Customer Due Diligence Checklist Template

CDD Programme Governance & Setup

A CDD programme is only as reliable as the governance framework behind it. Regulators assess not just individual customer files but the robustness of the programme that produced them.

• Confirm a documented CDD/AML policy exists — approved by senior management or the board; current, version-controlled, and reviewed at least annually
• Confirm a named Money Laundering Reporting Officer (MLRO) or equivalent compliance officer is appointed — with documented authority and responsibilities
• Confirm the risk appetite statement is documented — which customer types, geographies, and business activities are within and outside the organisation’s risk tolerance
• Confirm a risk-based approach (RBA) framework is in place — defining the criteria for SDD, standard CDD, and EDD for different customer categories
• Confirm the CDD process is documented as a standard operating procedure — all staff involved in onboarding or compliance follow the same defined process
• Confirm staff training on CDD and AML obligations is current — all relevant staff have received training appropriate to their role; training records are maintained
• Confirm the technology stack for CDD is adequate — identity verification, sanctions screening, PEP screening, and adverse media tools are in place and current
• Confirm record retention procedures are in place — CDD records must typically be retained for five years from the end of the business relationship (or longer as required by applicable regulations)
• Confirm the MLRO has direct access to all CDD records — and that the SAR reporting process is documented and understood
• Confirm the CDD programme has been reviewed by internal audit or an independent third party within the required period

Customer Identification Programme

• Confirm the customer is identified before establishing the business relationship or conducting a transaction — CDD must be completed before or concurrent with customer onboarding
• Collect the required identifying information for individual customers — full legal name, date of birth, address, and taxpayer identification number or national identifier as required by jurisdiction
• Collect the required identifying information for corporate customers — full legal entity name, registered address, company registration number, jurisdiction of incorporation, and nature of business
• Collect the required identifying information for beneficial owners — individuals who own or control 25% or more of a corporate entity (or lower thresholds as required by jurisdiction)
• Identify the authorised signatories or control persons for corporate accounts — individuals with authority to act on behalf of the entity
• Confirm all collected information is accurate and current — do not proceed with onboarding on the basis of incomplete or unverified information
• Confirm the purpose and intended nature of the business relationship is understood and documented
• Document the source of funds and source of wealth where required — applicable to EDD customers and as required by risk assessment
• Confirm all CIP information is recorded and stored securely in the customer file
• Note the date of initial CIP completion — for ongoing monitoring and periodic review purposes

Identity Verification

• Verify the identity of individual customers — using government-issued photo identification (passport, national ID card, or driving licence); confirm document is current and not expired
• Verify the address of individual customers — utility bill, bank statement, or official government correspondence dated within three months
• Confirm the verification method used — in-person original document review, certified copy, electronic identity verification (eIDV), or other approved method; document the method and outcome
• For corporate customers — verify incorporation documents, certificate of good standing, and registered company information against the relevant companies register
• Verify the identity of all beneficial owners — apply the same identity verification standard as for individual customers
• For complex corporate structures — map the full ownership chain to the ultimate beneficial owner(s); do not accept nominee owners without identifying and verifying the underlying principals
• Document any verification failures — where identity cannot be verified to the required standard, the business relationship must not proceed
• Record verification documents used — document type, issuing authority, document reference, expiry date, and verification method
• Apply enhanced verification where required — remote onboarding, cross-border customers, and high-risk customer categories may require additional verification steps
• Confirm verification is complete and recorded before any services are provided

Customer Risk Classification

Risk classification determines the depth of due diligence required. Misclassification in either direction creates regulatory exposure — classifying a high-risk customer as standard is a compliance failure; over-burdening all customers with EDD is operationally unsustainable.

• Apply the organisation’s risk-based approach framework to the customer — assess risk across all applicable risk factors
• Assess country or geographic risk — customer’s country of residence, country of incorporation, and jurisdictions where business is conducted; reference the FATF grey and black lists, and any internal or regulatory high-risk country list
• Assess customer type and sector risk — certain customer types (cash-intensive businesses, precious metals dealers, crypto businesses, charities) carry elevated inherent risk
• Assess product and service risk — which products or services is the customer using? Higher-risk products (cross-border wire transfers, correspondent banking) increase the overall risk rating
• Assess delivery channel risk — non-face-to-face onboarding carries higher inherent risk than in-person
• Assess PEP status — is the customer or any beneficial owner a Politically Exposed Person? PEPs are automatically classified as high-risk requiring EDD
• Assess transaction risk — expected transaction volumes, values, and patterns; document the expected pattern of activity against which future transactions will be monitored
• Apply the overall risk classification — Low (SDD applicable), Standard (CDD), or High (EDD required); document the rationale for the classification
• Obtain approval for the risk classification at the appropriate level — high-risk classifications typically require senior management or MLRO approval
• Record the risk classification, rationale, approver, and date in the customer file

PEP, Sanctions & Adverse Media Screening

• Screen the customer against all applicable sanctions lists — OFAC SDN List (US), EU Consolidated List, UN Security Council List, HM Treasury list (UK), and any other applicable lists
• Screen all beneficial owners and authorised signatories against sanctions lists
• Screen the customer and beneficial owners against PEP databases — current and former political office holders and their close associates and family members
• Screen the customer against adverse media sources — negative news coverage indicating involvement in financial crime, fraud, corruption, sanctions violations, or other illicit activity
• Document all screening results — including negative results (clear screens) with the date and lists/databases screened
• Assess any potential matches — a screening match requires careful assessment; not all name matches represent the same individual; document the assessment and rationale
• Escalate confirmed matches immediately — a confirmed sanctions match requires immediate escalation to the MLRO and legal counsel; the business relationship must not proceed
• Apply EDD automatically for confirmed PEPs — regardless of other risk factors; obtain senior management approval before establishing the relationship
• Confirm rescreening frequency is defined — sanctions and PEP lists change; periodic rescreening of the customer base is required
• Document the screening process completion — date, databases used, results, and any assessment decisions

Enhanced Due Diligence for High-Risk Customers

EDD is mandatory — not discretionary — for high-risk customers including PEPs, customers from high-risk jurisdictions, and correspondent banking relationships. The additional scrutiny applied must be proportionate to the risk level identified.

• Confirm EDD trigger — document which risk factor(s) triggered the EDD requirement (PEP status, high-risk country, high-risk sector, large or unusual transaction pattern, etc.)
• Collect additional identification information beyond standard CDD — additional documents, references, or information as required by the risk profile
• Conduct source of wealth verification — how has the customer accumulated their wealth? Obtain documentary evidence where possible
• Conduct source of funds verification — confirm the origin of specific funds in the business relationship; obtain supporting documentation
• Conduct deeper adverse media research — beyond automated screening; review all publicly available information about the customer, their associates, and their business activities
• Obtain senior management approval for the relationship — EDD customers require MLRO or senior management sign-off before onboarding proceeds
• Define enhanced monitoring requirements — what additional monitoring will be applied to this customer on an ongoing basis?
• Define the review frequency — EDD customers require more frequent periodic review than standard CDD customers
• Document all EDD findings, assessments, and decisions — the EDD file must demonstrate the depth of due diligence conducted
• Confirm EDD approval is documented with the approver’s name, date, and rationale

Ongoing Monitoring & Periodic Review

• Confirm transaction monitoring is in place — transactions are monitored against the expected activity profile established at onboarding
• Define alert thresholds and typologies — what transaction patterns will trigger a review? Confirm these are risk-appropriate and regularly reviewed
• Define the periodic review cycle for each risk tier — high-risk customers typically require annual review; standard CDD every two to three years; SDD less frequently
• Conduct periodic reviews on schedule — re-verify identity information, reassess risk classification, rescreen sanctions and PEP lists, and review actual transaction activity against the expected profile
• Identify trigger events requiring out-of-cycle review — change of control, significant transaction anomaly, adverse media alert, or information suggesting increased risk
• Confirm customer data is kept current — changes to address, directors, beneficial owners, or business activities must be captured and the risk assessment updated
• Review and update the expected activity profile periodically — customer risk profiles evolve; monitoring rules must reflect current reality
• Document all periodic reviews — date, reviewer, findings, any risk reclassification, and approval
• Confirm the review backlog is managed — all reviews are completed within the required schedule; overdue reviews are escalated
• Report the periodic review programme status to the MLRO or compliance committee at defined intervals

Suspicious Activity Reporting & Escalation

• Confirm all staff know how to recognise and report suspicious activity internally — the internal reporting process is documented and communicated
• Confirm the internal reporting process routes to the MLRO — internal SARs are reviewed by the MLRO promptly and documented
• Confirm the tipping-off prohibition is understood — staff must not alert a customer that they are the subject of a SAR or investigation
• MLRO assessment of internal reports — document the MLRO’s assessment, decision, and rationale for each internal report
• File external SARs with the relevant authority where required — FinCEN (US), NCA (UK), or applicable national FIU; confirm filing is within the required timeframe
• Document all internal and external SAR activity — date, subject, nature of suspicion, and outcome; records must be retained for the required period
• Manage consent requests where required — certain transactions require FIU consent before proceeding; confirm the process is documented
• Review SAR trends periodically — patterns in internal reports may indicate systemic CDD process failures or emerging risk areas
• Confirm the SAR process is tested through training and awareness exercises — staff must know what to do and when
• Report SAR statistics to the board or senior management as part of the regular AML compliance report