Customer Due Diligence (CDD): What It Is & Why It's Important

Customer Due Diligence (CDD): What It Is & Why It’s Important

Chances are, you’ve been asked to submit a copy of your ID or social security card for digital onboarding at a credit union, a bank, or a financial organization. Email addresses, phone numbers, and addresses are even more common forms of information collection, spanning multiple industries. While you may not have known, these procedures are part of Customer Due Diligence (CDD). 

What Is Customer Due Diligence?

Customer Due Diligence, known as the CDD Rule, is an amendment to the Bank Secrecy Act and refers to the process of identifying and verifying the identity of the customer behind a legal entity and determining who benefits from the activities associated with the entity. The primary purpose of CDD is to prevent criminals and terrorists from disguising unlawful activities and laundering their illegal profit through a company.

Why Is CDD Important?

Customer Due Diligence is part of compliance with Anti-Money Laundering (AML) policies to prevent criminals from making money through illegal activities. Banks and financial businesses must comply with AML practices, where CDD and Know Your Customer (KYC) practices are required. 

CDD serves as a Risk Assessment Tool that can reduce the cost of fraud for your business and protect against money laundering and terrorist financing. It also protects against fines from noncompliance and keeps your organization safe, regulated, and free from fraud. 


CDD and KYC are related and even have overlapping roles. However, it is crucial to discern the differences to ensure you’re legally compliant and using industry best practices. 

Components of CDD: 

  • CDD is the overarching term for the practice involved in preventing money laundering and confirming customer identity. 
  • CDD includes initial verification of the customer to ongoing monitoring throughout the life of the business relationship. 
  • The Financial Action Task Force recommends that CDD should be conducted at critical points of interaction with the customer, including:
    • The beginning of the customer relationship
    • Transactions with high-risk foreign countries, and as suspicious transactions or activity take place 
    • Throughout the relationship for fraud monitoring 

Components of KYC: 

  • Know Your Customer refers to customer identification and verification protocols, such as:
    • Gathering PII such as IDs or Social Security cards
    • Using biometric authentication processes
    • Using AI software to confirm the “liveness” of the customer as they provide onboarding material 
  • KYC is conducted at the onset of the business relationship as the first stage of CDD
  • KYC is a method for complying with AML and CDD regulations

When Is Customer Due Diligence Required?

CDD is required not only at the start of a business relationship but also as ongoing monitoring throughout the course of the business relationship. Additional CDD measures can be prompted by:

  • Suspicious activity that raises concerns about money laundering, terrorism financing, or other illegal activity
  • Insufficient documentation is provided by the customer, or discrepancies are found in the provided documentation
  • Financial transactions that exceed regulatory thresholds or are considered high-risk

While Covered Financial Institutions are the primary focus of CDD regulatory measures, other industries choose to partake in CDD as a method for safeguarding their funds and protecting their business from potential legal repercussions. 

Customer Due Diligence compliance is mandated for the following companies or roles: 

  • Banks
  • Mutual funds
  • Brokers in securities 
  • Dealers in securities
  • Futures commission merchants
  • Brokers in commodities

Please note that CDD compliance requirements may vary by location.

Customer Due Diligence Requirements

There are multiple layers to Consumer Due Diligence for businesses, and each layer serves as protection and limits the chance of unauthorized or fraudulent activity. 

1. Customer Identification & Verification

The first component of CDD is customer identification, which includes gathering relevant customer information. This information is then used to verify the customer’s identity and ensure you know who they are. 

Examples of collected personal information include: 

  • Name
  • ID
  • Birth certificate
  • Address
  • Email address

2. Beneficial Ownership Identification & Verification

Next, information about the customer’s business is acquired. This includes identifying their business model, business owner, Registered Corporate Name, registration number, and source of funds. 

As criminals may attempt to disguise their identity by hiding within a corporate infrastructure and conducting transactions anonymously, it is essential to establish beneficial ownership. This means you must identify who within the organization stands to benefit from your relationship or any transactions made via your organization. These are typically individuals that own 25% or more of the organization. 

High-risk customers will require a greater understanding of beneficial ownership than low-risk customers as they have more significant potential for abusing the business relationship. 

3. Business Relationship Nature & Purpose

Before entering into business with any customer, you must define the business relationship’s purpose, nature, and parameters. This aids the detection of unusual or suspicious activity by establishing expected behavior. 

4. Ongoing Monitoring & Risk Assessment

After determining your customer’s risk level, you should develop a protocol for ongoing monitoring. High-risk customers should be accompanied by more rigorous monitoring, whereas lower-risk customers require less frequent monitoring. Financial services onboarding software can be leveraged to identify unusual transactions or changes. 

How to Automate CDD & Customer Risk Assessment

An organization can determine a customer’s risk rating by analyzing the following factors: 

  • Who their customer is
  • The geographic location of the business 
  • Their products and services 
  • Transactions the customer requires 
  • How the business’ products and services are delivered 

Assessing customer risk is no longer a complicated process with the support of an Identity Verification Platform. Incode Omni incorporates advanced risk measurement capabilities that help you identify customer risk levels. The platform uses AI to identify potentially fraudulent applicants through ID document verification, biometric liveness, and data mismatch detection during the onboarding process. 

Customer Due Diligence vs. Enhanced Due Diligence

Based on a customer’s risk level, you may need to escalate your Customer Due Diligence protocol to Enhanced Due Diligence (EDD). High-risk customers are flagged due to the more significant potential of engaging in fraudulent activity or money laundering. EDD protocols go deeper than CDD and require more time and documentation to make informed decisions on the customer’s validity. 

Enhanced Due Diligence protocols include: 

  1. Identifying PEPs: The Financial Action Task Force recommends that politically exposed persons (PEP) undergo increased AML/CFT measures. Their positions can more easily be abused to participate in money laundering; thus, additional screening is required.
  2. Collecting Detailed Information: While there is no defined expectation, the EDD process requires more data collection from verified sources. This information must be documented and easily obtainable for regulators to review. 
  3. Data Verification: Not only does a large amount of data need to be gathered to pass muster for Enhanced Due Diligence protocols, but the data source must be proved accurate, and the source must be verified. Many companies rely on third-party professionals to help with the data verification process. 
  4. Intelligence Reports: Depending on the risk factor of a business or individual, intelligence reports on the beneficial owners may be requested to determine the authenticity of the requested business relationship and if the beneficial owners are connected to any criminal activity. 
  5. Enhanced Monitoring: High-risk companies require increased monitoring, both in frequency and depth, than typical CDD protocols call for. This means checking for changes in business ownership, transaction frequency or type, or other structural changes. This allows suspicious activity to be caught sooner than later. 

Create More Efficient Customer Due Diligence Processes with Incode

Due to the depth of CDD, KYC, and AML regulations, these protocols can be frustrating for companies and may even result in significant fees. 

With Incode Omni, you can streamline your CDD requirements through rapid data entry, data verification and authentication, and automated risk level assessments. The frictionless user onboarding experience makes it easy for you and your customers and minimizes the hassle of developing compliant CDD procedures. Ongoing monitoring features alert you when suspicious activity or risk levels change. 

Support your business’ long-term health while capitalizing on the power of AI. Request a demo with an Incode Solution Specialist today.