Customer due diligence (CDD) and enhanced due diligence (EDD) sit at the core of every AML program. Done right, they give you a defensible audit trail and keep regulators satisfied. Done wrong, they expose your institution to fines, reputational damage, and potential criminal liability.

This checklist walks through every stage of the due diligence lifecycle — from initial risk scoring through ongoing monitoring — using a risk-based approach aligned with FATF Recommendations, FinCEN's Customer Due Diligence Rule (effective June 2026 amendments), and the EU's 6th Anti-Money Laundering Directive (6AMLD).

Risk-based approach (RBA): Not all customers carry the same risk. Your CDD procedures should scale with exposure. Low-risk customers require simplified due diligence (SDD); high-risk customers require enhanced due diligence (EDD). The checklist below marks each item by tier.

Step 1: Risk-Based Customer Classification

Before collecting any documents, assign a risk tier. This determines the depth of due diligence required and the frequency of ongoing review.

Initial Risk Scoring

  • Customer type: Individual, corporate entity, trust, PEP, or non-profit — each carries different inherent risk
  • Geographic risk: Does the customer's jurisdiction appear on FATF's high-risk list, EU high-risk third countries, or your internal country risk matrix?
  • Sector risk: Cash-intensive businesses, real estate, cryptocurrency, arms dealers, and precious metals are higher risk by default
  • Business relationship nature: Transactional vs. ongoing; expected transaction volume and frequency
  • Delivery channel: Non-face-to-face onboarding triggers additional controls in most jurisdictions
  • Source of wealth: Is the stated source of wealth plausible relative to the customer's known profile?

  Risk Tier    Due Diligence Level   Review Frequency     Senior Sign-off
  LOW          Simplified (SDD)      Every 3–5 years      Not required
  MEDIUM       Standard (CDD)        Every 12–24 months   Not required
  HIGH / PEP   Enhanced (EDD)        Every 6–12 months    Required (senior management)

Step 2: Document Collection

The documents you collect depend on whether you're onboarding an individual or a legal entity. Both categories require verification — not just collection — against authoritative sources.

[CDD] Individual Customers

  • Government-issued photo ID: Passport, national ID card, or driver's license — unexpired, verified against the document database or biometric check
  • Proof of address: Utility bill, bank statement, or government letter dated within 90 days
  • Date of birth confirmation: Cross-reference ID with application data
  • Taxpayer identification number (TIN): Required in most FATF member jurisdictions for financial account opening
  • Source of funds declaration: For significant transactions or higher-risk profiles; supported by payslips, tax returns, or business accounts

[CDD] Corporate & Legal Entity Customers

  • Certificate of incorporation or equivalent: Filed with the relevant company registry, verified against live registry data
  • Memorandum and articles of association: To confirm business purpose and authorized signatories
  • Proof of registered address: Companies House, SEC EDGAR, or equivalent official filing
  • List of directors and authorized signatories: Verify each individual's identity to the same standard as individual CDD
  • Corporate structure chart: Required where ownership chains involve holding companies or trusts
  • Latest audited accounts or financial statements: For higher-value relationships or where source of funds is material

Step 3: Beneficial Ownership Verification

Identifying who ultimately owns and controls an entity is one of the most critical — and most frequently cited — CDD failures in regulatory enforcement actions. FinCEN's 2024 beneficial ownership rule and the EU's 6AMLD both require financial institutions to identify all beneficial owners holding 25% or more (10% for higher-risk entities).

[CDD/EDD] Beneficial Ownership

  • Identify all natural persons with direct or indirect ownership of 25%+ (or 10%+ for high-risk)
  • Control test: Identify any person who exercises control through other means — board composition, veto rights, or contractual arrangements
  • Verify each beneficial owner's identity to the same standard as individual CDD (photo ID + proof of address)
  • Cross-check against beneficial ownership registers where available (UK PSC register, EU national registers, US FinCEN BOI database effective Jan 2025)
  • Identify the senior managing official where no natural person holds 25% — the CEO or equivalent becomes the default beneficial owner for FinCEN compliance
  • Document your rationale if the ownership structure is complex — regulators expect a written analysis, not just a form

⚠ Shell company risk: Multi-layered corporate structures involving offshore jurisdictions (BVI, Cayman, Panama) require additional scrutiny. Request written explanations for the commercial rationale of each layer and escalate to EDD automatically.
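The threshold test above is easy to state and easy to get wrong once ownership runs through holding companies: a person's stake has to be multiplied along every path in the corporate structure chart and then summed. The following added example (not code from this checklist or from any vendor named on the page) walks a constructed chart, accumulates direct and indirect ownership per natural person, applies the 25% or 10% threshold, falls back to the senior managing official when nobody reaches it, and records everything that would need the written analysis the checklist calls for (offshore layers, unexplained shares, circular holdings, holders missing from the chart). All entity and person names are fictional, and the offshore jurisdiction list is an assumption drawn from the three examples in the note above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Thresholds from the checklist: 25% by default, 10% for high-risk entities.
STANDARD_THRESHOLD = 0.25
HIGH_RISK_THRESHOLD = 0.10
# Assumption for this example: layers incorporated here trigger the
# shell-company escalation described in the checklist.
OFFSHORE_LAYER_JURISDICTIONS = {"BVI", "Cayman", "Panama"}


@dataclass
class Entity:
    name: str
    is_natural_person: bool = False
    jurisdiction: str = ""
    # holder name -> fraction of this entity's shares held (0.0 to 1.0)
    holders: Dict[str, float] = field(default_factory=dict)
    senior_managing_official: Optional[str] = None


def trace_ownership(chart: Dict[str, Entity], target: str) -> Tuple[Dict[str, float], List[str]]:
    """Walk up the structure chart from `target`, multiplying stakes along each
    path so that every natural person's direct and indirect ownership is summed.
    Anything that needs a written analysis is recorded in `notes`."""
    owned: Dict[str, float] = {}
    notes: List[str] = []

    def note(msg: str) -> None:
        if msg not in notes:
            notes.append(msg)

    def walk(name: str, fraction: float, path: Tuple[str, ...]) -> None:
        if name in path:
            note("circular holding: " + " -> ".join(path + (name,)))
            return
        entity = chart.get(name)
        if entity is None:
            note(f"holder '{name}' is not on the chart; identity unverified")
            return
        if entity.is_natural_person:
            owned[name] = owned.get(name, 0.0) + fraction
            return
        if entity.jurisdiction in OFFSHORE_LAYER_JURISDICTIONS:
            note(f"layer '{name}' is incorporated in {entity.jurisdiction}; commercial rationale required")
        if abs(sum(entity.holders.values()) - 1.0) > 1e-6:
            note(f"shares of '{name}' do not sum to 100%; holder list incomplete")
        for holder, stake in entity.holders.items():
            walk(holder, fraction * stake, path + (name,))

    walk(target, 1.0, ())
    return owned, notes


def beneficial_owners(chart: Dict[str, Entity], target: str, high_risk: bool = False) -> dict:
    """Apply the threshold test; if no natural person reaches it, fall back to
    the senior managing official as the checklist describes."""
    threshold = HIGH_RISK_THRESHOLD if high_risk else STANDARD_THRESHOLD
    owned, notes = trace_ownership(chart, target)
    owners = {p: round(f, 6) for p, f in owned.items() if f + 1e-9 >= threshold}
    fallback = None
    if not owners:
        fallback = chart[target].senior_managing_official
        if fallback is None:
            notes.append("no owner meets the threshold and no senior managing official recorded")
    return {
        "threshold": threshold,
        "owners": owners,
        "fallback_senior_managing_official": fallback,
        "needs_written_analysis": bool(notes),
        "notes": notes,
    }


# Constructed sample chart; every name is fictional.
SAMPLE_CHART = {
    "Target Ltd": Entity("Target Ltd", jurisdiction="UK", senior_managing_official="Dana Example",
                         holders={"HoldCo One": 0.60, "Alice Example": 0.30, "Bob Example": 0.10}),
    "HoldCo One": Entity("HoldCo One", jurisdiction="BVI",
                         holders={"Carol Example": 0.50, "HoldCo Two": 0.50}),
    "HoldCo Two": Entity("HoldCo Two", jurisdiction="Cayman", holders={"Carol Example": 1.0}),
    "Alice Example": Entity("Alice Example", is_natural_person=True),
    "Bob Example": Entity("Bob Example", is_natural_person=True),
    "Carol Example": Entity("Carol Example", is_natural_person=True),
}

if __name__ == "__main__":
    for high_risk in (False, True):
        print("high_risk =", high_risk, beneficial_owners(SAMPLE_CHART, "Target Ltd", high_risk))
```

In the sample chart Carol holds nothing directly yet controls 60% through two offshore layers (30% via HoldCo One and another 30% via HoldCo Two), so she is a beneficial owner at either threshold; Bob only appears once the 10% high-risk threshold applies. The notes list is the starting point for the written rationale, not a substitute for it.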

Step 4: PEP Screening

Politically exposed persons require enhanced scrutiny by law — not enhanced suspicion, but enhanced verification. Every new customer should be screened against PEP databases at onboarding and rescreened when circumstances change.

[EDD] PEP Screening Checklist

  • Screen full legal name against comprehensive PEP databases covering domestic and foreign PEPs, their family members, and known close associates
  • Determine PEP category: Foreign PEP (highest risk), domestic PEP, international organization PEP — each carries different regulatory treatment
  • Obtain senior management approval before establishing or continuing a business relationship with a PEP
  • Establish the source of wealth and funds: For PEPs, source of wealth documentation is mandatory, not optional
  • Apply ongoing enhanced monitoring: PEP status must be monitored throughout the relationship, not just at onboarding
  • Former PEPs: Individuals who have left public office within the past 12–18 months typically retain PEP status under FATF guidance — do not automatically downgrade

Step 5: Adverse Media Checks

Adverse media screening — sometimes called negative news screening — identifies financial crime risk that doesn't appear in structured databases. A customer may be clean on sanctions lists but prominently featured in investigative journalism about fraud, corruption, or money laundering.

[CDD/EDD] Adverse Media

  • Search full legal name plus known aliases, associated entities, and geographic identifiers
  • Cover key risk categories: Financial crime (fraud, bribery, corruption), sanctions evasion, drug trafficking, human trafficking, tax evasion, terrorism financing
  • Use structured screening tools rather than manual Google searches — manual searches are inconsistent, undocumented, and indefensible in enforcement proceedings
  • Assess materiality: Not every negative news hit warrants refusal. Document your assessment of relevance, credibility of the source, and how the information affects your risk rating
  • Ongoing adverse media monitoring: Real-time or periodic re-screening is required for higher-risk customers — a clean check at onboarding is insufficient

Step 6: Ongoing Monitoring

CDD is not a one-time event. Ongoing monitoring is an explicit regulatory requirement under FATF Recommendation 10, FinCEN's CDD Rule, and the EU's AMLD. Its purpose is to detect activity inconsistent with your understanding of the customer and to trigger re-KYC when risk levels change.

[ALL TIERS] Ongoing Monitoring Requirements

  • Transaction monitoring: Flag transactions that are inconsistent with the customer's stated business purpose, transaction history, or source of funds
  • Customer risk re-evaluation: Triggered by unusual activity, negative news, change of control, change of address, or cross-border activity to high-risk jurisdictions
  • Periodic KYC refresh: Scheduled re-verification at intervals determined by risk tier (see Step 1 table above)
  • Sanctions rescreening: Screen against updated sanctions lists at regular intervals — lists are updated without notice; daily rescreening is best practice for higher-volume institutions
  • Change of circumstances: Promptly re-evaluate risk rating when a customer enters politics (PEP trigger), is subject to adverse news, or their transaction profile changes materially
  • Exit procedures: Document the grounds for exiting a customer relationship, particularly if driven by AML concerns — this has reporting implications in most jurisdictions

Step 7: Record-Keeping

Every step above is only as good as your documentation. Regulators assess the quality of your CDD program primarily through your records. FATF Recommendation 11, the EU's AMLD, and FinCEN's regulations all require a minimum five-year retention period — measured from the end of the business relationship, not the date of collection.

[ALL TIERS] Record-Keeping Checklist

  • Identity documents: Certified copies of all ID and proof of address collected, stored in a tamper-evident format
  • Screening results: Date, database version, match/no-match result, and disposition for every PEP, sanctions, and adverse media check
  • Risk assessments: Written record of the risk tier assigned, the factors considered, and any overrides — including the identity of the approving officer
  • SAR/STR records: Suspicious activity report filings must be retained separately and kept confidential from the subject of the report
  • Audit trail of monitoring: Evidence that ongoing monitoring was performed, not just that it was required by policy
  • Retention period: Minimum 5 years from end of relationship; 10 years in some high-risk jurisdictions and for certain transaction types

Tip: Regulators have increasingly cited "record-keeping failures" as a standalone violation — even where the underlying CDD was adequate. Your records need to be retrievable, complete, and explainable to a non-expert regulator within hours, not days.
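The checklist asks for screening results that capture date, database version, result and disposition, stored in a tamper-evident format and retrievable on demand. One way to meet both points is an append-only log in which every record is hashed together with the hash of the record before it, so that editing, deleting or reordering an earlier entry breaks the chain. The example below is added here and is not code from this checklist or any product it mentions; the record fields and the sample entries are constructed, and the SHA-256 hash chain is the technique assumed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64
# Fields the checklist requires for every screening result (assumed names).
REQUIRED_FIELDS = {"customer_id", "check_type", "date", "database_version", "result", "disposition"}


def _digest(prev_hash: str, record: dict) -> str:
    """Hash the previous link and a canonical (sorted-key) JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


@dataclass
class Entry:
    record: dict
    prev_hash: str
    hash: str


class ScreeningLog:
    """Append-only hash-chained log of PEP, sanctions and adverse media checks."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, record: dict) -> str:
        missing = REQUIRED_FIELDS - record.keys()
        if missing:
            raise ValueError(f"screening record missing fields: {sorted(missing)}")
        prev = self.entries[-1].hash if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append(Entry(dict(record), prev, h))
        return h

    def head(self) -> str:
        """The latest hash; anchor it outside the log (signed, or stored elsewhere)."""
        return self.entries[-1].hash if self.entries else GENESIS

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first entry whose content
        or link no longer matches, or None when the log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or _digest(e.prev_hash, e.record) != e.hash:
                return i
            prev = e.hash
        return None


def build_sample_log() -> ScreeningLog:
    """Constructed sample entries; identifiers and versions are fictional."""
    log = ScreeningLog()
    log.append({"customer_id": "CUST-0001", "check_type": "sanctions", "date": "2025-01-06",
                "database_version": "sanctions-2025-01-06", "result": "no-match", "disposition": "cleared"})
    log.append({"customer_id": "CUST-0001", "check_type": "pep", "date": "2025-01-06",
                "database_version": "pep-2025-01-05", "result": "match", "disposition": "escalated to EDD",
                "approving_officer": "officer-17"})
    log.append({"customer_id": "CUST-0001", "check_type": "adverse_media", "date": "2025-01-06",
                "database_version": "media-2025-01-06", "result": "match", "disposition": "assessed not material",
                "approving_officer": "officer-17"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None, "head:", log.head())
    log.entries[1].record["result"] = "no-match"  # simulate an after-the-fact edit
    print("first bad entry:", log.verify())
```

The chain detects edits, deletions and reordering by anyone who cannot rewrite every later link, which is why the head hash must be anchored outside the log itself (periodically signed, or copied to a system the log writer cannot change); on its own the chain proves consistency, not who wrote it.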

Automating Your Due Diligence Program

Manual due diligence is slow, inconsistent, and expensive to scale. A compliance officer running 50 CDD reviews per week cannot match the coverage, speed, or documentation quality of an automated platform — and regulators know it.

Veridact automates the entire due diligence workflow: identity verification, beneficial ownership mapping, PEP screening, sanctions checks across 29 global databases, adverse media monitoring, and structured record-keeping with a full audit trail. What typically takes hours takes seconds.
