Understanding Customer Due Diligence In Australia: A Complete Guide

Customer due diligence in Australia

Managing compliance with Australia’s AML/CTF Act standards can often feel like navigating a maze of regulatory obligations. For many reporting entities, the compliance focus tends to fall on high-profile failures such as transaction monitoring breaches or suspicious matter reporting (SMR). However, the importance of also getting customer due diligence (CDD) right shouldn’t be underestimated.

Customer due diligence is not merely an administrative chore; it is the cornerstone of your risk assessment and compliance program. Get this right and every subsequent control, from risk rating to monitoring, becomes a whole lot easier.

This article outlines the requirements set by AUSTRAC, and provides a practical framework for mastering all types of due diligence to help ensure your compliance is built on solid ground.

What is customer due diligence?

Customer due diligence is about the checks you carry out to ensure your customer is who they say they are, and identifying any risks involved from doing business with them. Once a customer is onboarded it also involves keeping an eye out for unusual activity or changes in their circumstances throughout your business relationship.

Checks can include reviewing official documents showing your customer’s name, date of birth and residential address to confirm their identity. Identifying risks can involve understanding whether your client is a politically exposed person (PEP), where they are located, and what types of transactions they carry out.

The purpose of these checks is to ensure you’re not dealing with someone hiding behind a false identity or using your business to move illicit funds.

Getting customer due diligence right means you have reliable customer data from the start, which gives your AML program the information it needs to function effectively. That’s why establishing a risk-based approach that is tailored to your business can make all the difference.

Building a robust customer due diligence process

Under the AML/CTF Act, every reporting entity, from banks and casinos to (from July 2026) real estate agents, law firms and accountants, must carry out CDD before providing a designated service.

AUSTRAC requires entities to apply different levels of CDD depending on the risk involved and on the stage of the customer relationship. Understanding the different levels and types of CDD is essential for both compliance and operational efficiency.

Initial customer due diligence

Carry out initial customer due diligence before you start providing a designated service to your customer.

Requirements
Collect and verify information on your customer, the beneficial owner(s), and any person acting on behalf of your customer. Establish they are who they claim to be, and whether they are subject to sanctions or are a politically exposed person.

Identify customer
Data to be obtained to identify a customer includes:

  • the person’s full name
  • the person’s date of birth
  • if the person is not the customer, the person’s relationship to the customer
  • the person’s address or registered office
  • nature and purpose of the proposed business relationship
  • any information prescribed by regulations.

Remember, CDD isn’t complete without context, which is why understanding the nature and purpose of the proposed business relationship is an important part of the identification process. Understand why the customer is engaging with your business: for example, what kind of services they want, why they want that kind of service, where their funds are coming from, and whether the activity fits their profile.

Verify information
You can use reliable and independent documents and/or electronic data to verify the identity of your medium- or low-risk customers.

If you are using documentary verification, verify identity face to face or ensure copies of documents provided are certified by a trusted referee.

If using electronic data to verify information, use at least two independent and reliable matching electronic sources (the name and date of birth must be verified from two sources, or if using one source, the name, date of birth AND address must be verified).
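To make the electronic verification rule above concrete, here is an added illustration (not AUSTRAC’s or the author’s code) that checks whether a set of source matches satisfies it. The provider labels and the SourceMatch structure are assumptions for this example; the rule encoded is the one stated on this page, plus the page’s point that standard verification only applies to medium- or low-risk customers.

```python
"""Decide whether electronic identity matches satisfy the verification rule.

Rule as stated on the page (added example, not AUSTRAC's or the author's code):
  A) one source matches name, date of birth AND address; or
  B) two independent sources each match name and date of birth.
High-risk customers are out of scope: they need enhanced CDD instead.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceMatch:
    provider: str   # assumed label for the data source, e.g. "credit-bureau"
    name: bool      # did the source confirm the full name?
    dob: bool       # did the source confirm the date of birth?
    address: bool   # did the source confirm the residential address?


def electronic_verification_sufficient(matches, risk_rating):
    """Return (ok, reason) for a customer's electronic verification results."""
    if risk_rating == "high":
        return False, "high ML/TF risk: standard verification is not enough, apply ECDD"

    # Rule A: a single source confirming name, DOB and address together.
    for m in matches:
        if m.name and m.dob and m.address:
            return True, f"single source {m.provider} matched name, DOB and address"

    # Rule B: independence means distinct providers, so the same provider
    # queried twice still counts as one source.
    providers = {m.provider for m in matches if m.name and m.dob}
    if len(providers) >= 2:
        return True, "name and DOB matched by independent sources: " + ", ".join(sorted(providers))

    return False, "insufficient electronic matches; fall back to documentary verification"


def sample_results():
    """Constructed sample cases, not real customer data."""
    return {
        "one_full_match": electronic_verification_sufficient(
            [SourceMatch("credit-bureau", True, True, True)], "low"),
        "two_independent": electronic_verification_sufficient(
            [SourceMatch("credit-bureau", True, True, False),
             SourceMatch("electoral-roll", True, True, False)], "medium"),
        "same_provider_twice": electronic_verification_sufficient(
            [SourceMatch("credit-bureau", True, True, False),
             SourceMatch("credit-bureau", True, True, False)], "low"),
        "high_risk": electronic_verification_sufficient(
            [SourceMatch("credit-bureau", True, True, True)], "high"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in sample_results().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} ({reason})")
```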

Photographic identification that AUSTRAC advises can be used includes:

  • a driver’s licence or permit from Australia or overseas
  • an Australian passport
  • a government proof of age card issued in Australia
  • a foreign passport issued by a foreign government or the United Nations
  • international travel documents issued by a foreign government or the United Nations
  • a national identity card used by a foreign government or the United Nations.

Non-photographic identification that AUSTRAC advises can be used includes:

  • an Australian birth certificate, birth extract or citizenship certificate
  • a foreign birth certificate or citizenship certificate
  • a government-issued concession card, such as a pensioner card, a health care card, or a seniors health care card.

Original secondary forms of identification that can be used include:

  • a notice from the Australian Taxation Office or other government agency that contains the person’s name and residential address, issued in the past 12 months
  • a municipal council rates notice or a utilities bill that contains the person’s name and residential address, issued in the past three months
  • for a person aged under 18, a letter from a school principal issued in the past three months that details the person’s name, residential address and when they attended the school, or a student card if available.

Determine risk
As you review and verify identity information, decide on the level of money laundering and terrorist financing risk involved. Collect sufficient information to determine whether enhanced customer due diligence (ECDD) needs to be carried out on the customer.

Initial CDD at a glance

[Diagram: initial customer due diligence process]

Enhanced customer due diligence

Carry out ECDD when you determine the customer’s ML/TF risk is high and you need to take additional, robust steps to identify and manage the higher risk.

Some ECDD triggers include:

  • A person is located or was formed in a high-risk jurisdiction.
  • The designated service is part of a nested service relationship.
  • An individual is a foreign politically exposed person.
  • Customer is a high money laundering/terrorism financing risk.
  • You think you’ve found something suspicious and are considering submitting a suspicious matter report (SMR).
  • The designated service involves unusual patterns or transactions.
  • Your customer has a trust or another vehicle for holding personal assets.
  • Your customer is a non-resident client from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.
  • Your customer has a company with nominee shareholders or shares in bearer form.
  • Your customer is a company with one or more nominee directors.
  • Your customer has a business relationship with a limited partnership with a nominee general partner.
  • A business relationship with a customer that involves new or developing technologies or products that allow anonymity.
  • You consider that the level of risk involved is such that enhanced CDD should apply.

Requirements
Additional steps you may take for high-risk customers are ensuring you obtain:

  • Supplementary identity documents.
  • Photographs of customers holding their photo identity documents to confirm the documents belong to them.
  • Information about your customer’s source of wealth or source of funds.
  • Information about other people involved in the designated service.
  • Data on why the customer is seeking your service or product.
  • Information on the customer’s or beneficial owner’s reputation.
  • Information on the destination of transfers of value.
  • Information on the customer’s online profile, including public social media accounts.

You may also look to verify or re-verify certain customer information and conduct more detailed monitoring and analysis of transactions and behaviours.

You can still offer designated services to customers needing enhanced CDD, but you must have AML/CTF policies in place to manage and reduce the related ML/TF risks.

And remember, record all the information you gather, the steps you take, and the decisions you make. This will help prove your process was followed and that decisions were based on evidence, not assumptions.

Ongoing customer due diligence

Initial CDD is only half the battle. Money launderers can and do still conduct illicit activity after initial onboarding, so ongoing monitoring becomes critical in helping spot changes in customer behaviour, risk levels, or transaction patterns over time.

Requirements
Systematically apply ongoing checks so that you can ensure your customer’s activities and/or transactions are consistent with the information and data you have previously acquired.

This involves:

  • Monitoring transactions and behaviour for suspicious activity.
  • Responding appropriately and completing checks at the necessary level if the nature and purpose of your relationship with the customer changes.
  • Ensuring you have up-to-date identity and verification records on your customer, beneficial owner, and/or ultimate beneficial owner.
  • Regularly reviewing the type of CDD that was conducted for onboarding, whether the level of risk has changed, and whether CDD checks need to be redone.
  • Filing an SMR if you spot anything suspicious.

The frequency of ongoing due diligence may vary depending on the level of risk you have decided your customer poses. Medium- to high-risk customers require more frequent monitoring, around every 6 months, and low-risk customers around every 24 months.

You must keep records that show how you complied with your obligations under the AML/CTF Act. This includes keeping records of customer transactions, your identification, analysis and assessment of your customer’s risk, and any decisions your business makes about how you carry out ongoing CDD on the customer.

Simplified CDD

Simplified customer due diligence relates to certain customers that have been identified as low-risk. These types of customers have often already been subject to scrutiny, such as government entities, local authorities or public service agencies.

While you can reduce the level of due diligence you carry out, you will still need to collect and verify your customer’s identity as you would for initial CDD so you can establish your customer’s risk level.

Requirements
You can apply simplified CDD if all the following apply:

  • the customer’s ML/TF risk is low
  • you’re not required to conduct enhanced CDD
  • your AML/CTF policies deal with how you will apply simplified CDD measures.

What you won’t need to do is dig deep into beneficial ownership or corporate structures, due to the customer’s low-risk public status.

Delayed CDD

Normally, you shouldn’t start work until your client is verified. But if the work is essential and the risk of money laundering or terrorism financing is low, you can begin before CDD is complete.

However, you must complete initial CDD as soon as possible after starting to provide services and take steps to manage any risks caused by the delay.

Requirements
AUSTRAC advises you may be able to start providing a designated service to a customer before you complete initial CDD if the designated service is any of the following:

  • provided at or through a permanent establishment in Australia
  • a financial institution opening an account or allowing deposits
  • a certain financial market transaction that must be performed rapidly
  • a real estate transaction
  • provided in a foreign country.

The length of time you can delay initial CDD will depend on the type of product or service being offered but should always occur before you:

  • transfer, or allow or facilitate the transfer of money, property or virtual assets for or on behalf of the customer
  • otherwise make money, property or virtual assets available to the customer (other than holding it in an account or on deposit from the customer).

Quick CDD checklist

There are different elements to each type of customer due diligence, but there are common factors to getting the foundations right. Apply a risk-based approach appropriate to your business and ask yourself:

  • Have we clearly defined when and how each type of CDD must be performed?
  • Do we document the measures we take when conducting due diligence?
  • Do we document the decisions we make when dealing with enhanced, simplified or delayed due diligence?
  • Do we have procedures for identifying and verifying customers and beneficial owners?
  • Do we collect and store identity and verification records?
  • Is our CDD documentation complete and can records be easily accessed?
  • Do we review and update customer information regularly?
  • Are our risk ratings for each customer documented and applied consistently?
  • Do we know what ‘red flags’ we should look out for?
  • Do we know the nature and purpose of our client relationships?

While this list of questions isn’t exhaustive, if you can answer ‘yes’ to all of these, you’re on your way to establishing a robust CDD framework.

Conclusion: Make customer due diligence your bedrock

In the complex world of AML/CTF it isn’t always easy to get compliance right. However, invest in robust risk-based identification processes and maintain customer profiles through ongoing monitoring, and you’ll create a strong foundation for success.

A foundation which will provide downstream benefits when it comes to dealing with transaction analysis, reporting, risk assessments, and audits.

With the introduction of tranche 2 around the corner, now’s the perfect time to build or review your processes. If you’re unsure where to start, get in touch with our expert team for guidance, because when your CDD is strong, everything else in your AML framework becomes that much easier.

Frequently asked questions

What is the difference between know your customer (KYC) and customer due diligence (CDD)?

KYC and CDD are often used interchangeably, but there are clear differences.

  • KYC is about the information collected: the name, address, date of birth and ID documents.
  • CDD is the broader process of identifying the customer, verifying the information, assessing their Money Laundering/Terrorism Financing (ML/TF) risk, and monitoring that risk over time.

There are a range of customers who require a higher level of due diligence. These include customers:

  • Who have a trust or another vehicle for holding personal assets.
  • Who are a non-resident client from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.
  • Who have a company with nominee shareholders or shares in bearer form.
  • Who are a politically exposed person (PEP).
  • Who have a company with one or more nominee directors.
  • Who have a business relationship with a limited partnership with a nominee general partner.
  • Who want to carry out complex, unusually large transactions or an unusual pattern of transactions that appear to have no lawful or economic purpose.
  • Who have a business relationship with a customer that involves new or developing technologies or products that allow anonymity.
  • For whom you consider that the level of risk involved is such that enhanced CDD should apply.

You don’t have to carry out initial customer due diligence or ongoing due diligence on existing customers (also called pre-commencement customers) unless you file a suspicious matter report about them, or you believe their risk level has changed to medium or high. However, you must carry out ongoing risk assessment on client transactions so you can identify and record any material findings or changes that indicate elevated risk.

Yes, you can use third parties to assist in completing CDD. This can be a cost-effective way to help manage compliance, but ensure you do your own due diligence and look for an AML outsourcing company that can provide the level of support you want and has the required technology to help run ID checks and store your records.

There can be a range of reasons why a customer doesn’t have standard ID documentation. AUSTRAC has provided a list of alternative identification options, which include the following:

  • a referee statement.
  • government correspondence, including documents from state or territory corrective services.
  • confirming an individual’s identity with reputable organisations or bodies known to them.
  • a community ID or organisation membership card for Aboriginal and Torres Strait Islander peoples.
  • recently expired identification.
  • an individual’s self-attestation of their identity.

Nicolas Charles, Head of Operations and Finance
About the author

Nicolas Charles

Nick has a background in financial services for nearly 10 years. During his time in retail finance and banking, he was directly involved in the application of AML verification and compliance, which gave him valuable skills for his current role as Head of Operations and Finance at tic company.
