What Customer Due Diligence is, when it applies, what must be verified, and how records must be kept.
Customer Due Diligence (CDD) is the process by which a regulated firm verifies the identity of its customers, understands the nature of their business, and assesses the money laundering and terrorist financing risks they pose. CDD is a legal obligation under the Money Laundering Regulations 2017 and a core requirement of FATF Recommendation 10.
CDD is not a one-time exercise — it forms the foundation of an ongoing relationship between the firm and the customer, with continuous monitoring throughout the relationship lifecycle.
Under the MLR 2017, regulated firms must conduct CDD in four situations:

- Before establishing a business relationship — opening an account, entering a service agreement, or starting an ongoing professional relationship
- Before carrying out a single transaction (or series of linked transactions) amounting to EUR 15,000 or more
- When there is a suspicion of money laundering or terrorist financing — regardless of transaction size or relationship status
- When there is reason to question the accuracy or adequacy of CDD information already held
CDD involves four core elements:

1. Customer identification and verification: Verify the customer's identity using reliable, independent sources. For individuals: government-issued photo ID (passport, driving licence) and proof of address (utility bills or bank statements dated within the last 3 months). For legal entities: certificate of incorporation, articles of association, and confirmation of registered address. Electronic verification is increasingly used, cross-referencing the customer's data against credit reference agencies, electoral rolls, and other databases.
2. Beneficial ownership: Identify any person who ultimately owns or controls 25% or more of the shares or voting rights. For trusts: identify the settlor, trustees, beneficiaries, and any person exercising ultimate effective control. Under the ECCTA 2023, Companies House now requires identity verification for directors and persons with significant control.
3. Purpose and intended nature of the relationship: Understand why the customer needs the product or service, and assess expected transaction patterns (types, volumes, frequencies, geographies). This information forms the baseline for ongoing monitoring; deviations from it trigger further investigation.
4. Ongoing monitoring: Continuous scrutiny of transactions to ensure they are consistent with the firm's knowledge of the customer, their business, and their risk profile. This includes keeping CDD documents and data up to date, particularly for higher-risk customers; reviews are triggered by events such as a change of directors, significant changes in transaction patterns, or adverse media.
Simplified Due Diligence (SDD) may be applied where the firm assesses that the risk of money laundering or terrorist financing is low (FCA MLR guidance). SDD does not mean no due diligence; it means a reduced level of verification.

Customer types that may typically qualify for SDD include listed companies on regulated markets, UK government bodies and agencies, EU/EEA public authorities, and certain regulated financial institutions.
| Aspect | SDD | Standard CDD |
|---|---|---|
| Identity verification | May use fewer sources | Must verify from reliable, independent sources |
| Beneficial ownership | May rely on public registers | Must identify and verify 25%+ owners |
| Ongoing monitoring | Reduced frequency | Regular, risk-based monitoring |
| Record keeping | Same 5-year requirement | Same 5-year requirement |
| Risk assessment | Must be documented as low risk | Standard risk documentation |
The proposed MLR amendments decouple pooled client accounts from the SDD provisions: firms can no longer automatically apply SDD to these accounts and must instead assess their risk in the usual way.
Under FATF Recommendation 11 and the MLR 2017, firms must maintain CDD records and transaction records for at least 5 years after the end of the business relationship or the completion of an occasional transaction (FCA MLR guidance).
Records must include: