How to evidence ongoing customer due diligence (CDD)

For many professionals, ‘ongoing CDD’ sounds like something complex or constant. A never-ending loop of re-verifying clients and chasing paperwork. In reality, it can be far simpler than that.

Ongoing or continual customer due diligence isn’t about repeating the onboarding process. It’s about showing that you remain alert to risk and keep your client knowledge up to date.

If you can demonstrate that you’re paying attention, and recording what you see, you’re already most of the way there.

What ongoing CDD actually means

Under the Money Laundering Regulations 2017, ongoing monitoring has two parts:

1. Scrutinising transactions to ensure they make sense for that client and their known activities.
2. Keeping CDD information up to date by reviewing and refreshing documents, data and risk assessments when necessary.

That’s it. You’re simply showing that the relationship between your client’s activity and your knowledge of them still makes sense, and that you’ve checked in at reasonable intervals.

How often to review CDD

There’s no fixed timetable set in law. It all depends on the level of risk.

For low-risk clients, a periodic review every couple of years is usually enough, provided nothing changes in the meantime.

For high-risk clients, including politically exposed persons (PEPs) or those in higher-risk jurisdictions, reviews should happen much more frequently, typically at least once a year or whenever new information comes to light.

The important thing is that your records show a reasoned, risk-based approach. Regulators don’t expect a strict schedule. But they do expect to see that you’re applying common sense and keeping client knowledge current.

Knowing when to trigger a review

You don’t need to refresh CDD every time you speak to a client. Instead look for triggers, for example when new information alters the level of risk.

For example:

• A new director, shareholder or beneficial owner appears
• There’s a significant change in ownership, structure or jurisdiction
• Unusual or unexpected transactions occur
• The client enters a new line of business
• There’s adverse media or sanctions exposure
• Your professional instinct says “something feels different”

When these things happen, you don’t need to panic. Just pause, reassess and record.

What to evidence

Your AML supervisor will want to see how you’re maintaining oversight. That means being able to show:

• When you last checked and verified key CDD documents
• Notes of any ongoing monitoring or risk re-assessments
• Evidence that client files are reviewed and signed off
• Audit trails of any escalations, SARs or risk-rating changes
• Records showing updates to policies, training and controls

In other words, proof that your compliance framework is live, not static.

AMLCC makes this straightforward by time-stamping every update, automatically linking risk assessments, CDD documents and training records so your audit trail builds itself.

Practical ways to stay on top of it

Ongoing CDD doesn’t have to add to your workload. Here are some practical steps that make it manageable:

Use your dashboard: If you’re using AMLCC, your CDD reviews, document expiry dates and risk assessments updates are all tracked automatically.

Keep CDD in your workflow: When you speak with clients, note anything that changes – address, ownership or business activity – and update the file there and then.

Run quick sense-checks: Does the client’s activity still align with what you know about them? If not, flag it for review.

Train staff to notice changes: The people who deal with clients daily are your best monitoring tool. Make sure they know what “normal” looks like so they can spot what’s not.

Document your decisions: Even if you decide no change is needed, record that conclusion and why. “We checked, nothing new to note” still counts as evidence.

In summary

Evidencing ongoing CDD is not about endless re-checking. It’s about awareness, documentation and proportionate action.

If you can show that your firm:

• Understands its clients,
• Spots and records changes,
• Updates information when needed, and
• Keeps a clear audit trail…

…then you’re already demonstrating effective ongoing CDD.

With the right system behind you, like AMLCC, it simply becomes part of how you do business.