The gap between what CDD is supposed to do and what it can actually deliver at scale is where most of the industry's compliance exposure sits. Not in the absence of policy: the FCA's April 2026 multi-firm review found that most firms had AML policies in place. It sits in the distance between a written control and a consistently executed one.
That distance is structural. The same challenges appear in the ICAEW's supervision data from 2025. They do not persist because institutions lack intent; they persist because the systems, data, and processes that CDD depends on were not designed for the regulatory standard that now applies to them.
What follows is an account of where those gaps sit and why they are difficult to close.
CDD depends on accurate, current, accessible customer data. The systems that hold it were largely built before those three requirements existed in the same sentence.
Customer records decay between reviews. Information collected at onboarding is accurate at that moment. By the next periodic review, beneficial ownership structures may have changed, source of funds may have shifted, and the risk profile on file no longer reflects the actual relationship.
The ICAEW's 2024/25 supervision report, covering 1,185 monitoring reviews, found that 11.6% of firms were not updating CDD throughout the duration of client relationships. In some cases, changes had been considered but not documented, which regulators treat as equivalent to no review at all. (Source: ICAEW Supervision Report 2024/25)
Fragmented systems make it harder to catch this in time. Customer data spread across separate business lines, legacy platforms, and branches prevents a unified view before a decision has to be made. Bain & Company's research found relationship managers at major banks describing hours spent each week resolving screening alerts generated not by genuine risk but by inconsistent or incomplete data across systems.
Ultimate beneficial ownership verification is where this pressure is most acute. Multi-layered corporate structures with holding companies across multiple jurisdictions require verification at each level. Where public registry data is limited (common in MENA markets and several emerging economies), firms work from investigative techniques and direct enquiry rather than database queries. The standard applies regardless of what the data infrastructure supports.
Most CDD processes depend substantially on manual effort. Applications reviewed by hand, screening results assessed individually, documents requested and filed by people. At modest volumes, this is manageable. As client bases grow, the throughput required outpaces what manual execution can sustain.
False positives are the most visible pressure point. Rule-based sanctions and PEP screening tools generate alerts at high volume, many of them incorrect matches triggered by common names, shared addresses, or incomplete data fields.
One set of Bain interviews with bank compliance teams found staff flagging clients because of the name of their street. Each alert takes the same review time whether or not it reflects genuine risk. Compliance teams working through false positive queues are not doing the work that requires their judgment; they are doing the work that automation has not yet taken on. (Source: Bain & Company, Banking Compliance Research)
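The mechanism behind the street-name alert is easy to reproduce. The example below is added here as an illustration and is not code from the original article, from Bain, or from any screening vendor: it contrasts a naive rule-based screener that matches watchlist name tokens anywhere in a record (name or address) with a field-aware screener that compares only the name field and requires a secondary attribute (date of birth or country) to corroborate a hit before it reaches alert level. The watchlist entries, customer records, and the 0.85 similarity threshold are all constructed, hypothetical sample data.

```python
"""Added illustration of the screening false-positive mechanism described above.
Everything here is constructed: the watchlist entries, customer records,
thresholds and both screener designs are hypothetical, not any vendor's
or regulator's logic."""
import re
from difflib import SequenceMatcher

# Constructed watchlist: invented people, not real sanctions or PEP entries.
WATCHLIST = [
    {"name": "Viktor Ivanov", "dob": "1965-03-12", "country": "RU"},
    {"name": "Maria Santos", "dob": "1978-11-02", "country": "BR"},
]

# Constructed customer records. C1 lives on a street that shares a watchlist
# surname; C2 shares a common full name but nothing else; C3 is a true match.
CUSTOMERS = [
    {"id": "C1", "name": "Anna Bauer", "dob": "1990-06-30", "country": "DE",
     "address": "3 Ivanov Street, Berlin"},
    {"id": "C2", "name": "Maria Santos", "dob": "1995-01-15", "country": "PT",
     "address": "Rua Augusta 12, Lisboa"},
    {"id": "C3", "name": "Viktor Ivanov", "dob": "1965-03-12", "country": "RU",
     "address": "Tverskaya 5, Moscow"},
]


def tokens(text):
    """Lower-case word tokens of a free-text field."""
    return set(re.findall(r"[a-z]+", text.lower()))


def naive_screen(customer, watchlist=WATCHLIST):
    """Rule-based screener of the kind the text describes: any watchlist
    name token appearing anywhere in the record, name or address, raises
    an alert. Returns the list of watchlist names that triggered."""
    record = tokens(customer["name"] + " " + customer["address"])
    return [w["name"] for w in watchlist if tokens(w["name"]) & record]


def name_similarity(a, b):
    """Fuzzy similarity in [0, 1] between two name strings."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def scored_screen(customer, watchlist=WATCHLIST, name_threshold=0.85):
    """Field-aware screener: compare only the name field, then require a
    secondary attribute (date of birth or country) to corroborate before a
    hit reaches alert level. Uncorroborated name hits are kept in a lower-
    priority review queue rather than dropped, so the decision is auditable.
    Returns (alerts, review_queue)."""
    alerts, review = [], []
    for w in watchlist:
        score = name_similarity(customer["name"], w["name"])
        if score < name_threshold:
            continue
        corroborated = (customer["dob"] == w["dob"]
                        or customer["country"] == w["country"])
        hit = {"match": w["name"], "name_score": round(score, 2),
               "corroborated": corroborated}
        (alerts if corroborated else review).append(hit)
    return alerts, review


def compare_screeners(customers=CUSTOMERS):
    """Per customer: did the naive screener alert, and how did the scored
    screener classify the same record?"""
    out = {}
    for c in customers:
        alerts, review = scored_screen(c)
        out[c["id"]] = {"naive_alert": bool(naive_screen(c)),
                        "alert": bool(alerts),
                        "review": bool(review)}
    return out


if __name__ == "__main__":
    for cid, result in compare_screeners().items():
        print(cid, result)
```

Run stand-alone, the naive screener alerts on all three constructed customers, while the field-aware screener raises an alert only for C3, parks C2 (same name, no corroborating attribute) in the review queue, and clears C1 entirely. The uncorroborated hit is queued rather than suppressed on purpose: a screener that silently discards name matches is harder to evidence at inspection and is the kind of opaque decision the bias concerns later on this page are about.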
Audit trails carry similar pressure. The FCA found that some firms had no version control on their documentation, making it impossible to evidence a history of reviews or policy changes. A team can complete every required step and still be unable to demonstrate it at inspection if the process left no traceable record. That is a documentation design problem with direct regulatory consequences.
Staffing the manual workload creates its own constraints. Qualified compliance professionals are scarce and expensive relative to demand. Adding headcount without changing the underlying process moves the cost but not the throughput ceiling. And staff who are new to CDD roles generate higher escalation rates and are less likely to catch the edge cases that experienced reviewers would flag.
CDD requirements differ across jurisdictions in ways that matter operationally, not just technically. Acceptable forms of identity verification vary by market. Digital ID frameworks recognised under eIDAS in the EU don't yet have equivalents in most other regions. GDPR restricts cross-border data sharing in ways that directly constrain verification for customers with cross-border structures.
The pace of rule change adds a second layer. Policies written to reflect one version of the regulations may be outdated before they are fully implemented. The UK's Money Laundering Regulations were amended in January 2024 with respect to domestic PEPs.
The FCA's subsequent multi-firm review found that some firms had not updated their policies to reflect that change by the time of the review, well after it had taken effect. The policy gap did not come from lack of effort; update cycles take time that regulatory amendments do not wait for. (Source: FCA Multi-Firm AML Review 2026)
Regulators have shifted what they are measuring. The question is no longer whether a policy exists, but whether it is being followed and whether it works in practice.
The Law Society's enforcement data found that 83% of its enforcement outcomes in one reporting period involved insufficient CDD at firms that had written frameworks in place. Consistent execution against a documented standard is the current test. (Source: Law Society Enforcement Data)
The EU's forthcoming AML Regulation (AMLR) and the new Anti-Money Laundering Authority (AMLA) will raise the standard further. The AMLR introduces standardised CDD data requirements, event-driven EDD triggers, and a supervisory methodology explicitly designed to assess whether controls work operationally. Compliance by 2027–28 will require system upgrades that most institutions are still in the planning stages for.
CDD creates friction with clients. Some of that friction is inherent to the purpose — verifying identity, understanding the source of funds, and confirming that a business relationship makes sense given what is known about the customer. The challenge is calibrating it correctly.
Source of wealth requests are the most common point of breakdown. High-net-worth individuals and corporate clients frequently view detailed enquiries into the origins of their assets as disproportionate to the relationship.
The FCA's 2024 PEP review found evidence in both directions: some firms were requesting information disproportionate to the actual risk of the individual, while others were accepting assertions rather than documentation. (Source: FCA PEP Review 2024)
The Law Society's enforcement data showed that 69% of firms that failed source of funds requirements knew the obligation applied but could not produce adequate evidence from the clients who held it. (Source: Law Society Enforcement Data)
The problem is not that clients are unwilling to comply. It is that the request often is not framed in a way that makes compliance feel proportionate or straightforward. The Law Society provides template language for client care letters that positions source of funds requests as a statutory obligation rather than a discretionary enquiry — firms that use structured, explained requests get more complete responses than firms that send open-ended forms.
Proportionality matters in both directions. Asking for more than the risk level requires produces friction that damages the relationship and, where the FCA is watching, can itself attract scrutiny. The design question is how to ask for precisely what the client's actual risk profile warrants, rather than putting the same exhaustive checklist to everyone.
Crypto assets and decentralised finance present a regulatory coverage gap. Transaction tracking across blockchain-based assets requires tooling that traditional payment monitoring was not built to provide. CDD requirements for virtual asset service providers remain inconsistent across jurisdictions, leaving compliance teams working from principles-based guidance in a technical environment that existing AML frameworks were not designed to address.
Real-time payment rails create a timing problem. Instant payments are irrevocable: once funds have moved, they cannot be recalled. Compliance screening systems built around batch cycles cannot match the time window available when settlement occurs in seconds. The mismatch is structural and there is no clean solution under current architectures.
AI offers genuine efficiency in CDD: automated identity checks, faster adverse media screening, risk scoring without manual input. It also introduces risks that require active management.
Machine learning models trained on historical data can replicate historical patterns of exclusion, screening out legitimate customers at higher rates in certain demographic or geographic groups because the training data reflects past bias. FATF identified this explicitly in its 2021 guidance on new technologies for AML/CFT. (Source: FATF Guidance on New Technologies 2021)
The FCA and the Bank of England have both flagged a related concentration risk: a significant portion of the sector uses the same three or four AI vendors. A model failure or regulatory action affecting one of them has sector-wide implications. (Source: FCA / Bank of England, AI Concentration Risk)
FATF also identified a self-reinforcing dynamic worth naming: firms often avoid piloting new compliance technologies because a failed pilot could attract supervisory criticism, surface gaps in an existing programme, or generate new regulatory expectations. The rational response to that incentive structure is to stay with manual processes known to be inadequate. That dynamic is real, and it slows progress at an industry level.
The conditions that make CDD difficult are not unique to any sector, firm size, or geography. Data infrastructure that was not built for current regulatory requirements. Manual processes that cannot sustainably scale. Rules that change faster than operational systems can be updated. Client relationships where the information CDD needs is not easy to obtain. And a technology landscape that creates new compliance surface area as fast as it removes old bottlenecks.
ACAMS has articulated the underlying position clearly: CDD executed well is not a regulatory cost. It is a source of reliable information about who customers are, how their risk profile changes, and what that means for the relationship.
Firms that build CDD around that purpose, generating accurate, current, auditable customer intelligence, find that the compliance requirement and the business requirement are the same thing.
The operational gap between that standard and what current systems deliver is where the work sits. Closing it takes better data infrastructure, more targeted automation, and clearer process design, not more policy pages.
ALPINE CLM systematizes your CDD methodology — configuring risk frameworks, automating review triggers, and generating a complete, immutable audit trail so the gap between written policy and consistent execution is closed by design.