Customer Due Diligence
Before you rely on this session
This guide is for educational purposes only. It is not legal advice and is not a substitute for jurisdiction-specific professional counsel. Legislation, regulation and regulatory guidance change. Always verify current requirements with a qualified adviser in your jurisdiction before relying on this material for compliance decisions.
AML Compliance: Legislation, Regulation and Practical Implementation
Nine sessions covering the full AML framework from first principles to implementation. Written primarily with reference to the UK framework, with the equivalent position in New Zealand and Australia addressed throughout.
- Session One: Introduction and the Nature of Money Laundering
- Session Two: The Legislative Framework
- Session Three: Money Laundering Regulations
- Session Four: Customer Due Diligence
- Session Five: Sources of Guidance
- Session Six: The Risk-Based Approach and Record Keeping
- Session Seven: Reporting Suspicious Activity
- Session Eight: Staff Training
- Session Nine: Implementation Summary
Customer due diligence is where AML work stops being theoretical. It is where the legal duties under POCA and the MLR 2017 have to stand up to a real customer, a real transaction, and a real risk decision. This session explains what firms need to know, what they need to verify and what sound practice looks like in day-to-day compliance work.
KYC is often used as if it means the same thing as CDD. It does not. KYC is the broader discipline of understanding who you are dealing with and what they do. CDD is the specific set of obligations under the MLR 2017 that firms must meet when they start and maintain a business relationship. This session deals with both, but keeps the distinction clear.
What CDD is designed to achieve
CDD is designed to answer three practical questions: who is this person or entity, what are they doing with us and why, and is their activity consistent with what we know about them?
Those questions map to identity and verification, the purpose and nature of the relationship, and ongoing monitoring. Together they give a firm what it needs to assess risk, spot suspicious activity and decide when something needs to be escalated.
The framework under regulation 28 of the MLR 2017 is built around these three questions. Identification and verification, understanding the purpose and intended nature of the relationship, and ongoing monitoring are not three separate tasks to be completed once and then forgotten. They are a continuous cycle that runs for the life of the customer relationship.
Identifying and verifying individual customers
For an individual, identification means establishing the person's full name, date of birth and residential address. Verification means confirming those details against evidence from a reliable, independent source.
Government-issued photographic identity documents remain the standard: a passport, national identity card or driving licence. The document should be current, and the details should match what the customer has provided. Where you are relying on a copy rather than an original, it should be properly certified.
Address verification will usually require a separate document, such as a recent utility bill, bank statement or official correspondence. What matters is that the source is independent and recent enough to be reliable.
Practice point: digital identity checks
Electronic verification is now well established in practice and can be a reliable way to verify identity, but it is not a shortcut around the rest of CDD. A firm still needs to assess risk, understand the purpose of the relationship and keep proper records.
In February 2026, HM Treasury and the Department for Science, Innovation and Technology published approved guidance on the use of digital identities under the MLR 2017. That guidance explains how digital verification services can support compliance with regulation 28. Where a firm uses digital identity for CDD, it should check that the service is certified against the UK digital identity and attributes trust framework and appears on the digital verification services register. That helps show the source is reliable and independent.
The firm remains responsible for judging whether the level of assurance is appropriate for the risk and for meeting the record-keeping requirements in regulation 40. A service that is not certified and registered should not be treated as meeting the standard set out in the 2026 guidance.
Identifying and verifying corporate customers
Where the customer is a company or other corporate body, the CDD task is wider. Under regulation 28(3) of the MLR 2017, a firm must obtain and verify the entity's name, company or registration number, registered office and, if different, principal place of business. Unless the company is listed on a regulated market, it must also take reasonable measures to determine and verify the law to which the entity is subject, its constitution (articles of association or other governing documents), the full names of the board or equivalent management body, and the senior persons responsible for its operations.
Companies House is the primary verification source for UK-incorporated entities. Under the Economic Crime and Corporate Transparency Act 2023, identity verification became mandatory for new directors and persons with significant control from 18 November 2025, with a transition period for existing directors and PSCs. That improves confidence in the register, but it does not remove the need for firms to assess reliability in the round.
For foreign-incorporated entities, verification is harder. There is no single equivalent to Companies House across all jurisdictions, and the quality of corporate registers varies considerably. Firms need to use the best official or recognised sources available in the relevant jurisdiction and apply more scrutiny where transparency is weak.
What you need for a corporate customer
- Name of the corporate body.
- Company or registration number.
- Registered office address and, if different, principal place of business.
- The law to which the entity is subject and its constitution (articles of association or other governing documents).
- Full names of the board of directors or equivalent management body.
- Full names of the senior persons responsible for operations.
- Beneficial owners: any individual who owns or controls more than 25% of the entity.
Beneficial ownership: the 25% threshold and beyond
Identifying the beneficial owner is one of the hardest parts of CDD and one of the most important. Under the MLR 2017, a beneficial owner of a company is any individual who ultimately owns or controls, directly or indirectly, more than 25% of the shares or voting rights, or who otherwise exercises ultimate control over its management.
Where the firm has exhausted all reasonable means and still cannot identify a beneficial owner (or has doubts that the person identified is the beneficial owner), it must treat the senior person responsible for managing the entity as the beneficial owner. This is a practical fallback, not a licence to stop looking. If there are grounds to believe that the ownership structure has been designed to avoid identification, that is itself a red flag.
The 25% threshold is a starting point, not an endpoint. A firm that identifies a beneficial owner at exactly 26% but has reason to believe that person is acting on behalf of another individual has not completed its CDD simply by ticking the threshold box. The obligation is to understand the ownership and control structure, not just to identify who sits above a numerical threshold.
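The look-through described above is easier to reason about in code. The following is an added worked example, not code from the original session or from any regulator: it multiplies fractions along each chain of intermediate entities to arrive at each individual's indirect holding (a common look-through approach, not a statutory formula; treat it as an assumption and apply your own firm's policy), applies the "more than 25%" test, falls back to the senior managing official where nobody crosses the line, and flags holdings that cannot be traced to any individual as well as circular ownership. All entity and person names and percentages are constructed for illustration.

```python
"""Look-through of a layered ownership structure to the individuals behind it.

Added worked example. Assumptions (not from the session text): shares and
voting rights are treated as one percentage; indirect holdings are computed
by multiplying fractions along each chain of entities; holders prefixed
"ind:" are natural persons, "co:" are entities that are looked through.
"""
from collections import defaultdict

# Constructed structures: entity -> list of (holder, fraction of shares/votes).
STRUCTURES = {
    # Alice holds 40% directly via HoldcoA and a further 14% via HoldcoB's
    # 40% stake in HoldcoA; Carol sits at exactly 25%, which is not "more than".
    "co:TargetLtd": [("co:HoldcoA", 0.40), ("co:HoldcoB", 0.35), ("ind:Carol", 0.25)],
    "co:HoldcoA": [("ind:Alice", 1.00)],
    "co:HoldcoB": [("ind:Bob", 0.60), ("co:HoldcoA", 0.40)],
    # Five holders at 20% each: nobody exceeds the threshold.
    "co:SpreadLtd": [(f"ind:P{i}", 0.20) for i in range(1, 6)],
    # Circular cross-holding; part of the equity is never traced to a person.
    "co:LoopX": [("co:LoopY", 0.50), ("ind:Dan", 0.30)],
    "co:LoopY": [("co:LoopX", 0.50), ("ind:Dan", 0.50)],
}


def look_through(structure, entity, path=(), flags=None):
    """Return ({individual: aggregated fraction}, flags) for `entity`."""
    flags = [] if flags is None else flags
    totals = defaultdict(float)
    if entity in path:
        # Stop the recursion and record the loop rather than silently ignoring it.
        flags.append("circular ownership: " + " -> ".join(path + (entity,)))
        return totals, flags
    if entity not in structure:
        flags.append(f"no register data for {entity}")
        return totals, flags
    for holder, fraction in structure[entity]:
        if holder.startswith("ind:"):
            totals[holder] += fraction
        elif holder.startswith("co:"):
            sub, _ = look_through(structure, holder, path + (entity,), flags)
            for individual, f in sub.items():
                totals[individual] += fraction * f  # multiply along the chain
        else:
            flags.append(f"unknown holder type: {holder}")
    return totals, flags


def beneficial_owners(structure, entity, senior_managing_official, threshold=0.25):
    """Apply the 'more than threshold' test with the senior managing official fallback."""
    totals, flags = look_through(structure, entity)
    owners = {ind: round(f, 4) for ind, f in totals.items() if f > threshold}
    unattributed = round(1.0 - sum(totals.values()), 4)
    if unattributed > 0.0001:
        # Bearer shares, nominees or a broken chain usually sit behind this gap.
        flags.append(f"{unattributed:.0%} of {entity} not traced to any individual")
    if owners:
        basis = "ownership or control above threshold"
    else:
        basis = "senior managing official (fallback)"
        owners = {senior_managing_official: None}
    return {"entity": entity, "basis": basis, "owners": owners,
            "unattributed": max(unattributed, 0.0), "flags": flags}


if __name__ == "__main__":
    for name in ("co:TargetLtd", "co:SpreadLtd", "co:LoopX"):
        print(beneficial_owners(STRUCTURES, name, "ind:SeniorManager"))
```

Two points the output makes that the prose only states: Alice is a beneficial owner of TargetLtd at 54% even though no register shows her name next to it, and Carol at exactly 25% is not. The flags list is where a reviewer's attention should go; a loop or an untraced share is the structural signature of the hidden-ownership arrangements discussed next, and the fallback to the senior managing official should only be used once those flags have been run to ground.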
Hidden beneficial ownership: structures used to obscure control
Some of the highest AML risk sits in structures designed to hide beneficial ownership. If you are carrying out CDD on corporate customers, you need to recognise the common ways control is obscured.
Shell companies: a company without substantive activity, assets or operations. Shell companies can be legitimate vehicles for holding assets, but they are also commonly used to interpose layers between the beneficial owner and their assets or transactions. A chain of shell companies across multiple jurisdictions is a classic layering technique.
Front companies: a legitimate-looking business used to conceal criminal activity and give criminal proceeds the appearance of a commercial origin. The business may conduct some genuine trade, making it harder to distinguish from a bona fide enterprise.
Trusts: trusts can make ownership and control harder to trace, especially where several parties are involved or there is an overseas element. In the UK, many express trusts must be registered on the Trust Registration Service, but the registration rules are technical and continue to evolve. Firms should work from the current legislation and HMRC guidance rather than assuming registration alone answers the question of beneficial ownership.
Nominees: a nominee director or shareholder holds a position on behalf of the real controller. Companies House reforms have strengthened the requirements around nominee arrangements, but they remain a common means of obscuring true control.
Bearer instruments: bearer bonds, bearer shares and similar instruments confer ownership by physical possession rather than by registered title. Most major jurisdictions have significantly restricted or abolished bearer shares, but they remain a risk where older structures have not been updated.
Charities: cash-intensive and often operating across borders, the charity sector has been identified as a vector for both money laundering and terrorist financing. Regulatory responses include enhanced due diligence requirements for transactions with charities in high-risk jurisdictions and greater scrutiny of the source of funds.
Third-party reliance
Regulation 39 of the MLR 2017 allows a relevant person to rely on CDD carried out by a third party if the conditions are met. In many legal and financial services relationships, intermediaries are involved, and requiring every firm to repeat the full exercise from scratch would add duplication without always adding value.
To rely on a third party, the third party must itself be a relevant person under the MLR 2017 or an equivalent person subject to equivalent AML requirements in their own jurisdiction. The third party must have applied CDD measures and kept records in accordance with the Regulations. And the relevant person must be able to obtain the CDD information from the third party immediately on request.
What reliance does not do is shift legal responsibility. The firm relying on the third party remains fully responsible for the adequacy of the CDD. If the third party's work is weak, the relying firm has still failed in its own obligations. That point is often missed and regularly appears in regulatory findings.
Practice point: relying on a third party
- The third party must be a relevant person under the MLR 2017 or subject to equivalent obligations in their jurisdiction.
- The third party must have applied the required CDD measures and kept records in accordance with the Regulations.
- The firm must be able to immediately obtain the CDD information and documentation from the third party.
- The third party must consent to providing that information on request.
- The firm relying on the third party remains legally responsible for the adequacy of the CDD.
Ongoing monitoring
CDD does not end when the relationship starts. Regulation 28(11) of the MLR 2017 requires ongoing monitoring throughout the life of the business relationship. In practice, that has two parts: reviewing transactions and keeping customer information up to date.
Transaction scrutiny means reviewing transactions to ensure they are consistent with the firm's knowledge of the customer, their business and their risk profile. A transaction that is inconsistent with what the firm knows, whether in value, frequency, destination or nature, should be investigated. It may have an innocent explanation, but it must not simply be ignored.
Keeping information up to date means that CDD is not a one-time exercise. Where circumstances change, the CDD should be reviewed and updated accordingly. Trigger events for review should be built into the firm's policies and procedures rather than left to individual judgment.
Common triggers for a CDD review
- A change in the customer's ownership or control structure.
- A material change in the nature or volume of transactions.
- Intelligence or adverse media suggesting a change in the customer's risk profile.
- A change in the customer's jurisdiction of incorporation or operation to a higher-risk country.
- Identification of the customer or a connected person as a PEP or on a sanctions list.
- Notification from the customer of a significant change in their business.
- Passage of time: most firms apply periodic review cycles based on the customer's risk rating.
KYC and the risk-based approach
KYC is the practical expression of the risk-based approach. The basic obligation is to understand who your customer is and what they do. The risk-based approach tells you how far you need to go and how often you need to revisit that understanding in light of the risk the customer presents.
In practice, not all customers receive the same level of scrutiny. A long-standing customer with straightforward domestic transactions will receive a different level of CDD than a newly onboarded corporate entity with a complex ownership structure and transactions flowing through high-risk jurisdictions. The framework of standard, simplified and enhanced CDD reflects this.
The risk rating a firm assigns to a customer at onboarding is not permanent. It should be reviewed periodically and updated when circumstances change. A customer originally rated as low risk who begins transacting in ways inconsistent with their profile may need to be re-rated and additional CDD conducted. The ongoing monitoring obligation and the risk rating are connected.
The CDD checklist: practical questions for compliance teams
These questions cover the core CDD obligations under the MLR 2017 and work well as a practical review tool. They are not exhaustive. Sector guidance and your own internal policies may require more.
CDD in New Zealand and Australia
New Zealand
In New Zealand, the equivalent obligations are set out in the AML/CFT Act 2009, associated regulations and approved codes of practice. The framework broadly follows the same standard, simplified and enhanced CDD structure, with obligations matched to risk.
New Zealand reporting entities must conduct CDD before establishing a business relationship and before conducting an occasional transaction above the relevant threshold. The Act requires identity verification using reliable and independent sources, identification of beneficial owners, and ongoing monitoring. The specific verification requirements and acceptable documents are set out in the codes of practice issued by each supervisor.
The DIA, FMA and the Reserve Bank of New Zealand each publish practical guidance for their respective sectors. Firms should work from the guidance issued by their own supervisor rather than assuming the UK approach carries across unchanged, because the thresholds, documents and treatment of some customer types differ.
Australia
In Australia, customer identification and verification are governed by the AML/CTF Act 2006 and the AML/CTF Rules 2025. AUSTRAC now uses the language of customer due diligence more consistently, covering customers and beneficial owners at onboarding and on an ongoing basis.
Australia's Tranche 2 reforms have extended the regime to lawyers, accountants, real estate professionals and trust and company service providers. Existing reporting entities moved to the new framework on 31 March 2026. Newly regulated Tranche 2 entities are required to enrol with AUSTRAC by 31 March 2026 and comply with the regime from 1 July 2026.
For firms working in in-scope sectors, AUSTRAC's guidance is the practical starting point alongside the Act and Rules. The law sets the framework, but day-to-day compliance depends on applying it properly, documenting what you did and revisiting CDD when the risk changes.
Key takeaways from Session Four
- CDD is built around three questions: who is the customer, what is the purpose of the relationship, and is their activity consistent with what we know about them? All three must be addressed throughout the relationship.
- For individual customers, identification requires name, date of birth and address, verified against a reliable independent source. Digital identity services certified against the UK trust framework and appearing on the digital verification services register can satisfy the independent source requirement, but firms must still assess whether the level of assurance fits the risk.
- For corporate customers, CDD extends to the entity, its directors and senior management, and its beneficial owners. The 25% threshold is a starting point, not a ceiling. Where no beneficial owner can be identified after all reasonable means have been exhausted, the senior person responsible for managing the entity is treated as the beneficial owner.
- Structures designed to obscure beneficial ownership, including shell companies, nominees, trusts and front companies, are among the most significant money laundering risk factors. Identifying these structures is a core CDD skill.
- Third-party reliance under regulation 39 is available but does not transfer legal responsibility. The firm that relies on a third party remains fully responsible for the adequacy of the CDD.
- Ongoing monitoring is a continuous obligation, not a one-time check. Trigger events for CDD review should be built into policies and procedures. A customer's risk rating should be reviewed and updated when circumstances change.
- The KYC concept sits within the risk-based approach. The depth and frequency of CDD should be calibrated to the risk the customer presents, not applied uniformly regardless of risk.
- New Zealand and Australia have equivalent frameworks, but the legislation, guidance, thresholds and timing are different. In Australia in particular, the 2026 reform programme means firms need to work from the current AML/CTF Rules 2025 and AUSTRAC's implementation guidance.
Coming up in Session Five
Session Five examines the sources that regulated firms use to navigate their AML duties. The legislation and the MLR 2017 set out what firms must do. Guidance from FATF, the FCA, JMLSG, Joint Supervision Colleges and sector bodies helps explain how to do it and how supervisors are likely to assess it.
Understanding the hierarchy of guidance is a practical skill for compliance. Not every source carries the same weight, and knowing which ones matter most in a supervisory review makes a real difference.
Primary sources and further reading
All are publicly available.
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017): regulations 27 to 40 cover the CDD obligations in full. Available at legislation.gov.uk. Always use the consolidated version.
- HM Treasury and DSIT approved guidance on digital identities (February 2026): how certified and registered digital verification services can support compliance with the MLR 2017. Available at gov.uk.
- FCA guidance: chapter 2 covers CDD and KYC in detail, including the FCA's expectations for firms in the regulated sector. Available at fca.org.uk.
- JMLSG Guidance: chapter 5 provides comprehensive sector-specific guidance on CDD, including practical examples for different customer types. Available at jmlsg.org.uk.
- Law Society: updated guidance on CDD for law firms, including on digital identity verification and certified digital identity services. Available at lawsociety.org.uk.
- Companies House: guidance on the identity verification requirements introduced under the Economic Crime and Corporate Transparency Act 2023, including the 18 November 2025 start date for new directors and PSCs. Available at gov.uk/companies-house.
- AML/CFT Act 2009 (New Zealand): available at legislation.govt.nz. Supervisor-specific CDD guidance from DIA, FMA and the Reserve Bank is available on each supervisor's website.
- AML/CTF Act 2006 and AML/CTF Rules 2025 (Australia): available at legislation.gov.au. AUSTRAC's guidance on customer due diligence and implementation for newly regulated entities is available at austrac.gov.au.