Customer Due Diligence Requirements for Banks: A Complete Guide

What banks must verify, monitor, and document under FinCEN's CDD Rule — including the 2026 beneficial ownership changes and how to evaluate your program.
Chrisjan Wüst, Co-Founder & CTO of Sphinx
Chrisjan Wüst

TL;DR: Customer due diligence requires banks to verify customer identities, identify beneficial owners, assess risk profiles, and monitor relationships on an ongoing basis. FinCEN's February 2026 exceptive relief order shifted the emphasis from periodic re-verification to continuous, trigger-based monitoring — and the FCA's 2025 multi-firm review found that most firms still struggle with the depth and independence of their compliance monitoring arrangements.

What Customer Due Diligence Actually Requires

Four-pillar diagram showing the core CDD requirements: Identity verification, Beneficial Ownership, Risk Profile, and Ongoing Monitoring
FinCEN's CDD Rule rests on four explicit pillars: customer identity, beneficial ownership, risk profiling, and ongoing monitoring.

Customer due diligence is the set of processes a bank uses to verify who its customers are, understand why they want a banking relationship, and assess the financial crime risk they present. CDD is not a single check at account opening. It is an ongoing obligation that spans the full lifecycle of the customer relationship.

FinCEN's 2016 CDD Rule codified four core requirements for covered financial institutions:

The first two elements address identity. The third and fourth address risk. All four are explicit BSA/AML program requirements, not optional enhancements. Banks that treat CDD as a checkbox exercise at onboarding — rather than a continuous risk management function — expose themselves to enforcement action and operational blind spots.

Three Regulators, Three Sets of Changes

CDD requirements hardened across three jurisdictions in 2025 and 2026. The rules are not more numerous than they were in 2017, but they are more operationally demanding.

FinCEN (United States): On 13 February 2026, FinCEN issued the FIN-2026-R001 exceptive relief order, which eliminated the requirement to re-identify and re-verify beneficial owners each time an existing legal entity customer opens a new account. The relief sounds like a loosening. It is not. The order conditions itself on the bank having no facts that reasonably call into question its existing beneficial ownership information. The effect pushes the center of gravity from periodic re-collection toward continuous monitoring for trigger events — a shift that demands stronger ongoing surveillance infrastructure, not weaker controls.

FCA (United Kingdom): The FCA published PS24/17 in November 2024, incorporated changes into its consolidated Financial Crime Guide in April 2025, and continued an enforcement cycle that produced penalties on UK banks and payments firms running into hundreds of millions of pounds. The FCA's 2025 multi-firm review examined CDD systems and controls through questionnaires, desk-based reviews, customer file reviews, and staff interviews. Most firms tailored their CDD approach to customer risk profiles, but the review found that the level and depth of compliance monitoring — and the independence of audit functions — varied significantly.

FATF (Global): The Financial Action Task Force tightened Recommendation 24 on beneficial ownership transparency in March 2022, updated its assessment methodology, and began applying those standards in mutual evaluations. Four jurisdictions — Algeria, Angola, Cote d'Ivoire, and Lebanon — were added to the grey list in October 2024. Recommendation 10 continues to require that financial institutions apply CDD measures using a risk-based approach, verify customer and beneficial owner identities before or during the establishment of a business relationship, and refuse to open accounts or terminate relationships when CDD cannot be completed.

Standard CDD vs. Enhanced Due Diligence

Tiered pyramid showing three levels of customer due diligence: Standard CDD at the base, Simplified CDD in the middle, and Enhanced CDD at the top
Due diligence intensity scales with risk: standard CDD for most customers, enhanced CDD for higher-risk relationships.

Standard CDD applies to every customer relationship. It covers identity verification, beneficial ownership identification, risk profiling, and ongoing monitoring. For the majority of retail and low-risk commercial accounts, standard CDD is sufficient.

Enhanced due diligence applies when the risk is elevated. EDD is mandatory for politically exposed persons, customers from high-risk jurisdictions, complex ownership structures, correspondent banking relationships, and any situation where the money laundering or terrorist financing risk is increased. EDD requires banks to go deeper: obtaining source of wealth and source of funds information, securing senior management approval for the relationship, and conducting more frequent reviews.

The distinction matters operationally. A bank that applies the same level of scrutiny to every customer wastes resources on low-risk accounts while potentially under-resourcing high-risk ones. Risk-based segmentation — where standard CDD scales down and EDD scales up according to assessed risk — is what regulators expect.

Beneficial Ownership: The Hardest Requirement to Sustain

Identifying beneficial owners at account opening is straightforward in concept. Keeping that information accurate over time is where most banks struggle. Corporate structures change. Ownership stakes transfer. Individuals rotate in and out of control positions. A beneficial ownership record collected two years ago may bear little resemblance to reality today.

FinCEN's 2026 exceptive relief order explicitly conditions itself on the bank's ability to detect trigger events that call previously verified information into question. This means banks need systems that flag material changes — ownership transfers, control changes, adverse media hits, sanctions designations — as they happen, not on a periodic review cycle.

UBO identification becomes especially complex with multi-layered holding structures, trusts, and nominee arrangements. Banks operating across jurisdictions face the additional challenge of reconciling different beneficial ownership thresholds. The US uses a 25% ownership trigger. The EU's Anti-Money Laundering Directives have moved toward lower thresholds. FATF Recommendation 24 leaves the specific threshold to national implementation but requires that both ownership and control be captured.

Ongoing Monitoring: Where Compliance Programs Break

Ongoing monitoring is the fourth pillar of CDD, and it is where most compliance programs show the most strain. FinCEN does not require banks to update customer information on a specific schedule. The obligation is risk-based: when monitoring reveals a change in customer information relevant to assessing risk, the bank must update its records and reassess the risk profile accordingly.

In practice, this creates a two-track obligation. Transaction monitoring must detect activity inconsistent with the customer's profile and generate SARs where warranted. Customer information monitoring must detect changes that affect the reliability of identity, beneficial ownership, or risk profile data. Both tracks must operate continuously.

According to Encompass Corporation's 2026 Corporate Treasurers Report, 95% of corporate treasury professionals are dissatisfied with banks' KYC processes — up from 73% in 2024. The report found that 96% of organizations have abandoned a banking application due to processing delays, and 99% reported revenue losses from onboarding complexity. These numbers point to a systemic failure in how banks execute ongoing due diligence at scale.

The operational cost is substantial. Perpetual KYC models — which replace periodic bulk reviews with continuous, event-driven updates — are gaining traction as a more sustainable alternative. According to Celent's 2025 analysis, AI-powered KYC processes reduce the cost per CDD review by 50 to 70% for standard retail accounts, though enhanced due diligence cases still require senior analyst judgment and show more modest cost reductions of 25 to 40%.

How to Evaluate a CDD Program

Regulators assess CDD programs against a set of practical criteria that go beyond written policies. Banks preparing for examination should evaluate their own programs against the same standards.

Banks that score well on these criteria tend to share a common trait: they treat CDD as a data infrastructure problem, not purely a compliance staffing problem. Accurate, accessible, continuously updated customer data is the foundation. Without it, policies and procedures — however well-drafted — cannot be executed consistently.

Where Technology Fits — and Where It Does Not

The CDD services market reached $3.39 billion in 2025 and is projected to grow to $3.72 billion in 2026, according to The Business Research Company. McKinsey's 2025 data indicates that over 60% of financial institutions now use AI in some part of their AML or KYC operations. The technology is no longer experimental.

Automation addresses the volume challenge. Banks processing thousands of account openings and periodic reviews per month cannot sustain manual CDD at acceptable cost or speed. AI-powered tools handle document verification, identity matching, adverse media screening, and sanctions checks at a pace and consistency that manual teams cannot match for standard-risk accounts.

Where automation falls short is in judgment-intensive work. KYB processes involving complex corporate structures, cross-border ownership chains, and trust arrangements still require experienced analysts who can interpret ambiguous information and make risk-based decisions. EDD cases involving PEPs, high-risk jurisdictions, or unusual source-of-wealth narratives demand the kind of contextual reasoning that current AI systems support but do not replace.

The most effective CDD programs use technology for what it does well — speed, consistency, and coverage — while preserving human judgment for the cases that require it. KYC software that integrates into existing workflows, documents every decision for audit, and escalates edge cases to human reviewers reflects this hybrid approach.

Where Sphinx Fits

Sphinx deploys AI compliance agents that operate inside existing bank systems to automate high-volume CDD tasks — identity verification, beneficial ownership checks, sanctions screening, and ongoing monitoring reviews. Agents log into the same platforms analysts use, review cases using the same data sources, and document every decision with a full audit trail. For standard-risk CDD, Sphinx reduces review time by up to 80% while maintaining the documentation quality regulators expect. Edge cases and EDD work are escalated to human analysts with the context already assembled.

Frequently Asked Questions

What are the four core CDD requirements under FinCEN's rule?

FinCEN's CDD Rule requires covered financial institutions to identify and verify customer identity, identify and verify beneficial owners of legal entity customers, understand the nature and purpose of each customer relationship to develop a risk profile, and conduct ongoing monitoring for suspicious activity and customer information changes.

How did FinCEN's February 2026 order change CDD obligations?

The FIN-2026-R001 exceptive relief order removed the requirement to re-identify and re-verify beneficial owners every time an existing legal entity customer opens a new account. Banks must still collect beneficial ownership information at initial account opening and update it whenever they become aware of facts that call existing information into question. The practical effect shifts the compliance burden toward continuous monitoring rather than periodic re-collection.

When is enhanced due diligence required instead of standard CDD?

Enhanced due diligence is required for higher-risk relationships, including politically exposed persons, customers from high-risk or sanctioned jurisdictions, correspondent banking relationships, complex legal structures, and any scenario where the bank's risk assessment identifies elevated money laundering or terrorist financing risk. EDD typically involves obtaining source of wealth and source of funds documentation and securing senior management approval.

How often must banks update customer due diligence records?

FinCEN does not mandate a fixed schedule for updating CDD records. The obligation is risk-based: banks must update customer information when ongoing monitoring reveals changes relevant to the customer's risk profile. Many banks adopt periodic review cycles — annually for high-risk, every three to five years for standard-risk — but these are internal policy choices, not regulatory minimums.

What role does technology play in CDD compliance?

Over 60% of financial institutions now use AI in AML or KYC processes, according to McKinsey. Technology automates identity verification, document extraction, adverse media screening, and sanctions checks for standard-risk accounts, reducing review costs by 50 to 70% per case. Enhanced due diligence cases still require human analyst judgment, with more modest automation gains of 25 to 40%.

Get Your Free AI Compliance Handbook

What compliance leaders need to know about AI-driven fraud, autonomous laundering, and how your team can
fight back.
Submit
Thank you! Your submission has been received!
Something went wrong while submitting the form. Please try again.