Just like you wouldn’t start building a house without knowing the ground is solid, you shouldn’t start a business relationship without knowing who your customers really are. That’s what the process of due diligence is for – to evaluate everyone who wants to do business with you, by checking their credentials, watching for red flags, and finally deciding who gets access.

But due diligence is not a one-size-fits-all verification method. Regulators recognize that some customers and products carry very low risk and don’t require the full-on heavyweight compliance treatment. Instead, they may be treated to Simplified Due Diligence (SDD) – a “lighter” Know Your Customer (KYC) approach reserved for low-risk cases. Let’s examine what SDD means, when it can be used (and when not), and what the best practices are for implementing SDD the right way.

What is Simplified Due Diligence?

Simplified due diligence refers to the lowest level of customer due diligence that a financial institution can perform for onboarding or monitoring a client. Essentially, it’s a brief identity verification process applied only when the risk of money laundering or terrorist financing is assessed to be very low.

It’s important to note that SDD complements but does not replace standard Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) processes. Practically speaking, SDD still involves the same four fundamental checks as standard due diligence:

  • confirming the customer’s identity,
  • identifying beneficial owners,
  • understanding the purpose of the account,
  • ongoing monitoring.

During an SDD, fewer data points may be collected, and the verification can rely on easily available sources, such as public records or reliable databases, instead of exhaustive documentation.

But why do regulators allow this reduced form of due diligence? The short answer – it’s done to reduce onboarding friction for low-risk clients.

Still, as an exemption from the rule, SDD is applied only under strict conditions. The customer’s low risk must be supported by a documented risk assessment, and the decision to use SDD must itself be recorded and justified. Also, SDD never means skipping essential checks like confirming identity or screening against sanctions lists.

In other words, you can’t simply apply SDD to a new client on a whim; you need evidence that the client truly poses a minimal risk. SDD is a privilege, not a default.

  • The EU’s 4th Anti-Money Laundering Directive eliminated any “automatic” SDD categories and now requires firms to actively demonstrate and document a low-risk rationale before applying SDD measures.
  • Canada’s FINTRAC permits a “simplified identification method” only for a short list of entity types and only if the institution documents why those entities are low risk.

When Can SDD Apply?

Not every customer or product qualifies for simplified due diligence. SDD is intended for specific low-risk scenarios, which must be defined by your institution’s risk policy in line with regulatory guidance. Let’s examine the common signals that SDD may be applicable:

  • Regulated or public institution customers

Clients that are themselves heavily regulated or transparent. For example, financial institutions subject to strict AML compliance rules, public authorities or government agencies, and publicly listed companies.

  • Low-value or limited-function products

Basic bank accounts with spending and transfer caps, low-limit prepaid cards or e-wallets, or insurance/pension products that can’t be easily cashed out. For instance, an electronic money account that can hold a maximum of €250 and doesn’t allow international transfers poses far less risk than a normal bank account.

  • Strong regulatory oversight or co-regulation

Clients that are under strong oversight mechanisms. For example, a client known to be regulated by a reputable authority (such as a broker-dealer registered with the SEC), or an entity accountable to a community governing body with checks and balances.

  • Transparent and documented funding sources

Situations where the source of funds and purpose are very clear and leave little room for illicit use, like an account used solely for allocation of government benefits or social welfare payments or other non-cashable benefits.

  • Low-risk geographies and customer channels

Regions with low financial crime rates and familiar onboarding methods. For example, a local customer using a regular bank account in a country with robust AML controls and low corruption poses less risk.

  • Existing customers with well-known profiles

Long-standing customers with no history of suspicious activity who are opening new accounts. Since you’ve known the customer for years and have insight into their behavior, you might collect only minimal new information for the new account.

Note! Even when these signals are present, SDD is never automatic. Your organization should have a clear policy listing what criteria must be met for SDD, and the risk assessment must confirm minimal risk for that specific customer/product.

When SDD Should NOT be Used

SDD is off the table in any scenario that exhibits higher-risk factors that may be associated with money laundering. Let’s overview what these high-risk factors and conditions are:

  • Complex or unusual ownership or control structures

If a customer hides behind layers of shell companies or nominee shareholders, you must dig deeper. Many regulations prohibit opening accounts when you can’t identify the real beneficial owners. This complexity is a serious red flag.

  • Connection to high-risk countries or sanctioned regions

Customers in countries with weak anti-money laundering controls or under sanctions must be treated as high risk. For example, if funds come from a FATF high-risk country, SDD isn’t allowed. Any connection to sanctioned regions automatically requires EDD. So, geography matters, as high-risk jurisdictions disqualify customers from SDD.

  • PEPs or related parties

Politically Exposed Persons (PEPs) are government officials and their close associates who carry higher corruption or bribery risks and always need enhanced scrutiny. Most jurisdictions require EDD for PEPs, including senior management approval and source-of-wealth checks. If your customer or beneficial owner is a PEP, never use SDD.

  • Negative media, sanctions hits, or other adverse information

If during screening you come across negative news, such as fraud reports or criminal investigations, you must stop using SDD. Any adverse media, regulatory fines, or watchlist appearances should trigger standard or enhanced due diligence, because SDD is only for clean profiles with no warning signs.

  • Anonymous accounts or third-party funding arrangements

AML laws prohibit anonymous accounts. So, if accounts are funded by unknown third parties or the customer demands anonymity (using “straw men” or nominee accounts), they’re not low risk. When ownership or funding sources aren’t transparent, SDD is not applicable, and you must identify all parties or decline the relationship.

  • Suspicious or complex transaction patterns

Sometimes a customer’s behavior may raise suspicion: large transactions that don’t fit their profile, complex fund movements, sudden activity spikes. In such cases you must stop using SDD and switch to standard or enhanced due diligence. SDD is only for straightforward, low-value, expected activity; anything unusual requires higher scrutiny.

  • Sanctions or watchlist hits

This is non-negotiable: if a customer matches a sanctions or terrorism financing list, you follow your high-risk protocol and likely report to authorities. Since sanctions screening is mandatory, any positive watchlist hit disqualifies SDD and often ends the relationship.

  • High-risk industries or activities

Some businesses attract money laundering due to the nature of the industry they’re in, for example gambling, crypto or precious metal dealers. Clients in high-risk sectors should skip SDD and get standard or enhanced due diligence. The same applies to cash-intensive businesses or private banking clients.

In short, SDD is only for ordinary customers with low risk factors.

Comparison: SDD vs. CDD vs. EDD

Every financial institution typically maintains three tiers of due diligence as part of its risk-based KYC process.

SDD = Simplified Due Diligence is for very low-risk situations.

CDD = Customer Due Diligence is the standard level for normal/medium risk customers.

EDD = Enhanced Due Diligence is for high-risk customers where extra scrutiny is required.

For better clarity, the table below summarizes key differences between simplified vs. standard vs. enhanced due diligence.

| Dimension | SDD | CDD | EDD |
|---|---|---|---|
| Identity data depth | Minimal/basic ID | Standard ID plus basics | Extensive/expanded ID |
| Verification strength | Lightweight, passive sources | Stronger, active verification | Deep verification and corroboration |
| Beneficial ownership (BO) checks | Proportionate, or none for individuals | Required for entities | Comprehensive for entities |
| Source of funds verification | Generally limited or case-based | Verification per risk profile | Detailed tracing and analysis |
| Sanctions/PEP/adverse media screening | Mandatory | Mandatory | Extended and continuous |
| Ongoing monitoring intensity | Event-driven / threshold-based | Regular periodic review | More frequent monitoring |
| Documentation required | Risk rationale + results | Full KYC documentation | Comprehensive evidence logs |

Nine Key Steps of the SDD Process

[Figure: key steps in the Simplified Due Diligence process – Risk Screening, ID Data Collection, ID Verification, Beneficial Ownership, Purpose and Nature of Relationship, Sanctions/PEP/Adverse Media Screening, Risk Scoring and Decision, Record-Keeping, Monitoring Plan]

So how exactly do you carry out simplified due diligence in practice? Let’s imagine you’ve preliminarily assessed that the customer qualifies for SDD, and you can now use a “slimmed-down version” of standard due diligence – the SDD process. Here are the key steps you will take:

STEP 1. Initial Risk Screening

Start with a quick risk check before onboarding. Look at customer type (individual vs. company), industry, the product they want, channel (online vs. in-person), and location. Everything should point to low risk: local resident, simple retail product, regular employer. If anything seems high risk, don’t use SDD. Many institutions use automated scoring in this step, so only “low” scores should qualify for SDD.

STEP 2. Minimal ID Data Collection

Collect basic identity information, such as name, date of birth, address, and ID/passport number for individuals, and for companies: name, registration number, address, and key directors or shareholders. Keep it minimal, just enough to identify and screen the customer, nothing extra.

STEP 3. Lightweight ID Verification

Now it’s time to verify the basic information you collected: check ID details against reliable databases, government registries, or credit bureaus. For that, you might want to use automated identity verification tools. Skip the extra steps you’d normally do for higher risk, like certified copies or biometric checks, and just confirm the person or business is real. Of course, if something doesn’t match, escalate to standard due diligence.

STEP 4. Beneficial Ownership

If the customer is a company, identify the ultimate beneficial owners, but keep it proportionate for SDD – for example, you can pull a corporate registry extract to see shareholders. If all shareholders are low-risk and none own more than 25%, that’s usually enough, because you’re just making sure there’s no hidden bad actor. If ownership looks complex, that alone might disqualify SDD.

STEP 5. Understand Purpose and Nature of Relationship

Find out why they want the account and how they’ll use it. Usually, a brief statement like “personal checking for salary and expenses” or “small business account for my shop” will do. You’re not asking for detailed business plans; that’s enough to set a baseline for monitoring later. If their stated purpose doesn’t match their low-risk profile, that’s a red flag.

STEP 6. Sanctions, PEP, Adverse Media Screening

Always screen customers and beneficial owners against sanctions lists, PEP lists, and adverse media. In SDD, this is usually automated, meaning your system runs the names in the background. No hits? Proceed. Any hit means they’re not low risk, and you must escalate to EDD or exit onboarding.

STEP 7. Risk Scoring and Decision

If identity is verified, there are no watchlist hits (such as PEP, terrorism financing, or adverse media), and the low-risk profile is confirmed, approve the customer under SDD. If something minor comes up, a compliance officer reviews and decides whether to accept with conditions or escalate to standard due diligence. Finally, you have to document the decision: whether the customer received automated SDD status or was escalated to human approval, it must all be recorded.

STEP 8. Record-Keeping

Document everything: who did the due diligence and when, what information you’ve collected, what checks you’ve performed, and why you’ve assessed their risk as low. Log the risk score, store ID verification details, save screening results that show no watchlist hits, and write a brief justification, for example: “Customer qualifies for SDD: local public-sector employee opening salary account; no high-risk indicators”. You must keep these records for at least 5 years for future audits.

STEP 9. Monitoring Plan

Enroll the customer in automated transaction monitoring with parameters for low-risk accounts (higher alert thresholds). Schedule periodic KYC reviews (every 5 years for low-risk individuals). Define trigger events that prompt immediate review, such as a sudden large international wire or negative news. In this final step, you’re creating guardrails to catch any changes that might upgrade the customer out of SDD.

This step-by-step flow ensures that even though the due diligence is simplified, it remains comprehensive enough to meet all legal requirements in a proportionate way.
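The decision logic behind Steps 1, 6, 7 and 9 can be written down as a small rule engine. The block below is an added illustration, not code from the original article or from any vendor: hard disqualifiers (sanctions hit, PEP, high-risk jurisdiction, opaque ownership, and so on) override the numeric score, a score below the page’s example threshold of 20 qualifies for SDD, the output is the Step 8 record with its rationale, and Step 9 trigger events (for example an international wire over $5k) escalate an SDD customer out of the tier. The CDD/EDD score boundary, the field names, and the policy reference are constructed assumptions.

```python
"""Illustrative SDD/CDD/EDD tier-assignment rule engine (constructed example)."""
from dataclasses import dataclass
from datetime import date

SDD_MAX_SCORE = 20   # mirrors the article's example: "Risk score: 12 (threshold <20)"
EDD_MIN_SCORE = 60   # assumed boundary between CDD and EDD

# Any one of these rules SDD out regardless of the numeric score.
# Key = CustomerProfile attribute; value = (tier to assign, rationale to log).
HARD_DISQUALIFIERS = {
    "sanctions_hit":      ("EDD", "sanctions/terrorism-financing list match"),
    "is_pep":             ("EDD", "customer or beneficial owner is a PEP"),
    "high_risk_country":  ("EDD", "link to FATF high-risk or sanctioned jurisdiction"),
    "anonymous_funding":  ("EDD", "anonymous account or unknown third-party funding"),
    "adverse_media":      ("CDD", "adverse media or regulatory action found"),
    "complex_ownership":  ("CDD", "layered or opaque ownership structure"),
    "high_risk_industry": ("CDD", "high-risk sector (gambling, crypto, precious metals)"),
    "unusual_activity":   ("CDD", "transaction pattern inconsistent with profile"),
}


@dataclass
class CustomerProfile:
    customer_id: str
    customer_type: str          # "individual" or "company"
    identity_verified: bool     # Step 3 outcome from lightweight verification
    risk_score: int             # Step 1 output of the institution's scoring model
    sanctions_hit: bool = False
    is_pep: bool = False
    high_risk_country: bool = False
    anonymous_funding: bool = False
    adverse_media: bool = False
    complex_ownership: bool = False
    high_risk_industry: bool = False
    unusual_activity: bool = False


def assign_tier(p: CustomerProfile, policy_ref: str = "SDD Policy v2.1, Section 4") -> dict:
    """Steps 1-7: decide the tier and return the record Step 8 requires."""
    hits = [(tier, why) for attr, (tier, why) in HARD_DISQUALIFIERS.items() if getattr(p, attr)]
    if not p.identity_verified:
        tier, rationale = "CDD", "identity could not be verified via lightweight sources"
    elif hits:
        # The worst applicable tier wins; every matching reason is logged.
        tier = "EDD" if any(t == "EDD" for t, _ in hits) else "CDD"
        rationale = "; ".join(why for _, why in hits)
    elif p.risk_score < SDD_MAX_SCORE:
        tier, rationale = "SDD", f"risk score {p.risk_score} below threshold {SDD_MAX_SCORE}; no high-risk indicators"
    elif p.risk_score < EDD_MIN_SCORE:
        tier, rationale = "CDD", f"risk score {p.risk_score} at or above SDD threshold {SDD_MAX_SCORE}"
    else:
        tier, rationale = "EDD", f"risk score {p.risk_score} at or above EDD threshold {EDD_MIN_SCORE}"
    return {
        "customer_id": p.customer_id,
        "tier": tier,
        "rationale": rationale,
        "policy_ref": policy_ref,
        "decided_on": date.today().isoformat(),
        "review_due_years": 5 if tier == "SDD" else 1,   # 5-year refresh per the article; 1 is assumed
    }


# Step 9 triggers: (predicate over the event, tier to escalate to).
# The $5k wire threshold mirrors the article's monitoring-plan example.
TRIGGER_RULES = {
    "watchlist_hit":       (lambda e: True, "EDD"),
    "adverse_media_alert": (lambda e: True, "CDD"),
    "international_wire":  (lambda e: e.get("amount_usd", 0) > 5_000, "CDD"),
    "industry_change":     (lambda e: e.get("new_industry_high_risk", False), "CDD"),
    "ownership_change":    (lambda e: True, "CDD"),
}


def reassess(record: dict, event: dict) -> dict:
    """Step 9: if a defined trigger fires for an SDD customer, escalate and log why."""
    rule = TRIGGER_RULES.get(event.get("type"))
    if record["tier"] != "SDD" or rule is None or not rule[0](event):
        return record
    predicate, target = rule
    return {**record, "tier": target, "review_due_years": 1,
            "rationale": f"escalated from SDD: trigger '{event['type']}' fired ({event})"}


if __name__ == "__main__":
    rec = assign_tier(CustomerProfile("C-0001", "individual", True, 12))
    print(rec)
    print(reassess(rec, {"type": "international_wire", "amount_usd": 7_500}))
```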

Documentation and Evidence

One of the biggest mistakes a firm can make with SDD is failing to document its work. Remember, simplified due diligence is allowed by regulators only if you can show them why. This means that for every customer to whom you apply SDD, you should have a file (physical or electronic) that contains evidence and rationale supporting that decision.

Here’s what you should be recording and filing for SDD customers:

| Documentation type | What to include | Example |
|---|---|---|
| Risk assessment and rationale | Risk score, written explanation of why the customer is low risk, reference to policy criteria | “Risk score: 12 (threshold <20). Retired teacher with small monthly pension deposit, no international transfers – qualifies for SDD per Policy 3.2” |
| Customer identification info | Basic KYC data, ID copies or reference numbers, database check screenshots, electronic verification reports | Copy of driver’s license, address verification via credit bureau (confirmation #12345), name: John Smith, DOB: 01/15/1960 |
| Beneficial ownership details | Company registry extract, list of beneficial owners with names, DOBs, ownership percentages; note any exemptions | “ABC Shop Ltd – Owner: Jane Doe, DOB 03/22/1975, 100% ownership. Source: Business registry extract dated 10/01/2025” |
| Screening results | Sanctions/PEP/adverse media screening logs showing “no matches” or cleared false positives | “Screening completed 10/09/2025 – No matches in OFAC, UN, PEP databases. One false positive cleared (different birthdate)” |
| Controls applied | Transaction limits, account restrictions, or other risk-mitigation measures | “Account limited to $10k monthly turnover. International transfers restricted per SDD policy” |
| Approval and review logs | Name/ID of approver, timestamp, date of completion, policy reference | “Approved by: Sarah Jones (Compliance Officer), Date: 10/09/2025, per SDD Policy v2.1, Section 4” |
| Ongoing monitoring plan | Review cycle schedule, trigger events, monitoring system enrollment | “KYC refresh due: 10/2030 (5 years). Enrolled in automated transaction monitoring. Triggers: international wires >$5k, adverse media alerts” |

All this documentation should be stored in an accessible way, usually in a centralized AML compliance system or KYC database. More than just a precaution, this improves auditability: an internal auditor, or a regulator in an examination, should be able to pick up the file for a given SDD customer and understand exactly why they were categorized as low risk, what checks were done, and that everything was in line with your procedures.

Ongoing Monitoring Under SDD

Adopting SDD for a customer doesn’t mean you “trust them forever” without oversight. Ongoing transaction monitoring is a cornerstone of any due diligence program, and that remains true for SDD. But what does this look like in practice?

Low-risk customers should still go through your automated transaction monitoring system, just with higher alert thresholds and simpler rules. For example, a $5,000 deposit might not trigger an alert for a low-risk client if it’s expected behavior. But some monitoring is always required: if an SDD customer suddenly makes large international transfers or receives funds from a sanctioned country, the system must flag it for investigation.

Use trigger-based reviews for SDD accounts instead of frequent KYC refreshes. Common triggers include: watchlist or negative news hits, transactions exceeding certain thresholds, profile changes (like switching to a high-risk industry), law enforcement inquiries, ownership changes, or moving to a high-risk country. When any trigger occurs, escalate their due diligence level.

SDD is not permanent. If risk increases, upgrade to CDD or EDD. For example, if a low-risk retail customer starts receiving unexplained large international wires, ask for more information or file a suspicious activity report. Leaving someone on SDD after red flags emerge is a compliance failure.

To catch new risks early, run periodic screening refreshes (monthly or quarterly adverse media/PEP checks) even if you don’t update full KYC as often. An annual or biennial review of a sample of SDD accounts helps ensure profiles remain legitimately low risk.

To sum up, “ongoing” truly means ongoing, even for SDD – you maintain vigilance through automated systems and defined triggers, ensuring that if a low-risk client doesn’t stay low-risk, you will know and react.

Examples of Appropriate SDD Use

Let’s look at a few examples of when simplified due diligence fits best. These scenarios illustrate the types of customers that generally qualify for SDD, given their characteristics.

Example 1: A low-limit prepaid card

A reloadable prepaid card has a strict balance cap, say $300, and can only be funded from a verified bank account. Since it’s nearly impossible to launder significant money through it, the company performing due diligence only asks for basic ID and a quick sanctions check, skipping tedious paperwork like proof of address. Low limit, low hassle.

Example 2: Basic bank account for financial inclusion

A bank offers a “no-frills” basic account, often for students or the financially excluded. It has limits on monthly deposits and no overdraft. A student opening one only needs their ID card and a university letter. The restricted functions make it a textbook low-risk setup, allowing the bank to keep the paperwork light.

Example 3: Welfare pre-paid card

A government issues prepaid cards to distribute social welfare. The funds are government-sourced, and users cannot load third-party money onto it. For activation, the provider simply confirms the recipient’s name, DOB, and a government ID reference against sanctions lists. Risk is negligible, so SDD is a breeze.

Example 4: A customer is a public company

A brokerage onboards a customer that is a major, publicly listed company. Since these firms are already transparent, audited, and heavily regulated, the brokerage omits deep investigation and opts for SDD. Typically, they confirm the public company’s listing status and check its directors against sanctions lists but skip invasive checks.

Example 5: Utility account verification

When a customer signs up for an electricity or gas account, the risk of money laundering is very low. The utility company implements SDD as a quick, proportional ID check, like verifying basic info online, to prevent fraud/misuse of the service. Safe to say, it’s a low-stakes relationship that requires only a basic, one-time identity check.

Common Pitfalls and Regulator Expectations

Although SDD can make compliance easier and faster, you can still mess it up if you’re not careful. Here are some common pitfalls to avoid and what regulators expect in an SDD program:

Employing blanket policies. Don’t automatically label entire customer categories as low risk, for example by giving SDD to all retail accounts or all accounts under $10k. Regulations require individual risk assessments. If you are asked why Customer X got SDD and your answer is “because of our blanket policy”, you’re in trouble. Always evaluate and document each case individually.

Maintaining poor documentation. If you don’t write down why a customer is low risk, regulators will act like it never happened. That’s why every SDD file needs a clear rationale referencing specific factors. Examiners sample SDD files during inspections, so missing documentation is likely to cause suspicion.

Skipping mandatory checks. SDD doesn’t mean zero due diligence. You still must identify, verify, screen, and monitor customers, just do it in a simplified way. Never skip sanctions/PEP screening or beneficial owner identification because “they’re low risk”.

Never reassessing risk. Don’t forget about your SDD customers for years, because their risk profile can change. Have a process to review low-risk customers periodically (every few years at minimum) and whenever triggers occur. Update risk ratings when circumstances change, for example after finding adverse news. Show that you actively monitor and move customers from SDD to higher levels when needed.

Cutting corners. Don’t overuse SDD just to onboard faster or to please your sales teams. Compliance must have final say on risk classification. You must train your staff well on risk indicators, so they don’t mistakenly apply SDD to borderline or hidden-risk customers. Remember – regulators constantly watch for institutions with suspiciously high SDD proportions.

Not having an escalation path. Have clear procedures for what happens when something looks off during SDD onboarding or monitoring. Your staff should know: if an SDD customer shows XYZ risk, refer to compliance and upgrade to CDD/EDD. And, of course, document examples of escalations, because it proves your compliance program isn’t “set and forget”.

No testing or QA. Periodically audit your SDD controls. Are analysts following checklists? Are risk models working correctly? Are files properly documented? If SDD has never been reviewed internally, regulators will take a very close look at it themselves.

In short, regulators expect evidence of a thoughtful, controlled approach to SDD. They also expect that when you do use SDD, you still meet all basic AML obligations and can prove it.

Remember, regulators themselves operate on a risk-based approach – if they see your SDD program is well-controlled, they’ll have lower concern.

How to Implement SDD at Scale

Implementing simplified due diligence across an organization, especially a large one, requires a smart strategy and often a little help from technology. When done right, SDD can save time and cost for every customer with a low-risk profile, freeing up resources to focus on higher risks. Here’s a short playbook for rolling out SDD effectively and at scale:

  1. Define clear policy criteria aligned with risk appetite. For example, list the types of customers/products eligible, the risk factors that must all be “green” for SDD, and any forbidden cases. Make the criteria as specific as possible.
  2. Automate configurable decision rules in onboarding systems. For example, by using an automated risk scoring or rule engine to assign customers into SDD, CDD, or EDD, you can automatically assign “low risk” if all inputs meet the SDD thresholds and no flags are present (like PEP or sanction lists). Automation not only speeds things up but also removes individual bias.
  3. Automate sanctions, PEP, and adverse media screening. For instance, when a new customer comes in, your system should automatically screen their name against the latest sanctions and politically exposed persons lists in real-time.
  4. Integrate continuous risk scoring and event-driven reviews. For example, if your country has a government ID database or a digital ID system, integrate that for instant verification of name and date of birth. For corporate customers, use business registries and corporate data providers to pull ownership information rather than burdening the client to produce incorporation documents.
  5. Generate management information (MI) and quality assurance (QA) reports. For example, you can pull monthly reports which summarize the number of customers onboarded using SDD, highlight any escalations to full due diligence, and track compliance with documented risk rationales. Quality assurance checks sample customer files to ensure screening and documentation meet policy standards.
  6. Use digital verification tools from third-party vendors for accurate registry lookups. For instance, some solutions, including Ondato, can automatically fetch a company’s UBO information from official registries (useful for quicker KYB on low-risk entities), or perform instant electronic ID verification with minimal data input.

As you can see, SDD requires ongoing work. You’ll need to continuously update your risk models, technology, and processes as regulations change. For example, if regulators redefine low risk or add new requirements, your SDD process must adapt.

Successful institutions treat automated KYC, digital ID, and data analytics as helpful tools that improve both compliance and business outcomes. With this approach, SDD becomes a natural, well-managed part of your risk-based AML program.

Key Takeaways

Simplified due diligence, when used correctly, is a win-win: it reduces friction for low-risk customers and saves compliance resources – all without compromising the integrity of your anti-money laundering program.

Let’s recap the main points to remember:

  • SDD is only for genuinely low-risk cases.
  • All fundamental checks remain in play.
  • Documentation and oversight are crucial.
  • Be ready to escalate.
  • Use a risk-based approach and technology.

In the end, SDD is about working smarter when it comes to anti-money laundering compliance: focusing your heavy due diligence efforts where they matter most and not overburdening the customers who pose minimal risk.

FAQ

What does SDD stand for?

SDD stands for Simplified Due Diligence – a reduced Know Your Customer (KYC) process allowed when a business has assessed a customer, product, or transaction as low risk for money laundering or terrorist financing.

When can SDD be used?

SDD can be used when risk is low and well-documented; for example, when onboarding public authorities, regulated financial institutions, listed companies, or customers using low-value, transparent products with limited functionality.

How does SDD differ from CDD and EDD?

SDD collects and verifies only basic identity data for low-risk clients, while CDD requires standard ID checks and beneficial ownership review. EDD goes further with in-depth verification and ongoing scrutiny for high-risk profiles.

Is sanctions and PEP screening still required under SDD?

Yes. Even under SDD, businesses must screen customers against sanctions lists, politically exposed person (PEP) databases, and adverse media to ensure no hidden high-risk factors.

Can beneficial ownership (BO) checks be skipped under SDD?

Not entirely. BO must still be identified and assessed, but the depth of verification can be reduced if the entity and its structure are deemed low risk.

What happens if a customer’s risk level changes?

If the risk level changes, such as through new complex ownership, high-value transactions, negative media, sanctions hits, or suspicious activity, the customer should be re-evaluated and escalated to CDD or EDD.