risk) | CDD (Standard) | EDD (High Risk) |
When applied | Demonstrably low-risk customers | All customers (default) | High-risk indicators present |
Identity verification | Basic checks, may defer | Full verification required | Enhanced verification + additional documents |
Beneficial ownership | Standard identification | Identify & verify UBOs | Deep UBO investigation + source of wealth |
Source of funds | Not typically required | May be requested | Mandatory, with corroborating evidence |
Ongoing monitoring | Reduced frequency | Standard monitoring | Intensified, higher-frequency monitoring |
Senior mgmt approval | Not required | Not required | Required for relationship establishment |
Regulatory basis | FATF Rec. 10; AMLD Art. 15 | FATF Rec. 10; AMLD Art. 13 | FATF Rec. 19; AMLD Art. 18 |
Enhanced customer due diligence adds deeper investigation — source of wealth analysis, intensified screening, and senior management sign-off — for customers presenting elevated risk.
CDD Requirements: Regulatory Frameworks Worldwide
CDD requirements are mandated across multiple jurisdictions, though the specifics vary. The key frameworks include FATF Recommendation 10, which establishes the international standard for customer due diligence and the risk-based approach; the EU’s Anti-Money Laundering Directives (AMLD6, with the AML Regulation taking effect in 2027); the U.S. Bank Secrecy Act and FinCEN’s CDD Rule; and the UK’s Money Laundering Regulations 2017 (as amended).
The 4 CDD Requirements Under FinCEN’s Final Rule
The FinCEN CDD rule, effective since May 2018, codifies four core requirements, often called the 4 CDD requirements or the “four pillars of KYC.” Covered financial institutions must establish and maintain written policies and procedures to: (1) identify and verify the identity of customers, (2) identify and verify the identity of beneficial owners of legal entity customers, (3) understand the nature and purpose of customer relationships to develop customer risk profiles, and (4) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information.
Notably, in February 2026, FinCEN issued an Order granting exceptive relief from the requirement to identify and verify beneficial owners at each new account opening, a significant procedural update that compliance teams should incorporate into their CDD rule workflows.
The CDD Process: A Step-by-Step Guide
While specific CDD checks vary by institution and jurisdiction, the CDD process generally follows five steps.
Step 1: Customer Identification. Collect identifying information: name, date of birth, address, and identification number for individuals; registration documents, articles of incorporation, and director details for entities.
Step 2: Identity Verification. Verify the information against independent, reliable sources. This may include government-issued documents, electronic identity verification, or database cross-referencing as part of KYC CDD procedures.
Step 3: Beneficial Ownership Identification. For legal entities, identify and verify any individual who owns 25% or more (or 10% in some jurisdictions) and the individual who controls the entity.
Step 4: Customer Risk Profiling. Assess the customer’s risk level based on factors including geography, industry, transaction patterns, PEP status, and the products or services they’re using. This is where AML CDD intersects with your institution’s broader risk appetite.
Step 5: Ongoing Monitoring. Continuously monitor transactions and periodically update customer information to ensure the relationship remains consistent with the institution’s understanding of the customer.
CDD Checklist: Building an Effective CDD Program
A structured CDD checklist ensures consistency. Use this as a baseline for your CDD program:
Identity and Ownership:
Verified identity through independent sources
Beneficial ownership traced to ultimate level
Corporate structure mapped
Directors and signatories identified
Financial Profile:
Expected transaction profile documented
Initial deposit aligned with stated purpose
Source of funds requested where risk warrants
Screening:
Sanctions screening across all relevant lists (OFAC, EU, UN)
PEP screening completed
Adverse media screening across multiple sources
Risk Assessment:
Overall risk rating assigned and justified
Monitoring frequency defined
Next review date scheduled
Ongoing Monitoring:
Transaction thresholds for alerts defined
Geographic and behavioral triggers configured
Periodic review calendar maintained
CDD for Banks, Fintech, Real Estate, and Crypto
Different industries face different CDD landscapes. CDD for banks focuses on correspondent banking, trade finance, and cross-border wire transfers, with particular emphasis on the FinCEN CDD rule’s beneficial ownership requirements. CDD in banking also involves managing large corporate client portfolios where UBO structures can span multiple jurisdictions.
For fintech and payments companies, the challenge centers on high-volume digital onboarding, cryptocurrency transactions, and merchant due diligence. Speed is critical, but so is ensuring that automated CDD checks don’t create blind spots.
In real estate, CDD applies to high-value property transactions, particularly those involving foreign buyers, shell companies, or all-cash purchases where the risk of money laundering is elevated.
For crypto and virtual asset service providers (VASPs), CDD must address the unique risks of pseudonymous transactions, unhosted wallets, and cross-chain transfers where tracing beneficial ownership is inherently more complex.
Ongoing CDD: Why Due Diligence Never Ends
Ongoing CDD is not optional: every major regulatory framework requires it. Effective ongoing monitoring for standard-risk customers includes transaction monitoring against the expected profile; periodic re-screening against sanctions, PEP, and adverse media databases; trigger-based reviews when material events occur (a customer is newly designated as a PEP, a jurisdiction lands on the FATF grey list, or transaction behavior changes significantly); and scheduled periodic reviews proportionate to the risk level.
When ongoing CDD identifies new concerns, the institution must be prepared to escalate, whether that means applying enhanced customer due diligence measures, filing a suspicious activity report, or exiting the relationship entirely.
Real-World CDD Failures: Enforcement Actions and Lessons
Understanding how CDD failures play out in practice illustrates why these processes matter.
Wirecard (2020). The collapse of Wirecard revealed that billions in reported assets did not exist. Regulators failed to apply adequate due diligence to third-party acquiring partners, many of which were shell entities, exposing systemic CDD gaps across banks, auditors, and regulators.
Westpac (2020). Australia’s second-largest bank was fined A$1.3 billion for 23 million AML/CTF breaches, including inadequate CDD on correspondent banking relationships and failures in ongoing transaction monitoring.
TD Bank (2024). TD Bank paid over $3 billion, the largest BSA penalty in U.S. history, for systematic AML failures including CDD deficiencies and inadequate transaction monitoring across trillions of dollars.
CDD Automation: How AI and Technology Are Changing Compliance
Traditional CDD processes are resource-intensive: a single onboarding review can take days when performed manually. Modern CDD solutions are transforming this through AI-powered risk scoring that analyzes hundreds of data points for more consistent assessments; automated adverse media screening using NLP to scan databases in real time across multiple languages; digital identity verification that completes biometric and document checks in minutes; and API-driven data aggregation that consolidates corporate registries, sanctions lists, and PEP databases into a single workflow.
CDD automation doesn’t replace human judgment; it ensures analysts spend their time on genuine risk assessment rather than data gathering.