Inferensys

Glossary

Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is the foundational risk assessment process of collecting and verifying customer information to create a baseline behavioral profile for ongoing monitoring against financial crime.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
FOUNDATIONAL AML CONTROL

What is Customer Due Diligence (CDD)?

Customer Due Diligence (CDD) is the mandatory, risk-based process of collecting and verifying customer identification data and assessing the nature of the business relationship to create a baseline behavioral profile for ongoing transaction monitoring.

Customer Due Diligence (CDD) is the foundational Know Your Customer (KYC) control requiring financial institutions to identify and verify a customer’s identity using reliable, independent source documents before establishing a business relationship. This process establishes a risk rating by assessing the customer’s nature of business, ownership structure, and intended transaction volume, creating a baseline profile against which future activity is measured for anomaly detection.

A critical component of CDD is the identification of beneficial ownership, requiring institutions to pierce through corporate layers to identify the natural persons who ultimately own or control a legal entity. This verified data feeds directly into transaction monitoring and sanctions screening systems, enabling machine learning models to distinguish legitimate activity from potential structuring or layering schemes.

FOUNDATIONAL FRAMEWORK

Core Components of a CDD Program

A robust Customer Due Diligence program is built on four interdependent pillars that work together to establish a customer's identity, assess their risk, and create a baseline for ongoing monitoring.

01

Customer Identification Program (CIP)

The mandatory foundation of CDD requiring the collection and verification of a customer's core identity before account opening. This process must be completed prior to establishing a business relationship.

  • Core Identifiers: Full legal name, date of birth (for individuals), physical address, and government-issued identification number (e.g., TIN, passport).
  • Verification Methods: Documentary verification (validated ID documents), non-documentary verification (credit bureau checks, database queries), or a combination of both.
  • Recordkeeping: Institutions must retain CIP records for five years after account closure, including a description of how identity was verified.
  • Customer Notice: Financial institutions are legally required to provide adequate notice to customers that they are requesting information to verify their identity.
5 Years
Minimum Record Retention
02

Customer Risk Rating

A systematic methodology to assign a risk score to each customer based on inherent risk factors. This score dictates the intensity of ongoing monitoring and the need for Enhanced Due Diligence (EDD).

  • Geographic Risk: Jurisdiction of incorporation, nationality, and operational footprint, cross-referenced with FATF high-risk lists and sanctions regimes.
  • Product & Channel Risk: Inherent anonymity of private banking, cross-border wire capabilities, or virtual asset exposure versus low-risk retail deposit accounts.
  • Entity Type Risk: Complexity of corporate structure, presence of bearer shares, or status as a Politically Exposed Person (PEP).
  • Dynamic Adjustment: Risk scores are not static; they must be recalculated based on trigger events like adverse media hits or material changes in transactional behavior.
Low/Med/High
Standard Risk Tiers
03

Beneficial Ownership Identification

The process of piercing the corporate veil to identify the natural persons who ultimately own or control a legal entity. This is a critical control against shell corporations and opaque structures.

  • Ownership Prong: Identify any individual who owns, directly or indirectly, 25% or more of the equity interests of the legal entity.
  • Control Prong: Identify a single individual with significant responsibility to control, manage, or direct the legal entity (e.g., CEO, Managing Member).
  • Verification: Rely on certified ownership charts, audited financial statements, or direct access to official registries; self-certification alone is insufficient for high-risk clients.
  • Complex Structures: Requires recursive unwinding of intermediate holding companies, trusts, and foundations to reach the ultimate flesh-and-blood beneficiary.
≥25%
Ownership Threshold
04

Ongoing Monitoring & Profile Baseline

The continuous comparison of a customer's transactional activity against their established behavioral baseline to detect anomalies that may signal money laundering or fraud.

  • Baseline Construction: Uses initial CDD data to predict expected transaction volume, velocity, geography, and counterparty types for a given risk profile.
  • Deviation Detection: Automated systems flag transactions that deviate materially from the expected baseline, such as sudden spikes in cash deposits or wires to high-risk jurisdictions.
  • Periodic Reviews: Low-risk profiles require standard refresh cycles (e.g., every 3 years), while high-risk profiles mandate annual or continuous review.
  • Trigger Events: Specific occurrences—such as a new PEP designation, adverse media, or a law enforcement inquiry—immediately trigger a CDD refresh regardless of the review cycle.
Real-Time
Ideal Monitoring Latency
CUSTOMER DUE DILIGENCE

Frequently Asked Questions

Clear, technical answers to the most common questions about the foundational risk assessment process that underpins anti-money laundering compliance.

Customer Due Diligence (CDD) is the mandatory, risk-based process of collecting and verifying a customer's identity and assessing their risk profile before and during a business relationship to prevent money laundering and terrorist financing. It works by establishing a baseline behavioral profile against which future transactions are monitored for anomalies. The process involves four core pillars: identifying and verifying the customer's identity using reliable, independent source documents; identifying and verifying the beneficial owner who ultimately controls the legal entity; understanding the nature and purpose of the customer relationship to establish expected activity; and conducting ongoing monitoring of transactions to detect deviations from the established baseline. This foundational data feeds directly into transaction monitoring systems and risk rating models.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.