Client due diligence: what a complete file should contain

Identity, mandate scope, UBOs, screening, risk rating and evidence — the practical CDD baseline.

Executive summary

  • CDD is a workflow, not a document request.
  • The file should connect identity, mandate, risk and evidence.
  • Repeatability matters as much as completeness.

Client due diligence is the operating core of AML: know who the client is, understand what they want you to do, identify the people who control them, screen the relevant parties and record a risk-based decision before acting.

A complete CDD file is not just a copy of a passport. It should connect identification evidence, mandate scope, UBO data, sanctions/PEP/adverse-media screening, source-of-funds questions where relevant and the approval path for the client risk rating.

The standard supervisors look for is repeatability. If two staff members handle similar files, the same controls should happen, the same exceptions should be escalated and the evidence should be easy to reconstruct months or years later.

Who this applies to

This guide is for offices that onboard clients, representatives, beneficial owners or counterparties and need a defensible baseline for ordinary client due diligence.

  • New individual or company clients
  • Existing clients starting a new in-scope matter
  • Representatives acting for the client
  • Company directors and UBOs
  • Files where the office must evidence why simplified or enhanced measures apply

Legal and supervisory context

CDD is the first control supervisors test because it proves whether the office knew who it was dealing with before acting. The legal duty is risk-based, but risk-based does not mean informal: the file should show why the chosen depth of due diligence was appropriate.

For non-financial obliged entities, CDD also needs to reflect the mandate. A low-risk personal tax query is not the same as a property acquisition through a foreign company, even if the same client is involved.

What the office must actually do

A practical CDD workflow identifies the client, understands the mandate, identifies UBOs, screens relevant parties, assigns a risk rating and records approval before work proceeds where required.

  • Capture identity and authority to act.
  • Record mandate scope and regulated activity.
  • Identify and verify UBOs for legal entities.
  • Screen client, representatives, UBOs and counterparties where relevant.
  • Assess geography, sector, structure, payment method and source of funds.
  • Escalate exceptions and record approval.
  • Set review cadence and monitoring triggers.

What good evidence looks like

Good CDD evidence shows the information collected, the checks performed, the risk conclusion, the person who approved it and the version of the rules or lists used.

Common mistakes supervisors find

  • Treating CDD as a passport upload only.
  • Not linking the CDD depth to the mandate risk.
  • Screening the client but not the UBO or representative.
  • Letting exceptions sit in email instead of a decision queue.
  • Refreshing files without recording what changed.

Practical checklist

  • Identify the client.
  • Verify authority to act.
  • Scope the mandate.
  • Collect UBO data.
  • Run screening.
  • Assign risk rating.
  • Record approval and review date.

How Sceau operationalizes this

  • Turns CDD into a guided intake flow.
  • Connects mandate scope to required controls.
  • Stores screening and UBO evidence in the file.
  • Routes exceptions to named reviewers.
  • Builds the inspection pack as work happens.

FAQ

Is CDD required for every enquiry?

No. Scope depends on the profession, mandate and activity. But the office should record why a matter is out of scope when that decision matters.

Can simplified due diligence be used?

Only where the risk assessment supports it. The file should show why simplified measures were appropriate.

Who approves CDD exceptions?

A designated senior person, AMLCO or responsible professional should approve material exceptions before the office relies on them.
