Customer due diligence sits at the heart of every Irish designated person's AML obligations. Sections 33, 35, 37 and 39 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 set out when CDD must be performed, what it must achieve, and when enhanced measures are required. In practice, CDD is the first thing an inspector looks at — and the first place most firms fall short.
When is CDD required?
Under the CJA, a designated person must apply CDD:
- When establishing a business relationship
- When carrying out an occasional transaction of €15,000 or more
- When there is suspicion of money laundering or terrorist financing
- When there are doubts about the veracity or adequacy of previously obtained CDD data
- At appropriate points during the life of the relationship (ongoing monitoring)
The three levels of CDD
1. Standard CDD
Identify the customer and verify identity using reliable, independent source documents, data or information. For legal entities, identify the beneficial owners and take reasonable measures to verify them. Understand and, where appropriate, obtain information on the purpose and intended nature of the relationship.
2. Simplified CDD
Available only where the risk is demonstrably low. Simplified CDD is not "no CDD" — it's a reduced, risk-based package. Documenting why simplified CDD applies is just as important as performing it.
3. Enhanced CDD (EDD)
Required for higher-risk scenarios, including:
- Politically Exposed Persons (PEPs), their family members and close associates
- Customers or transactions involving high-risk third countries
- Complex, unusual, or unusually large transactions
- Non-face-to-face relationships (depending on controls)
- Any situation the firm's risk assessment flags as higher risk
Key nuance
EDD is not just "more documents." It is a distinct, evidenced control set — senior approval, source of wealth verification, enhanced ongoing monitoring, and a dated rationale on the file. Firms that add a second ID document and call it EDD fail inspection routinely.
Beneficial ownership
Since 2019, all Irish relevant entities must file beneficial ownership data with the Central Register of Beneficial Ownership (RBO). For designated persons, that means two things:
- Obtain an RBO extract (or equivalent) as part of CDD for corporate customers
- Take reasonable measures to verify the beneficial owner's identity — don't rely on the RBO alone
The "reasonable measures" language is critical. Simply downloading an RBO extract is not verification. You need to evidence the steps you took to confirm the human behind the structure.
Ongoing monitoring
CDD isn't an event — it's a process. Section 35(3) of the CJA requires ongoing monitoring of the business relationship, including scrutiny of transactions and keeping CDD data up to date.
In practice, that means:
- Periodic refresh cycles based on risk rating (annual for high risk, up to 3 years for low risk)
- Event-driven reviews on material changes (new product, significant transaction, media alert)
- A clear audit trail of each review
Common Central Bank findings
Irish firms consistently fall short in the same places:
- CDD completed after business relationship started (violates Section 33(2))
- Beneficial owner identified but not verified
- PEP status not screened at onboarding and ongoing
- Source of funds confused with source of wealth
- Risk ratings that never change, regardless of client behaviour
- No documented rationale for applying simplified CDD
- Ongoing monitoring reduced to an annual tick-box
The CDD file checklist
A defensible Irish CDD file in 2026 contains, at a minimum:
- Risk assessment and resulting risk rating (with rationale)
- Customer identity evidence (and verification source)
- Beneficial ownership identity and verification evidence
- PEP screening result (dated) and ongoing screening cadence
- Purpose and intended nature of the relationship (evidenced, not assumed)
- Source of funds and, where EDD applies, source of wealth documentation
- Senior approval (for EDD cases)
- Ongoing monitoring log with dated entries
- A record of training completion by the person who did the CDD
Training the team
CDD failures are almost always training failures. Staff either don't know the rules, or they know the rules but haven't seen a realistic scenario that teaches them to apply them under pressure.
Our AML training course dedicates a full module to CDD and EDD, built around real Irish enforcement cases. Book a 15-minute demo to see how it works.