- CDD is mandatory for all clients; EDD is mandatory for PEPs, high-risk countries and complex structures
- Beneficial ownership must be established to the natural person level (≥25% threshold under AMLD)
- PEP and sanctions screening must be completed before onboarding, not after
- Every step must be documented and retained for at least 5 years after the business relationship ends (the AMLD minimum)
Client onboarding for regulated businesses involves a sequence of mandatory compliance steps that must be completed before the business relationship commences (or, in limited circumstances, during it). Regulators repeatedly cite onboarding failures in AML enforcement actions: missed beneficial owners, unverified PEP status, missing source of wealth documentation, and incomplete risk assessments.
Use this checklist for both individual and corporate clients. Work through it sequentially — later steps build on earlier ones.
Part 1: Individual clients (natural persons)
Identity verification
- ☐ Full legal name confirmed from government-issued identity document
- ☐ Date of birth confirmed and recorded
- ☐ Current residential address confirmed (utility bill, bank statement or government letter dated within the last 3 months)
- ☐ Identity document checked for validity and signs of tampering
- ☐ For non-face-to-face: certified copy or digital verification (Onfido, Veriff, etc.) completed
- ☐ Copies of identity documents retained
PEP and sanctions screening
- ☐ Name screened against current sanctions lists (UN, EU, OFAC, national)
- ☐ Name screened against PEP databases
- ☐ Adverse media search conducted
- ☐ Close associates and family members screened if any PEP match identified
- ☐ Screening result documented (match or no match, date and provider)
- ☐ False positives resolved and documented with rationale
Risk assessment
- ☐ Customer risk score assigned using the firm's documented risk assessment criteria
- ☐ Risk factors documented: jurisdiction, PEP status, products sought, delivery channel, business nature
- ☐ EDD triggered if risk score is high (see EDD checklist below)
Part 2: Corporate clients (legal entities)
Entity verification (KYB)
- ☐ Full legal name and registration number confirmed from company registry
- ☐ Registered address confirmed
- ☐ Certificate of Incorporation / Registration obtained
- ☐ Articles of Association / Constitution obtained
- ☐ Current directors list obtained and verified
- ☐ Latest filed accounts obtained (for financial profile)
- ☐ Regulatory licences confirmed where applicable (FCA, ECB, etc.)
Beneficial ownership (UBO)
- ☐ All persons owning or controlling ≥25% of shares or voting rights identified (AMLD threshold)
- ☐ UBO structure traced through all intermediate entities to the natural person level
- ☐ UBO identity verified (same individual checklist as Part 1)
- ☐ Where no natural person reaches the 25% threshold, or ownership cannot be established with confidence: senior managing official identified and verified
- ☐ Ownership structure diagram prepared and retained
- ☐ Company registry cross-checked for consistency with stated ownership
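Tracing ownership "through all intermediate entities to the natural person level" is a graph calculation: a person's effective holding in the target entity is the sum, over every chain of intermediate companies, of the product of the shareholdings along that chain. The script below is an added example (it is not HubSecure code) that performs that calculation over a constructed ownership structure, flags natural persons at or above the 25% AMLD threshold, and reports the part of the structure that could not be traced, which is the case where the checklist falls back to the senior managing official. Entity and person names are invented for illustration.

```python
from collections import defaultdict

# Constructed sample ownership graph (invented entities, not real companies).
# Key: entity; value: {shareholder: fraction of shares / voting rights held}.
# A shareholder that is neither a natural person nor a key in the graph is an
# intermediate entity with no ownership data, so its share counts as unresolved.
OWNERSHIP = {
    "TargetCo": {"HoldCo A": 0.60, "HoldCo B": 0.30, "Person C": 0.10},
    "HoldCo A": {"Person D": 0.50, "Person E": 0.50},
    "HoldCo B": {"HoldCo A": 0.40, "Person F": 0.60},
}
NATURAL_PERSONS = {"Person C", "Person D", "Person E", "Person F"}

AMLD_THRESHOLD = 0.25  # 25% of shares or voting rights (AMLD default)


def effective_ownership(entity, graph, natural_persons):
    """Return (effective fraction per natural person, unresolved fraction).

    Effective ownership is the sum over every ownership path from `entity`
    to a natural person of the product of the fractions along that path.
    The unresolved fraction is the share attributed to intermediate entities
    whose own shareholders are unknown, plus any shares nobody is recorded
    as holding. Circular cross-holdings raise an error: they need a linear
    solve rather than a simple walk, and should be escalated to an analyst.
    """
    totals = defaultdict(float)
    unresolved = 0.0

    def walk(node, fraction, path):
        nonlocal unresolved
        if node in path:
            raise ValueError("circular ownership via " + " -> ".join(path + [node]))
        holders = graph.get(node)
        if holders is None:
            unresolved += fraction  # intermediate entity with no ownership data
            return
        # Shares of this entity that no recorded holder accounts for.
        unresolved += fraction * max(0.0, 1.0 - sum(holders.values()))
        for owner, share in holders.items():
            if owner in natural_persons:
                totals[owner] += fraction * share
            else:
                walk(owner, fraction * share, path + [node])

    walk(entity, 1.0, [])
    return dict(totals), unresolved


def identify_ubos(entity, graph, natural_persons, threshold=AMLD_THRESHOLD):
    """Apply the threshold and the checklist's senior-managing-official fallback."""
    effective, unresolved = effective_ownership(entity, graph, natural_persons)
    ubos = sorted(p for p, f in effective.items() if f >= threshold - 1e-9)
    return {
        "effective": effective,
        "unresolved": unresolved,
        "ubos": ubos,
        # No natural person reaches the threshold, or part of the structure
        # cannot be traced: identify and verify the senior managing official.
        "fallback_to_senior_managing_official": not ubos or unresolved > 1e-9,
    }


if __name__ == "__main__":
    result = identify_ubos("TargetCo", OWNERSHIP, NATURAL_PERSONS)
    for person, frac in sorted(result["effective"].items()):
        print(f"{person}: {frac:.1%}")
    print("UBOs at >= 25%:", result["ubos"])
    print(f"Unresolved ownership: {result['unresolved']:.1%}")
    print("Senior managing official fallback:", result["fallback_to_senior_managing_official"])
```

In the sample structure Person D and Person E each hold 36% of TargetCo once the indirect route through HoldCo B is counted (30% directly via HoldCo A plus 6% via HoldCo B's stake in HoldCo A), so both are UBOs even though no single line of the registry shows either of them above 25%. Lowering `threshold` implements the risk-based tracing at lower percentages that the FAQ below describes.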
PEP and sanctions screening (corporate)
- ☐ Entity name screened against sanctions lists
- ☐ All UBOs and directors screened against PEP and sanctions lists
- ☐ Adverse media search on entity and key persons
- ☐ Results documented
Part 3: Enhanced Due Diligence (high-risk clients)
- ☐ Source of Wealth established with supporting documentation
- ☐ Source of Funds established for initial transactions
- ☐ Purpose of business relationship documented in detail
- ☐ Senior management approval obtained before proceeding
- ☐ Enhanced monitoring frequency set in transaction monitoring system
- ☐ Periodic EDD review date scheduled (typically 12 months)
Before you proceed: Business relationship must not commence until CDD is complete. In limited circumstances (legal services, urgent transactions) CDD can be completed during the relationship — but this requires documented justification and must be completed as soon as practicable.
Part 4: Documentation and record-keeping
- ☐ Complete onboarding file assembled: identity docs, verification results, risk assessment, screening results
- ☐ Onboarding decision documented: approved / declined / escalated
- ☐ File retained in system with a retention flag of at least 5 years from the end of the business relationship
- ☐ Ongoing monitoring parameters set based on risk score
See also: KYB Compliance Guide — EDD Guide — PEP Screening Guide
Frequently Asked Questions
When must CDD be completed?
Generally, CDD must be completed before establishing a business relationship or carrying out an occasional transaction. There are limited exceptions for specific sectors where CDD can be completed during the relationship, but this requires documented justification and must be completed as soon as practicable. Never allow a transaction to complete without at least partial CDD in place.
What ownership threshold defines a beneficial owner?
Under the EU AML Directives, the standard threshold is 25% of shares or voting rights. Firms should note that this is a minimum: a risk-based approach may require tracing ownership at lower thresholds for higher-risk clients, and some jurisdictions apply a lower threshold (for example 10%) for specified higher-risk cases.
Do we need to screen the people behind a corporate client, not just the entity?
Yes. Screening must cover the entity itself, all beneficial owners, and all directors and senior managing officials (the latter where a UBO cannot be identified). Screening only the entity name misses the most common PEP risk, which typically attaches to individuals rather than to the entity itself.
What if a client refuses to provide CDD information?
Refusal to provide CDD information is itself a red flag. You must not proceed with the business relationship and should consider whether the refusal requires a SAR. Document the refusal and your decision-making. Do not attempt to obtain the information through alternative means that bypass CDD requirements.
How often should CDD be refreshed?
At a minimum, whenever your risk assessment triggers re-verification (a change in risk profile, a trigger event, or a high-risk periodic review). In practice, at defined intervals aligned with risk: typically annually for high-risk clients, every 3 years for medium-risk and every 5 years for low-risk, and more frequently for clients with PEP status.
How does HubSecure support this checklist?
HubSecure guides clients through digital onboarding, collects documents, runs identity verification, triggers PEP/sanctions screening automatically, prompts analysts through each checklist item, enforces EDD when triggered, and assembles the complete onboarding file with timestamps and an immutable audit trail, typically reducing onboarding time from days to hours.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.