Customer Due Diligence (CDD): Requirements and Best Practices

February 5, 2026

Understand Customer Due Diligence requirements, the FinCEN CDD Rule, risk-based approaches, and how CDD applies to business customers under KYB compliance.

Customer Due Diligence (CDD) is the process of gathering and analyzing information about customers to assess and manage the risks they present. CDD is a cornerstone of anti-money laundering (AML) compliance—it's how financial institutions and other regulated entities know who they're doing business with and whether those relationships pose unacceptable risk.

For business customers, CDD is the regulatory framework that drives KYB (Know Your Business) requirements.

What Is Customer Due Diligence?

CDD encompasses everything an organization does to:

  1. Identify the customer (individual or entity)
  2. Verify that identity using reliable sources
  3. Understand the nature and purpose of the relationship
  4. Assess risk based on customer characteristics and behavior
  5. Monitor the relationship on an ongoing basis

CDD isn't a one-time activity at onboarding—it's a continuous process throughout the customer lifecycle.

The FinCEN CDD Rule

In May 2016, the Financial Crimes Enforcement Network (FinCEN) issued the Customer Due Diligence Requirements for Financial Institutions rule (the beneficial ownership requirement is codified at 31 CFR 1010.230), with a compliance date of May 11, 2018. This rule formalized CDD requirements for covered financial institutions and, critically, added explicit beneficial ownership requirements for legal entity customers.

Covered Institutions

The CDD Rule applies to:

  • Banks and credit unions
  • Broker-dealers in securities
  • Mutual funds
  • Futures commission merchants and introducing brokers in commodities

The Four Pillars

The CDD Rule requires covered institutions to establish and maintain written policies and procedures for:

1. Customer Identification: Identify and verify the identity of customers

2. Beneficial Ownership: Identify and verify beneficial owners of legal entity customers

3. Understanding the Relationship: Understand the nature and purpose of customer relationships

4. Ongoing Monitoring: Conduct ongoing monitoring and update customer information

The beneficial ownership requirement was new—before the CDD Rule, there was no explicit federal requirement to identify the individuals behind business customers.

CDD vs. CIP: What's the Difference?

The Customer Identification Program (CIP) and CDD are related but distinct:

Origin

  • CIP: USA PATRIOT Act Section 326 (2001), with implementing rules effective in 2003
  • CDD: FinCEN CDD Rule (issued 2016, compliance date May 2018)

Focus

  • CIP: Identity verification
  • CDD: Risk assessment and understanding

Scope

  • CIP: All customers
  • CDD: All customers, with emphasis on legal entities

Beneficial ownership

  • CIP: Not required
  • CDD: Required for legal entity customers

Ongoing monitoring

  • CIP: Not explicitly required
  • CDD: Explicitly required

CIP establishes the baseline: verify that customers are who they claim to be. CDD builds on this by requiring a deeper understanding of customers and their risk profiles.

Three Levels of Due Diligence

CDD operates on a spectrum based on risk:

Simplified Due Diligence (SDD)

Reduced verification for demonstrably low-risk customers:

  • Publicly traded companies with transparent ownership
  • Regulated financial institutions
  • Government entities
  • Established customers with long, clean history

SDD doesn't mean no due diligence—it means proportionately less intensive measures where risk is clearly low.

Standard CDD

The baseline for most customer relationships:

  • Full identification and verification
  • Beneficial ownership identification (for legal entities)
  • Understanding of relationship purpose
  • Standard ongoing monitoring

Enhanced Due Diligence (EDD)

Intensified measures for higher-risk customers:

  • Deeper investigation into ownership and control
  • Source of funds and source of wealth verification
  • Senior management approval for relationship
  • More frequent and intensive monitoring
  • Additional documentation requirements

EDD triggers include:

  • PEPs (Politically Exposed Persons)
  • High-risk jurisdictions
  • Complex ownership structures
  • Cash-intensive businesses
  • Adverse media or screening hits
  • Unusual transaction patterns

CDD for Business Customers (KYB)

When the customer is a business rather than an individual, CDD encompasses KYB requirements:

Entity Identification

Collect and verify:

  • Full legal name
  • Principal place of business address
  • State/country of formation
  • Taxpayer identification number (EIN in the US)

Beneficial Ownership Identification

Under the CDD Rule, financial institutions must identify, and verify the identity of, beneficial owners under two prongs:

  • Ownership prong: each individual who, directly or indirectly, owns 25% or more of the equity interests of the legal entity customer. Indirect ownership through intermediate entities counts, so a 50% owner of a holding company that itself owns 60% of the customer holds 30%. The 25% figure is the regulatory maximum; an institution may apply a lower threshold to higher-risk customers.
  • Control prong: at least one individual with significant responsibility to control, manage, or direct the legal entity (for example, an executive officer). The same person can satisfy both prongs, and the control prong still applies to an entity that has no 25% owner at all.

For each beneficial owner, collect:

  • Name
  • Date of birth
  • Address
  • Identification number (SSN for US persons; passport number and country of issuance, or another government-issued identification number, for non-US persons)

The institution may obtain this information through a certification from the individual opening the account (FinCEN publishes a model certification form) and must verify each beneficial owner's identity with risk-based procedures that contain, at a minimum, the elements of its CIP verification procedures; photocopies of identity documents are permitted for this purpose.

This is where CDD intersects directly with UBO verification.

Exemptions

Certain legal entity customers are excluded from the beneficial ownership requirement, broadly because their ownership is already transparent or supervised. The excluded categories include, among others:

  • Financial institutions regulated by a federal functional regulator, and banks regulated by a state bank regulator
  • Issuers of securities registered under the Securities Exchange Act (public companies) and other SEC-registered entities, including investment companies and SEC-registered investment advisers
  • Entities registered with the CFTC under the Commodity Exchange Act
  • Insurance companies regulated by a state
  • US federal, state, and local government agencies, and non-US government bodies that engage only in governmental activities
  • Pooled investment vehicles operated or advised by one of the excluded entities above

Two partial exclusions also apply: nonprofit corporations, and pooled investment vehicles not covered above, are subject only to the control prong. Beneficial ownership information that the institution already holds is not an exemption in itself, but when an existing customer opens an additional account the institution may rely on the information collected earlier, provided it is current or the customer certifies that it has not changed.
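The two prongs and the exemption categories above, as an added worked example in Python (not code from the original article or from Enigma): it flattens a layered cap table into each individual's effective percentage, applies the 25% ownership test with an optional lower threshold, requires a named control person, and short-circuits on full and partial exemptions. The entity names, people, percentages and the exemption-category labels are constructed for the example and are simplifications of the rule's categories.

```python
"""Beneficial-ownership determination under the CDD Rule's two prongs.

Added example, not code from the original article. The entities, people and
percentages are constructed sample data, and the exemption category labels are
simplified stand-ins for the categories in 31 CFR 1010.230(e); check the rule
text before relying on them.
"""
from __future__ import annotations
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 25.0   # the rule's 25% test; an institution may set a lower one

# Categories excluded from beneficial-ownership collection altogether (simplified).
FULLY_EXEMPT = {"regulated_financial_institution", "sec_reporting_issuer",
                "sec_registered_adviser_or_fund", "state_regulated_insurer",
                "government_entity"}
# Categories subject to the control prong only.
CONTROL_PRONG_ONLY = {"nonprofit", "non_excluded_pooled_investment_vehicle"}


@dataclass
class Owner:
    name: str
    pct: float                                         # direct equity interest in the parent (0-100)
    is_individual: bool = True
    owners: list[Owner] = field(default_factory=list)  # filled in for intermediate entities


@dataclass
class LegalEntityCustomer:
    name: str
    category: str                    # e.g. "operating_company", "nonprofit"
    owners: list[Owner]
    control_person: str | None       # individual with significant control responsibility


def effective_ownership(owners: list[Owner], scale: float = 1.0,
                        path: tuple[str, ...] = ()) -> dict[str, float]:
    """Flatten layered ownership into each individual's effective percentage.

    An interest held through an intermediate entity counts as the product of the
    percentages along the chain, and interests the same person holds through
    several paths are summed (the rule counts direct and indirect ownership).
    """
    totals: dict[str, float] = {}
    for o in owners:
        if o.name in path:
            raise ValueError(f"circular ownership through {o.name}")
        if o.is_individual:
            totals[o.name] = totals.get(o.name, 0.0) + o.pct * scale
        else:
            nested = effective_ownership(o.owners, scale * o.pct / 100.0, path + (o.name,))
            for person, pct in nested.items():
                totals[person] = totals.get(person, 0.0) + pct
    return {person: round(pct, 4) for person, pct in totals.items()}


def beneficial_owners(customer: LegalEntityCustomer,
                      threshold: float = OWNERSHIP_THRESHOLD) -> dict:
    """Apply the ownership and control prongs, honouring full and partial exemptions."""
    if customer.category in FULLY_EXEMPT:
        return {"ownership_prong": [], "control_prong": None,
                "basis": "exempt: no beneficial ownership collection required"}
    if not customer.control_person:
        # The control prong always needs one named individual, even where the
        # ownership prong does not apply.
        raise ValueError(f"{customer.name}: a control person is required")
    if customer.category in CONTROL_PRONG_ONLY:
        return {"ownership_prong": [], "control_prong": customer.control_person,
                "basis": "partial exemption: control prong only"}
    direct_total = sum(o.pct for o in customer.owners)
    if direct_total > 100.0 + 1e-9:
        raise ValueError(f"{customer.name}: declared equity exceeds 100% ({direct_total}%)")
    totals = effective_ownership(customer.owners)
    owners = sorted(p for p, pct in totals.items() if pct >= threshold)
    return {"ownership_prong": owners, "control_prong": customer.control_person,
            "effective": totals, "basis": f"ownership prong at {threshold}% plus control prong"}


# Constructed sample: Acme Holdings LLC is 40% owned by Alice directly and 60% by
# Beta Capital LP, which is itself owned by Bob, Carol and (again) Alice.
BETA = Owner("Beta Capital LP", 60.0, is_individual=False,
             owners=[Owner("Bob", 50.0), Owner("Carol", 30.0), Owner("Alice", 20.0)])
ACME = LegalEntityCustomer("Acme Holdings LLC", "operating_company",
                           owners=[Owner("Alice", 40.0), BETA], control_person="Erin")

if __name__ == "__main__":
    result = beneficial_owners(ACME)
    print(result["effective"])         # Alice 52.0, Bob 30.0, Carol 18.0
    print(result["ownership_prong"])   # ['Alice', 'Bob']; Carol falls below 25%
    print(beneficial_owners(ACME, threshold=10.0)["ownership_prong"])  # a lower threshold adds Carol
```

Alice's 12% indirect interest is what pushes her from 40% to 52%, and Carol's 30% of the intermediate entity is only 18% of the customer; both effects are easy to miss when a cap table is read one layer at a time.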

Risk-Based Approach

CDD must be proportionate to risk. A risk-based approach means:

Assess Inherent Risk

Consider factors that indicate higher or lower risk:

Customer type

  • Individual vs. legal entity
  • Industry and business model
  • Domestic vs. foreign

Geographic risk

  • Country of incorporation/residence
  • Countries of operation
  • Jurisdictions with weak AML controls

Product/service risk

  • Transaction types and volumes
  • Cross-border activity
  • Cash handling

Channel risk

  • Face-to-face vs. remote onboarding
  • Introduced business vs. direct relationship

Apply Proportionate Measures

Low: SDD — streamlined verification, standard monitoring

Medium: Standard CDD — full verification, regular monitoring

High: EDD — enhanced verification, intensive monitoring, senior approval

Document Risk Decisions

Record:

  • The risk factors considered
  • The risk rating assigned
  • The rationale for the rating
  • The due diligence measures applied

Ongoing CDD

CDD doesn't end at onboarding. Ongoing CDD includes:

Transaction Monitoring

Monitor customer activity for:

  • Transactions inconsistent with expected behavior
  • Unusual patterns or volumes
  • Transactions involving high-risk jurisdictions
  • Potential suspicious activity

Periodic Review

The CDD Rule itself frames updates as event-driven (update customer information when monitoring surfaces a relevant change), but most programs also reassess customer risk on a cadence tied to the rating. The intervals below are common practice rather than figures from the rule:

High risk: Annually or more frequently

Medium risk: Every 2-3 years

Low risk: Every 3-5 years

Trigger-Based Review

Re-evaluate when:

  • Adverse information emerges
  • Customer requests unusual products or services
  • Transaction patterns change significantly
  • Ownership or control changes
  • Regulatory guidance changes
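The risk-based approach described earlier (assess inherent risk factors, apply proportionate measures, document the decision) together with the periodic and trigger-based review rules of this section, as one added Python example that is not code from the original article. It scores the inherent-risk factors the article lists, treats the article's EDD triggers as hard overrides, records the factors considered and the rating as the documentation section requires, and decides whether a review is due by cadence or by trigger event. The weights, thresholds, jurisdiction codes (XX, YY), industry lists, the chosen review intervals and the sample customers are all constructed assumptions that a real program would replace with its own calibrated risk assessment.

```python
"""Risk-based CDD tiering with a documented rationale and review scheduling.

Added example, not code from the original article. Weights, thresholds, jurisdiction
codes, industry lists and sample customers are constructed illustrations that a real
programme would calibrate to its own risk assessment.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

HOME_COUNTRY = "US"                                   # assumption: a US institution
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}                # placeholder codes, not a real list
CASH_INTENSIVE_INDUSTRIES = {"casino", "money_services", "used_car_dealer"}
LOW_RISK_CATEGORIES = {"publicly_traded", "regulated_financial_institution", "government"}
BASELINE = 15                                         # a new customer starts at Medium
TIER = {"Low": "SDD", "Medium": "Standard CDD", "High": "EDD"}
MEASURES = {"SDD": ["streamlined verification", "standard monitoring"],
            "Standard CDD": ["full identification and verification",
                             "beneficial ownership for legal entities", "regular monitoring"],
            "EDD": ["deeper ownership and control investigation", "source of funds and wealth",
                    "senior management approval", "intensive monitoring"]}
REVIEW_MONTHS = {"High": 12, "Medium": 24, "Low": 36}  # chosen inside the article's ranges
TRIGGER_EVENTS = {"adverse_information", "unusual_product_request",
                  "transaction_pattern_change", "ownership_change", "regulatory_guidance_change"}

@dataclass
class CustomerProfile:
    name: str
    is_legal_entity: bool
    industry: str
    country: str                          # incorporation or residence
    operating_countries: set[str]
    remote_onboarded: bool = False
    introduced: bool = False              # introduced business vs. direct relationship
    cross_border: bool = False
    pep: bool = False                     # customer, owner or controller is a PEP
    complex_ownership: bool = False
    adverse_media: bool = False
    unusual_activity: bool = False
    low_risk_category: str | None = None
    relationship_years: float = 0.0

@dataclass
class RiskDecision:          # the record the article asks for: factors, rating, measures
    customer: str
    score: int
    rating: str
    tier: str
    factors: list[tuple[str, int]] = field(default_factory=list)
    measures: list[str] = field(default_factory=list)

def assess_risk(c: CustomerProfile) -> RiskDecision:
    """Score inherent risk; any hard EDD trigger from the article forces High."""
    triggers = [(c.pep, "politically exposed person"),
                (c.country in HIGH_RISK_JURISDICTIONS, "high-risk jurisdiction"),
                (c.complex_ownership, "complex ownership structure"),
                (c.industry in CASH_INTENSIVE_INDUSTRIES, "cash-intensive business"),
                (c.adverse_media, "adverse media or screening hit"),
                (c.unusual_activity, "unusual transaction pattern")]
    weighted = [(c.is_legal_entity, "legal entity customer", 10),
                (c.country != HOME_COUNTRY, "foreign customer", 10),
                (bool(c.operating_countries & HIGH_RISK_JURISDICTIONS),
                 "operates in a high-risk jurisdiction", 20),
                (c.cross_border, "cross-border activity", 10),
                (c.remote_onboarded, "remote onboarding", 5),
                (c.introduced, "introduced business", 5),
                (c.low_risk_category in LOW_RISK_CATEGORIES, "low-risk category", -15),
                (c.relationship_years >= 5, "established, long relationship", -10)]
    factors = [("baseline", BASELINE)]
    factors += [(label, 100) for hit, label in triggers if hit]     # 100 guarantees High
    factors += [(label, pts) for hit, label, pts in weighted if hit]
    score = sum(pts for _, pts in factors)
    rating = "High" if score >= 40 else "Low" if score <= 5 else "Medium"
    return RiskDecision(c.name, score, rating, TIER[rating], factors, MEASURES[TIER[rating]])

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to 28 so every month is valid."""
    years, month0 = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))

def review_status(decision: RiskDecision, last_review: date, today: date,
                  events: tuple[str, ...] = ()) -> tuple[bool, str]:
    """A trigger event forces re-evaluation now; otherwise the rating's cadence applies."""
    hits = sorted(set(events) & TRIGGER_EVENTS)
    if hits:
        return True, "trigger-based review: " + ", ".join(hits)
    due = add_months(last_review, REVIEW_MONTHS[decision.rating])
    if today >= due:
        return True, f"periodic review overdue since {due.isoformat()}"
    return False, f"next periodic review {due.isoformat()}"

# Constructed sample customers.
SAAS = CustomerProfile("Northwind Software LLC", True, "software", "US", {"US"}, remote_onboarded=True)
LISTED = CustomerProfile("Contoso Corp", True, "manufacturing", "US", {"US", "CA"},
                         low_risk_category="publicly_traded", relationship_years=10)
TRADER = CustomerProfile("Fabrikam Trading Ltd", True, "import_export", "XX", {"XX", "US"},
                         remote_onboarded=True, introduced=True, cross_border=True)
```

Calling `assess_risk(SAAS)` yields a Medium rating (score 30) and Standard CDD; the long-standing listed company nets out to Low and SDD; the trader incorporated in a placeholder high-risk jurisdiction is forced to High and EDD regardless of its other factors. `review_status` returns a reason string alongside the boolean so that the review log records why a reassessment was opened, which is the documentation trail an examiner asks for.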

Information Updates

Keep customer information current:

  • Request updated documentation at reviews
  • Monitor for changes via registries and data providers
  • Require customers to report material changes

Documentation Requirements

Maintain records demonstrating:

  • What information was collected — customer identification, beneficial ownership, business purpose
  • How it was verified — sources used, documents reviewed, checks performed
  • Risk assessment — factors considered, rating assigned, rationale
  • Decisions made — relationship approval, conditions imposed, EDD measures
  • Ongoing monitoring — reviews conducted, alerts investigated, actions taken

Retention requirements vary by jurisdiction. In the US, CIP identification records and beneficial ownership identification records must be kept for five years after the account is closed, and beneficial ownership verification records for five years after they are made; many other jurisdictions likewise require at least five years after the relationship ends.

Common CDD Challenges

Balancing Thoroughness and Friction

More due diligence means more customer friction. Organizations must find the right balance:

  • Risk-based approach helps—apply intensity where it's needed
  • Technology and automation reduce manual burden
  • Clear communication helps customers understand requirements

Data Quality and Availability

CDD depends on reliable data, but:

  • Business registries vary in quality and accessibility
  • Beneficial ownership information may be incomplete
  • Some jurisdictions have limited public records

Keeping Information Current

Customer circumstances change:

  • Ownership transfers happen
  • Businesses expand to new jurisdictions
  • Risk profiles evolve

Ongoing monitoring and periodic reviews are essential but resource-intensive.

Regulatory Divergence

Different jurisdictions have different CDD requirements:

  • Varying ownership thresholds
  • Different exempt entity categories
  • Inconsistent documentation standards

Global organizations must navigate overlapping and sometimes conflicting requirements.

Key Takeaways

  • CDD is the framework for knowing your customers and assessing their risk
  • The FinCEN CDD Rule established four pillars including beneficial ownership requirements
  • Three levels — SDD, standard CDD, and EDD — apply based on risk
  • For legal entities, CDD encompasses KYB including UBO identification
  • Risk-based approach means proportionate measures based on assessed risk
  • Ongoing CDD — monitoring, reviews, and updates — continues throughout the relationship
  • Documentation is critical for demonstrating compliance