Customer due diligence (CDD) is a mandatory process of identifying, verifying, and assessing customer risk, designed to prevent money laundering (AML) and terrorist financing (CFT). Applied by regulated entities in sectors such as banking, fintech, cryptoassets, real estate, and insurance, CDD is not a one-off procedure, but a continuous process that must be updated throughout the commercial relationship.
This article delves into the concept of CDD, its regulatory framework, its levels of application, its sectoral scope, and synergies with other European regulations. It also analyzes how digital due diligence technology solutions, such as those offered by Tecalis, are transforming the way organizations comply with these obligations in a secure, efficient, and scalable manner.
What is CDD (Customer Due Diligence)?
CDD (Customer Due Diligence) is the set of procedures that require regulated entities to know their customer, verify their identity, and assess the risk they pose in terms of financial crime. Technical and regulatory details:
- Established by the 40 Recommendations of the FATF.
- Implemented in the EU through the AMLD6 Directive (2018/843).
- In Spain, developed in Law 10/2010 of April 28 and its implementing regulations.
- Overseen by SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering).
CDD must be applied before, during, and after the business relationship, and updated in the event of any relevant change in the customer's profile.
The three mandatory pillars of CDD
To be effective, CDD is based on three non-negotiable technical elements, designed to ensure correct customer identification, understand their risk profile, and ensure regulatory compliance. These pillars enable organizations to prevent money laundering and other financial crimes in a structured and verifiable manner.
Customer identification
Collection of data such as:
- Full name, identity document number (ID card, foreigner identification number, passport), date and place of birth, nationality.
- For legal entities: company name, tax identification number (CIF/NIF), registered office, shareholding structure, legal representatives, and beneficial owner (who owns >25% of the capital or effective control).
- For foreign customers, the tax address and country of residence are also required.
Documentary or identity verification
Confirmation that the data corresponds to a real person, by means of:
- In-person methods (physical documents).
- Secure remote verification: facial biometrics, OCR reading, validation against official records or reliable sources (such as the Civil Registry or EU databases).
In the digital environment, only methods authorized by SEPBLAC or based on qualified eIDAS identities are valid.
Customer risk assessment
Classification based on objective factors such as:
- Economic activity (high or low risk exposure).
- Jurisdiction of residence (countries on FATF lists are treated as high risk).
- Complexity of the corporate structure.
- Status as a politically exposed person (PEP).
All of these factors influence the risk rating. This assessment allows the appropriate level of diligence (standard, simplified, or enhanced) to be applied and continuous monitoring measures to be adopted.
The three levels of Due Diligence: Standard, simplified, and enhanced (EDD)
AML regulations establish three levels of due diligence, which must be applied according to the customer's risk profile:
- Standard due diligence: Applies in most cases. It includes the three pillars mentioned above (identification, verification, and risk assessment) and is considered sufficient for low- or medium-risk customers.
- Simplified due diligence: Allows less stringent measures to be applied to certain low-risk customers or transactions. Examples include public entities, subsidiaries of listed companies, or customers residing in jurisdictions with robust AML systems. However, its use is highly regulated and subject to ongoing review.
- Enhanced due diligence (EDD): This is mandatory when the risk is high. This includes PEP customers, operations with high-risk countries, complex transactions, or opaque corporate structures. EDD requires additional measures such as obtaining the source of funds, approval by senior management, intensified ongoing monitoring, and, in some cases, the intervention of specialized compliance units.
This approach allows for efficient allocation of resources, concentrating efforts where the risk is real.

Are CDD and DDC the same thing?
Yes, in practice, CDD and DDC are equivalent terms for Customer Due Diligence. "CDD" is the acronym used internationally, especially in documents from the FATF, the European Union, and the global financial industry. "DDC" is the Spanish translation and is commonly used in regulations and communications in Spanish-speaking countries, such as Spain.
For regulatory purposes, there is no operational difference: both refer to the same process of customer identification, verification, and risk assessment. The distinction, therefore, is mainly linguistic/terminological, not operational.
Who oversees customer due diligence (CDD) and who is required to comply with it?
The key supervisory authorities responsible for ensuring compliance with AML regulations, including CDD, are the bodies that oversee and monitor the entities subject to those regulations. These are:
- The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC), attached to the Bank of Spain. SEPBLAC receives, analyzes, and transmits information related to suspicious transactions and supervises regulated entities to ensure compliance with their obligations, including CDD.
- At the European level, the European Banking Authority (EBA) issues guidelines and technical standards to harmonize the application of AMLD6 in all Member States.
- The FATF establishes the 40 Recommendations that serve as a global framework for combating money laundering and terrorist financing.
CDD is no longer exclusive to the traditional financial sector. Currently, regulated entities in Spain (according to Law 10/2010) are:
- Traditional banking and finance.
- Fintechs (especially those with payment services or electronic money licenses).
- Crypto-asset companies (VASPs registered with SEPBLAC since 2022).
- Real estate agents (in transactions exceeding €10,000).
- Insurance companies (especially for investment products).
- Telecommunications (when offering mobile payment services or digital wallets).
- Collective investment and crowdfunding platforms.
- Lawyers, notaries, auditors, and tax advisors in sensitive transactions.
- Auction houses, jewelers, and art dealers (in high-value transactions).
Each sector must adapt its CDD process to its specific risks. These entities must implement compliance programs (AML Compliance), appoint a Compliance Officer, and apply CDD before establishing any business relationship.
How to apply CDD in banking: secure technical protocol
In the banking sector, CDD is critical. Banks must not only verify the customer's identity when opening an account, but also monitor their transactions and periodically update their risk profile. Some best practices for applying CDD securely and effectively in banking are:
Rigorous and documented onboarding
- Verification of customer identity using valid official documents (ID card/passport for individuals; deeds, commercial register, articles of association, powers of attorney, and corporate structure for legal entities).
- Detection of the beneficial owner: identifying who is behind the company, who has control, who benefits.
Risk assessment based on objective criteria
- Analysis of factors such as country of residence or incorporation, corporate structure, economic activity, expected transactional profile, political exposure (PEP), estimated volume of transactions.
- Classification of customers as low/medium/high risk, with assignment of the corresponding level of due diligence (standard, simplified, or enhanced).
Additional verification in cases of medium-high or high risk
- Verification of the origin of funds or wealth where appropriate.
- Justification of the purpose and nature of transactions, together with ongoing monitoring of transactions.
Maintenance of comprehensive records
- Retention of documentation, verification evidence, transaction histories, customer profile updates. Many regulatory frameworks require this information to be retained for a minimum period (e.g., 10 years after the end of the relationship).
Secure procedures for remote transactions
- Use of SEPBLAC-authorized methods for remote onboarding, such as videoconferencing, remote verification of electronic documents, and electronic signatures.
- In its regulations, SEPBLAC defines minimum specifications for remote identification to be legally valid.
Continuous updating and monitoring
- It is not enough to verify the customer at the outset. Their transactions must be monitored continuously in order to detect unusual patterns, changes in corporate structure, new beneficial owners, and updates to relevant data.
Banks must apply continuous due diligence: if a customer who previously carried out low-volume transactions begins to move large sums without economic justification, the system must alert the compliance team for further review.
Security in banking CDD is not only regulatory, but also reputational: failure to identify a high-risk customer can result in millions in fines, penalties, and even loss of operating license.
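The risk classification and continuous-monitoring rule described in this section can be expressed as a small rule engine. The following is an added example written for this article, not Tecalis code or any regulator's reference logic: the factor weights, tier thresholds, the placeholder jurisdiction codes "XX"/"YY", the activity catalogue and the 10,000 EUR / 5x monitoring thresholds are all hypothetical, and the sample customers and transaction histories are constructed. It scores a customer from the objective factors named above (activity, jurisdiction, structure complexity, PEP status), maps the score to a diligence level, and flags a transaction that departs sharply from the customer's recent transactional profile.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed, hypothetical reference sets: stand-ins for the FATF high-risk
# jurisdiction list and the entity's own high-risk activity catalogue.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
HIGH_RISK_ACTIVITIES = {"casino", "crypto_exchange", "cash_intensive_retail"}


@dataclass
class Customer:
    customer_id: str
    activity: str
    jurisdiction: str           # ISO country code of residence/incorporation
    structure_layers: int       # ownership layers between customer and beneficial owner
    is_pep: bool
    simplified_eligible: bool = False   # e.g. public entity, listed-company subsidiary
    transactions: list = field(default_factory=list)   # EUR amounts, oldest first


def risk_score(c: Customer) -> int:
    """Additive score from the objective factors named in the text (weights are hypothetical)."""
    score = 0
    if c.activity in HIGH_RISK_ACTIVITIES:
        score += 3
    if c.jurisdiction in HIGH_RISK_JURISDICTIONS:
        score += 4
    if c.structure_layers >= 3:
        score += 2
    elif c.structure_layers == 2:
        score += 1
    if c.is_pep:
        score += 4
    return score


def risk_tier(score: int) -> str:
    """Low/medium/high classification (thresholds hypothetical)."""
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def diligence_level(c: Customer) -> str:
    """Assign simplified / standard / enhanced diligence from the tier.

    PEPs and high-risk jurisdictions are always enhanced regardless of score, and
    simplified diligence is granted only to low-risk customers that are positively
    eligible for it, since its use is restricted.
    """
    tier = risk_tier(risk_score(c))
    if c.is_pep or c.jurisdiction in HIGH_RISK_JURISDICTIONS or tier == "high":
        return "enhanced"
    if tier == "low" and c.simplified_eligible:
        return "simplified"
    return "standard"


def monitoring_alerts(c: Customer, new_amount: float, window: int = 10,
                      multiplier: float = 5.0, absolute_floor: float = 10_000.0) -> list:
    """Continuous-monitoring rule: flag a transaction far above the customer's recent profile.

    The baseline is the median of the last `window` transactions (robust to a single
    earlier outlier). A transaction alerts only when it exceeds both an absolute floor
    and a multiple of the baseline; with too little history, any amount above the
    floor is sent for review. All thresholds are hypothetical.
    """
    history = c.transactions[-window:]
    alerts = []
    if len(history) >= 3:
        baseline = max(median(history), 1.0)   # guard against a zero baseline
        if new_amount >= absolute_floor and new_amount >= multiplier * baseline:
            alerts.append(
                f"{c.customer_id}: {new_amount:.2f} EUR vs recent median {baseline:.2f} EUR "
                f"({new_amount / baseline:.1f}x); escalate to compliance review"
            )
    elif new_amount >= absolute_floor:
        alerts.append(f"{c.customer_id}: large transaction ({new_amount:.2f} EUR) with "
                      f"insufficient history; manual review required")
    return alerts


def demo() -> dict:
    """Run the rules over constructed sample customers; returns the results for inspection."""
    retailer = Customer("C-001", "retail", "ES", 1, False,
                        transactions=[120, 95, 130, 110, 105, 140, 90, 115])
    public_body = Customer("C-002", "public_administration", "ES", 1, False,
                           simplified_eligible=True)
    pep = Customer("C-003", "consulting", "ES", 2, True)
    return {
        "retailer_level": diligence_level(retailer),          # "standard"
        "public_body_level": diligence_level(public_body),    # "simplified"
        "pep_level": diligence_level(pep),                    # "enhanced"
        "normal_txn_alerts": monitoring_alerts(retailer, 900.0),        # []
        "anomalous_txn_alerts": monitoring_alerts(retailer, 25_000.0),  # one alert
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two rules are deliberately separate: the score decides the diligence level at onboarding and at each periodic review, while the monitoring rule runs on every new transaction against the profile built from the customer's own history, which is what turns a one-off check into the continuous due diligence the text calls for. In a production system the alert would be written to a case-management queue with the evidence that triggered it, so the compliance team's review is itself documented and auditable.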
Essential steps for implementing effective CDD
The execution of robust customer due diligence requires the integration of technological and regulatory processes that ensure operational integrity at all times. A recommended roadmap would be:
- Design a customized risk framework: Define the criteria for classifying customers (geography, sector, profile, type of transaction).
- Automate onboarding: Implement digital identification flows with OCR, biometrics, and validation against trusted sources.
- Integrate real-time screening: Connect to PEP lists, sanctioned-entity lists (OFAC, EU, UN), and high-risk territory lists (FATF).
- Apply continuous monitoring: Business rules and automated alerts for changes in customer behavior.
- Train staff: Train employees in detecting red flags and using CDD tools.
- Audit the process: Conduct periodic reviews of the due diligence process to ensure its effectiveness.

CDD and other European regulations: synergies and key differences
CDD does not operate in isolation. It is intertwined with multiple European regulations that share security, privacy, and traceability objectives:
- GDPR (General Data Protection Regulation): Both regulations require the processing of personal data, but for different purposes. CDD justifies processing under "legitimate interest" and "legal obligation," while GDPR requires minimization and limited retention. Organizations must balance both requirements.
- eIDAS 2.0: The new European digital identity regulation (finalized in 2025) will establish a common framework for qualified electronic identification (QES), facilitating digital CDD through verifiable identities via QTSP providers.
- NIS2 (Network and Information Systems Security Directive): Although focused on cybersecurity, NIS2 reinforces the need for robust controls in processes such as user identification and access management, complementing CDD controls.
- AMLD6 and MiCA: The Sixth AML Directive tightens sanctions and broadens the definition of predicate offenses. MiCA (Markets in Crypto-Assets Regulation), meanwhile, imposes specific CDD obligations on crypto-asset service providers, including the verification of counterparties in transfers.
- International KYC standard: "Know Your Customer" is a broader concept that includes CDD as an essential component. KYC also covers the assessment of financial product suitability and the monitoring of transactions.
How a QTSP transforms CDD into secure digital due diligence
A Qualified Trust Service Provider (QTSP), certified under eIDAS, offers legally valid solutions across the EU to comply with CDD digitally:
- Verify customer identity remotely using secure video identification.
- Generate qualified electronic signatures (QES) that have the same legal validity as a handwritten signature.
- Validate official documents in real time against government records.
- Archive proof of identity with cryptographic integrity.
Tecalis, as a European QTSP, offers a comprehensive set of tools that enhance CDD:
- Tecalis Identity: Digital identification solution with facial biometrics, spoofing detection, and OCR reading.
  - Benefit: Accelerates remote onboarding with certified security levels.
- Tecalis Sign: Qualified electronic signature with QSCD (Qualified Signature Creation Device).
  - Benefit: Guarantees the traceability and non-repudiation of documents associated with CDD.
- Tecalis Verify: Verification engine against PEP lists, sanctioned lists, and official databases.
  - Benefit: Automates real-time risk screening.
- Tecalis Flow: Process automation engine (BPM) for CDD flows.
  - Benefit: Automatically assigns the level of diligence (simplified, standard, or enhanced) according to predefined risk rules.
Thanks to these solutions, organizations can implement digital due diligence that not only complies with regulations but also improves the customer experience, reduces operating costs, and minimizes human error.
Conclusion: CDD as a driver of trust in the digital economy
Customer due diligence (CDD/DDC) is no longer just a regulatory obligation, but a strategic element of trust in the digital economy. With the evolution of regulations such as eIDAS 2.0, MiCA, and AMLD6, the trend is toward smarter, automated, and risk-based CDD. Trusted providers such as Tecalis are at the epicenter of this transformation, offering technological infrastructures that enable companies not only to comply, but to anticipate compliance challenges.
Implementing a digital CDD strategy is not an expense, but rather an investment in security, reputation, and regulatory sustainability. And in an environment where fines for non-compliance exceed hundreds of millions of euros, that investment is more necessary than ever.