CDD guide

What is Customer Due Diligence (CDD) for UK accountants?

Customer Due Diligence is the full compliance process that every UK accountant must complete before — and throughout — a client relationship. It goes beyond a one-time identity check. Here is what it involves, the three levels that apply, and how to evidence it correctly.

TL;DR — Quick Summary

  • CDD is the full process of verifying and assessing clients under the Money Laundering Regulations 2017
  • It includes KYC identity checks, a risk assessment of the client, and ongoing monitoring throughout the relationship
  • There are three levels: Standard CDD (most clients), Simplified CDD (low-risk only), and Enhanced Due Diligence (high-risk clients)
  • Accountants must apply CDD before beginning work for any new client — not after
  • All CDD evidence must be retained for at least five years after the relationship ends

Answer-first summary

What does CDD mean and when do UK accountants have to do it?

Customer Due Diligence (CDD) is the legal requirement for UK accountants to identify, verify, and assess every client before providing any regulated service. It is mandated by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. CDD must be completed before you begin work — not when it is convenient, and not after you have already started. It covers three things: confirming who the client is (KYC), understanding the purpose of the relationship and assessing the risk they present, and monitoring the relationship on an ongoing basis for the duration of your engagement.

  • Verify the client's identity before providing any regulated accountancy service
  • Assess the risk each client presents — Low, Medium, High, or EDD — and document the rationale
  • Monitor the relationship throughout its life; refresh CDD whenever circumstances change
  • Retain all evidence for at least five years after the relationship ends

CDD levels

The three levels of CDD

MLR 2017 sets out three levels of due diligence. The level you apply depends on the risk the client presents, not your preference or convenience.

Standard CDD

The default for most clients

Applied to the majority of client relationships. Requires identity verification (KYC), an assessment of the purpose and nature of the business relationship, and assignment of a risk level. Ongoing monitoring is required for the life of the relationship.

Simplified CDD

Permitted only for demonstrably low-risk clients

Where a client has been assessed as presenting a genuinely low risk of money laundering, a reduced level of verification may be applied. Simplified CDD is not an exemption — you must still document why the lower level is justified and maintain ongoing monitoring.

Enhanced Due Diligence (EDD)

Mandatory for higher-risk clients

Required whenever a client or transaction presents a higher level of money laundering risk. EDD goes beyond Standard CDD: you must verify the source of funds or wealth, obtain senior management approval before onboarding, and apply more frequent ongoing monitoring throughout the relationship.

Standard CDD

What Standard CDD involves

Standard CDD applies to the majority of your clients. It is not a light-touch process — it requires a documented sequence of verification steps, each with evidence. Here is the checklist.

  • Verify client identity (KYC) — name, date of birth, address, using an acceptable document
  • Understand the nature and purpose of the intended business relationship
  • Assess the risk level — Low, Medium, or High — based on client type, geography, and services
  • Document your risk assessment and the reasoning behind it
  • Set up ongoing monitoring to detect any material changes to the client's circumstances

Enhanced Due Diligence

When EDD is required

Enhanced Due Diligence is not discretionary. These four situations require it by law.

Politically Exposed Persons (PEPs)

Any client who holds or has held a prominent public function — a government minister, senior civil servant, senior military official, or a close associate or family member of such a person — requires EDD. The political exposure does not have to be current; recent PEP status still triggers the requirement.

High-risk jurisdictions

Clients who are based in, have significant operations in, or are transacting with countries identified as high risk by the Financial Action Task Force (FATF) or the UK government require Enhanced Due Diligence. Check FATF's lists before onboarding any client with an international dimension.

Complex or unusual ownership structures

Corporate structures involving multiple layers of holding companies, nominee arrangements, or beneficial ownership spread across multiple jurisdictions should trigger EDD. The complexity itself is a risk indicator, even if each individual element appears legitimate.

Risk assessment flags concern

Even where none of the above apply, if your firm-wide risk assessment or your client-level review raises concern — for example, because the client's stated business does not align with their financial profile — you must apply EDD regardless.

Ongoing monitoring

CDD does not end at onboarding

One of the most common misunderstandings about CDD is treating it as a one-time onboarding task. MLR 2017 requires ongoing monitoring throughout the life of every client relationship. This means actively reviewing clients — not just filing their documents and moving on.

Ongoing monitoring includes annual reviews, trigger reviews when circumstances change, and refresh alerts when documents approach expiry. For high-risk and EDD clients, reviews should happen at least every six months.

  • Annual reviews of all active clients — more frequently for Medium and High-risk clients
  • Trigger reviews when a client changes director, beneficial owner, or country of operation
  • Refresh alerts when identity documents approach or pass their expiry date
  • Transaction monitoring where your services include financial flows or payment handling

For tools to manage risk reviews, see Certivus risk assessment.

Record keeping

CDD evidence requirements

Under Regulation 40 of MLR 2017, you must keep all CDD evidence for a minimum of five years from the end of the business relationship. Records must be legible, retrievable, and producible quickly — HMRC inspectors may ask to see specific client files during a supervision visit.

Record type               Minimum retention                   Format guidance
Identity documents        5 years from end of relationship    Original, certified copy, or digital verification record
Proof of address          5 years from end of relationship    Document dated within 3 months at time of collection
Risk assessment records   5 years from end of relationship    Written rationale for risk rating and any overrides
Screening results         5 years from end of relationship    PEP/sanctions check result with date and provider
Ongoing monitoring notes  5 years from each review            Date, reviewer, outcome, and any changes noted

Reference: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 40. This page is general information, not legal advice.

How Certivus helps

How Certivus supports CDD

Certivus brings your CDD workflow — identity requests, risk assessment, and evidence storage — into one structured, auditable platform.

KYC and identity requests

Send secure, branded identity requests to clients. They upload documents and complete verification on any device. Results are stored with timestamps and are exportable.

Risk assessment workflow

Score each client as Low, Medium, High, or EDD using a structured checklist aligned to HMRC guidance. Override scores with a documented rationale when professional judgement requires it.

Evidence vault and records

Every document, decision note, screening result, and monitoring entry is stored securely in your Certivus vault. Export an audit-ready PDF in one click before any HMRC or professional body review.

Frequently asked questions

CDD questions answered

What is CDD?

CDD stands for Customer Due Diligence. It is the full compliance process that UK accountants and other regulated businesses must apply to every client relationship. CDD includes verifying the client's identity (KYC), understanding the purpose and nature of the business relationship, assessing the risk the client presents, and maintaining ongoing monitoring throughout the relationship. CDD obligations arise under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

What is the difference between CDD and EDD?

CDD (Customer Due Diligence) is the standard compliance process applied to most clients. EDD (Enhanced Due Diligence) is an elevated level of CDD applied where a higher risk of money laundering is identified — for example, for Politically Exposed Persons, clients in high-risk jurisdictions, or clients with complex ownership structures. EDD requires additional verification steps, including source-of-funds checks, senior management approval before onboarding, and more frequent ongoing monitoring. EDD is not discretionary where it is triggered — it is a legal requirement.

When is Simplified CDD allowed?

Simplified CDD is permitted only where a client has been assessed as presenting a genuinely low risk of money laundering, and where there are no factors that increase the risk. Even where Simplified CDD applies, you must document why the lower level is justified, and you must continue to monitor the relationship. Simplified CDD is not an exemption from CDD — it is a reduced form of it. If circumstances change and the risk level increases, you must apply Standard or Enhanced CDD.

What evidence must I keep?

Under MLR 2017, you must retain all CDD evidence for at least five years from the end of the business relationship. This includes identity documents, proof of address, risk assessment records, PEP and sanctions screening results, ongoing monitoring notes, and any decision notes explaining overrides or unusual judgements. Records should be stored securely and be retrievable quickly — HMRC supervision visits may require same-day production of evidence.

How often should CDD be reviewed?

CDD is not a one-time exercise. Ongoing monitoring is a legal requirement under MLR 2017. As a minimum, you should review all active clients annually. High-risk and EDD clients should be reviewed more frequently — at least every six months. In addition, any material change in a client's circumstances — new beneficial owner, change of jurisdiction, unusual transaction — should trigger an immediate review, regardless of when the last scheduled review took place.

Is Certivus a CDD solution?

Certivus is AML compliance software that supports your CDD workflow — including KYC requests, risk scoring, evidence storage, and audit export. It is not a substitute for professional judgement, a qualified MLRO, or your firm's AML policies. Final compliance decisions remain with you and your firm. Certivus gives you the workflow structure and evidence trail to meet your obligations efficiently and demonstrate compliance during a supervision visit.

For the identity verification component, see the KYC guide. For AML compliance broadly, see What is AML compliance?

Get started

Turn CDD from a burden into a workflow

Certivus gives UK accountants a structured CDD workflow — client intake, risk assessment, evidence storage, and audit export — in one place. Start free, no credit card required.