Customer Due Diligence Requirements, Process and Checklist 2026
What this guide covers: Customer due diligence (CDD) is the regulated process through which businesses verify customer identity, understand the purpose of the business relationship, assess the risk each customer presents, and monitor that relationship over time. This guide covers the 4 mandatory CDD requirements, the three CDD levels, the step-by-step process, what CDD checks must include, UK MLR 2017 and US FinCEN obligations, when to repeat due diligence, and how OSINT screening closes the gaps that document checks alone leave open.
- CDD is a legal obligation under MLR 2017 (UK) and FinCEN’s CDD Final Rule (US). It’s not optional and it’s broader than banking: 28+ regulated sectors in the UK have CDD obligations.
- The 4 CDD requirements are: identify the customer, verify identity from independent sources, identify beneficial owners, and conduct ongoing monitoring.
- CDD has 3 intensity levels: simplified (low-risk customers), standard (default), and enhanced (EDD for high-risk triggers including PEPs and high-risk third countries).
- The most common CDD failure in FCA examinations is insufficient independent verification — accepting the customer’s own documentation without cross-checking against independent sources.
What is customer due diligence?
Customer due diligence (CDD) is the regulated process through which a business verifies who its customers are, understands what they do, assesses the financial crime risk they present, and monitors that relationship on an ongoing basis.
The obligation comes from statute, not policy. In the UK, CDD requirements are set by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which transpose the EU’s Fourth Anti-Money Laundering Directive (4AMLD) into UK law. In the US, the FinCEN CDD Final Rule, effective 11 May 2018, sets equivalent obligations under the Bank Secrecy Act (BSA). Both frameworks exist to prevent regulated businesses from being used for money laundering, terrorist financing, and fraud.
The scope in the UK is wider than most compliance teams realise. MLR 2017 applies to credit institutions, financial institutions, auditors, accountants, independent legal professionals, trust and company service providers (TCSPs), estate agents, high value dealers, casino operators, art market participants, and letting agents. Any business in these sectors has CDD obligations, regardless of size.
CDD vs KYC: what the terms mean
KYC (Know Your Customer) is the broader operational process through which regulated firms learn about their customers at onboarding and throughout the relationship. CDD is the legal framework that defines the minimum standards KYC must meet.
KYC is the practice. CDD is the regulatory obligation that defines what the practice must include.
The distinction matters in supervision. An FCA examiner reviewing customer files asks whether the firm met the 4 CDD requirements under Regulation 28 of MLR 2017, not whether the KYC programme scored well against internal benchmarks. See the Neotas KYC and customer due diligence platform for how both are supported.
Key takeaways
- CDD is a legal obligation in 28+ UK sectors under MLR 2017. Firms that fail it face regulatory fines, licence withdrawal, and in serious cases criminal liability under the Proceeds of Crime Act 2002.
- CDD has 3 intensity levels: simplified (SDD), standard, and enhanced (EDD). The level depends on the risk assessment applied to each customer.
- KYC and CDD are not the same term used differently. KYC is the operational practice; CDD is the regulatory standard it must satisfy.
- CDD applies at onboarding and throughout the relationship. Ongoing monitoring is a CDD obligation, not a separate programme.
Section summary: Customer due diligence is a statutory process set by MLR 2017 in the UK and FinCEN’s CDD Final Rule in the US. It applies across multiple sectors, not just banking, and the required depth scales with the risk level of each customer relationship.
What are the 4 customer due diligence requirements?
Quick answer: The 4 customer due diligence requirements are: (1) identify the customer; (2) verify that identity from reliable, independent sources; (3) identify and verify any ultimate beneficial owners (UBOs); and (4) understand and conduct ongoing monitoring of the business relationship. These apply under Regulation 28 of MLR 2017 in the UK and FinCEN’s CDD Final Rule in the US.
The 4 CDD requirements apply when establishing every new business relationship and must be maintained on a risk-scaled ongoing basis. Here is what each requires in practice.
Requirement 1: Identify the customer
MLR 2017 Regulation 28(2)(a) · FinCEN CDD Final Rule — Customer Identification Programme
For individuals: full name, date of birth, nationality, and residential address. For corporate entities: full legal name, company registration number, country of incorporation, registered office address, and the nature of the business. For partnerships, trusts, and other legal arrangements, the required information set is larger. The obligation is to collect this information before the business relationship is established — not after.
Requirement 2: Verify identity from reliable, independent sources
MLR 2017 Regulation 28(2)(b) · FinCEN CDD Final Rule — Identity Verification
Identification and verification are two distinct steps. Identification collects the information; verification checks it against a reliable, independent source. For individuals, this means government-issued photo ID (passport, national identity card, driving licence) cross-referenced against an independent data source: credit reference data, an electronic identity verification service, or an in-person document check. A customer sending a copy of their passport to a compliance team that accepts it without cross-checking against any independent source has not been verified — they’ve been identified. This is the single most common gap in FCA examination findings.
Requirement 3: Identify and verify the ultimate beneficial owners
MLR 2017 Regulation 28(3)-(5) · FinCEN CDD Final Rule — Beneficial Ownership Rule (2018)
For corporate customers, the firm must identify the ultimate beneficial owners (UBOs): any natural person who holds, directly or indirectly, more than 25% of the shares or voting rights of the customer, or who exercises control by other means. FinCEN’s 2018 CDD Final Rule added beneficial ownership as a fifth core element for covered US financial institutions, with the same 25% threshold. The verification must use independent sources — corporate registries, the UK Register of People with Significant Control (PSC register), national company registers in other jurisdictions, or OSINT where registry data is incomplete. A customer’s own declaration of ownership, accepted without verification, is not sufficient where there is any reason for doubt.
Requirement 4: Understand the business relationship and conduct ongoing monitoring
MLR 2017 Regulation 28(11)-(12) · FinCEN CDD Final Rule — Understanding and Ongoing Monitoring
The firm must document the purpose and intended nature of the business relationship, obtain source of funds information where the risk level warrants it, and maintain ongoing monitoring throughout the relationship. Ongoing monitoring means three things: keeping CDD documents and information current; scrutinising transactions against the customer’s expected profile; and applying new or updated CDD measures whenever a material change occurs in the relationship or in the customer’s risk classification.
| Requirement | MLR 2017 regulation | FinCEN equivalent | Minimum evidence |
|---|---|---|---|
| Identify the customer | Reg 28(2)(a) | CIP — Customer Identification Programme | Name, date of birth, address (individuals); company number, registered address, business nature (corporates) |
| Verify identity | Reg 28(2)(b) | CIP — Identity Verification | Government-issued photo ID cross-checked against independent source (credit data, electronic ID verification, in-person check) |
| Identify and verify UBOs | Reg 28(3)-(5) | Beneficial Ownership Rule (2018 amendment) | Corporate registry, PSC register or equivalent; independent verification via OSINT where registry data is insufficient |
| Understand and monitor | Reg 28(11)-(12) | CDD Final Rule — Understanding and Ongoing Monitoring | Documented business purpose, source of funds (where applicable), risk-scaled review schedule, transaction monitoring |
Section summary: The 4 CDD requirements are cumulative. Completing identification and skipping verification is a compliance failure. Verifying the customer but not the UBO chain is a compliance failure. The requirement that most consistently fails in regulatory examinations is beneficial ownership verification, particularly where corporate structures cross multiple jurisdictions.
The three types of customer due diligence
CDD applies at three intensities. The level applied to each customer depends on the risk assessment at the start of the relationship, updated as circumstances change.
Type 1: Simplified customer due diligence (SDD)
MLR 2017 Regulation 37 and Schedule 3 — applies only to Schedule 3 eligible customers
Simplified due diligence applies where the money laundering or terrorist financing risk associated with a customer is demonstrably low. Schedule 3 of MLR 2017 lists eligible customer types: credit institutions and financial institutions supervised in the UK, listed companies on regulated markets, UK public authorities, and certain pension schemes. SDD reduces the extent of verification required. It does not remove the obligation to identify the customer or to monitor the relationship. SDD cannot be applied as a blanket policy across a segment without a documented risk assessment for each customer.
Read more: What is simplified due diligence?
Type 2: Standard customer due diligence
MLR 2017 Regulation 28 — default level for all business relationships
Standard CDD is the default. It applies unless there are documented grounds for simplified or enhanced treatment. It requires all 4 CDD requirements to be met: identification, verification from independent sources, beneficial ownership checks, and ongoing monitoring at a frequency appropriate to the customer’s risk level. JMLSG Part I guidance sets out the practical standards for document acceptance and verification in the UK.
Type 3: Enhanced customer due diligence (EDD)
MLR 2017 Regulation 33 — mandatory triggers include PEPs and high-risk third countries
Enhanced due diligence applies where a higher risk is identified. Regulation 33 of MLR 2017 sets out the mandatory EDD triggers: politically exposed persons (PEPs) and their family members and known close associates; customers or transactions connected to high-risk third countries (as listed by the UK government under the MLRs); complex or unusually large transactions; and correspondent banking relationships. EDD goes beyond the standard 4 requirements and typically includes source of funds and source of wealth analysis, senior management approval, and more frequent monitoring. See the enhanced due diligence checklist for the full evidence requirements.
| CDD level | When it applies | Key characteristics | UK regulation |
|---|---|---|---|
| Simplified (SDD) | Schedule 3 customers with demonstrably low ML/TF risk | Reduced verification scope. Customer must still be identified. Documented risk assessment required. | Reg 37, Schedule 3 |
| Standard (CDD) | Default for all business relationships | All 4 CDD requirements. Risk-scaled ongoing monitoring. Documents kept current. | Reg 28 |
| Enhanced (EDD) | PEPs, high-risk third countries, complex transactions, correspondent banking | All CDD requirements plus source of funds/wealth, senior management approval, more frequent monitoring. | Reg 33 |
Section summary: The three CDD levels are not a firm’s own risk management tool — they’re the regulatory instruction. Misapplying simplified CDD to a customer who should receive enhanced CDD is a regulatory failure, regardless of whether any financial crime was involved. The risk-based approach guide covers how to score customers by risk level.
The customer due diligence process: step by step
The CDD process runs from initial risk classification through to ongoing monitoring throughout the customer relationship. These are the 6 steps that a compliant CDD programme covers.
Step 1: Customer risk classification
Before any checks are designed, classify the customer by risk level. The risk assessment considers: the customer’s country of residence and business; the sectors they operate in; their ownership structure; the type and expected volume of transactions; any PEP exposure; and any unusual complexity in the business relationship. The classification determines whether standard, simplified, or enhanced CDD applies. For the risk scoring methodology, see the risk-based approach to CDD in KYC and AML operations.
Step 2: Customer identification
Collect the required identifying information. For individuals: full legal name, date of birth, nationality, and residential address. For corporate entities: full legal name, company registration number, country of incorporation, registered address, and the nature of the business. For partnerships, LLPs, trusts, and unincorporated associations, the JMLSG Part I guidance sets out the specific information set required for each entity type.
Step 3: Identity verification against independent sources
Verify the collected information against a reliable, independent source. For individuals: government-issued photo ID cross-checked against credit reference data, electronic identity verification services, or via an in-person document check. For companies: Companies House filings (or equivalent), certificate of incorporation, and confirmation of the registered address via corporate registry. The independent source must be reliable: expired documents, photocopies accepted without cross-referencing, or self-certification alone do not satisfy Regulation 28(2)(b).
Step 4: Beneficial ownership identification and verification
For corporate customers, trace the ownership chain to the natural persons holding 25%+ of shares or voting rights, or exercising control by other means. Use the UK Register of People with Significant Control (PSC register), national corporate registries in each relevant jurisdiction, and OSINT where registry data is incomplete or unverifiable. PSC register data is self-reported by companies — it confirms what the company declared, not independently verified ownership. Where there is any reason for doubt, independent verification is required. See the beneficial ownership and source of funds guide.
Step 5: Screening: sanctions, PEPs, adverse media and OSINT
Screen the customer, all directors, and all UBOs against sanctions lists, PEP databases, and adverse media sources. For standard CDD: UK OFSI Consolidated List, OFAC SDN List (for US-facing relationships), UN Consolidated Sanctions List, and major PEP databases. For enhanced CDD cases: OSINT-based adverse media screening across all relevant languages is needed to capture enforcement actions, litigation records, and reputational findings that English-only tools miss. See OSINT tools and techniques for the methodology.
Step 6: Ongoing monitoring
Set a review schedule scaled to the customer’s risk classification: annually or every 2 years for low-to-medium risk; 6-monthly for high-risk and EDD customers. Build event-based triggers that prompt immediate review regardless of the scheduled cycle: ownership changes, PEP designation, adverse media, unusual transaction patterns, or any change in country of operation. See AML transaction monitoring for the monitoring layer.
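Step 4 above describes tracing the ownership chain, directly or indirectly, to natural persons above the 25% threshold and falling back to independent verification where registry data is incomplete. The following is an added illustration of that pro-rating walk, not Neotas code and not a regulatory tool; the registry, company names and individuals are constructed, and the "unresolved" and cross-holding handling are assumptions about how a compliance team would want gaps surfaced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Threshold from MLR 2017 Reg 28(3)-(5) and the FinCEN CDD Final Rule: a natural
# person holding MORE THAN 25% of shares or voting rights, directly or indirectly.
UBO_THRESHOLD = 25.0


@dataclass
class Entity:
    """One node in the ownership graph, as declared in a corporate registry filing."""
    name: str
    is_natural_person: bool = False
    # Declared holders of this entity: holder name -> % of shares or voting rights.
    holders: Dict[str, float] = field(default_factory=dict)


@dataclass
class UboResult:
    effective_ownership: Dict[str, float]  # natural person -> effective % of the customer
    ubos: List[str]                        # natural persons above the threshold
    unresolved_pct: float                  # % of the customer that registry data cannot attribute
    cycles: List[Tuple[str, str]]          # cross-holdings found (entity, holder already on path)


def trace_ubos(customer: str, registry: Dict[str, Entity],
               threshold: float = UBO_THRESHOLD) -> UboResult:
    """Pro-rate declared holdings up the chain until a natural person is reached."""
    effective: Dict[str, float] = {}
    cycles: List[Tuple[str, str]] = []
    unresolved = 0.0

    def walk(entity_name: str, share_of_customer: float, path: List[str]) -> None:
        nonlocal unresolved
        entity = registry.get(entity_name)
        if entity is None:
            # Holder is named in a filing but has no filing of its own (offshore
            # vehicle, nominee): that slice cannot be resolved from registry data.
            unresolved += share_of_customer
            return
        if entity.is_natural_person:
            effective[entity.name] = effective.get(entity.name, 0.0) + share_of_customer
            return
        declared = sum(entity.holders.values())
        if declared < 100.0:
            # Filing does not account for all shares (e.g. missing PSC entries).
            unresolved += share_of_customer * (100.0 - declared) / 100.0
        for holder, pct in entity.holders.items():
            slice_pct = share_of_customer * pct / 100.0
            if holder in path:
                # Cross-holding (A owns B, B owns A): record it and stop, otherwise
                # the walk never terminates. That slice stays unattributed.
                cycles.append((entity.name, holder))
                unresolved += slice_pct
                continue
            walk(holder, slice_pct, path + [holder])

    walk(customer, 100.0, [customer])
    ubos = sorted(person for person, pct in effective.items() if pct > threshold)
    return UboResult(effective, ubos, round(unresolved, 6), cycles)


# Constructed sample registry (all names fictitious). "Offshore Nominees Ltd" has
# no filing of its own, modelling the gap the text says OSINT has to close.
SAMPLE_REGISTRY: Dict[str, Entity] = {
    "Acme Trading Ltd": Entity("Acme Trading Ltd", holders={
        "Acme Holdings Ltd": 60.0, "Alice Example": 30.0, "Bob Example": 10.0}),
    "Acme Holdings Ltd": Entity("Acme Holdings Ltd", holders={
        "Carol Example": 50.0, "Offshore Nominees Ltd": 50.0}),
    "Loop A Ltd": Entity("Loop A Ltd", holders={"Loop B Ltd": 100.0}),
    "Loop B Ltd": Entity("Loop B Ltd", holders={"Loop A Ltd": 40.0, "Dan Example": 60.0}),
    "Alice Example": Entity("Alice Example", is_natural_person=True),
    "Bob Example": Entity("Bob Example", is_natural_person=True),
    "Carol Example": Entity("Carol Example", is_natural_person=True),
    "Dan Example": Entity("Dan Example", is_natural_person=True),
}


def needs_independent_verification(result: UboResult) -> bool:
    """Flag the file for registry/OSINT follow-up when the chain is not fully resolved."""
    return result.unresolved_pct > 0.0 or bool(result.cycles)


if __name__ == "__main__":
    for customer in ("Acme Trading Ltd", "Loop A Ltd"):
        res = trace_ubos(customer, SAMPLE_REGISTRY)
        print(customer, "UBOs:", res.ubos, "unresolved %:", res.unresolved_pct,
              "cycles:", res.cycles, "follow-up:", needs_independent_verification(res))
```

Carol never appears in the customer's own filing but reaches 30% through the holding company, which is exactly the indirect case the text warns about; "control by other means" cannot be computed from percentages and still needs analyst judgement.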
Section summary: Ongoing monitoring is consistently the most under-resourced part of a CDD programme. Steps 1-5 happen once at onboarding; Step 6 runs for the lifetime of the relationship. FCA supervisory findings consistently identify ongoing monitoring as the area with the largest gap between documented policy and actual practice.
CDD regulations: UK, US and international requirements
The three frameworks below define the legal standard for CDD in the UK, the US, and internationally. Firms with cross-border operations can design a single CDD standard that satisfies all three simultaneously.
UK: Money Laundering Regulations 2017 (MLR 2017)
MLR 2017 is the primary UK legal framework for anti-money laundering and customer due diligence. It implements the EU’s Fourth Anti-Money Laundering Directive into UK law and has been retained and amended post-Brexit, including through the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.
Regulation 28 sets out the 4 CDD measures. Regulation 33 sets the mandatory EDD triggers. Schedule 3 lists the customer types eligible for simplified CDD. Regulation 43 requires that CDD be completed before establishing a business relationship or, for transactions, before the transaction is carried out.
The FCA is the supervisory authority for most financial services firms. HMRC supervises accountants, estate agents, high value dealers, art market participants, and letting agents. The JMLSG Guidance (Parts I and II, updated 2023) is the primary practitioner-level interpretation of MLR 2017 for the financial services sector.
US: FinCEN CDD Final Rule (2018)
The FinCEN CDD Final Rule amended the Bank Secrecy Act regulations to add explicit CDD requirements for covered financial institutions: banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. It was published on 11 May 2016 and became effective on 11 May 2018.
The rule codifies 5 core elements: identifying and verifying customer identity; identifying and verifying beneficial owners of legal entity customers at the 25% threshold; understanding the nature and purpose of customer relationships; conducting ongoing monitoring and updating customer information; and filing Suspicious Activity Reports (SARs). The rule also requires identification of a “control prong” individual — the executive or senior manager with control over the legal entity — in addition to ownership-based UBOs.
The full text is available at the FinCEN CDD Final Rule page.
International: FATF Recommendation 10
FATF Recommendation 10 is the global baseline for CDD, adopted by 200+ jurisdictions through FATF membership. It requires financial institutions to conduct CDD when: establishing a business relationship; carrying out occasional transactions above USD/EUR 15,000; there is a suspicion of money laundering or terrorist financing; or there is doubt about previously obtained data. FATF Recommendation 10 also requires ongoing due diligence on the business relationship throughout its duration.
| Element | UK (MLR 2017) | US (FinCEN CDD Final Rule) | International (FATF Rec. 10) |
|---|---|---|---|
| UBO threshold | 25% ownership or control | 25% + control prong individual | 25% (recommended) — jurisdiction may set lower |
| Transaction trigger | Before establishing the relationship; high-value cash: €10,000+ | Before relationship or on suspicion | Occasional transactions at USD/EUR 15,000+ |
| Supervisor | FCA (financial services), HMRC (other sectors) | FinCEN + prudential regulators (OCC, FDIC, Fed, NCUA) | National FIU and AML supervisor |
| EDD mandatory triggers | PEPs, high-risk third countries, complex transactions, correspondent banking | SARs required on suspicion; PEP and high-risk country exposure triggers enhanced measures | Higher-risk customers; PEPs; correspondent relationships |
Section summary: MLR 2017 and the FinCEN CDD Final Rule impose largely equivalent obligations. Firms with dual UK-US regulatory footprints can run a single CDD standard designed to meet both frameworks in one assessment. See the financial crime compliance framework for programme design guidance.
What customer due diligence checks must cover
CDD checks are the documentary and screening steps that satisfy the 4 requirements. The precise checks depend on the customer’s risk classification. Here is what a standard CDD file must contain.
| Check | What it covers | Regulatory basis | When OSINT is needed |
|---|---|---|---|
| Identity verification | Government photo ID cross-checked against independent source | Reg 28(2)(b) | EDD cases, cross-border customers, disputed identity |
| Address verification | Utility bill, bank statement or government correspondence dated within 3 months | Reg 28(2)(b); JMLSG Part I | Where address is in high-risk jurisdiction |
| Beneficial ownership | PSC register, corporate registries, UBO chain traced to natural person | Reg 28(3)-(5) | Multi-jurisdiction structures, nominee ownership, discrepancies between declaration and registry |
| Sanctions screening | OFSI Consolidated List, OFAC SDN, UN Consolidated List, EU Consolidated List | Sanctions Act 2018; OFAC guidance | High-risk third country exposure; UBO in opaque jurisdiction |
| PEP screening | Customer, directors, UBOs checked against PEP databases | Reg 35; Reg 33(1)(a) | Lower-profile jurisdictions where commercial PEP databases have gaps |
| Adverse media screening | Regulatory enforcement, criminal proceedings, litigation, significant negative press | Reg 28 — risk assessment; Reg 33 EDD | All cross-border customers. Standard tools screen English only — OSINT across 200+ languages is needed for international customers. |
| Source of funds | Where the specific funds entering the relationship came from | Reg 33(3)(b) for EDD cases | All EDD cases; high-value transactions; PEPs |
Why adverse media screening in English alone is insufficient
Commercial adverse media tools typically index English-language press, major newswires, and some multilingual databases. For UK customers this is often adequate. For any customer with international connections — particularly from Central and Eastern Europe, the Middle East, Southeast Asia, or Africa — the most material adverse media will often be in regional-language sources that English-only tools don’t reach.
FCA supervisory assessments of financial crime control frameworks have specifically noted the inadequacy of narrow adverse media screening. The practical consequence is that a regulatory enforcement action against a director in Polish, Turkish, or Mandarin press goes undetected by standard tools and leaves a gap in the CDD file that an FCA examiner will identify.
Neotas screens across 200+ languages using OSINT analyst review. The methodology covers regional press, court records, regulatory enforcement notices, and social media signals. See OSINT tools and techniques for the screening approach and open-source investigation best practices for the methodology.
PEP database coverage gap: PEP status for a cabinet minister in a G7 country will appear in all major commercial databases. PEP status for a regional official in a lower-income country often won’t. OSINT review of political websites, parliament records, and regional press in the relevant language fills the gap. For the full PEP screening methodology, see high-risk customers: types and indicators.
Section summary: Standard document checks satisfy the identification and verification requirements, but leave gaps in adverse media coverage, PEP identification in lower-profile jurisdictions, and beneficial ownership chains through nominee structures. Those gaps are where regulatory examination findings concentrate — and where Neotas’s OSINT capability adds the evidence layer that document checks alone can’t produce.
When should you repeat due diligence on a customer?
Quick answer: Repeat customer due diligence whenever a material change occurs in the customer relationship, and on a risk-scaled periodic schedule: every 3-5 years for low-risk customers, annually for high-risk and EDD customers. Regulation 28(11) of MLR 2017 requires CDD to be kept up to date throughout the relationship.
Ongoing CDD doesn’t have a single universal schedule. MLR 2017 Regulation 28(11) and JMLSG Part I set out the expectation: CDD must be applied at appropriate times on a risk-sensitive basis to keep information current and to identify any change in risk classification.
Periodic review schedule by risk level
Low-risk customers: every 3-5 years is common practice, aligned with JMLSG guidance. Medium-risk customers: annually or every 2 years. High-risk and EDD customers: every 6-12 months, with event-based review whenever a material change occurs.
Event-based triggers that require immediate review
Any of the following should prompt an immediate CDD review, regardless of where the customer sits in the periodic schedule:
- A material change in the customer’s ownership, control, or corporate structure
- A new PEP designation affecting the customer, a director, or a UBO
- An adverse media finding or regulatory action involving the customer
- A significant or unexpected change in transaction patterns or volumes
- Any change in the customer’s country of operation, incorporation, or primary banking to a high-risk third country
- A court order, insolvency event, or investigation involving the customer or a key individual
- Expiry of key verification documents — passports, corporate registry annual filings, licences
- Any internal alert generated by transaction monitoring that cannot be immediately explained
Perpetual KYC and continuous monitoring
Perpetual KYC (pKYC) replaces the scheduled review cycle with real-time data updates. The regulatory basis is the same — Regulation 28(11) requires CDD to be kept current — but pKYC achieves this through automated data feeds, continuous screening, and alert-based case management rather than manual periodic reviews. It’s standard practice at larger banks and increasingly adopted by regulated fintechs. See perpetual KYC explained for a detailed guide to the approach.
Section summary: The legal obligation for ongoing CDD comes from Regulation 28(11) of MLR 2017. The practical standard is a risk-scaled periodic schedule with event-based triggers. The most common failure is having a policy document that describes a review schedule that isn’t carried out — the FCA calls this “policies without controls.”
Common CDD failures: what regulators find
FCA Final Notices and FinCEN enforcement actions from 2019-2026 show consistent failure categories. These appear in examination findings across banks, building societies, payment institutions, and professional services firms.
Failure 1: Identification without independent verification
The firm accepts a customer’s passport copy, records the name and date of birth, and treats this as completed CDD. Regulation 28(2)(b) requires verification against a reliable, independent source. The copy alone is not verification. FCA examination guidance is explicit: a scanned document sent by the customer is identification evidence, not verification. This is the single most common CDD failure across all regulated sectors.
Failure 2: Beneficial ownership treated as self-declaration
The CDD file records the customer’s own statement of ownership structure, with no independent verification against corporate registries. For simple UK-incorporated companies, relying solely on Companies House data is generally acceptable. For structures spanning multiple jurisdictions, nominee arrangements, or where there is any doubt, independent registry verification and OSINT are required. The PSC register is self-reported by companies — it confirms what the company declared, not verified ownership.
Failure 3: Adverse media screening limited to English-language sources
For any customer with international connections, English-only adverse media tools leave material risk undetected. FCA supervisory feedback on financial crime controls has specifically flagged the inadequacy of narrow adverse media tools for international customer bases. Regulatory enforcement actions, court proceedings, and reputational findings in regional-language press represent the most common category of adverse findings that English-only screening misses.
Failure 4: Ongoing monitoring policy not executed in practice
Many firms have written periodic CDD review policies that don’t happen in practice. The FCA examination finding is a gap between the documented process and the actual performance records: no evidence of reviews having been carried out, or reviews that were carried out but not documented. Documentation of monitoring activity — not just the policy describing it — is the evidence requirement.
Failure 5: EDD triggers not consistently applied across the firm
PEP status identified by one team but not communicated to account management. A high-risk third country connection flagged at onboarding but not reviewed when the customer’s business expanded. EDD failures are frequently governance failures: the data was available but the escalation process didn’t work. Senior management approval for new high-risk relationships is a regulatory requirement under Regulation 35 of MLR 2017, not a best practice option.
Customer due diligence checklist
This checklist covers the evidence required for a standard CDD file in a UK regulated context under MLR 2017. Adjust for EDD cases using the enhanced due diligence checklist.
Individual customers — standard CDD
- Full legal name: as it appears on photo ID
- Date of birth: confirmed against ID document
- Nationality: recorded and any dual nationality noted
- Current residential address: confirmed via independent document dated within 3 months
- Identity verification: government photo ID cross-checked against electronic ID verification service, credit reference data, or in-person check
- Sanctions screening: OFSI, OFAC (where relevant), UN, EU lists — customer screened at onboarding and on review
- PEP screening: commercial database check + OSINT for lower-profile jurisdictions
- Adverse media: English-language press minimum; OSINT in relevant languages for international customers
- Business purpose: documented — what the relationship is for, expected transaction types and values
- Risk classification: documented — standard, SDD, or EDD rationale
Corporate customers — standard CDD
- Full legal name: as registered with the corporate authority
- Company registration number and country of incorporation
- Registered address: confirmed via corporate registry
- Nature of business: SIC code, principal activities, business description
- Certificate of incorporation or equivalent
- Directors and authorised signatories: identified and individually screened
- Beneficial ownership: PSC register checked; UBO chain traced to natural person; OSINT verification where any nominee structure is suspected
- Sanctions screening: entity, directors, and all UBOs screened
- PEP screening: directors and UBOs screened via commercial database and OSINT where needed
- Adverse media: entity and all named individuals; OSINT in relevant languages for international corporates
- Source of funds: required for high-value or EDD relationships
- Business purpose: documented, with expected transaction profile
- Risk classification and review schedule: documented
How Neotas supports customer due diligence
Neotas delivers CDD-compliant identity, beneficial ownership, sanctions, PEP and adverse media screening as a managed service and via the Neotas platform. Reports are structured to meet the evidential requirements of MLR 2017 Regulation 28, the FinCEN CDD Final Rule, and JMLSG Part I guidance. Every report cites sources, dates findings, and documents the screening methodology used.
| CDD requirement | Neotas service | Evidence delivered |
|---|---|---|
| Beneficial ownership verification | UBO tracing via corporate registries and OSINT | Ownership chain to natural person level. Nominee structure identification. Jurisdictional risk assessment. Source-cited. |
| Adverse media screening | OSINT-enhanced adverse media review in 200+ languages | Source-cited findings across regional press, court records, regulatory enforcement notices and social media. Dated. Analyst reviewed. |
| Sanctions and PEP screening | Multi-list screening across OFSI, OFAC, UN, EU and sector lists | Entity, director and UBO coverage. Dated screening output. PEP database plus OSINT for lower-profile jurisdictions. |
| Enhanced due diligence | Full EDD report on triggered customers | Covers all 4 CDD requirements plus source of funds analysis, deeper OSINT review, and senior management summary. Report delivered within 5 working days. |
| Ongoing monitoring | Continuous screening and alert-based case management | Real-time alerts on new sanctions hits, adverse media, PEP designation changes, and regulatory actions. Monthly monitoring summary. |
Neotas is recognised in the Chartis FCC50 as a leading financial crime compliance technology provider. The platform combines structured database screening with open-source intelligence and analyst-led investigation across more than 200 languages. It’s used by compliance officers, MLROs, and in-house counsel at regulated financial services, insurance, and professional services firms.
Neotas in practice: customer due diligence
Adverse media finding in regional-language press prevented a high-risk onboarding
A UK regulated lender commissioned Neotas enhanced due diligence on a corporate customer with operations in Central Asia. OSINT screening in Cyrillic-language press identified a regulatory enforcement action against a director that was absent from all English-language databases and the standard adverse media tool used by the firm. The lender declined the relationship before completing onboarding. See all case studies
UBO verification identified a sanctioned individual in the ownership chain
A financial services firm requested Neotas CDD support on a new corporate client. Tracing the ownership chain through three jurisdictions identified a UBO with an OFAC SDN designation — a finding the customer’s own ownership declaration did not disclose. The firm declined the relationship before completing onboarding and filed a Suspicious Activity Report. See all case studies
Portfolio re-screen identified undisclosed PEP status across an existing customer base
A professional services firm’s standard onboarding process had missed a PEP designation that occurred after initial onboarding. Neotas’s ongoing monitoring service flagged the change within 48 hours of the designation being published. The firm conducted an EDD review and filed a SAR within 30 days. See all case studies
Close the gaps in your CDD programme
Neotas delivers MLR 2017-compliant CDD and EDD screening for regulated firms. Adverse media in 200+ languages, UBO verification, sanctions and PEP screening, and ongoing monitoring in one managed service.
Chartis FCC50 recognised. Used across banking, insurance, legal and professional services.
Frequently asked questions: customer due diligence
Covering the questions most commonly asked by compliance officers, MLROs, and in-house counsel at regulated firms in the UK and US. Each answer cites the relevant regulation.
What is customer due diligence (CDD)?
Customer due diligence (CDD) is the regulated process by which a business verifies the identity of its customers, understands the purpose and nature of the business relationship, assesses the money laundering or terrorist financing risk presented, and monitors the relationship on an ongoing basis. In the UK, CDD is required under Regulation 28 of the Money Laundering Regulations 2017. In the US, equivalent obligations apply under the FinCEN CDD Final Rule (2018). Both frameworks cover 4 mandatory requirements: identification, verification, beneficial ownership, and ongoing monitoring.
What are the 4 customer due diligence requirements?
The 4 customer due diligence requirements under Regulation 28 of MLR 2017 are: (1) identify the customer by obtaining their name, date of birth and address, and for corporates the registration number and nature of business; (2) verify that identity from a reliable, independent source, not just the customer’s own documents; (3) identify and verify the ultimate beneficial owners of legal entity customers, meaning the natural persons who directly or indirectly own or control more than 25%; (4) understand the purpose and nature of the business relationship and conduct ongoing monitoring. These 4 requirements apply at onboarding and must be maintained for the lifetime of the relationship. See the CDD checklist for the document evidence list.
What is the difference between KYC and CDD?
KYC (Know Your Customer) is the operational process through which a regulated firm gathers information about its customers at onboarding and throughout the relationship. CDD (Customer Due Diligence) is the regulatory framework that sets the minimum standards the KYC process must meet. KYC describes the practice; CDD defines the legal standard. In UK supervisory examinations, the FCA assesses compliance against the CDD requirements in Regulation 28 of MLR 2017, not against internal KYC policies. See the KYC and customer due diligence platform.
What are the three types of customer due diligence?
The three types of customer due diligence are: simplified CDD (SDD), which applies to Schedule 3 eligible customers with demonstrably low money laundering risk under Regulation 37 of MLR 2017; standard CDD, the default level under Regulation 28 covering all 4 CDD requirements; and enhanced CDD (EDD), which applies under Regulation 33 where higher risk is identified, including PEPs, customers from high-risk third countries, complex transactions, and correspondent banking relationships. The level of CDD applied must be documented and the risk assessment justifying the choice must be on file. See simplified due diligence explained and the enhanced due diligence checklist.
Who must carry out customer due diligence under MLR 2017?
CDD obligations under MLR 2017 apply to “relevant persons”, a broad category covering 28+ regulated sectors. These include credit institutions, financial institutions, auditors and insolvency practitioners, external accountants, independent legal professionals, trust and company service providers (TCSPs), estate agents, high value dealers (cash payments of €10,000 or more, the threshold MLR 2017 states in euros), casino operators, art market participants, and letting agents. The FCA supervises most financial services firms. HMRC supervises accountants, estate agents, high value dealers, art market participants, and letting agents. See GOV.UK guidance on MLR 2017 responsibilities.
When should customer due diligence be repeated?
Repeat customer due diligence whenever a material change occurs in the relationship and on a risk-scaled periodic schedule. Regulation 28(11) of MLR 2017 requires CDD to be kept up to date throughout the relationship. JMLSG Part I guidance requires the review frequency to follow the risk assessment rather than fixing a period; common practice is a review every 3-5 years for low-risk customers and at least annually for high-risk and EDD customers. Event-based triggers requiring immediate review include: ownership changes, new PEP designation, adverse media, significant transaction pattern changes, change of country of operation to a high-risk jurisdiction, and any insolvency event. See AML transaction monitoring for the monitoring layer.
What is enhanced customer due diligence (EDD)?
Enhanced customer due diligence (EDD) is a deeper level of CDD applied where a higher money laundering or terrorist financing risk is identified. Regulation 33 of MLR 2017 makes EDD mandatory for PEPs and their family members and close associates, customers from high-risk third countries, correspondent banking relationships, and complex or unusually large transactions. EDD requires additional steps beyond the standard 4 CDD requirements: source of funds and source of wealth verification, senior management approval for new relationships, and more frequent ongoing monitoring. See the enhanced due diligence checklist and enhanced due diligence services.
What is simplified customer due diligence (SDD)?
Simplified customer due diligence (SDD) applies where the money laundering and terrorist financing risk is demonstrably low, as defined by Schedule 3 of MLR 2017. Eligible customers include UK-regulated credit institutions, financial institutions, listed companies on regulated markets, UK public authorities, and certain pension schemes. SDD reduces the extent of verification required but does not remove the obligation to identify the customer or maintain ongoing monitoring. It requires a documented risk assessment for each customer it’s applied to; blanket SDD across a segment without individual assessment is not compliant. See what is simplified due diligence?
What is the FinCEN Customer Due Diligence Final Rule?
The FinCEN Customer Due Diligence Final Rule, effective 11 May 2018, amended the Bank Secrecy Act (BSA) regulations to codify CDD requirements for covered financial institutions in the US: banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. The rule established 4 core elements (customer identification and verification, beneficial ownership identification and verification, understanding the nature and purpose of the business relationship, and ongoing monitoring) and added CDD, including beneficial ownership, as an explicit fifth pillar of the AML programme requirement alongside internal controls, independent testing, a designated compliance officer, and training. Ongoing monitoring under the rule feeds the institution’s existing obligation to file Suspicious Activity Reports (SARs). The beneficial ownership rule requires identification of anyone owning 25% or more of a legal entity plus one control-prong individual. The full rule text is at FinCEN.gov.
What is FATF Recommendation 10?
FATF Recommendation 10 is the international standard for customer due diligence, applied in 200+ jurisdictions through the FATF and its global network of FATF-style regional bodies. It requires financial institutions to carry out CDD when establishing a business relationship, when carrying out occasional transactions above USD/EUR 15,000, when there is suspicion of money laundering or terrorist financing, and when there is doubt about the accuracy of previously collected information. Recommendation 10 also requires ongoing monitoring throughout the business relationship. The UK’s MLR 2017 and FinCEN’s CDD Final Rule both implement Recommendation 10 into national law.
What documents are required for customer due diligence?
For individual customers under standard CDD: government-issued photo ID (passport, national identity card, driving licence) plus an address verification document (utility bill, bank statement, or government correspondence) dated within 3 months, cross-checked against an independent source. For corporate customers: certificate of incorporation, company registration details from the relevant registry, registered office address, list of directors, and beneficial ownership documentation traced through any intermediate holding structure. For EDD cases, source of funds evidence is also required. The JMLSG Part I guidance provides detailed document acceptance standards for UK-regulated firms. See the CDD checklist for the full list.
What is a beneficial owner in customer due diligence?
A beneficial owner in the context of customer due diligence is the natural person who ultimately owns or controls a legal entity: anyone who holds, directly or indirectly, more than 25% of the shares or voting rights, or who exercises control by other means. Regulation 5 of MLR 2017 sets this definition for the UK. FinCEN’s 2018 CDD rule uses a threshold of 25% or more in the US, plus a “control prong” individual (a senior executive with decision-making authority over the entity). Beneficial ownership verification requires independent tracing through the ownership chain, not just accepting the customer’s own declaration. See beneficial ownership and source of funds explained.
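The checklist above asks for the UBO chain to be traced to a natural person, and this answer gives the thresholds, but neither says how an indirect holding through two or three intermediate companies is actually counted. The script below is an added worked example, not code from the original page or from Neotas: it takes a constructed ownership register (all company and person names are invented) and applies two conventions to it. The first is multiplicative look-through, which sums the product of the fractions along every path and is the common computational reading of “directly or indirectly” under the FinCEN rule; the second is the PSC register rule in Companies Act 2006 Schedule 1A, which attributes an intermediate company’s shares to a person only through an unbroken chain of majority (more than 50%) stakes. Both the aggregation convention a firm adopts and how it treats the cases flagged for review are policy choices and are marked as assumptions in the code. The example also handles the two things that break automated tracing: a chain that ends at an undisclosed nominee, and circular cross-holdings.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample register for a hypothetical corporate customer (all names
# invented). entity -> list of (holder, fraction of shares or voting rights).
# A holder that is neither a known natural person nor an entity with recorded
# owners is treated as untraced, e.g. a nominee whose principals are undisclosed.
OWNERSHIP = {
    "TargetCo Ltd": [("HoldCo A", Fraction(60, 100)), ("HoldCo B", Fraction(30, 100)),
                     ("Dana Reyes", Fraction(10, 100))],
    "HoldCo A":     [("Alex Novak", Fraction(50, 100)), ("HoldCo C", Fraction(50, 100))],
    "HoldCo B":     [("Alex Novak", Fraction(40, 100)), ("Nominee Services SA", Fraction(60, 100))],
    "HoldCo C":     [("Priya Desai", Fraction(1))],
}
NATURAL_PERSONS = {"Alex Novak", "Priya Desai", "Dana Reyes"}


def effective_ownership(target, register=OWNERSHIP, persons=NATURAL_PERSONS):
    """Multiplicative look-through (assumed aggregation convention): a person's
    effective share of `target` is the sum over every ownership path of the
    product of the fractions on that path. Returns (owners, unresolved, cycles):
    effective shares of natural persons, effective shares ending at an untraced
    holder, and circular holdings, which path enumeration cannot resolve."""
    owners, unresolved, cycles = defaultdict(Fraction), defaultdict(Fraction), []

    def walk(entity, share, path):
        for holder, frac in register.get(entity, []):
            eff = share * frac
            if holder in persons:
                owners[holder] += eff
            elif holder in path:          # cross-holding: record it, do not guess
                cycles.append(tuple(path + [holder]))
            elif holder in register:
                walk(holder, eff, path + [holder])
            else:                         # chain stops short of a natural person
                unresolved[holder] += eff

    walk(target, Fraction(1), [target])
    return dict(owners), dict(unresolved), cycles


def beneficial_owners(target, threshold=Fraction(1, 4), inclusive=False, **kw):
    """Natural persons over the threshold. MLR 2017 Regulation 5 says 'more than
    25%' (inclusive=False); FinCEN's ownership prong says '25 percent or more'
    (inclusive=True). Sorted by name."""
    owners, _, _ = effective_ownership(target, **kw)
    meets = (lambda s: s >= threshold) if inclusive else (lambda s: s > threshold)
    return sorted((p, s) for p, s in owners.items() if meets(s))


def majority_stake_holder(entity, register=OWNERSHIP, persons=NATURAL_PERSONS, seen=()):
    """PSC register rule (Companies Act 2006 Sch 1A para 18): an entity's shares
    are held indirectly by whoever tops an unbroken chain of >50% stakes.
    Returns that natural person or untraced holder, or None if any link lacks
    a majority holder."""
    if entity in seen:
        return None
    for holder, frac in register.get(entity, []):
        if frac > Fraction(1, 2):
            if holder in persons or holder not in register:
                return holder
            return majority_stake_holder(holder, register, persons, seen + (entity,))
    return None


def psc_attribution(target, register=OWNERSHIP, persons=NATURAL_PERSONS):
    """Direct holdings of natural persons plus entity holdings attributed through
    majority stakes. Entity holdings not attributable to a natural person are
    returned separately as holder -> (fraction, reason)."""
    attributed, unattributed = defaultdict(Fraction), {}
    for holder, frac in register.get(target, []):
        if holder in persons:
            attributed[holder] += frac
            continue
        top = majority_stake_holder(holder, register, persons)
        if top in persons:
            attributed[top] += frac
        elif top is None:
            unattributed[holder] = (frac, "no majority stake at one link of the chain")
        else:
            unattributed[holder] = (frac, f"chain ends at untraced holder {top}")
    return dict(attributed), unattributed


def review_flags(target, **kw):
    """Findings that go to manual review before the UBO file is closed
    (assumed firm policy: untraced residue and cycles are never auto-cleared)."""
    _, unresolved, cycles = effective_ownership(target, **kw)
    flags = [f"untraced holder {h} with effective share {float(s):.0%}"
             for h, s in unresolved.items()]
    flags += ["circular holding: " + " -> ".join(c) for c in cycles]
    return flags


if __name__ == "__main__":
    print("multiplicative UBOs:", beneficial_owners("TargetCo Ltd"))
    print("PSC attribution:", psc_attribution("TargetCo Ltd"))
    print("review flags:", review_flags("TargetCo Ltd"))
```

On the sample register the two conventions disagree, which is the point: multiplicative look-through makes Alex Novak (30% via HoldCo A plus 12% via HoldCo B, 42% in total) and Priya Desai (30% via HoldCo A and HoldCo C) beneficial owners, while the PSC majority-stake rule attributes HoldCo A’s 60% to nobody because HoldCo A is split 50/50, so under the PSC regime the intermediate company itself, not an individual, is what the register would show at that link. HoldCo B’s 30% ends at an undisclosed nominee under both rules and is returned as an 18% effective untraced residue, which is exactly the “nominee structure suspected” case the checklist sends to OSINT verification rather than to an automated clear.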
What is a politically exposed person (PEP)?
A politically exposed person (PEP) is an individual who holds or has held a prominent public function: heads of state and government, senior government ministers, members of parliament, senior judiciary, senior military officers, senior executives of state-owned enterprises, senior officials of international organisations, members of governing bodies of political parties, and senior central bank officials. Under Regulation 35 of MLR 2017, a customer being a PEP, or being a family member or known close associate of a PEP, triggers mandatory enhanced due diligence. PEP status persists for at least 12 months after the individual leaves the public position, and firms must apply a risk-based approach to determine when to end EDD treatment. See high-risk customers: types and indicators.
What is the difference between AML and CDD?
AML (Anti-Money Laundering) is the broad framework of laws, regulations, and controls designed to prevent money laundering and terrorist financing. CDD (Customer Due Diligence) is one specific component of the AML framework: the process of identifying, verifying, and monitoring customers. The AML framework also includes transaction monitoring, suspicious activity reporting (SARs), record-keeping obligations, staff training, and the broader risk assessment of the business. CDD satisfies several AML obligations at the customer level, but a complete AML programme covers activities well beyond CDD alone. See the AML compliance checklist for the full programme scope.
What is customer due diligence in banking?
In banking, customer due diligence covers the same 4 mandatory requirements under Regulation 28 of MLR 2017 as other regulated sectors, but banks face additional CDD obligations because of their scale and systemic risk. The bank’s CDD programme must cover retail, commercial, and correspondent banking relationships. Correspondent relationships between banks are treated as higher risk and require Regulation 34 measures: the bank must assess whether the respondent institution has adequate AML controls, must not enter into or continue a correspondent relationship with a shell bank, must be satisfied about the respondent’s checks on any payable-through accounts, and must document approval from senior management. See the financial crime compliance services for bank-specific CDD support.
What happens if customer due diligence cannot be completed?
Regulation 31 of MLR 2017 sets out the obligations where CDD cannot be completed. Where a firm cannot apply CDD measures, it must not establish a business relationship or carry out a transaction. If CDD cannot be completed on an existing customer, the firm must terminate the relationship. If there is suspicion that money laundering or terrorist financing is involved, the firm must consider whether to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) before declining or terminating. See MLRO responsibilities for the SAR reporting obligations.
What is the risk-based approach to customer due diligence?
The risk-based approach to CDD means applying CDD measures proportionate to the identified money laundering and terrorist financing risk. Regulation 28(12)-(13) of MLR 2017 and FATF Recommendation 10 both require firms to calibrate the extent of CDD measures to the risk level of each customer and business relationship. Higher-risk customers receive more intensive checks and more frequent monitoring; lower-risk customers may receive simplified CDD. The risk assessment considers: the customer’s country of origin and business, their sector, ownership structure, transaction type and expected volumes, and any PEP or adverse media exposure. The risk classification must be documented. See the risk-based approach guide for the scoring methodology.
Download the Customer Due Diligence Handbook
A practitioner’s reference covering the 4 CDD requirements, the three CDD levels, the screening checklist, and the OSINT layer that closes the gaps standard document checks leave open. Used by compliance officers, MLROs, and in-house counsel at UK-regulated firms.
Turn Compliance Requirements Into Actionable Due Diligence
Stop interpreting regulations and start applying them. Access a practical due diligence framework used by compliance, risk, and investigation teams to assess customers, suppliers, partners, and third parties with confidence.
Download the Due Diligence Report (PDF)
Includes checklists, risk indicators, EDD triggers, and OSINT investigation guidance.
Related reading
Further resources for compliance officers, MLROs, and in-house counsel working on CDD programmes in UK and US regulated firms.
Customer Due Diligence Checklist for UK Regulated Firms →
Document evidence checklist covering the 4 CDD requirements under MLR 2017 for individual and corporate customers. Includes PEP, sanctions and adverse media screening evidence requirements.
Enhanced Due Diligence Checklist →
Full EDD evidence checklist under MLR 2017 Regulation 33, covering PEPs, high-risk third country customers, source of funds and source of wealth verification, and ongoing monitoring for EDD relationships.
What is Simplified Due Diligence? →
Guide to when simplified CDD applies under MLR 2017 Schedule 3, which customer types qualify, what documentation is still required, and the risk assessment that must be on file for each SDD relationship.
AML Compliance Checklist →
Full AML programme checklist covering CDD, transaction monitoring, suspicious activity reporting (SARs), record-keeping, staff training, and governance obligations under MLR 2017 and the Proceeds of Crime Act 2002.
Risk-Based Approach to AML and CDD →
How to design and document a risk-based approach to customer due diligence under MLR 2017 and FATF Recommendation 10, including customer risk scoring methodology, risk appetite documentation, and how to calibrate CDD depth by risk tier.
Enhanced Due Diligence Services →
Neotas EDD reports covering OSINT-enhanced adverse media screening in 200+ languages, UBO verification, sanctions and PEP screening, and source of funds analysis. Structured to meet MLR 2017 Regulation 33 evidential requirements.
OSINT Tools and Techniques →
Open-source intelligence methodology used to close the adverse media and PEP coverage gap in standard CDD tools. Covers multi-language press screening, corporate registry OSINT, court record research, and social media intelligence for compliance applications.
Financial Crime Compliance Services →
Neotas financial crime compliance services cover the full programme from customer onboarding CDD through to ongoing monitoring, EDD on triggered customers, and SAR support — for regulated firms in the UK, EU and US.
MLRO Responsibilities Under MLR 2017 →
Full guide to the Money Laundering Reporting Officer role: statutory responsibilities for CDD programme oversight, SAR filing, staff training, and regulatory reporting under MLR 2017 and the Proceeds of Crime Act 2002.