Last Updated on February 21, 2026 by Caesar Fikson
Running an online casino or sportsbook means operating as a financial institution, whether you like it or not. Regulators don’t care that you’re in the gaming business. They care that money flows through your platform, and that makes customer due diligence requirements your legal reality. Ignore them, and you’re looking at hefty fines, license revocations, or worse.
The CDD Final Rule established four core pillars that define how financial institutions, including iGaming operators, must identify and verify customers. These requirements cover everything from collecting basic identity information to identifying the beneficial owners behind legal entity accounts. For compliance officers and operators in the gambling space, understanding these pillars isn’t optional; it’s the foundation of staying operational.
At NowG, we focus on the technical and regulatory frameworks that keep iGaming businesses running smoothly. This guide breaks down each of the four CDD pillars, explains what triggers enhanced due diligence, and walks through the practical compliance steps your operation needs to follow. Whether you’re launching a new platform or tightening your existing AML program, you’ll find the specifics that actually matter here.
What customer due diligence requirements mean
Customer due diligence requirements represent the legal obligations financial institutions must follow to identify and verify who their customers are.
The Financial Crimes Enforcement Network (FinCEN) defines these requirements as a systematic process for collecting specific information about account holders and assessing the risk they represent. For iGaming operators, this means you can’t just take a username and email address and call it done. You need documented proof of identity, address verification, and in many cases, insight into the source of funds flowing through your platform.
The basic definition and legal framework
CDD requirements stem from the Bank Secrecy Act and subsequent anti-money laundering regulations that treat online gambling platforms as financial institutions. You’re required to establish and maintain a written program designed to prevent your platform from being used for money laundering or terrorist financing. The CDD Final Rule, which took effect in May 2018, expanded these obligations to include mandatory identification of beneficial owners for legal entity customers. This rule closed a loophole that previously allowed shell companies to open accounts without revealing who controlled them.
The regulations apply across multiple stages of the customer relationship. You must perform CDD when opening new accounts, when conducting transactions above certain dollar thresholds, and whenever you detect suspicious activity patterns. Your compliance program needs documented procedures for each of these trigger points, and regulators expect you to follow them consistently across all customer segments.
The core components of CDD
CDD breaks down into four distinct but interconnected processes. First, you must verify customer identity using government-issued documents and cross-reference that information against public records or third-party databases. Second, you need to verify the beneficial owners of legal entities, meaning anyone who owns 25% or more of the company or exercises significant control over it. Third, you’re required to understand the nature and purpose of customer relationships to develop appropriate risk profiles. Fourth, you must conduct ongoing monitoring to identify and report suspicious transactions.
The ongoing monitoring requirement means CDD isn’t a one-time checkbox exercise. You’re expected to maintain current information throughout the entire customer lifecycle.
These components work together to create a complete picture of who you’re doing business with. A player who deposits $500 monthly from a verified bank account presents a different risk profile than one making irregular crypto deposits totaling $50,000. Your CDD framework needs to flag these differences and trigger appropriate review procedures based on the level of risk involved.
How CDD differs from simple identity checks
Many operators confuse basic identity verification with full customer due diligence requirements. Checking a driver’s license against a selfie represents Customer Identification Program (CIP) compliance, which is only one component of CDD. The broader CDD framework requires you to go several steps further by assessing transaction patterns, monitoring for unusual activity, and maintaining documentation that proves you understand why the customer does business with you.
Standard identity checks typically stop at confirming the name, date of birth, address, and identification number match across documents. CDD requires you to collect additional information about employment status, anticipated transaction volume, and source of funds for high-value accounts. You also need policies that define when you’ll request updated documentation or conduct enhanced due diligence for customers who trigger specific risk indicators.
The practical difference shows up when regulators audit your program. They won’t just check whether you verified identities at account opening. They’ll examine whether you maintained current information, whether you escalated suspicious patterns to compliance teams, and whether your risk assessments actually match the customer behavior you documented. Your CDD program needs to demonstrate that you actively monitor accounts and adjust risk ratings based on actual activity, not just the initial application data.
Why CDD matters for compliance and risk control
You can’t run a sustainable iGaming operation without proper customer due diligence requirements in place. Regulators view non-compliance as a direct threat to the financial system’s integrity, and they respond with enforcement actions that can shut down your entire operation. The consequences extend beyond legal penalties to include reputational damage that makes it nearly impossible to secure banking relationships or maintain licenses in multiple jurisdictions. Your CDD program represents your first line of defense against both regulatory scrutiny and the financial criminals who specifically target gambling platforms.
The direct legal consequences of poor CDD
Financial institutions that fail to implement adequate CDD programs face penalties that start in the millions and escalate quickly. The Office of the Comptroller of the Currency (OCC) and FinCEN have issued enforcement actions against gambling-adjacent businesses resulting in fines exceeding $100 million for AML program failures. Your state gaming regulator can revoke your license entirely if they determine your due diligence procedures don’t meet minimum standards, which means you lose access to that market permanently.
Regulators don’t distinguish between intentional violations and negligent failures. They evaluate whether your CDD framework could reasonably detect the suspicious activity that occurred.
Beyond the immediate fines, regulatory violations trigger consent orders that force you to implement costly remediation programs under government supervision. You’ll need to hire independent compliance consultants, conduct lookback reviews of historical accounts, and submit to enhanced monitoring for years. These consent orders become public record, which complicates your ability to secure payment processing relationships or expand into new markets where regulators check your enforcement history.
The operational risk angle
Weak CDD practices create vulnerabilities that criminals actively exploit. Money launderers identify platforms with loose verification procedures and use them to process illicit funds through structured deposits and coordinated betting patterns. Your platform becomes the vehicle for layering transactions that obscure criminal proceeds, and when law enforcement traces the money, your business appears in the investigation file.
Poor due diligence also exposes you to fraud losses that directly impact your bottom line. Players who bypass proper identity verification often use stolen payment credentials or engage in bonus abuse schemes that drain your promotional budgets. Without proper CDD, you can’t identify the networks of connected accounts or the beneficial owners orchestrating these attacks. Chargebacks from compromised accounts increase your payment processing fees and risk getting your merchant accounts terminated, which effectively kills your ability to accept deposits.
Who must follow CDD requirements and when they apply
The Bank Secrecy Act defines financial institutions broadly, and that definition includes your iGaming operation whether you’re running a casino, sportsbook, or both. You fall under CDD obligations the moment you accept, transmit, or store customer funds, which means virtually every licensed gambling platform needs a compliant program. The regulations don’t create exemptions for small operators or those serving specific markets. If you’re processing transactions that cross state or international borders, you’re subject to federal customer due diligence requirements regardless of your annual revenue or player volume.
Financial institutions covered under the rule
Banks, credit unions, and securities brokers represent the obvious targets of CDD regulations, but the FinCEN definitions extend far beyond traditional finance. Money services businesses, which include payment processors and cryptocurrency exchanges that facilitate gambling transactions, must implement full CDD programs. Card clubs and casinos fall explicitly under the rule, as do any businesses that provide financial services as part of their core operations.
Your platform triggers coverage if you maintain customer accounts, process deposits or withdrawals, or act as an intermediary for monetary transactions. The regulatory framework treats you identically to a bank when it comes to due diligence obligations, even though your primary business involves entertainment rather than traditional banking. Third-party payment providers you work with also carry CDD obligations, which means you need to verify that your processing partners maintain compliant programs that protect your business from secondary liability.
If you accept deposits above $3,000 in a single transaction or $10,000 in aggregate over 24 hours, you trigger enhanced reporting requirements on top of standard CDD.
Trigger points that activate CDD obligations
You must conduct customer due diligence when opening new accounts, which in gambling terms means the point when a player completes registration and submits identity documents. The account opening process represents your primary opportunity to collect required information and verify beneficial ownership for business entities. Waiting until after the first deposit to begin verification creates compliance gaps that regulators will flag during audits.
Certain transaction thresholds force you to conduct additional due diligence even for existing accounts. Any wire transfer exceeding $3,000 requires you to verify the customer’s identity and retain records of that verification. Transactions structured to avoid reporting requirements trigger automatic suspicious activity reports, which means you need monitoring systems that detect patterns of deposits just below threshold amounts.
Changes in account ownership or control structure require updated CDD procedures. When an existing customer adds authorized users, changes their business structure, or transfers account ownership, you must verify the new parties and update your beneficial ownership records. Detecting unusual activity patterns, such as sudden spikes in transaction volume or geographic anomalies in login locations, also triggers enhanced review requirements even when no specific dollar threshold applies.
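The threshold and structuring triggers described above, worked through as an added example (this is illustrative code, not NowG's or any vendor's monitoring logic). It uses the $3,000 single-transaction and $10,000-per-24-hour figures quoted in this guide; the "just below threshold" band (80% of the threshold) and the count of three near-threshold deposits are assumed tuning parameters, and the deposit data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds quoted in the article. The structuring band and minimum count are
# illustrative parameters a compliance team would tune, not regulatory values.
SINGLE_TXN_THRESHOLD = 3_000.00
AGGREGATE_THRESHOLD = 10_000.00
WINDOW = timedelta(hours=24)
STRUCTURING_BAND = 0.80      # a deposit at >= 80% of the threshold but below it
STRUCTURING_MIN_COUNT = 3    # this many near-threshold deposits in one window


@dataclass(frozen=True)
class Deposit:
    player_id: str
    ts: datetime
    amount: float


def _in_window(deposits, end):
    """Deposits whose timestamp falls in the 24 hours ending at `end`."""
    start = end - WINDOW
    return [d for d in deposits if start < d.ts <= end]


def evaluate_deposit(history, new):
    """Return the trigger codes raised by `new`, given the player's prior deposits.
    Codes: SINGLE_3000, AGG_10000_24H, STRUCTURING."""
    flags = []
    own = [d for d in history if d.player_id == new.player_id]
    window = _in_window(own, new.ts) + [new]
    if new.amount >= SINGLE_TXN_THRESHOLD:
        flags.append("SINGLE_3000")
    if sum(d.amount for d in window) >= AGGREGATE_THRESHOLD:
        flags.append("AGG_10000_24H")
    # Structuring: repeated deposits parked just under the single-transaction line.
    near = [d for d in window
            if SINGLE_TXN_THRESHOLD * STRUCTURING_BAND <= d.amount < SINGLE_TXN_THRESHOLD]
    if len(near) >= STRUCTURING_MIN_COUNT:
        flags.append("STRUCTURING")
    return flags


def run_monitor(deposits):
    """Replay deposits in time order; return {player_id: sorted list of flags}."""
    out = {}
    seen = []
    for d in sorted(deposits, key=lambda d: d.ts):
        for f in evaluate_deposit(seen, d):
            out.setdefault(d.player_id, set()).add(f)
        seen.append(d)
    return {p: sorted(f) for p, f in out.items()}


# Constructed sample deposits.
T0 = datetime(2026, 2, 20, 9, 0)
SAMPLE = [
    Deposit("p1", T0, 500.0),                           # recreational, no flag
    Deposit("p1", T0 + timedelta(days=3), 500.0),
    Deposit("p2", T0, 2_900.0),                         # three just-under-threshold deposits
    Deposit("p2", T0 + timedelta(hours=5), 2_950.0),    # inside one 24h window
    Deposit("p2", T0 + timedelta(hours=11), 2_800.0),
    Deposit("p3", T0, 4_000.0),                         # single-transaction trigger
    Deposit("p3", T0 + timedelta(hours=20), 6_500.0),   # pushes 24h aggregate past $10,000
    Deposit("p4", T0, 2_900.0),                         # same amounts as p2, spread over days
    Deposit("p4", T0 + timedelta(days=2), 2_950.0),     # so no single window shows a pattern
    Deposit("p4", T0 + timedelta(days=4), 2_800.0),
]

if __name__ == "__main__":
    for player, flags in run_monitor(SAMPLE).items():
        print(player, flags)
```

Player p4 makes the same three deposits as p2 but days apart and raises nothing, which is why the window, not just the amounts, has to be part of the rule.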
The 4 pillars of the FinCEN CDD Final Rule
The CDD Final Rule establishes four specific pillars that define your compliance obligations as a financial institution. These pillars represent distinct but interconnected requirements that work together to create a comprehensive due diligence framework. Your iGaming operation must implement all four pillars simultaneously, and regulators evaluate your program based on how effectively you execute each component. The rule doesn’t allow you to pick and choose which elements to implement based on your business model or customer base.
Pillar 1: Customer identification and verification
You must identify and verify the identity of each customer who opens an account at the time of account opening. This pillar requires you to collect specific identifying information, including name, date of birth, address, and identification number for U.S. persons or passport number for foreign nationals. Your verification procedures need to use documents, non-documentary methods, or a combination of both to confirm that the information provided actually belongs to the person opening the account. For iGaming platforms, this means implementing automated verification systems that cross-reference government databases and validate identity documents against fraud indicators before allowing deposits.
Pillar 2: Beneficial ownership identification and verification
Every legal entity customer triggers mandatory beneficial ownership requirements under this pillar. You must identify and verify individuals who own 25% or more of the entity and at least one person who exercises significant control over it. Your platform needs documented procedures for collecting ownership information through certification forms and verifying those individuals using the same standards applied to natural person customers. This pillar closes the shell company loophole that criminals previously exploited to hide their identities behind corporate structures.
Legal entities include LLCs, partnerships, corporations, and trusts, but exclude publicly traded companies and certain regulated entities already subject to beneficial ownership disclosure requirements.
Pillar 3: Understanding the nature and purpose of customer relationships
You need to develop a customer risk profile based on the information collected during account opening. This pillar requires you to understand what the customer intends to do with the account, which means collecting information about expected transaction volume, source of funds, and business activities. Your risk assessment determines the level of ongoing monitoring you’ll apply to the account and whether enhanced due diligence becomes necessary.
Pillar 4: Ongoing monitoring for suspicious transactions
Your customer due diligence requirements extend throughout the entire customer relationship, not just at account opening. You must conduct ongoing monitoring to identify and report suspicious transactions and maintain current customer information. This pillar requires automated systems that flag unusual activity patterns, periodic reviews of high-risk accounts, and procedures for updating customer information when circumstances change or inconsistencies appear.
Beneficial ownership: how to identify and verify it
Identifying beneficial owners represents the most complex aspect of customer due diligence requirements for legal entity accounts. You need to pierce through corporate structures to identify the real people who ultimately own or control the business, which means looking beyond the authorized signers who open the account. Your platform must collect and verify information about individuals who meet specific ownership thresholds or exercise control over the entity, even when those people never directly interact with your platform. The regulations make you responsible for documenting this ownership chain before you allow any business entity to deposit funds.
Who qualifies as a beneficial owner
The rule defines two categories of beneficial owners you must identify. First, you need to identify each individual who owns 25% or more of the equity interests in the legal entity. This includes direct ownership and indirect ownership through other entities. Second, you must identify at least one individual who exercises significant control over the entity, which typically means a senior officer, director, or manager who makes key decisions about the business operations.
Control doesn’t always follow ownership percentages. Someone with less than 25% ownership might still qualify as a beneficial owner if they exercise management authority or have the power to direct business decisions. Your procedures need to account for authorized signers, executives, and trustees who control how the entity operates regardless of their equity stake.
You can identify up to four individuals in the ownership prong and one in the control prong, but you must always identify at least one beneficial owner even if no single person owns 25% or more.
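The ownership and control prongs described above, worked through as an added example (illustrative code, not NowG's or FinCEN's). It attributes indirect ownership proportionally through intermediate entities, which is an assumption made for this example; the cap tables and the control person are constructed.

```python
# Constructed cap table: entity -> {owner: fraction of equity}. Owners that are
# themselves keys of the table are intermediate entities; anything else is a person.
OWNERSHIP_THRESHOLD = 0.25
MAX_OWNERSHIP_PRONG = 4

CAP_TABLE = {
    "Customer LLC": {"HoldCo Inc": 0.40, "alice": 0.05, "bob": 0.30, "carol": 0.25},
    "HoldCo Inc": {"alice": 0.60, "dave": 0.40},
    # Five equal partners: nobody reaches 25%, so only the control prong names anyone.
    "Syndicate LP": {f"partner_{c}": 0.20 for c in "abcde"},
}


def effective_ownership(cap_table, entity):
    """Total direct plus indirect ownership per natural person.
    Indirect stakes are multiplied through each intermediate entity (assumption)."""
    totals = {}

    def walk(ent, multiplier, seen):
        if ent in seen:
            raise ValueError(f"circular ownership through {ent}")
        for owner, frac in cap_table.get(ent, {}).items():
            share = multiplier * frac
            if owner in cap_table:             # intermediate entity: keep walking
                walk(owner, share, seen | {ent})
            else:
                totals[owner] = totals.get(owner, 0.0) + share

    walk(entity, 1.0, frozenset())
    return totals


def ownership_prong(cap_table, entity):
    """People at or above the 25% line, largest stake first."""
    totals = effective_ownership(cap_table, entity)
    owners = sorted((p for p, s in totals.items() if s >= OWNERSHIP_THRESHOLD - 1e-9),
                    key=lambda p: -totals[p])
    assert len(owners) <= MAX_OWNERSHIP_PRONG   # at most four people can each hold >= 25%
    return owners


def beneficial_owners(cap_table, entity, control_person):
    """Ownership prong plus one control-prong individual, who is always named
    even when the ownership prong is empty."""
    if not control_person:
        raise ValueError("a control-prong individual is always required")
    return {"ownership": ownership_prong(cap_table, entity), "control": control_person}


if __name__ == "__main__":
    # alice: 40% * 60% = 24% indirectly, below the line on its own, plus 5% direct = 29%.
    print(beneficial_owners(CAP_TABLE, "Customer LLC", "erin"))
    print(beneficial_owners(CAP_TABLE, "Syndicate LP", "erin"))
```

Note that erin appears only in the control prong: she holds no equity in either entity, which is exactly the case the rule covers by requiring a control-prong person regardless of ownership.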
The certification process
You collect beneficial ownership information using the Certification Form prescribed by FinCEN, which requires the legal entity customer to provide details about each beneficial owner. The form includes name, date of birth, address, and identification number for each individual. Your account opening process needs to present this form at the appropriate time and verify that authorized signers complete it accurately. Keep copies of the completed certification in your compliance records because regulators will review them during examinations.
Verification methods that meet regulatory standards
After collecting the certification, you must verify each beneficial owner’s identity using the same procedures you apply to individual account holders. This means checking government-issued identification documents such as driver’s licenses or passports and confirming that the information matches across sources. Your verification system should use documentary verification, database checks, or both to establish that the person exists and that the identifying information is accurate. The verification standard requires reasonable belief that you know the true identity of each beneficial owner before you allow the entity to transact through your platform.
CDD vs KYC, CIP, SDD, and EDD
Compliance terminology creates confusion because regulatory frameworks use overlapping acronyms that describe related but distinct processes. Your operation needs to understand how customer due diligence requirements fit within the broader anti-money laundering landscape and where CDD differs from similar concepts like KYC, CIP, SDD, and EDD. These terms represent different compliance layers that work together to create your complete AML program. Getting the distinctions wrong leads to compliance gaps that regulators will find during examinations.
How KYC relates to CDD
Know Your Customer (KYC) represents the umbrella term for all processes you use to verify customer identities and assess their risk profiles. CDD functions as a specific regulatory requirement within your broader KYC framework, focusing on the four pillars mandated by FinCEN. KYC includes additional elements beyond CDD, such as politically exposed person screening, adverse media checks, and sanctions list monitoring. Your KYC program provides the operational structure that implements CDD obligations along with other risk management practices your business adopts voluntarily or through industry standards.
The practical difference shows up in scope. Your KYC procedures might include behavioral analytics, device fingerprinting, and social media verification to prevent fraud, but these elements don’t satisfy specific CDD regulatory requirements. You need both the regulatory minimum that CDD defines and the additional controls that effective KYC provides.
What CIP covers within the framework
The Customer Identification Program (CIP) represents the first pillar of CDD, focusing exclusively on verifying customer identity at account opening. Your CIP procedures define what documents you’ll accept, which databases you’ll check, and how you’ll confirm that the person opening the account is who they claim to be. CIP stops after identity verification, while CDD continues through beneficial ownership identification, risk profiling, and ongoing monitoring.
CIP gives you the “who,” but CDD requires you to understand the “why” and “what” behind customer relationships.
When SDD and EDD apply
Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD) represent risk-based variations of standard CDD procedures. You apply SDD to low-risk customers who present minimal money laundering exposure, such as small-value recreational players with verified local bank accounts. SDD allows reduced documentation and less frequent monitoring, but you still need policies that define which customers qualify and what simplified procedures you’ll follow.
EDD applies to high-risk accounts that trigger specific red flags, including large transaction volumes, politically exposed persons, customers from high-risk jurisdictions, or unusual activity patterns. Your EDD procedures require additional information collection, more frequent account reviews, and senior management approval for certain transactions. The risk-based approach means you allocate compliance resources proportionally to the actual threat each customer segment presents rather than applying identical procedures across your entire player base.
How to implement CDD requirements step by step
Building an effective CDD program requires methodical execution across multiple operational layers. You can’t simply download a policy template and call yourself compliant. Your implementation needs to address technology infrastructure, staff training, documentation standards, and ongoing monitoring systems that work together as an integrated compliance framework. The goal is creating procedures that scale with your business while maintaining the regulatory standards that keep your license intact.
Build your CDD policy framework first
Start by documenting your written CDD policy that defines how you’ll meet each of the four pillars. Your policy needs specific procedures for collecting customer information, verifying beneficial owners, assessing risk profiles, and conducting ongoing monitoring. Include clear definitions of what triggers enhanced due diligence, how you’ll handle high-risk jurisdictions, and who has authority to approve exceptions. This document becomes your roadmap and the first thing regulators examine during compliance reviews.
Your policy should specify exact data points you’ll collect at account opening, including fields for beneficial ownership information from legal entities. Define your verification methods, whether you’ll use documentary or non-documentary approaches, and what constitutes acceptable proof for each customer type. Document your risk rating methodology and the criteria that move accounts between risk categories.
Implement automated verification systems
You need technology that handles identity verification at scale without creating friction that drives players away. Select verification providers that offer document authentication, database checks, and biometric matching integrated into your registration flow. Your system should automatically flag accounts that fail verification checks or present inconsistent information, routing them to manual review queues before allowing deposits.
Automated systems reduce compliance costs while improving accuracy, but you still need human oversight for edge cases and final decisions on suspicious patterns.
Build monitoring tools that track transaction patterns and flag anomalies based on your risk parameters. Your platform should generate alerts for sudden volume spikes, geographic inconsistencies, or behavior that deviates from the customer’s stated profile. These alerts feed your ongoing monitoring obligation and provide the documentation regulators expect to see during examinations.
Assign clear responsibilities and train your team
Designate a compliance officer with authority to enforce customer due diligence requirements across all business units. This person needs direct access to senior management and budget authority to implement necessary controls. Create escalation procedures that route suspicious activity reports through compliance review before they reach management for final decisions.
Train your customer service, payment processing, and fraud prevention teams on CDD obligations so they recognize red flags during daily operations. Staff who handle account openings need to understand beneficial ownership requirements and when to request additional documentation. Regular training updates keep your team current as regulations evolve and new laundering techniques emerge.
Your next move
Your platform’s survival depends on implementing customer due diligence requirements that meet regulatory standards and protect your license. Start by auditing your current verification procedures against the four pillars outlined in this guide, identifying gaps in beneficial ownership collection, ongoing monitoring, or risk assessment processes. Document every deficiency and create a prioritized remediation plan with specific deadlines and assigned responsibilities for each compliance component.
Build relationships with compliance technology vendors who specialize in gaming platforms and understand the unique challenges of high-volume player verification. Your automated systems need to scale with growth while maintaining the accuracy regulators demand during examinations.
NowG provides the technical intelligence and industry analysis that keeps iGaming operations competitive and compliant. Explore our platform for deep-dive guides on payment processing, regulatory frameworks, and the automation tools that modernize your compliance infrastructure without sacrificing player experience.