CDD vs EDD: Know When to Dig Deeper

In the world of compliance, two acronyms you hear a lot are CDD (Customer Due Diligence) and EDD (Enhanced Due Diligence). They’re critical parts of your onboarding process and your first line of defense against financial crime. But what processes stand behind them? And when do you need one versus the other? Let’s break it down.

April 16, 2025

What is Customer Due Diligence (CDD)?

Think of CDD as the baseline for onboarding any new customer: individual or business. It’s the standard process that involves:

  • Collecting key information (e.g., name, address, company details)
  • Verifying identity through documents or data sources
  • Assessing customer risk based on the information provided
  • Monitoring transactions going forward for anything suspicious

Let’s say your company onboards small businesses. The CDD process starts with the onboarding questions, which help you collect initial data and perform a preliminary risk assessment. Based on your internal criteria, you might request documents such as company registration certificates, IDs for directors and UBOs (Ultimate Beneficial Owners), and basic details about business operations.

Once the information is verified, you assign a definitive risk score. If the customer is classified as low or medium risk, standard CDD is usually sufficient. For higher-risk customers, additional steps, such as Enhanced Due Diligence (EDD), are required.

What is Enhanced Due Diligence (EDD)?

Now imagine a customer who triggers red flags: maybe they’re from a high-risk country, deal in crypto, or have complex ownership structures. That’s when Enhanced Due Diligence (EDD) comes into play. It builds on standard CDD by adding a deeper layer of investigation, such as:

  • Verifying source of funds or wealth
  • Asking for additional documentation
  • Doing more rigorous background checks
  • Reviewing ownership chains (e.g., for shell companies)

For example, a new client registers a holding company in a jurisdiction known for secrecy. Your onboarding process identifies them as high-risk. Instead of just asking for incorporation docs, you now also request shareholder details and source of wealth for the UBOs, and perform more extensive screening.

In such cases, ongoing monitoring through pKYC measures must also be adapted to the customer’s risk level. High-risk customers may require more frequent reviews, real-time alerts, or continuous data checks, ensuring that your understanding of the customer stays up to date over time.

CDD vs EDD - when to use them?

Understanding when to apply EDD isn’t just a matter of checking a box; it’s about making informed, risk-based decisions. A well-configured risk engine is key. It looks at the customer’s answers during onboarding and automatically scores their risk based on factors like jurisdiction, business activity, transaction volume, or company structure.

Based on that score, your system should automatically determine whether standard CDD is sufficient or if EDD is required. Here’s how to think about it:

Use only CDD when…

  • The customer is low to medium risk, according to your internal risk model.
  • Their jurisdiction is not high-risk (e.g., FATF non-grey-listed countries).
  • Their business activities are straightforward and don’t raise red flags.
  • The company ownership is transparent, and UBOs are easy to identify.
  • There are no hits on sanctions or adverse media lists.

Apply EDD when…

  • The customer is flagged as high-risk by your risk engine.
  • They’re based in or connected to a high-risk country or jurisdiction (e.g., offshore financial centers, countries with weak AML controls).
  • The company has a complex ownership structure - e.g., layers of holding companies or trusts.
  • You detect PEPs or there are links to sanctioned individuals/entities.
  • There are concerns about the source of funds or wealth.
  • The customer operates in a high-risk industry (e.g., crypto exchanges, gambling platforms, remittance services).

Just because a customer passed CDD once doesn’t mean they’re always low-risk. Continuous monitoring is key. Depending on their activities, you might need to reassess the risk and upgrade from CDD to EDD.

How Dotfile makes it simple

At Dotfile, we specialize in automating and simplifying this process. Here’s how we help:

  • Automated risk scoring: You define the rules, and we apply them consistently to every customer.
  • Smart triggers for EDD: No more guesswork. When a profile is high-risk, EDD flows are automatically launched.
  • Frictionless document collection: Back-and-forth with a client is deadly. Our interface guides users through exactly what they need to provide in the first instance, so you don’t have to ask for more documents later.
  • End-to-end audit trail: Every action, check, and document is stored and timestamped—so you're always audit-ready.

TL;DR

  • CDD = Basic due diligence for low- to medium-risk clients.
  • EDD = Extra checks for high-risk clients.
  • The risk engine determines which one is required.
  • Dotfile automates the entire process, helping teams stay compliant without drowning in manual work.

If you’re looking for a comprehensive solution to automate your CDD and EDD, you just found it. Book a call to see it in action.
