Why It Matters
Due diligence is the principle that you must know who you're doing business with. Whether it's a new customer, a vendor, an acquisition target, or a business partner, failing to conduct proper due diligence exposes your organization to fraud, money laundering, sanctions violations, corruption, and data breaches. Regulators routinely penalize organizations for inadequate due diligence: "we didn't know" is not a defense.
Types of Due Diligence
Customer Due Diligence (CDD)
Required by AML regulations:
- Identity verification: confirm the customer is who they claim to be
- Beneficial ownership: identify who ultimately owns or controls the entity
- Business purpose: understand the nature and purpose of the relationship
- Risk classification: assign a risk level (low, medium, high)
Enhanced Due Diligence (EDD)
Additional scrutiny for higher-risk situations:
- Politically Exposed Persons (PEPs): government officials and their close associates
- High-risk jurisdictions: countries on FATF or EU risk lists
- Complex structures: layered entities, trusts, nominees
- Large or unusual transactions: disproportionate to the customer profile
Vendor/Third-Party Due Diligence
Before engaging suppliers or service providers:
- Financial stability: can they deliver on commitments?
- Security posture: will they protect your data?
- Compliance status: do they meet regulatory requirements?
- Reputation: adverse media, litigation, sanctions screening
- Contractual terms: DPAs, SLAs, audit rights, exit clauses
M&A Due Diligence
Before acquiring or merging with another company:
- Regulatory compliance: pending investigations, past violations, open fines
- Data protection: GDPR compliance, breach history, data assets
- Anti-corruption: FCPA/Bribery Act exposure, third-party risks
- Contractual obligations: existing agreements, liabilities, IP
- Litigation: pending or threatened legal actions
Red Flags
- Reluctance to provide documentation or answer questions
- Complex ownership structures with no clear business purpose
- Connections to high-risk jurisdictions or sanctioned entities
- Adverse media coverage (fraud, corruption, money laundering)
- Inconsistencies between stated business and actual activities
- Pressure to bypass normal verification procedures
- Unusually favorable terms or unsolicited approaches
Regulatory Requirements
| Regulation | Due Diligence Requirement |
|---|---|
| EU AML Directives | CDD for all obliged entities; EDD in higher-risk cases |
| FATF Recommendation 10 | International CDD standard |
| GDPR Article 28 | Processor due diligence before engaging |
| NIS2 | Supply chain security assessment |
| FCPA | Third-party due diligence for anti-corruption |
| UK Bribery Act | Adequate procedures include due diligence |
Key Regulation
- EU 6AMLD / AMLR: customer due diligence requirements
- FATF Recommendations 10-22: CDD and record-keeping standards
- DOJ FCPA Resource Guide: third-party due diligence expectations
- ISO 37001: anti-bribery due diligence requirements