
Customer Due Diligence (CDD): The Complete 2026 Guide

Customer Due Diligence (CDD) is the regulatory process by which financial institutions identify their customers, verify their identities, understand the nature of their activities, and assess the risk that the relationship may be used for money laundering or terrorist financing. This guide explains the standard CDD process, the regulatory framework that mandates it, and how to design a CDD programme that satisfies regulators while delivering an efficient customer experience.

Published: May 2026 | Category: AML & Financial Crime | Read time: ~10 minutes
Quick Answer
Customer Due Diligence (CDD) consists of four core activities: (1) identifying the customer and verifying their identity using reliable and independent source documents, data, or information; (2) identifying the beneficial owner of the customer where the customer is not a natural person; (3) understanding and obtaining information on the purpose and intended nature of the business relationship; and (4) conducting ongoing monitoring of the relationship, including scrutinising transactions undertaken throughout the course of that relationship. CDD is mandated globally by FATF Recommendation 10 and implemented through national regulations including the US BSA, EU AMLD 6, UK MLR 2017, and MAS Notices in Singapore. CDD is the foundation on which all other AML controls — transaction monitoring, sanctions screening, suspicious activity reporting — depend.

CDD is often described as the foundation of AML compliance, and the description is accurate. Every other AML control — transaction monitoring scenarios, customer risk ratings, escalation thresholds, periodic review schedules — depends on the data captured and verified during CDD. A firm that gets CDD wrong will have unreliable downstream controls regardless of how sophisticated those controls otherwise appear.

This guide walks through the complete CDD process — what regulators expect, how the four core activities are operationalised, and how modern compliance platforms automate the parts that can be automated while preserving human judgement for the parts that cannot.

The Four Activities That Constitute CDD

FATF Recommendation 10 sets out the four activities that every CDD programme must perform. National regulations elaborate on the specifics, but the four activities are universal across all FATF-compliant jurisdictions.

1. Identify and Verify the Customer

The starting point of every CDD process is the identification of the customer using reliable, independent source documents. For individuals this means government-issued photo identification verified through document authentication and biometric face matching. For corporate customers this means certified incorporation documents, the current register of directors, and shareholding records — sourced from the relevant corporate registry where possible. See our KYC guide for the full identity verification workflow.

2. Identify the Beneficial Owner

For corporate customers, CDD must identify and verify the natural persons who ultimately own or control the entity. The threshold is typically 25% direct or indirect ownership, though some jurisdictions and some sectors apply lower thresholds. UBO identification is non-trivial for entities with multiple ownership layers, offshore vehicles, or trust structures — and the regulatory expectation is that the firm unwraps the chain until natural persons are identified, not that it stops at the first corporate shareholder. Our KYB platform automates UBO unwrapping across multi-jurisdictional ownership structures.

3. Understand the Purpose of the Relationship

The third CDD activity is to understand and document the purpose and intended nature of the business relationship. This is the data that anchors all subsequent transaction monitoring — the firm must understand what "normal" looks like for this customer in order to identify deviations from normal that warrant investigation. For a retail customer this is typically expected income source, expected transaction volume, and expected geographic patterns. For a corporate customer it is the nature of the business, expected counterparties, and expected transaction profile.

4. Conduct Ongoing Monitoring

CDD is not a one-time event. Throughout the relationship, the firm must scrutinise transactions to ensure they are consistent with the customer's known profile and update CDD information periodically as the relationship evolves. The frequency of periodic review is risk-based — typically annually for high-risk customers, every three years for medium-risk, every five years for low-risk. Automated transaction monitoring handles the transaction surveillance component; case management workflows handle the periodic review cycle.

Standard, Simplified, and Enhanced Due Diligence

CDD operates at three intensity levels, calibrated to the assessed risk of the customer:

  • Simplified Due Diligence (SDD) — applies to a narrow set of customers explicitly identified by regulation as low-risk, such as listed companies on regulated exchanges, public authorities, or regulated financial institutions in equivalent jurisdictions. Verification requirements are reduced but not eliminated.
  • Standard CDD — applies to all customers as the default. Full identity verification, beneficial ownership identification, purpose documentation, and ongoing monitoring.
  • Enhanced Due Diligence (EDD) — applies to customers whose risk profile triggers defined criteria: PEPs, residents of high-risk jurisdictions, complex corporate structures, or transactions inconsistent with the customer's stated profile. Additional verification, source-of-wealth documentation, and senior management approval are required.

When CDD Must Be Applied

Regulations require CDD to be performed at multiple specific points in the customer relationship — not just at onboarding:

  • At the establishment of the business relationship — before the first transaction and before any account becomes operational.
  • For occasional transactions above the threshold — typically EUR 15,000 in the EU, USD 10,000 in the US, or equivalent amounts elsewhere.
  • When there is suspicion of money laundering or terrorist financing — regardless of any threshold or exemption.
  • When there is doubt about the veracity or adequacy of previously obtained customer identification data — for example, if a name change is reported but cannot be substantiated.
  • On a periodic basis — risk-based refresh cycles applied to existing relationships.

Why CDD Programmes Fail (and How to Prevent It)

In our experience working with regulated firms across multiple jurisdictions, the most common reasons CDD programmes fail at supervisory inspection are not exotic. They cluster around a handful of recurring issues:

  • Incomplete UBO unwrapping — the firm verifies the corporate customer but stops at the first layer of corporate shareholders rather than unwrapping the chain to natural persons.
  • Static risk ratings — customers are rated at onboarding and the rating is never reviewed even when their transaction behaviour or circumstances change materially.
  • Inadequate purpose documentation — the firm captures expected transaction volume but no specifics on expected counterparties, geographies, or business rationale, leaving the transaction monitoring scenarios with nothing to compare against.
  • Periodic review backlogs — the firm has a documented periodic review schedule but does not actually execute it, or executes only the highest-risk cases while medium and low-risk customers slip behind.
  • Documentation gaps — the verification was performed but the evidence was not retained, or was retained in a form that cannot be reconstructed during a regulatory inspection.
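The beneficial-owner activity described under step 2 and the "Incomplete UBO unwrapping" failure above both come down to the same computation: multiply holding percentages down each layer of the ownership chain until natural persons are reached, then apply the threshold to the effective stake. The following is an added illustration of that computation, not One Constellation's code or platform logic. The ownership graph, entity and person names, and the 25% threshold are constructed for the example; a real implementation would draw holdings from corporate registry data. The `max_depth=1` setting reproduces the failure mode of stopping at the first corporate layer, and the result also flags holders with no registry record and cross-holding loops, since an unwrap that leaves part of the ownership unattributed must not be treated as complete.

```python
"""Unwrapping a layered ownership chain to natural-person beneficial owners.

Added example, not One Constellation's code. The ownership graph, entity
names and threshold below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from fractions import Fraction

# Constructed registry extract: entity -> {holder: percentage held}.
# Holders listed in NATURAL_PERSONS are people; any other holder is itself
# an entity whose own holdings must be unwrapped in turn.
HOLDINGS = {
    "CustomerCo": {"HoldCo A": 60, "HoldCo B": 30, "Alice": 10},
    "HoldCo A": {"Trust X": 50, "Bob": 50},
    "HoldCo B": {"Carol": 100},
    "Trust X": {"Dave": 100},
    # OpaqueCo's majority holder has no registry record at all.
    "OpaqueCo": {"OffshoreVehicle": 70, "Erin": 30},
    # Cross-holding: LoopCo and MirrorCo each own part of the other.
    "LoopCo": {"MirrorCo": 40, "Frank": 60},
    "MirrorCo": {"LoopCo": 100},
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Dave", "Erin", "Frank"}
UBO_THRESHOLD = Fraction(25, 100)  # the usual 25% test; some sectors use lower


@dataclass
class UnwrapResult:
    ownership: dict = field(default_factory=dict)   # person -> effective fraction
    unresolved: dict = field(default_factory=dict)  # entity -> fraction not unwrapped
    cycles: list = field(default_factory=list)      # ownership loops encountered

    @property
    def is_complete(self) -> bool:
        """True only when every slice of ownership reached a natural person."""
        return not self.unresolved and not self.cycles


def _add(bucket, key, part):
    bucket[key] = bucket.get(key, Fraction(0)) + part


def unwrap(entity, holdings=HOLDINGS, persons=NATURAL_PERSONS, max_depth=None):
    """Multiply fractions down the chain until natural persons are reached.

    max_depth=1 reproduces the common failure of stopping at the first layer
    of corporate shareholders; None unwraps all the way down.
    """
    result = UnwrapResult()

    def walk(node, share, depth, path):
        for holder, pct in holdings.get(node, {}).items():
            part = share * Fraction(pct, 100)   # exact arithmetic, no float drift
            if holder in persons:
                _add(result.ownership, holder, part)
            elif holder in path:
                # The chain loops back on itself: stop here and flag it.
                result.cycles.append(path + (holder,))
            elif max_depth is not None and depth >= max_depth:
                _add(result.unresolved, holder, part)   # stopped too early
            elif holder not in holdings:
                _add(result.unresolved, holder, part)   # no registry data
            else:
                walk(holder, part, depth + 1, path + (holder,))

    walk(entity, Fraction(1), 1, (entity,))
    return result


def identify_ubos(entity, threshold=UBO_THRESHOLD, **kwargs):
    """Natural persons whose effective stake meets the threshold, as (name, %)."""
    res = unwrap(entity, **kwargs)
    hits = [(p, float(f * 100)) for p, f in res.ownership.items() if f >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for depth, label in ((1, "first layer only"), (None, "full unwrap")):
        res = unwrap("CustomerCo", max_depth=depth)
        print(f"{label}: UBOs={identify_ubos('CustomerCo', max_depth=depth)} "
              f"unresolved={dict(res.unresolved)}")
    print("OpaqueCo complete?", unwrap("OpaqueCo").is_complete)
    print("LoopCo cycles:", unwrap("LoopCo").cycles)
```

Run stand-alone, the first-layer pass on CustomerCo finds no UBO at all (Alice holds only 10% directly, and the two holding companies are left unresolved), while the full unwrap attributes 30% each to Bob, Carol and Dave. OpaqueCo and LoopCo show the two cases that should block a clearance decision: a holder with no registry record and a cross-holding loop, both of which leave `is_complete` false for manual review.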

Each of these failures is preventable through process design and platform automation. A compliance portal with structured case management ensures every CDD activity is documented and that periodic reviews are scheduled and executed without manual tracking.

Regulator Expectation
Supervisors do not expect a CDD programme to be perfect — they expect it to be genuinely risk-based, documented, and consistently applied. A programme that occasionally produces edge-case errors but is otherwise well-designed and well-operated will typically draw a much milder regulatory response than a programme that is technically thorough but applied inconsistently across the customer book.

Build Your CDD Programme on Production-Grade Infrastructure

One Constellation provides automated identity verification, UBO unwrapping, sanctions and PEP screening, customer risk rating, and ongoing monitoring on a single platform — every CDD activity, with full audit trail and built-in periodic review scheduling.
