Customer Due Diligence (CDD): AML Requirements Explained
Customer due diligence (CDD) is the set of checks a regulated business runs to verify who its customers really are, understand the nature of their activity, and judge how much money-laundering or sanc
On this page
- What customer due diligence is
- Who runs CDD, and when
- The customer due diligence process, step by step
- 1. Risk-assess the customer first
- 2. Collect identity evidence
- 3. Verify against reliable sources
- 4. Map beneficial ownership
- 5. Understand the purpose of the relationship
- 6. Screen and decide
- 7. Monitor and refresh
- A customer due diligence checklist
- Common red flags
- How a data room streamlines CDD
- Frequently asked questions
- What is the difference between CDD and KYC?
- When is enhanced due diligence required instead of standard CDD?
- Who is responsible for performing customer due diligence?
- How long do I have to keep CDD records?
- Does customer due diligence overlap with deal due diligence?
- Can CDD be automated?
Customer due diligence (CDD) is the set of checks a regulated business runs to verify who its customers really are, understand the nature of their activity, and judge how much money-laundering or sanctions risk they bring. If you have ever opened a business bank account, onboarded a fund's first limited partner, or signed up a corporate client at a fintech, you have been on one side of a CDD process. I have run it from both ends: collecting documents to satisfy a bank's compliance team, and building the room that auditors and counterparties pull those documents from.
This guide explains what CDD actually requires under anti-money-laundering (AML) rules, who has to do it and when, the step-by-step process, a working checklist, the red flags that should slow you down, and how a clean document room makes the whole thing faster. CDD is one branch of the wider due diligence family, and it shares a lot of mechanics with the deal-side reviews, even though the goal is different. Deal diligence asks "is this a good investment?" CDD asks "is this customer who they say they are, and is their money clean?"
What customer due diligence is
CDD is a legal obligation for regulated entities under AML frameworks. In the United States it flows from the Bank Secrecy Act and the FinCEN Customer Due Diligence Rule. In the European Union and the United Kingdom it comes from the Anti-Money Laundering Directives and the Money Laundering Regulations. The Financial Action Task Force (FATF) sets the global recommendations that most national regimes are modeled on. The wording differs by jurisdiction, but the spine is the same.
At its core, CDD has four pillars:
- Identify and verify the customer. For an individual, that means name, date of birth, address, and a government ID checked against a reliable source. For a legal entity, it means the registered name, company number, and formation documents.
- Identify and verify beneficial owners. You have to know the natural persons who ultimately own or control the entity, typically anyone holding 25% or more, plus the person who exercises effective control.
- Understand the purpose and intended nature of the relationship. What is this account for? What kind of transactions do you expect, and in what volumes?
- Conduct ongoing monitoring. CDD is not a one-time gate. You keep watching activity over the life of the relationship and refresh the file when things change.
The depth you apply scales with risk. That gives you three tiers: simplified due diligence (SDD) for low-risk customers, standard CDD for the bulk of relationships, and enhanced due diligence for high-risk ones such as politically exposed persons, customers in high-risk jurisdictions, or unusually complex ownership structures.
Who runs CDD, and when
CDD is performed by "obliged entities," the regulated businesses that AML law applies to. That list is broad and getting broader:
- Banks, credit unions, and payment institutions
- Investment firms, fund managers, and broker-dealers
- Fintechs, neobanks, and crypto exchanges
- Insurers and pension providers
- Lawyers, accountants, and company formation agents
- Real estate agents and high-value goods dealers
If you run a startup in any of these categories, you are an obliged entity, and CDD is your responsibility, not your customer's.
The triggers for running CDD are well defined. You must perform it:
- At onboarding, before you establish a business relationship or open an account.
- For occasional transactions above a regulatory threshold (commonly EUR 15,000, or EUR 1,000 for certain transfers) even where there is no ongoing relationship.
- When you suspect money laundering or terrorist financing, regardless of any threshold.
- When you doubt the veracity of identification data you collected earlier.
- On a periodic review cycle, more frequently for higher-risk customers.
A point that trips up founders: as a startup raising capital, you sit on both sides. Your investors and banking partners run CDD on you and your cap table, and if your own product is regulated, you run CDD on your customers. The room that satisfies an investor's financial due diligence is often the same room that satisfies a bank's onboarding team, because both want clean, verifiable corporate records.
The customer due diligence process, step by step
Here is the sequence I follow, whether I am the one being checked or the one doing the checking.
1. Risk-assess the customer first
Before you collect a single document, decide the risk tier. A domestic salaried individual opening a basic account is low risk. A multi-layered offshore holding company with a politically exposed beneficial owner is high risk. The tier you assign decides how much evidence you need and how often you refresh it. Document the rationale, because a regulator will ask why you classified someone the way you did.
2. Collect identity evidence
For individuals: full legal name, date of birth, residential address, and a government-issued photo ID. For entities: certificate of incorporation, articles of association, proof of registered address, and the names of directors and signatories. Increasingly this step is automated through identity-verification providers and electronic ID checks, but you still own the file.
3. Verify against reliable sources
Collecting a document is not the same as verifying it. You check the ID against an independent source: a government register, a credit bureau, a sanctions and PEP screening database. For entities, you confirm the company exists and is in good standing in its register of incorporation.
4. Map beneficial ownership
This is where deals and CDD get hard for the same reason: ownership can be deliberately obscured. Trace the chain up through holding companies until you reach the natural persons who own 25% or more or otherwise control the entity. Document each layer. If the structure is so opaque you cannot identify the ultimate beneficial owner, that is itself a finding.
5. Understand the purpose of the relationship
Record what the customer says the account is for and what activity you expect. This baseline is what later monitoring measures against. A trading company that suddenly receives large personal remittances has deviated from its stated purpose, and you only notice if you wrote the baseline down.
6. Screen and decide
Run sanctions, PEP, and adverse-media screening. Based on everything collected, make an onboarding decision: accept, accept with enhanced measures, or decline. Keep the decision and its basis on file.
7. Monitor and refresh
Set the review cadence, watch transactions against the expected pattern, and re-run CDD when ownership changes, when the customer enters a new market, or when periodic review comes due. Keep records for the retention period your regime requires, typically five years after the relationship ends.
A customer due diligence checklist
Use this as a starting template and adjust for your jurisdiction and risk appetite.
| Item | Individual customer | Legal entity customer |
|---|---|---|
| Legal name verified | Yes | Yes (registered name) |
| ID document collected and checked | Passport or national ID | Certificate of incorporation |
| Address verified | Proof of address | Registered office proof |
| Beneficial owners identified | N/A | Owners at 25%+ traced to natural persons |
| Control persons identified | N/A | Directors and signatories listed |
| Sanctions screening done | Yes | Yes (entity and owners) |
| PEP screening done | Yes | Yes (owners and controllers) |
| Adverse-media check | Risk-based | Risk-based |
| Purpose of relationship recorded | Yes | Yes |
| Source of funds / source of wealth | Risk-based | Risk-based |
| Risk tier assigned and justified | Yes | Yes |
| Review cadence set | Yes | Yes |
The structure here will feel familiar if you have worked through a due diligence data room checklist on the deal side. The categories differ, but the discipline of "collect, verify, document the decision" is identical.
Common red flags
Most CDD failures are not exotic. They are ordinary signals that someone skipped past because the file looked complete. Watch for:
- Reluctance to identify beneficial owners or evasive answers about who really controls the entity.
- Ownership structures more complex than the business needs, especially layered offshore vehicles with no commercial rationale.
- Mismatch between stated purpose and actual activity, such as a consultancy receiving large unexplained inflows.
- Documents that do not reconcile, where the name on the ID, the register, and the bank reference disagree.
- Source of funds the customer cannot explain in proportion to their known wealth or business.
- Connections to sanctioned parties or high-risk jurisdictions surfaced by screening.
- Pressure to onboard quickly or to skip steps, which is itself a behavioral red flag.
Any single flag is a reason to slow down and apply enhanced measures, not necessarily to decline. The mistake is treating CDD as a box-ticking exercise and ignoring the signal because the paperwork is technically present.
How a data room streamlines CDD
The slow part of CDD is rarely the analysis. It is the document logistics: chasing the right version of an incorporation certificate, emailing a beneficial-ownership chart that gets forwarded to the wrong inbox, re-collecting an ID that expired because nobody tracked the renewal date. A structured, access-controlled document room removes most of that friction.
When I set up a room for a raise or for a banking-partner onboarding, I want a few specific things, and they map almost one-to-one onto good CDD practice:
- A single source of truth for corporate documents, so the certificate of incorporation in the room is the certificate everyone references.
- Granular access control, so a compliance reviewer sees the entity file and nothing else, and an individual customer cannot see another customer's records.
- An audit trail of who viewed or downloaded each document and when, which is exactly the evidence a regulator wants when they ask how you handled a file.
- Expiry and watermarking on sensitive identity documents, so a passport scan is not floating around an inbox forever.
This is the work virtual data room due diligence is built for. Plox is the room I use for this: I can organize the corporate and identity documents once, grant time-limited access to a bank or counterparty, and watch the access log instead of guessing whether the file was opened. The point is not the tool for its own sake. The point is that CDD generates a defined set of documents that get reviewed by outside parties under access controls, and that is precisely the problem a data room solves. You can see how the access and tracking features fit together on the /data-rooms page, and the best data room for due diligence comparison walks through what to look for if you are choosing one.
A word on cost, since founders always ask. Data room pricing in this market splits into per-user or quote-based enterprise tiers and flatter subscription pricing. For CDD work, where you are sharing the same corporate file with a handful of reviewers rather than running a thousand-document deal, you rarely need the heavyweight enterprise tier. I cover the trade-offs in the virtual data room cost breakdown, and you can check current plans on /pricing.
Frequently asked questions
What is the difference between CDD and KYC?
KYC (know your customer) usually refers to the identity-verification step: confirming who the customer is at onboarding. CDD is the broader ongoing obligation that includes KYC but also covers understanding the purpose of the relationship, identifying beneficial owners, assessing risk, and monitoring activity over time. In short, KYC is a component of CDD, not a synonym for it.
When is enhanced due diligence required instead of standard CDD?
Enhanced due diligence applies when a customer presents higher money-laundering or sanctions risk. Typical triggers are politically exposed persons, customers or transactions linked to high-risk jurisdictions, unusually complex ownership structures, and any relationship where standard checks surface concerns. Enhanced measures mean more evidence (such as source of wealth), senior sign-off, and tighter ongoing monitoring.
Who is responsible for performing customer due diligence?
The regulated business, the "obliged entity," is responsible. That includes banks, payment firms, fund managers, fintechs, crypto exchanges, and certain professional services firms. The customer supplies documents, but the legal duty to verify them and to decide whether to onboard sits with the regulated entity, and so does the liability if it goes wrong.
How long do I have to keep CDD records?
Retention periods are set by your jurisdiction, but the common standard is five years after the business relationship ends or after an occasional transaction is completed. Keep the identity evidence, the screening results, the risk assessment, and the basis for your onboarding decision. A data room with a clear audit trail makes this retention requirement much easier to satisfy.
Does customer due diligence overlap with deal due diligence?
They are different goals using similar mechanics. Deal diligence, including m&a due diligence and technical due diligence, evaluates whether an investment or acquisition is sound. CDD verifies a customer's identity and the legitimacy of their funds for AML compliance. The shared element is document collection, verification, and review under access controls, which is why the same data room often serves both.
Can CDD be automated?
Parts of it, yes. Identity verification, sanctions and PEP screening, and adverse-media checks are commonly automated through specialized providers, and ongoing transaction monitoring runs on rules and models. What stays human is the judgment: assigning risk tiers, interpreting red flags, and making the onboarding decision. Automation speeds up evidence collection; it does not remove your responsibility for the conclusion.
Written by Rohit Pai · Co-founder, Plox
Rohit co-founded Plox, where the team builds secure document sharing and virtual data rooms for founders and dealmakers.
Connect on LinkedIn