What Are the Four Customer Due Diligence Requirements?

What Are the Four Customer Due Diligence Requirements

The four core CDD requirements are to identify and verify the customer, identify and verify any beneficial owner, understand the purpose of the relationship, and monitor it on an ongoing basis.

CDD is more than a one-time identity check. It is a risk-based process that helps regulated businesses confirm who they are dealing with, who owns or controls the customer, why the relationship exists and whether future activity remains consistent with the customer’s profile.

While these four requirements form the core of CDD, businesses may also have duties relating to authorised representatives, record-keeping, enhanced due diligence and situations where checks cannot be completed.

Key Highlights:

  • Identify and verify the customer.
  • Verify any beneficial owner.
  • Understand the purpose of the relationship.
  • Monitor the relationship on an ongoing basis.
  • CDD is a continuous, risk-based process.
  • The level of checks depends on the customer’s risk profile.

The evidence required and the intensity of each check should reflect the customer, product, transaction, jurisdiction and level of financial-crime risk.

What Is Customer Due Diligence in KYC, and Why Does It Matter?

What Is Customer Due Diligence in KYC, and Why Does It Matter

Customer due diligence (CDD) is the process of identifying a customer, verifying relevant information, assessing financial crime risk and monitoring the relationship over time.

CDD forms part of the broader know your customer (KYC) framework. While KYC describes the overall customer verification process, CDD focuses on the specific checks required to meet anti-money laundering obligations.

CDD helps businesses understand more than a customer’s identity. It also considers factors such as:

  • Ownership and control
  • Purpose of the relationship
  • Expected transactions and risk

Updated UK guidance published in July 2026 reflects regulatory changes that took effect on 30 June 2026. It states that businesses should take reasonable steps to reduce the risk of money laundering, terrorist financing and proliferation financing.

By creating a documented customer profile, effective CDD supports onboarding decisions, ongoing monitoring and the identification of changes in customer risk.

What Are the Four Core Customer Due Diligence Requirements?

The statutory basis for the principal measures appears in the UK customer due diligence rules, particularly Regulation 28.

1. Identify and Verify the Customer

The first CDD requirement is to identify the customer and verify that the information provided is accurate using reliable and independent sources.

Identification involves collecting key personal or business details, while verification confirms that those details are genuine.

For an individual, verification may include confirming a legal name, date of birth and residential address. For a business, it can involve checking the registered company name, company number, legal structure, registered office and other official records.

Completing this step helps establish that the organisation knows exactly who it is dealing with before entering into a business relationship.

2. Identify and Verify the Beneficial owner

Where the customer is a company, trust or another legal entity, businesses must identify the natural person who ultimately owns or controls it.

Looking beyond the named organisation helps prevent ownership structures from being used to conceal the identity of the real decision-makers.

Key checks may include:

  • Identifying the ultimate beneficial owner.
  • Reviewing the ownership and control structure.
  • Verifying individuals with significant control.
  • Obtaining information from reliable and independent sources.

Complex ownership arrangements may require additional enquiries because the direct shareholder is not always the ultimate beneficial owner.

3. Understand the Purpose and Intended Nature of the Relationship

Businesses should understand why the customer wants the product or service and how the relationship is expected to operate.

Gathering this information helps create a clear customer profile and allows future activity to be assessed against what was originally expected.

The assessment may include expected transaction values, payment frequency, countries involved, counterparties and the expected source or destination of funds.

This information provides the baseline for ongoing risk assessment throughout the relationship.

4. Conduct Ongoing Monitoring

Customer due diligence does not end once the customer has been onboarded. Businesses should continue monitoring the relationship to ensure customer activity remains consistent with the original risk profile and that records stay up to date.

Ongoing monitoring may involve:

  • Reviewing customer transactions.
  • Updating identification and ownership records.
  • Reassessing the customer’s risk level.
  • Investigating unusual or unexpected activity.

Regular monitoring enables businesses to identify changes in risk, maintain accurate records and respond appropriately where further checks are required.

What Information Is Typically Collected During Customer Due Diligence Checks?

What Information Is Typically Collected During Customer Due Diligence Checks

The information collected should be proportionate to the identified risk rather than based on an inflexible document list.

An organisation should distinguish between customer-provided information, independent verification evidence, screening results and information required only for higher-risk relationships.

Information Commonly Collected:

  • Personal or business details: Legal name, date of birth, address, company number, legal form and jurisdiction.
  • Ownership and representatives: Beneficial owners, directors, shareholders and authorised representatives.
  • Relationship purpose: The product or service, commercial purpose and expected duration.
  • Expected activity and risk: Transaction values, payment patterns, business activity and source of funds or wealth.
  • Verification evidence: Identity documents, official records, reliable databases or electronic verification.

Digital identity services may support identity verification, but they do not automatically satisfy every part of CDD. A regulated organisation remains responsible for assessing risk, understanding the relationship and retaining suitable evidence.

How Does the Customer Due Diligence Process Work from Onboarding to Ongoing Monitoring?

Customer due diligence follows a structured process that begins before a business relationship is established and continues throughout its duration.

Each stage helps organisations verify customer information, assess financial crime risk and keep records up to date as circumstances change.

Customer Onboarding and Risk Assessment

The CDD process begins by identifying the customer, verifying the relevant information and confirming whether someone is acting on the customer’s behalf.

For corporate customers, businesses should also identify beneficial owners and understand the ownership structure. They then record the purpose of the relationship, expected activity and key risk factors.

Screening tools and automated checks can support the process, but professional judgement remains essential. The final risk assessment determines whether standard or enhanced due diligence is required.

When Should CDD Records and Risk Profiles Be Updated?

CDD does not end after onboarding. Customer information should be reviewed whenever the risk profile changes or new information becomes available.

Common review triggers include:

  • Change of ownership
  • Unusual transactions
  • New geographic exposure
  • Expired verification documents
  • Significant business changes

An official monitoring statement is unambiguous:

“You must continue to monitor a business relationship after it is established and for its duration”.

Current guidance also requires businesses to review beneficial ownership, keep CDD records up to date and examine whether transactions remain consistent with the known customer profile.

A universal review interval is not imposed for every customer; the review cycle should reflect the assessed risk.

When Is Customer Due Diligence Required Under UK Rules?

When Is Customer Due Diligence Required Under UK Rules

CDD is normally required before a regulated organisation establishes a business relationship or completes a relevant occasional transaction.

The official CDD timing guidance explains that customer and beneficial-owner verification should generally be completed before the relationship or transaction begins.

Main CDD Trigger Points

  • New business relationship: Complete CDD before establishing an ongoing relationship.
  • Occasional transaction: Carry out checks where the applicable threshold is met.
  • Suspected financial crime: Apply CDD where money laundering or terrorist financing is suspected.
  • Unreliable information: Update checks if existing information is inaccurate or incomplete.
  • Changed circumstances: Review CDD when ownership, business activity or risk changes.
  • Customer representative: Verify anyone acting for the customer and confirm their authority

There is a limited exception allowing verification to be completed after initial contact where beginning the relationship is necessary for normal business and the money-laundering risk is low.

The decision must be justified, documented and followed by verification as soon as practicable.

How Do Simplified, Standard and Enhanced Due Diligence Differ?

The four core requirements describe what CDD seeks to establish. Simplified, standard and enhanced due diligence describe how intensively the measures may be applied according to risk.

Comparison of CDD Types:

TypeWhen It May ApplyTypical Approach
Simplified due diligenceA demonstrably lower-risk relationshipReduced extent or intensity of checks supported by a documented assessment
Standard due diligenceAn ordinary or normal-risk relationshipCore identification, verification, ownership, purpose and monitoring measures
Enhanced due diligenceA higher-risk customer, transaction or relationshipAdditional evidence, deeper enquiries, approvals and more intensive monitoring

Simplified due diligence does not mean that no checks are performed. The organisation must first establish and document why the relationship presents a lower risk.

Enhanced due diligence builds on the standard requirements. It may involve additional information about ownership, source of funds, source of wealth, transaction purpose or relevant jurisdictions, together with senior approval or more frequent monitoring.

The appropriate level should be determined by a defensible risk assessment rather than by commercial convenience or a customer’s willingness to provide information.

What Do Customer Due Diligence Requirements Mean for Banks and Other Financial Institutions?

What Do Customer Due Diligence Requirements Mean for Banks and Other Financial Institutions

Banks and other financial institutions use customer due diligence throughout the customer lifecycle to identify clients, assess financial crime risk and comply with anti-money laundering regulations.

Although the core CDD principles are the same, the checks carried out vary depending on the customer and the level of risk.

Retail and Business Banking Controls

Banks apply CDD to both personal and business customers. For individuals, checks may include identity verification, expected account use and relevant risk factors.

For businesses, they typically cover legal status, ownership, business activities and expected payment patterns.

It is also important to distinguish financial crime risk from credit risk, as a customer may be financially reliable while still presenting money laundering concerns.

How Are Corporate Customers and Beneficial Owners Checked?

Corporate CDD helps financial institutions understand who owns and controls a business before establishing a relationship.

Key checks include:

  • Verifying the company’s registration details and legal structure.
  • Identifying directors, shareholders and authorised representatives.
  • Confirming the ultimate beneficial owners (UBOs).
  • Reviewing complex ownership structures, including trusts or holding companies.
  • Investigating inconsistencies instead of relying only on public records.

These checks help institutions understand the complete ownership structure and assess potential financial crime risks before establishing or continuing the business relationship.

Ongoing Monitoring, Sanctions and Suspicious Activity

An April 2026 financial crime controls review found that some firms lacked practical identity-verification guidance, clear event-driven review procedures and evidence showing how higher-risk checks differed from standard CDD.

Stronger firms tailored information gathering and review frequency to each customer’s risk. They also documented enhanced measures, approval decisions and compliance testing.

Sanctions, politically exposed person and relevant adverse-information checks may support customer assessment and ongoing monitoring.

Some industry frameworks list screening as a separate fifth CDD pillar, while the four-part model generally treats it as part of risk profiling and continuing controls.

What Does a Practical Customer Due Diligence Example Look Like in Banking?

Consider a fictional UK bank onboarding a privately owned import business. The bank verifies the company’s registration details, confirms the applicant is authorised to act and identifies the ultimate beneficial owner through the ownership structure.

The business explains that it expects regular payments from European suppliers and monthly receipts from UK retailers.

This information helps establish the purpose of the relationship and the expected transaction profile. Because the company has links to a higher-risk jurisdiction, the bank carries out additional checks before approving the account.

Several months later, unusually large payments from unexpected countries trigger a review. This example shows how customer identification, beneficial ownership checks, relationship profiling and ongoing monitoring work together to manage financial crime risk.

What Should a UK CDD Checklist Include, and What Happens If Checks Cannot Be Completed?

What Should a UK CDD Checklist Include, and What Happens If Checks Cannot Be Completed

A practical CDD checklist should cover the entire customer lifecycle, from onboarding to ongoing monitoring. It should also document the evidence collected, risk assessments and decisions made throughout the process.

Practical CDD Checklist

  • Confirm the trigger by identifying why CDD is required and which rules apply.
  • Identify and verify the customer using appropriate personal or business information.
  • Verify beneficial ownership to establish who ultimately owns or controls the customer.
  • Understand the relationship by recording its purpose and expected activity.
  • Assess the risk based on customer, product, transaction and geographic factors.
  • Check authorised representatives and confirm their identity and authority.
  • Document decisions including evidence, approvals and risk assessments.
  • Monitor the relationship by reviewing transactions, ownership and customer information.

What Happens If Checks Cannot Be Completed?

If mandatory CDD checks cannot be completed, a business may be required not to establish the relationship or proceed with the transaction.

It may also need to end an existing relationship, consider whether a suspicious activity report is required and record the reasons for its decision.

Conclusion

Customer due diligence helps UK businesses establish who a customer is, who ultimately owns or controls them, why the relationship exists and whether later activity remains credible.

The four core requirements, customer identification and verification, beneficial ownership checks, understanding the relationship’s purpose and ongoing monitoring, work together as a risk-based process.

Effective CDD should be documented, kept current and strengthened whenever higher-risk factors or material changes emerge during the relationship.

Frequently Asked Questions

Are the four CDD requirements a complete statement of UK law?

No, they summarise the core CDD measures, but regulated businesses may also have obligations relating to ownership, record-keeping, enhanced checks, reporting and sector-specific rules.

Can a business rely only on Companies House information for CDD?

No, companies House records can support verification, but they may not be enough for complex or higher-risk cases. Businesses remain responsible for appropriate verification.

Can electronic identity verification satisfy CDD obligations?

Yes, electronic verification can support compliance, provided the service is reliable and the remaining CDD requirements are completed.

How often should a customer’s due diligence file be reviewed?

There is no fixed review period. Reviews should reflect the customer’s risk level and be updated when significant changes occur.

Are the “Four Ps” of due diligence part of CDD law?

No, the “Four Ps” are not part of UK CDD requirements and generally relate to broader commercial or investment due diligence.

Why do some sources refer to five CDD pillars?

Some frameworks treat sanctions screening as a separate fifth element, while others include it within risk assessment and ongoing monitoring.

Are the four main types of business due diligence the same as CDD?

No, business due diligence assesses a company or transaction, while CDD focuses on customer identification and financial crime risk management.

Note:

This article provides general information for UK businesses and financial-services readers. It is informational, not financial or legal advice, and it does not replace sector-specific guidance.

CDD obligations vary according to the regulated activity, customer, transaction, product, jurisdiction and assessed risk. Businesses should consult current legislation, their supervisor’s guidance and qualified advisers where necessary.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *