Customer Due Diligence (CDD)
Last reviewed April 2026
A compliance analyst opens a case file, pulls data from six systems, checks three external databases, writes a risk assessment, and documents the decision. Four hours later, the customer is approved. Multiply that by thousands of customers and you have the operational reality of customer due diligence (CDD) in most financial institutions. The question is not whether AI can help. It is which part of this chain to automate first.
What is customer due diligence?
Customer due diligence is the process financial institutions use to assess the risk a customer poses for money laundering, terrorist financing, and other financial crime. It encompasses identity verification, understanding the nature and purpose of the business relationship, assessing the source of funds and wealth, and ongoing monitoring of the relationship. CDD is the operational backbone of anti-money laundering compliance.
Three tiers exist. Simplified due diligence applies to low-risk customers with straightforward profiles. Standard CDD applies to the majority. Enhanced due diligence applies to higher-risk customers: politically exposed persons, customers in high-risk jurisdictions, and complex corporate structures. The tier determines the depth of investigation, the frequency of review, and the seniority of the sign-off required.
The cost is substantial. Industry estimates put the average cost of onboarding a corporate customer through CDD at 1,500 to 3,000 pounds, with complex cases exceeding 10,000 pounds. Most of this cost is human time spent gathering information, cross-referencing data sources, and documenting decisions. The elapsed time, often measured in weeks for corporate customers, is a competitive disadvantage that drives prospective clients to institutions with faster processes.
The landscape
The EU's Anti-Money Laundering Authority (AMLA) will bring direct supervisory authority over the highest-risk financial institutions from 2025. The single rulebook harmonises CDD requirements across member states, reducing the regulatory fragmentation that currently forces firms to maintain jurisdiction-specific processes. For UK institutions, the divergence between UK and EU AML frameworks creates a dual compliance burden.
The FCA continues to enforce robustly. Fines for CDD failures are not limited to cases where money laundering actually occurred. Firms have been penalised for systemic weaknesses in their CDD processes: inadequate risk assessments, overdue periodic reviews, and insufficient documentation of decisions. The regulatory expectation is not perfection but demonstrable effort and a functioning risk-based approach.
Beneficial ownership transparency is improving but remains incomplete. The UK's Register of Overseas Entities and reforms to Companies House verification powers strengthen the data available for corporate CDD. However, trust structures, nominee arrangements, and multi-layered holding companies continue to obscure true ownership. The gap between what registries disclose and what CDD requires is narrowing but far from closed.
How AI changes this
Automated data aggregation is the highest-value application. Rather than an analyst manually accessing six systems and three external databases, an AI-driven workflow pulls customer data, corporate registry information, sanctions screening results, and adverse media findings into a single case view. The analyst reviews a pre-populated assessment rather than building one from scratch. This cuts the time per case from hours to minutes for standard CDD.
Risk scoring at the point of onboarding uses machine learning to classify customers by risk tier based on the information available. The model considers entity type, jurisdiction, industry, transaction patterns, and screening results to produce a risk score that determines the CDD tier. This replaces rule-based risk categorisation that tends toward over-classification. Banks that have deployed ML-based risk scoring report 20 to 30 per cent reductions in the number of customers classified as high risk, without increasing missed true positives.
Natural language processing automates the review of documentary evidence. Source-of-wealth declarations, corporate filings, and financial statements can be parsed and cross-referenced against the customer's declared profile. Inconsistencies are flagged for human review rather than requiring an analyst to read every document end to end.
Perpetual CDD replaces the periodic review cycle. Instead of reviewing every customer on a fixed schedule, AI systems monitor for material changes: new adverse media, changes in corporate structure, shifts in transaction patterns, or sanctions list updates. Reviews are triggered by events, not by calendar dates. This focuses analyst time on customers where something has actually changed, rather than re-reviewing stable relationships.
What to know before you start
Your CDD process is only as good as your data. If customer records are incomplete, outdated, or inconsistent across systems, automation will surface those problems visibly. Data remediation is a prerequisite, not a parallel workstream. Budget for it explicitly.
Regulators expect firms to understand how their risk scoring models work. A model that classifies a customer as low risk must be able to explain why. The FCA has been explicit that firms cannot delegate risk judgement entirely to a model without understanding its logic. Favour interpretable models over black-box approaches, and maintain documented model governance that covers training data, validation, and ongoing monitoring.
The transition from periodic to perpetual CDD is an operating model change, not just a technology change. Your compliance team's workflow, capacity planning, MI reporting, and audit approach all need to adapt. A perpetual CDD system generates alerts continuously rather than producing a batch of reviews each quarter. The team must be structured to handle this flow.
Start with standard CDD for retail customers, where the data is most structured and the risk assessments are most formulaic. Prove the approach, measure the time savings, and build confidence with your compliance leadership and your regulator. Corporate CDD, with its entity resolution challenges and document processing demands, is the higher-value but harder target.