Customer Due Diligence Checklist by Industry Sector
Complete customer due diligence (CDD) checklist by sector in Canada: banking, real estate, legal, accounting.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokCustomer due diligence (CDD) is the process by which reporting entities verify the identity of their clients, assess risk, and monitor the ongoing relationship for suspicious activity. In Canada, CDD requirements are set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations, and supervised by FINTRAC. Different industries face different risk profiles, and the depth of verification required varies accordingly. This article provides a sector-by-sector CDD matrix covering the documents required, applicable due diligence levels, and review frequencies for each regulated sector.
What is customer due diligence (CDD)
Customer due diligence refers to the legal obligation for reporting entities to identify their clients, verify that identity using reliable evidence, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. The PCMLTFA and its regulations set out these requirements, while FINTRAC guidance provides sector-specific direction on implementation. The FINTRAC client identification methods guidance details the accepted approaches for verifying identity.
Three levels of due diligence
Canadian AML regulations define three tiers of customer due diligence, aligned with the risk-based approach recommended by the Financial Action Task Force (FATF):
Simplified Measures apply where the risk of money laundering or terrorist financing is demonstrably low. Simplified measures allow reporting entities to reduce the extent of verification measures in certain circumstances, but do not eliminate the requirement to identify the client.
Standard Customer Due Diligence (CDD) is the default level. It requires identifying the client and any beneficial owners, verifying identity using reliable and independent sources, understanding the purpose of the business relationship, and conducting ongoing monitoring of transactions and activity.
Enhanced Due Diligence (EDD) applies where there is a higher risk of money laundering or terrorist financing. EDD requires additional measures such as establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting more intensive ongoing monitoring. EDD is mandatory for Politically Exposed Persons (PEPs โ domestic and foreign), correspondent banking relationships, and clients connected to high-risk jurisdictions.
| Level | Trigger | Key measures | Review frequency |
|---|---|---|---|
| Simplified | Demonstrably low risk, publicly traded companies, government bodies | Reduced verification, identity still required | Every 3-5 years |
| Standard (CDD) | Default for all business relationships | Full identification, document verification, ongoing monitoring | Annual to biennial |
| Enhanced (EDD) | PEPs (domestic and foreign), high-risk countries, complex structures | Source of funds/wealth, senior management approval, intensive monitoring | Semi-annual or more frequent |
CDD requirements by sector
The PCMLTFA defines the reporting entity categories. Each faces distinct risks that shape the scope and depth of due diligence. The table below provides a comparative matrix of requirements across Canadian regulated sectors.
| Sector | Supervisor | Default level | Documents required | Sector-specific considerations |
|---|---|---|---|---|
| Banks and credit unions | OSFI / FINTRAC | CDD, frequent EDD | Photo ID, proof of address, articles of incorporation, beneficial ownership declaration | Real-time sanctions screening, transaction monitoring systems |
| Insurance (life) | FINTRAC / provincial regulators | CDD | Photo ID, proposal form, proof of address | Risk profiling of policyholder, beneficiary review |
| Real estate brokers | FINTRAC | CDD | Photo ID, proof of address, proof of funding | Both buyer and seller verification |
| Legal professionals | Provincial Law Societies / FINTRAC | CDD | Photo ID, proof of address, articles of incorporation (corporate clients) | Solicitor-client privilege limits scope; STR obligations |
| Accountants | FINTRAC | CDD | Photo ID, articles of incorporation, engagement letter | Detection of anomalous financial flows, trust services |
| Dealers in precious metals and stones | FINTRAC | CDD | Photo ID, proof of address | Cash transactions above CAD 10,000 |
| Money services businesses | FINTRAC | CDD | Photo ID, proof of address | Large cash and electronic funds transfers |
For a comprehensive overview of document verification requirements, see our document verification guide.
PEP and sanctions screening
Politically Exposed Persons (PEPs)
PEP identification is a mandatory component of customer due diligence across all reporting entity categories. Under the PCMLTFA, a PEP includes both foreign and domestic politically exposed persons: heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned enterprises, and senior officials of international organisations. Family members and close associates of PEPs are also in scope.
Any business relationship with a PEP triggers EDD automatically. This includes obtaining senior management approval before establishing or continuing the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.
Unlike some jurisdictions, Canada requires EDD for both domestic and foreign PEPs, although the risk assessment for domestic PEPs may differ.
Sanctions screening
Reporting entities must screen clients against the Canadian Consolidated Autonomous Sanctions List and UN Security Council sanctions. Canada maintains its own sanctions regime under the Special Economic Measures Act (SEMA), the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law), and the United Nations Act. Screening must occur at onboarding and on an ongoing basis.
| Check | Minimum frequency | Source | Action on match |
|---|---|---|---|
| PEP screening | Onboarding + annual refresh | Commercial databases (World-Check, Dow Jones, Moody's) | Apply EDD, senior management approval |
| Canadian sanctions | Onboarding + ongoing (daily recommended) | Canadian Consolidated Autonomous Sanctions List | Freeze assets, report to RCMP |
| UN sanctions | Onboarding + ongoing | UN Security Council resolutions | Freeze assets, report to RCMP |
| OFAC sanctions (if applicable) | Onboarding + ongoing | OFAC SDN List | Assess applicability, freeze if required |
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotSector-specific checklists
Financial services (banks, credit unions, MSBs)
Financial services face the most intensive CDD requirements. FINTRAC's examination activities in 2024-2025 identified client identification deficiencies as the most common finding across financial institutions.
Individual clients:
- Valid photo ID (Canadian passport, provincial driver's licence, permanent resident card)
- Proof of address dated within 3 months (utility bill, bank statement)
- Source of funds documentation (if EDD applies)
- PEP and sanctions screening
- Purpose and intended nature of business relationship questionnaire
Corporate clients:
- Certificate of incorporation (federal or provincial)
- Articles of incorporation
- Corporate annual return or Corporations Canada certificate
- Beneficial ownership declaration (25% threshold)
- Photo ID for directors and beneficial owners
- Group structure chart (complex structures)
- Proof of registered office
- PEP and sanctions screening on all beneficial owners
Real estate (brokers and agents)
Real estate brokers and agents have been reporting entities under the PCMLTFA since 2008. Property transactions remain a significant money laundering vector: Canada's National Risk Assessment identifies real estate as a high-risk sector due to the large values involved, foreign investment flows, and the use of corporate structures.
Buyer:
- Photo ID
- Proof of address
- Evidence of source of funds (mortgage pre-approval, bank statements, gift letter if applicable)
- Proof of source of wealth (if EDD applies)
- PEP and sanctions screening
Seller:
- Photo ID
- Proof of address
- Proof of ownership (provincial land title)
Legal professionals
Lawyers and notaries in Canada have distinct AML obligations. While they are reporting entities under the PCMLTFA for certain activities (real estate transactions, management of client funds, company formation, trust administration), the Federation of Law Societies of Canada has established a model rule framework for client identification and verification that applies through provincial Law Societies. Legal professional privilege considerations apply, but do not exempt firms from client identification obligations.
Legal sector checklist:
- Photo ID for the client (or authorised representative)
- Certificate of incorporation and articles (corporate clients)
- Identification of beneficial owners
- Verification that the transaction is consistent with the client profile
- PEP and sanctions screening
- Retention of records for at least 5 years after the end of the relationship
- Risk assessment documented in the client file
Accountancy
Accountants became reporting entities under the PCMLTFA and are subject to FINTRAC examination. Accountants have direct visibility into their clients' financial flows, placing them in a strong position to detect anomalous activity.
Accountancy checklist:
- Photo ID for the principal or directors
- Certificate of incorporation and articles
- Engagement letter signed by both parties
- Identification of beneficial owners
- Review of unusual transactions (international transfers, cash-intensive activity)
- PEP and sanctions screening
- Annual client file refresh
For a broader enterprise-level due diligence checklist, see our due diligence checklist for businesses.
Ongoing monitoring and review
Customer due diligence does not end at onboarding. The PCMLTFA requires ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of the relationship and keeping CDD documentation up to date.
When to re-verify
Several events should trigger a review of the client file:
- Change in ownership or control: new directors, change in beneficial ownership structure, corporate restructuring
- Unusual transaction patterns: amounts, frequency or destinations inconsistent with the known client profile
- External events: new sanctions designation, adverse media coverage, change in risk classification of the client's country of residence
- Periodic review deadline: based on risk level (semi-annual for EDD, annual for CDD, 3-5 years for simplified measures)
Automating CDD processes
Manual verification at scale is expensive and error-prone. Automated document validation enables continuous verification of identity documents, detection of tampered or fraudulent documents, and cross-referencing against official databases. For reporting entities processing hundreds of client files per month, automation reduces processing time by up to 80% while improving audit trail completeness.
Explore our pricing plans designed for different verification volumes.
For a comprehensive overview, see our document verification complete guide.
Frequently asked questions
What is the difference between KYC and customer due diligence?
KYC (Know Your Customer) is a subset of customer due diligence. KYC specifically refers to identifying and verifying a client's identity. CDD encompasses KYC but extends further: it includes understanding the nature of the business relationship, assessing risk, screening for sanctions and PEPs, and conducting ongoing monitoring throughout the relationship.
Do real estate agents need to verify both the buyer and the seller?
Yes. Under the PCMLTFA, real estate brokers and agents must conduct client identification on both parties to a property transaction. This includes verifying identity and, for the buyer, establishing the source of funds. FINTRAC guidance makes clear that identification of both parties is required.
How often should CDD records be updated?
The frequency depends on the risk level assigned to the client. For simplified-measure clients, a review every 3 to 5 years is generally acceptable. For standard CDD, an annual review is recommended practice. For EDD clients, reviews should occur at least every 6 months, with additional reviews triggered by significant events.
Are small accountancy firms subject to the same CDD requirements as banks?
Yes, the same underlying PCMLTFA requirements apply to all reporting entities. However, the risk-based approach means that the intensity and extent of measures should be proportionate to the firm's size, nature, and the risks it faces. Small firms may have simpler procedures, but they must still identify clients, verify identity, assess risk, and maintain records. FINTRAC supervises compliance for all reporting entities regardless of size.
Build a robust CDD framework for your sector
Customer due diligence is a legal requirement, not an optional extra. Non-compliance exposes firms to FINTRAC penalties, criminal prosecution, and reputational damage. But CDD does not have to be a bottleneck. By structuring your checks according to sector-specific risk profiles and automating document verification, you can maintain full compliance while keeping onboarding efficient. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a fraud detection rate of 94.8%, delivering a 67% cost reduction compared to manual CDD processes. CheckFile.ai helps reporting entities automate identity and document verification across all sectors. Contact us to discuss how our solution fits your due diligence workflows.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.
Take action
CheckFile verifies 180,000 documents per month with 98.7% OCR accuracy. Test the platform with your own documents โ results within 48h.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.