Customer Due Diligence (CDD) is the foundational Know Your Customer (KYC) control requiring financial institutions to identify and verify a customer’s identity using reliable, independent source documents before establishing a business relationship. This process establishes a risk rating by assessing the customer’s nature of business, ownership structure, and intended transaction volume, creating a baseline profile against which future activity is measured for anomaly detection.
Glossary
Customer Due Diligence (CDD)

What is Customer Due Diligence (CDD)?
Customer Due Diligence (CDD) is the mandatory, risk-based process of collecting and verifying customer identification data and assessing the nature of the business relationship to create a baseline behavioral profile for ongoing transaction monitoring.
A critical component of CDD is the identification of beneficial ownership, requiring institutions to pierce through corporate layers to identify the natural persons who ultimately own or control a legal entity. This verified data feeds directly into transaction monitoring and sanctions screening systems, enabling machine learning models to distinguish legitimate activity from potential structuring or layering schemes.
Core Components of a CDD Program
A robust Customer Due Diligence program is built on four interdependent pillars that work together to establish a customer's identity, assess their risk, and create a baseline for ongoing monitoring.
Customer Identification Program (CIP)
The mandatory foundation of CDD requiring the collection and verification of a customer's core identity before account opening. This process must be completed prior to establishing a business relationship.
- Core Identifiers: Full legal name, date of birth (for individuals), physical address, and government-issued identification number (e.g., TIN, passport).
- Verification Methods: Documentary verification (validated ID documents), non-documentary verification (credit bureau checks, database queries), or a combination of both.
- Recordkeeping: Institutions must retain CIP records for five years after account closure, including a description of how identity was verified.
- Customer Notice: Financial institutions are legally required to provide adequate notice to customers that they are requesting information to verify their identity.
Customer Risk Rating
A systematic methodology to assign a risk score to each customer based on inherent risk factors. This score dictates the intensity of ongoing monitoring and the need for Enhanced Due Diligence (EDD).
- Geographic Risk: Jurisdiction of incorporation, nationality, and operational footprint, cross-referenced with FATF high-risk lists and sanctions regimes.
- Product & Channel Risk: Inherent anonymity of private banking, cross-border wire capabilities, or virtual asset exposure versus low-risk retail deposit accounts.
- Entity Type Risk: Complexity of corporate structure, presence of bearer shares, or status as a Politically Exposed Person (PEP).
- Dynamic Adjustment: Risk scores are not static; they must be recalculated based on trigger events like adverse media hits or material changes in transactional behavior.
Beneficial Ownership Identification
The process of piercing the corporate veil to identify the natural persons who ultimately own or control a legal entity. This is a critical control against shell corporations and opaque structures.
- Ownership Prong: Identify any individual who owns, directly or indirectly, 25% or more of the equity interests of the legal entity.
- Control Prong: Identify a single individual with significant responsibility to control, manage, or direct the legal entity (e.g., CEO, Managing Member).
- Verification: Rely on certified ownership charts, audited financial statements, or direct access to official registries; self-certification alone is insufficient for high-risk clients.
- Complex Structures: Requires recursive unwinding of intermediate holding companies, trusts, and foundations to reach the ultimate flesh-and-blood beneficiary.
Ongoing Monitoring & Profile Baseline
The continuous comparison of a customer's transactional activity against their established behavioral baseline to detect anomalies that may signal money laundering or fraud.
- Baseline Construction: Uses initial CDD data to predict expected transaction volume, velocity, geography, and counterparty types for a given risk profile.
- Deviation Detection: Automated systems flag transactions that deviate materially from the expected baseline, such as sudden spikes in cash deposits or wires to high-risk jurisdictions.
- Periodic Reviews: Low-risk profiles require standard refresh cycles (e.g., every 3 years), while high-risk profiles mandate annual or continuous review.
- Trigger Events: Specific occurrences—such as a new PEP designation, adverse media, or a law enforcement inquiry—immediately trigger a CDD refresh regardless of the review cycle.
Frequently Asked Questions
Clear, technical answers to the most common questions about the foundational risk assessment process that underpins anti-money laundering compliance.
Customer Due Diligence (CDD) is the mandatory, risk-based process of collecting and verifying a customer's identity and assessing their risk profile before and during a business relationship to prevent money laundering and terrorist financing. It works by establishing a baseline behavioral profile against which future transactions are monitored for anomalies. The process involves four core pillars: identifying and verifying the customer's identity using reliable, independent source documents; identifying and verifying the beneficial owner who ultimately controls the legal entity; understanding the nature and purpose of the customer relationship to establish expected activity; and conducting ongoing monitoring of transactions to detect deviations from the established baseline. This foundational data feeds directly into transaction monitoring systems and risk rating models.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts that interact with and extend the Customer Due Diligence framework within anti-money laundering operations.
Know Your Customer (KYC)
The mandatory identity verification process that forms the operational backbone of CDD. While CDD assesses risk, KYC executes the verification:
- Identity Verification: Validating government-issued IDs, biometrics, and personal data
- Document Collection: Gathering proof of address, incorporation certificates, and licenses
- Liveness Detection: Ensuring the person presenting identity is physically present and not a deepfake
KYC provides the verified data inputs that feed CDD risk models. Without robust KYC, CDD risk assessments operate on unverified assumptions.
Enhanced Due Diligence (EDD)
An escalated investigation protocol triggered when standard CDD flags high-risk indicators. EDD applies to:
- Politically Exposed Persons (PEPs) and their close associates
- Customers in high-risk jurisdictions with weak AML controls
- Entities with complex ownership structures suggesting concealment
- Clients in high-risk industries such as arms dealing or precious metals
EDD requires deeper scrutiny of source of wealth and source of funds, often involving external intelligence gathering and senior management approval before onboarding.
Risk Rating
The quantitative output of the CDD process. A composite score derived from weighted risk factors:
- Geographic Risk: Country corruption indices and sanctions exposure
- Product Risk: Inherent vulnerability of specific financial products to misuse
- Entity Type Risk: Shell corporations, trusts, and non-profits carry different risk weights
- Transaction Pattern Risk: Expected vs. actual behavior deviations
Risk ratings determine monitoring frequency, review cycles, and escalation thresholds. Models must be periodically validated to prevent rating drift.
Beneficial Ownership
The ultimate objective of CDD investigations—piercing corporate veils to identify the natural persons who control legal entities. Key challenges include:
- Multi-jurisdictional layering: Entities nested across secrecy havens
- Nominee directors: Figureheads obscuring true controllers
- Bearer shares: Ownership instruments with no registered holder
Regulatory standards like the FATF 40 Recommendations mandate a 25% ownership threshold for identification. Failure to identify beneficial owners is the most common CDD deficiency cited in enforcement actions.
Behavioral Profiling
The ongoing monitoring phase that operationalizes CDD findings. Once a baseline risk profile is established, behavioral profiling detects deviations:
- Expected transaction volume vs. actual throughput
- Typical counterparty geography vs. sudden high-risk jurisdiction transfers
- Normal velocity vs. rapid structuring patterns
- Declared business activity vs. actual transaction purpose codes
Deviations trigger alert generation and may prompt a CDD review cycle. Machine learning models increasingly automate this comparison at scale.
Adverse Media Screening
A continuous intelligence feed that supplements static CDD profiles with dynamic reputational data. Automated systems scan:
- Global news sources in multiple languages
- Regulatory enforcement actions and watchlist publications
- Leaked datasets such as the Panama Papers and FinCEN Files
- Court filings and criminal proceedings
Negative hits trigger reassessment of risk ratings and may escalate to EDD. False positive management is critical—fuzzy matching and entity disambiguation prevent alert fatigue.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us