CDD and KYC compliance — engage a specialist or outsource
AML legislation sets concrete requirements for customer due diligence, risk classification and ongoing monitoring. A generic approach no longer suffices: supervisors enforce actively and expect demonstrable, documented procedures. Finaxis delivers audit-ready CDD and KYC — from standard onboarding to enhanced due diligence on high-risk relationships.
Already trusted by 9 European financial organisations — including Stellantis, Generali and Ayvens.
What is Customer Due Diligence (CDD)?
Customer Due Diligence (CDD) is the set of measures a financial institution or obliged entity is required to take under AML legislation to establish a customer's identity, understand the business relationship and assess the risk of money laundering or terrorist financing. CDD is not a one-off action at onboarding — it is a continuing obligation throughout the entire customer relationship.
The Dutch AML Act (WWFT) and the European AML Directives (AMLD5 and AMLD6) distinguish three levels of customer due diligence, each tied to the risk profile of the customer and the business relationship.
Simplified due diligence (SDD)
Applies to customers and transactions with a demonstrably low risk. Identity verification requires a limited set of documents; ongoing monitoring is less intensive. SDD is the exception, not the standard — the institution must be able to substantiate the lower risk.
Standard due diligence (CDD)
The baseline level for most business relationships. This includes identification and verification of the customer, establishing the ultimate beneficial owner (UBO), understanding the purpose and nature of the relationship, and ongoing transaction monitoring. Documentation must be kept current and reviewed regularly.
Enhanced due diligence (EDD)
Mandatory for high-risk customers: PEPs (Politically Exposed Persons), customers in high-risk countries, business relationships with complex ownership structures or atypical transaction patterns. EDD requires deeper investigation, additional sources and explicit senior-management approval to enter into or continue the relationship.
AML obligations in 2026
AML legislation imposes a range of concrete obligations on obliged entities — including banks, leasing companies, insurance intermediaries, accountants and notaries. In 2026 the practical application of these obligations is firmly in the supervisor's focus.
What supervisors expect
Supervisors have consistently raised the bar in recent years for the depth and demonstrability of CDD procedures. Institutions are assessed on more than the existence of a policy document: supervisors expect procedures to be genuinely followed, deviations to be documented, and the organisation to be able to show that risk awareness is embedded in day-to-day operations.
Common shortcomings found during inspections: incomplete UBO documentation, outdated customer files not reassessed after risk changes, the absence of a documented escalation procedure for high-risk signals, and an overly broad application of the SDD regime without substantiation.
Practical obligations in 2026
Every obliged entity in 2026 is required to have: a documented and current integrity risk analysis (SIRA), a customer acceptance policy with explicit risk classification, procedures for ongoing monitoring and periodic review, an internal reporting procedure and escalation line to the compliance officer, and documented AML training for relevant staff.
KYC onboarding — the risks of a generic approach
Many organisations use a KYC procedure consisting of a standard questionnaire, an identity check via an automated tool and a signature under a declaration. This works for low-risk relationships in a stable environment — but it is insufficient for most B2B relationships in regulated sectors, and it structurally fails to meet the EDD obligation.
Why template KYC fails
A generic approach lacks sector-specific risk awareness. The risk factors relevant to a leasing company financing business customers are fundamentally different from those for a retail insurer or a fintech platform. A template does not recognise these nuances and produces files that look formally complete but are substantively insufficient to satisfy a supervisor.
Moreover, generic tools are poorly equipped for complex ownership structures: holdings, joint ventures, foreign entities, and UBOs in jurisdictions with limited transparency requirements. These are precisely the structures that occur frequently in automotive finance and institutional leasing.
What institutional KYC looks like
Quality KYC onboarding begins with a risk-driven approach: not every customer warrants the same depth, but the decision on the level of investigation must be substantiated and documented. The specialist not only establishes who the customer is, but understands the economic purpose of the relationship, the source of funds where relevant, and the transaction patterns that can be expected.
The end product is a file that holds up under audit: structured, reproducible, with a clear decision rationale.
Enhanced Due Diligence (EDD) and PEP screening
Enhanced Due Diligence is mandatory as soon as a customer or business relationship displays characteristics indicating elevated risk. AML legislation names a number of situations in which EDD is always required; in addition, the institution must determine, based on its own risk analysis, when further investigation is necessary.
When is EDD mandatory?
The most common situations requiring EDD: the customer is a Politically Exposed Person (PEP) or a direct family member or close associate of a PEP; the customer is established or active in a high-risk country on the FATF list; the business relationship or transaction has no clear economic or lawful purpose; or the customer's ownership structure is unusually complex without a clear explanation.
What EDD involves
EDD goes beyond standard identity verification. It includes verifying the source of wealth and funds, consulting additional external sources (trade registers, court databases, adverse media), establishing an enhanced monitoring profile for the relationship, and obtaining explicit approval from senior management or a compliance committee.
PEP screening requires access to current, reliable databases and the analytical capacity to interpret results. An automated match is a signal, not a conclusion — the specialist assesses the context and decides whether further investigation is necessary. This is a field where experience and judgement make the difference.
Working with Finaxis — audit-ready from day one
Finaxis delivers CDD and KYC as a managed service or as an embedded compliance specialist in your organisation. Both models start quickly and produce audit-ready work immediately — no ramp-up period, no learning curve at the expense of your files.
Our documentation standard
Every file we produce contains: a documented risk classification with substantiation, a complete identity-verification file in line with AML requirements, UBO determination with source attribution, a record of the purpose and nature of the business relationship, and for EDD a full account of the additional investigation including sources consulted and the approval note.
This level of documentation is not only necessary for compliance — it also protects your organisation in the event of a complaint, a supervisory inspection or an internal audit. An audit-ready end product is not an add-on for us but the standard.
Integration into your existing processes
We work within your KYC platform, CRM or document management system. Platform migration is not a requirement. We adapt our methods to your environment — not the other way around. All data processing is carried out under a data processing agreement compliant with GDPR Article 28.
Need an embedded KYC specialist in your team rather than a managed service? See our freelance page. For broader operations see our page on underwriting outsourcing.
Frequently asked questions about outsourcing CDD and KYC
What is the difference between CDD and KYC?
KYC (Know Your Customer) is the process of establishing and verifying a customer's identity. CDD (Customer Due Diligence) is broader: it includes not only identification, but also risk assessment, understanding business relationships and ongoing monitoring. CDD is the legal obligation under AML legislation; KYC is its practical implementation.
Are we required to hire a CDD specialist?
Not necessarily an external specialist, but AML legislation obliges you to maintain adequate CDD procedures. Many organisations engage a specialist because internal knowledge is lacking or because the regulatory complexity is too great for generic HR capacity.
What does outsourcing CDD/KYC cost?
This depends on the number of customers to onboard, the risk category and the required depth of investigation. We work on a per-file, retainer or project basis. Transparent rates are set out in the engagement proposal.
How long does a KYC onboarding procedure take at Finaxis?
For standard KYC (SDD/CDD) typically two to five business days per file, depending on document availability. EDD cases for high-risk customers or PEP screenings can take one to two weeks.
Does Finaxis work with existing KYC software or tooling?
Yes. We operate within your existing tooling — whether a specialised KYC platform, CRM or document management system. Platform migration is not a requirement.
How does Finaxis ensure GDPR compliance during due diligence?
All processing is carried out under a data processing agreement compliant with GDPR Article 28. Customer data is processed in line with minimum retention periods and never retained beyond the engagement scope.