Customer Due Diligence (CDD): Process, Requirements, Checklist & Automation Guide

Figure: Customer Due Diligence (CDD) process showing customer verification, risk assessment, beneficial ownership checks, AML compliance, and ongoing monitoring

Introduction to Customer Due Diligence (CDD)

An estimated $300 billion of illicit funds are laundered through the U.S. annually. In 2024, a bank was fined $3.09 billion for AML violations – a reminder that weak controls carry consequences measured in billions, not millions. These numbers make one thing clear: customer due diligence is not optional.

Customer due diligence (CDD) is the structured process of identifying customers, verifying a customer’s identity, and understanding their risk profile to prevent money laundering and terrorist financing. It is essential for AML compliance in financial institutions – from global banks and fintechs to crypto platforms navigating the 2024–2026 regulatory environment.

CDD is a core pillar of anti-money laundering (AML), Know Your Customer (KYC), and broader financial crime compliance frameworks. Regulators such as the Financial Action Task Force (FATF), FinCEN in the U.S., and the European Banking Authority mandate robust CDD controls for all regulated entities. ZIGRAM, as a RegTech provider, automates key parts of the customer due diligence process, from name screening and identity verification to ongoing monitoring, helping firms reduce operational costs and strengthen risk coverage.

CDD Meaning and Core Objectives

At its core, customer due diligence (CDD) is the framework financial institutions use for financial crime compliance and risk management. It goes beyond a single check at account opening.

Customer Due Diligence verifies customer identities and assesses risks across the entire relationship lifecycle. The diligence process combines data collection, verification, and risk profile assessment for both individuals and legal entity customers. Basic customer due diligence covers who the customer is, what their business involves, where they operate, and why they need a particular product or service.

The primary objectives are straightforward:

  • Preventing illicit funds from entering the financial system

  • Complying with AML laws and regulatory obligations across jurisdictions

  • Enabling early detection of suspicious activity and financial transactions that deviate from expected patterns

Customer Due Diligence assesses potential risks related to financial crimes and does so continuously. CDD helps detect and report suspicious activities to combat money laundering. Thorough CDD protects business reputation by preventing dealings with fraudulent entities, while proper CDD reduces risks of fraud and financial loss by confirming client identities.

Modern CDD is continuous, not a one-off event at customer onboarding. Ongoing reviews, risk-triggered updates, and perpetual monitoring ensure that a customer’s risk profile stays current as circumstances change.

Global Regulatory Landscape and the CDD Rule

Customer due diligence requirements are rooted in international standards but implemented through local laws. Understanding this layered structure is critical for any firm operating across borders.

Key global sources include:

  • FATF Recommendations (especially Recommendation 10): identify and verify customers, identify beneficial owners, understand the purpose of relationships, conduct ongoing monitoring

  • EU AML Directives (4AMLD through 6AMLD): progressively stricter requirements, with AMLD6 introducing higher penalties and coverage of crypto-asset service providers

  • UK Money Laundering Regulations 2017 and later amendments

In 2018, FinCEN introduced a CDD rule for beneficial ownership verification, codifying four elements into Bank Secrecy Act regulations: customer identification, beneficial ownership identification (25% ownership threshold plus a “control” prong), understanding the nature and purpose of relationships, and ongoing monitoring. Since 2018 the FinCEN CDD rule has therefore required institutions to identify beneficial owners and has made ongoing monitoring a formal obligation rather than a best practice.

CDD ensures regulatory compliance with laws such as the Bank Secrecy Act. Identifying beneficial ownership is crucial for corporate clients during CDD, especially for legal entity customers with multi-layered structures. Fines for non-compliance with AML regulations can exceed billions annually – as the 2024 case of a bank facing a $3.09 billion AML fine demonstrated.

Other regions like Singapore (MAS Notice 626), UAE AML guidance, and India PMLA rules impose similar obligations with local variations that institutions must map and manage.

The Customer Due Diligence Process: From Onboarding to Ongoing Monitoring

CDD is a lifecycle process spanning three phases: onboarding, periodic review, and event-driven review. Each phase feeds the next.

Typical steps in the due diligence process include:

  1. Customer identification

  2. Customer verification (identity verification)

  3. Risk profile assessment

  4. Choosing simplified due diligence, standard, or enhanced due diligence

  5. Continuous monitoring and periodic refresh

A risk based approach means higher risk customers receive deeper scrutiny, while low risk customers are handled with proportionate measures – controlling operational costs without sacrificing compliance. Well-documented workflows and audit trails are essential for demonstrating compliance during regulatory inspections. ZIGRAM’s platform orchestrates these steps across multiple products, including name screening, transaction monitoring, adverse media, ESG, and crypto risk modules.

Customer Identification and Verification (KYC)

This is the first gate in the customer due diligence process and overlaps heavily with KYC obligations. For a potential customer, the process involves gathering foundational data.

For individuals: passport, national ID, proof of address, bank statements, and digital identity verification (liveness detection, biometric checks).

For legal entities: incorporation documents, company registers, tax IDs, shareholder records, and identification of ultimate beneficial owners (UBOs) and controllers – as required under AML and CDD rules. For more on entity-level verification, see ZIGRAM’s Know Your Business (KYB) guide.

Methods for verifying a customer’s identity include:

  • Document checks against reliable independent sources

  • Database lookups (government registries, credit bureaus)

  • Liveness detection and biometric matching

  • Cross-referencing against global watchlists and sanctions

Screening, which cross-references customer data against global watchlists and sanctions lists, is a step where automation dramatically reduces manual effort and error rates. ZIGRAM tools such as PreScreening.io and entity risk assessment modules help automate these diligence checks across multiple jurisdictions.

Risk Profile Assessment and Risk Rating

After identity is verified, firms assess the risk of money laundering, terrorism financing, fraud, sanctions evasion, and other financial crimes.

Typical risk factors include:

Risk Factor             | Examples
------------------------|-----------------------------------------------------------
Geographic risk factors | FATF high-risk jurisdictions, sanctioned countries
Customer type           | Politically exposed persons, shell companies, NGOs
Products/services       | Correspondent banking, crypto, trade finance
Delivery channel        | Non-face-to-face, remote onboarding
Behavior patterns       | Unusual transaction volumes, inconsistent financial history

Risk assessment in CDD assigns a risk rating based on these factors. Customers are classified into low, medium, and high risk bands – sometimes with more granular scoring models. During CDD, expected behaviors are defined to establish a baseline for monitoring, making it easier to spot deviations later. CDD measures vary with the customer’s risk profile, which determines the level of scrutiny and the review frequency each customer receives.

Determining Appropriate CDD Measures (Simplified, Standard, Enhanced)

The idea is to tailor due diligence to risk rather than applying identical checks to every customer.

Simplified due diligence (SDD) is reserved for clearly low-risk cases: regulated banks, publicly listed companies with transparent beneficial ownership, and small low-value accounts. It is applied to low-risk customers and low-risk transactions during CDD. Regulators define strict limits on when SDD can be applied.

Standard CDD applies as the baseline for most customers. It includes verifying identity, understanding the customer’s business activity, and screening against sanctions and PEP lists. Standard CDD applies to low risk customers and moderate-risk relationships alike.

Enhanced due diligence is for high-risk customers like politically exposed persons, complex ownership structures, and entities in high risk jurisdictions. Enhanced Due Diligence (EDD) is applied for high-risk customers such as PEPs and requires deeper source-of-funds analysis, senior management approval, and more frequent reviews. For a deeper look, see ZIGRAM’s Enhanced Due Diligence guide.

ZIGRAM’s workflows apply different rule sets and data depth automatically based on real-time risk scores – no manual reclassification needed.
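As an added illustration (not ZIGRAM’s scoring logic or any regulator’s model), the following Python sketch turns the risk-factor table above and the simplified/standard/enhanced tiers into a rating function, and also handles the event-driven reclassification described later (a sanctions or adverse media hit upgrading an SDD customer). All weights, band thresholds, factor labels and sample customers are constructed assumptions.

```python
# Added illustration only: weights, thresholds and sample customers are
# constructed assumptions, not ZIGRAM's scoring logic or a regulator's model.
from __future__ import annotations
from dataclasses import dataclass

# Constructed weights for the risk factors in the table above.
GEOGRAPHY_WEIGHTS = {"standard": 0, "fatf_high_risk": 40, "sanctioned": 60}
CUSTOMER_TYPE_WEIGHTS = {"individual": 0, "ngo": 20, "shell_company": 45,
                         "pep": 50, "listed_company": -10, "regulated_bank": -20}
PRODUCT_WEIGHTS = {"retail_deposit": 0, "trade_finance": 25, "crypto": 30,
                   "correspondent_banking": 35}
CHANNEL_WEIGHTS = {"face_to_face": 0, "remote": 15}
LOW_MAX, MEDIUM_MAX = 20, 60                    # assumed band boundaries
SDD_ELIGIBLE_TYPES = {"regulated_bank", "listed_company"}

@dataclass
class Customer:
    name: str
    geography: str
    customer_type: str
    product: str
    channel: str
    # Event-driven signals that may arrive after onboarding.
    sanctions_hit: bool = False
    adverse_media: bool = False
    unusual_volume: bool = False

def risk_score(c: Customer) -> int:
    """Additive score over the factor table; behaviour signals add on top."""
    score = (GEOGRAPHY_WEIGHTS[c.geography] + CUSTOMER_TYPE_WEIGHTS[c.customer_type]
             + PRODUCT_WEIGHTS[c.product] + CHANNEL_WEIGHTS[c.channel])
    score += 25 if c.unusual_volume else 0
    score += 30 if c.adverse_media else 0
    return max(score, 0)

def risk_band(score: int) -> str:
    if score <= LOW_MAX:
        return "low"
    return "medium" if score <= MEDIUM_MAX else "high"

def cdd_level(c: Customer) -> str:
    """Map a customer to SDD / CDD / EDD following the tiering rules above."""
    if c.sanctions_hit:                         # screening hit: escalate to EDD review
        return "EDD"
    band = risk_band(risk_score(c))
    if band == "high":
        return "EDD"
    if band == "medium" or c.adverse_media:     # adverse media never leaves SDD in place
        return "CDD"
    # SDD only for clearly low-risk categories, never merely for a low score.
    if c.customer_type in SDD_ELIGIBLE_TYPES and c.channel == "face_to_face":
        return "SDD"
    return "CDD"

def apply_event(c: Customer, event: str) -> tuple[str, str]:
    """Event-driven review: apply a trigger, return (level before, level after)."""
    before = cdd_level(c)
    if event == "sanctions_listing":
        c.sanctions_hit = True
    elif event == "adverse_media":
        c.adverse_media = True
    elif event == "volume_spike":
        c.unusual_volume = True
    elif event.startswith("geography:"):        # e.g. "geography:fatf_high_risk"
        c.geography = event.split(":", 1)[1]
    else:
        raise ValueError(f"unknown trigger: {event!r}")
    return before, cdd_level(c)
```

The point to notice is that SDD eligibility depends on the customer category, not just on a low score, and that any post-onboarding hit forces an upgrade regardless of the score.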

Ongoing Monitoring, Transaction Review, and Suspicious Activity

Effective customer due diligence extends well beyond onboarding. It requires continuous monitoring of a customer’s activities, financial transactions, and risk environment on an ongoing basis.

Ongoing monitoring is essential for maintaining updated risk profiles. It helps detect changes indicating increased risk such as ownership shifts, new sanctions listings, or spikes in transaction volume. Ongoing monitoring is part of a broader AML compliance strategy and can identify suspicious activity patterns over time. CDD processes must be ongoing to adapt to changing customer risk profiles.

Key ongoing monitoring activities include:

  • Periodic KYC refresh (frequency tied to risk rating)

  • Real-time sanctions and watchlist updates

  • Transaction monitoring calibrated to the customer’s risk profile

  • Adverse media screening for emerging negative news

Unusual patterns like smurfing, rapid in-and-out transfers, and use of high-risk counterparties trigger alerts and case reviews. Financial institutions must report suspicious transactions by filing SARs/STRs with Financial Intelligence Units within jurisdiction-specific timeframes.

ZIGRAM’s Transact Comply transaction monitoring, together with its adverse media tools, supports dynamic monitoring and early detection of suspicious activity across business relationships.

Types and Levels of Customer Due Diligence

Regulators and industry practice recognize several levels of due diligence aligned with customer risk. Records of all CDD-related activities must typically be maintained for at least five years – regardless of the level applied.

Level                 | When Applied          | Key Requirements
----------------------|-----------------------|----------------------------------------------------------------------------------
Simplified (SDD)      | Demonstrably low risk | Baseline ID checks, reduced source-of-funds scrutiny, ongoing screening
Standard (CDD)        | Most customers        | Full identity verification, UBO checks, sanctions/PEP screening, periodic reviews
Enhanced (EDD)        | High-risk customers   | Deep source-of-wealth/funds analysis, senior approval, frequent refresh
Ongoing/Perpetual KYC | Cross-cutting         | Continuous event-driven and calendar-based reassessment

Clear internal criteria defining who qualifies for each level and documented decision rationales are essential. Misclassifying customers (e.g., overusing enhanced due diligence) drives up operational costs and slows onboarding unnecessarily.

Simplified Due Diligence (SDD)

Simplified due diligence is reserved for customers and products with demonstrably lower ML/TF risk, as outlined by national AML regulations. Examples include EU-regulated credit institutions, government entities, and publicly listed companies with transparent ownership.

SDD may relax some diligence requirements like granular source-of-funds analysis, but it does not remove the need for ongoing monitoring and sanctions screening. Firms must document the basis for applying SDD and periodically reassess whether the customer risk still justifies it. Automation can quickly reclassify SDD customers if adverse media or sanctions hits emerge, triggering an upgrade to standard or enhanced due diligence.

Standard Due Diligence (CDD)

Standard due diligence is the default level for the majority of retail, SME, and corporate CDD customer relationships.

Key elements include:

  • Identity verification and document validation

  • Beneficial ownership checks where relevant

  • Understanding the purpose and intended nature of the relationship

  • Sanctions and PEP screening

  • Initial risk scoring and scheduled periodic reviews (every 1–3 years)

Data protection considerations – GDPR in the EU, local privacy rules elsewhere – apply when collecting and storing customer information. ZIGRAM centralizes these checks and documentation in a single case management interface, creating audit-ready records across all banking and fintech operations.

Enhanced Due Diligence (EDD)

Enhanced due diligence focuses on higher risk customers, those posing elevated risks of money laundering, sanctions evasion, corruption, or tax crimes.

Typical EDD measures include:

  • Deeper source-of-funds and source-of-wealth analysis

  • Granular transaction pattern review

  • Senior management approval for onboarding or continuing the relationship

  • More frequent KYC refresh cycles

  • Leveraging external data sources: court records, corporate registries, adverse media

ZIGRAM’s due diligence reports and adverse media intelligence significantly shorten manual EDD investigations while improving coverage – particularly for politically exposed persons and entities with opaque beneficial ownership structures.

Ongoing Due Diligence and Perpetual KYC

Ongoing due diligence, sometimes called “perpetual KYC,” constantly updates a customer’s risk profile rather than waiting for calendar-based reviews. Ongoing CDD involves continuous monitoring of customer activities, ownership changes, and external risk signals.

Event-driven triggers include:

  • Major changes in beneficial ownership or control

  • Large unexpected financial transactions

  • New sanctions listings or appearance in negative news

  • Shifts in geographic risk factors

Machine learning and rules-based engines reprioritize case reviews, especially in large banks and global fintechs handling millions of customer relationships. Regulators increasingly expect near-real-time awareness of key risk events.


ZIGRAM’s media monitoring stack for screening, news, and link analysis supports automated alerts and workflow routing for CDD refresh.

CDD vs KYC vs AML: How They Fit Together

Firms and regulators sometimes use these terms interchangeably, which creates confusion. Here is how they relate:

  • AML is the overarching framework of laws, regulations, and internal controls aimed at preventing money laundering, terrorist financing, and related crimes

  • KYC is focused on collecting and validating customer identity data, primarily at onboarding and during major lifecycle events

  • CDD is the broader, ongoing customer risk assessment function that builds on KYC data and drives monitoring, escalations, and reporting

Think of it as layers: AML sits at the top as the regulatory umbrella. CDD operates beneath it as the risk assessment engine. KYC feeds identity data into CDD at onboarding and key refresh points. Together, these CDD processes form a cohesive system to prevent financial crimes and mitigate risks across an institution.

Operational Challenges and Costs in Customer Due Diligence

CDD has become one of the largest operational costs in compliance. Global AML compliance costs reached an estimated $274 billion in recent years. For mid-market banks in EMEA alone, transaction monitoring costs run between $3 million and $8 million annually.

Key pain points include:

  • False positive rates of 85–95% in legacy screening systems – analysts spend most of their time triaging noise

  • Lengthy manual reviews and repeated outreach to customers for missing documents

  • Fragmented systems and inconsistent data standards that inflate time-to-onboard

The trade-off between thorough due diligence and customer experience is real. Too much friction causes abandonment; weak controls create compliance exposure. ZIGRAM’s approach targets this gap – reducing operational costs through automation, reusable data assets, and AI-powered decision support across the CDD workflow.

Risk-Based Approach and Prioritization

A risk-based approach allows institutions to focus resources on the highest-risk customers and activities rather than applying uniform effort across the board.

Practical techniques include:

  • Weighted risk scoring models incorporating geographic risk factors, product type, and channel

  • Scenario-based rules calibrated to typologies (trade-based ML, smurfing, shell company layering)

  • Segmentation by jurisdiction, delivery channel, and customer type

Regulators expect explicit documentation of an institution’s ongoing risk assessment and how it maps to CDD controls.


ZIGRAM embeds configurable risk matrices and scoring logic that align with each institution’s risk appetite and jurisdictional customer due diligence requirements.

Technology, Automation, and RegTech Solutions

The shift from manual spreadsheets and siloed tools to integrated RegTech platforms is accelerating. Automated CDD processes improve efficiency and productivity, and CDD software streamlines compliance with anti-money laundering regulations. Regulatory technology automates identity verification and risk profiling, while automated workflows support ongoing monitoring for compliance efficiency.

Key capabilities to look for in diligence solutions:

  • Automated ID verification and digital identity checks

  • Sanctions and PEP screening with contextual matching

  • Adverse media monitoring across global news sources

  • Transaction monitoring with tunable alert thresholds

  • Unified case management with full audit trails

AI and machine learning reduce false positives by 50–65% in pilot programs, prioritize alerts, and detect subtle suspicious patterns. The AML solutions market is expected to grow from roughly $4.13 billion in 2025 to $9.38 billion by 2030.

ZIGRAM’s “Complete AML System” provides a unified toolkit for effective end-to-end customer due diligence and ongoing monitoring. Implementation works best through pilot programs, careful data integration, staff training, and phased roll-out across business lines.

Jurisdictional Nuances and Sector-Specific CDD

While core CDD principles are similar globally, details differ by sector and country. Beneficial ownership thresholds vary (25% in the U.S. vs. potentially lower in some EU jurisdictions under risk-based discretion). Record retention periods, requirements for face-to-face vs. remote onboarding, and specific document sets all shift depending on where you operate.

Sector-specific considerations:

  • Banking and payments: Full BSA/AML regime, highest regulatory scrutiny

  • Crypto asset service providers: MiCA obligations in the EU, Travel Rule for transfers over €1,000, on-chain monitoring

  • Real estate: Large cash flows, opaque ownership structures, increasing regulation

  • Insurance and capital markets: Additional disclosure demands, cross-border complexity

In H1 2025, EMEA regulators imposed roughly $168 million in AML fines, up 147% year-on-year, with many actions targeting CASPs and fintechs. ZIGRAM works with global clients to harmonize CDD standards across multiple regulators while allowing local tailoring where required, supporting financial transparency across jurisdictions.

Best Practices to Strengthen Customer Due Diligence Programmes

Here is a practical diligence checklist for compliance officers, MLROs, and risk managers:

  1. Governance: Establish board-level oversight, define roles clearly, and ensure independent testing by internal audit

  2. Training: Certify staff on evolving CDD and diligence requirements, typologies, and red flags – including sector-specific scenarios

  3. Model tuning: Regularly recalibrate screening and monitoring models based on feedback loops from investigations and regulatory findings

  4. Playbooks: Maintain documented procedures for high-risk scenarios, onboarding PEPs, handling complex cross-border corporate structures, or responding to major data leaks

  5. Legal obligations: Ensure legal entity customers have current UBO records; update when ownership or control changes

Effective customer due diligence is not about checking boxes. It is about building a system that adapts as risks evolve.

Balancing Compliance, Customer Experience, and Growth

High-friction CDD processes slow growth and frustrate legitimate customers, especially in digital onboarding and cross-border payments. The challenge in remote KYC is real, but solvable.

Ways to streamline without cutting corners:

  • Pre-populate forms with trusted data sources

  • Use dynamic questionnaires that adapt based on jurisdiction and customer risk

  • Tailor document requests (e.g., don’t ask for bank statements from a regulated bank applying SDD)

  • Automate repetitive diligence checks so analysts focus on high-value investigative work

Well-designed CDD reduces not only regulatory risk but also credit, fraud, and reputational risk across the institution. It supports stronger customer relationships built on trust and financial transparency.

CDD is not a compliance checkbox – it is a living framework that protects your institution, your customers, and the financial system. If you are looking to modernize your customer due diligence process, reduce false positives, and stay ahead of evolving regulatory obligations, book a demo with ZIGRAM to see how our RegTech platform can help.
