"KYC" and "CDD" are two of the most-used acronyms in compliance, and they are often treated as synonyms. They are closely related, but they are not the same thing. Getting the distinction right helps you understand what your obligations actually are.
The short version
- KYC (Know Your Customer) is the broad, everyday term for the practice of identifying customers and understanding who you are dealing with. It is industry language, not a precise legal term.
- CDD (Customer Due Diligence) is the specific, defined set of measures that the Money Laundering Regulations 2017 require. It has a legal meaning and prescribed components.
Think of KYC as the goal ("know who your customer is") and CDD as the regulated method for achieving it.
What CDD requires
Under the MLRs (Part 3, regulations 27–37), customer due diligence has four core elements:
- Identify the customer and verify their identity from a reliable, independent source.
- Identify the beneficial owner (the natural person who ultimately owns or controls the customer) where the customer is not an individual, and take reasonable measures to verify their identity.
- Understand the purpose and intended nature of the business relationship.
- Conduct ongoing monitoring of the relationship, keeping information up to date and scrutinising transactions for consistency.
That fourth element matters: CDD is not a one-off gate at onboarding. It is a continuing obligation for the life of the relationship.
The three tiers
The MLRs are risk-based, so the depth of CDD scales with the risk:
Simplified due diligence (SDD)
Where a relationship or transaction presents a demonstrably low risk, a firm may apply simplified measures — for example, verifying identity later in the process, or relying on a narrower set of information. SDD is not "no due diligence"; it is a lighter touch that must be justified by a documented low-risk assessment.
Standard customer due diligence (CDD)
The default. The four elements above, applied to a reasonable degree given an ordinary risk profile.
Enhanced due diligence (EDD)
Where the risk is higher, firms must go further. EDD is mandatory in defined situations, including:
- the customer or beneficial owner is a politically exposed person;
- the customer or transaction involves a high-risk third country;
- the customer has provided false or stolen identification;
- the transaction is unusually complex or large, or has no apparent economic or legal purpose.
EDD typically means obtaining additional information (including on source of funds and source of wealth), seeking senior-management approval, and applying more intensive ongoing monitoring.
When does CDD kick in?
CDD is triggered when a firm establishes a business relationship, carries out a qualifying occasional transaction, suspects money laundering or terrorist financing, or doubts previously obtained information. (The specific occasional-transaction thresholds are covered in our MLR 2017 guide.)
What about KYB?
You will also encounter KYB — Know Your Business. This is KYC applied to corporate customers: verifying the company exists, who runs it, and — critically — who ultimately owns and controls it. For a UK company that means reading the public record at Companies House, including the people with significant control register. KYB is harder than verifying an individual precisely because ownership can be layered through holding companies, trusts and overseas structures.
The international anchor
The whole framework descends from the FATF Recommendations, whose Recommendation 10 sets the global standard for customer due diligence. The UK rules implement that standard; the terminology firms use day to day (KYC, KYB, onboarding) sits on top of it.
Where Probitas fits
Verifying identity is one half of the job; understanding the entity is the other. Probitas focuses on the second: it reads the public record on a UK company or charity, maps the ownership and control, screens the people behind it, and presents the evidence with citations — the raw material your CDD or KYB file needs. It supports your due-diligence process; it does not replace the legal obligation to run one.
Sources
This guide is written from primary sources. Each is linked below; claims in the text link to the specific reference they rely on.