Customer due diligence sits at the heart of modern financial compliance. For banks, wealth managers and regulated firms, understanding how to verify customers and assess their risks is no longer optional. Diligence matters: robust customer due diligence is essential for ensuring regulatory compliance, verifying customer identities, and preventing fraud, which ultimately protects financial institutions and supports law enforcement efforts. This guide breaks down the customer due diligence process, explains why it matters, and shows how technology can transform your compliance efforts.
What is Customer Due Diligence (CDD)?
Customer due diligence (CDD) is the process used by financial institutions to identify, verify and understand customers before and during a business relationship. It forms a core pillar of anti money laundering and counter terrorist financing frameworks, working alongside Know Your Customer procedures and ongoing transaction monitoring.
- CDD focuses on financial crime risks including money laundering, sanctions evasion, tax evasion, fraud and corruption
- Global guidance from FATF and EU AML directives shapes how institutions must approach due diligence
- Modern regulations require CDD for both natural persons and legal entity customers, including identification of beneficial owners
- The process aims to mitigate risks and protect the financial system from criminal exploitation
CDD measures vary depending on the customer’s risk profile, the type of transaction, and any suspicion of illicit activity. Applying appropriate CDD measures, such as standard or enhanced due diligence, is essential for compliance and effective risk mitigation.
InvestGlass is a Swiss sovereign CRM and onboarding platform that embeds CDD steps into digital onboarding workflows for regulated firms, helping them maintain full control over sensitive client data.
Overview of the CDD Process
The customer due diligence process functions as a multi stage lifecycle that begins before customer onboarding and continues throughout the client relationship. Rather than a single check, effective CDD requires continuous engagement with customer information.
- Information collection from the customer and external sources such as company registers
- Identity verification through official documents and database lookups
- Beneficial ownership discovery for legal entities
- Risk assessment based on customer profiles and associated risk factors, including identification and evaluation of politically exposed persons (PEPs), sanctions exposure, adverse media and other indicators
- Decisioning on whether to proceed with the relationship
- Ongoing monitoring of transactions and behaviour against expected patterns
- Screening against sanctions lists, politically exposed persons databases and adverse media
- Records retention for at least five years, reflecting EU AMLD requirements and United Kingdom rules
InvestGlass can orchestrate these steps inside one platform, reducing manual re keying and improving auditability for regulatory compliance.
Types and Levels of Customer Due Diligence
A risk based approach means not all customers require the same scrutiny. Regulations allow firms to apply diligence measures proportionate to assessed risk through a tiered framework.
- Simplified due diligence applies to low risk customers such as certain regulated counterparties or low value products, subject to local regulatory requirements
- Standard due diligence is the default level, involving identity verification, documenting business purpose, establishing expected activity and basic risk profiling
- Enhanced due diligence is required for high risk customers, such as politically exposed persons, individuals with complex ownership structures, or those connected to high risk jurisdictions
- Enhanced measures typically include deeper source of funds and source of wealth checks, site visits and senior management approval
InvestGlass allows firms to configure rule based workflows so that higher risk profiles automatically trigger enhanced due diligence requirements, ensuring consistent application of the diligence rule across all customer relationships.
Why Customer Due Diligence Matters for Financial Institutions
Weak CDD exposes covered financial institutions to severe consequences that extend far beyond regulatory fines. Understanding these risks helps justify the investment in robust compliance efforts.
- Enforcement action, licence restrictions and criminal liability for facilitation of money laundering remain real threats
- Since 2010, global banks have received multi billion dollar penalties for AML and sanctions failings linked to poor CDD implementation
- Reputational damage, loss of correspondent banking relationships and increased cost of capital create secondary impacts
- Strong CDD protects customers from identity theft, account takeover and impersonation by verifying who really controls an account
- Robust CDD data enables better risk based pricing, suitability assessments and personalised portfolio management
- For European institutions, effective customer due diligence is central to meeting requirements under the EU’s 5th and 6th AML Directives and United Kingdom FCA expectations

Key Elements and Checks in the CDD Rule
The CDD rule, as used in US and international guidance, rests on four widely cited elements that require covered financial institutions to maintain comprehensive client knowledge.
Customer identification and verification involves:
- Collection of official documents such as passports or national identity cards
- Electronic ID verification and biometric checks where applicable
- Database lookups that confirm the collected details against authoritative sources as part of verifying the customer’s identity
Beneficial ownership identification requires firms to:
- Identify natural persons who ultimately own or control a legal entity
- Apply thresholds typically set at 25 percent shareholding or similar levels
- Follow requirements formalised since 2018 in the United States and mirrored by EU rules
Understanding nature and purpose means documenting:
- Why the potential customer needs the product or service
- Expected transaction volumes and frequency
- Countries and counterparties involved in typical financial transactions
- Behaviour patterns that establish a baseline for the customer’s activities, which is essential for ongoing monitoring
Ongoing monitoring requires:
- Scrutiny of transactions against established expectations
- Periodic KYC refreshes based on the customer’s risk profile
- Screening against updated sanctions and PEP lists
- Detection of unusual behaviour that may trigger an obligation to report suspicious transactions
InvestGlass can centralise these four elements within a single client file, with configurable fields, document storage and automated reminders for review dates.
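The beneficial ownership element above (identify the natural persons who ultimately own or control a legal entity, applying a threshold typically set at 25 percent) stops being a simple lookup once ownership is layered through intermediate holding companies. The following is an added example, not InvestGlass code or any regulator's prescribed method. The ownership structure is constructed, and the graph format, function names and the circular-holding check are assumptions. It computes each natural person's effective shareholding by multiplying the fractions along every holding chain and summing across chains, then applies the threshold and reports any equity that could not be traced to a person.

```python
"""Resolve effective beneficial ownership through layered holding structures.

Added example, not InvestGlass code. The ownership graph below is constructed:
each legal entity maps to a list of (holder, fraction_of_equity) pairs, and a
holder absent from the map is treated as a natural person. This computes
shareholding only; control exercised by other means (voting agreements,
board control) is not captured and still needs analyst review.
"""
from collections import defaultdict

UBO_THRESHOLD = 0.25  # 25 percent shareholding threshold cited in the guidance

# Constructed sample: "AcmeLtd" is the customer being onboarded.
SAMPLE_STRUCTURE = {
    "AcmeLtd": [("HoldCoA", 0.60), ("Alice", 0.30), ("Bob", 0.10)],
    "HoldCoA": [("HoldCoB", 0.50), ("Carol", 0.50)],
    "HoldCoB": [("Dave", 0.80), ("Erin", 0.20)],
}


def effective_ownership(structure, entity, _path=frozenset()):
    """Return {natural_person: effective fraction of `entity`}.

    Walks the holding chain depth first, multiplying fractions along each
    path and summing over all paths. A circular holding (A owns B owns A)
    raises instead of looping, so bad register data fails loudly.
    """
    if entity in _path:
        raise ValueError(f"circular ownership involving {entity}")
    totals = defaultdict(float)
    for holder, fraction in structure.get(entity, []):
        if holder in structure:  # intermediate legal entity: recurse
            sub = effective_ownership(structure, holder, _path | {entity})
            for person, share in sub.items():
                totals[person] += fraction * share
        else:  # natural person (leaf node)
            totals[holder] += fraction
    return dict(totals)


def beneficial_owners(structure, entity, threshold=UBO_THRESHOLD):
    """Natural persons at or above the threshold, plus the share of equity
    that could not be traced to any natural person (a gap to follow up)."""
    shares = effective_ownership(structure, entity)
    owners = {p: round(s, 4) for p, s in shares.items() if s >= threshold}
    untraced = round(1.0 - sum(shares.values()), 4)
    return {"owners": owners, "untraced": untraced}


if __name__ == "__main__":
    for person, share in sorted(effective_ownership(SAMPLE_STRUCTURE, "AcmeLtd").items()):
        print(f"{person:6s} {share:.2%}")
    print(beneficial_owners(SAMPLE_STRUCTURE, "AcmeLtd"))
```

In the constructed sample Dave holds 80 percent of HoldCoB yet only 24 percent of AcmeLtd on an effective basis, so a threshold test alone would miss him; this is why the rule speaks of persons who "own or control", and why a firm's procedure should ask about control as well as shareholding.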
Customer Identity
Customer identity forms the foundation of the customer due diligence process for financial institutions. Verifying a customer’s identity is essential not only for regulatory compliance but also for assessing the risks associated with each business relationship. The identity verification process typically involves collecting key information such as the customer’s name, address, date of birth, and official identification documents. For legal entity customers, financial institutions must go further by identifying and verifying the beneficial owners, as mandated by the Financial Crimes Enforcement Network’s CDD rule. This ensures that the individuals who ultimately control or benefit from the entity are known and assessed.
Once collected, this customer information is used to build a comprehensive customer profile, which is central to determining the customer’s risk profile and the appropriate level of due diligence. Ongoing monitoring of customer identities is equally important, as it allows institutions to detect changes that may affect the customer’s risk status. Regular updates and reviews help ensure that customer data remains accurate and that any shifts in ownership or control are promptly identified. By embedding robust identity verification and continuous monitoring into the CDD process, financial institutions can better manage risk and maintain the integrity of their customer due diligence efforts.
Risk Based Customer Due Diligence
The risk based approach recommended by FATF, EU AMLDs and United Kingdom regulators directs resources where potential risks are highest, rather than applying uniform checks to all customer profiles. The factors that drive a customer’s risk assessment typically include:
- Customer type: individual, corporation, trust or high net worth client
- Product type: standard accounts versus complex investment products
- Delivery channel: branch based, digital onboarding or third party introduced
- Geographic exposure: jurisdictions with elevated financial crime risks
- Transactional behaviour: expected versus actual patterns
- Ownership complexity: simple versus layered beneficial ownership structures
Firms commonly categorise customers into low, medium and high risk bands that dictate onboarding scrutiny, approval levels and the frequency and intensity of monitoring. Features such as cross border private banking, cash intensive businesses or links to high risk jurisdictions typically trigger enhanced due diligence automatically.
InvestGlass embeds risk scoring models that automatically calculate scores from data points and update risk ratings as new information arrives, while documenting the methodology for supervisors and auditors to review.
Ongoing CDD, Monitoring and Perpetual KYC
CDD is not a one off exercise at onboarding but a continuous monitoring process for the entire duration of the client relationship. Ongoing customer due diligence ensures that customer information remains current and risk assessments stay accurate.
- Automatic re screening for sanctions and PEPs using updated government lists
- Periodic KYC reviews scheduled on a risk basis, with high risk customers reviewed more frequently
- Transaction monitoring matched to expected activity patterns
- Continuous monitoring for changes that alter the customer risk assessment
The concept of perpetual KYC represents a shift from calendar based review cycles to dynamic updates whenever new information surfaces. Triggers for event driven reviews include:
- Change of address or new authorised signatories
- Unusual transaction patterns inconsistent with the customer’s risk profile
- Adverse media hits or negative news coverage
- Changes in beneficial ownership structure
InvestGlass automates alerts, tasks and workflow escalations when thresholds are breached, supporting timely investigation and effective customer management throughout ongoing CDD cycles.
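The risk based section above describes scoring customers on factors such as customer type, product, channel, geography and ownership complexity, placing them in low, medium and high bands, and forcing enhanced due diligence for certain features; the perpetual KYC passage then ties review frequency to the band and lists events that should trigger a review early. The following is an added example covering both, not InvestGlass's scoring model or workflow engine. Factor weights, band limits, review intervals, override features and event names are constructed assumptions; a production model is calibrated by the firm and its methodology documented for supervisors.

```python
"""Risk based CDD scoring, review cadence and event driven re-review.

Added example, not InvestGlass code. All weights, limits, intervals and
trigger names below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# One weight table per risk factor named in the risk based section (assumed values).
FACTOR_WEIGHTS = {
    "customer_type": {"individual": 1, "corporation": 2, "trust": 3, "high_net_worth": 2},
    "product_type": {"standard_account": 1, "complex_investment": 3},
    "delivery_channel": {"branch": 1, "digital": 2, "third_party_introduced": 3},
    "geography": {"low": 0, "medium": 2, "high": 4},
    "ownership_complexity": {"simple": 0, "layered": 3},
}
# Features that force enhanced due diligence regardless of the numeric score.
EDD_OVERRIDES = {"pep", "cross_border_private_banking", "cash_intensive",
                 "high_risk_jurisdiction"}
BAND_LIMITS = [(5, "low"), (9, "medium")]  # score <= 5 low, <= 9 medium, else high
REVIEW_INTERVAL_DAYS = {"low": 3 * 365, "medium": 2 * 365, "high": 365}
# Perpetual KYC: events that force a review before the periodic date.
EVENT_TRIGGERS = {"address_change", "new_signatory", "unusual_transactions",
                  "adverse_media", "ubo_change"}
ASSESSED_ON = date(2024, 1, 15)  # constructed assessment date for the samples


@dataclass
class Customer:
    name: str
    factors: dict                 # factor name -> value, one per FACTOR_WEIGHTS key
    flags: set = field(default_factory=set)


def risk_score(customer):
    """Sum the factor weights; a missing or unknown value raises so scoring fails closed."""
    score = 0
    for factor, table in FACTOR_WEIGHTS.items():
        value = customer.factors.get(factor)
        if value not in table:
            raise ValueError(f"{customer.name}: no weight for {factor}={value!r}")
        score += table[value]
    return score


def risk_band(customer):
    """Map the score to low/medium/high; any EDD override feature forces high."""
    if customer.flags & EDD_OVERRIDES:
        return "high"
    score = risk_score(customer)
    for limit, band in BAND_LIMITS:
        if score <= limit:
            return band
    return "high"


def assess(customer, assessed_on):
    """Produce the assessment record that would be stored on the client file."""
    band = risk_band(customer)
    return {
        "score": risk_score(customer),
        "band": band,
        "edd_required": band == "high",
        "edd_reasons": sorted(customer.flags & EDD_OVERRIDES),
        "next_review": assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS[band]),
    }


def review_due(assessment, today, events=()):
    """Return (due, reason); a recognised event trigger wins over the calendar."""
    triggered = sorted(set(events) & EVENT_TRIGGERS)
    if triggered:
        return True, "event:" + ",".join(triggered)
    if today >= assessment["next_review"]:
        return True, "periodic"
    return False, ""


# Constructed sample customers.
RETAIL = Customer("retail individual", {
    "customer_type": "individual", "product_type": "standard_account",
    "delivery_channel": "branch", "geography": "low", "ownership_complexity": "simple"})
PEP_INDIVIDUAL = Customer("pep individual", dict(RETAIL.factors), flags={"pep"})
LAYERED_CORP = Customer("layered corporation", {
    "customer_type": "corporation", "product_type": "complex_investment",
    "delivery_channel": "third_party_introduced", "geography": "high",
    "ownership_complexity": "layered"})

if __name__ == "__main__":
    for c in (RETAIL, PEP_INDIVIDUAL, LAYERED_CORP):
        a = assess(c, ASSESSED_ON)
        print(c.name, a["band"], a["score"], a["edd_reasons"], a["next_review"])
    print(review_due(assess(RETAIL, ASSESSED_ON), ASSESSED_ON, events=["adverse_media"]))
```

Two design choices matter for auditability: scoring fails closed on an unknown factor value instead of silently scoring it as zero, and an override feature such as PEP status forces the high band even when the numeric score is low, so the client file records both the score and the reason enhanced measures were applied.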
Suspicious Activity
Detecting and reporting suspicious activity is a critical responsibility for financial institutions within the customer due diligence process. As part of their diligence process, institutions must monitor customer transactions for signs of financial crime, such as money laundering or terrorist financing. When suspicious activity is identified, financial institutions are required to file a Suspicious Activity Report (SAR) with the relevant Financial Intelligence Unit, in accordance with the Bank Secrecy Act. These reports must be submitted promptly, typically within 30 days of detecting the suspicious activity, and must include detailed information about the transaction and any actions taken.
Maintaining thorough records of all suspicious activity is essential for regulatory compliance and for supporting subsequent investigations. Effective suspicious activity reporting not only helps prevent financial crime but also demonstrates a financial institution’s commitment to robust due diligence and regulatory standards. By integrating suspicious activity monitoring into the customer due diligence process, institutions can better protect themselves and the wider financial system from illicit activity, while fulfilling their obligations under anti-money laundering regulations.
Technology and Automation in Customer Due Diligence
Manual CDD using spreadsheets and email is slow, error prone and difficult to audit, especially for cross border financial institutions managing thousands of customer relationships. Modern RegTech platforms address these problems with:
- Automated identity verification through APIs connecting to trusted identity providers
- Beneficial ownership discovery using company register lookups
- Sanctions and PEP screening with results stored centrally
- Adverse media searches using news and database aggregation services
- AI enabled tools that classify documents, extract data, detect anomalies and prioritise alerts to reduce false positives
InvestGlass is a Swiss sovereign CRM and onboarding suite that integrates digital onboarding forms, document capture, electronic signatures, KYC questionnaires, automated risk scoring and workflow automation inside a single environment.
Deployment in Swiss data centres or on premise gives institutions full control over where CDD data is stored and processed, offering a sovereign alternative to American or Chinese platforms for organisations that want to protect client data sovereignty.

Global Regulatory Context for CDD
Customer due diligence requirements are shaped by international standards and local regulations. FATF functions as the global standard setter, with national frameworks implementing its recommendations.
- United States: Bank Secrecy Act and FinCEN rules, including the FinCEN customer due diligence rule effective May 2018 that formalised beneficial ownership checks
- European Union: 4th, 5th and 6th Anti Money Laundering Directives establishing comprehensive AML compliance requirements
- United Kingdom: Money Laundering Regulations supervised by the FCA and other bodies
- Switzerland: Local AML legislation and FINMA circulars
Although terminology differs across jurisdictions, most regimes converge around identity verification, beneficial ownership identification, risk assessment and ongoing monitoring. Financial Crimes Enforcement Network guidance in the United States aligns closely with EU approaches, creating a consistent global framework.
Swiss institutions benefit from a Swiss hosted solution like InvestGlass that aligns with both domestic regulatory requirements and cross border expectations.
Bank Secrecy Act Compliance
Compliance with the Bank Secrecy Act (BSA) is a fundamental requirement for financial institutions operating in the United States and for those with cross-border activities. The BSA mandates that financial institutions implement effective customer due diligence processes, including a risk-based approach to identifying and verifying customer identities, understanding the nature and purpose of customer relationships, and conducting ongoing monitoring to detect and report suspicious activity. This approach is designed to prevent financial crime, such as money laundering and terrorist financing, by ensuring that institutions have a clear understanding of their customers and their financial activities.
Financial institutions must maintain accurate and complete records of customer information, including identification documents and transaction histories, to support regulatory compliance and assist law enforcement when necessary. Failure to comply with the BSA can result in significant regulatory fines, reputational damage, and increased scrutiny from regulators. By embedding BSA requirements into their due diligence processes, financial institutions can strengthen their defences against financial crime, ensure effective customer management, and safeguard their reputation in an increasingly regulated environment.
Customer Due Diligence Costs and Operational Challenges
AML compliance, including CDD, typically costs financial institutions millions of dollars or euros annually. Understanding these costs helps organisations make informed decisions about technology investment. Common operational cost drivers include:
- Onboarding delays when documents are incomplete or require resubmission
- Investigation of false positives from sanctions screening that consume compliance team resources
- Repeated outreach to clients requesting missing customer information
- Staff fatigue, inconsistent decision making and difficulties creating complete audit trails
Non compliance creates far higher costs through regulatory fines, remediation programmes required by supervisors and business restrictions. Automation and integrated platforms like InvestGlass can lower per client onboarding cost, shorten time to revenue and improve evidence gathering for regulators, helping firms assist law enforcement when required.
Why Sovereign Data Control Matters in CDD
CDD files contain highly sensitive information extending beyond basic identity details. They include copies of identity documents, beneficial ownership structures, financial history and sometimes source of wealth narratives that reveal intimate details about customers and their business relationships.
- Growing concern among European banks, wealth managers and public institutions about storing this data on American or Chinese infrastructure
- Extraterritorial access risks create uncertainty about data protection
- Swiss hosting and on premise deployment allow organisations to maintain strict control over data residency, encryption and lawful access
- Alignment with EU and Swiss privacy expectations provides regulatory comfort
InvestGlass positions itself explicitly as a European and Swiss sovereign alternative to large American or Chinese CRM and onboarding platforms. For politically sensitive clients, public sector bodies and family offices, the assurance that CDD data never leaves trusted jurisdictions can be a decisive factor in platform selection, protecting the sovereignty of client data.
How InvestGlass Supports Customer Due Diligence
InvestGlass combines CRM, digital onboarding, portfolio management and compliance workflows to support the full CDD lifecycle in one platform. This integrated approach addresses the challenges outlined throughout this guide.
- Configurable onboarding forms tailored to customer type and diligence requirements
- ID document upload with automated processing and verification
- Electronic signatures for consent and authorisation
- KYC questionnaires customised to risk level
- Automated risk scoring based on configurable rules
- Reminders for periodic reviews and ongoing customer due diligence activities
- Integration with external screening providers for sanctions, PEPs and adverse media
- Approval workflows, task assignment, case notes and complete audit trails
Compliance teams can design workflows that reflect their specific diligence process requirements while maintaining evidence for regulators. Hosting in Switzerland or on premise gives institutions a sovereign, non American and non Chinese option for safeguarding sensitive CDD data.

Effective customer due diligence protects financial institutions from regulatory penalties while building client trust and enabling better business decisions. If your organisation is seeking to modernise CDD processes while preserving full data control, explore how InvestGlass can support your compliance journey. Contact the InvestGlass team to learn how a sovereign platform can transform your approach to customer due diligence.