Customer due diligence: what level applies, and when

Customer due diligence (CDD) is the practical core of AML compliance — verifying who your customer is, and assessing the risk they present, before you do business with them. MLR 2017 sets out three levels, and getting the level wrong is one of the most common compliance failures regulators flag.

The Three Levels

Standard Due Diligence (SDD)

The baseline for every new customer relationship in the regulated sector: verifying the customer’s identity using reliable, independent sources; identifying and verifying any beneficial owner — anyone owning or controlling more than 25% of the business; and understanding the nature and purpose of the relationship.

Simplified Due Diligence (SDD-light)

A reduced level of checks available only where you can demonstrate a genuinely low money laundering risk — for example, certain listed companies or public authorities. Simplified due diligence still requires ongoing monitoring; it is not an exemption from due diligence altogether.

Enhanced Due Diligence (EDD)

A higher level of scrutiny required wherever risk is elevated: Politically Exposed Persons (PEPs), customers from higher-risk jurisdictions, unusually complex or large transactions, and — specifically for crypto asset firms — correspondent relationships with other crypto businesses.

Politically Exposed Persons (PEPs)

A PEP is someone who holds, or has held, a prominent public function — domestically or abroad — along with their family members and known close associates. Doing business with a PEP doesn’t mean something is wrong; it means the relationship carries inherently higher risk and must be subject to enhanced due diligence, senior management approval, and ongoing monitoring of the source of funds.

What changed in the 2026 reforms

The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 — laid before Parliament in March 2026 and now in force — bring several practical changes. Monetary thresholds move from euros to sterling: the old €10,000 CDD trigger is now a flat £10,000, simplifying compliance after Brexit. EDD for high-risk third countries narrows to apply specifically to countries on the FATF call-for-action list — currently Iran, North Korea, and Myanmar — rather than the wider FATF grey list, reducing the burden for firms dealing with grey-list countries that aren’t subject to an active call for action. This doesn’t remove the requirement for a risk-based approach elsewhere: firms must still apply judgement to other risk indicators, and FATF grey-list status remains a relevant risk factor even where EDD isn’t automatically mandatory. Provisions specific to cryptoasset firms follow in 2027, aligned with the wider FSMA cryptoasset regime.

Getting the level wrong

Under-applying due diligence is the more commonly enforced failure, but over-applying enhanced checks to every customer also causes problems: it slows onboarding, frustrates legitimate customers and signals to supervisors that your risk assessment process isn’t actually risk-based.
