Customer due diligence is the work of identifying the customer, understanding the purpose of the relationship, and revisiting the file when risk facts change. It matters at onboarding, during periodic review, and when new circumstances mean an earlier outcome should be tested again. For every material outcome, record the source, timestamp, rationale, policy version, and owner role.
Quick answer
- It applies when a business relationship starts, when an occasional transaction must be assessed, when there is suspicion, and when earlier customer data is no longer adequate.
- Keep identity evidence, purpose-and-nature notes, risk profile, decision rationale, and owner role so the assessment can be replayed later.
- A common mistake is treating a screening result as the customer due diligence conclusion.
- Clear CDD makes follow-up faster and makes later decisions easier to compare, explain, and reopen.
Records to keep (for traceable control)
- Identity and verification evidence: Show which customer details were actually checked — Store as: Source log with timestamp
- Purpose and nature note: Explain why the relationship is being established and what it is meant to be used for — Store as: Customer profile with purpose field
- Risk profile and trigger events: Show why the level of diligence was chosen and when renewed review is required — Store as: Risk assessment with version reference
- Decision note and rationale: Explain why the relationship was accepted, escalated, or followed up — Store as: Review note with rationale field
- Responsible role and decision date: Show who owned the outcome and when it was taken — Store as: Decision record with owner and date
Definition and scope
Customer due diligence means knowing who the customer is, what the relationship is for, and what level of risk the relationship carries. It includes identification, verification, understanding the purpose and intended nature of the relationship, and ongoing review when facts change.
For risk and compliance teams, that makes CDD broader than a single ID check. The work also includes risk profiling, ownership or control checks when needed, and the documentation that allows a later reviewer to understand why a material decision was reasonable at the time.
When those elements stay connected, the organisation can explain why a relationship was accepted, why enhanced measures were used, or why an earlier outcome was reopened. When they are split across systems and notes, similar customers become harder to handle consistently.
Why it matters
Customer due diligence shapes which relationships you start, what needs deeper review, and when an existing customer file must be revisited. It affects onboarding, periodic review, and the judgement that decides whether an earlier outcome still stands.
Weak records create avoidable remediation work. If a reviewer cannot reconstruct which data was collected, which purpose was documented, or which risk profile applied when the decision was taken, the organisation ends up relying on memory instead of evidence.
It also affects how well screening and follow-up work later. Sanctions or PEP findings are harder to assess if the baseline facts about the customer, the purpose of the relationship, and the earlier rationale are not available in the same review trail.
What CDD covers in operations
The work starts before the first relationship is accepted. Teams need to identify the customer, verify information from reliable sources, understand the purpose of the relationship, and decide whether more information about beneficial ownership or control is needed.
It continues after onboarding. The customer’s risk profile needs to stay current, and new facts should trigger further action when earlier information is no longer accurate or sufficient.
That means customer due diligence is not only a collection task. It is also a documentation discipline where identity, purpose, risk level, decision, and accountability need to travel with the relationship over time.
Common pitfalls
- Identity is verified at the start, but the purpose and intended nature of the relationship are documented too thinly.
- Earlier customer data is reused even when new facts should trigger renewed review.
- Screening findings are stored without a clear connection to the customer risk profile and the rationale behind the decision.
- Ownership or control evidence is collected, but it is unclear why those specific details mattered in the case.
- Policy version and responsible role are missing, which makes similar cases harder to compare later.
These problems are usually operational rather than theoretical. The issue is rarely whether teams know CDD is required. The issue is whether evidence, risk logic, and review notes actually stay connected in day-to-day work.
A practical process
1) Define when customer due diligence must be refreshed
Set out which events should lead to fresh collection, new verification, or enhanced review. That makes it clear when earlier evidence is no longer enough.
2) Keep evidence separate from decision
Separate source data, verification steps, and the final assessment in each material case. That makes it possible to see both what facts you had and how you used them.
3) Record purpose, risk profile, and rationale
Tie the purpose of the relationship and the risk level to the selected level of diligence. That makes it easier to explain why a case was accepted, monitored, or escalated.
4) Reopen the file when facts change
If transaction patterns, ownership, PEP exposure, or other risk facts change, the same relationship should be reviewed again without forcing the team to rebuild the case from zero.
Roaring field guide
- Define which events should trigger renewed due diligence, enhanced measures, or ongoing follow-up before live cases reach the team.
- Store identity source, timestamp, purpose note, risk profile, and decision rationale so outcomes can be replayed later.
- Keep baseline facts, screening outputs, and the final judgement separate so each step can be explained clearly.
- Route new risk events to the right team or process with enough context to support a fresh decision.
- Treat customer due diligence as an ongoing review discipline rather than a one-off onboarding check.
How Roaring can help
- Integration Suite can bring person and company data into existing CDD workflows so identity, screening, and decision support can run in the same process.
- Lookup can act as the entry path for teams that want to test data, verify details manually, or understand information needs before building an integration.
- Monitoring and webhooks can support follow-up when sanctions exposure, ownership, or other risk facts change after onboarding.
- Selected sanctions and ownership datasets can make re-review easier because the same evidence inputs can be compared over time.