A complete guide to effective customer due diligence
Last Updated: 12/18/2025
Protect your business with reliable and effective AML strategies with AML UAE.
Effective CDD: What You Need to Know?
- CDD is a crucial part of the UAE AML/CFT framework requiring entities to identify, verify, and risk-assess customers to mitigate ML/TF/PF risks.
- A risk-based approach drives CDD, determining whether simplified, standard, enhanced or ongoing due diligence measures apply across the customer lifecycle.
- Effective CDD combines KYC, screening, risk profiling, monitoring, reporting, and record-keeping to ensure continuous compliance.
- Best CDD practices reduce regulatory and reputational risk while strengthening long-term compliance resilience.
Companies are vulnerable to financial crimes and can be used as channels for facilitating or carrying out illegal activities, such as Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) of weapons of mass destruction.
Thus, it is crucial for them to undertake an AML Customer Due Diligence (CDD) process to mitigate the ML/FT and PF risks posed by customers.
CDD is an essential element of UAE’s AML/CFT regulatory framework, which assesses the ML/FT and PF risks that arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc.
CDD enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be.
Here is a complete guide to effective customer due diligence to help you fight ML/TF/PF risks. This foundational AML customer due diligence practice safeguards businesses against potential financial crime threats.
What is Customer Due Diligence?
Customer Due Diligence (CDD) is all about identifying potential customers and checking their authenticity and legitimacy through systematic CDD measures. In addition, it means cross-verification of the details provided by the customer for their legal validity and accuracy.
The meaning of CDD remains the same, but the procedures change across industries. In total, there are four aspects of CDD, namely, simplified, standard, enhanced, and ongoing.
By conducting CDD, businesses aim to mitigate the potential for financial crimes such as ML/FT and PF. Additionally, this multifaceted approach serves as a foundational element in establishing trust, credibility, and regulatory compliance within the business landscape.
UAE AML/CFT Regulations for CDD
The UAE has established robust AML laws to combat financial crimes, including ML/FT and PF. These robust regulatory frameworks include Federal Regulations, which are aligned with international standards set out by the Financial Action Task Force (FATF).
Additionally, as part of the AML/CFT legal landscape, the regulated authorities in the UAE have released various guidelines supporting the primary regulations for undertaking effective measures.
The UAE’s regulatory framework necessitates CDD AML measures for every customer. The framework governing CDD is also based on FATF recommendation No. 10, which lays down the principle of undertaking a Customer Due Diligence process. This includes disclosure of beneficial ownership and verification of identities.
Furthermore, the Ministry of Economy and Tourism’s Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to undertake CDD measures in assessing and combating risk associated with customers based on the risk-based approach taken by the entities.
Role of CDD in AML Regulatory Framework
As a crucial measure of UAE’s AML/CFT regulatory framework, regulated entities are required to undertake CDD measures, which include a thorough process of identifying and verifying customers, assessing their risk profile, and monitoring them throughout their customer lifecycle. Implementation of an effective CDD process helps reporting entities determine the different levels of risk associated with different customers and further establish the appropriate CDD AML measures for risk mitigation.
The CDD process provided under the UAE’s Regulatory Framework lays down a comprehensive framework for addressing potential ML/FT and PF threats when engaging with both new and existing customers. Therefore, CDD plays an important role in assisting reporting entities in maintaining regulatory compliance and safeguarding themselves against financial crimes.
Reporting Entities subject to CDD in the UAE
The legal framework governing AML/CFT in UAE applies to all financial institutions, banks, insurance companies, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Services Providers (VASPs). Furthermore, these DNFBPs include:
- Dealers in Precious Metals and Stones
- Real Estate Agents and Brokers
- Trust and Corporate Service Providers
- Auditors & Independent Accountants
- Lawyers, Notaries & Other Legal Professionals
Therefore, every reporting entity in UAE needs to adopt an effective AML/CFT framework in order to mitigate and manage ML/FT and PF risks.
When is CDD required?
The need to apply the CDD AML process comes into the picture when a business organisation is required to abide by AML/CFT regulations and intends to establish a business relationship with a potential customer.
Businesses often ask: what are the 4 Customer Due Diligence requirements? These core requirements are customer identification, beneficial owner verification, understanding the purpose of the business relationship, and conducting ongoing monitoring.
In line with the Customer Due Diligence Policy and Procedures, businesses try to understand the following and take adequate CDD measures:
- Why is an account being opened?
- How will it be used?
- What will be the nature of transactions?
- What will be the volume and frequency of transactions?
The business must verify the customer’s identity and assess the risk profile. Therefore, DNFBPs/FIs must carry out the Know Your Customer (KYC) procedure as part of CDD compliance procedures in the following situations.
- Customer Due Diligence becomes mandatory and simply inevitable at the time of entering a new business relationship with an individual or a legal entity. This is important in order to verify the identity of the customer.
- When undertaking the CDD process for a new customer, the customer’s risk profile is also assessed, and the applicability of enhanced due diligence is determined.
- Various occasional transactions warrant customer due diligence measures. An occasional transaction equal to or exceeding AED 55,000/- requires regulated entities to perform proper due diligence on customers.
- An occasional wire transfer for an amount equal to or exceeding AED 3,500/- requires proper performance of CDD measures.
- Business organizations that suspect the involvement of their customers or proposed customers in activities such as money laundering or financing of terrorism should impose KYC and CDD checks.
- When it is observed that the identification documents provided by potential customers are inadequate, unreliable, or suspicious, KYC and CDD measures must be undertaken.
When is CDD conducted?
Customer Due Diligence (CDD) is conducted at specific trigger points to ensure ongoing compliance and risk management. Under UAE AML/CFT regulations, the CDD process is required under the following circumstances:
- Before entering into a business relationship or
- During the course of entering into a business relationship or
- Before opening an account or
- During the course of opening an account or
- Before carrying out a transaction with a new customer
- Before entering into occasional transactions exceeding monetary thresholds
- When there is a suspicion as to ML/TF
- When the previously obtained customer identification data is not proper or adequate.
Fundamentals of Customer Due Diligence
At the initial level, CDD starts by verifying the identity of the customer and understanding the nature of its business. The entire CDD process involves certain steps and a few regulatory obligations imposed on DNFBPs under AML/CFT regulations, as follows:
1. Identification of customer
DNFBPs should first identify their customers by seeking personal information like name, date of birth, nationality, and address. This should further be backed by conclusive evidence issued by the Government in the form of a passport, ID Card, Driving License, etc. Businesses need to implement a comprehensive customer identification program (CIP) to comply with legal requirements.
2. Beneficial ownership
Customer Due Diligence measures should identify the beneficial owner of the customer or proposed transaction. This includes understanding the customer’s ownership control or the organisation’s structure.
3. Business Relationship
After verifying the customer and identifying business ownership, DNFBPs should focus on obtaining information related to the nature of the business relationship the client intends to establish.
Our timely and accurate AML consulting services
For your smooth journey towards your goals
Step-by-Step CDD Process
Understanding the following steps is essential for implementing effective CDD measures within your AML Customer Due Diligence framework.
1. KYC - Identification and Verification
The foremost step of the CDD process is identifying and verifying the identities of customers before entering into business relationships with them. This process is what we call Know-Your-Customer (KYC). KYC is a fundamental element of the CDD process.
KYC is further divided into two steps: identification and verification of the customer.
a) Identification and collection of customer information
The first step of CDD is to get the essential information from customers or potential customers. A Know Your Customer Form or KYC form can be maintained for this purpose. The information to be obtained for the purpose of AML due diligence includes the following:
- KYC for Natural Persons
Here is the list of information to be sought from the customer:
- Complete Name
- Address of the customer
- Contact numbers
- Additional/ alternative contact numbers
- Legit, accessible, and working email address
- Place of birth
- Date of birth
- Nationality
- Gender
- Government-issued identification number
- Occupation
- Signature
Along with the above, at a minimum, a copy of the ID document and proof of address are also obtained.
- KYC for Legal Entities
Here is the list of information to be sought from the customer who is a business entity:
- Name of the business entity
- Type of the business entity
- Nature of business the entity is into
- Date and place of establishment
- Information related to the board of directors
- Certificate of establishment/incorporation
- Information related to shareholders or ultimate beneficial owners
- Annual report for the previous year
- Information pertaining to senior management
Along with the above, a copy of the trade license, Memorandum of Association, Articles of Association, address proof, UBO details, and organisation chart are also obtained.
In high-risk situations, source of funds and source of wealth information is also obtained.
b) Verification of the customer
The second step of the KYC under the CDD program is to verify all the information that has been collected in the identification step. Again, it is essential to note that most of the collected data can be confirmed with the help of a government agency’s site or any reputable independent institution. For instance, documents like identity cards, tax receipts, and passports can be verified on the respective government portals based on the unique number associated with them.
2. Name Screening
Name screening is done in order to identify if the customer is a sanctioned individual or entity, a politically exposed person or a person with a criminal history and adverse media references. The primary objective behind carrying out the process of name screening is to check that the customers do not fall under the following categories:
- Sanctioned individual or an entity
- Politically Exposed Persons (PEPs)
- Reported in Media with alleged involvement in any criminal activities
3. Customer Risk Profiling
At this stage, the AML Compliance Officer determines the risk level of each customer or potential customer based on various factors. While performing risk-based customer due diligence, the following risk factors are taken into consideration:
- Type and nature of business relationship/transaction
- Nationality of the customer
- Political exposure of the customer
- Mode of payment (Cash, Bank Transfer, Cheque)
- Net worth of the individual
- Documentary evidence available
- Amount of transaction
- The complexity of business structure
- Local/international business
- Transaction with a customer based in a blacklisted country
- Transaction with a customer based in a grey-listed country etc.
Customer Risk Rating
Once the customer risk profile is identified, DNFBPs and FIs can decide the type of monitoring and level of controls to be imposed on such customers. The customers are classified into low-risk, medium-risk, and high-risk categories to determine the extent and frequency of monitoring required.
4. Ongoing Monitoring
Once the Customer Due Diligence process is completed and necessary decisions around risk classification have been made, regular monitoring of the customer’s risk profile cannot be overlooked. Monitoring should be carried out regularly for identified accounts for all financial transactions. The customer’s behaviour, along with accounts and transactions, must be compatible with the usual activities, and this needs to be tracked or overviewed at all costs. Depending upon the risks associated, ongoing due diligence frequency is determined.
5. Reporting Suspicion
While employing CDD measures, if the reporting entity comes across any suspicion or reasonable grounds that suggest that a customer is involved in criminal activity, it must undertake a thorough investigation and must report that information on the goAML platform via a Suspicious Activity Report (SAR). It should be noted that all employees, company directors, and officers are prohibited from tipping off customers if a SAR/STR has been filed against them.
Additionally, they need to file other reports, like HRC and HRCA, when engaging with a customer belonging to a high-risk country.
6. Record Keeping
This is the final stage of the entire AML CDD process. At this stage, one has to maintain the CDD-related records in accordance with the retention policies of the business organisation and as prescribed under AML/CFT regulation. In the UAE, AML/CFT regulations require maintenance of Client Due Diligence and other AML/CFT-related records for the period of 5 years from the relevant dates.
However, the record keeping duration varies from one supervisory authority to another.
- The Virtual Assets Regulatory Authority (VARA) mandates Virtual Assets Service Providers (VASPs) to maintain records for a duration of 8 years.
- Dubai International Financial Centre (DIFC) requires DNFBPs to maintain AML/CFT compliance and CDD records for 6 years.
- Abu Dhabi Global Market (ADGM) requires DNFBPs and VASPs to maintain AML/CFT compliance and CDD records for 6 years.
Systematic record-keeping helps DNFBPs meet their reporting obligations under AML/CFT regulations and furnish such details to the relevant supervisory authorities as and when demanded in the context of any Suspicious Transaction Report filed by the DNFBP.
What risks does a reporting entity face if it fails to carry out CDD?
If a reporting entity like a financial institution, DNFBP, or VASP does not carry out Customer Due Diligence, it harms its reputation and exposes itself to various risks like ML/FT and PF. It may also be subjected to administrative penalties. Further, a regulated entity must not enter into a business relationship if it fails to carry out customer due diligence, and should consider filing a SAR/STR with the UAE FIU.
Types of Customer Due Diligence
Reporting entities deal with different types of customers, having different backgrounds, reasons for business establishment, wealth structures, etc. Similarly, risks associated with customers also vary, requiring different kinds of measures to deal with them.
To enhance the overall capabilities of the AML framework, reporting entities need to undertake different CDD procedures.
The following are different types of CDD processes that the reporting entity needs to undertake:
1. Simplified Due Diligence
The process of simplified customer due diligence comes into the picture when the customer belongs to a low-risk category. The Designated Non-Financial Business and Professions (‘DNFBP’) is required to know the customer’s identity and basic details under a simplified customer due diligence process, and there is no need to carry out detailed due diligence.
2. Standard Due Diligence
Generally, DNFBPs adopt Standard Customer Due Diligence procedures for the majority of the customers. As a part of this process, the identity of the respective customer is verified from several reliable sources. In addition to that, DNFBPs also determine and evaluate the nature of the customer’s business or the customer’s purpose for entering into a transaction with the DNFBP.
3. Enhanced Due Diligence
Enhanced Due Diligence is usually required only for those customers who have a high-risk quotient and are more likely to get involved with money laundering or financing of terrorism. There are undoubtedly quite a few factors that clearly establish that a particular customer hails from a high-risk background. For instance, Politically Exposed Persons (PEPs) are usually categorised as high-risk customers and require enhanced customer due diligence.
With the help of enhanced customer due diligence, the information of the customers is verified, and critical information like the origin or the source of their funds, source of wealth, and the primary purpose of the transaction is obtained.
Further, as a part of the enhanced CDD measures, it is ensured that the customer makes the payment from the bank account in his own name.
It is also required to obtain approval from senior management before entering into a transaction with high-risk customers. Once you meet the above Enhanced Due Diligence Requirements, you can carry out transactions with the customer.
Ongoing Due Diligence
The risks associated with a customer change over a period of time. One needs to have a proper monitoring system in place to detect changes in customer profiles. Ongoing due diligence should aim at discovering changes in the attributes related to a customer. Say a customer becomes a Politically Exposed Person or is placed on a Sanctions list. The KYC software should trigger alerts for the compliance officer the moment it detects changes in the customer profile, which necessitates a change in the risks associated with them.
Unless regulated entities require customers to provide their KYC documents on a regular basis, it becomes difficult to detect changes in their risk profile. A change in risk profile would also be reflected in the transaction patterns associated with a customer.
If the customer happens to be a High-risk customer, he should be placed under more frequent monitoring and CDD refresh.
Here’s a checklist of circumstances requiring KYC refresh:
- Changes in the beneficial owner
- Customers making unusual transactions not aligned with their profile
- Changes in a business relationship with a customer
- Changes in ownership structure at the customer’s end
Why is CDD necessary?
As mentioned above, CDD is a crucial process for assessing risks associated with customers and ensuring compliance with regulatory requirements.
Here’s a list of reasons that make undertaking the CDD process necessary:
Take a Risk-Based Approach
It is important for reporting entities to adopt the risk-based approach to help them assess risks based on different factors like geographical location, nature of business, etc. CDD facilitates taking a risk-based approach by adopting measures that assess the level of risk associated with the customers, which allows them to tailor their risk management strategies and allocate resources to high-risk customers where they are most needed.
Prevent Financial Crimes
It is important for reporting entities to employ measures that help prevent and detect illicit crimes, including ML/FT and PF. For this purpose, reporting entities undertake CDD measures, which aid in identifying and mitigating the ML/FT and PF risks. Further, it also helps them to easily detect and prevent suspicious activities by verifying the identities of customers and understanding the nature of their transactions.
ML/FT Risk Management
The whole reason why reporting entities adopt an AML framework is to effectively manage ML/FT and PF risks. The CDD process helps them to effectively manage the ML/FT and PF risks associated with customers. Additionally, by implementing robust CDD procedures, reporting entities can identify high-risk customers and transactions and, based on that, implement appropriate control measures and report suspicious activities.
Maintain Reputation
It is essential for reporting entities to maintain their reputation in order to grow and keep doing business. Undertaking CDD practices helps reporting entities to effectively detect and deter ML/FT and PF risks associated with customers, which further aids them in maintaining their reputation in the eyes of regulators and customers, which is essential for long-term success.
Maintain Financial Integrity
The business of reporting entities depends highly on the financial sector in which they are working. For this reason, they need to take actions that help maintain financial integrity. Employing effective CDD processes prevents illicit activities, which aids in maintaining and upholding the integrity of their operations and financial system and further contributes to a safer and more transparent financial environment.
Comply with Regulations
Reporting entities are mandated to comply with the regulatory framework. In UAE, the AML/CFT legal framework requires reporting entities to comply with regulations. Therefore, undertaking CDD practices helps them fulfil their regulatory obligations and avoid penalties, legal consequences, and reputational damage.
Benefits of Effective CDD Measures
Implementing robust CDD measures helps reporting entities to effectively measure the risks associated with customers.
The following are some points highlighting the benefits of undertaking an effective CDD process:
Risk Mitigation
CDD helps reporting entities check the background and activities of customers, which helps them to easily assess the ML/FT and PF risks associated with customers and accordingly take mitigation measures.
Regulatory Compliance
Conducting CDD measures is a regulatory requirement. Therefore, reporting entities must undertake effective CDD processes to comply with regulatory requirements, which is essential to avoid fines, penalties, and legal actions.
Decision Making
Employing CDD measures helps reporting entities get valuable insights about customer identities, which aid in decision-making about onboarding, monitoring, or terminating customer relationships. Furthermore, it helps them assess whether customers align with their risk appetite and business objectives.
Prevention of Financial Crime
CDD helps reporting entities to identify and verify the identities of customers, which further prevents financial crimes such as ML/FT and PF, thus safeguarding the integrity of the financial system.
Adoption of a Risk-Based Approach
CDD measures help reporting entities adopt a risk-based approach to the AML compliance framework. This helps them to employ focused measures for high-risk customers and transactions while applying less-intensive measures to lower-risk ones.
Base for Enhanced Due Diligence
CDD processes help identify high-risk customers, such as PEPs or sanctioned individuals. This forms the basis for conducting EDD to gather additional information and mitigate associated risks.
Facilitates Ongoing Monitoring
CDD is a continuous process that monitors customer activities for any suspicious behaviour or changes in risk profile. This helps reporting entities to meet their ongoing compliance and risk management obligations.
Limitations of CDD
Although CDD is one of the important elements of the AML/CFT framework, there are various limitations of CDD in combating financial crimes and ensuring regulatory compliance.
Here’s the list of limitations of CDD:
Complexity
CDD requires undertaking thorough processes and procedures to gather and analyse various types of information about customers, their transactions, and potential risks. This makes the entire CDD process intricate and complex.
Reliance on Third Party
The main element of the CDD process is collecting and verifying data. For this purpose, reporting entities need to gather information from external sources, which introduces their dependencies on third parties, increases potential inaccuracies in the data, and further makes the verification process lengthy and complex.
Resource Intensive
Undertaking thorough investigations and monitoring processes, especially for large volumes of customers or transactions, requires significant resources in terms of time, experts, and technology. Therefore, CDD takes up a lot of resources, which indirectly impacts the efficiency of the reporting entities.
Difficulty in identifying UBOs
Reporting entities deal with various kinds of customers. Determining the true beneficiaries or owners of complex corporate structures across so many customers can be challenging for them, especially in cases of shell companies or foreign entities.
Dynamic Nature of Risk
Financial crimes keep evolving, and criminals find new ways to facilitate their activities, including ML/FT and PF. This requires the reporting entity to take additional measures to adapt and stay updated to effectively mitigate these risks, making the CDD process more complicated and lengthier.
Dynamic Regulatory Framework
Compliance requirements and regulations related to CDD may change frequently to combat the dynamic nature of financial crimes. This evolving legal landscape makes it difficult for reporting entities to stay consistently compliant.
Privacy Issue
The CDD process is about collecting, verifying, and maintaining customer information. However, this often leads to resistance from customers who are concerned about sharing their personal information due to privacy reasons. This reluctance poses a significant challenge, as it can make the CDD process seem intimidating and unwelcoming to customers.
Time Consuming
A thorough CDD process requires undertaking various processes and practices, which can be time-consuming. This leads to delays in onboarding new customers or processing transactions, which not only impacts customer experience but also affects the overall efficiency of business operations.
Best Practices for Effective CDD Program
Employing CDD is of utmost importance for the reporting entities to combat the ML/FT and PF risks. However, the CDD program should be effective and capable of detecting and preventing risks associated with customers or transactions. Therefore, to adopt an effective CDD program, they need to incorporate a few best practices.
Here are some practices that reporting entities can employ for adopting a comprehensive CDD program:
Adopting a Risk-Based Approach
Reporting entities engage with various customers who pose different levels of risk. Therefore, they need to adopt tailored CDD measures based on the customer’s risk profile. For this purpose, they should implement a risk-based approach while employing CDD measures that consider various risk factors like their industry, geographical location, transaction volume, and the products or services they use. Risks must be prioritised for their impact, and commensurate controls must be put in place.
Establishing CDD measures
CDD is a thorough program that requires undertaking CDD measures. Therefore, reporting entities should clearly define the steps and requirements of processes for undertaking CDD on new and existing customers.
Name Screening for Sanctions, PEP, and Adverse Media Checks
CDD is all about assessing the risk associated with customers by identifying and verifying their profiles and activities. As part of the CDD screening process, reporting entities should implement robust screening processes to identify any matches with sanction lists, politically exposed persons (PEPs), or adverse media coverage. This helps them mitigate the risk of customers involved in illegal or high-risk activities.
CDD Process Automation
Reporting entities should automate their CDD process using modern solutions and technologies to retrieve and evaluate data, determine risk levels, and make customer onboarding decisions based on results. This automation helps them to streamline their AML compliance efforts, which reduces manual errors and enhances the effectiveness of their risk management strategies in countering ML/FT and PF risks.
Data Security Measures
The main element of the CDD measure is collecting information from customers. However, maintaining information becomes challenging because customers are hesitant to share their private information. Therefore, to safeguard customer information and sensitive data, reporting entities can install effective data security measures such as encryption, access controls, regular security audits, and compliance with data protection regulations.
Regulatory Reporting
Reporting entities are required to assess suspicious activities and ensure compliance with relevant regulatory requirements by accurately reporting them to the appropriate authorities. When conducting CDD practices that assess customer risk, they should be attentive to any suspicious activities or transactions. Further, based on the assessment, they should file STR/SAR reports or other regulatory filings on the goAML portal as soon as possible.
Periodic Reviews
Onboarding customers, as well as engagement with customers, is an ongoing process. Therefore, reporting entities should conduct regular reviews of customer information and transaction activity to ensure ongoing compliance with CDD requirements. They should also update customer profiles as necessary based on changes in risk profile or regulatory requirements.
CDD Training Programs
Conducting CDD requires expertise. For this purpose, reporting entities should provide comprehensive training to employees involved in the CDD process so they can easily understand their roles and responsibilities. These training programs should cover regulatory requirements, risk assessment methodologies, and the use of CDD tools and systems.
Record Keeping
It is a compliance requirement that reporting entities should keep a record of AML measures. Therefore, they need to maintain thorough and accurate records of CDD activities, including KYC documents, risk assessments, and transaction records. This documentation is essential for audit purposes, submission to regulated authorities when intimated, and demonstrating compliance with regulatory requirements.
AML Customer Due Diligence Checklist
Here is the CDD checklist that the compliance team must follow to ensure that they don’t miss out on any of the customer due diligence steps:
- Collect Customer ID and Residential Proof
- Verify Customer ID and Residential Proof
- Perform screening against the UAE Local Terrorist List and UNSC Sanctions List
- Perform Customer Risk Assessment
- Ongoing Monitoring of Business Relationships with Customer
- Record Keeping for 5 Years
Final Words on Effective CDD Process
AML Customer Due Diligence is an important element of an effective AML/CFT Program. The CDD process is the primary responsibility of the compliance team and frontline employees. CDD checks help identify red flags and counter ML/TF/PF risks.
AML UAE provides consulting services on customer onboarding, KYC processes, CDD process, and risk profiling of customers. If you are looking to automate your CDD functions, we can help you with the customer due diligence software. We also provide training on customer due diligence procedures and help you comply with UAE AML laws and regulations.
FAQs - Customer Due Diligence
What are CDD measures?
CDD measures are the specific actions businesses take to verify customer identities, assess their risk levels, and monitor transactions to prevent financial crimes like ML, TF, and PF.
Can you rely on a third party to undertake your CDD measures?
Yes, businesses may use third-party providers for certain CDD tasks, but they retain full responsibility for compliance and must ensure these partners are properly vetted and monitored.
What are the CDD measures applied for customers categorised as medium or high risk?
For medium or high-risk customers, enhanced measures include deeper identity verification, source of wealth or funds documentation, senior management approval, and more frequent transaction monitoring.
If Customer Due Diligence measures cannot be completed, should a Suspicious Activity Report be submitted to the FIU?
Yes, if CDD cannot be completed in situations where the customer is acting extremely secretive or evasive, or the circumstances raise suspicions of ML/TF/PF, then the entity must submit a Suspicious Activity Report (SAR) to the UAE’s FIU through the goAML portal. In the meantime, the entity can either decide to terminate the business relationship or proceed cautiously, according to its risk appetite.
Who is responsible for conducting Customer Due Diligence?
The regulated entity is responsible for conducting CDD, typically through its AML Compliance Officer/MLRO and compliance team, who are primarily responsible, with support from frontline staff and oversight from senior management.
Why is Customer Due Diligence important?
Customer due diligence is important to avoid dealing with customers that can be a threat to your business in terms of money laundering or terrorism financing. The CDD process helps verify the identity of customers, analyse their risk profile, and check their presence in sanctions lists to comply with AML/CFT regulations.
How to conduct customer screening effectively to maximise the efficiency and accuracy of the CDD program?
Effective screening requires accurate data preparation, comprehensive investigation, and sophisticated matching. Key elements include identifying relevant sanction lists, screening local lists, screening local and international data, integrating multiple data sources, customising match rules, reducing false positives, and avoiding duplication of review efforts across the organisation.
How can customer due diligence be improved?
To improve customer due diligence, apply a risk-based approach to enable corrective actions as per the risk profile of customers. Look out for red flags during the journey of forming a business relationship with your clients and keep documenting to avoid missing out on any unusual activity.
Why is Customer Due Diligence (CDD) essential for the financial institutions and Designated Non-financial Businesses and Professions (DNFBPs)?
CDD ensures customers are genuine, prevents fraud and misuse of the financial system, supports compliance with UAE AML laws, and enables businesses to assist law enforcement when required.
What are the 4 customer due diligence requirements?
The four core requirements of CDD are:
(1) Customer identification and verification,
(2) Beneficial Owner identification,
(3) Understanding the business relationship purpose, and
(4) Ongoing transaction monitoring.
What is CDD in compliance?
Customer Due Diligence (CDD) is a compliance process of identifying customers and ensuring they are who they claim to be.
What is CDD in KYC process?
Customer Due Diligence (CDD) in Know Your Customer (KYC) process is the foundation based on which businesses collect and verify information pertaining to a customer and determine the money laundering risks associated with them.
What is the purpose of CDD?
Customer Due Diligence (CDD) is a control mechanism employed by a business to adhere to the risk-based approach adopted by it in relation to money laundering risks. It helps identify the money laundering risks associated with a customer and decide whether to onboard, reject or report a customer to the AML regulatory bodies of the country.
Under what situation is ongoing customer due diligence completed by a business?
Businesses follow a risk-based approach while identifying and mitigating their money laundering risks. Depending upon the nature and size of the business and the risk profile of a customer, ongoing customer due diligence is undertaken by a business. It helps them identify, manage, and mitigate their money laundering and terrorist financing risks.
What is an effective transaction monitoring program?
An effective transaction monitoring program is risk-based, aligned with the business’s ML/TF/PF risk assessment, regularly reviewed, and applied to all transactions. It helps detect suspicious activities, address red flags promptly, and ensure continuous monitoring of customer relationships.
When are we supposed to identify and verify a customer?
As per UAE AML Laws, FIs, DNFBPs, and VASPs are supposed to identify and verify a customer before entering into a business relationship with them.
Who is responsible for carrying out the Customer Due Diligence (CDD) Process?
DNFBPs, FIs, and VASPs are required to carry out the Customer Due Diligence (CDD) Process. The reporting entities appoint Money Laundering Reporting Officer or AML Compliance Officer to oversee the overall AML compliance function. The MLRO/AML Compliance Officer ensures that the CDD process is clearly laid out and operating as intended.
For how long do we have to maintain records related to Customer Due Diligence (CDD)?
As per UAE AML Laws, reporting entities are required to maintain Customer Due Diligence Records for a minimum period of 5 years.
What is customer due diligence in banking?
Banks conduct CDD before onboarding and throughout relationships to identify ML/TF/PF risks. This includes verifying identity documents, understanding customer risk, monitoring transactions, and updating controls as the risk level changes.
Why is CDD Necessary?
CDD is necessary to identify ML/TF/PF risks, comply with UAE AML laws, establish business relationships, detect suspicious activity and apply controls proportionate to customer risk.
For whom is a CDD policy important?
All Financial Institutions, DNFBPs, and VASPs need to have a clearly defined Customer Due Diligence policy and procedures.
How do I successfully implement a CDD policy?
Documenting and following a Customer Due Diligence (CDD) policy is a legal requirement. However, it isn’t easy to carry out CDD checks manually. Customer Due Diligence software can help you meet legal requirements, manage risks, and make informed decisions. Automation is the key to successfully implementing CDD policy and procedures.
Why are adverse media searches or negative news searches important while performing CDD of a customer?
Adverse media searches or negative news searches help reporting entities carry out a risk assessment of a customer. Sometimes a customer who has cleared all the CDD checks, including identification, verification, PEP, and UBO, is found to be a criminal. A plain Google search can provide valuable information about a customer while determining their risk profile.
Is there a requirement under the UAE AML Laws to use a specific method to carry out the customer risk assessment?
No. UAE AML Laws allow reporting entities to design their own risk assessment methodology, provided it considers ML/TF/PF risks and follows a risk-based approach aligned with the nature and size of the business.
Do the UAE AML Laws require reporting entities to perform reKYC of their customers at a specific interval?
There is no specific requirement that reporting entities have to update their customer information at a specific interval. The FIs, DNFBPs, and VASPs have to employ a risk-based approach and carry out reKYC on a regular or periodic basis.
Can a DNFBP or a VASP adopt more stringent written internal policies and procedures for the collection of beneficial ownership of its customers as a part of its CDD process under UAE AML Laws?
Yes. Entities may adopt more stringent internal policies. While 25% ownership is a global benchmark for identifying Ultimate Beneficial Owners (UBOs), the law does not restrict collecting information below this threshold where risk justifies it.
What is the ultimate purpose of Customer Risk Assessment as a part of the CDD program?
The ultimate purpose is to assess the risk profile of the customer and use it as a baseline for monitoring transactions. Any deviation from the expected behaviour may trigger reassessment or SAR (Suspicious Activity Report)/STR (Suspicious Transaction Report) filing with the UAE goAML portal.
Does the Customer Due Diligence (CDD) requirement under AML laws apply to all businesses in UAE?
No. Customer Due Diligence (CDD) requirements under the UAE AML laws apply only to Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs).
Are reporting entities in UAE required to include the procedures for identifying and verifying the identity of the customers and beneficial owners of legal entity customers in the AML Policy Manual of the company?
Yes. As per the UAE AML laws, the Customer Due Diligence (CDD) procedures must be part of the AML Policy Manual of the company.
What are the important risk factors to consider while performing a risk assessment of customers?
Reporting entities in UAE must consider the following risk factors while performing the risk assessment of customers:
- Type of business
- Source of Funds
- Source of Wealth
- The expected volume of cash transactions
- Nationality of customer
- Place of business of customer
- Place of residence of the customer
- Other criteria depending on the nature and size of business
While performing CDD, in what circumstances should a reporting entity request an additional identification document from a customer?
The reporting entity should request an additional identification document in the following circumstances:
- When the identification document or photo is illegible or unclear
- When there is a signature difference between the KYC form and the documentary evidence submitted
- When the identification document is no longer valid due to its expiry
- For any other reason that the AML compliance officer deems fit to ask for the additional ID document.
What is Standard Due Diligence in KYC?
Standard Due Diligence entails identifying the customer and verifying their identity. Reporting entities perform background checks on the customer and screen them against the sanctions list. They also perform adverse media searches and risk assessment for the customer. In the majority of the cases, reporting entities end up performing Standard Due Diligence as a part of their CDD program.
What is Enhanced Due Diligence (EDD) in the Customer Due Diligence process?
EDD involves additional checks for high-risk customers and Politically Exposed Persons (PEPs), including source of funds/wealth verification, adverse media checks, third party confirmations, document validation, and senior management approval.
What is ongoing due diligence? What is ongoing transaction monitoring?
The ongoing due diligence/transaction monitoring entails monitoring of business activities of the customers on a regular basis. Ongoing Due Diligence ensures that the transactions made by the customers are in sync with their risk profile. Ongoing transaction monitoring is an integral part of effective KYC Due Diligence.
What type of information and documents are obtained from individual customers as a part of the KYC and CDD process?
In case of individual customers, the following information is obtained:
- Complete Name
- Address of the customer
- Contact numbers
- Additional/ alternative contact numbers
- Legit, accessible, and working email address
- Place of birth
- Date of birth
- Nationality
- Gender
- Government-issued identification number
- Occupation
- Signature
What type of information and documents are obtained from corporate customers as a part of the KYC and CDD process?
In case of legal entities, the following information is obtained as a part of the KYC and CDD process:
- Name of the entity
- Type of the entity
- Nature of business
- Date and place of establishment
- Information related to the board of directors
- Certificate of establishment/incorporation
- Information related to shareholders and ultimate beneficial owners
- Annual report for the previous year
- Information pertaining to senior management
What do I do if a customer identified to be a low-risk customer subsequently becomes high-risk or PEP?
Due to changes in circumstances, if a customer subsequently becomes a PEP or high-risk customer, then the AML compliance officer should carry out Enhanced Due Diligence (EDD) and obtain senior management’s approval before entering into a transaction with such a customer.
Can I onboard a customer that does not meet the requirements of the customer acceptance policy?
No. If the customer risk exceeds the entity’s risk appetite, onboarding must be declined, the reasons must be documented by the AML Compliance Officer/MLRO, and consideration must be given to whether an SAR/STR needs to be submitted to the FIU UAE.
Do reporting entities have to carry out the KYC and CDD process in all cases?
No. If the AML Compliance Officer is of the view that performing the KYC and CDD process would tip off a suspicious person, then he may instead submit the Suspicious Activity Report (SAR) to the FIU UAE, stating the reasons why customer due diligence was not performed.
Why is it important to screen customers on a daily basis as a part of a robust CDD mechanism?
Screening customers on a daily basis helps identify instances like customers becoming sanctioned, PEPs, or high-risk and apply suitable control measures to remain compliant with the requirements of the AML/CFT Laws in UAE.
What are the requirements for sanction screening as a part of CDD procedures in UAE?
Customer name screening is one of the essential aspects of Customer Due Diligence (CDD) under the Anti-Money Laundering regulations of UAE. Accordingly, reporting entities in UAE must screen their customers, suppliers, and third parties regularly and perform name screening before entering into a new transaction. At a minimum, they have to perform sanction screening against the following lists:
- UNSC Sanctions List
- UAE Local Terrorist List
Can a reporting entity in UAE rely on third parties for customer due diligence and outsource KYC and CDD functions to them?
Reporting entities have to carry out due diligence on the outsourcing partner and ascertain their fitness for the purpose. Further, the third party must adhere to UAE AML/CFT laws. The reporting entity has to ensure that the third party is regulated and supervised, and adheres to the CDD measures towards customers and the record-keeping provisions. The reporting entity has to keep in mind that although the CDD function is outsourced, the primary responsibility to adhere to the AML/CFT laws in UAE remains with it, and it has to take reasonable measures to ensure data security and storage.
What is an example of customer due diligence?
Reporting entities in UAE obtaining customer information, including their name, address, ID, date of incorporation, and information about partners/directors/shareholders, is an example of entities performing customer due diligence as per the requirements of AML/CFT laws.
What is the difference between CDD and EDD?
CDD is a standard customer verification and risk assessment. EDD is stricter and applies to high-risk customers and PEPs, requiring deeper checks and senior management approval.
What is the difference between CIP and CDD?
CIP stands for Customer Identification Program which focuses on identifying and verifying customer identity. CDD is a broader term and includes CIP, screening, risk assessment, and ongoing monitoring. CIP is an integral part of the CDD process.
What are the challenges of due diligence?
What is PEP in due diligence?
What is a risk-based approach in CDD?
It means applying controls based on customer risks. Low-risk customers undergo Simplified CDD, medium-risk customers undergo Standard CDD, and high-risk customers undergo Enhanced CDD.
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.