A Comprehensive Due Diligence Checklist

Due diligence is how a business checks who it is dealing with, both before a relationship starts and while it continues, so problems surface early instead of after the money moves. It comes up in real estate deals, partnerships, and investments. In regulated financial services it goes further than good practice: verifying customers is a legal duty. This guide walks through the main types of due diligence, then gives you three checklists you can adapt: a general one, a customer due diligence (CDD) checklist, and an enhanced due diligence (EDD) checklist.

Types of Due Diligence

The depth of checking should match the risk. That principle, the risk-based approach, is what regulators and the FATF expect, and it decides which of the following you apply:

  • Simplified Due Diligence (SDD) is the lightest level, used for low-risk customers or transactions.
  • Customer Due Diligence (CDD) is the standard level for most customers. It covers identity verification and a risk assessment.
  • Enhanced Due Diligence (EDD) applies to high-risk customers, such as politically exposed persons or people based in high-risk countries.
  • Vendor and third-party due diligence looks at the financial health, reputation, and compliance record of suppliers and partners.
  • Legal due diligence is the review of contracts, agreements, and other documents to find liabilities, pending lawsuits, or obligations that could affect a deal.

examination of due diligence types such as CDD, EDD, VDD

The Due Diligence Checklist

This works as a general checklist for any due diligence exercise. Where AML rules apply, use it alongside the customer-specific checklists further down.

  1. Define scope and objectives first. Knowing what you are assessing, and why, stops you from wasting effort or missing something that mattered.
  2. Prepare a due diligence questionnaire. A structured set of questions, tailored to the entity or transaction, keeps the rest of the work on track.
  3. Collect and review the documents: contracts, financial statements, ownership records, legal filings. Read them properly rather than skimming, because the important detail is usually buried.
  4. Verify identity and ownership. For a company, that means finding the ultimate beneficial owners (UBOs), meaning anyone who owns or controls 25% or more.
  5. Screen names against sanctions, PEP, and adverse media lists. For a quick first pass, the free Sanction Check runs a name against OFAC, UK, and EU lists in seconds.
  6. Score the risk by likelihood and impact so you know what to prioritise. The free Risk Exposure Calculator is a fast starting point before a full Customer Risk Assessment.
  7. Write down what you found and the reasoning behind your decision, and keep that information secure.
  8. Keep monitoring. Due diligence is not a one-time event, and a customer who looked low-risk at onboarding will not always stay that way.

Customer Due Diligence (CDD) Checklist

In financial services, CDD is a legal requirement under AML and KYC rules. At a minimum it covers:

  • Verifying the customer's identity from reliable, independent documents or data.
  • Identifying the beneficial owners and ownership structure when the customer is a company.
  • Understanding what the relationship is actually for.
  • Screening the customer against sanctions, PEP, and adverse media sources.
  • Assigning a risk rating, which then sets how closely you monitor them.

effective cdd is crucial for financial institutions to identify and mitigate money laundering and terrorist financing risks

Enhanced Due Diligence (EDD) Checklist

For higher-risk customers, these steps sit on top of standard CDD:

  1. Apply a risk-based approach to decide who counts as high-risk and needs a closer look. Getting that judgment right is central to AML compliance and to staying clear of penalties from regulators such as the FCA.
  2. Gather more information than standard CDD asks for, and keep it in a dedicated EDD file.
  3. Analyse the source of wealth and confirm the UBO. The point is to check that a customer's wealth lines up with their known assets, and to know who really controls any company involved.
  4. Track transactions over time, including their purpose and nature, and look into anything that does not fit the pattern.
  5. Check adverse media and reputation. The free Adverse Media Check scans a name for negative coverage, and if the press or other sources turn up serious negative information, that is a reason to walk away.
  6. Visit physical addresses where something cannot be confirmed digitally. An address that does not check out is a red flag worth taking seriously.
  7. Record customer activity and write it up using AML compliance software, with risk factors specific to your industry.
  8. Keep high-risk customers under ongoing monitoring, with automated alerts tuned to their risk profile.

Best Practices

A few habits make the difference between a checklist people follow and one that sits in a drawer.

Review documents in full rather than sampling them, since the liability you miss is the one that hurts. Pull in a mix of skills, so finance, legal, operations, and someone who knows the industry all look at the same risk assessment. Agree the scope before anyone starts. Lock down the data you collect, both to protect people and to stay on the right side of privacy law. Rank risks by severity and likelihood so time and money go where they count, and keep stakeholders updated as you go.

Rules change, so build the process to keep up. In the EU, for instance, the new AMLR will standardise CDD obligations across every member state from 2027. Have a plan for bad findings before you get one, and revisit the whole process periodically as the business and the regulations shift.

Automating Due Diligence

Manual due diligence stops working once the numbers grow. More customers and higher transaction volumes mean more screening, scoring, and monitoring than a team can do by hand without either slowing onboarding to a crawl or letting risk slip through. Automation is what keeps both under control.

Start by naming what you actually need: sanctions and PEP screening, adverse media, transaction monitoring, or the full set. Then compare providers on data coverage, quality, and how cleanly the tool fits your industry and your existing systems. Sanction Scanner covers each step in the checklists above, from AML screening and customer risk assessment through transaction monitoring and ongoing monitoring, for banks, fintechs, crypto businesses, and other regulated firms.

Key Takeaways

Good due diligence comes down to a few things done consistently: match the checking to the risk, confirm who you are dealing with and who owns them, screen against the right lists, and keep looking after onboarding. That holds whether you are handling real estate transactions, weighing up an investment, or onboarding a customer under AML rules.

Real estate is a good example of how wide the net goes. A property deal needs its own checks: confirming the title, assessing the condition of the buildings and infrastructure, reading the market, and looking for legal encumbrances or environmental problems before anything is signed.

Try sanction scanner aml solutions


Sources

Contents