Sphere Learn

What Is Customer Due Diligence (CDD)? KYC Explained

Customer Due Diligence is the process of identifying customers, verifying their identity, and establishing beneficial ownership. Here's how the CDD Rule works and what it means for stablecoin and fintech companies.

Written by Sphere Team
Published on February 27, 2026

Customer Due Diligence is the process of identifying and verifying customer identity, understanding the nature of their business, and establishing beneficial ownership information. CDD is a foundational requirement for all financial institutions, including stablecoin platforms and payment companies that serve as Money Service Businesses (MSBs).

The CDD Rule

The Financial Crimes Enforcement Network (FinCEN) published the formal CDD Rule in 2016. It became effective on May 11, 2018, under 31 CFR 1010.230. The rule requires financial institutions to develop and implement CDD policies and procedures.

The mandate applies broadly. Any entity that touches financial transactions and is regulated as an MSB must comply. This includes cryptocurrency platforms, stablecoin operators, payment processors, and money transmitters.

The Four Components of CDD

Effective CDD has four distinct parts:

1. Customer Identification

You must obtain identifying information from each customer. At a minimum, this means collecting name, date of birth, address, and government-issued ID number. For U.S. persons, this is typically a Social Security Number or ITIN. For non-U.S. persons, it might be a passport number or national ID.

The identification process must happen before the account is opened or becomes active. You cannot wait until later to collect this information. If a customer refuses to provide it, you cannot serve them.

2. Customer Verification

Identification alone is insufficient. You must verify that the information is accurate. This means checking the ID against authoritative sources. It might involve:

  • Cross-referencing national ID databases
  • Running document verification checks with third-party vendors
  • Using multi-factor verification for higher-risk customers

Verification must be completed within a reasonable time after the account is opened. "Reasonable" is typically interpreted as within 30 days.

3. Beneficial Ownership Identification

For customers that are not natural persons (corporations, partnerships, trusts, etc.), you must identify the beneficial owners. A beneficial owner is any individual who owns, directly or indirectly, 25 percent or more of the equity of the customer entity, or any individual who exercises significant control over the customer's management or operations, regardless of ownership percentage.

The 25 percent threshold is a bright-line test. If someone owns 25 percent or more, they must be identified. If someone has sole executive control (CEO, sole owner of a one-person LLC), they must be identified even if their equity stake is lower.

4. Ongoing Monitoring

CDD doesn't end at account opening. You must monitor customer accounts and activity on an ongoing basis. This means:

  • Watching for suspicious activity patterns
  • Comparing activity against known customer profiles
  • Re-verifying information periodically if circumstances change
  • Updating beneficial ownership records when corporate structure shifts

Ongoing monitoring is continuous. It's not a one-time annual task. If something looks off, you investigate.

CDD vs. EDD vs. SDD

CDD is the baseline. Two related concepts modify it based on risk:

Enhanced Due Diligence (EDD) applies to higher-risk customers. These might include individuals from jurisdictions with weak AML controls, customers in high-risk industries, or entities with complex ownership structures. EDD requires additional verification steps and deeper investigation beyond the CDD baseline.

Simplified Due Diligence (SDD) applies to lower-risk customers, such as established financial institutions or government entities. SDD streamlines the process, reducing the burden on both the company and the customer, while maintaining baseline identity verification.

The Corporate Transparency Act Connection

In 2023, the Corporate Transparency Act (CTA) created a new requirement. All beneficial owners of business entities must be reported to FinCEN in the Beneficial Ownership Information (BOI) Register. This became effective on January 1, 2024.

The CTA is separate from the CDD Rule, but they overlap operationally. When you conduct CDD and identify beneficial owners for compliance purposes, you're also gathering data needed for BOI reporting if your customer is a business entity.

How CDD Applies to Stablecoin Companies

Stablecoin platforms classified as MSBs must implement full CDD. Here's what that looks like in practice:

When someone creates an account to purchase or hold stablecoins, you collect their name, address, DOB, and ID. You verify the information against databases. If the account holder is a business, you identify the beneficial owners.

You monitor their account. If a customer suddenly goes from $1,000 monthly volume to $10 million in transfers, you review the activity. If it looks suspicious, you file a Suspicious Activity Report (SAR) with FinCEN.

You maintain records for at least five years. If regulators or law enforcement request customer information, you produce it.

Implementation Challenges

CDD sounds simple, but execution is complex. Verification requires integration with third-party data providers. These services have error rates. You might reject a legitimate customer because their ID didn't verify, or accept a fraudulent customer because a vendor's check failed.

Beneficial ownership identification is even trickier with complex structures like trusts, holding companies, or entities in jurisdictions with privacy laws. Some structures are intentionally opaque, making true beneficial ownership identification difficult.

For a stablecoin platform, good CDD requires investment in technology, vendor relationships, and compliance staff. It's a cost center, but it's also a liability shield. Done poorly, it exposes the company to regulatory action and financial penalties.

The Compliance Reality

CDD is mandatory. Regulators inspect it regularly. They check whether companies actually have policies in place, whether those policies are followed, and whether records are accurate and accessible.

For stablecoin and payment companies, a mature CDD program means less regulatory friction. It also means knowing your customers, which helps identify fraud and illicit activity before it becomes a problem.

Getting CDD right from the beginning is far cheaper than fixing compliance gaps later. It's foundational work, but it's work that protects both your customers and your company.
