A strong compliance culture starts with understanding the basics — and Customer Due Diligence (CDD) is where it all begins. For every regulated business in the UAE, CDD is the foundation upon which your entire AML programme is built. Get it right, and you have a defensible compliance framework. Get it wrong, and your business faces regulatory penalties, reputational damage, and potential criminal liability.
With Federal Decree-Law No. 10 of 2025 now in effect and the FATF’s onsite mutual evaluation expected in mid-2026, there has never been a more critical time to ensure your CDD processes meet the standard regulators expect.
This guide covers what CDD means in practice, the different levels of due diligence required, what the 2025 AML law changed, and the concrete steps your business must take.
What Is Customer Due Diligence (CDD)?
Customer Due Diligence is the process of identifying your customers, understanding the nature of their business relationships, and assessing the risk they present to your organisation. It is a core obligation under UAE AML law for all regulated entities.
CDD is not a one-time exercise performed at onboarding. It is an ongoing process that continues throughout the business relationship, requiring you to monitor transactions, update customer information, and reassess risk as circumstances change.
At its core, CDD answers three questions:
- Who is your customer? — Verify their identity using reliable, independent documentation.
- What is the purpose of the relationship? — Understand why they are engaging your services and what transactions to expect.
- What risk do they present? — Assess whether the customer, their activities, or their jurisdiction pose a higher risk of money laundering or terrorist financing.
The Three Levels of Due Diligence
UAE AML regulations prescribe three tiers of due diligence, each applied based on the assessed risk level of the customer or transaction.
Simplified Due Diligence (SDD)
SDD may be applied when the risk of money laundering or terrorist financing is demonstrably low. This does not mean skipping verification — it means applying proportionate measures where the customer type, product, or jurisdiction presents minimal risk. SDD must be thoroughly documented and justified in your risk assessment.
Standard CDD
Standard CDD is the baseline requirement for all business relationships. It includes:
- Verifying the identity of the customer using valid identification documents (Emirates ID, passport, trade licence)
- Identifying and verifying beneficial owners — the natural persons who ultimately own or control at least 25% of shares or voting rights
- Understanding the nature and intended purpose of the business relationship
- Conducting ongoing monitoring of the relationship and transactions
Enhanced Due Diligence (EDD)
EDD applies when a customer or transaction presents a higher risk. Under the 2025 AML law and its Executive Regulations, EDD is mandatory for:
- Politically Exposed Persons (PEPs) — Current or former holders of prominent public functions, their family members, and close associates
- High-risk jurisdictions — Countries identified by the FATF or the UAE as presenting elevated money laundering or terrorist financing risks
- Complex or unusual transactions — Transactions with no apparent economic or lawful purpose
- Non-face-to-face business relationships — Where the customer is not physically present for identification
EDD measures now explicitly include identifying the customer’s source of wealth (not just source of funds), requiring initial payments from accounts held in the customer’s name at institutions with comparable CDD standards, and obtaining senior management approval before establishing or continuing the relationship.
What Changed Under the 2025 AML Law
Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 introduced several changes that directly impact your CDD obligations.
Lower Knowledge Threshold
You can now be held liable if you “should reasonably have known” that a customer or transaction involved illicit funds. This shift from subjective to objective knowledge means that inadequate CDD — failing to ask the right questions or collect sufficient documentation — can itself become evidence of non-compliance.
Personal Liability for Managers
Directors and senior managers face personal criminal prosecution if AML failures result from their breach of supervisory duties. A weak CDD framework is no longer just a corporate risk — it is a personal one.
Expanded Scope of Regulated Entities
CDD obligations now apply to a broader range of businesses, including Virtual Asset Service Providers (VASPs), gaming operators (online gaming, sports betting, lotteries), and all Designated Non-Financial Businesses and Professions (DNFBPs). VASPs are now subject to the same CDD regime as traditional financial institutions.
Proliferation Financing
CDD processes must now integrate screening for proliferation financing risks — the illicit trade in materials or technology related to weapons of mass destruction. This must be embedded in your enterprise-wide risk assessments and customer screening procedures.
Digital Identity Verification
The 2025 amendments explicitly recognise digital KYC tools and automated screening for PEPs, sanctions lists, and adverse media. Regulators expect businesses to leverage technology, particularly in high-risk sectors.
Record Keeping
All CDD records — including identification documents, transaction records, and risk assessments — must be retained for a minimum of five years from the date the business relationship ends or the transaction is completed.
CDD Documentation: What You Need to Collect
The specific documents required depend on whether your customer is an individual or a legal entity.
For Individuals
- Valid Emirates ID or passport
- Residence visa (for non-citizens)
- Proof of address (utility bill, bank statement, or tenancy contract)
- Source of funds declaration
- Source of wealth documentation (for EDD cases)
For Legal Entities
- Valid trade licence
- Memorandum of Association and Articles of Association
- Certificate of incorporation
- Identification of all shareholders and directors
- Beneficial ownership declaration — identifying all natural persons who own or control 25% or more
- Board resolution or power of attorney authorising the representative
- Source of funds for the business relationship
Ongoing Monitoring: CDD Does Not Stop at Onboarding
One of the most common compliance gaps is treating CDD as a one-time onboarding exercise. UAE regulators expect ongoing monitoring that includes:
- Transaction monitoring — Reviewing transactions to ensure they are consistent with your knowledge of the customer, their business, and their risk profile
- Periodic reviews — Reassessing customer risk at defined intervals (annually for high-risk, every two to three years for standard risk)
- Trigger events — Updating CDD when there is a material change in the customer’s circumstances, such as a change in ownership, business activity, or jurisdiction
- Sanctions screening — Continuously screening your customer base against updated sanctions lists, PEP databases, and the UAE Local Terrorist List
Automated monitoring tools can flag deviations from expected behaviour, but human review remains essential for making final determinations and filing Suspicious Transaction Reports (STRs) through the goAML portal.
Common CDD Mistakes That Put Your Business at Risk
Regulators and FATF assessors look beyond policies to evaluate whether CDD is genuinely effective. Common failures include:
- Incomplete beneficial ownership identification — Failing to look beyond the immediate shareholder to identify the ultimate natural person in control
- Outdated customer records — Not updating CDD information when customer circumstances change
- No risk differentiation — Applying the same level of due diligence to all customers regardless of risk
- Missing source of wealth for EDD — Collecting source of funds but not source of wealth, which is now an explicit requirement
- Tick-box approach — Collecting documents without genuinely understanding the customer or their business rationale
- No ongoing monitoring — Conducting CDD at onboarding but failing to review the relationship over time
How Technology Strengthens Your CDD Programme
Manual CDD processes are time-consuming, error-prone, and difficult to scale. Modern compliance technology can transform your CDD programme by:
- Centralising KYC management — Storing all customer identification, documentation, and risk assessments in a single, auditable platform
- Automating screening — Running real-time checks against global sanctions lists, PEP databases, adverse media, and the UAE Local Terrorist List
- Flagging anomalies — Using AI to detect unusual transaction patterns and escalate cases to your compliance team for review
- Generating audit trails — Maintaining a complete record of every CDD action taken, which is critical for demonstrating compliance to regulators
Adil Zone’s 1ST COMPLIANCE software is purpose-built for these requirements — centralising your KYC processes, automating risk-based screening, and providing the audit trail regulators expect.
Frequently Asked Questions
What is Customer Due Diligence (CDD)?
CDD is the process of verifying a customer’s identity, understanding the nature of their business relationship, and assessing the risk they present. It is a legal requirement for all regulated entities in the UAE under Federal Decree-Law No. 10 of 2025.
When is Enhanced Due Diligence (EDD) required?
EDD is required when dealing with Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, complex or unusual transactions, and non-face-to-face business relationships. It involves additional verification steps, including identifying source of wealth and obtaining senior management approval.
How long must CDD records be kept in the UAE?
All CDD records must be retained for a minimum of five years from the date the business relationship ends or the transaction is completed, in accordance with the 2025 Executive Regulations.
Does CDD apply to Virtual Asset Service Providers (VASPs)?
Yes. Under the 2025 AML law, VASPs are subject to the same CDD obligations as traditional financial institutions, including customer identification, beneficial ownership verification, transaction monitoring, and STR filing.
What happens if my business fails to conduct adequate CDD?
Non-compliance can result in fines of up to AED 100 million for legal entities, imprisonment of up to 10 years for individuals, and personal criminal liability for directors and managers. There is no statute of limitations for AML offences.
Build a CDD Framework That Regulators Trust
Customer Due Diligence is not a regulatory burden — it is the single most important control your business has for preventing money laundering at the point of entry. With the FATF evaluating the UAE’s compliance effectiveness in 2026, now is the time to ensure your CDD processes are robust, documented, and demonstrably effective.
Adil Zone helps UAE businesses implement CDD programmes that go beyond tick-box compliance. From AML policy development and sanctions screening to staff training and automated KYC management through 1ST COMPLIANCE, we provide the tools and expertise your compliance team needs.