What’s the difference between KYC and CDD?

Lisa Simms

Director and Founder of AMLCC and AMLCC Consult

KYC (“know your customer”) and CDD (“customer due diligence”) are both international AML terms used by regulators, financial institutions and other regulated businesses around the world. They overlap heavily, which is why they often get used interchangeably. They aren’t quite the same thing.

KYC is typically the narrower concept, focused on identifying and verifying the customer. CDD is the wider process set out in FATF Recommendation 10, which includes identification and verification but also extends to beneficial ownership, understanding the relationship and ongoing monitoring. In practice, KYC sits inside CDD.

Where the terms come from

Both KYC and CDD have roots in the global AML framework. CDD is the formal language used in the FATF Recommendations, which are the international standards for combating money laundering, terrorist financing and proliferation financing.

FATF Recommendation 10 sets out what CDD must include, and national regulators around the world have embedded those requirements into their own AML laws.

KYC predates the modern FATF framework. It originated in banking regulation, particularly in the United States, where “know your customer” rules grew out of the Bank Secrecy Act and were strengthened after the USA PATRIOT Act in 2001. 

The term spread internationally through global banking practice and is now widely used by regulators in many jurisdictions, including in EU guidance, Basel Committee publications and national AML rulebooks.

The result is that both terms appear in international regulation, often alongside each other. KYC tends to refer specifically to customer identification and verification. CDD covers the wider process.

What KYC requires

KYC focuses on establishing who the customer actually is. In most regulatory frameworks, that commonly involves these four elements:

  • Identification, which means obtaining the customer’s full name, date of birth, address and other identifying information;
  • Verification, which means confirming that identity using reliable, independent source documents, data or information such as passports, government-issued identity documents or electronic verification services;
  • Screening against sanctions lists, politically exposed persons (PEP) lists and other relevant watchlists, depending on the jurisdiction;
  • Record-keeping so that the identification and verification work can be evidenced later.

KYC is applied at onboarding, when a new customer relationship begins. Many jurisdictions also require periodic KYC refreshes throughout the business relationship.

What CDD requires

CDD covers everything KYC does and adds further elements. FATF Recommendation 10 also sets out four core CDD requirements:

  • Identifying the customer and verifying their identity using reliable, independent source documents, data or information;
  • Identifying beneficial ownership and taking reasonable measures to verify the identity of all beneficial owners, including understanding the ownership and control structure of corporate customers;
  • Understanding the purpose and intended nature of the business relationship, including what the customer plans to do and why;
  • Conducting ongoing monitoring of the relationship, including reviewing transactions for consistency with what you know about the customer and keeping customer information current.

The interpretive note to Recommendation 10 also sets out when CDD must be applied: 

  • at the start of a relationship;
  • for occasional transactions above a defined threshold;
  • when there’s suspicion of money laundering or terrorist financing regardless of any threshold;
  • when there are doubts about previously obtained customer information.

All your findings should be documented in a client risk assessment. This needs to document the risk the customer presents, taking account of factors such as the nature of the customer, the products or services involved, the geographies and any risk factors flagged. 

CDD operates on the risk-based approach. Recommendation 10 provides for simplified due diligence in lower-risk situations and enhanced due diligence in higher-risk ones, including for PEPs, high-risk jurisdictions and complex or unusually large transactions.

Each client risk assessment should show how the risk level was reached for that specific client and underpin how those elements have been applied. This should be reviewed as the relationship continues.

How KYC and CDD relate

The cleanest way to think about the relationship is that KYC delivers part of CDD. The identification, verification and screening work that sits at the heart of KYC corresponds to the first CDD requirement. 

CDD then goes further, adding beneficial ownership, understanding the relationship and ongoing monitoring, and a documented client risk assessment that determines how those elements are applied. That’s why a strong KYC programme is necessary but not sufficient for AML compliance. 

A business that identifies and verifies every customer perfectly but doesn’t establish beneficial ownership, understand the purpose of the relationship or monitor it over time has not met its CDD obligations.

The distinction between KYC and CDD matters

In day-to-day conversation, KYC and CDD often get used interchangeably without causing real problems. The distinction matters most when:

  • you’re reading regulatory guidance, where CDD is typically the formal term used;
  • you’re designing your AML processes and need to make sure each of the CDD elements is covered, beyond just identification;
  • you’re discussing ongoing monitoring, which is a CDD requirement and often the weakest part of a programme that’s framed around KYC alone;
  • you’re responding to a supervisory review, where regulators will assess whether full CDD has been applied.

Final thoughts

Knowing your customer is the foundation. Customer due diligence is the framework that puts that knowledge to work, by establishing who really owns and controls the customer, why the relationship exists and whether activity continues to match expectations over time.

When KYC sits inside a wider CDD process, supported by ongoing monitoring and clear escalation routes, both pieces do their job. Whichever term your jurisdiction’s regulator uses most often, the underlying expectation is the same: continuous, risk-based knowledge of the people and entities you do business with.
