What is Customer Due Diligence (CDD)?
An overview of regulatory obligations and enforcement trends across the EU and UK financial systems.
Published June 2, 2025
TL;DR
Customer Due Diligence (CDD) is vital for AML compliance in the EU and UK, requiring firms to verify customer and beneficial owner identities, understand business relationships, and monitor transactions.
Failures have led to multi-billion dollar fines and major reputational damage. CDD is an ongoing obligation, not a one-time check.
Introduction
The Financial Action Task Force (FATF) Recommendations [1] define CDD as the process of verifying a client’s identity and that of their beneficial owners, and assessing their risk profile, in order to ensure that they are who they claim to be. It is a cornerstone of the broader anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations in force across jurisdictions. Effective CDD improves financial transparency and prevents criminals and terrorists from misusing companies and accounts for illicit transactions. To detect suspicious activity and meet their legal obligations, obliged entities must perform CDD properly and embed it in a sound “Know Your Customer” (KYC) process.
This article provides an overview of CDD requirements in the EU and UK, highlighting key laws, and real-world cases where CDD failures led to regulatory action.
CDD requirements in the European Union (EU)
In the European Union, customer due diligence duties are defined by the successive Anti-Money Laundering Directives, beginning with Directive (EU) 2015/849 (the 4th AMLD) [2]. The 4th AMLD established a risk-based framework requiring “obliged entities”, such as banks and other financial institutions, to apply CDD measures when entering a business relationship.
Under Article 13 of the 4th AMLD, firms must:
- identify the customer and verify the customer’s identity using reliable, independent documents or data;
- identify any beneficial owner, who ultimately holds ownership of a company or account, and implement measures to verify that person’s identity and understand the ownership/control structure;
- obtain information on the purpose and intended nature of the business relationship; and
- conduct ongoing monitoring of the relationship, including scrutiny of transactions to ensure they are consistent with the customer’s profile and keeping information up to date.
These steps align with international standards set by the Financial Action Task Force and create a comprehensive KYC process.
The EU has continually updated its AML regime to address emerging risks. The 5th AMLD (Directive (EU) 2018/843) [3] expanded CDD obligations in several ways. It brought new sectors under AML/CFT requirements: for example, virtual currency exchanges, wallet providers and art intermediaries became “obliged entities” subject to CDD duties. It also enhanced transparency of beneficial ownership by requiring greater public access to central registers of company beneficial owners, and it tightened the conditions for anonymous instruments, such as prepaid cards, to mitigate misuse. The 6th AMLD (Directive (EU) 2024/1640) [4], among other things, harmonized the rules on beneficial ownership registers and on cooperation between Financial Intelligence Units.
Together, these directives oblige EU firms to maintain robust CDD programs (including verification of customers and owners, monitoring of transactions, and reporting of suspicious activities) under the oversight of national regulators. It is important to note that EU directives set minimum standards which member states implement through national laws; many EU countries have their own AML laws that meet or exceed the directive requirements. In addition to the EU rules, the European Banking Authority (EBA) issues guidelines [5] on risk factors and customer due diligence to ensure consistent supervisory expectations across the EU.
CDD requirements in the United Kingdom (UK)
The United Kingdom codified its CDD requirements in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 [6]. Under these regulations, before entering a business relationship or conducting certain transactions, a relevant person (e.g., a bank or other regulated firm) must perform standard CDD measures. These include:
- identifying the customer,
- verifying their identity, and
- identifying any beneficial owner behind the customer.
Firms must also assess the purpose and intended nature of the business relationship, and they must conduct ongoing monitoring of the relationship and transactions to spot inconsistencies or suspicious activity. These obligations in the UK regulation closely mirror the EU’s directive requirements.
The UK regulations also specify when CDD must be applied: on establishing a business relationship, on carrying out an occasional transaction above a defined threshold, where money laundering or terrorist financing is suspected, and where there are doubts about the veracity of previously obtained customer information. The FCA’s Financial Crime Guide [7] emphasizes that the approach to due diligence is risk-based: the depth of due diligence should be commensurate with the risk posed by the client or transaction.
Quiz: What is a core requirement of Customer Due Diligence (CDD) under EU and UK regulations?
CDD obligations are foundational to AML compliance. Which of the following is a required step for regulated entities?
A) Allowing clients to transact anonymously below a set threshold.
B) Verifying the client’s source of wealth only after transactions.
C) Identifying and verifying the customer and any beneficial owners.
D) Only collecting customer email and address at onboarding.
Consequences of CDD failures
Non-compliance with CDD obligations can trigger regulatory action with severe consequences for institutions, including substantial fines and the possibility of criminal penalties. The following case studies, drawn from the EU and the UK, illustrate the consequences of inadequate customer due diligence.
The Estonian branch of Danske Bank was the subject of a major money laundering investigation [8], which revealed a significant breach of financial regulations: about €200 billion in suspicious flows from non-resident clients (2007–2015) went largely unchecked. The bank's CDD controls were found to be severely deficient, and the branch was used for tax evasion and potentially for military and terrorist financing. This failure in due diligence and monitoring not only allowed illicit funds to flow through Estonia but also meant that other banks processed the funds downstream. Investigations by Danish, Estonian, U.S., and other authorities revealed systemic AML failures. In 2022, Danske Bank pleaded guilty to fraud in the U.S. (for misleading U.S. banks about its Estonian AML controls) and agreed to pay about $2 billion [9] in fines and forfeitures as part of a global settlement. The case serves as a warning to the European financial sector, demonstrating the regulatory and reputational repercussions of inadequate CDD, particularly concerning high-risk non-resident clients and intricate corporate structures.
In the United Kingdom, National Westminster Bank (NatWest) was fined £264.8 million in 2021 [10], after pleading guilty to offences under the UK Money Laundering Regulations. The case centred on NatWest’s relationship with a client (a jewellery business) that deposited staggering amounts of cash. When NatWest onboarded this small business, it initially expected little or no cash turnover. However, over a five-year period, approximately £365 million flowed into the account, £264 million of it in cash. Despite these red flags, NatWest failed to conduct appropriate ongoing due diligence and monitoring. Some bank employees raised internal suspicions, but the bank’s investigation unit took no sufficient action. NatWest’s automated transaction monitoring system also erroneously treated large cash deposits as cheques, assigning them a lower risk score. The combination of these failures meant that the alarm bells that should have rung loudly were ignored. In sentencing the bank, the Director of Enforcement and Market Oversight at the FCA observed that NatWest played a "functionally vital" role in the money laundering that took place: without the bank's compliance breaches, such flagrant laundering could not have occurred.
The case underscores the importance of robust CDD and ongoing monitoring: a bank must not only verify a client at onboarding, but also continually assess whether the client’s activity matches the expected profile. Both cases show that regulators in the EU and UK are actively enforcing CDD and AML requirements. A financial institution's failure to follow rigorous due diligence procedures can facilitate money laundering, whether through inadequate customer screening, misunderstanding the provenance of funds, or insufficient transaction monitoring. The consequences may include financial penalties in the millions or billions of dollars, criminal prosecution, business restrictions, and long-lasting reputational damage.
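The NatWest narrative above turns on two controls: an onboarding profile recording the expected cash turnover, and an ongoing comparison of actual activity against that profile, with a decoding defect (cash deposits recorded as cheques) silencing the comparison. The Python below is an added example written for this article; it is not code from the article, from NatWest, or from the FCA. The profile fields, the channel codes (`CSH`, `CHQ`, `TRF`), the tolerance multiplier and the transaction feed are all constructed and hypothetical. It runs the same profile check over the same feed twice, once with a mapping that mislabels cash as cheques and once with the correct mapping, so the effect of the defect on the alert output is visible.

```python
"""Profile-based ongoing monitoring over a constructed transaction feed.

Added example, not code from the article or from any bank named in it.
All customer ids, channel codes, amounts and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    customer_id: str
    expected_monthly_cash: float   # cash turnover the customer stated at onboarding


@dataclass(frozen=True)
class RawTransaction:
    customer_id: str
    month: str          # "YYYY-MM"
    amount: float
    channel_code: str   # raw instrument code as delivered by the core banking feed


# Two decodings of the same feed. BUGGY_MAPPING reproduces the kind of defect
# the article describes: the cash code is decoded as "cheque", so cash never
# reaches the cash-based profile check. CORRECT_MAPPING decodes it as cash.
CORRECT_MAPPING = {"CSH": "cash", "CHQ": "cheque", "TRF": "transfer"}
BUGGY_MAPPING = {"CSH": "cheque", "CHQ": "cheque", "TRF": "transfer"}

# Constructed onboarding profiles: C-002 declared no cash business at all.
PROFILES = [Profile("C-001", 2000.0), Profile("C-002", 0.0)]

# Constructed feed: C-001 behaves as expected, C-002 deposits large cash sums.
TRANSACTIONS = [
    RawTransaction("C-001", "2024-01", 1500.0, "CSH"),
    RawTransaction("C-001", "2024-01", 4000.0, "TRF"),
    RawTransaction("C-002", "2024-01", 25000.0, "CSH"),
    RawTransaction("C-002", "2024-01", 30000.0, "CSH"),
    RawTransaction("C-002", "2024-02", 1200.0, "CHQ"),
    RawTransaction("C-002", "2024-02", 60000.0, "CSH"),
]


def unmapped_codes(transactions, mapping):
    """Control on the decoding step: raw codes the mapping does not know about.
    A non-empty result means part of the feed is invisible to every rule."""
    return sorted({t.channel_code for t in transactions if t.channel_code not in mapping})


def monthly_cash(transactions, mapping):
    """Sum of amounts decoded as cash, keyed by (customer_id, month)."""
    totals = defaultdict(float)
    for t in transactions:
        if mapping.get(t.channel_code) == "cash":
            totals[(t.customer_id, t.month)] += t.amount
    return dict(totals)


def cash_alerts(profiles, transactions, mapping, tolerance=3.0):
    """Return (customer_id, month, observed_cash, expected_cash) for each month
    in which decoded cash exceeds `tolerance` times the onboarding expectation.
    A stated expectation of zero means any cash at all raises an alert.
    Customers without a profile are skipped: that is a CDD record gap to be
    handled separately, not something this rule should silently score."""
    expected = {p.customer_id: p.expected_monthly_cash for p in profiles}
    alerts = []
    for (cid, month), observed in sorted(monthly_cash(transactions, mapping).items()):
        exp = expected.get(cid)
        if exp is None:
            continue
        if observed > exp * tolerance:
            alerts.append((cid, month, observed, exp))
    return alerts


if __name__ == "__main__":
    for label, mapping in (("buggy", BUGGY_MAPPING), ("correct", CORRECT_MAPPING)):
        print(f"{label} mapping, unmapped codes: {unmapped_codes(TRANSACTIONS, mapping)}")
        for alert in cash_alerts(PROFILES, TRANSACTIONS, mapping):
            print(f"  ALERT {alert}")
        if not cash_alerts(PROFILES, TRANSACTIONS, mapping):
            print("  no alerts")
```

With the buggy mapping the rule produces no alerts at all, even though the feed contains £115,000 of cash from a customer who declared none, because the rule never sees any transaction labelled "cash". With the correct mapping both months for C-002 are flagged. The design point is that a profile comparison is only as good as the decoding in front of it, which is why the example keeps a separate control (`unmapped_codes`) on the decoding step rather than trusting the rule's silence.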
Quiz: What enforcement outcome followed Danske Bank’s CDD failure?
The Danske Bank case involved large unchecked flows from non-residents. What penalty did the bank face?
A) The bank received only a warning letter from the Estonian regulator.
B) It was ordered to exit all EU markets permanently.
C) It was required to implement CDD measures going forward, but not fined.
D) It was fined nearly $2 billion and pleaded guilty to fraud in the US.
Conclusion
Customer due diligence is a fundamental obligation for any institution subject to AML/CFT laws. Across the jurisdictions, the core requirements of CDD are comparable and rooted in global standards:
- knowing your customer’s identity,
- understanding their beneficial owners and business purpose,
- and keeping an eye on their transactions.
These measures protect the financial system by making it harder for illicit money to flow undetected. Both clients and compliance professionals should appreciate that CDD is not a one-time box-ticking exercise, but an ongoing, dynamic process. The numerous enforcement cases in recent years carry a clear message: failure to conduct adequate CDD leads to legal penalties and business consequences, whereas a strong due diligence program is not only a legal requirement but also good business practice for managing risk and maintaining trust in an institution.

Smarter AML and sanctions screening by dilisense
At dilisense, we simplify compliance so you can focus on growth. Our powerful AML and sanctions screening tools help financial institutions, insurers, and gambling operators detect risks early, stay ahead of regulations, and protect their reputations. With real-time data, smart automation, and seamless integration, our platform streamlines customer due diligence, ongoing monitoring, and reporting. Whether you're onboarding clients or managing complex risk profiles, dilisense ensures compliance is fast, secure, and effortless. Join the growing number of businesses across Europe that trust us to keep them confident in an ever-evolving regulatory landscape.
References
1 Financial Action Task Force (FATF) - Recommendation. https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf. Accessed May 31, 2025.
2 European Union - Directive (EU) 2015/849 (4th AMLD). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L0849. Accessed May 31, 2025.
3 European Union - Directive (EU) 2018/843 (5th AMLD). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L0843. Accessed May 31, 2025.
4 European Union - Directive (EU) 2024/1640 (6th AMLD). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401640. Accessed May 31, 2025.
5 European Banking Authority (EBA) - Guidelines EBA/2021/02 on customer due diligence. https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2023/EBA-GL-2023-03/1061654/Guidelines%20ML%20TF%20Risk%20Factors_conslidated.pdf.pdf. Accessed May 31, 2025.
6 United Kingdom - Money Laundering Regulations 2017. https://www.legislation.gov.uk/uksi/2017/692/part/3/chapter/1. Accessed May 31, 2025.
7 Financial Conduct Authority - Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG). https://www.handbook.fca.org.uk/handbook/FCG.pdf. Accessed May 31, 2025.
8 Scandal at Danske Bank: A striking saga of lousy governance. https://www.thecorporategovernanceinstitute.com/insights/news-analysis/scandal-at-danske-a-striking-saga-of-lousy-governance. Accessed May 31, 2025.
9 Danske Bank Pleads Guilty to Fraud on U.S. Banks in Multi-Billion Dollar Scheme to Access the U.S. Financial System. https://www.justice.gov/archives/opa/pr/danske-bank-pleads-guilty-fraud-us-banks-multi-billion-dollar-scheme-access-us-financial. Accessed May 31, 2025.
10 NatWest fined £264.8 million for anti-money laundering failures. https://www.fca.org.uk/news/press-releases/natwest-fined-264.8million-anti-money-laundering-failures. Accessed May 31, 2025.