A Complete Guide to Customer Due Diligence (CDD) under the AML Regime

Published By:

Hannah Deuk

Founder & Principal Lawyer

June 14, 2026

Introduction

Customer due diligence is a core requirement under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML/CTF Act’) that requires reporting entities to collect and verify accurate customer information before they provide a designated service. By establishing customer identity and assessing money laundering and terrorism financing risk, businesses can put in place the compliance controls needed to protect themselves from criminal exploitation.

With new CDD requirements extending to lawyers, accountants, and real estate agents on 1 July 2026, understanding these CDD obligations is essential for both existing and newly regulated businesses. This article provides an overview of customer due diligence for reporting entities, explaining how to conduct initial CDD and ongoing CDD to effectively manage customer risk.


What is Customer Due Diligence for Reporting Entities?

Establishing Customer Identity & Legal Barriers

Customer due diligence (CDD) is the process reporting entities use to understand who their customers are. The primary functions of this customer identification step include:

  • Establishing and verifying a customer’s identity to confirm they are who they claim to be; and
  • Determining if the person is acting on behalf of someone else.

Beyond simple identification, these due diligence requirements help confirm that there are no legal barriers to providing a designated service. This ensures that a business does not engage with individuals or entities it is prohibited from dealing with, such as those subject to targeted financial sanctions.

Identifying & Assessing ML/TF Risks

A critical purpose of CDD is to identify and assess the money laundering and terrorism financing (ML/TF) risk associated with providing a designated service to a customer. This risk assessment allows reporting entities to understand the potential for their services to be misused for criminal activity.

Based on this assessment, a business can determine whether a customer’s ML/TF risk is too high for its risk appetite. The assessment also informs which controls are necessary to manage and mitigate the identified risks, forming a key part of an effective AML/CTF program and overall compliance.

Gathering Information for AUSTRAC Reporting

The CDD process ensures that reporting entities collect the correct and accurate customer information needed to make required reports to AUSTRAC. This know your customer (KYC) information is fundamental to Australia’s anti-money laundering and counter-terrorism financing regime.

These reports provide vital intelligence to law enforcement and national security agencies. As a result, the information gathered through CDD supports investigations that detect and disrupt serious criminal activities, both in Australia and internationally.


Understanding Customer Risk Ratings for Your Business

The Difference Between Customer Risk & Business Risk

Assigning a customer risk rating is a distinct process from conducting a broader ML/TF risk assessment for your entire business. A business-level risk assessment evaluates the overall risks associated with your products, services, delivery channels, and customer base.

In contrast, a customer risk rating focuses specifically on the ML/TF risk associated with providing designated services to each individual customer. This case-by-case assessment helps determine if a customer fits within your business’s risk appetite and what level of CDD is required.

Factors Influencing Customer Risk Ratings

To assign customer risk ratings consistently, you must develop a clear method documented in your AML/CTF program. This system should be based on factors identified in your business’s ML/TF risk assessment. Key factors to consider for each customer include:

  • The type of customer: Whether they are an individual, a company, a trust, or another type of entity.
  • The designated services provided: The nature of the services the customer is seeking from your business.
  • The delivery channels used: How the customer interacts with you, such as face-to-face, online, or through an agent.
  • The countries involved: The locations where the customer resides or where funds and services will be sent, received, or conducted.

Examples of Low, Medium & High Risk Profiles

Your risk rating method should guide staff in determining whether a customer poses a low, medium, or high risk. The following examples illustrate what different risk levels can look like in practice:

  • Low-Risk Customers: These customers typically present few, if any, risk indicators. An example is an Australian resident who is not using a representative and is seeking a service that your business has already assessed as low risk, with all interactions confined to low-risk jurisdictions.
  • Medium-Risk Customers: These customers may have some features that increase their risk profile. This could include a customer requesting a service you have assessed as medium-risk, having links to medium-risk jurisdictions, or being a low-profile domestic politically exposed person. Non-individual customers with a multi-layered but not overly complex control structure may also fall into this category.
  • High-Risk Customers: High-risk customers display strong indicators of risk or complexity and will require enhanced due diligence. Examples include a foreign politically exposed person, a customer with ties to high-risk jurisdictions, or a non-individual customer with an unusually complex and multi-layered control structure. Furthermore, a customer requesting a service that lacks a clear lawful or economic rationale would also be considered high-risk.


Essential CDD Terminology & Concepts for Reporting Entities

Politically Exposed Persons (PEPs) & Targeted Financial Sanctions

A politically exposed person (PEP) is an individual who holds a prominent public position in a government body or an international organisation. Because of their influence, PEPs and their immediate family members and close associates can present a higher risk of involvement in financial crimes such as bribery and corruption. Reporting entities must therefore establish on reasonable grounds whether a customer is a PEP before providing a designated service.

There are three distinct types of PEPs that your business should be aware of:

  • Foreign PEPs: individuals who hold a prominent public position in a foreign country, such as a head of state, ambassador, or high-ranking military officer.
  • Domestic PEPs: individuals with similar prominent roles within Australia, such as a member of parliament, a senior government official, or a justice of the High Court.
  • International Organisation PEPs: individuals in senior roles at public international organisations, like the head, deputy head, or a board member of the United Nations.

In addition to identifying PEPs, reporting entities must also screen for targeted financial sanctions. These are legal measures that prohibit dealing with specific individuals or entities designated under Australian sanctions law.

Consequently, your AML/CTF policies must detail how your business will avoid making assets available to, or dealing with assets controlled by, a designated person or entity. You can check for designated persons using the consolidated list published by the Department of Foreign Affairs and Trade (DFAT). Breaching these laws is a serious criminal offence that can result in significant fines and imprisonment.
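Screening against a consolidated list is mostly a name-matching problem, and a naive exact comparison on the raw string will miss a designated party whose name is stored with diacritics, in surname-first order, or under an alias. The example below is an added illustration, not code from the page or from DFAT: it normalises names before comparison, treats an exact normalised hit against the primary name or any alias as a "match", sends near hits above an assumed similarity threshold (0.85) to a person for "review", and only otherwise returns "clear". The list entries, reference numbers and function names are constructed for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample in the shape of a consolidated-list export (reference, primary
# name, known aliases). These are invented entries for illustration, not designations
# from the real DFAT list, which must be the data source in production.
SAMPLE_LIST = [
    {"ref": "EX-0001", "name": "Ivan Petrović", "aliases": ["Petrovic, Ivan", "I. Petrovic"]},
    {"ref": "EX-0002", "name": "Blue Harbour Trading Co.", "aliases": ["Blue Harbor Trading Company"]},
]

# Assumed similarity cut-off above which a non-exact candidate is escalated to a
# human reviewer; tune it against your own false-positive rate.
REVIEW_THRESHOLD = 0.85


def normalise(name):
    """Canonical form for comparison: diacritics stripped, casefolded, punctuation
    removed, tokens sorted, so "Petrović, Ivan" and "IVAN PETROVIC" compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", stripped.casefold()).split()
    return " ".join(sorted(tokens))


def screen(customer_name, designated=SAMPLE_LIST, review_threshold=REVIEW_THRESHOLD):
    """Return (outcome, ref, score).

    "match"  : exact normalised hit on the primary name or an alias (blocked)
    "review" : near hit at or above review_threshold (a person must resolve it
               before the designated service is provided; never auto-clear)
    "clear"  : nothing close enough on the list
    """
    target = normalise(customer_name)
    if not target:
        # A name that normalises to nothing (e.g. a non-Latin script this
        # normaliser cannot handle) must not silently compare equal to anything.
        raise ValueError(f"cannot screen name {customer_name!r}: transliterate it first")
    best = ("clear", None, 0.0)
    for entry in designated:
        for candidate in [entry["name"], *entry["aliases"]]:
            cand = normalise(candidate)
            if cand == target:
                return ("match", entry["ref"], 1.0)
            score = SequenceMatcher(None, target, cand).ratio()
            if score >= review_threshold and score > best[2]:
                best = ("review", entry["ref"], score)
    return best


if __name__ == "__main__":
    for name in ["IVAN PETROVIC", "Petrovic, Ivan", "Blue Harbor Trading Company Ltd", "Jane Citizen"]:
        print(f"{name:<34} -> {screen(name)}")
```

Two points a practitioner should take from this: a "review" outcome is a hold, not a pass, and must be recorded with the reviewer's decision under the record-keeping obligations discussed later on this page; and name matching on its own is only a first filter, because the real consolidated list carries dates of birth, nationalities and reference numbers that should be used to confirm or discount a candidate hit.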

Identifying Beneficial Owners

A beneficial owner is an individual who ultimately owns or controls a customer entity, such as a company, trust, or partnership. Understanding who the beneficial owner is plays a critical role in preventing the misuse of financial services for criminal activities.

To accurately identify these individuals, you must consider two key concepts:

  • Ownership: holding 25 per cent or more of the entity, which can be either direct or indirect through other companies or arrangements; and
  • Control: having the power to make decisions about the entity’s finances or operations.

Furthermore, your CDD obligations require you to:

  • determine who the beneficial owners of your customer are;
  • assess the ML/TF risk posed by each beneficial owner;
  • check whether any beneficial owner is a PEP or subject to targeted financial sanctions;
  • verify the identity of each beneficial owner; and
  • keep records of the steps taken to identify and verify them.
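The ownership limb is where manual checks most often go wrong: a person can sit below 25 per cent on every single holding yet reach the threshold once direct and indirect interests are added together, and a chain of holding companies can hide that. The example below is an added illustration, not code from the page: it walks a constructed ownership structure, multiplies shares along each path, sums a person's interests across paths, applies the 25 per cent threshold from the section above, then adds anyone who controls the customer without an ownership interest. The entity names, shares, controllers and function names are all assumptions made up for the example.

```python
from fractions import Fraction

# 25 per cent ownership threshold, as stated in the section above.
THRESHOLD = Fraction(25, 100)

# Constructed ownership structure (not a real customer): entity -> {holder: share}.
# Shares are strings so Fraction keeps them exact. A holder that never appears as a
# key is treated as a natural person, i.e. a leaf of the ownership graph.
STRUCTURE = {
    "Acme Pty Ltd": {"HoldCo Pty Ltd": "0.50", "Dave": "0.20", "Family Trust": "0.30"},
    "HoldCo Pty Ltd": {"Alice": "0.70", "Dave": "0.20", "Frank": "0.10"},
    "Family Trust": {"Carol": "1.00"},
}

# Constructed: people who control the customer without an ownership interest
# (for instance a sole director with veto rights), the page's "control" limb.
CONTROLLERS = {"Acme Pty Ltd": ["Erin"]}


def effective_ownership(structure, entity):
    """Return {person: effective share} for every natural person behind `entity`.

    The share along one ownership path is the product of the shares on that path;
    a person reached by several paths (direct plus indirect) has them summed.
    Circular holdings raise rather than being silently under-counted.
    """
    totals = {}

    def walk(node, weight, path):
        if node in path:
            raise ValueError(f"circular ownership involving {node!r}")
        holders = structure.get(node)
        if not holders:
            totals[node] = totals.get(node, Fraction(0)) + weight
            return
        for holder, share in holders.items():
            walk(holder, weight * Fraction(share), path | {node})

    walk(entity, Fraction(1), frozenset())
    return totals


def beneficial_owners(structure, entity, controllers=None):
    """Apply both limbs: effective ownership of 25% or more, or control."""
    by_ownership = {
        person
        for person, share in effective_ownership(structure, entity).items()
        if share >= THRESHOLD
    }
    by_control = set((controllers or {}).get(entity, []))
    return by_ownership | by_control


if __name__ == "__main__":
    for person, share in sorted(effective_ownership(STRUCTURE, "Acme Pty Ltd").items()):
        print(f"{person:<6} {float(share):.0%}")
    print("beneficial owners:", sorted(beneficial_owners(STRUCTURE, "Acme Pty Ltd", CONTROLLERS)))
```

In the constructed structure Dave holds 20 per cent directly and another 10 per cent through HoldCo, so he is a beneficial owner at 30 per cent even though neither holding alone reaches the threshold; Frank's 10 per cent of HoldCo is only 5 per cent of the customer and drops out; Erin is captured by the control limb alone. The inputs to this calculation (share registers, trust deeds, director details) still have to be collected and verified, and the steps recorded, as the list above requires.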

Establishing Source of Funds & Source of Wealth

Understanding where a customer’s money comes from is a key component of CDD, particularly for high-risk customers. This involves examining both the source of funds and the source of wealth. Reporting entities must collect this information for high-risk customers, during high-risk transactions, or when a customer or their beneficial owner is a foreign PEP.

Source of funds and source of wealth are distinct concepts:

  • Source of funds: refers to the origin of the specific money used for a particular transaction, and verifying this helps confirm that the funds are from a legitimate source and align with the customer’s known business or commercial activities.
  • Source of wealth: describes the origin of a customer’s total net worth, providing a broader picture of the economic activities that have contributed to their overall financial position to help you assess if their activity is consistent with their background.

You can use various documents to verify this information, including:

  • financial records, such as bank statements, pay slips, or tax returns;
  • legal documents, like wills or divorce settlements; and
  • business records, such as audited financial accounts or sale agreements.


An Overview of the Four Forms of CDD

Initial & Simplified CDD Measures

Initial CDD must be completed before you provide a customer with a designated service. This process involves collecting and verifying KYC information to establish on reasonable grounds who the customer is and the nature and purpose of the business relationship. Ultimately, the goal of initial CDD is to identify the customer and any relevant parties, and to conduct an initial assessment of their ML/TF risk.

For customers who are assessed as presenting a low level of ML/TF risk, you may be able to apply simplified CDD. This is a streamlined approach that allows you to collect and verify less information than you would under standard initial CDD. Your anti-money laundering and counter-terrorism financing (AML/CTF) program must set out the specific simplified CDD measures and when they can be applied, and you must still be satisfied on reasonable grounds that the customer’s ML/TF risk is low.

Ongoing & Enhanced CDD Requirements

Once a customer relationship is established, you have an obligation to conduct ongoing CDD. This third form of CDD requires you to monitor your customers throughout the business relationship to identify, assess, and manage any ML/TF risks. Key components of ongoing CDD include:

  • Keeping customer KYC information current and accurate.
  • Monitoring transactions and behaviour for any suspicious activities.
  • Updating a customer’s risk profile if their circumstances change.
  • Collecting further information when appropriate to mitigate risk.

The final form of CDD is enhanced due diligence (EDD), which involves taking extra steps for customers who present a higher ML/TF risk. EDD is mandatory in certain situations, including when a customer or their beneficial owner:

  • is a foreign PEP; or
  • is from a high-risk jurisdiction.

These additional measures are required to manage and mitigate the elevated ML/TF risk such customers pose.


Record Keeping Requirements for Reporting Entities

What Customer Information Must Be Kept

Reporting entities must maintain clear, complete, and accurate records of their CDD activities. These records are essential for demonstrating compliance with your AML/CTF obligations. In addition, good record-keeping protects your business if your services are ever misused for criminal purposes.

Your records must document the entire CDD process, including:

  • The customer information you collected and the methods used to verify it.
  • The steps taken to identify any beneficial owners of a customer.
  • How you identified and assessed each customer’s ML/TF risk.
  • The decisions made regarding customer risk and the reasons for those decisions.
  • The outcomes of ongoing monitoring, including any alerts that were generated and how they were investigated.

The Seven Year Retention Rule

A core component of your record-keeping obligations is the retention period for all CDD documents. You are required to keep these records for a minimum of seven years. This rule ensures that a complete history of your compliance activities is available for independent AML/CTF program reviews.

Retaining these records helps to demonstrate to AUSTRAC that you are meeting your obligations under the AML/CTF regime. Furthermore, these records can provide critical information to AUSTRAC and other law enforcement authorities during investigations into money laundering, terrorism financing, and other serious crimes.


Preparing Tranche 2 Entities for the 2026 Reforms

Who is Affected by the July 2026 Deadline

New AML/CTF rules will extend to a new group of businesses, known as Tranche 2 entities. These reforms are scheduled to take effect on 1 July 2026.

The businesses that will be required to comply with CDD obligations from this date include:

  • lawyers;
  • accountants; and
  • real estate agents.

Essential Systems to Implement Now

To prepare for the July 2026 deadline, newly regulated entities must begin establishing the necessary compliance frameworks, often with the assistance of AML/CTF compliance lawyers.

Key systems and processes that Tranche 2 entities should focus on building include:

  • Identity verification: Implement a process or software to verify customer identity. This is a fundamental KYC step that involves collecting and confirming the authenticity of identification documents like passports and driver’s licences.
  • Beneficial ownership identification: Develop procedures to identify the beneficial owners of any customer that is a company or trust, applying the ownership and control thresholds outlined earlier.
  • PEP screening: Integrate a system for screening customers and beneficial owners against PEP databases to manage the elevated ML/TF risk associated with these individuals.
  • Sanctions screening: Establish a process to screen customers against the DFAT consolidated list to ensure compliance with targeted financial sanctions.
  • Risk assessment frameworks: Create a framework to assess and categorise customers as low, medium, or high ML/TF risk. This assessment will guide the level of due diligence required for each customer relationship.
  • Transaction monitoring: Set up a system for monitoring customer transactions. Depending on the volume of transactions, this may be a manual or automated process designed to detect unusual activity that is inconsistent with a customer’s profile.
  • Suspicious matter reporting (SMR) processes: Document clear procedures for identifying and reporting suspicious matters to AUSTRAC. Staff must understand when a report is required and the timeframes for submission.
  • Record keeping systems: Ensure you have a system in place to securely store all CDD records for the mandatory seven-year period. These records must be complete and accessible to demonstrate compliance.


Conclusion

CDD is a fundamental obligation for reporting entities under Australia’s AML/CTF regime, requiring businesses to identify customers, assess their risk, and monitor their activities. With these requirements extending to lawyers, accountants, and real estate agents from 1 July 2026, implementing a robust compliance framework is essential for both new and existing entities to manage ML/TF risk and meet their legal obligations.

Understanding and implementing these CDD requirements is critical for compliance. If you need assistance with your AML/CTF program or have questions about your obligations, contact our AML/CTF compliance lawyers at Click Legal today to ensure your business is protected and fully compliant.
