Customer Due Diligence Checklist by Industry Sector
Complete customer due diligence (CDD) checklist by sector: banking, real estate, legal, accounting. SDD, CDD and EDD levels with FCA guidance.

Customer due diligence (CDD) is the process by which regulated businesses verify the identity of their clients, assess risk, and monitor the ongoing relationship for suspicious activity. In the UK, CDD requirements are set out in the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) and supervised by the FCA, HMRC, and sector-specific professional bodies. Different industries face different risk profiles, and the depth of verification required varies accordingly. This article provides a sector-by-sector CDD matrix covering the documents required, applicable due diligence levels, and review frequencies for each regulated sector.
What is customer due diligence (CDD)?
Customer due diligence refers to the legal obligation for regulated firms to identify their customers, verify that identity using reliable evidence, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. The Money Laundering Regulations 2017 set out these requirements, while the Joint Money Laundering Steering Group (JMLSG) provides sector-specific guidance on implementation.
Three levels of due diligence
UK AML regulations define three tiers of customer due diligence, aligned with the risk-based approach recommended by the Financial Action Task Force (FATF):
Simplified Due Diligence (SDD) applies where the risk of money laundering or terrorist financing is demonstrably low. SDD allows firms to reduce the extent of verification measures, but does not eliminate the requirement to identify the customer. It may apply to UK-listed companies, government bodies, or low-value products with limited functionality.
Standard Customer Due Diligence (CDD) is the default level. It requires identifying the customer and any beneficial owners, verifying identity using reliable and independent sources, understanding the purpose of the business relationship, and conducting ongoing monitoring of transactions and activity.
Enhanced Due Diligence (EDD) applies where there is a higher risk of money laundering or terrorist financing. EDD requires additional measures such as establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting more intensive ongoing monitoring. EDD is mandatory for Politically Exposed Persons (PEPs), correspondent banking relationships, and customers connected to high-risk third countries.
| Level | Trigger | Key measures | Review frequency |
|---|---|---|---|
| Simplified (SDD) | Demonstrably low risk, listed companies, government bodies | Reduced verification, identity still required | Every 3-5 years |
| Standard (CDD) | Default for all business relationships | Full identification, document verification, ongoing monitoring | Annual to biennial |
| Enhanced (EDD) | PEPs, high-risk countries, complex structures | Source of funds/wealth, senior management approval, intensive monitoring | Semi-annual or more frequent |
CDD requirements by sector
The MLR 2017 defines the regulated sectors. Each faces distinct risks that shape the scope and depth of due diligence. The table below provides a comparative matrix of requirements across UK-regulated sectors.
| Sector | Supervisor | Default level | Documents required | Sector-specific considerations |
|---|---|---|---|---|
| Banking and credit institutions | FCA / PRA | CDD, frequent EDD | Photo ID, proof of address, certificate of incorporation, UBO register | Real-time sanctions screening, transaction monitoring systems |
| Insurance | FCA | CDD | Photo ID, proposal form, proof of address | Risk profiling of policyholder, beneficiary clause review |
| Estate agents | HMRC | CDD | Photo ID, proof of address, proof of funding | Both buyer and seller verification, transactions above GBP 10,000 |
| Legal professionals | SRA / Law Society | CDD | Photo ID, proof of address, certificate of incorporation (corporate clients) | Legal professional privilege limits scope; SARs via MLRO |
| Accountants and tax advisers | HMRC / ICAEW / ACCA | CDD | Photo ID, certificate of incorporation, engagement letter | Detection of anomalous financial flows, trust services |
| High-value dealers | HMRC | CDD | Photo ID, proof of address | Cash transactions above GBP 10,000, art market participants |
For a comprehensive overview of document verification requirements, see our document verification guide.
PEP and sanctions screening
Politically Exposed Persons (PEPs)
PEP identification is a mandatory component of customer due diligence across all regulated sectors. Under the MLR 2017, a PEP is any individual who holds or has held a prominent public function: heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned enterprises, and senior officials of international organisations. Family members and known close associates of PEPs are also in scope.
Any business relationship with a PEP triggers EDD automatically. This includes obtaining senior management approval before establishing or continuing the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.
The FCA has clarified that domestic PEPs (UK-based) should generally be treated as lower risk than foreign PEPs, but EDD still applies.
Sanctions screening
Regulated firms must screen customers against the OFSI Consolidated List of financial sanctions targets. Since Brexit, the UK maintains its own sanctions regime under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), separate from the EU sanctions list. Screening must occur at onboarding and on an ongoing basis.
| Check | Minimum frequency | Source | Action on match |
|---|---|---|---|
| PEP screening | Onboarding + annual refresh | Commercial databases (World-Check, Dow Jones, Moody's) | Apply EDD, senior management approval |
| OFSI sanctions list | Onboarding + ongoing (daily recommended) | OFSI Consolidated List | Freeze assets, report to OFSI within 1 working day |
| UN sanctions | Onboarding + ongoing | UN Security Council resolutions | Freeze assets, report to OFSI |
| EU sanctions (if applicable) | Onboarding + ongoing | EU Official Journal | Assess applicability post-Brexit, freeze if required |
Sector-specific checklists
Financial services (banks, payment institutions)
Financial services face the most intensive CDD requirements. The FCA fined regulated firms over GBP 100 million for AML failures in 2024-2025, with inadequate CDD systems being the most common finding.
Individual clients:
- Valid photo ID (passport, driving licence)
- Proof of address dated within 3 months (utility bill, bank statement)
- Source of funds documentation (if EDD applies)
- PEP and sanctions screening
- Purpose and intended nature of business relationship questionnaire
Corporate clients:
- Certificate of incorporation
- Memorandum and articles of association
- Companies House confirmation statement
- Register of persons with significant control (PSC register)
- Photo ID for directors and beneficial owners
- Group structure chart (complex structures)
- Proof of registered office
- PEP and sanctions screening on all beneficial owners
Real estate (estate agents, lettings agents)
Estate agents have been regulated for AML purposes since 2004. Property transactions remain a significant money laundering vector: HMRC's National Risk Assessment identifies real estate as a high-risk sector due to the large values involved and the opacity of some transactions.
Buyer:
- Photo ID
- Proof of address
- Evidence of source of funds (mortgage offer, bank statements, gift letter if applicable)
- Proof of source of wealth (if EDD applies)
- PEP and sanctions screening
Seller:
- Photo ID
- Proof of address
- Proof of ownership (Land Registry title)
For more on real estate document verification requirements, see our article on document verification for estate agents.
Legal professionals (solicitors, barristers)
Solicitors and barristers are subject to CDD when undertaking certain activities: real estate transactions, management of client money, company formation, trust administration, and financial or tax advice. Legal professional privilege does not exempt firms from CDD obligations, though Suspicious Activity Reports (SARs) are filed through the firm's Money Laundering Reporting Officer (MLRO).
Legal sector checklist:
- Photo ID for the client (or authorised representative)
- Certificate of incorporation and articles (corporate clients)
- Identification of beneficial owners
- Verification that the transaction is consistent with the client profile
- PEP and sanctions screening
- Retention of records for 5 years after the end of the relationship
- Risk assessment documented in the client file
Accountancy and tax advisory
Accountants and tax advisers have direct visibility into their clients' financial flows, placing them in a strong position to detect anomalous activity. HMRC supervises accountancy firms not regulated by a professional body; ICAEW and ACCA supervise their own members.
Accountancy checklist:
- Photo ID for the principal or directors
- Certificate of incorporation and articles
- Engagement letter signed by both parties
- Identification of beneficial owners
- Review of unusual transactions (international transfers, cash-intensive activity)
- PEP and sanctions screening
- Annual client file refresh
For a broader enterprise-level due diligence checklist, see our due diligence checklist for businesses.
Ongoing monitoring and review
Customer due diligence does not end at onboarding. Regulation 28(11) of the MLR 2017 requires ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of the relationship and keeping CDD documentation up to date.
When to re-verify
Several events should trigger a review of the client file:
- Change in ownership or control: new directors, change in beneficial ownership structure, corporate restructuring
- Unusual transaction patterns: amounts, frequency or destinations inconsistent with the known customer profile
- External events: new sanctions designation, adverse media coverage, change in risk classification of the client's country of residence
- Periodic review deadline: based on risk level (semi-annual for EDD, annual for CDD, 3-5 years for SDD)
Automating CDD processes
Manual verification at scale is expensive and error-prone. Automated document validation enables continuous verification of identity documents, detection of tampered or fraudulent documents, and cross-referencing against official databases. For regulated firms processing hundreds of client files per month, automation reduces processing time by up to 80% while improving audit trail completeness.
Frequently asked questions
What is the difference between KYC and customer due diligence?
KYC (Know Your Customer) is a subset of customer due diligence. KYC specifically refers to identifying and verifying a customer's identity. CDD encompasses KYC but extends further: it includes understanding the nature of the business relationship, assessing risk, screening for sanctions and PEPs, and conducting ongoing monitoring throughout the relationship.
Do estate agents need to verify both the buyer and the seller?
Yes. Under the MLR 2017, estate agents must conduct CDD on both parties to a property transaction. This includes verifying identity and, for the buyer, establishing the source of funds. HMRC guidance makes clear that both buyer and seller verification is required before the transaction can proceed.
How often should CDD records be updated?
The frequency depends on the risk level assigned to the customer. For SDD customers, a review every 3 to 5 years is generally acceptable. For standard CDD, an annual review is recommended practice. For EDD customers, reviews should occur at least every 6 months, with additional reviews triggered by significant events.
Are small accountancy firms subject to the same CDD requirements as banks?
Yes, the same underlying regulations apply. However, the risk-based approach means that the intensity and extent of measures should be proportionate to the firm's size, nature, and the risks it faces. Small firms may have simpler procedures, but they must still identify clients, verify identity, assess risk, and maintain records. HMRC or the relevant professional body supervises compliance.
Build a robust CDD framework for your sector
Customer due diligence is a legal requirement, not an optional extra. Non-compliance exposes firms to regulatory fines, criminal prosecution, and reputational damage. But CDD does not have to be a bottleneck. By structuring your checks according to sector-specific risk profiles and automating document verification, you can maintain full compliance while keeping onboarding efficient. CheckFile.ai helps regulated businesses automate identity and document verification across all sectors. Contact us to discuss how our solution fits your due diligence workflows.