Customer due diligence in Nigeria — CDD and EDD requirements

Customer due diligence (CDD) is the process of verifying a customer's identity, understanding their business and the expected nature of their transactions, and assessing the money laundering risk they present. The MLPPA 2022 and CBN guidelines require all Nigerian financial institutions to apply risk-proportionate CDD — with enhanced due diligence (EDD) for high-risk customers and simplified CDD for demonstrably low-risk ones.

Three levels of due diligence

| Level | When applied | What it involves |
|---|---|---|
| Simplified CDD (SDD) | Demonstrably low-risk customers — e.g. regulated financial institutions, listed public companies, government entities | Reduced verification requirements; no ongoing enhanced monitoring. Note: SDD is not available for all categories — the institution must document its basis for applying SDD |
| Standard CDD | All customers who do not qualify for SDD and are not classified as high risk | Identity verification, address confirmation, understanding of business activity and expected transaction profile, beneficial ownership for corporates |
| Enhanced Due Diligence (EDD) | High-risk customers: PEPs, non-resident customers, customers from high-risk jurisdictions, complex corporate structures, high-value transactions | All standard CDD plus: source of wealth verification, source of funds verification, senior management sign-off, more frequent periodic reviews, enhanced ongoing transaction monitoring |

Standard CDD — what must be collected

For individual customers, standard CDD requires:

  • Full legal name as it appears on the verified identity document
  • Date of birth
  • Residential address — verified through a utility bill, government document, or bank statement not older than three months
  • BVN and NIN (both required for Tier 2 and above accounts since December 2023)
  • Purpose of the account and expected transaction volume and frequency
  • Occupation or source of income

For corporate customers, standard CDD additionally requires:

  • Certificate of Incorporation and CAC registration details
  • Directors list and authorised signatories with individual KYC for each
  • Beneficial ownership information for shareholders holding 5% or more
  • Nature of business and principal activities
  • Registered and operating address

When EDD is triggered

EDD is triggered by customer risk classification, transaction characteristics, or changes in account activity. Common triggers include:

  • Customer identified as a PEP or close associate of a PEP
  • Customer is a non-resident or the transaction involves a high-risk jurisdiction flagged by FATF or the NFIU
  • Unusual or complex corporate ownership structure with multiple layers or offshore entities
  • Transaction volumes significantly above what was stated at onboarding
  • Transaction monitoring alert that cannot be satisfactorily explained through standard review
  • Adverse media identifying the customer in connection with financial crime
  • Sanctions screening potential match that cannot be cleared as a false positive

Ongoing CDD and periodic review

CDD is not a one-time event. The CBN requires periodic review of all customer relationships:

  • High-risk customers (including PEPs): annual review minimum
  • Medium-risk customers: review at least every two years
  • Low-risk customers: review every three to five years
  • Any customer: ad hoc review triggered by material change in circumstances or transaction monitoring alert

Frequently asked questions

What is the difference between CDD and KYC in Nigeria?

KYC (Know Your Customer) and CDD (Customer Due Diligence) are closely related but not identical. KYC typically refers to the identity verification process — confirming who the customer is through BVN, NIN, and identity documents. CDD is broader — it includes KYC but also covers understanding the customer's business, assessing their money laundering risk, identifying beneficial owners, and conducting ongoing monitoring. CDD is the overarching compliance obligation; KYC is a component of it.

Can a bank open an account before completing CDD?

In exceptional circumstances, the CBN allows institutions to open an account and begin standard CDD after the relationship starts, provided the risk is low and CDD is completed promptly. This is sometimes referred to as a verification window. However, transactions cannot proceed beyond the Tier 1 limit (NGN 30,000/day) until CDD is complete. For high-risk customers, CDD must be completed before the account is opened or the business relationship begins.

What happens if a customer refuses to provide CDD information?

If a customer refuses to provide information required for standard CDD, the institution cannot complete the verification process. The CBN guidelines require institutions to decline to open the account or, if an existing customer refuses to provide updated CDD information during a periodic review, to suspend or close the account. In some circumstances, a refusal to provide information may itself be a suspicious indicator that warrants filing an STR.
