Introduction
For reporting entities providing a designated service in Australia, ongoing customer due diligence is a mandatory process to identify, assess, manage, and mitigate money laundering and terrorism financing risks. Mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML/CTF Act’), this continuous monitoring ensures businesses protect the financial system from criminal exploitation throughout the entire business relationship.
This article explains ongoing CDD obligations for reporting entities so you can effectively monitor your customers and maintain AML compliance.
Understanding Ongoing Customer Due Diligence for Reporting Entities
The Purpose of OCDD in AML Compliance
Ongoing customer due diligence (OCDD) is a continuous process that reporting entities must carry out after a customer has been onboarded. It involves monitoring your customers to identify, assess, manage, and mitigate the risks of money laundering and terrorism financing (ML/TF), as well as proliferation financing, throughout the business relationship. Unlike initial customer due diligence (CDD), which happens at the start of the relationship, the purpose of ongoing CDD is to ensure your understanding of the customer and their risk profile remains current.
Customer circumstances and behaviours can change over time, and criminals may attempt to exploit a business relationship after it has been established. As a result, effective OCDD helps you to:
- detect suspicious activities;
- maintain accurate customer information; and
- manage ML/TF risks by adjusting a customer’s risk rating based on their behaviour and updated information.
The Legal Framework & AUSTRAC Oversight
The legal requirements for OCDD are established under the following legislation:
- AML/CTF Act; and
- Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (‘AML/CTF Rules’).
These laws mandate that reporting entities implement and maintain robust OCDD systems as a core part of their AML/CTF compliance programs.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the primary regulator responsible for overseeing compliance with these obligations. Furthermore, AUSTRAC provides guidance to help businesses implement effective OCDD programs and enforces the legal framework.
Failure to comply with OCDD obligations can lead to severe consequences, including:
- formal warnings;
- infringement notices;
- civil penalty orders; and
- criminal charges.
What Your Reporting Entity Must Monitor For
Identifying Unusual Transactions
A core part of OCDD is monitoring for transactions that are inconsistent with what you know about a customer. What is considered unusual depends on the customer’s profile, your business relationship, and the designated services you provide.
Examples of unusual transactions that your reporting entity should monitor include:
- Inconsistent Activity: Transactions that do not align with a customer’s known risk profile, transaction history, or their stated source of funds or wealth.
- Structured Transactions: A pattern of transactions that appears designed to avoid reporting obligations, such as splitting large cash deposits into smaller amounts to stay below the $10,000 threshold.
- Unusual Complexity: Transactions that seem unnecessarily complex for the nature of the business relationship or have no apparent economic or lawful purpose.
- High-Risk Dealings: Transactions involving individuals or entities in high-risk countries or regions, or those involving politically exposed persons (PEPs).
- Large Cash Movements: Significant cash deposits or withdrawals that are out of character for the customer.
- Obscured Ownership: The use of complex legal structures, such as companies or trusts, to conduct transactions for no clear commercial reason or to hide the true beneficial owner.
Spotting Unusual Customer Behaviours
Beyond financial transactions, a customer’s behaviour can also indicate heightened ML/TF risk. These behaviours can manifest during direct interactions or through patterns in how a customer uses your designated services over time.
Consequently, your monitoring should look for behavioural red flags, such as a customer who:
- Appears nervous, defensive, or evasive when asked routine questions.
- Provides answers that seem coached, rehearsed, or directed by a third party.
- Is unable or unwilling to provide a clear explanation for establishing a business relationship or for the purpose of a transaction.
- Frequently changes their know your customer (KYC) information without a logical reason.
- Attempts to influence staff members, for instance, by offering incentives to discourage them from reporting unusual activity.
- Shows an unusual interest in your reporting obligations, transaction limits, or internal processes.
- Uses an agent or third party for transactions without a clear commercial or lawful purpose.
Monitoring for Specific Criminal Offences
Under Section 41 of the AML/CTF Act, you must monitor for transactions and behaviour that could be relevant to the investigation or prosecution of certain crimes. Identifying indicators of these offences is a key part of your OCDD.
Therefore, your monitoring program should be designed to detect activity related to various offences, including:
- Financial crimes: Such as money laundering, financing of terrorism and proliferation financing, taxation-related crimes, bribery and corruption, as well as insider trading and market manipulation.
- Trafficking and crimes against persons: Such as human trafficking and people smuggling, sexual exploitation (including of children), trafficking of illicit substances or arms, and murder or grievous bodily harm.
- Other crimes: Such as fraud (including identity theft and scams), cybercrime, participation in organised crime, and terrorism.
How to Effectively Monitor Your Customers
Implementing Automated & Manual Monitoring Systems
Your approach to customer monitoring can be manual, automated, or a combination of both. The right method depends on the nature, size, and complexity of your business, but in every case your systems and controls must be appropriate to identify, assess, manage, and mitigate the ML/TF risks you face.
AUSTRAC expects reporting entities to use an automated transaction monitoring system if they cannot effectively monitor transactions manually. This is often the case for businesses that handle a high volume of transactions. Transaction monitoring software can also identify issues that are difficult to recognise manually, including:
- Unusual patterns or spikes in activity.
- Unusually large transactions.
- Potential structuring of transactions to avoid reporting obligations.
- Transactions involving high-risk jurisdictions or sanctioned individuals.
For smaller businesses or those with lower transaction volumes, manual monitoring can be an effective alternative. A robust manual monitoring process typically involves several key actions, as follows:
- Training personnel to identify and respond to unusual transactions and behaviours.
- Scheduling regular reviews of customer transactions, such as weekly or monthly.
- Comparing a customer’s activity against their known history and profile.
- Assessing a customer’s transactions against those of similar customers.
- Escalating any unusual findings to an AML/CTF compliance officer for further review.
Setting Up Monitoring Alerts & Checking Effectiveness
An effective monitoring system uses alerts to flag transactions and behaviours that require further investigation. In addition, your AML/CTF policies should outline what triggers a review to determine if a suspicious matter report (SMR) is necessary. Without a clear process for reviewing and responding to alerts, it is difficult to demonstrate that you are effectively managing your ML/TF risks.
Alerts could be triggered by various factors, including:
- The size, frequency, or pattern of transactions appears unusual.
- A transaction involves a high-risk country or region.
- A transaction involves a person or organisation on a sanctions list.
- Activity appears structured to avoid threshold transaction reporting.
- The behaviour is inconsistent with the customer’s known ML/TF risk profile.
Under Section 26F(1) of the AML/CTF Act, you must regularly check that your OCDD measures are effective, a requirement typically met by conducting independent AML/CTF program reviews. These checks confirm that your system is operating as intended. You should verify that you have enough information about your customers to identify unusual activity, that your alerts are functioning correctly, and that your team is responding to them appropriately.
If you identify any problems during these reviews, you are expected to address them promptly. You should also update your monitoring processes to reflect new indicators of criminal activity, whether they are identified through internal intelligence or published by AUSTRAC.
Reviewing & Updating Customer KYC Information & ML/TF Risk
Triggers for Updating Customer Risk Profiles
Under Section 30 of the AML/CTF Act, reporting entities must review and, where appropriate, update their assessment of a customer’s ML/TF risk. This is not a one-off task at onboarding but an ongoing obligation throughout the business relationship.
A reassessment of a customer’s ML/TF risk is required when certain trigger events occur. These events indicate that the initial risk profile may no longer be accurate. Key triggers include:
- Changes to your business: If your business’s own ML/TF risk assessment changes, it could affect how you identify and assess your customers’ risk.
- Changes in customer type: A customer’s circumstances can change, such as if they become a PEP or if there is a change to their corporate structure or beneficial owners.
- Different designated services: The customer may request new products or designated services that carry a different level of ML/TF risk than what you currently provide them.
- New delivery channels: The way you deliver services to the customer might change, for instance, through the involvement of an agent or a shift to online-only interactions.
- Involvement of different countries: The customer’s transactions may begin to involve different countries, particularly those that are considered high-risk.
- Unusual activity: Your transaction monitoring may flag unusual transactions or behaviour that is inconsistent with the customer’s known profile, which requires a risk review.
When & How to Reverify KYC Information
Reporting entities must periodically review and, where necessary, update and reverify their customers’ KYC information. Following the Section 30 requirements mentioned above, the frequency of these reviews must be appropriate to the customer’s assessed ML/TF risk. As a result, higher-risk customers will require more frequent reviews than lower-risk customers.
Certain circumstances automatically trigger the need to review and potentially reverify KYC information, including when:
- You have doubts about the adequacy or truthfulness of the information you previously collected;
- A customer, their beneficial owner, or a person acting on their behalf becomes a foreign PEP; or
- A customer, their beneficial owner, or a person acting on their behalf becomes a domestic or international organisation PEP and their ML/TF risk is assessed as high.
In addition, your AML/CTF program should outline other triggers for collecting additional KYC information. Examples include a sudden and unexplained increase in transaction volumes or becoming aware of significant changes to a customer’s corporate structure.
The process of updating and reverifying information can be integrated into your regular business operations. Practical methods include:
- Asking customers to confirm or update their details during face-to-face or telephone interactions.
- Using a business application to prompt customers to review their information.
- Requesting and verifying new documentation following changes to a customer’s ownership structure or beneficial owners.
- Confirming a customer’s source of funds or source of wealth where appropriate.
Responding to Unusual Transactions & Behaviours
Steps for Reviewing & Escalating Alerts
When your monitoring systems flag unusual activity, you must have a structured process to review and respond. This ensures that potential risks are managed appropriately and consistently. Your AML/CTF policies should outline the escalation process for handling these alerts.
A typical response process involves several key steps:
- Review the activity in context: Compare the transaction or behaviour against what you already know about the customer. This includes their assessed ML/TF risk, their transaction history, and the nature of your business relationship, while considering whether the activity has a clear economic or lawful purpose.
- Check existing information: Examine the records you hold for the customer, such as their KYC information, previous interactions, and any past alerts. You should also consider information from linked accounts or services to see if it provides additional context.
- Decide on the next steps: After reviewing the activity and existing information, you must decide on the appropriate action. If you find a legitimate explanation, no further action may be necessary; otherwise, you might need to update the customer’s KYC information, apply enhanced customer due diligence, or escalate the matter to senior management.
- Document your review: It is essential to keep detailed records of the alert, the steps you took to review it, and the decisions you made. This documentation demonstrates how you have complied with your OCDD obligations.
Applying Enhanced Customer Due Diligence
Unusual activity identified during ongoing monitoring can be a trigger for applying enhanced customer due diligence (ECDD). These are additional measures you must take to manage a higher ML/TF risk. As a result, your business must have established procedures in place to identify when these high-risk scenarios occur.
Under Section 32 of the AML/CTF Act, you are required to apply enhanced CDD measures if a designated service involves:
- an unusually large or complex transaction;
- an unusual pattern of transactions; or
- a transaction with no apparent economic or lawful purpose.
Other situations that may trigger ECDD include dealing with a foreign PEP or having a suspicion of money laundering or terrorism financing. When a customer’s behaviour or circumstances change in a way that elevates their ML/TF risk to high, you must apply these more stringent due diligence measures. This could include establishing their source of funds or source of wealth.
Submitting Suspicious Matter Reports
If, after reviewing an unusual transaction or behaviour, you have reasonable grounds for suspicion, you must submit an SMR to AUSTRAC.
As established under Section 41 of the AML/CTF Act, you must file a report if you suspect a customer is not who they claim to be, is planning an ML/TF offence, or if you uncover information relevant to the crimes monitored above.
The timeframe for submitting an SMR is critical. For matters related to terrorism financing, the report must be submitted within 24 hours of forming the suspicion. By contrast, for all other matters, the deadline is three business days.
Best Practices for OCDD Compliance & Record Keeping
Fostering a Culture of Compliance & Staff Training
For your AML/CTF policies to be effective, your staff must understand and implement them correctly. Comprehensive training is essential for creating a culture of compliance where employees are the first line of defence in identifying and managing ML/TF risks.
Key aspects of an effective staff training program include:
- Understanding ML/TF risks: Personnel should be trained to recognise ML/TF risks, typologies, and red flags relevant to your business and the designated services you provide.
- Clear roles and responsibilities: Every relevant staff member must understand their specific duties within the AML/CTF program, particularly concerning OCDD.
- Escalation procedures: Your team needs to be trained on the correct procedures for escalating unusual transactions, behaviours, or other compliance concerns to the appropriate person, such as an AML/CTF compliance officer.
- Leadership commitment: A strong compliance culture starts with leadership, meaning senior management should actively promote the importance of meeting AML/CTF obligations throughout the organisation.
- Continuous education: Provide regular updates and ongoing training to keep staff informed about changes in regulations, AUSTRAC guidance, and new or emerging ML/TF risks.
Meeting Record Keeping Obligations
Under Sections 107 and 111 of the AML/CTF Act, reporting entities have a legal obligation to keep detailed records. This documentation must demonstrate how you have complied with your OCDD obligations for each customer.
Your records must be thorough enough to show a clear audit trail of your compliance activities, which includes keeping records of:
- All customer transactions conducted through your designated services.
- Your identification, analysis, and assessment of each customer’s ML/TF risk.
- Any decisions your business makes about how ongoing CDD is conducted for a particular customer.
- The details of any monitoring alerts, including how you reviewed the activity, the steps taken, the decisions made, and the reasons for your response.
Case Study on AUSTRAC Enforcement Against Airwallex
Suspected Failures in Transaction Monitoring & Reporting
In January 2026, AUSTRAC ordered an external audit of the payment platform Airwallex due to suspected non-compliance with its obligations under the AML/CTF Act. The regulator expressed concerns that Airwallex had not demonstrated an acceptable understanding of its customers and the associated reporting requirements.
The audit, ordered under Section 162 of the AML/CTF Act, was initiated to examine several key areas of potential non-compliance. AUSTRAC’s concerns included that Airwallex’s:
- Transaction monitoring program was not properly attuned to the full range of ML/TF risks the business faced;
- OCDD program was inadequate, with the audit notice specifically requiring a review of compliance with Section 36 of the AML/CTF Act; and
- Suspicious matter reporting processes were insufficient, with the audit set to evaluate the timeliness of reports and review decisions where matters were escalated but did not result in an SMR being submitted to AUSTRAC.
The Importance of Executive Oversight & Accountability
In announcing the audit, the AUSTRAC CEO highlighted that effective anti-money laundering controls must begin with a company’s leadership. Consequently, boards and senior executives are expected to actively oversee how ML/TF risks are identified, assessed, and managed across their organisation.
AUSTRAC stated that AML/CTF compliance is not a back-office function. Instead, it requires clear accountability, properly authorised staff who can submit reports, and enough resources to support timely and accurate reporting. Ultimately, the audit of Airwallex was set to include a review of the effectiveness of its AML/CTF governance, including oversight from its board and executives.
Conclusion
OCDD is a mandatory process for reporting entities to continuously monitor customers and manage ML/TF risks. This involves identifying unusual activity, keeping KYC information updated, and reassessing customer risk throughout the business relationship to maintain compliance.
Implementing a robust OCDD framework is essential for meeting your AML/CTF obligations. For assistance with developing or reviewing your AML/CTF program, contact our AML/CTF compliance lawyers at Click Legal to ensure your business remains compliant and protected.