Customer Due Diligence Checklist by Industry Sector

Customer due diligence (CDD) is the process by which reporting entities verify the identity of their clients, assess risk, and monitor the ongoing relationship for suspicious activity. In Canada, CDD requirements are set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations, and supervised by FINTRAC. Different industries face different risk profiles, and the depth of verification required varies accordingly. This article provides a sector-by-sector CDD matrix covering the documents required, applicable due diligence levels, and review frequencies for each regulated sector.

What is customer due diligence (CDD)

Customer due diligence refers to the legal obligation for reporting entities to identify their clients, verify that identity using reliable evidence, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. The PCMLTFA and its regulations set out these requirements, while FINTRAC guidance provides sector-specific direction on implementation. The FINTRAC client identification methods guidance details the accepted approaches for verifying identity.

Three levels of due diligence

Canadian AML regulations define three tiers of customer due diligence, aligned with the risk-based approach recommended by the Financial Action Task Force (FATF):

Simplified Measures apply where the risk of money laundering or terrorist financing is demonstrably low. Simplified measures allow reporting entities to reduce the extent of verification measures in certain circumstances, but do not eliminate the requirement to identify the client.

Standard Customer Due Diligence (CDD) is the default level. It requires identifying the client and any beneficial owners, verifying identity using reliable and independent sources, understanding the purpose of the business relationship, and conducting ongoing monitoring of transactions and activity.

Enhanced Due Diligence (EDD) applies where there is a higher risk of money laundering or terrorist financing. EDD requires additional measures such as establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting more intensive ongoing monitoring. EDD is mandatory for Politically Exposed Persons (PEPs — domestic and foreign), correspondent banking relationships, and clients connected to high-risk jurisdictions.

CDD requirements by sector

The PCMLTFA defines the reporting entity categories. Each faces distinct risks that shape the scope and depth of due diligence. The table below provides a comparative matrix of requirements across Canadian regulated sectors.

For a comprehensive overview of document verification requirements, see our document verification guide.

PEP and sanctions screening

Politically Exposed Persons (PEPs)

PEP identification is a mandatory component of customer due diligence across all reporting entity categories. Under the PCMLTFA, a PEP includes both foreign and domestic politically exposed persons: heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned enterprises, and senior officials of international organisations. Family members and close associates of PEPs are also in scope.

Any business relationship with a PEP triggers EDD automatically. This includes obtaining senior management approval before establishing or continuing the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.

Unlike some jurisdictions, Canada requires EDD for both domestic and foreign PEPs, although the risk assessment for domestic PEPs may differ.

Sanctions screening

Reporting entities must screen clients against the Canadian Consolidated Autonomous Sanctions List and UN Security Council sanctions. Canada maintains its own sanctions regime under the Special Economic Measures Act (SEMA), the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law), and the United Nations Act. Screening must occur at onboarding and on an ongoing basis.

Sector-specific checklists

Financial services (banks, credit unions, MSBs)

Financial services face the most intensive CDD requirements. FINTRAC's examination activities in 2024-2025 identified client identification deficiencies as the most common finding across financial institutions.

Individual clients:

• Valid photo ID (Canadian passport, provincial driver's licence, permanent resident card)
• Proof of address dated within 3 months (utility bill, bank statement)
• Source of funds documentation (if EDD applies)
• PEP and sanctions screening
• Purpose and intended nature of business relationship questionnaire

Corporate clients:

• Certificate of incorporation (federal or provincial)
• Articles of incorporation
• Corporate annual return or Corporations Canada certificate
• Beneficial ownership declaration (25% threshold)
• Photo ID for directors and beneficial owners
• Group structure chart (complex structures)
• Proof of registered office
• PEP and sanctions screening on all beneficial owners

Real estate (brokers and agents)

Real estate brokers and agents have been reporting entities under the PCMLTFA since 2008. Property transactions remain a significant money laundering vector: Canada's National Risk Assessment identifies real estate as a high-risk sector due to the large values involved, foreign investment flows, and the use of corporate structures.

Buyer:

• Photo ID
• Proof of address
• Evidence of source of funds (mortgage pre-approval, bank statements, gift letter if applicable)
• Proof of source of wealth (if EDD applies)
• PEP and sanctions screening

Seller:

• Photo ID
• Proof of address
• Proof of ownership (provincial land title)

Legal professionals

Lawyers and notaries in Canada have distinct AML obligations. While they are reporting entities under the PCMLTFA for certain activities (real estate transactions, management of client funds, company formation, trust administration), the Federation of Law Societies of Canada has established a model rule framework for client identification and verification that applies through provincial Law Societies. Legal professional privilege considerations apply, but do not exempt firms from client identification obligations.

Legal sector checklist:

• Photo ID for the client (or authorised representative)
• Certificate of incorporation and articles (corporate clients)
• Identification of beneficial owners
• Verification that the transaction is consistent with the client profile
• PEP and sanctions screening
• Retention of records for at least 5 years after the end of the relationship
• Risk assessment documented in the client file

Accountancy

Accountants became reporting entities under the PCMLTFA and are subject to FINTRAC examination. Accountants have direct visibility into their clients' financial flows, placing them in a strong position to detect anomalous activity.

Accountancy checklist:

• Photo ID for the principal or directors
• Certificate of incorporation and articles
• Engagement letter signed by both parties
• Identification of beneficial owners
• Review of unusual transactions (international transfers, cash-intensive activity)
• PEP and sanctions screening
• Annual client file refresh

For a broader enterprise-level due diligence checklist, see our due diligence checklist for businesses.

Ongoing monitoring and review

Customer due diligence does not end at onboarding. The PCMLTFA requires ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of the relationship and keeping CDD documentation up to date.

When to re-verify

Several events should trigger a review of the client file:

• Change in ownership or control: new directors, change in beneficial ownership structure, corporate restructuring
• Unusual transaction patterns: amounts, frequency or destinations inconsistent with the known client profile
• External events: new sanctions designation, adverse media coverage, change in risk classification of the client's country of residence
• Periodic review deadline: based on risk level (semi-annual for EDD, annual for CDD, 3-5 years for simplified measures)

Automating CDD processes

Manual verification at scale is expensive and error-prone. Automated document validation enables continuous verification of identity documents, detection of tampered or fraudulent documents, and cross-referencing against official databases. For reporting entities processing hundreds of client files per month, automation reduces processing time by up to 80% while improving audit trail completeness.

Explore our pricing plans designed for different verification volumes.

For a comprehensive overview, see our document verification complete guide.

Frequently asked questions

What is the difference between KYC and customer due diligence?

KYC (Know Your Customer) is a subset of customer due diligence. KYC specifically refers to identifying and verifying a client's identity. CDD encompasses KYC but extends further: it includes understanding the nature of the business relationship, assessing risk, screening for sanctions and PEPs, and conducting ongoing monitoring throughout the relationship.

Do real estate agents need to verify both the buyer and the seller?

Yes. Under the PCMLTFA, real estate brokers and agents must conduct client identification on both parties to a property transaction. This includes verifying identity and, for the buyer, establishing the source of funds. FINTRAC guidance makes clear that identification of both parties is required.

How often should CDD records be updated?

The frequency depends on the risk level assigned to the client. For simplified-measure clients, a review every 3 to 5 years is generally acceptable. For standard CDD, an annual review is recommended practice. For EDD clients, reviews should occur at least every 6 months, with additional reviews triggered by significant events.

Are small accountancy firms subject to the same CDD requirements as banks?

Yes, the same underlying PCMLTFA requirements apply to all reporting entities. However, the risk-based approach means that the intensity and extent of measures should be proportionate to the firm's size, nature, and the risks it faces. Small firms may have simpler procedures, but they must still identify clients, verify identity, assess risk, and maintain records. FINTRAC supervises compliance for all reporting entities regardless of size.

Build a robust CDD framework for your sector

Customer due diligence is a legal requirement, not an optional extra. Non-compliance exposes firms to FINTRAC penalties, criminal prosecution, and reputational damage. But CDD does not have to be a bottleneck. By structuring your checks according to sector-specific risk profiles and automating document verification, you can maintain full compliance while keeping onboarding efficient. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a fraud detection rate of 94.8%, delivering a 67% cost reduction compared to manual CDD processes. CheckFile.ai helps reporting entities automate identity and document verification across all sectors. Contact us to discuss how our solution fits your due diligence workflows.

---

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.

---

Take action

CheckFile verifies 180,000 documents per month with 98.7% OCR accuracy. Test the platform with your own documents — results within 48h.

Request a free pilot