Customer Due Diligence for Business Accounts: CDD, EDD and the Risk-Based Approach at Onboarding
Customer due diligence for business accounts — how CDD, EDD, and the risk-based approach apply at onboarding, and what banks must collect before an account is opened.

Customer due diligence (CDD) is the discipline of knowing who you are banking before money moves. For a business customer that means identifying and verifying the legal entity, looking through it to the people who own and control it, understanding why the account is being opened, and screening the parties against the risks that matter. This article explains how CDD, enhanced due diligence (EDD), and the risk-based approach apply specifically at onboarding, and how a structured digital journey collects the right evidence before an account is ever created.
What CDD means for a business customer
CDD for an individual is comparatively simple: verify a name, a national identity document, and an address. A business customer is harder because the customer is a legal construct, not a person. Under the Central Bank of Kenya prudential guidelines on account opening and KYC, and the broader FATF and ESAAMLG framework that informs them, a bank must take four steps before opening a business account.
The first is to identify and verify the entity itself: its registered name, its registration or incorporation details, its KRA PIN, the nature of its industry and activities, and where it operates from. The second is to identify the beneficial owners — the natural persons who ultimately own or control the company — and not stop at the corporate shell. The third is to understand the purpose and intended nature of the relationship: what the account will be used for, the expected turnover, and the products required. The fourth is to screen the entity and its associated people against sanctions, politically exposed person (PEP), and adverse-information sources.
These four steps are not paperwork for its own sake. They are how a bank forms a defensible view of risk at the moment of onboarding, and how it later explains, to a regulator or to its own board, why it accepted a customer. The same logic underpins the wider know your business discipline, which frames entity verification as the foundation everything else rests on.
Identify and verify the entity
Verification of the entity is evidence-based. A bank establishes that the company exists, that it is the company it claims to be, and that the people presenting it have the authority to act. In Kenya the core documents are the Certificate of Incorporation and the CR12, both obtainable through the Business Registration Service via eCitizen, the KRA PIN certificate, and the company's Memorandum and Articles of Association. Depending on the structure, annual returns, partnership deeds, or sole-proprietor registrations may apply.
The Creodata Business Account Opening System collects this evidence through a checklist-driven document step rather than an open-ended request for "whatever you have". The application wizard opens with a Business Information step that captures entity and company details, the KRA PIN, date of incorporation, registration and business type, the nature of industry and key activities, employee range, annual turnover range, the stated purpose of the account, and both addresses and contacts. That structured capture is what makes the rest of CDD possible — risk and screening decisions are only as good as the entity data underneath them. The document checklist for Kenya sets out the full list a corporate applicant should expect to upload.
Look through to beneficial owners
The single most consequential CDD step for a business account is beneficial ownership. A company can be a clean front for individuals a bank would never knowingly bank, and ownership can be layered deliberately to obscure control. CDD therefore requires looking through the entity to the natural persons who own or control it — directors, shareholders, partners, or a sole proprietor — and recording them as significant stakeholders.
In the BAOS wizard this is handled in the Compliance step, which captures the PEP and FATCA declarations and records significant stakeholders as a defined list of beneficial owners. Capturing them as discrete, structured records — rather than a free-text note buried in a form — is what allows each individual to be screened and risk-assessed in their own right. The depth of this topic, including how ownership chains are unwound, belongs to the beneficial ownership and significant stakeholders guide for the onboarding view, and to the AML cluster's treatment of beneficial ownership and entity resolution for the harder cases of nested and cross-border structures.
Screening: sanctions, PEPs and adverse information
Once the entity and its owners are known, they are screened. Screening asks whether any party is subject to sanctions, is a politically exposed person whose position carries heightened corruption risk, or is the subject of credible adverse information. A PEP is not automatically a customer to refuse — it is a customer who warrants closer attention and, usually, senior sign-off.
The BAOS compliance screening service runs PEP, FATCA, and KYC/AML checks and feeds a compliance review workflow that staff complete inside the platform. It is important to be precise about scope: BAOS performs and records the screening and review steps and routes them through the workflow; it does not ship an integration to a named commercial sanctions or PEP data vendor. The mechanics of how matches are generated, scored, and dispositioned — and how false positives are managed — are covered in depth in the onboarding PEP and sanctions screening article and, at the methodology level, in the AML cluster's sanctions and PEP screening explained.
The risk-based approach: how much diligence does this applicant get?
Not every business customer presents the same risk, and treating them identically wastes effort on the low-risk majority while under-examining the few that matter. The risk-based approach is the principle that the depth of diligence should be proportionate to the risk each applicant presents. A domestic retailer with a simple ownership structure and a transparent purpose sits at one end; a cash-intensive business, a complex multi-layered ownership chain, a foreign-currency account, or a PEP among the owners sits at the other.
In practice the risk-based approach turns the four CDD steps into a decision: standard diligence for most applicants, simplified attention where genuinely low risk, and enhanced diligence where the indicators warrant it. The structured data captured at onboarding — industry and activities, turnover range, account purpose, currency, and the stakeholder and PEP declarations — are precisely the inputs a risk model consumes. The full methodology, including how factors are weighted, is the province of the AML cluster's risk-based approach to AML and the six-factor customer risk assessment model; this article only sets out where in onboarding those inputs are gathered.
| Diligence level | Typical trigger | What it adds |
|---|---|---|
| Standard CDD | Most domestic, transparent applicants | Identify and verify entity, beneficial owners, purpose; baseline screening |
| Simplified | Genuinely low-risk, lower-value relationships | Lighter verification within policy limits |
| Enhanced (EDD) | High-risk industry, PEP, complex or opaque ownership, foreign nexus | Additional evidence, source-of-funds enquiry, senior approval, closer scrutiny |
When EDD is triggered and what it adds
Enhanced due diligence is what a bank does when standard CDD is not enough. It is triggered by the higher-risk indicators above: a high-risk or cash-intensive industry, a PEP among the beneficial owners, ownership that is complex, layered, or opaque, or a foreign-currency and cross-border dimension. EDD does not replace CDD; it adds to it. Typically that means obtaining additional documentary evidence, enquiring into source of funds and wealth, applying closer scrutiny to the intended nature of the relationship, and requiring sign-off at a more senior level before the account proceeds.
Because BAOS routes every application through a six-stage workflow — Submission, Compliance Check, Document Verification, Internal Review, Approval, and Account Creation — the additional scrutiny EDD demands has a natural home. The compliance and internal review stages are where staff apply the extra examination, request further documents through the checklist-driven document step, and record their conclusions before approval. Every action is captured in the platform's append-only audit log, which is what lets a bank later evidence that EDD was actually performed. The mechanics of EDD as a discipline are set out in the AML cluster's enhanced due diligence guide.
CDD has to be evidenced, not just performed
A CDD or EDD decision a bank cannot later reconstruct is, for regulatory purposes, a decision it did not make. Examiners and the Financial Reporting Centre expect to see not only the outcome but the basis for it: what was collected, who reviewed it, what the screening returned, and who approved the account. This is where a paper or PDF process fails — the trail is scattered across email, scanned forms, and individual memories.
A digital onboarding journey solves this by making the trail a by-product of the work. In BAOS, role-based access control with branch scoping governs who can see and act on an application, the six-stage workflow records the path each application took, SLA timers show how long each stage held, and the append-only audit log captures every action with attribution. Together these form the evidentiary spine of CDD — the subject of the audit-ready onboarding trail article, and a theme the AML cluster develops further in audit-ready AML and four-eyes review. For the end-to-end onboarding picture, the complete guide to business account opening places CDD within the full journey, and the digital business account opening overview explains why banks are moving away from paper in the first place.
CDD is also not finished when the account opens. The view a bank forms at onboarding is a baseline that ongoing monitoring revises over the life of the relationship — the role of the Creodata AML Compliance Platform, which picks up where onboarding hands off.
Frequently asked questions
What is the difference between CDD and EDD for a business account?
CDD is the standard set of checks applied to every business customer: identifying and verifying the entity, looking through to its beneficial owners, understanding the account's purpose and intended nature, and screening the parties. EDD is the additional layer applied only when risk indicators warrant it — a high-risk industry, a PEP among the owners, or complex ownership. EDD adds further evidence, source-of-funds enquiry, and senior approval; it does not replace CDD but builds on it.
When does an applicant trigger enhanced due diligence at onboarding?
EDD is triggered by higher-risk indicators captured during the application: a high-risk or cash-intensive industry, a politically exposed person among the beneficial owners, ownership structures that are complex, layered, or opaque, or a cross-border and foreign-currency dimension. The risk-based approach uses the structured data collected in the wizard — industry, turnover, account purpose, currency, and the stakeholder and PEP declarations — to decide which applicants move from standard CDD into enhanced scrutiny before approval.
Does a digital onboarding system perform the CDD decision for the bank?
No. A platform like the Creodata Business Account Opening System structures the journey, captures the evidence, runs PEP, FATCA, and KYC/AML screening, routes the application through a compliance and internal review workflow, and records every action in an append-only audit log. The diligence judgement — accepting, declining, or escalating an applicant — remains with the bank's compliance and review staff, who act within the platform's role-based controls and four-eyes review stages.
Building defensible CDD into onboarding starts with capturing the right entity, ownership, and purpose data in a structured, auditable way. See how the Creodata Business Account Opening System turns the CDD and EDD steps into a guided, fully tracked digital journey, and book a demo to walk through the compliance and review workflow with our team.
