
Customer Due Diligence (CDD): Step-by-Step Guide for US Firms

Legaltalent · February 11, 2026 · 7 min read

Customer Due Diligence is where AML programs meet customers. FinCEN’s rules, federal banking agency guidance, and examiner expectations all converge on a simple idea: you must know who you serve, why they use your product, and whether their activity later makes sense.

This step-by-step guide explains how US firms should design and operate CDD and Enhanced Due Diligence (EDD) programs that satisfy the BSA without drowning operations in manual work.

Regulatory foundation: CIP, CDD Rule, and ongoing diligence

Three layers often get conflated:

  • Customer Identification Program (CIP) — minimum identity information collected and verified at account opening (for banks; analogous expectations apply to MSBs through AML program requirements).
  • CDD Rule (31 CFR 1010.230) — four core requirements: verify identity, identify and verify beneficial owners of legal entity customers, understand the nature and purpose of the relationship, and conduct ongoing monitoring for suspicious activity.
  • EDD — additional measures for higher-risk customers such as PEPs, correspondent accounts, and certain geographies.

If you only verify a passport at signup and never revisit the relationship, you have a CIP artifact—not a CDD program.

Step 1: Define your customer risk taxonomy

Before workflows, define risk tiers tied to observable attributes:

  • Customer type (individual, LLC, nonprofit, MSB customer)
  • Geography (US domestic, high-risk jurisdiction per FATF or FinCEN advisories)
  • Product use (payouts, stored value, OTC trading)
  • Distribution channel (direct digital, agent network, ISO referral)

Document tier definitions in your risk assessment. Examiners ask how you calibrate reviews and monitoring intensity.

Step 2: Collect baseline identification data

For individuals, baseline data typically includes legal name, date of birth, residential address, and government ID number. For legal entities, collect formation documents, EIN, business address, and beneficial ownership information.

The CDD Rule requires identifying each beneficial owner who owns 25% or more and one control person, then verifying their identity using documentary or non-documentary methods.

Use reliable, independent data sources—government databases, credit bureaus, or reputable identity vendors. Keep evidence of verification in your record retention system.
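Applying the ownership prong to a layered structure is where manual reviews go wrong, because a 25% owner can sit behind one or more intermediate entities. The following is an added example, not code from Legaltalent or the original article: it walks a set of cap tables, aggregates each individual's equity across every chain, and applies the 25% threshold plus the control person requirement described above. The CDD Rule's own text covers equity owned directly or indirectly; the assumption made here is that indirect interests are computed multiplicatively along each chain of intermediate entities and summed across chains. The cap tables are constructed.

```python
"""Resolve beneficial owners of a legal entity customer across layered ownership.

Added example, not Legaltalent code. Assumption: indirect ownership through an
intermediate entity is the product of the shares along the chain, summed over
all chains that reach the same individual. Cap tables below are constructed.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed sample: entity -> list of (holder, share of that entity's equity).
# Any holder that is not itself a key is treated as a natural person.
CAP_TABLES = {
    "Customer LLC": [("HoldCo Inc", Fraction(60, 100)),
                     ("Dana Ortiz", Fraction(30, 100)),
                     ("Minor Holder", Fraction(10, 100))],
    "HoldCo Inc": [("Ravi Shah", Fraction(50, 100)),
                   ("Dana Ortiz", Fraction(20, 100)),
                   ("Trust B", Fraction(30, 100))],
    "Trust B": [("Lee Park", Fraction(1, 1))],
}

OWNERSHIP_THRESHOLD = Fraction(25, 100)   # the CDD Rule's 25% line


def resolve_ownership(entity, cap_tables, max_depth=10):
    """Return {individual: aggregated equity fraction} for `entity`.

    Walks through intermediate entities, multiplying shares along each path.
    Circular or very deep structures raise instead of silently truncating:
    such structures are themselves an EDD trigger and need an analyst.
    """
    totals = defaultdict(Fraction)

    def walk(name, fraction, path):
        if name not in cap_tables:          # natural person: leaf of the walk
            totals[name] += fraction
            return
        if name in path:
            raise ValueError(f"circular ownership through {name}")
        if len(path) >= max_depth:
            raise ValueError(f"ownership chain deeper than {max_depth} at {name}")
        for holder, share in cap_tables[name]:
            walk(holder, fraction * share, path | {name})

    walk(entity, Fraction(1), frozenset())
    return dict(totals)


def beneficial_owners(entity, cap_tables, control_person,
                      threshold=OWNERSHIP_THRESHOLD):
    """Apply the ownership prong and the control prong.

    Returns the individuals to identify and verify: every individual at or
    above `threshold`, plus the control person, who must be named even when
    nobody meets the ownership threshold.
    """
    ownership = resolve_ownership(entity, cap_tables)
    owners = sorted(((name, frac) for name, frac in ownership.items()
                     if frac >= threshold), key=lambda x: (-x[1], x[0]))
    return {
        "ownership_prong": owners,
        "control_prong": control_person,
        "to_verify": sorted({name for name, _ in owners} | {control_person}),
    }


if __name__ == "__main__":
    result = beneficial_owners("Customer LLC", CAP_TABLES, control_person="Dana Ortiz")
    for name, frac in result["ownership_prong"]:
        print(f"{name}: {float(frac):.0%}")
    print("control person:", result["control_prong"])
```

In the sample, a direct-only check would list no individual at all for HoldCo's 60% block and would put Dana Ortiz at 30%; walking the chain shows Dana at 42% and surfaces Ravi Shah at 30%, while Lee Park stays below the line at 18%. Exact fractions are used deliberately so threshold comparisons are not subject to floating-point rounding.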

Step 3: Verify identity with a risk-based approach

Verification methods include:

  • Documentary — review passport, driver’s license, or state ID; check security features; compare selfie or liveness where appropriate
  • Non-documentary — database checks, knowledge-based authentication (use cautiously), or hybrid models

Higher-risk customers warrant stronger methods. A low-dollar domestic consumer wallet may use automated checks; a corporate customer sending international wires may need manual review of formation documents and signatory authority.

Step 4: Understand purpose and expected activity

Ask: Why is this customer here? Expected activity includes:

  • Anticipated transaction volume and velocity
  • Counterparties and corridors
  • Source of funds and wealth (especially for EDD)

Mismatch between expected and actual activity is a classic SAR red flag. Document expectations at onboarding and update when customers materially change use cases.

Step 5: Screen against sanctions and watchlists

Before activating an account, screen customers and beneficial owners against OFAC SDN and other applicable sanctions lists. Rescreen when lists update or customer data changes.

PEP screening identifies politically exposed persons requiring EDD under FATF-aligned policies. See Politically Exposed Persons (PEPs) and Am I a PEP? for definitional nuance.

Add adverse media screening for higher-risk tiers—Adverse Media Screening explains why news often surfaces risks before lists do.

Step 6: Apply Enhanced Due Diligence triggers

EDD triggers commonly include:

  • Domestic and foreign PEPs and close associates
  • Customers in high-risk jurisdictions
  • Complex or opaque ownership structures
  • Unusual source-of-wealth narratives
  • Correspondent relationships with foreign financial institutions

EDD measures may include senior management approval, enhanced source-of-funds documentation, more frequent periodic reviews, and tighter transaction monitoring thresholds.

Step 7: Ongoing monitoring and periodic reviews

CDD does not end at approval. Implement:

  • Transaction monitoring for typologies relevant to your product
  • Periodic KYC refresh (e.g., annually for high risk, less frequently for low risk)
  • Event-driven reviews triggered by chargebacks, fraud spikes, law enforcement inquiries, or adverse media hits

Our ongoing customer monitoring guide details rescreening cadences and alert handling.
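Step 1's tier definitions and Step 7's refresh cadence and event-driven reviews are two halves of one mechanism: the tier sets the calendar, and named events override it. The following added example (not code from Legaltalent or the original article) scores a customer from the observable attributes listed in Step 1, maps the score to a tier, derives the next periodic review date, and decides whether a review is due today. The weights, tier cut-offs, refresh intervals, and the placeholder jurisdiction codes are all assumptions for illustration; a real program takes them from its documented risk assessment and from FATF/FinCEN advisories. The customer profiles are constructed.

```python
"""Map observable customer attributes to a risk tier and a review schedule.

Added example, not Legaltalent code. All weights, cut-offs, intervals and the
jurisdiction codes are assumptions; replace them with your risk assessment.
"""
from dataclasses import dataclass
from datetime import date

# Placeholder codes standing in for jurisdictions flagged by FATF or FinCEN advisories.
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}

# Assumed weights for the Step 1 attributes.
TYPE_WEIGHT = {"individual": 0, "nonprofit": 1, "llc": 2, "msb": 3}
PRODUCT_WEIGHT = {"payouts": 1, "stored_value": 1, "otc_trading": 2}
CHANNEL_WEIGHT = {"direct": 0, "iso": 1, "agent": 2}
JURISDICTION_WEIGHT = 3
PEP_WEIGHT = 5

# Assumed refresh cadence per tier, in months (annual for high risk, as the text suggests).
REFRESH_MONTHS = {"high": 12, "medium": 24, "low": 36}

# Step 7 events that force a review regardless of the calendar.
EVENT_TRIGGERS = {"chargeback_spike", "fraud_spike", "law_enforcement_inquiry",
                  "adverse_media_hit", "material_profile_change"}


@dataclass
class CustomerProfile:
    customer_id: str
    customer_type: str            # individual | llc | nonprofit | msb
    country: str                  # ISO 3166-1 alpha-2
    products: frozenset = frozenset()
    channel: str = "direct"       # direct | iso | agent
    is_pep: bool = False


def risk_score(p: CustomerProfile) -> int:
    """Sum the attribute weights; unknown values get the highest weight in their group."""
    score = TYPE_WEIGHT.get(p.customer_type, max(TYPE_WEIGHT.values()))
    score += JURISDICTION_WEIGHT if p.country in HIGH_RISK_JURISDICTIONS else 0
    score += sum(PRODUCT_WEIGHT.get(x, max(PRODUCT_WEIGHT.values())) for x in p.products)
    score += CHANNEL_WEIGHT.get(p.channel, max(CHANNEL_WEIGHT.values()))
    score += PEP_WEIGHT if p.is_pep else 0
    return score


def risk_tier(p: CustomerProfile) -> str:
    s = risk_score(p)
    if p.is_pep or s >= 5:        # PEPs are always high risk (an EDD trigger)
        return "high"
    return "medium" if s >= 2 else "low"


def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic (clamps the 31st to the end of a shorter month)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_next = date(year + (month == 12), month % 12 + 1, 1)
    days_in_month = (first_next - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))


def next_periodic_review(last_review: date, tier: str) -> date:
    return add_months(last_review, REFRESH_MONTHS[tier])


def review_required(p: CustomerProfile, last_review: date, today: date, events=()):
    """Return (required, reason). Event-driven reviews take precedence over the calendar."""
    hits = sorted(EVENT_TRIGGERS & set(events))
    if hits:
        return True, "event: " + ", ".join(hits)
    tier = risk_tier(p)
    due = next_periodic_review(last_review, tier)
    if today >= due:
        return True, f"periodic refresh overdue ({tier} tier, due {due.isoformat()})"
    return False, f"next {tier}-tier refresh due {due.isoformat()}"


if __name__ == "__main__":
    wallet = CustomerProfile("C-1", "individual", "US", frozenset({"stored_value"}))
    exporter = CustomerProfile("C-2", "llc", "XA", frozenset({"payouts", "otc_trading"}), "agent")
    for c in (wallet, exporter):
        print(c.customer_id, risk_tier(c), review_required(c, date(2025, 1, 15), date(2026, 2, 11)))
```

Keep the weight tables and the tier cut-offs in the same document examiners see as your risk assessment; the code should read as an implementation of that document, not as its source.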

Step 8: Escalation, documentation, and SAR considerations

When analysts cannot reconcile activity with the customer profile, escalate to the BSA Officer. Not every alert becomes a SAR, but every decision should be documented with rationale.

If you know, suspect, or have reason to suspect illicit activity, file a FinCEN SAR within applicable timelines—see FinCEN SAR Filing.

Beneficial ownership and the Corporate Transparency Act

FinCEN’s beneficial ownership reporting under the Corporate Transparency Act affects many US entities directly. Even where your customer is a reporting company, your CDD Rule obligations remain: you must collect and verify beneficial owners at account opening for covered legal entity customers.

Align KYB workflows with evolving FinCEN guidance and monitor for updates to implementation deadlines and exemptions.

Technology and evidence

Automate where possible:

  • Orchestrated KYC/KYB flows with vendor fallbacks
  • Immutable audit trails of analyst decisions
  • List screening with match disposition codes
  • Case management linking alerts, notes, and SAR drafts

Examiners reward reproducibility: given a customer ID, you should reconstruct the full diligence story quickly.
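The two properties above, an immutable trail of analyst decisions and the ability to reconstruct one customer's diligence story on demand, can be built from a single append-only log. The following is an added example, not code from Legaltalent or the original article: every entry carries the SHA-256 of the previous entry, so an edited or deleted record breaks the chain when it is re-verified, and a per-customer view is a filter over the same log. Analyst names, customer IDs and disposition codes are constructed. A production system would additionally anchor the latest hash somewhere outside the database (a write-once store or a signed export) so that a rewrite of the whole table is also detectable.

```python
"""Append-only, hash-chained audit trail of CDD decisions, reconstructable per customer.

Added example, not Legaltalent code. Entries, analysts and disposition codes are
constructed; the chain-head anchoring mentioned in the text is left to the caller.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


class AuditTrail:
    def __init__(self):
        self._entries = []

    def record(self, customer_id, analyst, action, disposition, rationale, at=None):
        """Append one decision and return its hash."""
        entry = {
            "seq": len(self._entries),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "customer_id": customer_id,
            "analyst": analyst,
            "action": action,            # e.g. kyc_verified, screening_disposition, edd_approved
            "disposition": disposition,  # match disposition code for screening actions, else None
            "rationale": rationale,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        """Hash a canonical (sorted-key, whitespace-free) JSON form of everything but the hash."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Recompute every hash and link; return (ok, index_of_first_bad_entry_or_None)."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def story(self, customer_id):
        """Diligence history for one customer, oldest first."""
        return [(e["at"], e["analyst"], e["action"], e["disposition"], e["rationale"])
                for e in self._entries if e["customer_id"] == customer_id]

    def entries(self):
        """Raw entries; exposed only so the tamper check below can be demonstrated."""
        return self._entries


def build_sample_trail():
    """Constructed decisions for two customers."""
    t = AuditTrail()
    ts = datetime(2026, 2, 11, 9, 0, tzinfo=timezone.utc)
    t.record("C-1001", "analyst.a", "kyc_verified", None,
             "Documentary: passport plus liveness check", ts)
    t.record("C-1001", "analyst.a", "screening_disposition", "FALSE_POSITIVE",
             "SDN name match; DOB and nationality differ", ts)
    t.record("C-2002", "analyst.b", "kyc_verified", None,
             "Non-documentary: two independent database sources", ts)
    t.record("C-1001", "bsa.officer", "edd_approved", None,
             "PEP close associate; source of wealth documented and approved", ts)
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    for row in trail.story("C-1001"):
        print(row)
    trail.entries()[1]["rationale"] = "edited after the fact"
    print("after tampering:", trail.verify())
```

The verify step is what turns "we keep notes" into evidence: run it on every export handed to a sponsor bank or examiner, and store the head hash with the export so the recipient can confirm nothing was removed between the review and the delivery.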

Common CDD failures in examinations

  • Treating business customers like individuals without beneficial ownership collection
  • Set-and-forget onboarding with no periodic refresh
  • Over-reliance on vendor “pass” without understanding false negative risk
  • No documented EDD for PEPs
  • Disconnect between fraud and AML teams reviewing the same customer differently

Integrating CDD with onboarding UX

Compliance and growth need not be enemies. Sequence high-friction steps only when risk requires; use progressive data collection for low-risk paths. Compliant Client Onboarding covers funnel design patterns.

Who must implement CDD?

Any entity subject to BSA AML program requirements—MSBs, banks, broker-dealers, and others—must implement risk-based CDD. If you are unsure about coverage, read Who Must Comply with BSA/AML?.

For the big-picture AML architecture, see What Is AML Compliance?.

Aligning CDD with examiner expectations

Federal examiners do not grade CDD on how many fields your intake form collects. They grade whether your institution can demonstrate risk-based judgment with evidence. That means tying each onboarding decision to policy, showing how beneficial ownership was verified, and proving that high-risk exceptions received documented management attention.

When sponsor banks request sample files, they often pick high-risk accounts, not median retail users. Prepare packs in advance: CDD checklist, screening dispositions, expected-activity profile, and monitoring rule mapping. Gaps discovered during bank audits become contractual remediation items with deadlines.

Train product managers on CDD implications before launching features. Instant payout to third parties, anonymous usernames, or high-limit corridors without step-up verification routinely create examination findings. Compliance should sign off on feature risk assessments the same way engineering signs off on security reviews.

Finally, integrate CDD with fraud prevention without blending teams blindly. Fraud declines based on device signals may hide AML-relevant behavior if alerts never reach the BSA Officer. Architecture routing matters as much as policy language.

Get started with Legaltalent

Building a defensible AML program takes the right policies, evidence, and tooling—not spreadsheets held together with hope. Legaltalent helps US fintechs and financial services firms automate KYC, sanctions screening, PEP checks, adverse media, and audit-ready recordkeeping in one platform.

Start your free trial and see how compliant onboarding and monitoring can scale with your business.

Frequently asked questions

What is Customer Due Diligence under FinCEN?

CDD requires verifying customer identity, identifying beneficial owners of legal entities, understanding the nature and purpose of relationships, and conducting ongoing monitoring for suspicious activity.

When is Enhanced Due Diligence required?

EDD applies to higher-risk customers such as PEPs, high-risk jurisdictions, complex ownership structures, and other factors defined in your risk-based policy.

What beneficial ownership information must I collect?

For covered legal entity customers, identify each individual owning 25% or more and one control person, then verify their identity using documentary or non-documentary methods.

How often should I refresh CDD information?

Refresh on a risk-based schedule—commonly annually for high-risk customers and less frequently for low-risk customers—and whenever material changes occur.

Does CDD apply to MSBs?

Yes. MSBs must implement risk-based CDD procedures as part of their written AML programs.

What documents should I retain for CDD?

Retain identification records, verification evidence, risk ratings, EDD notes, and screening dispositions for at least five years as required by BSA recordkeeping rules.
