Customer Due Diligence Checklist by Industry Sector
Complete customer due diligence (CDD) checklist by sector: banking, real estate, legal, accounting. SDD, CDD and EDD levels with FinCEN and BSA guidance.

Customer due diligence (CDD) is the process by which regulated businesses verify the identity of their clients, assess risk, and monitor the ongoing relationship for suspicious activity. In the United States, CDD requirements are established under the Bank Secrecy Act (BSA), FinCEN's Customer Due Diligence Rule (31 CFR §1010.230), and the Customer Identification Program (CIP) provisions of the USA PATRIOT Act. Different industries face different risk profiles, and the depth of verification required varies accordingly. This article provides a sector-by-sector CDD matrix covering the documents required, applicable due diligence levels, and review frequencies for each regulated sector.
What is customer due diligence (CDD)
Customer due diligence refers to the legal obligation for covered financial institutions to identify their customers, verify that identity using reliable evidence, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. The BSA and FinCEN's CDD Final Rule set out these requirements, while the FFIEC BSA/AML Examination Manual provides detailed implementation guidance across all covered institution types.
Three levels of due diligence
AML practice, following the risk-based approach recommended by the Financial Action Task Force (FATF), commonly distinguishes three tiers of customer due diligence. US regulations do not codify these tiers by name: the BSA and FinCEN's CDD Rule require a risk-based program whose depth scales with the customer's risk profile, which in practice produces the following levels:
Simplified Due Diligence (SDD) applies where the risk of money laundering or terrorist financing is demonstrably low. SDD allows firms to reduce the extent of verification measures, but does not eliminate the requirement to identify the customer. It may apply to publicly traded companies listed on a US stock exchange, government entities, or low-value products with limited functionality. Under the BSA, the concept of reduced verification is risk-based rather than mandated by a specific SDD category.
Standard Customer Due Diligence (CDD) is the default level. Under FinCEN's 2016 CDD Rule (compliance required since May 2018), covered institutions must: (1) identify and verify the identity of the customer, (2) identify and verify the identity of the beneficial owners of legal entity customers, meaning each individual who owns 25% or more of the entity (ownership prong) plus at least one individual with significant managerial control (control prong), (3) understand the nature and purpose of the customer relationship, and (4) conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
Enhanced Due Diligence (EDD) applies where there is a higher risk of money laundering or terrorist financing. EDD requires additional measures such as establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting more intensive ongoing monitoring. EDD is mandatory under Section 312 of the USA PATRIOT Act (31 CFR §1010.610 and §1010.620) for correspondent accounts maintained for certain foreign banks and for private banking accounts of non-US persons, including senior foreign political figures. Beyond those statutory cases, the FFIEC BSA/AML Examination Manual expects institutions to apply EDD on a risk basis to higher-risk customers such as Politically Exposed Persons (PEPs), customers connected to jurisdictions identified by FinCEN or FATF as high-risk, and complex ownership structures.
| Level | Trigger | Key measures | Review frequency |
|---|---|---|---|
| Simplified (SDD) | Demonstrably low risk, publicly traded companies, government entities | Risk-based reduced verification, identity still required | Every 3-5 years |
| Standard (CDD) | Default for all business relationships | Full identification, beneficial ownership verification, document verification, ongoing monitoring | Annual to biennial |
| Enhanced (EDD) | PEPs, high-risk countries, correspondent banking, complex structures | Source of funds/wealth, senior management approval, intensive monitoring | Semi-annual or more frequent |
CDD requirements by sector
The BSA defines covered financial institutions broadly. Each faces distinct risks that shape the scope and depth of due diligence. The table below provides a comparative matrix of requirements across US-regulated sectors.
| Sector | Supervisor | Default level | Documents required | Sector-specific considerations |
|---|---|---|---|---|
| Banking and credit institutions | OCC / Fed / FDIC / NCUA / FinCEN | CDD, frequent EDD | Photo ID (US passport, driver's license, state ID), proof of address, Articles of Incorporation, beneficial ownership certification | Real-time OFAC screening, SAR filing, transaction monitoring systems |
| Insurance (covered products) | State DOI / FinCEN | CDD | Photo ID, application form, proof of address | Risk profiling of policyholder, beneficiary review, SAR filing for suspicious claims |
| Real estate (under FinCEN GTOs / Residential Real Estate Rule) | FinCEN / state regulators | CDD | Photo ID, proof of address, proof of funding, beneficial ownership disclosure | All-cash transactions, Geographic Targeting Orders, shell company identification |
| Legal professionals | State Bar Associations / ABA | CDD (voluntary AML programs) | Photo ID, proof of address, Articles of Incorporation (corporate clients) | Attorney-client privilege considerations; no federal BSA obligation but state bar ethics rules apply |
| Broker-dealers | SEC / FINRA / FinCEN | CDD | Photo ID, SSN/ITIN, proof of address, employment verification | FINRA Rule 2090 (Know Your Customer), suitability obligations |
| Money services businesses (MSBs) | FinCEN / state regulators | CDD | Photo ID, proof of address | Registration with FinCEN, state-by-state licensing, CTR filing for $10,000+ |
For a comprehensive overview of document verification requirements, see our document verification guide.
PEP and sanctions screening
Politically Exposed Persons (PEPs)
PEP identification is an expected component of customer due diligence for covered financial institutions. While the BSA does not define PEPs in the same explicit statutory terms as EU directives, FinCEN guidance and the FFIEC BSA/AML Manual direct institutions to identify and apply appropriate measures to customers who are senior foreign political figures, their family members, and close associates. Section 312 of the USA PATRIOT Act specifically requires EDD for private banking accounts maintained for non-US persons, with additional scrutiny where the account holder is a senior foreign political figure.
The August 2020 interagency statement on PEPs (Fed, FDIC, FinCEN, NCUA, OCC) made clear that there is no regulatory requirement to apply EDD to every PEP; the level of due diligence is set by the customer's risk profile. Many institutions nonetheless treat any PEP relationship as an EDD trigger. Where EDD applies, it includes obtaining senior management approval before establishing or continuing the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.
The Section 312 definition covers only foreign political figures. Domestic PEPs (US government officials) fall under the general risk-based approach, but many institutions apply enhanced scrutiny to senior government officials regardless of domestic or foreign status.
Sanctions screening
Covered institutions must screen customers against the OFAC Specially Designated Nationals (SDN) List and other OFAC sanctions programs. OFAC administers US sanctions independently from FinCEN, and compliance with OFAC sanctions is a strict liability obligation: intent is not required for a civil violation. Screening must occur at onboarding and on an ongoing basis, which in practice means re-screening the existing customer base each time OFAC updates its lists, not only when a customer transacts.
| Check | Minimum frequency | Source | Action on match |
|---|---|---|---|
| PEP screening | Onboarding + annual refresh | Commercial databases (World-Check, Dow Jones, LexisNexis) | Apply EDD, senior management approval |
| OFAC SDN list | Onboarding + ongoing (real-time recommended; re-screen on every list update) | OFAC SDN List (the separate Consolidated Sanctions List covers non-SDN programs) | Block transaction, freeze assets, file blocked property report with OFAC within 10 business days |
| Sectoral sanctions (SSI) | Onboarding + ongoing | OFAC SSI List (published within the Consolidated Sanctions List) | Restrict only the transactions prohibited by the applicable directive |
| FinCEN 311/Special Measures | As designated | FinCEN advisories and orders | Apply specified measures (enhanced recordkeeping, restrictions) |
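The screening table above says what to check but not how a match is decided. The following is an added example, not code from the article, from OFAC or from any vendor: it shows why screening cannot be an exact string comparison (aliases, "LAST, First" ordering, diacritics and corporate suffixes all defeat it) and how a normalized token-overlap score with a threshold surfaces candidates for analyst review. `SAMPLE_SDN` is a constructed list in the shape of SDN records (primary name plus AKAs), and the Jaccard score and 0.8 threshold are illustrative assumptions, not a regulatory standard. A production program loads the current OFAC data files into a tuned matching engine.

```python
"""Name screening against a sanctions list with normalization and alias handling.

Added example, not code from the article or from OFAC. SAMPLE_SDN is a
constructed list in the shape of SDN records (primary name plus AKAs); the
token-overlap (Jaccard) score and the 0.8 threshold are illustrative choices,
not a regulatory standard.
"""
import re
import unicodedata

# Constructed sample records; not real designations.
SAMPLE_SDN = [
    {"uid": "1001", "name": "EXAMPLE TRADING CO., LTD.",
     "akas": ["Example Trading Company", "EXAMPLE TRADING"], "program": "SDN"},
    {"uid": "1002", "name": "DOE, John Q.",
     "akas": ["Jon Doe", "DOE, Johnny"], "program": "SDN"},
]

# Corporate suffixes carry no identifying signal and would depress match scores.
STOPWORDS = {"co", "company", "ltd", "limited", "inc", "corp", "corporation", "llc", "the"}


def name_tokens(name: str) -> frozenset:
    """Strip diacritics, casefold, drop punctuation and corporate suffixes.
    Returning a set makes 'DOE, John' and 'John Doe' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^\w\s]", " ", no_marks).casefold()
    return frozenset(t for t in cleaned.split() if t not in STOPWORDS)


def screen(customer_name: str, sdn=SAMPLE_SDN, threshold: float = 0.8) -> list:
    """Return [(uid, score)] for every entry whose best variant (primary name
    or any AKA) reaches the threshold, strongest match first."""
    query = name_tokens(customer_name)
    hits = []
    for entry in sdn:
        best = 0.0
        for variant in [entry["name"], *entry["akas"]]:
            tokens = name_tokens(variant)
            if not query or not tokens:
                continue
            best = max(best, len(query & tokens) / len(query | tokens))  # Jaccard
        if best >= threshold:
            hits.append((entry["uid"], round(best, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    print(screen("Example Trading Company"))   # alias and suffix differences collapse to a 1.0 hit
    print(screen("Jöhn Döe"))                  # diacritics are removed, but 0.67 < 0.8: no hit
    print(screen("Jöhn Döe", threshold=0.6))   # a lower threshold surfaces it for analyst review
```

The second and third calls make the operational point: "Jöhn Döe" scores 0.67 against "DOE, John Q." because of the middle initial, so a threshold of 0.8 silently misses it. Threshold choice is a tuning decision between false negatives (a strict liability exposure) and analyst workload, and a hit should route to review rather than trigger an automatic block.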
Sector-specific checklists
Financial services (banks, credit unions, payment institutions)
Financial services face the most intensive CDD requirements. FinCEN and federal banking regulators imposed over $3 billion in BSA-related penalties in 2024, with inadequate CDD systems being the most common finding.
Individual clients:
- Valid photo ID (US passport, driver's license, state ID)
- SSN or ITIN
- Proof of address dated within 3 months (utility bill, bank statement)
- Source of funds documentation (if EDD applies)
- PEP and OFAC sanctions screening
- Purpose and intended nature of business relationship questionnaire
Entity clients:
- Articles of Incorporation or Certificate of Formation
- Operating Agreement or Bylaws
- Certificate of Good Standing from Secretary of State
- FinCEN beneficial ownership certification (each 25%+ owner plus at least one control person)
- Photo ID and SSN for all beneficial owners and control persons
- Organizational chart (complex structures)
- Proof of principal place of business
- PEP and OFAC screening on all beneficial owners and control persons
Real estate (agents, title companies, closing attorneys)
Real estate has been identified by FinCEN as a high-risk sector for money laundering. FinCEN's Geographic Targeting Orders (GTOs) require title insurance companies to identify natural persons behind legal entities making all-cash purchases in targeted metro areas. In February 2024, FinCEN proposed a nationwide reporting requirement for non-financed transfers of residential real estate to legal entities and trusts, and finalized it in August 2024 (FinCEN, Residential Real Estate Rule).
Buyer:
- Photo ID (US passport, driver's license, state ID)
- Proof of address
- Evidence of source of funds (mortgage pre-approval, bank statements, gift letter if applicable)
- Beneficial ownership disclosure for entity buyers
- PEP and OFAC sanctions screening
Seller:
- Photo ID
- Proof of address
- Proof of ownership (deed, title report)
For more on real estate document verification requirements, see our article on document verification for real estate.
Legal professionals (attorneys, law firms)
US attorneys are not currently subject to BSA obligations as covered financial institutions, but the American Bar Association's Formal Opinion 463 recommends voluntary AML programs. State bar ethics rules require attorneys to avoid facilitating client fraud, and several proposals have been made to extend BSA obligations to legal professionals. Attorneys handling real estate closings, entity formation, trust administration, and escrow accounts face the highest risk exposure.
Legal sector checklist:
- Photo ID for the client (or authorized representative)
- Articles of Incorporation and Operating Agreement (entity clients)
- Identification of beneficial owners
- Verification that the transaction is consistent with the client profile
- PEP and OFAC sanctions screening (recommended best practice)
- Retention of records for at least 5 years after the end of the relationship
- Risk assessment documented in the client file
Accounting and tax advisory
Accountants and CPAs have direct visibility into their clients' financial flows, placing them in a strong position to detect anomalous activity. CPAs are not currently designated as covered financial institutions under the BSA. FinCEN has, however, been extending BSA coverage to adjacent professions: in August 2024 it finalized a rule imposing AML program requirements on certain SEC-registered and exempt reporting investment advisers (FinCEN has since announced a delay to its effective date), and the accounting profession is widely expected to follow. The AICPA recommends voluntary AML programs for accounting firms.
Accounting checklist:
- Photo ID for the principal or officers
- Articles of Incorporation or Certificate of Formation
- Engagement letter signed by both parties
- Identification of beneficial owners
- Review of unusual transactions (international transfers, cash-intensive activity)
- PEP and OFAC sanctions screening (recommended)
- Annual client file refresh
For a broader enterprise-level due diligence checklist, see our due diligence checklist for businesses.
Ongoing monitoring and review
Customer due diligence does not end at onboarding. FinCEN's CDD Rule explicitly requires covered institutions to conduct ongoing monitoring, including understanding the nature and purpose of customer relationships to develop a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information on a risk basis.
When to re-verify
Several events should trigger a review of the client file:
- Change in ownership or control: new officers, change in beneficial ownership structure, corporate restructuring
- Unusual transaction patterns: amounts, frequency, or destinations inconsistent with the known customer profile
- External events: new OFAC designation, adverse media coverage, change in risk classification of the client's country
- Periodic review deadline: based on risk level (semi-annual for EDD, annual for CDD, 3-5 years for SDD)
- FinCEN advisory or Section 314(a) request: response to law enforcement information sharing requests
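The three due diligence levels defined earlier and the re-verification triggers listed above amount to a small decision procedure: derive the tier from the customer's risk factors (including those of its beneficial owners), take the review cadence from the tier, and bring the review forward when a trigger event lands. The following is an added example, not code from the article or from any vendor, that puts both pieces in one place. Field names, the sample jurisdiction set and the intervals are assumptions chosen to mirror the article's tables (SDD every 3-5 years, 4 used here; CDD annually; EDD semi-annually) and FinCEN's beneficial ownership test of 25%+ equity plus at least one control person.

```python
"""Assign a due diligence tier and decide when a client file must be re-verified.

Added example, not code from the original article. Field names, the sample
jurisdiction set and the review intervals are assumptions mirroring the
article's tables; HIGH_RISK_JURISDICTIONS is a constructed placeholder.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Tier(str, Enum):
    SDD = "SDD"
    CDD = "CDD"
    EDD = "EDD"


# Assumed periodic review cadence per tier, taken from the article's tables.
REVIEW_INTERVAL = {
    Tier.SDD: timedelta(days=4 * 365),
    Tier.CDD: timedelta(days=365),
    Tier.EDD: timedelta(days=182),
}

# Constructed placeholder; a real program loads the current FATF and FinCEN lists.
HIGH_RISK_JURISDICTIONS = {"KP", "IR", "MM"}

# Events from the "When to re-verify" list that force an out-of-cycle review.
TRIGGER_EVENTS = {
    "ownership_change", "unusual_activity", "sanctions_designation",
    "adverse_media", "country_risk_change", "314a_request",
}


@dataclass
class Owner:
    name: str
    ownership_pct: float             # equity percentage, 0-100
    is_control_person: bool = False  # e.g. CEO, CFO, managing member
    is_pep: bool = False
    country: str = "US"              # ISO 3166-1 alpha-2


@dataclass
class Customer:
    name: str
    country: str
    is_entity: bool
    owners: list = field(default_factory=list)
    publicly_traded_us: bool = False
    government_entity: bool = False
    foreign_correspondent_bank: bool = False
    is_pep: bool = False


def beneficial_owners(c: Customer) -> list:
    """Ownership prong (every owner at 25% or more) plus the control prong:
    if none of those owners also controls the entity, add one control person."""
    owners = [o for o in c.owners if o.ownership_pct >= 25.0]
    if not any(o.is_control_person for o in owners):
        owners += [o for o in c.owners if o.is_control_person][:1]
    return owners


def assign_tier(c: Customer) -> Tier:
    """EDD factors are checked on the customer and, for entities, on every
    identified beneficial owner; SDD applies only when no EDD factor is present."""
    subjects = [c] + (beneficial_owners(c) if c.is_entity else [])
    if (c.foreign_correspondent_bank
            or any(s.is_pep for s in subjects)
            or any(s.country in HIGH_RISK_JURISDICTIONS for s in subjects)):
        return Tier.EDD
    if c.publicly_traded_us or c.government_entity:
        return Tier.SDD
    return Tier.CDD


def next_review(c: Customer, last_review: date) -> date:
    return last_review + REVIEW_INTERVAL[assign_tier(c)]


def review_due(c: Customer, last_review: date, today: date, events: set) -> tuple:
    """Return (due, reasons): event-driven triggers first, then the periodic deadline."""
    reasons = sorted(events & TRIGGER_EVENTS)
    if today >= next_review(c, last_review):
        reasons.append("periodic_review")
    return bool(reasons), reasons


if __name__ == "__main__":
    acme = Customer("Acme Holdings LLC", "US", is_entity=True, owners=[
        Owner("A. Smith", 30.0),
        Owner("B. Jones", 30.0, is_pep=True),
        Owner("C. Lee", 10.0, is_control_person=True),
    ])
    print(assign_tier(acme), [o.name for o in beneficial_owners(acme)])
    print(review_due(acme, date(2025, 1, 1), date(2025, 3, 1), {"adverse_media"}))
```

Two details are worth noticing. The control person (10% equity) is pulled into the file even though he is below the 25% threshold, because the rule's control prong is independent of ownership; and the PEP status of a single 30% owner moves the whole entity to EDD, so screening must run on every beneficial owner, not just the entity name. The `events` set is the hook for the external feeds (sanctions updates, adverse media, 314(a) requests) that make a review due before the periodic date.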
Automating CDD processes
Manual verification at scale is expensive and error-prone. Automated document validation enables continuous verification of identity documents, detection of tampered or fraudulent documents, and cross-referencing against official databases. For regulated firms processing hundreds of client files per month, automation reduces processing time by up to 80% while improving audit trail completeness.
Explore our pricing plans designed for different verification volumes.
For a comprehensive overview, see our document verification complete guide.
Frequently asked questions
What is the difference between KYC and customer due diligence?
KYC (Know Your Customer) is a subset of customer due diligence. KYC specifically refers to identifying and verifying a customer's identity through the Customer Identification Program (CIP). CDD encompasses KYC but extends further: under FinCEN's CDD Rule, it includes identifying beneficial owners, understanding the nature of the business relationship, and conducting ongoing monitoring throughout the relationship, and in practice it is performed alongside the separate OFAC sanctions-screening obligation and PEP review. The terms are often used interchangeably, but CDD is the broader regulatory obligation.
Does a real estate agent need to verify the buyer's identity?
Under current rules, real estate agents are not covered financial institutions under the BSA, but title insurance companies in GTO-covered areas must identify the natural persons behind legal entities making all-cash purchases. FinCEN's Residential Real Estate Rule, proposed in February 2024 and finalized in August 2024, requires a designated reporting person in the closing chain (selected by a cascade that typically lands on the settlement agent or title company) to report non-financed transfers of residential property to legal entities or trusts; it is a reporting obligation rather than a full AML program requirement. As a practical matter, real estate professionals should implement CDD procedures to mitigate their own risk exposure and prepare for the anticipated regulatory expansion.
How often should CDD records be updated?
The frequency depends on the risk level assigned to the customer. For low-risk customers (SDD), a review every 3 to 5 years is generally acceptable. For standard CDD, an annual review is recommended practice and expected by examiners. For EDD customers, reviews should occur at least every 6 months, with additional reviews triggered by significant events such as OFAC designations, adverse media, or unusual transaction patterns.
Are small accounting firms subject to CDD requirements?
Currently, CPAs and accounting firms are not designated as covered financial institutions under the BSA and are not subject to mandatory CDD requirements. However, FinCEN has indicated its intent to extend BSA obligations to additional professional sectors, and the AICPA recommends that accounting firms implement voluntary AML programs. Firms that provide entity formation, trust administration, or escrow services face the highest risk and should implement CDD procedures regardless of the current regulatory status.
Build a robust CDD framework for your sector
Customer due diligence is a legal requirement for covered institutions and an essential risk management practice for all professional services firms. Non-compliance exposes firms to FinCEN enforcement actions, DOJ criminal prosecution, and reputational damage. But CDD does not have to be a bottleneck. By structuring your checks according to sector-specific risk profiles and automating document verification, you can maintain full compliance while keeping onboarding efficient. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a fraud detection rate of 94.8%, delivering a 67% cost reduction compared to manual CDD processes. CheckFile.ai helps regulated businesses automate identity and document verification across all sectors. Contact us to discuss how our solution fits your due diligence workflows.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified attorney for advice tailored to your circumstances.