Customer Due Diligence

This article discusses the Customer Due Diligence process and the solution that DEX Regulatory Suite provides to support the Customer Due Diligence process.

Customer Due Diligence

In recent years, issues such as money laundering, terrorist financing, fraud, corruption and sanctions legislation have received a great deal of attention, because these crimes have a major impact on our society. Because these crimes manifest themselves through our financial system, legislation has been developed for financial institutions to prevent and combat them. DNB and the AFM supervise financial institutions.


Literally, Customer Due Diligence means 'due diligence for the customer'. This means that financial institutions must know their customers well to ensure that no financial crimes are committed. Some important things a financial institution should know about its customer in the context of CDD are:

  • Who is the customer?
  • Why does the customer want to use your services and is this appropriate?
  • Is the client involved in risk-increasing activities that increase the risk of money laundering, terrorist financing, fraud, corruption, tax avoidance/evasion and sanctions legislation?

The Customer Due Diligence process is developed by financial institutions to know their clients and to avoid establishing relationships with persons who could damage trust in the financial company. When a company falls under the scope of a law or regulation (Wwft, SW, AMLD) and a relationship is entered into with a potential customer, a CDD investigation must be performed. A CDD study is a risk assessment in accordance with the guidelines of relevant legislation.

Without CDD, companies expose themselves to fraud and fines for non-compliance with the requirements set out in laws and regulations. Failure to comply with laws and regulations can result in large fines for companies, not to mention possible reputational damage.


Implementation CDD

Financial organizations develop CDD and Sanctions policies on the basis of legislation and regulations. This policy describes how financial institutions want to implement CDD legislation and regulations.

Implementing the developed policy seems simple, but practice shows otherwise. In addition, developments in this area follow each other in rapid succession and it is important to adapt the CDD processes quickly. But why is implementing policy so difficult?

The Wwft and Sanctions Act consist of abstract descriptions in which it is not stated how the CDD investigation should be carried out. Many organizations have difficulty translating CDD policy into practical implementation. However, it is crucial to get this right from the start. When the policy has been implemented and adjustments have to be made, this often means remedial work. This is time consuming and therefore costs a lot of money.

A few points are listed below that a good methodology must meet:

  • Research must be of high quality: CDD has become a broad field with many risks that must be taken into account. How do you ensure that everyone touches on all elements of the CDD investigation?
  • Research must be reproducible: this means that decision-making must be well documented, but a third party (such as DNB and AFM) must also be able to establish how the client's relevant risk classification has been determined.
  • Research must be carried out with sufficient speed: the commercial process will be frustrated if it is not carried out quickly enough.
  • Implementation of new developments: how do you ensure that new legislation and regulations are implemented immediately? Think, for example, of new developments in the field of tax avoidance and evasion.
  • Monitoring risks: how do you ensure that specific risks at the customer can be monitored in a timely manner?
  • Is it clear to the organization which risks are present in the customer portfolio, and is the CDD policy adjusted periodically?

DEX Data Explorers has developed DEX Regulatory Suite for Customer Due Diligence (CDD). The software supports organizations that fall under the Wwft to properly implement their CDD policy. The solution is designed in such a way that someone who has less experience with conducting CDD research can still carry out a good investigation. The process is shown in the next section.


DEX Regulatory Suite CDD Process

In the CDD process, an institution collects a lot of information, which is often recorded in a rather unstructured way, for example in a Word file. DEX CDD supports the entire CDD process for Natural Persons (NP) and Non Natural Persons (NNP, business entities).

The diagram below briefly shows the CDD process.

[Diagram: CDD process]

The CDD process is explained below per process step.

Create customer profile

The term Know Your Customer (KYC) means that you know who your customer is. That is why every CDD study starts with creating a customer profile. This is the basis of good customer research. The better this is carried out, the better the risks can be determined at the customer. The customer profile includes the following elements:

  • Recording the general data of the relationship;
  • Recording the relationship profile: who is the customer, what activities does the customer perform, nature and purpose of the relationship, what services are offered, source of assets/resources and the customer's transaction profile;
  • Scope of research: exactly what and who are being investigated and why. Who are the UBOs, who are the associated parties, are there environmental factors to take into account.

When the customer profile has been drawn up (based on supporting documentation), you basically already know a lot about the customer. Now a risk assessment must be made of the customer in relation to the risks specified in the law (money laundering, terrorist financing, fraud, corruption and sanctions legislation). This is done by conducting the basic research.

DEX RS for CDD records the files, so that the different aspects of the CDD file can be maintained.


Basic research

In the basic research, risk indicators have been identified for Natural persons and Non-natural persons to be able to detect risks as specified in the Wwft and Sanctions Act. The following risk indicators apply to the NP and NNP.

Natural Persons        | Non-Natural Persons
-----------------------|-----------------------
Geographical Risk      | Geographical Risk
Sector Risk            | Sector Risk
Transaction Risk       | Transaction Risk
Product/service risk   | Product/service risk
PEP risk               | PEP risk
Transaction Risk       | Transaction Risk
Third Party Risk       | Third Party Risk
Negative Signals Risk  | Negative Signals Risk
                       | Structure Risk
                       | Legal Form Risk

Basic questions have been developed for each risk indicator. When the customer profile is properly drawn up, the basic questions of the risk indicators can be answered. By answering these questions it becomes clear whether there are risks at the customer that need to be further investigated.

DEX RS shows the customer's risk profile based on the answers given.

Example of determining geographical risk

A Private Limited Company (BV) that wants to become a customer of your organization has activities in a high-risk country, Syria. The analyst can indicate in the basic research that the client has activities in Syria.

Syria is a high-risk country, but why is this country a high risk? In a database, it is worked out per country whether the country concerned has risk-increasing factors in the area of the risks specified in the Wwft and SW (money laundering, terrorist financing, fraud, corruption, sanctions legislation).

Syria is a high-risk country where all risks (listed in the Wwft and SW) apply. This means that it must be investigated whether the aforementioned risks can be mitigated for the potential customer. By filling in Syria in the basic questions, follow-up questions are automatically triggered in the field of money laundering, terrorist financing, corruption/fraud and sanctions legislation. By answering these questions it becomes clear whether the geographic risk has been mitigated enough to enter into a business relationship.


If none of the basic questions results in a medium or high risk, it is determined that there are no risk-increasing factors and the customer can be classified in the low risk category.

In that case, the investigation is completed. When there is a 'hit' on one of the basic questions, in-depth questions must be answered, i.e. the follow-up research.

Follow-up research

The in-depth questions are automatically selected depending on which questions are triggered in the basic survey. The example below shows which questions are triggered based on the increased Geographical risk.


This makes it clear to everyone within the organization which follow-up research must be carried out for the risks that are triggered in the basic research.

Below are some of the follow-up questions that have been selected on the basis of identified risks.


Assess risk based on the conducted research

After the basic research has been carried out, and possibly also the follow-up research, the final conclusion can be drawn up. This final conclusion should make clear which risk classification is advised and why. It is then important that the risk classification is accepted by one or more authorized employees. All of this data is logged, so that everything is reproducible.


Determine how the risks are managed

In the previous step, the final conclusion was established and the risk classification was accepted. The risk classification is already a kind of management measure. The higher the risk, the more often the customer must be analyzed for changes in the customer's situation that could increase the risk.

Additional management measures may also be required. For example, if new annual figures will be released soon and the organization would still like to receive them, a management measure can be introduced.

In DEX Regulatory Suite for CDD, the control measures can be recorded and monitored for proper compliance. This completes the CDD process.


Output, management information, recording documentation

With DEX RS for CDD, an entire file can be easily exported to Excel.


DEX RS for CDD has a number of predefined management reports, with which, for example, the progress of the handling of follow-up actions can be followed. It is also possible to easily add your own reports.


It is also possible to archive underlying documentation, for example identification documents or transaction overviews, in the system. In this way, an easily accessible archive is built up per file.

Benefits of DEX Regulatory Suite for CDD

Below we list some key benefits of DEX Regulatory Suite for CDD:

  • System in which a full CDD investigation for both the NP and the NNP can be performed.
  • The system supports the process; someone without much CDD experience is guided through the study.
  • Source documentation can be stored with the study, bundling the conducted study with all relevant documentation.
  • Changes in the SIRA, policy and processes can be implemented directly in the system so that the organization remains compliant.
  • Database of DEX Regulatory Suite CDD is kept up to date.
  • The performed study can be saved as a report.
  • All data is logged.
  • The control measures can be monitored for correct and timely implementation.
  • Management reports can be retrieved from the system. Types of reports are:
    • Distribution of the risk classifications with regard to the customer portfolio
    • Which risk indicators occur most frequently in the customer portfolio (important input SIRA)
    • Insight into the CDD workflow activities
    • Insight into progress of control measures


Norwin van Harmelen and Addition Knowledge House

DEX RS for CDD was developed in a collaboration between Norwin van Harmelen and Addition Knowledge House.

Norwin van Harmelen has many years of experience in setting up, implementing and managing Due Diligence processes. Based on this experience, Norwin developed the process that underpins DEX Regulatory Suite for CDD.

Addition Knowledge House is a DEX Regulatory Suite reseller. Addition Knowledge House provides the following services related to DEX Regulatory Suite:

Every situation is unique. That is why Addition Knowledge House is happy to discuss with you how we can optimally support your process.


DEX Regulatory Suite

DEX Regulatory Suite is the solution of DEX Data Explorers marketed by Addition Knowledge House. In addition to DEX RS for CDD, there are modules of DEX Regulatory Suite that support various regulatory reports.

Available solutions

DEX Regulatory Suite supports the following regulations:

  1. EMIR
  2. SFTR
  3. MiFID II
  4. CRD IV (COREP, FINREP, Funding Plans, Asset Encumbrance, Supervisory Benchmarking Portfolio)
  5. AnaCredit
  6. Residential Real Estate
  7. Deposit Guarantee Scheme
  8. Social Economic Reports
  9. Dutch Digital Reporting (DRA)
  10. Solvency
  11. IORP II
  12. Country Risk
  13. Financial assessment scheme (FTK)
  14. Premium pension institutions (PPI)
  15. Tax reporting (VIA, FATCA)
  16. MESRAP
  17. Monthly Security Reporting


Addition Knowledge House and DEX Regulatory Suite

Addition Knowledge House is a reseller of DEX Regulatory Suite. Addition Knowledge House delivers the following services with regard to DEX Regulatory Suite:

  • implementation support
  • maintenance
  • business process outsourcing