
Customer Due Diligence Requirements: Process Is Not Evidence
Most compliance functions still treat customer due diligence as a process to be completed. Collect the document, run the screen, retain the screenshot, file the SAR if it fires, close the audit ticket. That model fits the 2010s. It does not survive the 2026 reform pair, nor the supervisory question the FCA's 8 April 2026 multi-firm CDD review actually asked.
The shift is concrete. The 10 April 2026 FinCEN AML/CFT Programmes NPRM closed for comment on 9 June 2026 (3). Executive Order 14406, signed 19 May 2026, sets a 17 August 2026 deadline for Treasury to propose changes to BSA regulations to strengthen risk-based customer due diligence requirements (4). The AMLA Article 26(5) Consultation Paper on the draft Guidelines on ongoing monitoring was published on 3 June 2026 with a 3 September 2026 comment-close (5). Three rulemakings, three jurisdictions, one direction: the supervisory question has moved from "did you run the check?" to "can you produce the evidence that would survive scrutiny?" Customer due diligence requirements in 2026 are an evidence-quality regime, not a process-completion regime, and the architectural answer is a verifier-private attestation that travels with the customer rather than a fresh document-collection ritual at every onboarding.
What Customer Due Diligence (CDD) Actually Requires
The international standard is FATF Recommendation 10. FATF Rec 10 (2012, Interpretive Note updated October 2025) obliges financial institutions to undertake customer due diligence measures at four trigger moments: establishing a business relationship; carrying out occasional transactions above the designated threshold; a suspicion of money laundering or terrorist financing; and a doubt about the veracity of previously obtained identification data (8).
Each jurisdiction localises Recommendation 10. UK Regulation 28 of the Money Laundering Regulations 2017 (SI 2017/692) requires a relevant person to identify the customer, verify identity on the basis of documents or information from a reliable source independent of the customer, assess the purpose and intended nature of the business relationship, and — under Regulation 28(11) — conduct ongoing monitoring with the obligation to "demonstrate to its supervisory authority that the extent of the measures it has taken … are appropriate in view of the risks" (7). EU Regulation 2024/1624 (AMLR) codifies the same four operative measures in Articles 19 to 28, with an occasional-transaction CDD threshold of €10,000 and a €3,000 cash threshold written into primary EU law, applying from 10 July 2027 (6). The US baseline is FinCEN's 2016 customer due diligence requirements — codified as 31 CFR 1010.230 — covering identification of the customer, identification and verification of beneficial owners of legal entity customers, an understanding of the purpose and intended nature of the business relationship, and ongoing monitoring (1).
The customer due diligence (CDD) standard converges on four operative measures: identify, verify, assess purpose and intended nature, and monitor on a risk-sensitive basis. Customer due diligence requirements are a continuous statutory obligation across the life of a business relationship, anchored to the customer's identity and to the risk that customer's activity presents for money laundering and terrorist financing. What customer due diligence covers is the evidence trail a supervisor can audit — and that evidence trail is what 2026 is reshaping.
Beneficial Ownership: The 2016 CDD Final Rule and Its 2026 Exceptive Relief
The US pre-reform baseline ran on the 2016 CDD Final Rule. FinCEN's 31 CFR 1010.230 required covered financial institutions to identify and verify the identity of the beneficial owner(s) of each legal entity customer at every new account opening, with a beneficial owner defined as any individual with 25% or more equity ownership, plus one individual exercising significant control (1). Every new account triggered a fresh document-collection ritual against the same set of individuals across multiple banks.
That model is what the 13 February 2026 FinCEN Exceptive Relief Order FIN-2026-R001 retired. Covered financial institutions are no longer required to re-identify and re-verify beneficial owners at each new account opening; they may instead rely on beneficial ownership information the customer submitted to open previous accounts, provided the customer certifies that the information remains accurate and the institution has no knowledge of facts calling its reliability into question (2). The receiving institution accepts the prior verification's evidence. It does not re-run the collection. That is the first concrete US regulatory acceptance of portable, customer-certified attestation in the CDD stack, and the 9 June 2026 close of the broader FinCEN AML/CFT Programmes NPRM formalises the same direction for the AML/CFT programme rule (3).
Why the 2016 rule failed the evidence-quality test
The 2016 rule's failure mode was structural. Every new account opening generated a fresh set of beneficial ownership certifications, with no shared provenance. A beneficial owner of three legal entity customers across three banks generated three independent certifications, retained on three different banks' systems, none cross-checkable against an authoritative source. The Corporate Transparency Act and the FinCEN BOI registry (31 CFR 1010.380, operational from 2024) created an authoritative reference for beneficial-ownership data — the same data the 2016 rule required banks to collect repeatedly. Once the registry was operational, per-account re-collection became redundant. The 2026 Exceptive Relief Order is the operational response (2).

Customer Risk Assessment and the Purpose-and-Nature Test
Every regime anchors customer due diligence to a risk assessment. Two layers are required. The firm-wide risk assessment is established by UK MLR 2017 Regulation 18 and EU AMLR Article 7; the customer-level risk assessment by MLR 2017 Regulation 18A and AMLR Article 16. FATF Recommendation 1 and the Basel Committee's 2017 paper frame the same two-layer obligation. Without a documented risk assessment, every downstream CDD measure floats unanchored.
The operative framing is the risk-based approach. The MLR 2017 risk-based approach requires firms to scale CDD intensity to the assessed risk of the customer; AMLR codifies the same logic at EU level (Article 6 and recital 47); FATF's 2014 Risk-Based Approach Guidance predates and informs both. The risk-based approach is not a licence to apply less due diligence — it is a licence to allocate more diligence where the risk is greater, on a documented basis the supervisor can challenge.
Alongside the risk assessment sits the purpose-and-intended-nature test. MLR 2017 Regulation 28 requires relevant persons to identify the customer, verify identity, and to assess and obtain information on the purpose and intended nature of the business relationship. The firm must form, document, and retain an understanding of why the customer is entering the relationship and what activities are expected. That understanding becomes the baseline against which subsequent activity is judged.
The FCA's 8 April 2026 multi-firm CDD review measured how firms execute against this requirement. The review identified that firms generally claim to operate a risk-based approach but execution is deficient — common failures include not documenting the purpose and intended nature of the business relationship at all, inadequate evidencing of EDD measures, and limited demonstrable distinction between controls applied to low- and high-risk customers (9). Firms claiming a risk-based approach without the documentation to demonstrate the decisions made under that approach are exposed.
The customer risk profile (what the assessment must produce)
The output of customer risk assessment is a customer risk profile — a documented classification (typically low risk, medium, or high) that determines downstream CDD intensity. The profile incorporates customer type (individual versus legal entity), geographic exposure (high-risk third countries under MLR 2017 Regulation 33 and AMLR Annex III), product and service risk, delivery channel, and behavioural signals over time. The classification drives the operating model: low-risk customers may qualify for simplified due diligence measures; the default population receives standard CDD; higher-risk customers trigger enhanced due diligence. The documentation of how the profile was derived is the evidence the FCA's review found firms most consistently lack.
The Customer Due Diligence Process: Identify, Verify, Assess, Monitor
The customer due diligence process across MLR 2017 Regulation 28, AMLR Articles 20 to 26, and FATF Recommendation 10 maps to four steps. The customer due diligence checks each obliged entity carries out follow the same structure across the three regimes.
Step one — identify the customer (and any beneficial owner). Collect the identification data the regime requires. For natural persons this includes legal name, date of birth, address, and a government-issued identifier; for legal entity customers it includes entity name, registered office, and the ownership-and-control structure surfacing the beneficial owners.
Step two — verify the customer's identity on the basis of documents or information obtained from a reliable source independent of the customer. Verification cannot rest on documents the customer alone produces.
Step three — obtain information on the purpose and intended nature of the business relationship. This is the requirement of MLR 2017 Regulation 28(4) and AMLR Article 20(1)(c) — and the evidencing failure most often identified in the FCA's 2026 review.
Step four — conduct ongoing monitoring of the business relationship on a risk-sensitive basis. Under AMLR Article 26 and MLR 2017 Regulation 28(11), the ongoing monitoring obligation splits into two duties: keeping customer information up to date, and scrutinising transactions to ensure they are consistent with the obliged entity's knowledge of the customer, their business, and their risk profile. The AMLA Article 26(5) draft Guidelines (Consultation Paper 3 June 2026; closes 3 September 2026; final Guidelines expected Q4 2026) codify both duties for EU obliged entities (5).
Establishing a business relationship vs occasional transactions
The statutory distinction between an established business relationship and an occasional transaction matters because each triggers a different evidence pattern. A business relationship is a continuing arrangement — defined at AMLR Article 2 sub-paragraph 20 and MLR 2017 Regulation 4(1) — triggering full ongoing monitoring across its life. An occasional transaction above the designated threshold (€10,000 under AMLR Article 19, €3,000 in cash, or €15,000 under MLR 2017) triggers customer due diligence at the point of the transaction but does not establish a continuing relationship. Continuing relationships require ongoing monitoring and the documentation that supports it; occasional transactions require evidence of the trigger, the verification, and the screening run.
Trigger events for refresh (the event-driven model)
The 2026 regulatory direction on refresh is event-driven, not calendar-driven. AMLR Article 26 and the AMLA draft Guidelines under Article 26(5) require obliged entities to refresh customer information when "circumstances change" — change of address, change of beneficial ownership, transactions inconsistent with the customer's stated business activity, adverse-media hits, sanctions-list updates, or the customer becoming a politically exposed person. The FinCEN NPRM that closed for comment on 9 June 2026 frames the same direction in US terms: covered institutions must conduct ongoing CDD and continuously refresh ML/TF risk when triggering events occur (3). Periodic file-refresh exercises miss the events that matter and generate evidence that is months out of date by the time the file is reopened. The deeper path on why periodic review fails operationally is at event-driven KYC refresh.
Continuous monitoring is the regulator's word, not a vendor feature
"Continuous monitoring" appears in the AMLR Article 26 family and in the FinCEN NPRM as a description of what an obliged entity must do — maintain the currency of customer information across the life of the business relationship. It is not a vendor product category any single tool delivers as a single capability. The CDD stack that supports continuous monitoring is the firm's customer risk system, transaction-monitoring platform, identity layer, and sanctions and adverse-media screening tools working in concert. Portable verifier-private attestation addresses the foundational identification layer; it cannot replace the transaction-side stack downstream.
Enhanced Due Diligence (EDD) for Higher-Risk Customers
Enhanced due diligence is triggered when the assessed risk is higher. FATF Recommendation 10 paragraph (a) requires enhanced measures in higher-risk situations; MLR 2017 Regulation 33 codifies enhanced customer due diligence under UK law; AMLR Article 28 sets the EU enhanced due diligence (EDD) standard. The triggers include high-risk third countries (MLR 2017 Regulation 33 and AMLR Annex III), politically exposed persons (PEPs) and their family members and known close associates, complex or unusually large transactions with no apparent economic or lawful purpose, and adverse-media or screening hits indicating money laundering or terrorist financing exposure. EDD applies to a narrow customer population by design, but the evidence intensity required for higher-risk customers is materially greater than for standard CDD.
The required EDD measures are similarly harmonised: obtain additional information about the customer and the customer's business; obtain additional information about source of funds and source of wealth; secure senior management approval before establishing or continuing the business relationship; carry out enhanced ongoing monitoring at a frequency proportionate to risk. The measures are layered on top of standard CDD.
What EDD evidence the FCA expects (the 2026 review finding)
The FCA's 2025 multi-firm CDD review (published 8 April 2026) identified inadequate evidencing of EDD measures for higher-risk customers as a common failure pattern. Firms had EDD policies; firms could not demonstrate which specific measures were applied to which specific higher-risk customers, with what evidence, on what date. The supervisor cited "limited demonstrable distinction between controls applied to low and high risk customers" (9). The evidence-quality gap is sharper here than at standard CDD because EDD is risk-elevated — examiners scrutinise documentation more closely, and the absence of differentiating evidence between low- and high-risk handling reads, to a supervisor, as the absence of EDD itself. The supervisory question is "show me the evidence the higher-risk customer received a different control set"; the answer cannot be "we have a policy". For the most evidence-intensive EDD subdomain in 2026 — the beneficial-ownership transparency reform pair across FinCEN BOI, AMLR Article 51, and the UK ECCTA — we treat that ground separately in ultimate beneficial ownership.
Identifying and Verifying the Customer's Identity
Identity verification is the foundational customer due diligence measure. UK MLR 2017 Regulation 28(2) requires the relevant person to identify the customer and verify the customer's identity on the basis of documents or information obtained from a reliable source independent of the customer (7). AMLR Article 22 and FATF Recommendation 10 paragraph (a) set the same standard at EU and international level (6, 8). The technical floor for identity proofing is NIST SP 800-63-3 / 800-63-4 Digital Identity Guidelines.
The acceptable evidence categories follow a consistent pattern. The primary anchor is a government-issued identity document — a passport, driving licence, or national ID card. Supporting evidence covers residential address through documents independent of the customer (a utility bill or bank statement is the standard MLR 2017 acceptable evidence). Biometric binding — a liveness-checked selfie matched to the document portrait — is the model FATF Digital Identity guidance and NIST 800-63 contemplate where the stack supports it.
Document-based vs reusable verification (the 2026 architectural shift)
The traditional CDD model assumes a fresh document collection at every onboarding. The customer presents a passport, the firm runs a verification, the firm retains the artefact. The 2026 reform direction — the FinCEN Exceptive Relief Order, the AMLA Article 26(5) draft Guidelines, and the EU's eIDAS 2.0 EUDI Wallet rollout — makes a verifier-issued, customer-held attestation operationally acceptable for reliance. The architectural distinction is plain: document-based verification produces per-onboarding evidence; reusable verification produces portable evidence with documented provenance, presented by the customer to each platform that needs to verify CDD status. For the EU side of the same direction — the AMLA Article 26(5) ongoing-monitoring framework — the dedicated treatment is at ongoing customer due diligence.
PEP, sanctions, and adverse-media screening as identity-adjacent obligations
The Level 1 customer due diligence bundle also includes PEP screening, sanctions screening, and adverse-media screening, together with the related criminal, barred, and military checks the broader MLR 2017 and AMLR screening obligation contemplates. These checks are not standalone; they run against the verified identity and depend on it. A sanctions screen executed against an unverified name is a name-match exercise, not a sanctions check. Identity verification is the anchor; the screening checks are identity-adjacent obligations whose evidentiary value collapses if the identity underneath is not firmly established.
Record-Keeping, FCA Enforcement, and the Evidence-Quality Gap
Record-keeping is the obligation that turns customer due diligence into defensible evidence. FATF Recommendation 11 requires obliged entities to retain CDD records for at least five years after the end of the business relationship; UK MLR 2017 Regulation 40 mirrors the five-year baseline; AMLR Article 56 sets the same standard at EU level. The records cover identification and verification documents, the risk assessment, the purpose and intended nature of the relationship, EDD evidence where it applies, and the transaction records that support ongoing monitoring. Without the record, the check did not happen — from the supervisor's perspective.
The FCA's 12 December 2025 Final Notice against Nationwide Building Society is the operational illustration. The supervisor fined Nationwide £44,078,500 for failures between October 2016 and July 2021 — including ineffective systems for keeping customer due diligence up to date, no process for periodic or event-driven CDD reviews of a large portion of its customer base, and inadequate monitoring of personal-account customers running business activity through them (10). The fine was not for not running checks. Nationwide ran checks. The fine was for not having the evidence trail to demonstrate, to its supervisor, that the checks it ran were appropriate to the risks present. That is the evidence-quality gap, priced in pounds.
The 8 April 2026 FCA multi-firm CDD review
The FCA's 2025 multi-firm CDD review (published 8 April 2026) is the systemic version of the Nationwide point. The supervisor reviewed how firms execute customer due diligence and identified the same evidence-quality gap across a wider sample. Common failures: not documenting the purpose and intended nature of the business relationship at all; inadequate evidencing of EDD measures for higher-risk customers; limited demonstrable distinction between controls applied to low- and high-risk customers (9). The supervisor is publishing, in advance of further enforcement, the evidence-quality test it intends to apply. The financial crime control framework that survives an FCA review is the one whose records demonstrate not just that a check happened, but that the right check happened, at the right intensity, on the right date, for the right reason. The supervisor's expectation is a comprehensive AML programme whose evidence trail withstands scrutiny.
Cost-of-the-status-quo data
Fenergo's 2025 Financial Crime Industry Trends survey (published October 2025; fieldwork August 2025) quantifies the cost. Average annual AML/KYC operations spend reached US$72.9m per firm in 2025. UK corporate banks averaged more than six weeks to onboard a client. 70% of financial institutions lost clients due to slow onboarding in 2025 (11). The reform direction is not anti-CDD; it is anti-redundancy in CDD evidence collection, while making the evidence that remains more defensible.

Where Zero-Knowledge KYC Sits in the CDD Stack
The architectural reframe lands here. A CDD attestation is issued at verification time, held by the customer, and presented to the receiving platform as proof of the underlying check — never as a copy of the documents behind it. The receiving platform receives a Zero-Knowledge KYC attestation, not a re-shipped passport scan. This is the same pattern the 13 February 2026 FinCEN Exceptive Relief Order endorses for beneficial-ownership data — reliance on a prior customer-certified verification rather than per-onboarding re-collection — applied to the identification-and-screening layer (2). The 3 September 2026 AMLA Article 26(5) consultation close frames the EU side of the same direction (5).
What Verifyo's Level 1 attestation covers
Verifyo operates one live tier — Level 1 - Standard KYC. The canonical public attestation a platform receives when it queries a verified wallet includes the Zero-Knowledge KYC verification token, a pseudonymous identity, KYC level and verification status, document country derived from a verified ID document, a self-declared residence country exposed as an ISO-2 country code (not a verified street address), age attestation booleans (age_over_18, age_over_21) derived from the verified document, AML screening across six independent boolean checks (sanctioned, barred, criminal, pep, military, adverse_media), and wallet ownership binding linking a wallet address to the verified identity. That is the in-scope CDD set we cover directly.
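As an added illustration (not Verifyo's code or published schema), the Python below consumes an attestation with the fields just listed and routes the customer through the risk-based ladder of the earlier sections: sanctioned or barred hits decline, PEP, criminal, military or adverse-media hits and high-risk geography trigger EDD, everything else is standard CDD, and each decision emits a dated evidence record that references the issuer's attestation rather than any document. The JSON field names, the routing policy, the high-risk-country set and the sample values are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six AML screening booleans the attestation carries (names from the article).
SCREENING_FLAGS = ("sanctioned", "barred", "criminal", "pep", "military", "adverse_media")
# Constructed routing policy, not Verifyo's: hard stops decline, the rest trigger EDD.
HARD_STOP = ("sanctioned", "barred")
EDD_TRIGGERS = ("pep", "criminal", "military", "adverse_media")
# Placeholder code; a deployment loads the MLR 2017 Reg 33 / AMLR Annex III list here.
HIGH_RISK_COUNTRIES = {"XX"}
REQUIRED_FIELDS = ("verification_token", "pseudonymous_id", "kyc_level",
                   "verification_status", "document_country", "residence_country",
                   "age_over_18", "age_over_21", "wallet_address", *SCREENING_FLAGS)


@dataclass
class CddDecision:
    route: str                                  # "decline" | "edd" | "standard"
    risk: str                                   # "low" | "medium" | "high"
    reasons: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)


def parse_attestation(raw: str) -> dict:
    """Check the attestation's shape before relying on it: required fields present,
    booleans really boolean, countries ISO-2. Malformed input raises rather than
    silently reading as 'clean'."""
    att = json.loads(raw)
    missing = [k for k in REQUIRED_FIELDS if k not in att]
    if missing:
        raise ValueError(f"attestation missing fields: {missing}")
    for k in (*SCREENING_FLAGS, "age_over_18", "age_over_21"):
        if not isinstance(att[k], bool):
            raise ValueError(f"{k} must be a boolean, got {att[k]!r}")
    for k in ("document_country", "residence_country"):
        code = att[k]
        if not (isinstance(code, str) and len(code) == 2 and code.isalpha() and code.isupper()):
            raise ValueError(f"{k} must be an ISO-2 code, got {code!r}")
    return att


def route_customer(att: dict, now: datetime = None) -> CddDecision:
    """Risk-based routing: hard-stop hits decline, EDD flags or high-risk geography
    elevate, everything else is standard CDD. The evidence dict records which check,
    what result and when, and references the issuer's attestation instead of copying
    any document (the audit trail stays with the issuer)."""
    now = now or datetime.now(timezone.utc)
    reasons, route, risk = [], "standard", "low"
    if att["verification_status"] != "verified" or att["kyc_level"] != 1:
        route, risk = "decline", "high"
        reasons.append("not a verified Level 1 attestation")
    elif any(att[f] for f in HARD_STOP):
        route, risk = "decline", "high"
        reasons += [f"screening hit: {f}" for f in HARD_STOP if att[f]]
    else:
        edd_hits = [f for f in EDD_TRIGGERS if att[f]]
        geo_hits = [k for k in ("document_country", "residence_country")
                    if att[k] in HIGH_RISK_COUNTRIES]
        if edd_hits or geo_hits:
            route, risk = "edd", "high"
            reasons += [f"screening hit: {f}" for f in edd_hits]
            reasons += [f"high-risk country in {k}" for k in geo_hits]
        elif att["document_country"] != att["residence_country"]:
            risk = "medium"  # self-declared residence differs from the verified document
            reasons.append("residence country differs from document country")
    evidence = {
        "subject": att["pseudonymous_id"],
        "attestation_ref": att["verification_token"],
        "wallet": att["wallet_address"],
        "checked_at": now.isoformat(),
        "checks": {f: att[f] for f in SCREENING_FLAGS},
        "geography": [att["document_country"], att["residence_country"]],
        "route": route, "risk": risk, "reasons": list(reasons),
    }
    return CddDecision(route, risk, reasons, evidence)


# Constructed sample attestation (illustrative values, not real data).
SAMPLE_CLEAN = json.dumps({
    "verification_token": "tok-example-0001", "pseudonymous_id": "pid-7f3a",
    "kyc_level": 1, "verification_status": "verified", "wallet_address": "0xPLACEHOLDER",
    "document_country": "DE", "residence_country": "DE", "age_over_18": True, "age_over_21": True,
    "sanctioned": False, "barred": False, "criminal": False, "pep": False,
    "military": False, "adverse_media": False,
})
```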
What Verifyo does NOT do (the boundary stated plainly)
The MLR 2017 and AMLR require enhanced due diligence and ongoing monitoring for higher-risk customers and across the life of every business relationship. Verifyo's current production tier is Level 1 - Standard KYC, which covers identification, verification, and the AML screening checks anchored to that identity. Enhanced due diligence, ongoing transaction monitoring, beneficial-ownership verification, and Travel Rule data exchange sit on Verifyo's roadmap or with complementary vendors in the broader CDD stack. We name the boundary explicitly because the architectural argument only works honestly: a reusable verifier-private attestation reshapes one layer; it does not deliver the full set of customer due diligence services obliged entities need.
Where reusable verifier-private attestation reshapes the evidence-quality question
A verifier-private attestation, issued once by a regulated verifier and held by the customer, addresses the evidence-quality question for Level 1 identification and screening obligations by replacing per-onboarding fresh collections with a single attestation of documented provenance. The receiving platform reads the proof, not the documents; the customer's personal data does not travel; the verification's audit trail lives at the issuer, available for supervisory inspection. The foundational identification layer — where the FCA's 2026 review found firms most struggle to evidence what they did — can be made reusable, portable, and verifier-private without losing evidence quality.
The 2026 reform pair — FinCEN's 9 June 2026 NPRM close, the 17 August 2026 EO 14406 BSA CDD reform deadline, and AMLA's 3 September 2026 Article 26(5) consultation close — has reframed customer due diligence requirements around evidence quality. The supervisory question has shifted from "did you run the check?" to "can you produce the evidence that would survive scrutiny?". The FCA's 12 December 2025 Nationwide Final Notice and 8 April 2026 multi-firm review are the operational illustrations a UK-supervised firm cannot ignore. The architectural answer is portable, verifier-private attestation. The full customer due diligence stack remains broader than identity — ongoing monitoring, EDD, transaction monitoring, and the Travel Rule each sit in their own regulatory and architectural lanes. But the foundational identification layer is where the evidence-quality regime starts, and where the reusable attestation pattern lands first. The CDD operating model that survives 2026 is the one that can answer the evidence question, not the one that filed the most checks.
Sources
1. FinCEN. Customer Due Diligence Requirements for Financial Institutions (CDD Final Rule, 31 CFR 1010.230). Published 11 May 2016. https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions
2. FinCEN. Exceptive Relief Order FIN-2026-R001 (Beneficial Ownership identification and verification at each account opening). Issued 13 February 2026. https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf
3. FinCEN. Anti-Money Laundering and Countering the Financing of Terrorism Programs (NPRM). Published 10 April 2026 in the Federal Register; comments closed 9 June 2026. https://www.federalregister.gov/documents/2026/04/10/2026-07033/anti-money-laundering-and-countering-the-financing-of-terrorism-programs
4. The White House. Executive Order 14406 — Restoring Integrity to America's Financial System. Signed 19 May 2026. https://www.executiveactions.org/actions/restoring-integrity-to-americas-financial-system
5. AMLA. Consultation Paper on the draft Guidelines on ongoing monitoring of a business relationship under Article 26(5) AMLR. Frankfurt am Main, 3 June 2026. Comment deadline 3 September 2026. https://www.amla.europa.eu/policy/public-consultations/consultation-draft-guidelines-ongoing-monitoring-business-relationship_en
6. European Parliament and Council. Regulation (EU) 2024/1624 (AMLR) — Anti-Money Laundering Regulation. Adopted 31 May 2024; applies from 10 July 2027. https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng
7. UK Government. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692), Regulation 28 — Customer Due Diligence measures. https://www.legislation.gov.uk/uksi/2017/692/regulation/28/made
8. FATF. The FATF Recommendations — Recommendation 10 (Customer Due Diligence) and its Interpretive Note. Updated October 2025. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html
9. FCA. Firms' customer due diligence processes and controls: our findings. Multi-firm review published 8 April 2026. https://www.fca.org.uk/publications/multi-firm-reviews/firms-customer-due-diligence-processes-controls-findings
10. FCA. Final Notice — Nationwide Building Society. Published 12 December 2025. https://www.fca.org.uk/news/press-releases/fca-fines-nationwide-44m-failings-financial-crime-controls
11. Fenergo. Financial Crime Industry Trends 2025. Published October 2025; survey fieldwork August 2025. https://resources.fenergo.com/newsroom/global-financial-institutions-struggle-with-rising-client-losses-and-compliance-costs-as-ai-adoption-increases-fenergo