Customer Due Diligence (CDD): Complete Process Guide (Updated 2026)

Customer Due Diligence (CDD) explained: the 4 requirements, 5-step process, SDD vs CDD vs EDD, FinCEN rule, and how CDD works under RBI in India.

A customer applies for a loan at 9:47 PM. By 9:48, the platform needs to know who they are, whether the name matches the PAN, whether the face matches the document, and whether the applicant sits on any sanctions list. That is Customer Due Diligence (CDD) in 2026. It is not a one-time check at onboarding. It is a continuous assessment that runs from the first tap to the last transaction.

This guide explains what CDD is, the 4 things every CDD process must do, the 5 steps that make it work, how Simplified Due Diligence (SDD), standard CDD, and Enhanced Due Diligence (EDD) differ, and how CDD actually operates in India under the Reserve Bank of India (RBI) and the Prevention of Money Laundering Act (PMLA). If you run a regulated onboarding flow, by the end of this piece you should be able to place every customer into the right tier, document the decision, and monitor it for life.

Need to replace a manual CDD process with something that can scale? Talk to our team.

What is Customer Due Diligence?

Customer Due Diligence is the process of collecting and assessing information about a customer to understand the risk they pose, and then continuing to monitor that risk for as long as the relationship lasts. It sits inside Know Your Customer (KYC), which in turn sits inside a broader Anti-Money Laundering (AML) program. CDD is the part that actually interrogates the customer. KYC is the regulatory mandate. AML is the outcome.

CDD definition and role in KYC/AML

At its core, CDD answers four questions. Who is this customer? Who ultimately owns or controls them? What are they trying to do with our product? And is their behavior consistent with that stated purpose over time? Everything else, from identity document capture to transaction monitoring rules, is a way of getting to those answers with enough evidence to defend the decision to a regulator.

CDD is ongoing, not one-time

The most common mistake in CDD is treating it as an onboarding task. It is not. Customer risk changes. A salaried professional becomes a director of a newly incorporated entity. A resident customer starts receiving inward remittances from a jurisdiction on the Financial Action Task Force (FATF) grey list. The risk profile that justified onboarding no longer holds.

This is why Perpetual KYC (pKYC) has moved from a nice-to-have to an operating model. Instead of re-verifying every customer on a calendar (every 2 years for high-risk, every 10 years for low-risk), pKYC triggers a refresh when something material changes: a new address, a sanctions list update, a spike in transaction values, a change in beneficial ownership. The review happens when the risk moves, not when the calendar says so.

The 4 Key Requirements of CDD

Regulators across the world describe CDD in slightly different language, but they converge on the same four obligations. A CDD program that covers these four will satisfy most regimes, and one that skips any of them will fail the first audit.

Identify and verify the customer

The first requirement is to know who you are dealing with. For an individual, this means name, date of birth, address, and a government-issued identifier, each supported by evidence that is verified (not just collected). Verification in 2026 usually combines document authenticity checks, biometric liveness, and a face match between the selfie and the document photo. For a corporate customer, it means the incorporation documents, registered address, and directorship records.

Identify beneficial ownership (UBO)

The second requirement is to look through the corporate customer to the natural person who actually owns or controls it. The United States Financial Crimes Enforcement Network (FinCEN) CDD Rule requires covered financial institutions to identify and verify any individual who owns 25 percent or more of a legal entity, plus an individual who controls the entity. On February 13, 2026, FinCEN issued an Order (FIN-2026-R001) granting exceptive relief from the requirement to re-identify beneficial owners at each new account opening. Institutions should read the Order directly before assuming the 25 percent threshold applies unchanged to their workflow. The 25 percent threshold remains a widely adopted benchmark globally; other regulators set the line lower.

Understand the purpose of the relationship

The third requirement is to understand what the customer intends to do with you. A current account for a manufacturing business has a different expected pattern than a savings account for a salaried individual. You need to capture the nature of business, the expected volume and source of funds, and the reason for opening the account. This baseline is what makes later anomaly detection possible. Without it, transaction monitoring fires alerts on nothing.

Conduct ongoing monitoring

The fourth requirement is the one most programs underinvest in. Ongoing monitoring means watching transactions against the baseline you built at onboarding, re-screening against sanctions and watchlists as those lists update, and refreshing the CDD file when material events occur. This is where pKYC lives. A one-time check followed by silence is a documentation exercise, not a CDD program.

With the four requirements in place, the next question is operational: what does this look like as a workflow?

The 5-Step CDD Process

Most practitioners work the four requirements through a five-step sequence. This is the structure you will see inside onboarding software, audit checklists, and regulatory guidance. Each step produces evidence that ends up in the CDD profile.

Step 1: Identity verification

Collect the identity documents required under the applicable regime (passport, national ID, PAN, Aadhaar in India, or equivalent). Run optical character recognition (OCR) against the document, check for tampering and forgery, confirm liveness on the selfie, and match the selfie to the document face. For a corporate customer, the equivalent is incorporation documents, board resolutions, and authorized signatory proofs.

Step 2: Risk profiling

Score the customer on the dimensions that matter in your regime: geography (country of residence, country of incorporation, source of funds), product (current account vs credit line vs high-value wallet), customer type (individual, company, trust, politically exposed person), and channel (in-branch, digital, agent-assisted). The score is what drives the next step.

Step 3: Determine due diligence level (SDD / Standard / EDD)

Based on the risk score, route the customer into one of three tiers. Simplified Due Diligence (SDD) applies to demonstrably low-risk cases. Standard CDD is the default. Enhanced Due Diligence (EDD) applies to higher-risk cases: politically exposed persons, customers from higher-risk jurisdictions, complex ownership structures, or unusually high expected transaction volumes. EDD does not replace CDD. It layers extra scrutiny on top.

Step 4: Document the CDD profile

Write down the decision. A CDD profile is a structured record that contains identity evidence, the risk score and its drivers, the tier assigned, the beneficial owners identified (for legal entities), the purpose of the relationship, and the monitoring plan. The profile needs to be retrievable in an audit and updatable as things change. Regulators look for reasoning, not just data.

Step 5: Ongoing monitoring and review

Put the profile to work. Transaction monitoring compares real activity against expected activity. Sanctions re-screening runs on every list update. Periodic reviews happen on a calendar for lower-risk customers; trigger-based reviews happen whenever something material changes. Every review either confirms the existing tier or promotes the customer to a higher one.

That promotion, from SDD to Standard, or from Standard to EDD, is the point where the three tiers stop being theoretical and start being operational.

SDD vs Standard CDD vs EDD

The three tiers exist because treating every customer the same is both expensive and counterproductive. Low-risk customers get drowned in friction, and high-risk customers get the same check as a retail salary account. Risk-based due diligence fixes both.

Comparison table: eligibility, depth, documents

| Dimension | Simplified (SDD) | Standard CDD | Enhanced (EDD) |
|---|---|---|---|
| Who it applies to | Demonstrably low-risk customers (regulated FIs, listed companies, government bodies, low-value retail) | The default for most customers | PEPs, high-risk jurisdictions, complex ownership, high volumes |
| Identity depth | Minimum required documents | Full identity and address verification | Full CDD plus source-of-wealth and source-of-funds evidence |
| UBO scrutiny | Standard where applicable | 25 percent threshold under FinCEN; similar globally | Look-through beyond threshold; understand the full chain |
| Monitoring | Reduced but not zero | Standard rules | Heightened review, senior-management sign-off |
| Review cadence | Longer intervals | Periodic | Frequent, often annually or on every trigger |

When to apply each tier

SDD is only valid when you can evidence why the customer is low-risk. That evidence is the audit trail, not the outcome. Standard CDD applies in all cases that do not qualify for SDD or require EDD. EDD kicks in when any single factor hits a defined threshold: PEP match, adverse media, high-risk jurisdiction, complex structure, or a product feature (like large cross-border payments) that amplifies risk.

Moving between tiers

Tiers are not permanent. A customer moves up when a trigger fires (new PEP status, unusual transaction pattern, adverse media, sanctions proximity) and can move down only after a documented reassessment. The common failure is downgrades by default: a customer who was onboarded as EDD quietly drifts back to Standard because nobody re-scored them. Tier moves must be decisions, not drift.
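The scoring, tiering, UBO look-through and tier-movement rules described in Steps 2 to 5 and in this section, as an added example that is not HyperVerge's code or any regulator's reference implementation. The dimension weights, the score bands (0 maps to SDD, 5 or more to EDD), the trigger names and the sample ownership chain are all assumptions; only the 25 percent UBO threshold and the "no downgrade without a documented reassessment" rule come from the guide.

```python
"""Risk-based CDD tiering, UBO look-through and trigger-driven reviews (added
illustration, not HyperVerge code; weights, bands and trigger names are assumed)."""
from dataclasses import dataclass, field

SDD, STANDARD, EDD = "SDD", "Standard", "EDD"
RANK = {SDD: 0, STANDARD: 1, EDD: 2}
UBO_THRESHOLD = 25.0  # percent holding; the FinCEN benchmark cited in the guide
# Step 2: assumed weights for the four scoring dimensions named in the guide.
GEOGRAPHY = {"low": 0, "medium": 2, "high": 5}
PRODUCT = {"savings": 0, "current": 1, "credit": 2, "high_value_wallet": 3}
CUSTOMER_TYPE = {"individual": 0, "company": 1, "trust": 2, "pep": 5}
CHANNEL = {"branch": 0, "digital": 1, "agent": 1}
# Step 3: any single hard trigger forces EDD regardless of the summed score.
EDD_TRIGGERS = {"pep_match", "adverse_media", "high_risk_jurisdiction",
                "complex_structure", "sanctions_proximity", "unusual_pattern"}

@dataclass
class Customer:
    geography: str
    product: str
    customer_type: str
    channel: str
    tier: str = STANDARD
    history: list = field(default_factory=list)  # Step 4: audit trail of tier decisions

def risk_score(c):
    return GEOGRAPHY[c.geography] + PRODUCT[c.product] + CUSTOMER_TYPE[c.customer_type] + CHANNEL[c.channel]

def assign_tier(c, flags=()):
    """Route on score (assumed bands: 0 -> SDD, >= 5 -> EDD); a hard trigger overrides."""
    if EDD_TRIGGERS & set(flags) or risk_score(c) >= 5:
        return EDD
    return SDD if risk_score(c) == 0 else STANDARD

def effective_ownership(entity, registry):
    """Look through intermediate entities, multiplying holdings down the chain.
    registry maps entity -> {holder: direct percent}; a holder not in the registry is a person."""
    result = {}
    def walk(ent, share):
        for holder, pct in registry[ent].items():
            eff = share * pct / 100.0
            if holder in registry:
                walk(holder, eff)  # holder is itself an entity: keep looking through
            else:
                result[holder] = result.get(holder, 0.0) + eff
    walk(entity, 100.0)
    return result

def beneficial_owners(entity, registry, threshold=UBO_THRESHOLD):
    return sorted(p for p, v in effective_ownership(entity, registry).items() if v >= threshold)

def review(c, trigger=None, reassessment=None):
    """Step 5: a trigger may promote; a downgrade needs a documented reassessment, never drift."""
    old, proposed = c.tier, assign_tier(c, {trigger} if trigger else ())
    if RANK[proposed] > RANK[old]:
        c.tier, note = proposed, f"promoted on trigger: {trigger}"
    elif RANK[proposed] < RANK[old] and reassessment:
        c.tier, note = proposed, f"downgraded after reassessment: {reassessment}"
    elif RANK[proposed] < RANK[old]:
        note = "downgrade blocked: no documented reassessment"
    else:
        note = "tier confirmed"
    c.history.append((old, c.tier, note))
    return c.tier
```

Each call to `review` appends an (old tier, new tier, reason) record, which is the evidence an auditor reads when asking why a customer sits in a given tier.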

Most of this is global. What changes materially from one jurisdiction to the next is the source of the obligation. In India, that source is layered.

CDD Under India’s RBI and PMLA Framework

India has a risk-based CDD regime that is specific, detailed, and different from the US and EU models in one important way: the rulebook lives primarily in regulator-issued Master Directions, not primary legislation. For a fintech or NBFC operating in India, the starting point is the RBI KYC Master Direction and the PMLA.

RBI KYC Master Direction on CDD

The RBI Master Direction on Know Your Customer (issued in 2016 and updated multiple times since) lays out CDD obligations for banks, Non-Banking Financial Companies (NBFCs), payment aggregators, payment banks, and other regulated entities. It requires risk categorization of customers (low, medium, high), sets minimum CDD measures for each category, and defines the record-retention, reporting, and periodic review obligations. Regulated entities must categorize every customer and be able to show the basis for that categorization. The Master Direction is updated periodically and the current version on the RBI website should be treated as authoritative.

PMLA reporting entities and CDD

The Prevention of Money Laundering Act (and the PML Rules) gives CDD its statutory teeth in India. Reporting entities (banks, NBFCs, capital market intermediaries, and a growing list of designated sectors) must appoint a Principal Officer, file Suspicious Transaction Reports and Cash Transaction Reports with the Financial Intelligence Unit (FIU-IND), and retain records for defined periods. CDD evidence is the raw material these reports draw from.

Sectoral overlays: SEBI, IRDAI, PFRDA

On top of RBI and PMLA, Indian sectoral regulators add their own layers. The Securities and Exchange Board of India (SEBI) issues KYC and CDD norms for capital markets intermediaries. The Insurance Regulatory and Development Authority of India (IRDAI) does the same for insurers. The Pension Fund Regulatory and Development Authority (PFRDA) regulates pension fund intermediaries. For a cross-sector institution, the operating rule is: apply the highest common standard and keep sectoral-specific evidence available.

CDD for Indian fintechs and NBFCs

The Indian regime recognizes digital CDD as full CDD. Aadhaar-based eKYC (for entities authorized under the Aadhaar Act), offline Aadhaar XML or QR verification, Digital KYC with live photo capture and officially valid documents (OVDs), and Video-based Customer Identification Process (V-CIP) are all accepted methods when performed within the conditions RBI specifies. The choice of method does not lower the standard. A V-CIP done right produces the same CDD output as an in-branch check.

This is the foundation that makes scalable digital CDD possible in India. What turns that foundation into an operating model is automation.

Digital CDD: Making It Scalable

Manual CDD does not scale past a certain volume. A bank onboarding 50,000 customers a month cannot put each one through a human-reviewed, paper-trail workflow and still meet service-level targets. Digital CDD is not a quality trade-off; done well, it is usually more consistent than manual review because the decision logic is codified and auditable.

Automated identity and document verification

OCR extracts the data. Document forensics checks for tampering (pixel-level, font anomalies, template mismatches). Liveness checks confirm a real human is present. Face match scores the similarity between the selfie and the document image. A single digital identity check can produce dozens of signals, each logged, each reviewable.

Perpetual KYC (pKYC) in practice

Calendar-based re-KYC is an inheritance from a paper era. Event-driven re-KYC re-verifies when something changes: a new sanctions list match, a transaction that breaks the customer’s baseline, a new ownership filing, a change of address. This both reduces cost (fewer customers re-verified for no reason) and raises protection (risk gets seen when it appears, not on its next calendar slot). The FATF’s risk-based approach is the foundational standard behind this shift.

Video KYC as digital CDD in India

V-CIP in India is not a lighter alternative to in-branch CDD. Under RBI guidelines, it is full CDD, with additional controls: the video session must be live and interactive, the agent must be trained and located in India, the customer’s OVD must be captured on-camera, and the session must be recorded with a timestamp and geo-tagging. For fintechs and NBFCs that cannot rely on a branch network, V-CIP is often the only practical way to perform CDD at national scale.

Automation answers the “how.” The next question is who is actually obligated to do CDD at all.

Who Must Do CDD?

CDD is not confined to banks. The list of obligated sectors has expanded steadily as money laundering typologies have evolved beyond traditional banking.

Regulated financial entities

Banks, NBFCs, payment aggregators, insurers, broker-dealers, mutual fund houses, and Asset Management Companies (AMCs) are the core obligated sectors in most regimes. In India, all of these are reporting entities under PMLA and subject to RBI, SEBI, IRDAI, or PFRDA supervision depending on their license.

Emerging obligated sectors

Virtual Digital Asset (VDA) service providers, online real-money gaming platforms, dealers in precious metals and stones, and real estate intermediaries above defined thresholds have been brought into the PMLA perimeter in India. The direction of travel globally is the same: any sector that can move value at scale will eventually sit inside a CDD regime.

Consequences of Poor CDD

Weak CDD is rarely a single catastrophic failure. It is usually a pattern: missed UBO checks, stale risk scores, monitoring rules that never fired, records that could not be retrieved in an audit. When the regulator arrives, that pattern becomes a case.

Regulatory fines

Across jurisdictions, fines and penalties under AML regimes run into hundreds of millions of dollars annually for the largest cases. The direct cost is meaningful, but for most regulated entities the second-order costs are larger: the cost of remediation (re-KYC programs on millions of existing customers), the cost of heightened supervision, and the cost of delayed licenses or product approvals while the regulator is still unsatisfied.

Operational and reputational impact

Correspondent banking relationships can be cut off if a bank’s CDD program fails to meet a counterparty’s standards. Payment aggregators can lose sponsor-bank arrangements. In India, specifically, weak CDD can trigger restrictions on new customer onboarding, which for a growth-stage fintech is often a bigger problem than the fine itself.

FAQs

What is the difference between KYC and CDD?

KYC is the regulatory requirement to know your customer. CDD is the process that gets you there. KYC is the “what.” CDD is the “how.” CDD includes identity verification, beneficial ownership identification, understanding the purpose of the relationship, and ongoing monitoring. For a deeper breakdown, see our explainer on KYC and AML differences.

What are the 4 requirements of customer due diligence?

The four requirements are: (1) identify and verify the customer, (2) identify beneficial ownership for legal entities, (3) understand the purpose and intended nature of the relationship, and (4) conduct ongoing monitoring of transactions and risk. A CDD program that covers these four will meet the core of most regulatory regimes.

What is the difference between CDD and EDD?

Standard CDD is the default level of due diligence applied to most customers. Enhanced Due Diligence (EDD) is additional scrutiny applied to higher-risk customers: politically exposed persons, customers from higher-risk jurisdictions, complex ownership structures, or high-volume cross-border activity. EDD layers on top of CDD; it does not replace it.

What is the FinCEN CDD Rule?

The FinCEN CDD Rule is a US Bank Secrecy Act regulation that requires covered financial institutions to identify and verify the natural persons who own 25 percent or more of a legal entity customer, plus an individual who controls the entity. In February 2026, FinCEN issued an Order (FIN-2026-R001) granting exceptive relief from the requirement to identify beneficial owners at each new account opening; institutions should refer to the Order directly for the current position.

What is a CDD profile?

A CDD profile is the structured record a regulated entity maintains for each customer. It contains identity evidence, the risk score and its drivers, the due diligence tier assigned, beneficial owners identified, the purpose of the relationship, and the monitoring plan. The profile is what an auditor reads when they ask “why did you onboard this customer, and how are you watching them?”

What is simplified due diligence vs standard CDD?

Simplified Due Diligence applies to demonstrably low-risk customers and uses a reduced set of verification and monitoring measures. Standard CDD is the default, with full identity verification, UBO identification where applicable, and standard monitoring. SDD is not a bypass; it is still a documented risk decision. For when and how to use it, see our guide on Simplified Due Diligence.

What is ongoing customer due diligence?

Ongoing CDD (also called continuous monitoring or perpetual KYC) is the work that happens after onboarding: transaction monitoring against the customer’s expected profile, re-screening against sanctions and watchlists as those lists update, and refreshing the CDD file when material events occur. It is the part of CDD that turns a static check into a living record.

Who is required to perform customer due diligence?

In India, reporting entities under PMLA (banks, NBFCs, capital market intermediaries, insurers, payment aggregators, designated non-financial businesses and professions, VDA service providers, and others) must perform CDD. Globally, the FATF standard extends CDD obligations to financial institutions and designated non-financial businesses and professions that handle value at scale.

Automate CDD End-to-End

CDD is easier to describe than to operate. The design is straightforward; the scale is not. If you are running a digital onboarding flow in India or a cross-border one elsewhere, the pieces that matter are the same: identity and document verification, liveness and face match, V-CIP where needed, UBO discovery, sanctions and PEP screening, and event-driven re-KYC. HyperVerge provides these as a single stack, tuned for regulated onboarding in India and live across banks, NBFCs, and fintechs. Sign up or walk us through your current CDD flow and we will tell you honestly where the gaps are.

Nupura Ughade

Content Marketing Lead

With a strong background in B2B tech marketing, Nupura brings a dynamic blend of creativity and expertise. She enjoys crafting engaging narratives for HyperVerge's global customer onboarding platform.
