Navigating Customer Due Diligence Under the UK Money Laundering Regulations 2017: Legal Framework and Practical Implementation

Explore the essential CDD requirements under MLR 2017, from risk-based assessments to ongoing monitoring, and learn how upcoming 2025 reforms will streamline compliance.

Customer Due Diligence (CDD) is a fundamental pillar of the UK’s Anti-Money Laundering framework, setting out essential risk management processes that financial institutions and designated non-financial businesses must follow to verify customer identity and monitor clients effectively to mitigate money laundering risks.

This analysis explores the detailed CDD requirements under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs 2017), focusing on the legal framework, procedural duties, and practical issues faced by regulated entities.

Importance of Customer Due Diligence (CDD)

As financial crime becomes increasingly sophisticated, the UK has been developing regulatory measures to safeguard the integrity of its financial system. CDD, as mandated by Regulation 27 of the MLRs 2017, is a critical defence mechanism designed to prevent the misuse of legitimate business relationships for money laundering or terrorist financing.

The regulations position accounting firms, financial institutions, and other designated businesses as key “gatekeepers” responsible for detecting and mitigating risks associated with illicit activities.

The UK Government has announced its initiative to reform the MLRs by the end of 2025, responding to widespread concerns within the professional services sector about complex AML requirements. These reforms aim to reduce regulatory complexity while maintaining the UK’s defences against financial crime, with a specific focus on streamlining CDD processes and encouraging the use of digital identity verification.

The changes are part of the Government’s broader commitment to reduce administrative regulatory costs by 25% and support the UK’s professional services sector, which contributed £300 billion to the economy in 2024. While maintaining compliance with international standards, the reforms seek to create a more proportionate and risk-based approach that reduces the burden on regulated entities without compromising the integrity of the financial system.

The Money Laundering Regulations 2017 (MLRs 2017) set out four mandatory Customer Due Diligence (CDD) measures under Regulation 27. These are: verifying customer identity through reliable, independent documents; identifying beneficial owners with 25% or more ownership or control; understanding the purpose and intended nature of the business relationship; and continuously monitoring the relationship.

Importantly, the regulations also require firms to identify and verify the board of directors and senior persons responsible for operations. Where there is no formal board of directors, this extends to members of the equivalent management body and senior persons responsible for

For more detailed guidance on identifying beneficial ownership, see our KYC Compliance Guide.

The Role of a Risk-Based Approach in Customer Due Diligence (CDD)

The regulations require a risk-based approach to Customer Due Diligence (CDD), compelling businesses to assess and classify money laundering risks into three tiers: high, medium, and low. High-risk scenarios, such as complex corporate structures, clients from high-risk jurisdictions, or politically exposed persons (PEPs), trigger Enhanced Due Diligence (EDD) procedures.

Medium risk is the default category, applying standard CDD measures, while low-risk clients, including public authorities and credit institutions subject to equivalent AML standards, may qualify for Simplified Due Diligence (SDD). 

Learn how to perform an accurate risk assessment to classify customers in our Risk Assessment Guide.

Documentation and Verification

The MLRs impose comprehensive documentation standards for both individuals and corporate clients. Verifying the identity of an individual typically involves government-issued photo ID (for example, a passport or driver’s licence) and proof of address (for example, a utility bill or council tax bill).

For corporate entities, documentation includes certified Certificates of Incorporation, shareholder registers, articles of association, and proof of registered office. The process also requires beneficial ownership verification to ensure transparency.

Certification must be performed by qualified professionals such as lawyers, chartered accountants, or notaries. Identifying beneficial owners is crucial, especially for private companies whose ownership is not publicly transparent; this requires detailed verification of the individuals holding significant control or ownership.

Timing and Application of CDD

CDD must be applied at key points: when establishing a new business relationship, when carrying out an occasional transaction above the specified thresholds, upon suspicion of money laundering or terrorist financing, or when doubts arise about previously obtained information. The process involves three stages: identification, risk assessment, and verification. This ensures that client information is not only collected but continuously evaluated and validated against independent sources.

Ongoing Monitoring and Compliance

Regulation 28(11) mandates ongoing monitoring to ensure that transactions align with the customer’s profile and that documentation remains current. Businesses must implement transaction monitoring systems to detect suspicious activity and ensure compliance with Customer Due Diligence requirements.

This dynamic process recognises that risk profiles evolve, requiring more frequent reviews for higher-risk clients and triggering additional scrutiny when unusual activity occurs. Annual reviews are standard for all relationships, with transaction monitoring designed to detect inconsistencies and verify sources of funds when necessary. 

Enhanced Due Diligence (EDD)

When standard Customer Due Diligence (CDD) is insufficient due to heightened risks, Enhanced Due Diligence (EDD) measures under Regulation 33 come into effect. These include obtaining deeper insights into the customer’s background, purpose of the relationship, and sources of wealth. EDD also demands senior management approval for onboarding high-risk clients and increased frequency and intensity of monitoring, particularly for clients linked to high-risk countries or politically exposed persons. 

Conclusion

The UK’s Customer Due Diligence (CDD) framework under the MLRs 2017 represents a comprehensive, risk-focused system designed to combat evolving money laundering threats while attempting to balance the regulatory compliance burden with practical implementation.

However, the current regulatory landscape is set for significant transformation: the UK Government’s announcement of comprehensive MLR reforms by the end of 2025 reflects a growing recognition that the existing framework, while vital for safeguarding against financial crime, has become overly complex for regulated entities.

Its success depends not only on formal procedures but on the quality of implementation, requiring firms to cultivate a strong compliance culture, maintain up-to-date knowledge of risks, and exercise professional judgement in assessing client relationships. As financial crime tactics evolve, the CDD regime must remain flexible, ensuring the continued protection of the financial system from criminal exploitation.

Frequently Asked Questions

What are the four customer due diligence requirements?

The four key Customer Due Diligence (CDD) requirements are:

  1. Verify the customer’s identity.

  2. Identify the beneficial owner(s).

  3. Understand the purpose of the business relationship.

  4. Continuously monitor the relationship and transactions.

What is the meaning of customer due diligence?

Customer Due Diligence (CDD) refers to the process of verifying the identity of clients and assessing potential risks to prevent financial crimes like money laundering and terrorism financing.

What is CDD with an example?

Customer Due Diligence (CDD) involves verifying a customer’s identity and understanding their business relationship. For example, a bank verifies a client’s identity with a passport and utility bill before opening an account.

What is CDD vs KYC?

CDD (Customer Due Diligence) is a process within KYC (Know Your Customer). KYC refers to the overall procedure of verifying a customer’s identity, while CDD focuses on assessing risk and monitoring ongoing transactions.
