What Is Customer Due Diligence (CDD)?

To meet anti-money laundering (AML) and know your customer (KYC) guidelines, financial institutions must ensure they’ve verified the identities of their customers, the type of activities they’re involved in, and where their funds come from.

This is called customer due diligence, which helps organizations manage risk and ensure they’re only serving legitimate customers who aren’t involved in illegal activities like terrorism financing, human trafficking, or money laundering. Below, we’ll discuss what’s involved in customer due diligence, who it applies to, and how it works.

What is Customer Due Diligence?

Customer due diligence (CDD) refers to the process of verifying customer identities and determining the risk of doing business with them.

This includes identifying any individuals that own or control a legal entity applying for an account, allowing providers to know who is profiting or benefiting from the service. In this way, CDD helps to prevent a scenario where criminals can conceal or finance their illegal activities with the help of an unsuspecting bank or other financial institution.

These checks are conducted upon the opening of a new account and rely on both the primary data that the applicant provides to the institution directly, as well as data from third-party sources, such as government-issued watchlists.

Customer due diligence practices directly support an organization’s anti-money laundering (AML) and Know Your Customer (KYC) programs, ensuring regulatory compliance and preventing financial crimes.

What’s Involved in Customer Due Diligence?

In general, a business must satisfy four core requirements to comply with CDD:

  • Collect basic information from individuals who are customers to verify their identities, including their names, addresses, dates of birth, tax identification numbers, etc.
  • Identify and verify anyone who owns or controls legal entities that are customers of the organization (generally anyone who owns at least 25% of the entity)
  • Understand the purpose of the account and the types of transactions expected, in order to create a personalized risk profile
  • Continuously monitor transactions for signs of suspicious activity, updating the customer’s information as needed

The History of CDD Requirements

CDD requirements have evolved over the years, with initial stipulations provided in 1970 with the Bank Secrecy Act (BSA). This legislation aimed to prevent money laundering and other financial crimes by requiring institutions to keep detailed records of suspicious transactions and report them to the proper authorities.

Additional requirements came with the KYC standards introduced by the USA PATRIOT Act of 2001, specifically targeting counter-terrorism financing.

The Financial Crimes Enforcement Network (FinCEN) introduced the most recent version of CDD requirements in 2016. This is known formally as the Customer Due Diligence Requirements for Financial Institutions (the CDD Rule), which took effect on May 11, 2018.

According to FinCEN, the objective of the CDD Rule is “… to improve financial transparency and prevent criminals and terrorists from misusing companies to disguise their illicit activities and launder their ill-gotten gains.”

Who Does the CDD Rule Apply to?

The primary businesses subject to customer due diligence requirements are those in the financial services industry. In other words, some level of CDD should occur any time a customer wants to open a new bank account, apply for a loan, or create an investment account. 

The Different Types of CDD

There are three main types of CDD, which are applied according to a customer’s risk profile, as assessed during initial onboarding. The three different CDD levels address the varying degrees of risk customers pose to organizations. Here is a quick overview of the three types:

Standard (CDD)

The large majority of customers will fall under this category. These customers carry a standard amount of risk without posing an outsized threat to the organization.

Standard CDD practices include the core requirements we outlined above, including identifying and verifying the customer’s identity, as well as monitoring ongoing activities.

Simplified (SDD)

Customers deemed low-risk may qualify for simplified due diligence (SDD). This is conducted when there is little expectation or evidence that a customer will be involved in illicit or criminal activities.

When a customer qualifies for SDD, the organization simply needs to identify them. There are no requirements to verify the person’s identity. However, you should continually monitor their account for suspicious activity and perform additional due diligence if necessary.

Enhanced (EDD)

Enhanced due diligence (EDD) is the highest level of due diligence and is applied to customers who are deemed high-risk.

Customers or entities in this category are subject to more stringent due diligence and verification procedures. This helps the organization understand the source of the customer’s funds and what the customer does to earn them.

Some of the risk factors that can qualify a customer for EDD include:

  • The majority of the entity’s clients come from a foreign nation
  • The customer is a high-net-worth individual or a politically exposed person (PEP)
  • The customer’s business is largely cash-based
  • The entity has a complex ownership structure
  • The entity/individual’s transaction patterns are irregular and don’t reflect their known business or personal activities
  • The business operates in “high-risk” industries like precious metals, real estate, casinos, etc.

The Importance of Customer Due Diligence

It’s in financial institutions’ best interest to adhere to the CDD Rule and AML and KYC regulations. For starters, it prevents organizations from unknowingly supporting criminals and illegal enterprises. Plus, non-compliance could result in costly fines, penalties, and reputational damage.

In this way, compliance with these guidelines has positive ripple effects throughout our society. Limiting criminals’ ability to access financial services, like storing and transferring funds, can hamstring their operations and reduce the amount of harm they can impose on the public.
