How Customer Due Diligence (CDD) Works
Customer Due Diligence is a structured process that regulated entities must follow before and during any customer relationship. It combines identity verification, risk scoring, and continuous monitoring into a single compliance workflow. The exact steps vary by jurisdiction and risk tier, but the core sequence is consistent across FATF member countries.
Customer Identification
Collect the customer's legal name, date of birth, address, and government-issued identification. For corporate customers, gather registration documents, articles of incorporation, and proof of legal address. This step must be completed before any business relationship begins.
Identity Verification
Confirm that the information provided is genuine. This typically involves document verification (passport, national ID, driving licence), biometric checks, or database cross-referencing against authoritative sources. Digital onboarding platforms use automated OCR and liveness detection to perform this step in seconds.
Beneficial Ownership Identification
For business customers, identify all beneficial owners: the natural persons who own or control 25% or more of the entity (or a lower threshold depending on jurisdiction), whether directly or indirectly through intermediate companies, trusts, or nominees. Collect and verify their personal information using the same standards applied to individual customers.
Risk Assessment
Assign a risk rating (low, medium, or high) based on factors including the customer's country of residence, industry, transaction volumes, PEP status, and sanctions exposure. This rating determines the depth of due diligence applied and the frequency of future reviews.
Sanctions and PEP Screening
Screen the customer against global sanctions lists (OFAC, EU, UN) and politically exposed persons databases. Potential matches must be escalated for manual review, never dismissed or accepted automatically. A confirmed sanctions match means the relationship cannot proceed and may carry reporting or asset-freezing obligations in the relevant jurisdiction; a confirmed PEP match does not bar the customer but triggers Enhanced Due Diligence.
Ongoing Monitoring
CDD does not end at onboarding. Transactions must be monitored continuously for patterns inconsistent with the customer's declared profile, and the customer base must be re-screened whenever a sanctions or PEP list is updated, since a customer cleared at onboarding can be designated later. Periodic record reviews ensure that customer information remains current and that any change in risk level triggers appropriate action.
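As an added example that is not part of the original page or Tagada's product, the following Python shows steps 3 and 4 in code: expanding an ownership graph to find beneficial owners whose aggregate direct and indirect stake reaches the threshold, then assigning a risk tier and review interval. The ownership structure, country and industry lists, scoring weights and review intervals are constructed assumptions for illustration and are not any jurisdiction's rule.

```python
"""Added example, not Tagada's code: beneficial ownership expansion and
risk tiering. The ownership data, country/industry lists, weights and
thresholds below are constructed assumptions for illustration."""
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 25.0            # percent; common baseline, lower in some regimes
HIGH_RISK_COUNTRIES = {"XA", "XB"}    # placeholder codes; load the FATF/EU lists in practice
HIGH_RISK_INDUSTRIES = {"casino", "money_services", "precious_metals"}  # constructed


@dataclass
class Entity:
    name: str
    is_person: bool
    owners: dict = field(default_factory=dict)   # direct owner name -> % of this entity


def beneficial_owners(entities, target, threshold=OWNERSHIP_THRESHOLD):
    """Return {person: aggregate %} for natural persons whose direct plus
    indirect stake in `target` reaches `threshold`.

    An indirect stake is the product of the percentages along a chain,
    summed over all chains (ownership only; control through voting rights
    or agreements needs a separate check). Circular holdings are skipped
    so the walk always terminates."""
    stakes = {}

    def walk(name, share, path):
        for owner, pct in entities[name].owners.items():
            if owner in path:            # circular holding, e.g. A owns B owns A
                continue
            effective = share * pct / 100.0
            if entities[owner].is_person:
                stakes[owner] = stakes.get(owner, 0.0) + effective
            else:
                walk(owner, effective, path | {owner})

    walk(target, 100.0, {target})
    return {p: round(s, 2) for p, s in stakes.items() if s >= threshold}


def risk_tier(country, industry, monthly_volume_eur, is_pep):
    """Return (tier, review_interval_months). PEPs go straight to 'high'
    because EDD applies to them automatically; everything else is scored
    with constructed weights."""
    if is_pep:
        return "high", 12
    score = 0
    if country in HIGH_RISK_COUNTRIES:
        score += 3
    if industry in HIGH_RISK_INDUSTRIES:
        score += 2
    if monthly_volume_eur >= 100_000:
        score += 2
    elif monthly_volume_eur >= 10_000:
        score += 1
    if score >= 3:
        return "high", 12
    if score >= 1:
        return "medium", 24
    return "low", 60


# Constructed structure: Bob holds nothing in OpCo directly but 45% through
# two intermediate companies; Carol's direct 20% is below the threshold.
ENTITIES = {
    "OpCo":        Entity("OpCo", False, {"HoldCo": 50, "Nominee Ltd": 30, "Carol": 20}),
    "HoldCo":      Entity("HoldCo", False, {"Alice": 70, "Bob": 30}),
    "Nominee Ltd": Entity("Nominee Ltd", False, {"Bob": 100}),
    "Alice": Entity("Alice", True),
    "Bob":   Entity("Bob", True),
    "Carol": Entity("Carol", True),
}

if __name__ == "__main__":
    print(beneficial_owners(ENTITIES, "OpCo"))        # {'Alice': 35.0, 'Bob': 45.0}
    print(risk_tier("XA", "casino", 250_000, False))  # ('high', 12)
```

The walk multiplies percentages along each chain and sums across chains, which is how layered holdings are usually aggregated for ownership; control exercised through voting rights, board appointments or shareholder agreements is not a percentage and needs a separate check. The cycle guard keeps circular cross-holdings, a common feature of obscuring structures, from looping.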
Why Customer Due Diligence (CDD) Matters
Regulators worldwide treat inadequate CDD as one of the primary enablers of financial crime, and enforcement actions reflect that view. Beyond regulatory pressure, effective CDD protects businesses from being used as conduits for illicit funds — a reputational and operational risk that can be existential for payment companies.
The scale of the problem justifies the compliance burden. According to the United Nations Office on Drugs and Crime, an estimated 2–5% of global GDP — between $800 billion and $2 trillion — is laundered annually. Financial institutions and payment providers that fail to identify and report suspicious customers become unwitting participants in that ecosystem.
Enforcement costs are equally stark. In 2023 alone, global anti-money-laundering fines exceeded $6 billion across banking, fintech, and payments sectors, according to Fenergo's annual AML fine analysis. The largest penalties were directly tied to failures in customer identification and monitoring — precisely the gaps CDD is designed to close. For payment service providers operating across multiple jurisdictions, a single CDD programme failure can trigger simultaneous regulatory action in several countries.
Regulatory Threshold
Under the EU anti-money laundering directives (the threshold is set in Article 11 of the Fourth Directive and carried forward by later amendments) and FATF Recommendation 10, CDD is mandatory for occasional transactions of €15,000 or more, whether carried out in a single operation or in several operations that appear to be linked. The practical consequence is that onboarding and payment systems must aggregate related transactions rather than testing each one against the threshold in isolation.
Customer Due Diligence (CDD) vs. Enhanced Due Diligence (EDD)
Standard CDD and enhanced due diligence share the same foundation — identity verification and risk assessment — but differ substantially in scope, depth, and ongoing obligations.
| Dimension | Standard CDD | Enhanced Due Diligence (EDD) |
|---|---|---|
| Applies to | Most retail and business customers | PEPs, high-risk countries, complex structures |
| ID verification | Standard document check | Multiple independent sources required |
| Source of funds | Not always required | Mandatory documentation |
| Senior approval | Not required | Required before onboarding |
| Review frequency | Typically every 2–5 years, set by firm policy | Typically annually or more frequently |
| Ongoing monitoring | Standard transaction monitoring | Heightened monitoring with lower thresholds |
| Beneficial ownership | 25% threshold | May apply lower threshold (e.g. 10%) |
The decision to apply EDD must be documented and defensible. Regulators expect firms to show that their risk-based approach is calibrated — not that they apply EDD to everyone (over-compliance) or to no one (under-compliance).
Types of Customer Due Diligence (CDD)
Regulation does not prescribe a single level of CDD for all customers. A risk-based approach allows firms to calibrate their effort to the actual risk presented. Three tiers are recognised across most major AML frameworks.
Simplified Due Diligence (SDD) is permitted for customers presenting a demonstrably low risk of money laundering — certain listed companies, domestic public authorities, and regulated financial institutions. SDD reduces the documentation burden but does not eliminate the need to verify identity or monitor transactions.
Standard CDD is the baseline applied to most customers. It covers the full six-step process described above and is required for all customers unless a firm has documented justification to apply a different tier.
Enhanced Due Diligence (EDD) is mandatory for higher-risk relationships. It adds establishing and documenting source of wealth and source of funds, senior management sign-off before onboarding, and heightened ongoing monitoring. EDD applies automatically to PEPs and should be triggered by any customer or transaction that scores high on the firm's risk matrix.
Best Practices
Implementing CDD effectively requires different considerations depending on whether you are a merchant accepting payments or a developer building payment flows.
For Merchants
Start with a clear onboarding policy that defines which customers require which tier of CDD before they can transact. Avoid collecting excessive data — only request information that is proportionate to the risk level and legally required. Maintain a documented audit trail for every CDD decision, including cases where you accepted a customer despite elevated risk indicators. Ensure that periodic review obligations are scheduled and tracked, not left to ad hoc processes. Train customer-facing staff to recognise the signs that a customer's risk profile may have changed — new ownership, unusual transaction spikes, or requests that fall outside their stated business purpose.
For Developers
Design CDD workflows as modular, API-driven processes so that a risk-tier change, such as a customer being reclassified from standard to EDD, can trigger a different document-collection flow without rebuilding the whole onboarding journey. Run sanctions and PEP screening as a synchronous step in onboarding, so that no customer is activated while a batch job is pending, and re-screen the existing customer base whenever a list version changes; a customer cleared yesterday may be designated today. Record the outcome and evidence of every check in an append-only, structured store: the inputs, the candidate matches and their scores, the reviewer's decision, timestamps, and the version of each screening list used. Make sure the system can produce the complete CDD record for a customer on demand, because regulators expect to see not just outcomes but the data and logic that produced them.
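As an added example (not Tagada's code, and not any vendor's screening API), the following Python models the screening step described above and in the Sanctions and PEP Screening section: a synchronous screen of one name against a watchlist snapshot that produces an evidence record carrying a timestamp and the list version, escalation of candidate matches to manual review rather than automatic dismissal or rejection, and a re-screen of the existing base when a new list version arrives. The watchlist, its version string, the similarity threshold and the customer names are constructed and fictitious.

```python
"""Added example, not Tagada's code: a real-time screening step that records
the evidence regulators ask for. The watchlist, its version string and the
customer names are constructed for illustration; a production system would
load vendor or official list files and their published version identifiers."""
import json
import re
import unicodedata
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed watchlist snapshot; every entry is fictitious.
WATCHLIST = {
    "version": "constructed-list-2024-06-01",
    "entries": [
        {"list_id": "SDN-0001", "name": "Ivan Petrov", "list_type": "sanctions"},
        {"list_id": "SDN-0002", "name": "Global Trade Holdings Ltd", "list_type": "sanctions"},
        {"list_id": "PEP-0001", "name": "Li Wei", "list_type": "pep"},
    ],
}
ESCALATE_AT = 0.85  # similarity at which a candidate goes to manual review (assumed tuning)


def normalise(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, and sort tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare equal. Non-Latin scripts are
    dropped by the ASCII step; real systems transliterate instead."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]+", " ", text.casefold()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    na, nb = normalise(a), normalise(b)
    if not na or not nb:          # an empty string would otherwise score 1.0 against empty
        return 0.0
    return SequenceMatcher(None, na, nb).ratio()


@dataclass
class ScreeningRecord:
    customer_id: str
    screened_name: str
    list_version: str
    screened_at: str
    candidates: list = field(default_factory=list)
    decision: str = "clear"             # "clear" or "escalate"; never auto-reject
    recommended_action: str = "proceed"


def screen(customer_id: str, name: str, watchlist=WATCHLIST) -> ScreeningRecord:
    """Screen one name and return an evidence record. Candidate matches are
    escalated for human review rather than dismissed or rejected here."""
    rec = ScreeningRecord(customer_id, name, watchlist["version"],
                          datetime.now(timezone.utc).isoformat())
    for entry in watchlist["entries"]:
        score = similarity(name, entry["name"])
        if score >= ESCALATE_AT:
            rec.candidates.append({**entry, "score": round(score, 3)})
    if rec.candidates:
        rec.candidates.sort(key=lambda c: c["score"], reverse=True)
        rec.decision = "escalate"
        # A possible sanctions hit holds onboarding; a possible PEP hit means EDD if confirmed.
        rec.recommended_action = ("hold_pending_review"
                                  if any(c["list_type"] == "sanctions" for c in rec.candidates)
                                  else "edd_if_confirmed")
    return rec


def rescreen(customers: dict, watchlist=WATCHLIST) -> list:
    """Re-run the existing base against a list version; returns the records
    that now need review (a customer cleared against an older version may
    match a new designation)."""
    return [r for r in (screen(cid, n, watchlist) for cid, n in customers.items())
            if r.decision == "escalate"]


def to_audit_json(record: ScreeningRecord) -> str:
    """Serialise the record for an audit request; append it, never overwrite."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    sample = {"c1": "Petrov, Ivan", "c2": "Ivan Petrof", "c3": "Maria Gonzalez", "c4": "Wei Li"}
    for cid, name in sample.items():
        print(to_audit_json(screen(cid, name)))
```

Two design points matter here. First, the record stores the list version and the candidate scores, not just the decision, so an auditor can reproduce why a name was or was not escalated. Second, nothing in this code rejects a customer: the near-miss "Ivan Petrof" and the exact transposition "Petrov, Ivan" both land in the review queue, and a human closes them with a documented reason, which is the structured escalation process the Common Mistakes section calls for.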
Common Mistakes
Even well-intentioned compliance programmes routinely make the same errors when implementing CDD.
Treating CDD as a one-time event. Many businesses complete onboarding checks and then never revisit a customer's profile. Regulations explicitly require ongoing due diligence — a customer who was low-risk at onboarding may become high-risk after a change in ownership or business activity.
Inconsistent application across customer segments. Applying thorough CDD to new customers but skipping re-verification for long-standing ones creates regulatory exposure. Tenure is not a risk mitigant.
Over-relying on automated screening without human review. Sanctions and PEP screening tools generate false positives. Without a structured escalation process for matches, firms either block legitimate customers unnecessarily or, worse, dismiss real matches without proper investigation.
Failing to document the risk-based rationale. Regulators do not expect perfection — they expect reasoned decisions. Accepting a medium-risk customer without documenting why the risk is acceptable is a compliance failure even if the customer turns out to be legitimate.
Ignoring beneficial ownership for corporate customers. Collecting a company's registration documents without identifying the individuals who ultimately own or control it leaves a critical gap. Complex corporate structures are frequently used to obscure the true source of funds.
Customer Due Diligence (CDD) and Tagada
Tagada is a payment orchestration platform that routes transactions across acquiring banks and payment processors. Tagada itself operates in the payments space, and any merchant or partner onboarding through its platform must satisfy the CDD requirements that apply in their own regulatory context.
If you are a merchant building checkout flows with Tagada, ensure your onboarding process captures the CDD data your acquiring bank or payment processor will require. Tagada's orchestration layer can route payments, but each upstream acquirer applies its own CDD standards, and a mismatch between what you collect and what they require is a common cause of onboarding delays and payment holds. Work with your compliance team to align your customer data collection to the strictest standard in force across all your active processors, so that a single onboarding flow satisfies every one of them.