AML Training Programme

KYC & Due Diligence

Know who you are dealing with. Protect the bank.

What is CDD?

Customer Due Diligence — verifying identity, understanding the business, assessing risk.

When CDD is Required

Four triggers under the Money Laundering Regulations 2017

SDD vs CDD vs EDD

SDD

Low risk. Listed companies, government bodies. Fewer checks.

Standard CDD

The default. Full identity verification, beneficial ownership, monitoring.

EDD

Higher risk. PEPs, high-risk jurisdictions. SOF + SOW, senior approval.

Document verification

The Documents

  • Individuals — passport, driving licence, proof of address
  • Entities — certificate of incorporation, articles, register of directors
  • Retain — all records for at least 5 years after the relationship ends

Enhanced Due Diligence

Document scrutiny

PEPs: Who Qualifies?

  • Heads of state, ministers, senior judges
  • Members of parliament, political party governing bodies
  • Plus family members and known close associates
  • Senior management approval required

Ongoing Monitoring

Not one-time. Not periodic box-ticking. Continuous.

The Stunt & Co Lesson

£46.8M from a convicted launderer
5 years without proper review
£39.3M fine

“Police warnings ignored. Red flags overlooked. Five years of inaction.”

— FCA Final Notice, Barclays Bank PLC, 2025

Get It Right

Dynamic risk assessment. Automated triggers. Immediate escalation.

Verify
Monitor
Escalate

Presenter Notes

Presenter Notes — Slide 1

Opening: Welcome to Lesson 3. In the first two lessons we covered what money laundering is and the regulatory framework. Now we get practical — Know Your Customer is the most important process in AML compliance.

Key message: CDD is not a slogan or a box-ticking exercise. It is a legal obligation under the Money Laundering Regulations 2017 and FATF Recommendation 10.

Transition: "Let's start with the fundamentals of Customer Due Diligence."

Presenter Notes — Slide 2

Four core elements of CDD: Identity (who is the customer?), beneficial ownership (who controls 25%+?), purpose (why do they need this product?), and ongoing monitoring (does behaviour match the profile?). (Source: MLR 2017, FATF R10)

Talking point: CDD is not a one-time exercise at onboarding. It forms the foundation of an ongoing relationship with continuous monitoring throughout the lifecycle. (Source: ComplyCube)

Beneficial ownership: Identifying the 25%+ owner is where complexity hides. Following ownership chains through layered structures across jurisdictions is exactly where criminals hope you will stop looking.

Transition: "There are four specific situations that trigger the CDD requirement."

Presenter Notes — Slide 3

Four triggers under MLR 2017: (1) Before establishing a business relationship. (2) Before an occasional transaction of EUR 15,000+. (3) When there is a suspicion of ML/TF regardless of size. (4) When there is doubt about existing identification data. (Source: FCA MLR page)

Key point on suspicion trigger: This applies regardless of transaction size or whether an ongoing relationship exists. If something feels wrong, CDD is required even for small amounts.

Key point on doubt trigger: If the firm has reason to question the accuracy of CDD already held, fresh verification must be conducted.

Transition: "Not all customers pose the same risk. The regulations recognise three levels of due diligence."

Presenter Notes — Slide 4

SDD (Simplified): For low-risk clients — listed companies on regulated markets, UK government bodies, certain regulated financial institutions. SDD does NOT mean no due diligence — it means a reduced level of verification. (Source: FCA MLR page)

Standard CDD: The default for all business relationships. Full identity verification, beneficial ownership identification, ongoing monitoring.

EDD (Enhanced): For higher-risk situations — PEPs, high-risk jurisdictions, complex structures. Requires source of funds AND source of wealth, senior management approval, enhanced ongoing monitoring.

2025 change: Pooled client accounts are no longer automatically eligible for SDD. (Source: UK Government proposed MLR amendments)

Transition: "Let's look at the specific documents used for verification."

Presenter Notes — Slide 5

Individual documents: Government-issued photo ID (passport, driving licence), proof of address within 3 months (utility bill, bank statement, council tax bill). Electronic verification increasingly used — cross-referencing credit reference agencies and electoral rolls. (Source: iDenfy)

Entity documents: Certificate of incorporation, articles of association, register of directors and shareholders, confirmation statement from Companies House. (Source: ComplyCube)

Record keeping: All CDD records and transaction records must be retained for at least 5 years after the relationship ends or occasional transaction completes. (Source: FATF R11, MLR 2017)

Transition: "When the risk is higher than normal, we need to go deeper. That's Enhanced Due Diligence."

Presenter Notes — Slide 6

EDD triggers: PEPs (domestic and foreign), high-risk jurisdictions (FATF Call for Action list), complex/unusual transactions, complex ownership structures, correspondent banking, new products/technologies. (Source: iDenfy, MLR 2017)

SOF vs SOW: Source of Funds = where the money for THIS transaction comes from (e.g., sale of property, documented). Source of Wealth = how the customer built their OVERALL fortune (e.g., career earnings, inheritance, business income). Both require documented evidence. (Source: ComplyCube)

2025 narrowing: EDD now mandated only for FATF "Call for Action" countries (currently Iran, Myanmar, DPRK). Firms still apply risk-based EDD for others, but it is no longer a blanket requirement. (Source: MCO Compliance analysis)

Transition: "One of the most important EDD categories is Politically Exposed Persons."

Presenter Notes — Slide 7

PEP definition: Anyone holding a prominent public function — heads of state, ministers, senior judges, MPs, political party governing bodies, central bank boards, ambassadors, high-ranking military officers, state-owned enterprise directors. (Source: MLR 2017, iDenfy)

Extended scope: Family members (spouse, children, parents) and known close associates (joint beneficial owners, close business relationships). The net is deliberately wide.

EDD measures for PEPs: Senior management approval to establish or continue the relationship. Establish SOF and SOW. Enhanced ongoing monitoring. Review at least annually, more frequently for high-risk PEPs.

Stunt connection: James Stunt was a high-profile figure linked to the Ecclestone family — exactly the type of relationship requiring heightened scrutiny.

Transition: "CDD does not end at onboarding. Ongoing monitoring is where many failures occur."

Presenter Notes — Slide 8

Continuous obligation: Not periodic box-ticking. Transaction monitoring measures volumes, values, geographies, and counterparties against the customer's known profile. Any deviation demands investigation. (Source: MLR 2017, FATF R10)

Profile updates: Required when circumstances change (new directors, address change), risk rating changes, periodic review cycles reached (low risk: 3-5 years, medium: 1-2 years, high: 6-12 months), or adverse media/regulatory alerts. (Source: iDenfy)

Event-driven reviews: Law enforcement enquiries, adverse media, SAR filed, material change in patterns, sanctions list updates — these cannot wait for the next periodic cycle. (Source: Flagright analysis)

Emerging trend: Perpetual KYC (pKYC) — shifting from periodic reviews to continuous, event-driven monitoring powered by AI and real-time data feeds. (Source: SmartKYC)

Transition: "The Stunt and Co case is a textbook example of what happens when monitoring fails."

Presenter Notes — Slide 9

Timeline of failure: Insufficient information at onboarding. GBP 46.8M from Fowler Oldfield (convicted launderer, part of GBP 400M operation) in just over one year. Police warnings and raids ignored. 5-year delay before proper review. (Source: FCA Final Notice, Barclays Bank PLC, 2025)

The fine: GBP 39.3 million for breaching FCA Principles 2 and 3. The separate WealthTek case added GBP 3.1M plus GBP 6.3M ex-gratia payment. (Source: FCA Press Release)

What should have happened: Immediate review when police made contact. Dynamic risk reassessment. Automated alerts for single-counterparty volume. Clear escalation to senior compliance. Swift action — not a 5-year delay. (Source: Flagright analysis)
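The monitoring logic described in the Slide 8 notes (activity measured against the customer's known profile, periodic cycles by risk band, event-driven reviews that cannot wait) and the "automated alerts for single-counterparty volume" called for in the Slide 9 notes can be sketched in code. The block below is an added illustration, not part of the training programme and not Barclays' or the FCA's systems; the customer, counterparties, amounts and jurisdiction codes are constructed, and the thresholds (three times expected monthly value, one counterparty above half of inflows, the shorter end of each review cycle) are assumptions chosen for the example.

```python
"""Ongoing monitoring sketch: compare recent activity with the CDD profile,
raise alerts on deviation, and decide whether a review is due.
Added example with constructed data; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Profile:
    customer_id: str
    risk_rating: str                 # "low", "medium" or "high"
    expected_monthly_value: float    # baseline agreed at onboarding
    expected_jurisdictions: set      # where the customer said activity would be
    last_review: date
    max_counterparty_share: float = 0.5   # assumed: >50% from one counterparty is anomalous
    volume_multiplier: float = 3.0        # assumed: >3x expected monthly value is anomalous


@dataclass
class Transaction:
    customer_id: str
    counterparty: str
    amount: float
    jurisdiction: str
    day: date


# Periodic review cycles from the notes, taking the shorter end of each range (assumption).
REVIEW_CYCLE = {
    "low": timedelta(days=3 * 365),
    "medium": timedelta(days=365),
    "high": timedelta(days=180),
}

# Event-driven triggers named in the notes; any one of them forces an immediate review.
EVENT_TRIGGERS = {"police_enquiry", "adverse_media", "sar_filed", "sanctions_update", "pattern_change"}


def monitor(profile, txns, as_of, window_days=30):
    """Return (kind, detail) alerts for deviations from the profile in the window."""
    recent = [t for t in txns
              if t.customer_id == profile.customer_id and 0 <= (as_of - t.day).days < window_days]
    total = sum(t.amount for t in recent)
    alerts = []

    # Volume against the onboarding baseline.
    if total > profile.expected_monthly_value * profile.volume_multiplier:
        alerts.append(("volume", f"{total:.0f} received vs expected {profile.expected_monthly_value:.0f}"))

    # Single-counterparty concentration: the check the Stunt & Co notes say was missing.
    by_counterparty = defaultdict(float)
    for t in recent:
        by_counterparty[t.counterparty] += t.amount
    for name, amount in by_counterparty.items():
        if total and amount / total > profile.max_counterparty_share:
            alerts.append(("single_counterparty", f"{name} supplies {amount / total:.0%} of inflows"))

    # Geography outside what the customer declared.
    unexpected = {t.jurisdiction for t in recent} - profile.expected_jurisdictions
    if unexpected:
        alerts.append(("geography", "unexpected jurisdictions: " + ", ".join(sorted(unexpected))))
    return alerts


def review_due(profile, events, as_of):
    """True when the periodic cycle has elapsed or an event-driven trigger has fired."""
    periodic = as_of - profile.last_review >= REVIEW_CYCLE[profile.risk_rating]
    return periodic or bool(EVENT_TRIGGERS & set(events))


# Constructed sample: a medium-risk customer reviewed in September 2024, checked at end of March 2025.
AS_OF = date(2025, 3, 31)
SAMPLE_PROFILE = Profile("C-001", "medium", 50_000.0, {"GB"}, date(2024, 9, 1))
SAMPLE_TXNS = [
    Transaction("C-001", "ALPHA TRADING LTD", 120_000.0, "GB", date(2025, 3, 3)),
    Transaction("C-001", "ALPHA TRADING LTD", 90_000.0, "GB", date(2025, 3, 17)),
    Transaction("C-001", "BETA SUPPLIES", 10_000.0, "GB", date(2025, 3, 20)),
    Transaction("C-001", "GAMMA HOLDINGS", 5_000.0, "ZZ", date(2025, 3, 25)),  # "ZZ": placeholder code
    Transaction("C-001", "BETA SUPPLIES", 8_000.0, "GB", date(2025, 1, 10)),   # outside the window
]


def run_monitoring():
    return monitor(SAMPLE_PROFILE, SAMPLE_TXNS, AS_OF)


def run_review_check(events):
    return review_due(SAMPLE_PROFILE, events, AS_OF)


if __name__ == "__main__":
    for kind, detail in run_monitoring():
        print(f"ALERT [{kind}] {detail}")
    print("review due (no events):", run_review_check([]))
    print("review due (police enquiry):", run_review_check(["police_enquiry"]))
```

On the constructed data the volume alert, the single-counterparty alert (one counterparty supplying about 93% of inflows) and the geography alert all fire, and a police enquiry makes a review due even though the medium-risk periodic cycle has not elapsed. The alerts are inputs to escalation, not a verdict: the point of the Slide 9 notes is that each alert must reach senior compliance promptly rather than wait for the next review cycle.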

Transition: "These cases teach us one clear lesson about what we need to do differently."

Presenter Notes — Slide 10

Three actions: Verify (identity, beneficial ownership, purpose at onboarding and beyond). Monitor (continuous transaction monitoring against profile baselines). Escalate (immediately when something deviates — do not wait for the next review cycle).

Key message: Dynamic risk assessment must replace static, point-in-time reviews. The Stunt & Co case proves that one-time checks are insufficient. Your diligence is the first and most important line of defence.

Closing: "If something does not look right, say something. In Lesson 4, we will learn specifically what to look for — the red flags that signal suspicious activity."