Customer Due Diligence is a multi-step process that involves collecting and verifying information about a business during onboarding. We’ve compiled a checklist to help companies streamline this process while ensuring full compliance with regulations.
CDD checklist
CDD helps companies minimize the number of illegal activities conducted through their platform, including identity fraud or money laundering.
If a company fails to implement effective CDD procedures, criminals may abuse its platform for money laundering and other crimes, and the company may be held liable for the resulting damage.
To stay safe and compliant, companies need to ensure they perform essential CDD procedures, which are covered in the list below:
#1. Collect necessary data
A company should decide whether a client fits its established risk profile before entering into any kind of relationship with them. Most jurisdictions require the following information to be collected during the onboarding process:
- Full name;
- Date of birth;
- Residential address.
If identifying a business, regulators usually require companies to collect the following:
- Full name;
- Registered office in the country of incorporation;
- Principal business address.
After collecting personal information, the company should verify it against government-issued documents.
How: Companies can conduct verification manually or with an automated solution. Manual solutions can allow companies more control over the verification process, while automated solutions can process large amounts of data and onboard more customers. Sumsub’s experience shows that automated approaches can save up to 40% on verification.
Suggested read: Managing KYC Dilemmas: In-house vs. Outsourced Solutions.
#2. Employ third-party providers
Some data needed for CDD is only accessible through reliable third-party sources, such as banks, lawyers, or auditors. These sources can improve a company’s ability to verify customer information and determine whether a customer is involved in criminal activity.
How: Companies need to ensure that their third-party providers are trustworthy and that the information they share is reliable, because companies can be held liable for mistakes made by third parties. Therefore, it’s essential to check a third-party data provider’s certification before hiring them.
#3. Determine the customer’s risk level and take additional measures
Based on the customer’s risk level, companies should choose between two types of due diligence: Simplified Due Diligence (SDD) for low-risk clients and Enhanced Due Diligence (EDD) for high-risk clients.
How: When a company implements the EDD process, it should include the following steps:
- Employing a risk-based approach;
- Obtaining additional identifying information;
- Analyzing source of funds;
- Transaction monitoring;
- Adverse media and negative news checks;
- On-site visit;
- Ongoing monitoring.
If using SDD, companies can loosen the checks by adjusting:
- The timing of CDD;
- The quantity of information obtained for identification, verification, or monitoring purposes;
- The quality or source of obtained information;
- The frequency of CDD updates and reviews of the business relationship;
- The frequency and intensity of transaction monitoring.
More information about detecting and dealing with low- and high-risk customers is available in our complete guide for the UK (much of which also applies elsewhere).
#4. Organize secure and compliant data storage
Not only does a company need to verify its customers, it also needs to store the collected information in case regulators request it.
How: Each country sets a timeframe during which all information about customers and their transactions must be kept. The minimum period recommended by the FATF is five years.
For example, in the US, India, and China, companies are obliged to retain information about clients for five years after the end of the customer relationship or five years after the completion of an occasional transaction. Other countries, such as Saudi Arabia and Qatar, have established a period of ten years. In El Salvador it’s even longer, at 15 years under the Bitcoin Law.