UK Customer Due Diligence (CDD) — the complete guide for accountants and solicitors

The legal foundations under MLR 2017 Regulation 28, the three CDD tiers, when each applies, what verification sources count, and how to build a CDD file that survives inspection.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • Customer Due Diligence (CDD) is the core legal obligation under MLR 2017 Regulation 28 to identify clients, verify their identity using reliable independent sources, understand the purpose of the relationship, and apply ongoing monitoring.
  • CDD has three tiers: Standard (default), Simplified (low-risk only — rarely used in practice), and Enhanced (mandatory for higher-risk relationships under Reg 33).
  • CDD is triggered by entering a Business Relationship (Reg 4) or by an Occasional Transaction reaching €15,000 (Reg 27).
  • Each CDD file should document: identity evidence, beneficial-ownership findings, the documented risk rating, the purpose of the relationship, and the ongoing-monitoring schedule.
  • Retention is 5 years from the end of the relationship (Reg 40). HMRC and SRA inspectors will ask to see the file before they ask anything else.

Answer-first summary

What is Customer Due Diligence in UK AML?

Customer Due Diligence (CDD) is the legal obligation under MLR 2017 Regulation 28 to identify clients, verify their identity using reliable independent sources, identify beneficial owners where the client is an entity, understand the purpose and intended nature of the business relationship, and apply ongoing monitoring throughout. CDD is triggered when a regulated firm enters a Business Relationship (Reg 4) or carries out an Occasional Transaction at or above the €15,000 threshold (Reg 27). It comes in three tiers: Simplified (low-risk), Standard (the default), and Enhanced (higher-risk).

  • Statutory basis: MLR 2017 Reg 28 — the cornerstone CDD obligation
  • Triggered by Business Relationship (Reg 4) or Occasional Transaction ≥ €15,000 (Reg 27)
  • Three tiers: SDD (rare), Standard CDD (default), EDD (higher-risk)
  • Records retained for at least 5 years from end of relationship (Reg 40)

The six Standard CDD steps

MLR 2017 Reg 28 expressed as a practical sequence:

Identify the client

Establish who the client is — natural person, company, partnership, or trust — and obtain identifying information. For a company: name, registered office, company number, company type, directors, and business activity. For an individual: full name, date of birth, and residential address.

Verify identity using reliable independent sources

Verification must use evidence from a reliable independent source — passport plus address proof for individuals; Companies House plus the firm's own checks for entities. Customer-supplied photocopies alone do not satisfy MLR 2017 — verification must be probative.

Identify beneficial owners (entities)

Where the client is not a natural person, identify the individual(s) who ultimately own or control the entity — typically the 25%+ shareholder or PSC. Trace through layers of holding companies; verify each beneficial owner's identity.

Understand the purpose of the business relationship

Document what the client will use you for, why now, what the expected scale and pattern of the engagement looks like. This anchors the ongoing-monitoring baseline — anything significantly outside that pattern is a red flag.

Assess and document risk

Rate every client as low, medium, or high risk based on client type, geography, services, and delivery channel. The rating drives which CDD tier applies and how often the file should be reviewed. The reasoning must be in writing.

Apply ongoing monitoring

Set a review cadence (typically annual for low-risk, more frequent for higher-risk) and watch for transactions or behaviour inconsistent with the agreed purpose of the relationship. Update the file when circumstances change.

When Enhanced Due Diligence is mandatory

MLR 2017 Reg 33 lists the EDD triggers. The default position when any trigger applies is to escalate, not to push back:

  • Client is a Politically Exposed Person (PEP), a family member or close associate of one
  • Client is established in a High-Risk Third Country listed in MLR 2017 Schedule 3ZA
  • Complex or unusually large transactions, or transactions with no apparent economic or lawful purpose
  • Client refuses to provide reasonable identification or source-of-funds evidence
  • Business relationship conducted in non-face-to-face circumstances where the firm's risk assessment flags concern
  • Client falls into a category that the firm-wide risk assessment rates as higher risk (trust structures, cash-intensive businesses, etc.)

When Simplified Due Diligence is permitted

SDD under MLR 2017 Reg 37 requires the firm to have made and documented a low-risk assessment. SDD does not mean no checks — it means proportionate checks. In practice it is rarely used by accountancy or law-firm practices:

  • Client is itself a regulated financial institution supervised in an equivalent regime
  • Client is a UK-listed company or company listed on an equivalent regulated market
  • Client is a UK public authority or public body of an equivalent jurisdiction
  • Beneficial ownership is publicly available and the structure is straightforward
  • Firm has carried out an evidenced risk assessment concluding the client is low risk

Reliable independent verification sources

What MLR 2017 Reg 28 means in practice. Each list below is a minimum baseline for that client type — your firm-wide risk assessment may require more:

Individual — identity

  • UK passport (in date)
  • UK driving licence (photocard, in date)
  • EU/EEA national ID card
  • Non-UK passport (with visa where required)

Individual — address

  • Utility bill ≤ 3 months old (not a mobile-phone bill)
  • Bank or credit-card statement ≤ 3 months old
  • HMRC correspondence ≤ 3 months old
  • Council tax bill (current year)
  • Tenancy agreement (current)

UK company — entity

  • Companies House register entry (verified, not just searched)
  • Certificate of Incorporation
  • Memorandum and Articles of Association
  • PSC register extract
  • Most recent confirmation statement

Trust — entity

  • Trust deed or written declaration
  • TRS registration record (where applicable)
  • Most recent trustees' resolution
  • Trust accounts (current year)
  • Identity evidence for trustees, settlor, beneficiaries

Common questions

What is Customer Due Diligence in the UK?

Customer Due Diligence (CDD) is the core legal obligation under MLR 2017 Regulation 28 to identify clients, verify their identity using reliable independent sources, identify beneficial owners (where the client is an entity), understand the purpose and intended nature of the business relationship, and apply ongoing monitoring. CDD applies whenever a regulated firm enters a Business Relationship (under Reg 4) or carries out an Occasional Transaction at or above the €15,000 threshold (under Reg 27).

What's the difference between Standard CDD, Simplified CDD, and Enhanced Due Diligence?

Standard CDD is the default — applied to most clients. Simplified Due Diligence (SDD) under MLR 2017 Reg 37 is a reduced level of checks permitted only where the firm has assessed the client as low risk under documented criteria (typically regulated FIs, listed companies, or public authorities); SDD is rare in accountancy and legal practice. Enhanced Due Diligence (EDD) under MLR 2017 Reg 33 is a more thorough level mandated for higher-risk relationships — PEPs, high-risk third countries, complex or unusual transactions, refusal to evidence source of funds, or any client the firm's own risk assessment flags as higher risk.

When is CDD triggered under UK law?

There are two main triggers under MLR 2017. First, entering a Business Relationship under Regulation 4 — almost any retained engagement counts. Second, carrying out an Occasional Transaction under Regulation 27 at or above the €15,000 threshold (or a series of linked transactions that appear to be one operation). Additional triggers include suspicion of money laundering or terrorist financing (regardless of value), and doubts about the veracity or adequacy of previously obtained identification.

What documents satisfy identity verification for an individual?

MLR 2017 requires verification from a 'reliable independent source'. In practice this means a current UK passport, UK driving licence photocard, or equivalent identity document, combined with an independent address-evidence document — a utility bill, bank statement, or HMRC correspondence dated within the last three months. Photocopies supplied by the client alone do not satisfy MLR 2017 — verification must be probative, typically by digital verification with a liveness check or by a certified copy from a qualified professional.

How long must I keep CDD records?

MLR 2017 Regulation 40 requires retention of CDD evidence, risk assessments, screening results, transaction records, and the supporting documents for a minimum of five years from the end of the business relationship or the date of the occasional transaction. Records must be retrievable and suitable for inspection. The five-year clock starts at the end of the relationship, not at the start.

Can I rely on another firm's CDD?

Yes — under MLR 2017 Regulation 39 ('Reliance'), you can rely on CDD measures already carried out by another regulated person such as another UK accountancy or law firm, provided you have written consent from the third party, immediate access to the underlying records on request, and you accept that the legal responsibility for CDD remains with you. Reliance is useful for referred clients but does not transfer liability — if the original CDD was inadequate, the relying firm carries the regulatory exposure.

What happens if I cannot complete CDD?

MLR 2017 Regulation 31 requires the firm not to carry out a transaction with or for the client, not to establish a business relationship, and to terminate any existing relationship — and to consider whether to make a SAR. A failure to complete CDD does not automatically trigger a SAR, but the circumstances usually warrant one: clients who refuse to provide reasonable evidence are themselves a suspicion indicator.

Standardise CDD across every client

Certivus structures the CDD evidence, risk rating, ongoing-monitoring schedule, and inspection-ready audit trail — for every client, in one workflow.