Customer due diligence is not a single, uniform standard applied equally to all clients. The FATF framework — and the domestic AML legislation that implements it across CSP jurisdictions — establishes a risk-based approach under which the depth and breadth of CDD measures are calibrated to the assessed money laundering and terrorist financing risk of each business relationship. This means applying more rigorous measures to higher-risk relationships and, crucially, applying lighter-touch measures where the risk is demonstrably lower.
The practical challenge for CSPs is that the risk-based approach is frequently misapplied in both directions. Some firms apply standard or enhanced CDD measures to every client regardless of risk, creating unnecessary administrative burden and inefficiency. Others apply simplified measures too broadly, without adequate documentation of the basis for doing so, and face regulatory challenge during inspection. Getting the calibration right — and documenting it clearly — is the central compliance challenge in CDD management.
The Three CDD Tiers
AML frameworks distinguish three tiers of CDD: standard customer due diligence (the default), simplified due diligence (SDD, applied where risk is demonstrably lower), and enhanced due diligence (EDD, applied where risk indicators are present or certain client types are mandatorily subject to enhanced measures).
Standard CDD requires: identification and verification of the customer and any beneficial owners above the relevant threshold (typically 25%); understanding the nature and purpose of the business relationship; and ongoing monitoring. This is the baseline that applies unless there are specific grounds for applying a different tier.
Simplified due diligence allows some or all of these measures to be applied in a reduced form — for example, relying on verification by the client's regulated introducer rather than obtaining primary documentation directly; accepting simplified identification for certain low-risk entity types; or applying less frequent refresh cycles. SDD is not the absence of due diligence — it is a proportionate reduction where the risk justifies it.
When Is Simplified Due Diligence Legitimate?
The specific circumstances in which SDD may be applied vary by jurisdiction, but the common FATF-aligned framework identifies certain categories of client or transaction where lower risk may be inherent. For CSPs, the most relevant SDD-eligible categories typically include: listed companies on regulated markets (where public disclosure obligations act as a proxy for identity verification); regulated financial institutions in equivalent jurisdictions (where they are themselves subject to AML obligations); government bodies and public authorities; and certain categories of low-value, low-risk transaction.
"The key misunderstanding about simplified due diligence is that it means you don't have to do anything. The correct understanding is that you apply measures proportionate to the risk — you still need to identify the customer, you still need to understand the relationship, you just don't need to go to the same depth and the same verification sources as for a standard or high-risk client. And you absolutely need to document why you assessed it as eligible for SDD."
— Compliance Officer, BVI-licensed CSP
The critical operational requirement is documentation. A CSP cannot simply apply SDD to a client without recording the basis for that decision in the client file. The record must show: the risk assessment that generated a low-risk finding; the specific SDD-eligible category that applies; and the reduced measures that were applied and why they are proportionate. Without this documentation, SDD is indistinguishable from CDD failure in a regulatory inspection.
When Is Enhanced Due Diligence Mandatory?
EDD is required in circumstances where the risk of money laundering or terrorist financing is assessed as higher than standard, or where specific regulatory requirements mandate enhanced measures regardless of the individual risk assessment. For CSPs, the mandatory EDD categories almost universally include: politically exposed persons (PEPs) and their family members and close associates; clients connected to jurisdictions on the FATF lists of high-risk jurisdictions subject to a call for action or under increased monitoring (the "black" and "grey" lists), or on equivalent domestic government designations; clients where unusual or unexplained transaction patterns are identified; and business relationships established by non-face-to-face means where the verification risk is not otherwise mitigated. Note that a mandatory category overrides the firm's own risk scoring: a PEP rated "low" on every other factor is still an EDD client.
Ongoing Monitoring and Refresh Cycles
CDD is not a one-time exercise at onboarding. The regulatory obligation for ongoing monitoring requires CSPs to keep CDD information current and to monitor the business relationship for transactions or activities that are inconsistent with the firm's understanding of the client. The refresh cycle — how frequently CDD information is reviewed and updated — should be risk-stratified.
A typical risk-stratified refresh schedule for CSPs: high-risk clients (including all PEPs) — annual review; standard-risk clients — review every 3 years; low-risk clients applying SDD — review every 5 years. These are indicative timescales; actual refresh triggers should also include material changes to the client's circumstances, adverse media alerts, unusual transaction patterns, and any new information that affects the risk assessment. The ongoing monitoring system must be capable of generating alerts when refresh is due and of escalating risk-based triggers to the compliance team.
Documenting the Risk-Based Approach
The risk-based approach only works — from both a compliance and a regulatory defence perspective — if it is documented. For each client, the file should contain: the initial risk assessment and the factors that drove it; the CDD tier applied (SDD, standard, or EDD) and the justification; the specific measures applied and the documentation obtained; the date of the last review; any trigger events that prompted an interim review; and the current risk rating with any changes from the initial assessment clearly noted.
Regulators inspecting CSPs are now highly experienced at identifying files where CDD tier decisions have been made informally without documentation. The absence of documented risk assessment is treated as equivalent to a CDD failure, regardless of the actual documents held. Building documentation habits into the onboarding and refresh workflows — ideally through structured fields in the entity management system that cannot be bypassed — is the most effective way to ensure that the risk-based approach is consistently evidenced.
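To show what "structured fields that cannot be bypassed" and a risk-stratified refresh schedule look like when enforced in code rather than left to habit, here is an added Python example. It is not from the page and not any CSP's entity management system: it validates a client file against the tier rules described above (mandatory EDD factors override the tier, SDD needs a documented low-risk finding, an eligible category and recorded measures) and computes whether a review is due, either on the indicative schedule from the text or because a trigger event post-dates the last review. The field names, the factor and category labels, and the sample client files are this example's own constructed assumptions.

```python
"""Policy-as-code checks for a CDD client file (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Indicative risk-stratified refresh schedule from the text, in years.
REVIEW_INTERVAL_YEARS = {"EDD": 1, "STANDARD": 3, "SDD": 5}

# Risk factors the text names as mandatory EDD triggers (labels are this example's own).
MANDATORY_EDD_FACTORS = {
    "pep",                      # PEPs, their family members and close associates
    "high_risk_jurisdiction",   # FATF-listed or equivalent government designation
    "unexplained_transactions",
    "non_face_to_face",
}

# Client categories the text names as typically SDD-eligible (labels are this example's own).
SDD_ELIGIBLE_CATEGORIES = {
    "listed_on_regulated_market",
    "regulated_fi_equivalent_jurisdiction",
    "public_authority",
    "low_value_low_risk_transaction",
}

AS_OF = date(2024, 6, 30)  # assumed "today" for the sample run


@dataclass
class ClientFile:
    client_id: str
    risk_rating: str                         # "low", "standard" or "high"
    tier: str                                # "SDD", "STANDARD" or "EDD"
    risk_factors: set = field(default_factory=set)
    tier_justification: str = ""             # the written basis for the tier decision
    sdd_category: Optional[str] = None       # required when tier == "SDD"
    measures_applied: list = field(default_factory=list)
    last_review: Optional[date] = None
    trigger_events: list = field(default_factory=list)  # (date, description) pairs


def validate_tier(f: ClientFile) -> list:
    """Return the file defects an inspector would raise; an empty list means the tier is evidenced."""
    findings = []
    mandatory = f.risk_factors & MANDATORY_EDD_FACTORS
    if mandatory and f.tier != "EDD":
        findings.append(f"mandatory EDD factors {sorted(mandatory)} present but tier is {f.tier}")
    if f.risk_rating == "high" and f.tier != "EDD":
        findings.append("risk rating is high but tier is not EDD")
    if f.tier == "SDD":
        if f.risk_rating != "low":
            findings.append("SDD applied without a documented low-risk finding")
        if f.sdd_category not in SDD_ELIGIBLE_CATEGORIES:
            findings.append("SDD applied without an eligible category recorded")
    if not f.tier_justification.strip():
        findings.append("no written justification for the CDD tier")
    if not f.measures_applied:
        findings.append("no record of the CDD measures applied")
    if f.last_review is None:
        findings.append("no review date recorded")
    return findings


def add_years(d: date, n: int) -> date:
    """Date arithmetic that survives a 29 February last-review date."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)


def review_status(f: ClientFile, today: date) -> dict:
    """Scheduled refresh per tier, or an interim review when a trigger post-dates the last review."""
    if f.last_review is None:
        return {"due": True, "reason": "never reviewed", "scheduled": None}
    scheduled = add_years(f.last_review, REVIEW_INTERVAL_YEARS[f.tier])
    pending = [desc for when, desc in f.trigger_events if when > f.last_review]
    if pending:
        return {"due": True, "reason": "trigger event: " + "; ".join(pending), "scheduled": scheduled}
    if today >= scheduled:
        return {"due": True, "reason": f"scheduled {f.tier} refresh", "scheduled": scheduled}
    return {"due": False, "reason": "", "scheduled": scheduled}


def sample_files() -> dict:
    """Constructed client files covering the tier and refresh cases discussed in the text."""
    return {
        # PEP recorded as a standard-tier client: the mandatory category must override the tier.
        "C-001": ClientFile("C-001", "standard", "STANDARD", {"pep"}, "director is a domestic PEP",
                            None, ["passport", "utility bill"], date(2023, 9, 1)),
        # Properly documented SDD client whose 5-year refresh has just fallen due.
        "C-002": ClientFile("C-002", "low", "SDD", set(), "listed on a regulated market",
                            "listed_on_regulated_market", ["introducer reliance letter"], date(2019, 3, 1)),
        # EDD client reviewed this year, but an adverse media alert requires an interim review.
        "C-003": ClientFile("C-003", "high", "EDD", {"high_risk_jurisdiction"}, "FATF-listed jurisdiction",
                            None, ["source of wealth", "certified documents"], date(2024, 1, 15),
                            [(date(2024, 5, 2), "adverse media alert")]),
        # SDD applied informally: no category, no justification, no measures recorded.
        "C-004": ClientFile("C-004", "low", "SDD", set(), "", None, [], date(2022, 1, 1)),
        # EDD client last reviewed on a leap day.
        "C-005": ClientFile("C-005", "high", "EDD", {"pep"}, "foreign PEP", None,
                            ["source of funds"], date(2024, 2, 29)),
    }


if __name__ == "__main__":
    for cid, f in sample_files().items():
        print(cid, validate_tier(f), review_status(f, AS_OF))
```

The two checks are deliberately separate: `validate_tier` is what the onboarding form should run before a file can be saved, so an undocumented SDD decision is rejected at entry rather than discovered at inspection; `review_status` is what the monitoring job runs daily over all files, treating a trigger event as sufficient on its own regardless of where the client sits in the refresh cycle.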