Published on July 30, 2025
Customer Due Diligence in Saudi Arabia: Key Compliance Guide
Customer Due Diligence (CDD), in general, involves verifying a client's identity, understanding their purpose, and assessing their money-related activities to manage risks like money laundering and fraud. In Saudi Arabia, Customer Due Diligence is mandated under the Anti-Money Laundering Law and its Implementing Regulations, enforced by the Saudi Central Bank and other supervisory bodies.
What Is Customer Due Diligence and Why Does It Matter in Saudi Arabia?
Customer Due Diligence in Saudi Arabia is the process that financial institutions and regulated businesses use to verify the identity of their customers, understand their financial activities, and assess the risks they may pose.
Customer Due Diligence in Saudi Arabia helps ensure that banks and other financial institutions only engage with legitimate customers and that suspicious activity is detected early.
The Saudi Central Bank mandates CDD as part of its anti-money laundering (AML) framework. This ensures that all financial transactions meet strict compliance standards, protecting the integrity of the Saudi financial system and helping the country meet international standards set by organizations like the Financial Action Task Force (FATF).
Key Takeaway:
Customer Due Diligence is a vital step for financial institutions in Saudi Arabia to verify who their customers are and manage risks, helping prevent money laundering and other types of financial crimes under the supervision of the Saudi Central Bank.
What is the Difference Between Customer Due Diligence and Know Your Customer?
In Saudi Arabia, the terms Customer Due Diligence (CDD) and Know Your Customer (KYC) are often used together but have distinct meanings and purposes.
- Know Your Customer (KYC) is the initial process of verifying the identity of a customer when opening an account or establishing a business relationship. This includes collecting basic information like name, address, identification documents (such as a national ID or passport), and sometimes understanding the customer's source of income.
- Customer Due Diligence (CDD) goes beyond KYC by continuously assessing the customer's risk profile throughout the relationship. It includes monitoring transactions, verifying the source of funds, understanding the purpose of transactions, and identifying beneficial owners in corporate accounts. CDD is a broader, ongoing process that ensures institutions manage risks effectively and comply with AML regulations enforced by the Saudi Central Bank.
While KYC is a foundational step, CDD is a continuous responsibility that adapts as new information arises or as the risk level of the customer changes. Both processes are required by Saudi regulations to create a robust defense against financial crime.
Key Takeaway:
KYC is the starting point for verifying customers, while CDD is a wider, ongoing process that continuously evaluates customer risks to ensure compliance with Saudi Central Bank AML requirements.
Core Components of Customer Due Diligence in Saudi Arabia
Effective CDD relies on several essential steps, all of which are mandated by the regulatory framework in Saudi Arabia. These elements must be integrated into a financial institution's compliance program from the moment a relationship begins and maintained throughout the customer lifecycle.
1. Verifying Customer Identity
The first step is to confirm the true identity of the customer using reliable, independent documents. Financial institutions must collect and verify:
- Full name, nationality, and date of birth
- Valid national ID or passport
- Address and contact information
- Legal status and registration documents for businesses
The identity of authorized signatories and beneficial owners (individuals who ultimately own or control a business entity) must also be verified when dealing with legal persons.
This verification must be conducted before any business relationship begins, in accordance with the Saudi AML Law.
2. Understanding the Purpose of the Relationship
Institutions must obtain information to understand the intended nature of the relationship, such as:
- Why the account is being opened
- Expected types of transactions
- Business activities and source of funds
3. Assessing Customer Risk
After identification and profiling, each customer must be assigned a risk rating (low, medium, or high) based on:
- Industry sector (e.g., cash-intensive businesses)
- Country of origin or residence
- Transaction behavior and volume
- Whether the customer is a politically exposed person (PEP)
Higher-risk customers require enhanced due diligence.
4. Continuous Monitoring of Transactions
CDD doesn't stop after onboarding. Institutions must monitor all customer activity to ensure it aligns with the expected profile. Monitoring may include:
- Transaction pattern analysis
- Flagging unusual or suspicious activity
- Updating risk profiles when customer behavior changes
5. Record Keeping
All CDD records, including identity documents, transaction data, and risk assessments, must be kept for no less than 10 years after the relationship ends or the transaction occurs.
Records must be stored in a way that allows prompt retrieval when requested by authorities.
Key Takeaway:
CDD in Saudi Arabia includes identity verification, understanding the purpose of the relationship, risk assessment, ongoing transaction monitoring, and long-term record retention, all regulated by law and enforced by the Saudi Central Bank.
How to Handle High-Risk Customers
Not all customers carry the same level of risk. The Saudi Central Bank requires financial institutions to adopt enhanced due diligence (EDD) when dealing with customers or scenarios that present higher money laundering risks. Here's how institutions should approach these cases.
1. Enhanced Due Diligence for High-Risk Customers
If a customer is assessed as high-risk during onboarding or monitoring, additional checks must be applied. These may include:
- Collecting additional identity or business documentation
- Verifying source of funds and wealth
- Obtaining senior management approval before establishing the relationship
- Conducting more frequent monitoring of account activity
Common high-risk categories include:
- Politically Exposed Persons (PEPs): Individuals who hold or have held senior public positions, as well as their family members and close associates.
- Customers from high-risk jurisdictions: Based on FATF grey/blacklists or countries with weak AML controls.
- Cash-intensive businesses or sectors with a history of illicit activity.
2. Verifying Beneficial Ownership for Legal Entities
For corporate or institutional customers, financial institutions must identify and verify the beneficial owners, the individuals who ultimately own or control the entity.
The Saudi Central Bank's AML guidelines state that institutions must:
- Understand the ownership and control structure
- Collect official documents confirming ownership percentages
- Verify the identity of any person with a 25% or more ownership stake (or lower if deemed high-risk)
If beneficial ownership cannot be verified, institutions should refrain from initiating the business relationship and consider filing a suspicious transaction report (STR).
3. Third-Party Reliance and Outsourcing CDD Functions
Saudi regulations allow financial institutions to rely on third parties to perform certain CDD steps, provided:
- The third party is regulated and supervised under AML/CTF laws
- The institution retains full responsibility for CDD compliance
- The institution can immediately access customer records and data upon request
Key Takeaway:
High-risk customers and complex relationships require enhanced due diligence, including deeper identity checks, source of funds verification, and close monitoring, all of which are enforced under Saudi AML law and must never be outsourced without strict controls.
How Technology Is Transforming CDD Practices in Saudi Arabia
The Saudi Central Bank encourages the responsible use of fintech and regtech tools that support AML compliance, provided they meet regulatory and data security standards.
1. Digital Identity Verification
Modern CDD starts with automated identity verification, which uses digital tools to:
- Scan and authenticate national IDs and passports
- Perform facial recognition or biometrics to match photos
- Cross-check customer data with government databases or watchlists
2. Risk-Based Transaction Monitoring
Financial institutions are using AI-powered monitoring systems to track transaction behavior in real time. These systems:
- Detect unusual patterns or behavior (e.g., structuring, large cash deposits)
- Automatically flag transactions for further review
- Adjust customer risk profiles dynamically based on activity
3. Screening Against Watchlists
Technology enables institutions to screen customers instantly against:
- National terrorism and sanctions lists
- Global databases such as Interpol, OFAC, and the UN Security Council
- Lists of politically exposed persons (PEPs)
4. Automation and Case Management
End-to-end compliance platforms help institutions:
- Centralize CDD records
- Track the lifecycle of due diligence processes
- Manage alerts and investigations through case management dashboards
Key Takeaway:
Saudi financial institutions are leveraging technology like AI, digital identity tools, and real-time transaction monitoring to enhance CDD efficiency and accuracy, with the Saudi Central Bank encouraging secure and compliant adoption of these solutions.
CDD Compliance Responsibilities for Financial Institutions in Saudi Arabia
The Saudi Central Bank expects all regulated entities to maintain a robust compliance culture:
Step 1: Assign Accountability
- Appoint a dedicated compliance officer/MLRO.
- Ensure board and senior management are ultimately responsible for AML compliance.
Step 2: Establish Internal Policies
- Develop CDD policies tailored to the institution's risk profile.
- Ensure procedures cover onboarding, monitoring, and reporting.
- Keep policies aligned with Saudi AML law and Central Bank regulations.
Step 3: Conduct Regular Risk Assessments
- Assess customer, geographic, product, and delivery channel risks.
- Update risk models and controls regularly based on findings.
Step 4: Train Employees
- Provide mandatory AML training to all relevant staff.
- Include red flags, CDD/EDD procedures, and STR filing protocols.
- Document training and update it regularly.
Step 5: Monitor and Detect Suspicious Activity
- Use monitoring systems to detect unusual transactions.
- Escalate cases internally for review.
Step 6: Keep Records
- Maintain CDD documents and STR filing records for at least 10 years, as per Article 14 of the AML Law.
Step 7: Conduct Independent Reviews
- Perform internal audits or engage external reviewers.
- Test system effectiveness and policy compliance.
- Use audit results to strengthen your AML framework.
Summary of Key Best Practices
- Verify all customers accurately: Use official IDs, biometrics, and document authentication tools.
- Understand the customer relationship: Capture the purpose, expected activities, and source of funds.
- Apply a risk-based approach: Tailor CDD depth based on risk level (e.g., PEPs, cross-border clients).
- Monitor continuously: Automate transaction monitoring and flag suspicious behavior in real time.
- Verify beneficial ownership: Especially for entities, disclose and validate controlling parties.
- Comply with AML law: Align all procedures with national laws and Saudi Central Bank directives.
- Maintain records: Keep all CDD data, updates, and STRs for at least 10 years.
- Train your team: Make AML knowledge part of the culture, not just a compliance task.
Simplify Customer Due Diligence Using FOCAL
FOCAL is a purpose-built platform that helps financial institutions carry out Customer Due Diligence (CDD) more effectively. It automatically checks customers against live sanctions databases, watchlists, and politically exposed persons (PEP) lists, alerting teams to any potential risks immediately.
The platform allows you to tailor the onboarding journey based on customer type and risk level. By integrating with trusted data providers like Yakeen and Wathq in Saudi Arabia, FOCAL ensures that identity verification is both accurate and reliable.
FAQs
Q1. What are the KYC requirements in Saudi Arabia?
Financial institutions must confirm a customer's identity using official documents, understand why they're opening an account, identify where their funds come from, and keep track of their transactions. All these steps must follow the Saudi Anti-Money Laundering Law and guidance from the Saudi Central Bank.
Q2. Is KYC the same as Customer Due Diligence?
No. KYC focuses on who the customer is, while CDD also looks at how risky the customer might be, monitors their activity over time, and applies extra checks when needed.
Q3. What are the core elements of CDD?
The main steps include verifying the customer's identity, understanding their business or reasons for the relationship, assessing their risk level, and regularly monitoring their transactions for anything suspicious.
Q4. Can CDD tasks be outsourced in Saudi Arabia?
Yes, but the financial institution is still fully responsible. Any third-party provider must be properly regulated, meet compliance requirements, and remain under the institution's oversight.