Customer Due Diligence (CDD) Explained: What Businesses Need to Know

Expanding into the European market brings many opportunities, but also important compliance responsibilities. One of the first challenges you’ll encounter is Customer Due Diligence (CDD). It’s a cornerstone of the EU’s anti‑money‑laundering (AML) framework, designed to prevent criminals from using legitimate businesses to launder funds or finance terrorism.

But what exactly is CDD, why is it so important, and how can companies, especially those new to the EU, implement it effectively? This article breaks down the essentials in a clear and practical way.

What Is Customer Due Diligence (CDD)?

Customer Due Diligence (CDD) is the process of identifying and verifying your customers and understanding the nature of your business relationship with them. It ensures that you know who you are doing business with, and whether they pose a risk of money laundering or terrorist financing.

Under EU law, certain categories of companies (known as “obliged entities”) are required to carry out CDD. With the upcoming Anti‑Money Laundering Regulation (AMLR) set to take effect in 2027, CDD rules will be further harmonised across the entire EU.

Which Businesses Must Apply CDD?

Not every business in the EU must perform full CDD. The rules apply to specific categories of obliged entities under EU AML law. These include:

  • Financial institutions: banks, payment providers, e‑money institutions, investment firms, insurers.
  • Professional services: auditors, accountants, tax advisers, and certain lawyers involved in financial or corporate transactions.
  • Trust and company service providers (TCSPs): firms that set up companies, act as directors, or manage trusts on behalf of clients.
  • Real‑estate agents: both for buyers and sellers in property transactions.
  • High‑value goods traders: where payments are made in cash above certain thresholds (e.g., jewelers, car dealers, art dealers).
  • Crypto‑asset service providers: exchanges, custodians, wallet providers.
  • Other high‑risk sectors: under the new AMLR this will expand to include, for example, professional football clubs and agents, and certain luxury‑goods dealers.

If your business does not fall into one of these categories, you may not be legally required to carry out full CDD. However, many non‑obliged companies still implement lighter CDD checks, especially when dealing with financial institutions, to demonstrate reliability and reduce reputational risk.

Why CDD Matters

CDD is much more than a mere box‑ticking exercise. Done properly, it:

  • Protects your business from reputational and financial damage.
  • Helps detect unusual or suspicious activity early.
  • Builds trust with regulators, banks, partners and clients.
  • Creates smoother banking and investment relationships.

For international companies entering the EU, robust CDD is often the first requirement banks, suppliers or professional partners check before they engage with you.

The Core Elements of CDD

EU AML rules outline three main elements of CDD:

Identifying and Verifying Customers

You must collect reliable information about the customer’s identity, such as name, address, date of birth (for individuals) and company registration details (for legal entities). The verification must be based on official documents or reliable electronic sources.

Identifying the Beneficial Owner

It’s not enough to know who signs the contract. You must know who ultimately owns or controls the business. Under current rules that means anyone with 25% or more ownership or control. In complex group structures this can mean tracing through layers or identifying control via voting rights or senior management.

Understanding the Business Relationship

You need to know why the client is engaging with your business. Is it a one‑time transaction or an ongoing relationship? What type of services are they using? This context helps you spot irregular transactions or patterns later.

Standard, Simplified and Enhanced Due Diligence

Not all customers present the same level of risk. That’s why EU rules distinguish between three types of due diligence:

  • Standard CDD: The baseline for most clients. It covers identity and beneficial‑owner checks plus understanding the relationship.
  • Simplified CDD: Allowed for lower‑risk situations (for example, EU‑listed companies subject to transparency rules). Fewer checks are required, though monitoring still applies.
  • Enhanced CDD (EDD): Required for higher‑risk clients such as politically‑exposed persons (PEPs), businesses in high‑risk jurisdictions or transactions involving complex ownership structures. EDD means collecting additional documents, verifying source of funds, and applying stricter monitoring.

Ongoing Monitoring

CDD is an ongoing obligation throughout the business relationship. Companies must:

  • Review and update customer information regularly.
  • Monitor transactions to ensure they match the customer’s expected profile.
  • Investigate unusual activity and report suspicious cases to the appropriate Financial Intelligence Unit (FIU).

This is where many businesses underestimate the workload: ongoing monitoring requires systems, staff training and clear escalation procedures.

Common Challenges in CDD

Even well‑prepared companies face difficulties, especially when expanding internationally. Some of the most common challenges include:

  • Complex ownership structures: Identifying the beneficial owner through multiple layers across jurisdictions can be time‑consuming.
  • High‑risk customers: Deciding when to apply EDD and how much extra information to request can be unclear without strong internal guidelines.
  • Data management: Storing and updating customer records securely while complying with data‑protection laws (such as the General Data Protection Regulation (GDPR)) is a significant operational task.
  • Consistency across markets: Global companies often struggle to align CDD procedures across different countries with different expectations.

Preparing for AMLR: What Will Change in 2027?

The upcoming Anti‑Money Laundering Regulation (AMLR) will bring important updates to CDD across the EU:

  • Lower thresholds: The “occasional transaction” threshold triggering CDD will drop to €10,000, meaning checks will become mandatory for more transactions.
  • Unified rules: No more major differences between Member States; businesses can apply one consistent set of procedures.
  • Stricter rules for cash and crypto: Large cash payments will be capped at €10,000 EU‑wide, and crypto transfers will require sender and recipient details.
  • Greater focus on beneficial ownership: Companies will face tighter obligations to maintain accurate and up‑to‑date ownership records.

For businesses this means stronger, more consistent expectations and less room for interpretation.

Practical Tips for Implementing CDD

To build a strong CDD framework, businesses should:

  1. Develop a written CDD policy aligned with EU standards.
  2. Use checklists and workflows to guide staff through onboarding and ongoing monitoring.
  3. Leverage technology for ID verification, sanctions screening and transaction monitoring.
  4. Train your team regularly.
  5. Document everything from CDD files to monitoring results and red‑flag investigations.

Frequently Asked Questions About CDD

What is Customer Due Diligence (CDD) in AML?

Customer Due Diligence (CDD) is the process of verifying a customer’s identity, identifying beneficial owners, and understanding the purpose of the business relationship. It is a core requirement under EU anti‑money‑laundering rules.

Who must carry out CDD in the EU?

CDD applies to obliged entities such as banks, payment providers, auditors, accountants, lawyers (in certain transactions), trust and company service providers (TCSPs), real‑estate agents, crypto‑asset service providers and certain high‑value goods dealers.

What is the difference between standard, simplified and enhanced CDD?

  • Standard CDD: Basic identity and ownership checks.
  • Simplified CDD: Fewer checks in lower‑risk cases (e.g., listed companies).
  • Enhanced CDD (EDD): Additional checks in higher‑risk cases (e.g., politically exposed persons, high‑risk countries).

How long must CDD records be kept?

Under EU AML rules, businesses must retain CDD records for at least 5 years after a relationship ends. In the Netherlands this aligns with the Wet ter voorkoming van witwassen en financieren van terrorisme (WWFT). Under Dutch tax law (e.g., the Algemene Wet Rijksbelastingen (AWR)) companies must keep general financial records (such as invoices) for 7 years. In practice many businesses keep both sets of documents for at least 7 years to cover both requirements.

If you’re planning to expand into the Netherlands or the wider EU, our team can help you navigate CDD and broader AML obligations with confidence. Contact us to learn more about how we can support your compliance journey.