Three levels of due diligence
| Level | When applied | What it involves |
|---|---|---|
| Simplified CDD (SDD) | Demonstrably low-risk customers — e.g. regulated financial institutions, listed public companies, government entities | Reduced verification requirements; no ongoing enhanced monitoring. Note: SDD is not available for all categories — the institution must document its basis for applying SDD |
| Standard CDD | All customers who do not qualify for SDD and are not classified as high risk | Identity verification, address confirmation, understanding of business activity and expected transaction profile, beneficial ownership for corporates |
| Enhanced Due Diligence (EDD) | High-risk customers: PEPs, non-resident customers, customers from high-risk jurisdictions, complex corporate structures, high-value transactions | All standard CDD plus: source of wealth verification, source of funds verification, senior management sign-off, more frequent periodic reviews, enhanced ongoing transaction monitoring |
Standard CDD — what must be collected
For individual customers, standard CDD requires:
- Full legal name as it appears on the verified identity document
- Date of birth
- Residential address — verified through a utility bill, government document, or bank statement not older than three months
- BVN and NIN (both required for Tier 2 and above accounts since December 2023)
- Purpose of the account and expected transaction volume and frequency
- Occupation or source of income
For corporate customers, standard CDD additionally requires:
- Certificate of Incorporation and CAC registration details
- Directors list and authorised signatories with individual KYC for each
- Beneficial ownership information for shareholders holding 5% or more
- Nature of business and principal activities
- Registered and operating address
When EDD is triggered
EDD is triggered by customer risk classification, transaction characteristics, or changes in account activity. Common triggers include:
- Customer identified as a PEP or close associate of a PEP
- Customer is a non-resident or the transaction involves a high-risk jurisdiction flagged by FATF or the NFIU
- Unusual or complex corporate ownership structure with multiple layers or offshore entities
- Transaction volumes significantly above what was stated at onboarding
- Transaction monitoring alert that cannot be satisfactorily explained through standard review
- Adverse media identifying the customer in connection with financial crime
- Sanctions screening potential match that cannot be cleared as a false positive
Ongoing CDD and periodic review
CDD is not a one-time event. The CBN requires periodic review of all customer relationships:
- High-risk customers (including PEPs): annual review minimum
- Medium-risk customers: review at least every two years
- Low-risk customers: review every three to five years
- Any customer: ad hoc review triggered by material change in circumstances or transaction monitoring alert
Frequently asked questions
What is the difference between CDD and KYC in Nigeria?
KYC (Know Your Customer) and CDD (Customer Due Diligence) are closely related but not identical. KYC typically refers to the identity verification process — confirming who the customer is through BVN, NIN, and identity documents. CDD is broader — it includes KYC but also covers understanding the customer's business, assessing their money laundering risk, identifying beneficial owners, and conducting ongoing monitoring. CDD is the overarching compliance obligation; KYC is a component of it.
Can a bank open an account before completing CDD?
In exceptional circumstances, the CBN allows institutions to open an account and begin standard CDD after the relationship starts, provided the risk is low and CDD is completed promptly. This is sometimes referred to as a verification window. However, transactions cannot proceed beyond the Tier 1 limit (NGN 30,000/day) until CDD is complete. For high-risk customers, CDD must be completed before the account is opened or the business relationship begins.
What happens if a customer refuses to provide CDD information?
If a customer refuses to provide information required for standard CDD, the institution cannot complete the verification process. The CBN guidelines require institutions to decline to open the account or, if an existing customer refuses to provide updated CDD information during a periodic review, to suspend or close the account. In some circumstances, a refusal to provide information may itself be a suspicious indicator that warrants filing an STR.