
CDD – Customer Due Diligence

Key Takeaways

  • Risk-based customer due diligence reduces exposure to money laundering, sanctions breaches, and ESG violations across global supply chains.
  • Since around 2020, regulators including the EU (AMLD5/6), FinCEN (CDD Rule), and CSDDD drafters have raised expectations for documented customer risk assessment and enhanced due diligence.
  • Effective CDD combines customer identification, risk scoring, enhanced checks for high risk customers, and continuous monitoring across the full customer relationship lifecycle.
  • Platforms like ImpactBuying connect CDD, supplier due diligence, and product traceability to identify human rights, deforestation, and environmental risks alongside traditional financial crime risk.
  • This article provides a concrete, step-by-step customer due diligence process with practical tips for compliance teams operating in 2024–2026.

Introduction to Customer Due Diligence and Client Risk

Customer due diligence is the structured process financial institutions, retailers, manufacturers, and traders use to understand who they are doing business with and what risks that business relationship carries. It has never mattered more. Fraud-related crimes cost $485.6 billion globally in 2023, and enforcement actions keep climbing. Danske Bank paid over $2 billion in 2022 for AML control failures. Monzo was fined £21 million in 2023 by the FCA. In 2024, a US bank was fined $3.09 billion for AML violations. CDD protects businesses from fines and reputational damage of this magnitude.

CDD is not limited to banking. Companies dealing with complex supply chains must also know who their customers and suppliers are, how they operate, and where ESG and financial crimes risks may arise. This article is written from ImpactBuying’s perspective, focusing on integrating CDD with supply chain transparency, ESG reporting, and regulations like CSRD, EUDR, CSDDD, and LkSG.

  • CDD serves both regulatory compliance and strategic risk management
  • It spans financial crime prevention and ESG due diligence
  • Customer Due Diligence helps prevent financial crimes and assess potential risks across your entire value chain

What Is Customer Due Diligence (CDD)?

Customer due diligence (CDD) is the structured process of identifying customers, verifying their identity, understanding the nature and purpose of the business relationship, and assessing customer risk on an ongoing basis. CDD aims to prevent financial crime and to surface client risks before and during the engagement.

CDD is vital for anti-money laundering (AML) compliance. While KYC focuses on who the customer is at onboarding, CDD extends through the entire customer lifecycle with ongoing monitoring and periodic reviews. CDD is mandated by law in the US and EU: the FinCEN CDD Rule became effective in May 2018, the EU AML directives (AMLD5/6) impose similar obligations, and anti-money laundering laws globally require documented due diligence steps. CDD processes must comply with local AML and counter-terrorist financing (CTF) regulations.

CDD applies to both individuals and legal entity customers, including beneficial owners, intermediaries, and counterparties. Practical examples include onboarding a new wholesale buyer in 2026, vetting a cocoa exporter in West Africa, or approving a high-volume marketplace seller.

The Core CDD Customer Due Diligence Process

Every compliance team can adapt the following customer due diligence process to its own risk appetite and sector. Identifying the nature and purpose of a business relationship is crucial in CDD, and these steps ensure nothing is missed:

  1. Customer identification – Collect customer data including full legal name, address, tax ID, ownership structure, and ESG certifications
  2. Customer verification – Confirm the customer’s identity through reliable independent sources and document checks
  3. Understanding the relationship – Document the expected nature, purpose, and scope of the customer relationship
  4. Risk assessment and scoring – Assign a risk profile based on geography, sector, product types, transaction volume, and ESG risk factors
  5. Determining CDD level – Apply simplified, standard, or enhanced due diligence measures based on the risk rating
  6. Decision and onboarding – Approve or decline, with senior management approval for high risk cases
  7. Continuous monitoring and periodic review – Refresh customer information at intervals tied to the customer’s risk level

This process is risk-based: low risk customers may go through simplified due diligence while higher-risk profiles trigger enhanced checks.

Customer Identification and Verification

Robust customer identification is the foundation of any CDD process. CDD includes gathering baseline data on clients such as name and address before entering into a formal relationship. Verification of client identity involves reliable independent sources such as government-issued ID, registration documents, and tax records.

For individuals, verify full legal name, date of birth, residential address, passport or national ID, and tax identification numbers. For legal entities, collect official registration documents (Chamber of Commerce extract, Articles of Association, VAT number, LEI), country of incorporation, and legal form. Identifying the Ultimate Beneficial Owner is a key component of CDD and must cover anyone with significant control.

In complex supply chains, the “customer” may include trading houses, agents, and regional buying offices. ImpactBuying’s supply chain mapping reveals upstream and downstream counterparties. Technologies like OCR, eID schemes, and portal-based data collection through tools such as Maxsight™ automate identity verification and risk profiling, streamlining the process for large customer portfolios.

Customer Risk Assessment Methodology

Customer risk assessment is the heart of the diligence process, turning raw identity data into a risk rating that guides due diligence measures and monitoring intensity. A risk-based approach is used to assess client risks in CDD, and companies categorize clients into risk profiles based on several factors.

Key risk factors include:

Risk Factor            Examples
Geography              High risk jurisdictions per FATF lists, high risk countries flagged for corruption
Sector                 Cash-intensive, high-ESG-risk sectors (cocoa, palm oil, cotton, timber)
Product type           Commodities prone to deforestation or forced labour
Transaction patterns   High transaction volume, unusual frequency, complex payment routes
Ownership              Opaque ownership structure, nominee shareholders
ESG indicators         Adverse media on child labour, deforestation alerts, environmental violations
Other risk factors     PEP connections, sanctions exposure, regulatory history

Data sources for customer risk assessment include sanctions lists, PEP databases, adverse media screening, sustainability ratings, NGO reports, and ImpactBuying’s supplier and product chain database. The initial risk rating directly determines whether simplified, standard, or enhanced due diligence is required and the intensity of ongoing due diligence applied. Risk management depends on getting this scoring right.

Types of Due Diligence: Simplified, Standard, and Enhanced

There are three levels of customer due diligence: simplified, standard, and enhanced. Each maps to a different risk rating.

  • Simplified Due Diligence (SDD) is the lightest level, reserved for demonstrably low risk customers such as public authorities in low-risk countries buying small volumes. Fewer data points, less frequent reviews.
  • Standard CDD is the default level for customers who are neither low-risk enough for SDD nor flagged as high risk. It involves full identification, verification, and a structured risk assessment aligned with AML and ESG obligations.
  • Enhanced Due Diligence (EDD) is for high-risk customers needing thorough scrutiny – politically exposed persons, entities in conflict regions, suppliers linked to deforestation hotspots under EUDR, or companies with unresolved human rights allegations.

Both financial crime triggers and ESG risk indicators can escalate a customer to EDD in 2024–2026. Sanctions exposure and credible indications of deforestation or forced labour are equally valid triggers, which ties CDD directly to ImpactBuying’s broader sustainability mission.

Enhanced Due Diligence (EDD) for High-Risk Customers

Enhanced due diligence (EDD) is a deeper diligence process applied where customer risk is assessed as high. Regulators expect clear, written policies specifying when and how EDD is triggered and what additional measures follow.

Typical triggers include high risk jurisdictions listed by FATF, complex ownership structures, PEP status (politically exposed persons), history of regulatory violations, or links to ESG issues like child labour in cocoa supply chains. Additional documentation collected during EDD includes:

  • Source of wealth and source of funds
  • Expanded corporate structure diagrams showing all beneficial owners
  • ESG certifications, third-party audit reports, human rights policies
  • Environmental impact reports and on-site assessment results

EDD findings require senior management approval and must be documented to withstand regulatory inspection. ImpactBuying’s platform supports EDD by aggregating multi-tier supply chain data, third-party ESG assessments, and transaction information into a single customer risk view for the compliance team.

Continuous Monitoring and Ongoing Due Diligence

CDD is not a one-time event. Ongoing CDD means continuously monitoring customer activity throughout the relationship, and AML regulations globally require it. A continuous, event-driven refresh of the customer profile, rather than a fixed-calendar review alone, is also known as perpetual KYC (pKYC).

Ongoing monitoring identifies unusual patterns in customer behaviour and detects changes that indicate increased risk, so that customer risk profiles stay current as circumstances change. It includes:

  • Automated transaction monitoring to flag suspicious transactions and suspicious activity
  • Sanctions and PEP rescreening at regular intervals
  • Periodic risk-based CDD refreshes (annually for high-risk, every 3–5 years for low-risk)
  • Review of adverse media, ESG reports, and customer behavior changes

When suspicious behaviour is detected – such as a supplier appearing on a sanctions list or media revealing forced labour – the compliance team must reassess the customer’s risk immediately and, where warranted, file a suspicious activity report with the relevant authority. Ongoing monitoring is what keeps CDD aligned with both AML obligations and ESG frameworks like CSRD and CSDDD.
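The scoring, tiering and reassessment logic described in the risk assessment and monitoring sections above, as an added worked example. This is illustrative code written for this page, not ImpactBuying’s platform code or any regulator’s prescribed method. The factor weights, the EDD and SDD thresholds, the review intervals, the placeholder jurisdiction codes “XA”/“XB”, the monitoring event names, and the three sample customers are all assumptions chosen to show how additive scoring, hard overrides (sanctions, PEP) and event-driven re-scoring fit together:

```python
# Added illustrative example (not ImpactBuying code): weighted risk scoring, tier
# mapping with hard overrides, and event-driven reassessment of a customer profile.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

class Tier(Enum):
    SDD = 0  # numeric values give the rank order used to detect escalation
    CDD = 1
    EDD = 2

REVIEW_MONTHS = {Tier.EDD: 12, Tier.CDD: 24, Tier.SDD: 48}  # annual / 2 years / 3-5 years
# Assumed weights and thresholds; a real programme calibrates these to its risk appetite.
WEIGHTS = {"jurisdiction": 40, "sector": 15, "volume": 10, "ownership": 20, "esg_alert": 15, "pep": 30}
EDD_THRESHOLD, SDD_THRESHOLD, HIGH_VOLUME_EUR = 50, 15, 5_000_000
# Constructed reference data. A real programme loads FATF, sanctions, PEP and ESG feeds;
# "XA" and "XB" are placeholder codes, not real jurisdictions.
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}
HIGH_ESG_SECTORS = {"cocoa", "palm oil", "cotton", "timber"}

@dataclass
class Customer:
    name: str
    country: str
    sector: str
    annual_volume_eur: float
    public_authority: bool = False
    pep: bool = False
    sanctions_hit: bool = False
    opaque_ownership: bool = False
    esg_alerts: List[str] = field(default_factory=list)

@dataclass
class Assessment:
    score: int
    tier: Tier
    review_months: int
    reasons: List[str]  # the written rationale a reviewer or regulator will ask for

def score_customer(c: Customer) -> Assessment:
    """Sum weighted factors, then map the score to a tier. Sanctions exposure and
    PEP status are hard overrides that force EDD whatever the additive score."""
    score, reasons = 0, []
    factors = [
        (c.country in HIGH_RISK_JURISDICTIONS, "jurisdiction", f"high-risk jurisdiction {c.country}"),
        (c.sector in HIGH_ESG_SECTORS, "sector", f"high-ESG-risk sector {c.sector}"),
        (c.annual_volume_eur > HIGH_VOLUME_EUR, "volume", "high transaction volume"),
        (c.opaque_ownership, "ownership", "opaque ownership structure"),
        (c.pep, "pep", "politically exposed person"),
    ] + [(True, "esg_alert", f"ESG alert: {a}") for a in c.esg_alerts]
    for hit, key, reason in factors:
        if hit:
            score += WEIGHTS[key]
            reasons.append(reason)

    if c.sanctions_hit:
        tier = Tier.EDD
        reasons.append("sanctions exposure (hard override)")
    elif c.pep or score >= EDD_THRESHOLD:
        tier = Tier.EDD
    elif c.public_authority and score < SDD_THRESHOLD:
        tier = Tier.SDD  # the narrow low-risk case: public body with no risk signals
    else:
        tier = Tier.CDD
    return Assessment(score, tier, REVIEW_MONTHS[tier], reasons)

def reassess_on_event(c: Customer, event: str, previous: Assessment) -> Tuple[Assessment, bool]:
    """Apply a monitoring event to the profile and re-score at once. Returns the new
    assessment and whether the tier was raised, which is the trigger for escalation."""
    if event == "sanctions_listing":
        c.sanctions_hit = True
    elif event == "pep_identified":
        c.pep = True
    elif event.startswith("adverse_media:"):
        c.esg_alerts.append(event.split(":", 1)[1])
    else:
        raise ValueError(f"unknown monitoring event: {event}")
    new = score_customer(c)
    return new, new.tier.value > previous.tier.value

def sample_customers() -> List[Customer]:
    """Constructed sample portfolio; returns fresh objects on each call."""
    return [
        Customer("Municipal buyer", "NL", "public sector", 50_000, public_authority=True),
        Customer("Cocoa exporter", "CI", "cocoa", 8_000_000, opaque_ownership=True,
                 esg_alerts=["child labour report"]),
        Customer("Apparel wholesaler", "DE", "apparel", 2_000_000),
    ]

if __name__ == "__main__":
    portfolio = sample_customers()
    for cust in portfolio:
        a = score_customer(cust)
        print(f"{cust.name}: score={a.score} tier={a.tier.name} review in {a.review_months} months")
    before = score_customer(portfolio[2])
    after, escalated = reassess_on_event(portfolio[2], "sanctions_listing", before)
    print(f"{portfolio[2].name}: {before.tier.name} -> {after.tier.name}, escalated={escalated}")
```

Two design points matter more than the particular weights. First, sanctions and PEP status are overrides rather than weighted factors, so no combination of otherwise benign attributes can average them away. Second, the reasons list is part of the result, because the decision has to be defensible at inspection time; in a production system the event and the new assessment would be persisted as an audit record rather than mutating the customer object in place as this example does.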

ImpactBuying’s real-time dashboards and alerts help track customer risk signals across thousands of supply chains simultaneously.

Customer Due Diligence in Global Supply Chains and ESG Compliance

Traditional CDD concepts are increasingly applied beyond banking. Retailers, brands, and manufacturers must understand not only who their customers are, but how and where products are produced. This proactive approach connects CDD with regulatory frameworks like CSRD, EUDR (effective 2025–2026), CSDDD, and LkSG.

Customer risk assessment in this context means evaluating risks of child labour, forced labour, deforestation, and environmental harm across operations and upstream suppliers. For example, assessing a new apparel customer sourcing cotton from high-risk regions in 2024 requires integrating financial checks with social compliance audits and satellite-based deforestation analysis. Companies must mitigate risks across the entire value chain and address financial risks alongside ESG exposures.

ImpactBuying’s mapping of more than 250,000 supply and product chains provides a unique data foundation to enrich CDD decisions with verified supplier and product information, turning due diligence into a strategic sustainability tool.

Building a Robust CDD Framework and Governance Model

An effective CDD framework depends on clear policies, defined roles, and strong governance. Compliance with CDD can help avoid regulatory penalties and protect reputations, but only if the framework is properly built and maintained. The UK FCA requires full documentation for CDD compliance, and other regulators expect the same.

Key elements include:

  • Documented risk-based approach with customer acceptance criteria
  • Robust CDD processes covering standard and EDD procedures, review cycles, record-keeping, and escalation for risk issues
  • Clear responsibilities for the compliance team, first-line business units, and senior management
  • Regular staff training on AML, sanctions, human rights risks, and terrorist financing typologies
  • Independent compliance monitoring and internal audit checks to verify adherence to regulatory obligations

ImpactBuying consultancy helps design or review CDD frameworks, align them with ESG strategies, and prepare for audits.

Technology, Automation, and Data in the CDD Process

Manual CDD is no longer sustainable for organizations managing thousands of customers across multiple jurisdictions. Automated CDD processes enhance efficiency and compliance. CDD software improves accuracy in risk assessment and reduces human error across the diligence process.

Key technology capabilities include digital onboarding portals, document capture and verification, automated systems for PEP/sanctions/negative news screening, risk scoring engines, workflow management, and API integrations. ImpactBuying’s platform connects supplier databases, product traceability data, ESG risk indicators, and external compliance data into a single customer risk profile.

Consider a practical scenario: a retail compliance team in 2026 uses automated rules to flag customers sourcing from newly restricted deforestation areas, routing them automatically into enhanced due diligence workflows. Data quality, version control, and audit trails remain critical – robust documentation supports defensible decisions if questioned by regulators.

Practical Steps to Strengthen Your CDD Process in 2024–2026

Here is a prioritized list of improvements you can implement over the next 12–24 months to address financial crime and evolving ESG obligations:

  1. Map your existing customer due diligence process end to end
  2. Define or update risk scoring criteria incorporating financial and ESG risk levels
  3. Consolidate customer data into a single customer view
  4. Integrate ESG and supply chain data into risk assessments
  5. Automate screening, monitoring, and transaction flagging
  6. Set clear review frequencies by risk level
  7. Align CDD enhancements with EUDR obligations on coffee, cocoa, palm oil, soy, and timber imports
  8. Train front-line teams on red flags for both financial crime and ESG risk issues

Phased roadmap example: Q3 2024 – map processes and define scoring. Q1 2025 – consolidate data and automate screening. Q3 2025 – integrate ESG data. Q1 2026 – full alignment with EUDR and CSDDD requirements.

How ImpactBuying Supports Customer Due Diligence and Risk Assessment

ImpactBuying combines a supply chain transparency platform with expert consultancy to strengthen both financial and ESG aspects of customer due diligence.

Core capabilities include:

  • Multi-tier supply chain mapping across 250,000+ supply and product chains
  • Centralized supplier and customer databases with verified ESG data
  • Deforestation and environmental impact analytics using satellite and field data
  • Configurable dashboards delivering real-time insights to compliance teams

ImpactBuying automatically enriches customer profiles with country risk, sector risk, certifications, and verified production site data, serving food, retail, textiles, homeware, and DIY sectors.

Ready to assess risk across your supply chain? Schedule a demo or workshop with ImpactBuying to review your current CDD framework against 2026 regulatory expectations.

Frequently Asked Questions about CDD and Customer Risk Assessment

These FAQs address practical questions facing compliance teams in 2024–2026.

How often should we review and update customer due diligence files?

Review frequency should be risk-based. High-risk customers require review at least annually. Medium-risk customers should be reviewed every two years, and low risk customers every three to five years. Immediate reviews are required when significant risk events occur, such as a sanctions listing, serious ESG allegation, or drastic change in transaction patterns. Regulators from 2022–2025 expect documented review cycles with clear evidence that files and risk assessments have been updated. Automated reminders and dashboards help manage these cycles across large portfolios.

What can we do if key CDD information is hard to obtain in high-risk regions?

In some countries, official records and reliable documentation are limited. Use multiple independent sources, third-party field audits, local partner attestations, and triangulate data from trade documents, ESG audits, and satellite imagery. Document limitations transparently, record residual risks, and explain the rationale for proceeding or declining the customer relationship. Apply enhanced due diligence or stricter risk appetite in such cases. The customer’s background must be assessed with whatever credible evidence is available.

How does CDD connect with ESG and human rights due diligence under CSRD and CSDDD?

AML-focused CDD and ESG due diligence come from different legal frameworks, but both require systematic risk assessment, data collection, and continuous monitoring. Customer risk assessment can integrate ESG risk indicators – child labour risk scores, deforestation alerts, climate risks – so one customer profile supports both financial crime and sustainability reporting. ImpactBuying’s platform bridges this gap by mapping supply chains, collecting verified ESG data, and linking it to customer records used in CDD processes.

What is the minimum CDD we must perform for small, low-risk customers?

Even for small or low-risk customers, perform basic customer identification, verification, and a simple risk assessment aligned with applicable AML and sector regulations. A minimal data set includes verified identity, country, basic business description, expected transaction levels, and any ESG red flags. Document your reasoning for classifying the customer as low-risk. Ongoing monitoring should still occur at lower intensity with less frequent reviews.

How can smaller companies build an effective CDD process with limited resources?

Start with a clear risk-based policy, simple risk scoring, and a standardized checklist. Use scalable tools like ImpactBuying’s platform that allow gradual adoption – begin with supplier mapping and basic screening, then add advanced analytics as your business grows. Focus on the highest-risk customers and supply chains first, ensuring scarce compliance capacity is allocated where it reduces the most risk.