Customer Due Diligence - CDD - is one of the five mandatory elements of a BSA-compliant AML program, and it's the one most businesses get wrong. Not because it's complicated, but because the regulatory standard is higher than most businesses realize. Here's exactly what CDD requires and how to do it correctly.
Customer Due Diligence (CDD) is the process of collecting, verifying, and maintaining information about your customers to understand who they are, what they do, and whether their transactions make sense given that context. Under FinCEN's CDD Rule - which became effective in 2018 and applies to banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers - CDD has four core components: customer identification, beneficial ownership identification, understanding the nature and purpose of customer relationships, and ongoing monitoring.
Customer identification is the foundation. For individual customers, this means collecting and verifying name, date of birth, address, and an identification number - typically a Social Security number for U.S. persons or a passport number for foreign nationals. For business customers, it means collecting the legal name, principal place of business, EIN, and - critically - identifying the beneficial owners of the entity. Verification means confirming this information against reliable, independent sources. "The customer told us" is not verification.
Beneficial ownership is where CDD gets complicated for most businesses. Under the CDD Rule, covered institutions must identify and verify the identity of any individual who owns 25% or more of a legal entity customer, plus one individual who controls the entity. This requirement exists because shell companies and complex ownership structures are among the most common tools used to launder money. If your customer is an LLC, a corporation, or a trust, you need to know who actually owns and controls it - not just the entity name on the account.
Understanding the nature and purpose of the customer relationship is the CDD element most businesses treat as a formality. It shouldn't be. This element requires you to develop a customer risk profile - an understanding of what the customer does, what their expected transaction patterns look like, and what level of activity is normal for their business. This profile is the baseline that makes ongoing monitoring meaningful. Without it, you have no baseline against which to measure whether a transaction is suspicious.
Ongoing monitoring is the fourth CDD component and the one that makes the others useful. Collecting customer information at account opening and never updating it is not CDD - it's a snapshot that becomes less accurate over time. Ongoing monitoring means reviewing customer transactions against their established risk profile, updating customer information when material changes occur, and re-evaluating the customer relationship when activity deviates significantly from expectations. For higher-risk customers, this monitoring should be more frequent and more rigorous.
Enhanced Due Diligence (EDD) is the elevated version of CDD applied to higher-risk customers. Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, customers with complex ownership structures, and customers whose transaction patterns are inherently higher-risk all warrant EDD. EDD means collecting more information, verifying it more rigorously, and monitoring more frequently. The specific EDD requirements are risk-based - they scale with the level of risk the customer presents.
The most common CDD failure we see in program reviews is the gap between what the policy says and what actually happens at the point of customer onboarding. Policies that require beneficial ownership collection but onboarding staff who don't know how to ask for it - or who accept "I'm the only owner" without documentation - create a compliance gap that examiners find immediately. CDD is only as strong as the people executing it, which is why training on CDD procedures is as important as the procedures themselves.
Compliance Program Specialist · Soflo Consulting
Sofia Delgado is a Compliance Program Specialist at Soflo Consulting with expertise in mortgage lender AML requirements, Florida-specific regulatory obligations, and small business compliance program design. She works with non-bank mortgage lenders, title companies, and real estate professionals to build practical, examiner-ready compliance programs.
Key Takeaways
1. CDD has four components: customer identification, beneficial ownership, relationship understanding, and ongoing monitoring
2. Beneficial ownership requires identifying individuals who own 25%+ of entity customers - not just the entity name
3. Customer risk profiles are the baseline that makes ongoing monitoring meaningful
4. Enhanced Due Diligence (EDD) applies to higher-risk customers and requires more information and more frequent review
5. The most common CDD failure is a gap between written policy and actual onboarding practice