What is standard due diligence?

The term ‘standard due diligence’ is not used in the UK Money Laundering Regulations 2017 (as amended) or other AML legislation. The regulations refer instead to “customer due diligence” (CDD), which must be applied on a risk‑sensitive basis, rather than creating a separate legal category called “standard due diligence”.
Sector guidance, including LSAG for legal, AMLGAS for accountancy and HMRC’s guidance for estate and letting agency businesses, uses “standard” or “normal” due diligence as shorthand for the level of CDD you apply where the overall risk is neither clearly low (when simplified due diligence may be appropriate) nor clearly high (when enhanced due diligence is needed). In this article, “standard due diligence” is used in that informal sense only.
Standard due diligence applies when a business relationship or transaction presents a normal level of risk and should give you a reliable understanding of who your client is, what they do and why they need your services.
Deciding whether to apply simplified, standard or enhanced due diligence is part of taking a risk‑based approach. You assess the client and the context first, then apply the level of due diligence that matches the risk.
When standard due diligence applies
For legal, accountancy and property businesses, and for high‑value dealers, Regulation 27 of the MLRs sets out when you must apply customer due diligence measures. Where the risk is assessed as normal, these are the circumstances in which standard due diligence will usually apply, namely when you:
- establish a business relationship;
- carry out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;
- suspect money laundering (ML), terrorist financing (TF) or proliferation financing (PF); or
- doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.
A high‑value dealer must also apply customer due diligence measures if they carry out an occasional transaction in cash that amounts to 10,000 euros or more, whether in a single operation or in several operations which appear to be linked.
A letting agent must apply customer due diligence in relation to any transaction that consists of the conclusion of an agreement for the letting of land for a term of a month or more, at a rent which during at least part of the term is, or is equivalent to, a monthly rent of 10,000 euros or more. This applies to both the person by whom the land is being let and the person who is renting the land.
The latest National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA) reinforces that weak or incomplete due diligence is one of the most common compliance failings across all professional sectors, especially in accountancy, legal and property firms. Strengthening your standard due diligence is therefore a practical step in reducing exposure across your client base.
What standard due diligence involves
Standard due diligence has three core elements, which flow from the CDD requirements in Regulation 28. Even at the standard level, each element must be completed and recorded properly.
1. Identifying and verifying the client
You must establish who your client is and verify that identity using reliable and independent sources. The level of verification should be proportionate to the risks you have identified.
- Individuals: photographic ID, proof of address and independent verification (for example electronic checks or corroborating information from trusted sources).
- Companies: incorporation records, information about ownership and control (including directors and people with significant control) and verification of the person who is actually instructing you.
- Trusts or other structures: details of trustees, settlors, beneficiaries and anyone exercising control, supported by the trust deed or equivalent documentation.
The verification must be sufficient to give you confidence that the client is genuine and that the information you hold is consistent with the risks you have identified.
Technology can help, but the NRA warns that criminals increasingly use AI‑generated fake IDs, synthetic identities and deepfake calls to bypass superficial checks. To manage these risks in practice, it is sensible to:
- use more than one source of evidence, rather than relying on a single document or data provider;
- build in a “genuine presence” check for higher‑risk or non‑face‑to‑face clients (for example a live video call or liveness check);
- sanity‑check key details against open‑source information and, where relevant, independent third‑party records;
- keep a short record of the steps taken and why they were sufficient in light of the risks.
2. Identifying beneficial owners
If your client is not a natural person, you must identify the ultimate beneficial owners (UBOs) who control or benefit from the entity and take reasonable steps to verify them. This is not limited to a simple “more than 25 percent” ownership test.
For most corporate clients, beneficial owners will include individuals who directly or indirectly own or control more than 25 percent of the shares or voting rights, but also those who otherwise exercise significant influence or control – for example, someone who can appoint or remove the majority of the board, who has veto rights over key decisions or who is clearly the controlling mind of the business even with a smaller shareholding.
For partnerships and other unincorporated businesses, you should look at who is ultimately entitled to or controls a significant share of capital, profits or voting rights, and who in practice directs the business. For trusts and similar arrangements, the settlor, trustees, beneficiaries (or class of beneficiaries) and anyone who has control over how assets are used will normally be treated as beneficial owners.
You must take reasonable steps to verify each beneficial owner and understand how they fit into the ownership and control structure. This might involve using corporate registries and registers of people with significant control, reviewing structure charts and asking targeted questions about decision‑making and voting arrangements.
Where no individual meets the “more than 25 percent” test, you should still identify and record the senior person or people who ultimately control the client and explain briefly why you reached that conclusion.
3. Understanding the purpose and nature of the relationship
To complete standard due diligence, you must understand the purpose and intended nature of the business relationship or transaction. In practice, that means understanding:
- why the client is using your services;
- how their business operates;
- whether the relationship or transaction makes commercial and financial sense; and
- how the client expects to fund the work or transaction.
This part of standard due diligence is where many firms fall short. The NRA highlights that criminals exploit weak understanding of client activity, vague explanations of source of funds and inconsistencies that go unchallenged. You should avoid relying on generic statements such as “private funds” or “family money” without obtaining proportionate evidence, and you should resolve any inconsistencies between what the client tells you and what you see in documents or open sources.
When standard due diligence becomes enhanced
Under the risk‑based approach, standard due diligence must be strengthened when the level of risk increases. Regulation 33 of the MLRs requires you to apply enhanced due diligence in situations where, for example:
- you discover the client has provided false or stolen identification documentation or information;
- there is a high risk of ML, TF or PF;
- transactions with the client have no apparent economic or legal purpose;
- transactions with, or made by, the client are complex, unusually large or show an unusual pattern;
- the client or beneficial owner is a Politically Exposed Person (PEP), a known close associate of a PEP or a family member of a PEP;
- any of the parties is established in a high‑risk third country; or
- your client risk assessment or information from your AML supervisor indicates that the client is high risk.
You may start from standard due diligence and then move to enhanced due diligence if new information, behaviour or transaction patterns change the risk profile.
Consequences of weak standard due diligence
The consequences of poor standard due diligence can be serious for both firms and individuals.
- Regulatory and supervisory action – including fines, remedial directions, restrictions on activities and, in serious cases, loss of authorisation or registration.
- Criminal liability – under the Proceeds of Crime Act and the MLRs where you know or suspect that criminal property is involved, fail to make a required report or tip off a client.
- Civil claims – from clients or others who suffer loss where your failure to carry out adequate due diligence contributed to the wrongdoing.
- Reputational damage – including negative media coverage, loss of client and referrer confidence and increased scrutiny from supervisors and insurers.
In many enforcement cases, the problem is not an exotic high‑risk structure but ordinary work where standard due diligence was incomplete, poorly evidenced or not kept up to date.
Common weaknesses in standard due diligence
Supervisors repeatedly flag the same issues across accountancy, legal and property firms. These weaknesses almost always relate to standard due diligence rather than the more formal enhanced due diligence cases.
Relying on incomplete identity checks
Firms often verify documents but fail to verify the person behind them, despite rising fake ID risks, such as synthetic identity fraud and AI‑generated impersonation attempts highlighted in the NRA. Checks that stop at “passport on file” without asking whether the document is genuine, current and linked to the person instructing you are unlikely to be sufficient.
Accepting vague or untested explanations
Generic statements about “private funds”, “consultancy income” or “family money” require verification. The NRA shows that criminals rely on professionals accepting stories without evidence, so you should obtain proportionate documentation to back up what you are told and record what you have seen.
Treating templates as compliance
Risk assessments and standard due diligence records must reflect the actual client and matter. Templates and checklists are useful prompts but do not, on their own, demonstrate compliance if the content is thin, inconsistent or clearly not tailored to the engagement.
Not linking standard due diligence and ongoing monitoring
Standard due diligence must be refreshed if the client’s behaviour, ownership or transaction pattern changes. Many firms complete onboarding but fail to update files later, which supervisors consistently view as a breach of the requirement to carry out ongoing monitoring of business relationships.
The role of the risk-based approach in standard due diligence
Standard due diligence is only meaningful when driven by a well‑designed client risk assessment. You cannot apply standard due diligence safely if you do not understand the main risks your firm faces, including:
- the risks within your client base;
- the jurisdictions involved;
- the services you provide;
- the delivery channels you use; and
- your exposure to fraud, sanctions evasion, cryptoassets and other emerging technologies.
The NRA places significant weight on risk‑based decision‑making and highlights the need for firms to update their business‑wide risk assessment in line with emerging threats such as AI‑enabled fraud, cryptoassets and cross‑border risks. Your approach to standard due diligence should evolve alongside that assessment.
Final thoughts
Standard due diligence is the backbone of AML compliance. It is the everyday discipline that protects your firm long before a high‑risk client walks through the door.
Getting standard due diligence right means understanding your client, verifying information independently, documenting the rationale behind your decisions and updating your view as the relationship develops. Doing this well makes it easier to explain and defend your approach to supervisors and helps your firm stay ahead of evolving risks.