Customer Due Diligence is a formal BSA requirement that goes significantly beyond identity verification. Here is what CDD requires, how it differs from KYC, what EDD involves, and how to build a compliant program.
What Is Customer Due Diligence (CDD)? Requirements for Fintechs
Customer Due Diligence (CDD) became a formal, codified pillar of the U.S. BSA/AML framework in 2016 when FinCEN issued its landmark CDD Rule. Before that, due diligence expectations existed in regulatory guidance but were not codified with the same specificity or enforceability.
Today, CDD is a non-negotiable legal requirement for most fintechs — and one that goes significantly beyond simply verifying a customer's identity at account opening. CDD is the process of truly knowing your customer: understanding who they are, why they are using your platform, what behavior to expect from them, and identifying when that behavior changes in ways that warrant compliance attention.
This article explains what the CDD Rule requires, how CDD differs from KYC, what Enhanced Due Diligence involves, how to build a compliant CDD program in practice, and what regulators focus on when they examine your program.
CDD vs. KYC — Understanding the Difference
These terms are frequently used interchangeably, but in regulatory terms they refer to distinct layers of the same compliance obligation.
KYC (Know Your Customer) is the broader operational and philosophical concept — the practice of understanding who your customers are, what they do, and what risk they represent. It encompasses identity verification, risk profiling, and ongoing relationship monitoring.
CDD is the specific regulatory framework established by FinCEN's 2016 CDD Rule that formally defines how covered institutions must conduct and document their customer due diligence. CDD gives KYC its legal structure, specific requirements, and enforcement teeth.
A practical way to think about it: KYC is the principle. CDD is the regulation that tells you exactly how to fulfill that principle and what you will be examined against.
The Four Core Elements of FinCEN's CDD Rule
FinCEN's CDD Rule requires covered financial institutions to implement documented procedures for four specific elements. Each is a distinct requirement — not a suggestion.
Element 1 — Customer Identification and Verification
Confirming the identity of each customer at onboarding through documentary or non-documentary means. For individual customers: name, date of birth, residential address, and government-issued identification number. For business customers: legal name, EIN, formation documents, and beneficial ownership information.
This element aligns with and reinforces the Customer Identification Program (CIP) requirements already embedded in BSA regulations. CDD formalizes it as part of the broader due diligence framework with explicit documentation requirements.
Element 2 — Beneficial Ownership Identification and Verification
For legal entity customers — corporations, LLCs, limited partnerships, trusts — CDD requires identifying and verifying the beneficial owners: the real human individuals who ultimately own or control the entity.
FinCEN defines beneficial owners as two categories of individuals:
Ownership prong — any individual who directly or indirectly owns 25% or more of the equity interests of the legal entity. If no individual meets this threshold, this prong results in no beneficial owners identified — which is itself a documented outcome.
Control prong — one individual who has significant managerial control over the entity, regardless of their ownership percentage. This is typically the CEO, President, Managing Member, General Partner, or equivalent executive — the person who actually runs the business.
For each identified beneficial owner, you must collect and verify: full legal name, date of birth, residential address, and a unique identifying number from an acceptable identity document.
This requirement exists specifically to prevent legal entities from being used as shells to conceal the true ownership and origin of funds — one of the most commonly exploited money laundering vehicles.
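As an added illustration (not from the article), the following Python applies both prongs to a constructed, layered ownership graph. It assumes that indirect ownership is computed by multiplying fractions through each intermediate entity, and that the control person has already been designated separately; all entity and person names are made up.

```python
from collections import defaultdict

# Constructed ownership graph, not from the article. Keys are legal entities;
# values list (owner, fraction) pairs. Owners that are not keys are individuals.
OWNERSHIP = {
    "Acme Holdings LLC": [("Alice", 0.50), ("Bob", 0.10), ("Nimbus Ltd", 0.40)],
    "Nimbus Ltd": [("Carol", 0.60), ("Dave", 0.40)],
}
# Constructed control-prong designation: the managing member of the customer.
CONTROL = {"Acme Holdings LLC": "Erin"}

OWNERSHIP_THRESHOLD = 0.25  # the 25% ownership prong from the CDD Rule


def effective_ownership(entity, graph):
    """Return {individual: fraction} of ultimate ownership of `entity`.

    Indirect ownership is computed by multiplying fractions through each
    intermediate entity layer (assumed approach: 60% of a company that owns
    40% of the customer is treated as 24% indirect ownership).
    """
    totals = defaultdict(float)

    def walk(node, fraction, seen):
        if node in seen:
            raise ValueError(f"circular ownership through {node}")
        for owner, share in graph.get(node, []):
            if owner in graph:  # intermediate legal entity: keep descending
                walk(owner, fraction * share, seen | {node})
            else:  # natural person: accumulate their share
                totals[owner] += fraction * share

    walk(entity, 1.0, frozenset())
    return dict(totals)


def beneficial_owners(entity, graph, control, threshold=OWNERSHIP_THRESHOLD):
    """Apply both prongs. An empty ownership_prong list is a valid, documented
    outcome (no individual reaches the threshold); control_prong always names
    exactly one person."""
    shares = effective_ownership(entity, graph)
    owners = sorted(p for p, f in shares.items() if f + 1e-9 >= threshold)
    return {
        "ownership_prong": owners,
        "control_prong": control[entity],
        "effective_shares": shares,
    }
```

Note that Carol holds 60% of the intermediate entity but only 24% of the customer, so she falls below the ownership prong while Alice (50%) and Erin (control) are the beneficial owners to verify.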
Element 3 — Understanding the Nature and Purpose of the Customer Relationship
CDD requires you to collect and document information that allows you to understand why a customer is using your platform and what types of transactions you should expect from them. This goes beyond knowing who they are — it means knowing what normal looks like for this specific customer.
For individual customers, this might include their stated occupation, source of income, intended use of the account, and expected transaction frequency and volume.
For business customers, it includes the nature of their business, their industry sector, their typical payment flows, their expected transaction volume and frequency, and the geographic scope of their operations.
This documented understanding becomes the expected activity baseline — the benchmark against which you measure whether future transactions are consistent with the customer's profile or require compliance attention.
Element 4 — Ongoing Monitoring and Information Updates
CDD is not a one-time onboarding exercise. FinCEN requires ongoing monitoring of customer transactions and activity against the established risk profile and expected behavior baseline, as well as timely updating of customer information when risk profiles change.
In practice, this means your CDD program must be directly integrated with your transaction monitoring system. When monitoring detects activity that deviates from a customer's established profile — higher volume than expected, new transaction types, new counterparties, geographic changes — those alerts must be capable of triggering a customer-level CDD review, not just an alert-level investigation.
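As an added example (not from the article), this Python compares a customer's documented expected-activity baseline from Element 3 with a month of observed transactions and reports the kinds of deviation listed above as triggers for a customer-level CDD review. The baseline, the transactions and the 125% volume tolerance are constructed assumptions, not policy values from the article.

```python
# Constructed expected-activity baseline documented at onboarding (Element 3)
# and a constructed month of observed transactions; neither is from the article.
BASELINE = {
    "expected_monthly_volume": 20000.0,  # USD
    "expected_types": {"ach_credit", "card_payment"},
    "expected_countries": {"US"},
    "known_counterparties": {"Payroll Co", "Vendor A"},
}

OBSERVED = [
    {"amount": 9000.0, "type": "ach_credit", "country": "US", "counterparty": "Payroll Co"},
    {"amount": 15000.0, "type": "wire_out", "country": "GB", "counterparty": "New Vendor Ltd"},
    {"amount": 4000.0, "type": "card_payment", "country": "US", "counterparty": "Vendor A"},
]

# Assumed policy value: volume above 125% of the expectation counts as a deviation.
VOLUME_TOLERANCE = 1.25


def baseline_deviations(baseline, txns, tolerance=VOLUME_TOLERANCE):
    """Compare observed activity with the documented baseline and return the
    deviations found, keyed by the kinds of change the article lists."""
    volume = sum(t["amount"] for t in txns)
    deviations = {}
    if volume > baseline["expected_monthly_volume"] * tolerance:
        deviations["volume"] = {"observed": volume,
                                "expected": baseline["expected_monthly_volume"]}
    new_types = {t["type"] for t in txns} - baseline["expected_types"]
    if new_types:
        deviations["new_transaction_types"] = sorted(new_types)
    new_countries = {t["country"] for t in txns} - baseline["expected_countries"]
    if new_countries:
        deviations["geographic_changes"] = sorted(new_countries)
    new_parties = {t["counterparty"] for t in txns} - baseline["known_counterparties"]
    if new_parties:
        deviations["new_counterparties"] = sorted(new_parties)
    return deviations


def cdd_review_required(baseline, txns):
    """True when any deviation exists: the alert should open a customer-level
    CDD review (re-rate risk, refresh the profile), not only a transaction-level
    investigation."""
    return bool(baseline_deviations(baseline, txns))
```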
Customer Risk Rating — The Foundation of Your CDD Program
A functioning CDD program assigns every customer a documented risk rating at onboarding and updates it over time as monitoring data accumulates. Risk ratings are typically structured as a three-tier system:
Low Risk — customers whose identity is verified, whose business purpose is straightforward, whose expected transaction behavior is well-defined, and who show no elevated risk indicators. Subject to standard monitoring and periodic CDD review on a longer cycle.
Medium Risk — customers who present one or more factors that warrant additional attention but do not rise to the level requiring EDD. Subject to moderately enhanced monitoring and more frequent periodic review.
High Risk — customers who present significant risk indicators requiring Enhanced Due Diligence. Subject to the most intensive monitoring, the most frequent periodic reviews, and ongoing senior management awareness.
Risk ratings must be applied consistently across your customer base using documented, objective criteria. The criteria for each tier must be defined in your CDD policy. Inconsistent application — where two customers with identical risk profiles receive different ratings based on individual analyst judgment — is a common and significant examination finding.
Enhanced Due Diligence — When Standard CDD Is Not Enough
For customers who present elevated money laundering or financial crime risk, standard CDD is legally insufficient. Enhanced Due Diligence (EDD) requires a deeper level of scrutiny, additional documentation, and more frequent ongoing review.
EDD is required or strongly indicated for the following categories:
Politically Exposed Persons (PEPs) — Foreign government officials, senior political figures, members of royal families, senior military officials, and their immediate family members and known close associates present an elevated risk of corruption-related money laundering. PEP status must be identified at onboarding through screening and requires EDD regardless of expected transaction volume.
High-Risk Geographies — Customers whose country of origin, residence, or primary business location is on the FATF grey or black list, subject to OFAC comprehensive sanctions, or otherwise identified in your risk assessment as high-risk.
High-Risk Industries — Customers operating in industries associated with elevated financial crime risk: money services businesses, cryptocurrency exchanges, cannabis companies, gambling operators, adult entertainment businesses, arms dealers, and politically sensitive sectors.
Complex or Opaque Ownership Structures — Business customers with multiple layers of corporate ownership, offshore holding companies, trust structures, nominee shareholders, or any arrangement that makes beneficial ownership difficult to establish clearly.
Customers with Unusual Transaction Patterns — Customers whose monitored activity deviates significantly and repeatedly from their established expected behavior profile — even if no single transaction is suspicious on its own.
EDD typically involves collecting additional documentation including source of funds and source of wealth evidence, a corporate structure chart for complex entities, audited financial statements where appropriate, senior management or compliance officer approval before the relationship proceeds, and a defined schedule for more frequent periodic CDD reviews.
Periodic CDD Review — The Ongoing Obligation
Your CDD program must include a structured process for periodically reviewing customer information to confirm it remains accurate and that the original risk assessment still reflects the customer's current profile.
Review frequency must be risk-based and documented in your CDD policy:
— High-risk customers — at minimum annually, often quarterly or semi-annually for the highest-risk relationships
— Medium-risk customers — every 12 to 24 months
— Low-risk customers — every 3 to 5 years, or triggered by monitoring alerts indicating a potential risk profile change
Periodic reviews should reassess the customer's risk rating, verify that identity and beneficial ownership information remains current, confirm that the customer's stated account purpose still aligns with observed transaction behavior, and document the review outcome and any changes to the customer's risk profile.
What Examiners and Sponsor Banks Focus On
During CDD program examinations, evaluators specifically assess:
Whether your written CDD policy covers all four required elements completely and specifically — not in vague or generic terms.
Whether beneficial ownership is being collected and actually verified — not just asked for. Collection without verification is a frequent and significant finding.
Whether customer risk ratings are being applied consistently across your entire customer base using defined, documented criteria.
Whether your ongoing monitoring program is genuinely integrated with CDD — whether monitoring alerts trigger customer-level review where appropriate.
Whether EDD is being applied to all customers and relationships that meet your defined EDD criteria, with appropriate documentation and senior management involvement.
Whether periodic CDD reviews are happening on schedule and producing documented outcomes — not just being logged as completed with no substantive review content.
The most common and serious CDD finding is a program that is well-designed in policy but inconsistently or superficially executed in practice.
Frequently Asked Questions
What is the difference between CDD and EDD?
Customer Due Diligence (CDD) is the standard level of due diligence required for all customers — identity verification, risk rating, ongoing monitoring, and periodic review. Enhanced Due Diligence (EDD) is a higher level of scrutiny required for customers who present elevated risk — PEPs, high-risk geographies, complex ownership structures, or other risk indicators. EDD involves additional documentation, more intensive oversight, and more frequent review.
When did CDD become a formal BSA requirement?
FinCEN's CDD Rule became effective on May 11, 2018, having been finalized in 2016. Before that, while due diligence expectations existed in regulatory guidance, they were not formally codified with the same specificity. The 2016 rule added beneficial ownership as a formal requirement and clarified the four core elements of a compliant CDD program.
Does CDD apply to business customers differently than individual customers?
Yes. For individual customers, CDD focuses on identity verification, risk profiling based on personal characteristics and expected activity, and ongoing monitoring. For business customers, CDD includes all of the above plus beneficial ownership identification and verification — determining who actually owns and controls the entity. Business customer CDD is generally more complex and time-intensive than individual customer CDD.
How long must CDD records be retained?
CDD records — including risk ratings, beneficial ownership documentation, EDD files, and periodic review documentation — must be retained for a minimum of five years following the closure of the account or the end of the customer relationship, consistent with BSA recordkeeping requirements.
How ComplyOne Helps
ComplyOne helps fintechs design and implement CDD programs that satisfy FinCEN's CDD Rule requirements, handle beneficial ownership correctly, integrate with transaction monitoring operations, and hold up under regulatory examination — through compliance technology, advisory services, or both. We help you build the program correctly the first time so you are not rebuilding it under examination pressure.
Talk to the ComplyOne team to get started.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Compliance requirements vary based on your business model, jurisdiction, and regulatory relationships. Consult a qualified compliance professional for guidance specific to your situation.