Who must comply?
- Banks and credit institutions
- Securities firms, brokers and asset managers
- Insurance companies (life and other investment-related products)
- MVTS providers and money changers
- Virtual Asset Service Providers (VASPs)
- Any other entity defined as a financial institution under FATF standards
Key requirements
1. Identify the customer
Obtain the customer's name, date of birth or constitution, address, ID/tax number, and the nature of their business. For legal persons, obtain incorporation documents and identify directors and senior managers.
2. Verify the identity
Confirm the identification information using reliable, independent source documents, data or information — official IDs, public registries, biometric checks, etc. Identification alone is not enough; verification must always follow.
3. Identify the beneficial owner
Take reasonable measures to identify the natural person(s) who ultimately own or control the customer (≥25% threshold is a common indicator) and verify their identity. This applies to legal persons and legal arrangements such as trusts.
4. Understand the purpose and intended nature of the relationship
Document why the customer wants the relationship, what products and channels they will use, and the expected volume and source of funds — the foundation for ongoing monitoring.
5. Conduct ongoing due diligence
Continuously scrutinise transactions to ensure they are consistent with the customer's profile and update CDD information whenever circumstances or risks change. Periodic reviews are required for higher-risk relationships.
6. Apply CDD at four trigger points
Recommendation 10 mandates CDD when: (1) starting a business relationship, (2) carrying out occasional transactions above USD/EUR 15,000 or wire transfers covered by Recommendation 16, (3) there is a suspicion of ML/TF regardless of any threshold, and (4) the institution doubts the veracity of previously obtained CDD data.
7. Risk-calibrated CDD
Under Recommendation 1, institutions may apply enhanced due diligence (EDD) for higher-risk customers (PEPs, complex structures, high-risk countries) and simplified due diligence (SDD) for lower-risk customers — but never zero diligence.
8. Refuse, terminate or report
If CDD cannot be completed, the institution must not open the account, must not perform the transaction, must terminate the relationship, and must consider filing a Suspicious Transaction Report (STR) under Recommendation 20.
Practical example
Example: opening a corporate account at a Mexican SOFOM
A SOFOM ENR receives a request to open a credit line for a holding company. CDD requires: (1) acta constitutiva and tax ID of the company, (2) IDs and CURPs of all shareholders with ≥25% participation, (3) chain-of-control diagram if the holding is owned by another entity, (4) identification of the natural-person beneficial owner at the top of the chain, (5) source-of-wealth declaration, (6) screening of all parties against UN, OFAC and Mexican blocked-persons lists, (7) PEP screening. If a shareholder is a PEP, the file escalates to senior management for approval (Recommendation 12). The full file is kept for at least 10 years (Recommendation 11).
How Mexico implements it
Country-specific section: Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).
In Mexico, Recommendation 10 is implemented through two parallel regimes, depending on the type of obligated entity:
LFPIORPI Art. 18 Fr. I: CDD for vulnerable activities
Those who carry out vulnerable activities (real estate agencies, jewellers, notaries, fintechs, etc.) must identify the customer, retain the file for 10 years (Art. 18 Fr. IV, amended in July 2025) and, when the customer is a legal person, identify the controlling beneficiary (beneficiario controlador) (Art. 18 Fr. III).
Art. 95 Bis LGOAAC + DCG CNBV: CDD for SOFOMes ENR
SOFOMes ENR apply CDD in accordance with the CNBV's General Provisions (Disposiciones de Carácter General). The file must include documentary identification, a declared transactional profile, list screening and documented approval of the start of the relationship.
Transactional profile and ongoing monitoring (Art. 18 Fr. X, 2025 reform)
The July 2025 reform made it a legal obligation to build a declared transactional profile at the start of the relationship and to automatically detect out-of-profile transactions. It applies to all vulnerable activities under Art. 17 LFPIORPI.
Digital KYC: Llave MX, biometric CURP, PUI
Mexico is moving towards remote identity verification through Llave MX (a single citizen account), the biometric CURP and the Plataforma Única de Identidad (PUI, Single Identity Platform). These infrastructures are future references for the documentary verification required by Recommendation 10.
Milestones
- 1990: Original Recommendation 5 — basic customer identification rules
- 2003: CDD framework expanded to include beneficial ownership and ongoing monitoring
- 2012: Renumbered as Recommendation 10 with risk-based calibration
- 2019: Explicit application to virtual asset service providers
- 2025: October 2025 update reinforces beneficial ownership thresholds and verification standards
Official citation
FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 10, FATF, Paris, France. Last updated October 2025.
Read the official text on fatf-gafi.org