Why It Matters
Due diligence is the principle that you must know who you're doing business with. Whether it's a new customer, a vendor, an acquisition target, or a business partner, failing to conduct proper due diligence exposes your organization to fraud, money laundering, sanctions violations, corruption, and data breaches. Regulators routinely penalize organizations for inadequate due diligence — "we didn't know" is not a defense.
Types of Due Diligence
Customer Due Diligence (CDD)
Required by AML regulations:
- Identity verification — confirm the customer is who they claim to be
- Beneficial ownership — identify who ultimately owns or controls the entity
- Business purpose — understand the nature and purpose of the relationship
- Risk classification — assign a risk level (low, medium, high)
Enhanced Due Diligence (EDD)
Additional scrutiny for higher-risk situations:
- Politically Exposed Persons (PEPs) — government officials and associates
- High-risk jurisdictions — countries on FATF or EU risk lists
- Complex structures — layered entities, trusts, nominees
- Large or unusual transactions — disproportionate to the customer profile
Vendor/Third-Party Due Diligence
Before engaging suppliers or service providers:
- Financial stability — can they deliver on commitments?
- Security posture — will they protect your data?
- Compliance status — do they meet regulatory requirements?
- Reputation — adverse media, litigation, sanctions screening
- Contractual terms — DPAs, SLAs, audit rights, exit clauses
M&A Due Diligence
Before acquiring or merging with another company:
- Regulatory compliance — pending investigations, past violations, open fines
- Data protection — GDPR compliance, breach history, data assets
- Anti-corruption — FCPA/Bribery Act exposure, third-party risks
- Contractual obligations — existing agreements, liabilities, IP
- Litigation — pending or threatened legal actions
Red Flags
- Reluctance to provide documentation or answer questions
- Complex ownership structures with no clear business purpose
- Connections to high-risk jurisdictions or sanctioned entities
- Adverse media coverage (fraud, corruption, money laundering)
- Inconsistencies between stated business and actual activities
- Pressure to bypass normal verification procedures
- Unusually favorable terms or unsolicited approaches
Regulatory Requirements
| Regulation | Due Diligence Requirement |
|---|---|
| EU AML Directives | CDD and EDD for all obliged entities |
| FATF Recommendation 10 | International CDD standard |
| GDPR Article 28 | Processor due diligence before engaging |
| NIS2 | Supply chain security assessment |
| FCPA | Third-party due diligence for anti-corruption |
| UK Bribery Act | Adequate procedures include due diligence |
Key Regulations
- EU 6AMLD / AMLR — customer due diligence requirements
- FATF Recommendations 10–22 — CDD and record-keeping standards
- DOJ FCPA Resource Guide — third-party due diligence expectations
- ISO 37001 — anti-bribery due diligence requirements