Understanding Initial Customer Due Diligence for AML Compliance

Published By:

Hannah Deuk

Founder & Principal Lawyer

Key Takeaways:

  • Mandatory Identity Verification: You must establish a customer’s identity on reasonable grounds before providing a designated service, which includes identifying any beneficial owners who hold 25% or more control.
  • Customer Risk Profiling: You must assign a specific ML/TF risk rating to every customer to determine whether they require simplified, standard, or enhanced customer due diligence.
  • Crucial Background Screening: Before onboarding, you must actively screen all customers and beneficial owners to determine if they are a politically exposed person (PEP) or subject to targeted financial sanctions.
  • Strict Record Keeping: Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), you must retain accurate CDD records for seven years, as non-compliance will expose your business to significant civil penalties.
June 14, 2026

Introduction

Initial customer due diligence is a mandatory process for Australian reporting entities to identify a customer and assess their customer risk before they provide a designated service. Under the upcoming anti-money laundering and counter-terrorism financing reforms commencing on 1 July 2026, businesses must transition to an outcomes-based framework to establish identity, screen any politically exposed person, and mitigate risks to meet AUSTRAC requirements.

This article explains initial CDD obligations for reporting entities so you can collect and verify know your customer (KYC) information properly. It outlines how to complete initial CDD, identify a beneficial owner, and understand when you can delay initial CDD or apply simplified customer due diligence before starting a business relationship.

What is Initial Customer Due Diligence for Australian Reporting Entities?

The Core Purpose of Initial CDD

Initial customer due diligence (CDD) is the process reporting entities must use to understand who their customers are before providing them with a designated service. This process forms the foundation of your anti-money laundering and counter-terrorism financing (AML/CTF) obligations and continues throughout the business relationship.

The core purpose of initial CDD is to act as a critical safeguard for your business. It serves three main functions:

  • Establishing identity: It helps you confirm who your customers are, who they might be acting on behalf of, and whether there are any legal reasons you cannot provide the requested service.
  • Assessing risk: It allows you to identify and assess the money laundering and terrorism financing (ML/TF) risks involved in providing a designated service to a particular customer. This helps you determine if a customer’s risk profile is too high for your business or if you can implement controls to manage the risks.
  • Gathering information for reporting: It ensures you collect the necessary KYC information to make required reports to AUSTRAC. These reports are vital for law enforcement and national security investigations.

Transitioning from ACIP to the New AML Framework

Australia’s AML/CTF regime is transitioning from the previous framework of Applicable Customer Identification Procedures (ACIP), which was outlined in the AML/CTF Rules (‘Rules’). The new requirements for CDD are now established directly within the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML/CTF Act’).

This shift introduces an outcomes-based framework, which focuses on the effectiveness of the CDD measures a business takes—often tested through independent AML/CTF program reviews—rather than simple procedural compliance. Furthermore, a significant terminology change is the replacement of ‘ACIP’ with the phrase “collection and verification of KYC information”.

For some businesses, a transitional period is in place as follows:

  • Eligible entities: Reporting entities that were enrolled with AUSTRAC on 30 March 2026 and had compliant ACIP in their AML/CTF program may be able to continue using those procedures.
  • Applicable timeframe: This transitional period runs from 31 March 2026 to 31 March 2029.

Key Matters to Establish Before Providing Designated Services

Identifying the Customer & Beneficial Owners

Before providing a designated service, reporting entities must establish the identity of the customer on reasonable grounds. This CDD obligation extends to identifying any person acting on behalf of the customer and any individual on whose behalf the customer is receiving the service, such as a trust beneficiary.

For non-individual customers like companies or trusts, you must also identify any beneficial owners. A beneficial owner is an individual who ultimately owns or controls the customer, including anyone who:

  • Directly or indirectly owns 25% or more of the customer; or
  • Otherwise exercises control over the customer’s finances or operations.

Identifying the ultimate beneficial owner can require looking through multiple layers of ownership. For instance, if your customer is a company owned by another company, you must follow the chain of ownership until you identify the individual or individuals who ultimately own or control it. Once identified, you must collect and verify their KYC information to establish their identity.

Screening for Politically Exposed Persons & Targeted Financial Sanctions

A critical step in CDD is determining whether the customer or their beneficial owner is a politically exposed person (PEP) or is subject to targeted financial sanctions. This screening must be completed before you provide a designated service. A PEP is an individual who holds a prominent public position, along with their immediate family and close associates, who may pose a higher risk for financial crimes.

You are also required to check if the customer, any beneficial owners, or anyone acting on their behalf is named on a targeted financial sanctions list. Australian sanctions law prohibits dealing with designated individuals or entities, which includes a ban on making assets available to them, either directly or indirectly. You can check the consolidated list published by the Department of Foreign Affairs and Trade to meet this obligation.

Understanding the Nature & Purpose of the Business Relationship

Reporting entities must collect information to understand the nature and purpose of the business relationship or occasional transaction. This involves asking why the customer is seeking your services, which helps to establish a baseline of their normal or expected activity. Understanding this purpose is essential for identifying unusual or suspicious behaviour during ongoing CDD.

The information you gather will depend on the customer and the service, but it might include details about:

  • The intended use of the designated services.
  • The customer’s expected transaction frequency and volume.
  • Whether the services will be used for personal or business purposes.
  • The nature of an individual’s occupation or a company’s commercial activities.
  • The source of the customer’s wealth and the funds for the designated service.

How to Collect & Verify KYC Information Effectively

Establishing Identity on Reasonable Grounds

When conducting CDD, you must establish a customer’s identity on “reasonable grounds.” This is an objective standard, meaning a reasonable person in your position would conclude that the customer’s identity is properly established based on the facts and information available at the time.

Your business must be able to explain how you reached this conclusion. Therefore, it is a requirement to keep records that demonstrate how each matter was established on reasonable grounds for every customer. This documentation should be clear enough that another person with similar training and knowledge would likely reach the same conclusion after reviewing the material.

Using Independent & Reliable Data Sources

Collecting and verifying KYC information are distinct but related processes. Collection involves gathering details directly from the customer, often through an onboarding form. In contrast, verification is the process of confirming that the collected information is accurate by checking it against reliable and independent data sources.

To verify KYC information, you can use a variety of sources, including:

  • Government records and official registers;
  • Trusted documents from reliable sources; and
  • Third-party digital identity services.

When using electronic or digital identity services, you must consider whether the data is reliable, independent, secure, and up-to-date. If you discover inconsistencies during verification, your AML/CTF policies should outline the steps to resolve them.

Resolving these inconsistencies may involve:

  • Using other independent data;
  • Contacting issuing authorities; or
  • Asking the customer for clarification and supporting evidence.

Ultimately, if you cannot resolve the discrepancies, you must not provide the designated service.

Applying Alternative Identification Procedures for Vulnerable Customers

Some individuals may face barriers to providing standard identification due to circumstances beyond their control. In these situations, you can use alternative identification procedures. This flexible approach is designed to support financial inclusion for vulnerable customers while still managing ML/TF risks.

Individuals who may require a flexible approach include those affected by:

  • Natural disasters.
  • Family and domestic violence.
  • Homelessness.
  • Recent migration or refugee status.
  • Living in remote areas.

When using alternative procedures, you must still take reasonable steps to be satisfied the person is who they claim to be. This involves assessing the customer’s ML/TF risk as low and implementing controls to mitigate any additional risks.

Alternative identification options can include:

  • Accepting a referee statement from a person in a position of trust;
  • Using recently expired identification; or
  • Relying on correspondence from a government authority.

Assessing Customer ML/TF Risk & Tailoring Your Approach

Assigning Customer Risk Ratings

As part of your CDD obligations, you must assess the ML/TF risk for each individual customer. This customer risk assessment is distinct from the broader ML/TF risk assessment for your entire business. Based on the KYC information collected, you must assign each customer a risk rating, such as low, medium, or high.

Your method for determining and recording these ratings must be documented in your AML/CTF program. Several factors influence a customer’s risk profile, including:

  • Customer type: Whether the customer is an individual, a company with a complex ownership structure, or a trust.
  • Designated services: The specific services the customer will use and the level of risk associated with them.
  • Delivery channels: How the customer interacts with your business, such as face-to-face, online, or through an agent.
  • Geographic factors: The countries involved in the business relationship, including where the customer is located or where funds will be sent.

For example, an Australian resident seeking a low-risk service locally would likely be rated as low risk. In contrast, a customer with a complex, multi-layered corporate structure or ties to high-risk jurisdictions would require a higher risk rating.

How Risk Ratings Influence CDD Measures

The customer risk rating you assign during initial CDD directly determines the level of due diligence required for that customer. Your AML/CTF policies must outline the specific measures you will take for each risk level to manage and mitigate ML/TF risks effectively, and if you need assistance structuring these, you can speak with our AML/CTF compliance program lawyers. Ultimately, this risk-based approach ensures your compliance efforts are proportionate to the identified risks.

A customer’s rating dictates which form of CDD is appropriate, as follows:

  • Low-risk customers: May qualify for simplified customer due diligence (SCDD), which allows for a more streamlined identification process.
  • Medium-risk customers: Will require standard initial CDD measures.
  • High-risk customers: Mandate the application of enhanced customer due diligence (ECDD), which involves taking extra steps to verify information and understand the customer’s circumstances.

Understanding When Your Business Can Delay Initial CDD

General Requirements for Delaying Verification

Reporting entities can only delay completing CDD in very limited situations. Before providing a designated service, you must determine on reasonable grounds that delaying the process is essential to avoid interrupting the ordinary course of business. Furthermore, you must establish that there is a low ML/TF risk in doing so.

Your AML/CTF policies must clearly outline the specific circumstances in which a delay is permissible. In addition, these policies should detail the procedures for managing and mitigating any risks that arise from the delay, such as how you would handle returning funds if the customer is later found to be outside your risk appetite. Ultimately, inconvenience for you or the customer is not a sufficient reason to delay initial CDD.

It may be considered essential to delay verification to avoid business interruption in situations such as:

  • Time-critical services where an exchange rate or interest rate must be locked in on the day of the request.
  • Allowing a customer to open an account online when their identity cannot be verified immediately.
  • Assisting customers in emergencies, like natural disasters or family violence, who do not have access to their identification documents.

Specific Scenarios Permitting Delayed Initial CDD

The AML/CTF Act and its associated Rules specify a few scenarios where you may begin providing a designated service before all initial CDD is complete. In all cases, the outstanding verification must be completed as soon as reasonably practicable within the required timeframes.

Permitted scenarios include:

  • Designated services in Australia: For most designated services provided in Australia, you may delay verifying certain KYC information. However, you must complete the full initial CDD process within 20 business days and before you transfer any money, property, or virtual assets on behalf of the customer.
  • Opening an account: A financial institution can open an account and allow deposits before completing initial CDD. Full verification must be completed within 20 business days and before any funds are made available to the customer.
  • Rapid financial market transactions: For certain transactions on a declared financial market that must be performed quickly, initial CDD must be completed within five business days of providing the service.
  • Real estate transactions: If you are a real estate agent, legal practitioner, or conveyancer, you may be able to delay initial CDD on the other party to the transaction. Verification must be completed by the earlier of 28 days after the contract exchange or at least three days before the agreed settlement day.

Record Keeping Requirements & Penalties for Non-Compliance

Maintaining Accurate CDD Records for Seven Years

Reporting entities must maintain clear, complete, and accurate records that demonstrate how they have complied with their CDD obligations for every customer. Under Section 111 of the AML/CTF Act, these records must be kept for seven years after the business relationship ends or seven years following the date of the last occasional transaction.

The records you are required to keep include:

  • Customer information: The data you collected and how you verified it.
  • Risk assessment process: The steps you followed to identify and assess the customer’s ML/TF risk.
  • Risk decisions: Any decisions made regarding the customer’s risk and the reasons behind them.
  • Review outcomes: Key outcomes from any reviews and monitoring activities conducted during initial CDD.

It is not a requirement to keep scanned copies or photocopies of identity documents. However, you must record the type and content of the data you collected.

Civil Penalty Provisions & Evasive Behaviour Offences

The amended AML/CTF Act makes initial CDD requirements subject to direct civil penalty provisions. As a result, AUSTRAC can take regulatory action for non-compliance.

Failing to meet your obligations can result in significant civil penalties, with actionable failures including:

  • Identity verification: Not identifying and verifying a customer’s identity before providing a designated service.
  • Sanctions screening: Failing to screen for PEPs and targeted financial sanctions.
  • Risk assessment: Neglecting to assess the ML/TF risk of a customer.
  • Record keeping: Not keeping adequate records of the initial due diligence and risk identification process.

In addition to regulatory penalties for reporting entities, there are criminal offences for customers who exhibit evasive behaviour. A person may commit an offence if they receive a designated service while:

  • Acting anonymously: Using a false name or acting anonymously.
  • Undisclosed aliases: Using one name without disclosing other names they are commonly known by.
  • Misleading information: Knowingly providing false or misleading information or documents.

If you have reasonable grounds to suspect a person has committed one of these offences, you must submit a suspicious matter report to AUSTRAC.

Conclusion

CDD is a foundational AML/CTF obligation for reporting entities, requiring you to identify customers and beneficial owners and to assess their ML/TF risk before providing a designated service. This involves collecting and verifying KYC information, screening for high-risk individuals like PEPs, and keeping detailed records to comply with AUSTRAC requirements and avoid significant penalties.

Navigating the complexities of these CDD obligations requires careful planning and expert guidance to ensure your business is protected. If you need assistance with your AML/CTF program or require fractional general counsel support, contact our AML/CTF compliance lawyers at Click Legal today to ensure your compliance framework is robust and effective.
