Introduction
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML/CTF Act’), Australian reporting entities must conduct enhanced customer due diligence to manage and mitigate high risks of money laundering and terrorism financing. This rigorous level of customer identification and verification acts as a required safeguard to protect businesses from criminal exploitation when providing a designated service.
Upcoming regulatory changes scheduled to commence on 1 July 2026 make it necessary to understand exactly when enhanced CDD must be applied. This article explains enhanced customer due diligence for reporting entities so you can accurately assess customer risk and implement the required enhanced CDD measures.
Understanding Enhanced Customer Due Diligence for Reporting Entities
The Core Purpose of Enhanced Customer Due Diligence in AML Compliance
Enhanced Customer Due Diligence (ECDD) is a critical component of a reporting entity’s obligations under the anti-money laundering and counter-terrorism financing framework. Its primary function is to detect, disrupt, and prevent money laundering and terrorism financing (ML/TF).
By applying these rigorous measures, your business can identify, assess, and manage high ML/TF risks presented by certain customers. This process gives you a deeper understanding of who your customer is and how they use the designated services you provide. Ultimately, effective ECDD protects your business, the financial system, and the broader Australian community from criminal exploitation.
How Enhanced Measures Differ from Standard Customer Due Diligence
While standard customer due diligence (CDD) establishes a baseline for customer identification, enhanced measures are applied when a higher risk of ML/TF is detected. As a result, ECDD is a more intensive process than initial CDD or simplified CDD.
The key differences include:
- Level of scrutiny: Standard CDD involves foundational identity verification for most customers. ECDD applies a higher level of scrutiny and more detailed monitoring for customers who present an elevated customer risk.
- Information collection: While initial CDD requires collecting and verifying key KYC information, ECDD involves gathering additional details. This can include more in-depth information about a customer’s source of funds or source of wealth.
- Verification process: ECDD requires more rigorous verification of customer information. This may involve using additional independent sources to confirm details or re-verifying information you already hold if doubts arise about its accuracy.
Identifying Triggers for Applying Enhanced Customer Due Diligence
Assessing High Money Laundering & Terrorism Financing Risks
Reporting entities must conduct ECDD when a customer is identified as presenting a high risk of ML/TF. This assessment can occur at different stages of the business relationship.
A high customer risk rating may be determined during the initial CDD process when you first onboard a client. For example, if a new customer has a complex ownership structure involving multiple layers of companies and trusts with no clear purpose, this could indicate a high ML/TF risk, triggering the need for enhanced CDD measures from the outset.
Alternatively, a customer’s risk level can increase over time. Through ongoing CDD, you might detect changes in their behaviour or circumstances that elevate their risk profile, which could be due to:
- System alerts: alerts from your customer monitoring systems;
- KYC changes: changes to their know your customer (KYC) information, such as a new country of residence; or
- Service shifts: a shift in how they use your designated services, like a sudden increase in transaction frequency or value.
When ongoing monitoring reveals that a customer’s ML/TF risk has become high, you must apply enhanced CDD to reassess their profile and implement appropriate controls to manage and mitigate the new level of risk.
Managing Transactions Linked to High-Risk Jurisdictions
Enhanced CDD is mandatory when a transaction involves individuals or entities connected to a high-risk jurisdiction. The Financial Action Task Force (FATF) identifies countries that have weaknesses in their anti-money laundering and counter-terrorism financing regimes, and these are considered high-risk.
This requirement applies if any of the following parties are physically located in or legally formed in a high-risk jurisdiction:
- Your customer;
- The beneficial owner of your customer;
- A person receiving a designated service on the customer’s behalf; or
- An individual acting on behalf of the customer.
These jurisdictions often present a greater risk of criminal activity due to factors like corruption, tax secrecy, or limited regulatory oversight. You might identify a link to a high-risk jurisdiction during initial CDD when reviewing corporate documents, or as part of ongoing monitoring when a customer updates their address or begins transacting with entities in those countries.
Dealing with Foreign Politically Exposed Persons
You must apply enhanced CDD measures when your customer, their beneficial owner, or a person acting on their behalf is a foreign politically exposed person (PEP). A foreign PEP is an individual who holds a prominent public function in a foreign country, such as a senior government official, judge, or military leader.
Foreign PEPs are considered to present a high ML/TF risk because their position and influence can create opportunities for corruption and the misuse of public funds. Furthermore, this elevated risk extends to their family members and close associates.
A foreign PEP can be identified during initial CDD or through ongoing monitoring. For instance, a review of identification documents might reveal a customer’s prominent public role, or you might discover that a director or beneficiary of a customer’s company is a foreign PEP.
Responding to Unusual Transactions & Suspicious Matter Reports
Enhanced CDD is also required in response to specific transactional activities and reporting obligations. You must apply enhanced measures if a customer requests a designated service that involves:
- Unusually large or complex transactions;
- An unusual pattern of transactions; or
- Transactions with no apparent economic or legal purpose.
These situations require a deeper investigation to determine if the activity is consistent with the customer’s profile and circumstances.
Additionally, you must conduct enhanced CDD if you are required to submit a suspicious matter report (SMR) for a customer and you intend to continue providing a designated service to them. The ECDD process helps you reassess the customer’s ML/TF risk and decide whether to continue the business relationship.
It is important to submit the SMR within the required timeframe without waiting to complete the ECDD process. You must also be careful to avoid “tipping off” the customer that a report has been made, as this is a criminal offence.
Key Enhanced Customer Due Diligence Measures to Implement
Collecting & Verifying Additional Customer Information
When a customer presents a high ML/TF risk, reporting entities must collect and verify additional KYC information. This process helps to clarify any gaps or inconsistencies in the customer’s profile, providing a greater level of confidence in their identity. The goal is to build a clearer picture of the customer to better understand and mitigate the specific risks they pose.
The type of additional KYC information collected should be targeted to the nature of the risk. Examples of extra details to gather include:
- Information about the customer’s or beneficial owner’s source of funds and source of wealth.
- Details regarding the customer’s reputation, including their past and present business activities.
- Clarification of complex ownership or control structures to identify all beneficial owners.
- The intended purpose of the business relationship and the reasons for seeking specific designated services.
Verifying this additional information involves checking it against reliable and independent sources. You might need to re-verify details you previously collected to ensure they remain accurate, especially if you have doubts about their authenticity. This could involve using different independent sources or requesting additional identity documents to confirm the customer’s identity and update their risk profile.
Conducting Detailed Transaction Monitoring & Analysis
ECDD often requires more detailed monitoring of a customer’s transactions and behaviour. This level of scrutiny helps to determine if their activity aligns with the stated purpose of the business relationship and what is known about their financial situation. It is a critical step in identifying patterns that might indicate illicit activity that standard monitoring could miss.
Methods for increased monitoring and analysis include:
- Reviewing the customer’s past transactions more closely to better identify and assess their ML/TF risk.
- Increasing the frequency of reviews for the business relationship to assess whether the customer’s risk has changed.
- Manually reviewing unusual, complex, or high-value transactions that may not have a clear economic or lawful purpose.
- Updating automated monitoring triggers to flag additional kinds of transactions or behaviours that are inconsistent with the customer’s profile.
Obtaining Senior Management Approval for High-Risk Relationships
A crucial governance measure within an ECDD program is obtaining approval from senior management before establishing or continuing a high-risk business relationship. This ensures an additional layer of oversight and accountability, confirming that the decision aligns with the organisation’s risk appetite. It is a required step when dealing with high-risk customers, including a PEP.
This process ensures senior managers have direct oversight of the business’s most significant ML/TF risks. It allows them to make informed decisions about whether the entity is equipped to manage and mitigate those risks effectively. Furthermore, approval may also be required before processing certain high-value or complex transactions for these customers.
Establishing Source of Funds & Source of Wealth
Understanding the Difference Between Source of Funds & Source of Wealth
As part of ECDD, reporting entities must understand where a customer’s money comes from. This involves examining both their source of funds and their source of wealth. While related, these two concepts provide different insights into a customer’s financial profile and potential ML/TF risk.
Source of funds refers to how and where a customer obtained the money for a specific transaction. This check helps you confirm that the funds for a particular designated service come from a legitimate origin and that the activity aligns with what you know about the customer. For example, the source of funds for a large property deposit might be the proceeds from the sale of another asset.
Source of wealth provides a broader picture of how a customer has accumulated their total net worth over time. This assessment helps you determine if their overall financial position is credible and consistent with their profile. A customer’s source of wealth could include:
- their employment history;
- business ownership;
- investments; or
- inheritance.
When Source of Wealth Checks Are Mandatory for Reporting Entities
Under the anti-money laundering and counter-terrorism financing framework, establishing a customer’s source of funds and source of wealth on reasonable grounds is a mandatory enhanced CDD measure in several high-risk scenarios. These checks are essential for assessing whether a customer’s financial activities are legitimate.
You must conduct these checks in the following circumstances:
- Politically Exposed Persons (PEPs): It is a requirement to establish the source of funds and source of wealth for any customer or beneficial owner who is a PEP. This also applies to high-risk domestic PEPs and high-risk international organisation PEPs.
- High ML/TF Risk Customers: You must establish the source of funds and source of wealth when it is relevant to the nature of a customer’s high ML/TF risk. This helps to manage and mitigate risks associated with:
  - Customers with complex or opaque wealth structures, such as high-net-worth individuals with unclear income sources.
  - The use of shell companies or intricate trust arrangements that obscure the true beneficial owner.
  - Customers conducting unusually large cash transactions or those whose wealth is derived from multiple jurisdictions.
  - Individuals involved with high-risk jurisdictions.
  - Former PEPs who continue to present a high customer risk due to their ongoing political influence.
Developing & Maintaining Effective ECDD Policies
Defining High-Risk Factors & Escalation Procedures
Your AML/CTF compliance program must contain clear policies, procedures, and controls for applying ECDD. This involves defining what constitutes a high ML/TF risk for your organisation. These definitions should identify specific high-risk factors across different areas of your business.
Key high-risk factors to define in your ECDD program include:
- Customer Types: Categories of customers that present a higher risk, such as certain industries or business structures.
- Designated Services: Specific services you offer that are more susceptible to criminal exploitation.
- Delivery Channels: Methods of service delivery that may increase risk, such as non-face-to-face interactions.
- Geographical Locations: Countries or regions identified as high-risk due to weak AML/CTF regimes or high levels of corruption.
Your policies must also assign clear responsibilities to staff for applying enhanced CDD measures. Furthermore, you need to establish clear escalation procedures. These procedures should outline the steps to take when enhanced measures cannot sufficiently manage and mitigate a customer’s risk, which may include deciding whether to continue providing a designated service or to end the business relationship.
Fulfilling Record Keeping Obligations for Enhanced Measures
Documenting the enhanced CDD measures you apply to a customer is a critical obligation. Proper record-keeping allows you to demonstrate compliance with your CDD obligations and helps build a clear picture of a customer’s evolving ML/TF risk. These records are essential for adapting your ECDD measures and continuing to manage risks effectively.
You must document several key aspects of the ECDD process, including:
- The specific circumstances that required you to conduct enhanced CDD.
- The reasons why you applied particular enhanced CDD measures.
- Any additional KYC information you collected from the customer.
- The methods used to verify the collected information.
- Whether an SMR was submitted regarding the customer.
- Any changes made to the customer’s risk rating as a result of the ECDD process.
- Decisions to apply further measures to mitigate new risks or to cease providing a designated service due to unacceptable risk.
Case Study: AUSTRAC’s Enforcement Action in AUSTRAC v Mounties (‘Mounties’)
Ignoring High-Risk Behaviours Like Bill Stuffing & Minimal Play
AUSTRAC’s proceedings against Mounties in 2025 highlighted systemic failures in the club’s ECDD program, particularly in addressing high-risk customer behaviours. As a result, the club was exposed to significant money laundering risks by not effectively monitoring or acting on suspicious activities at its electronic gaming machines (EGMs).
Two key high-risk behaviours were identified as part of the proceedings:
- Bill stuffing: This practice involves customers inserting cash into an EGM to obtain credit, which is then redeemed for a cheque after little to no gameplay. This can be a method for converting illicit cash into a seemingly legitimate financial instrument.
- Minimal play with large cash inserts: Another red flag was customers inserting large amounts of cash into EGMs or multi-terminal gaming machines and then cashing out after minimal or no play. Ultimately, this activity is inconsistent with genuine gambling and can indicate an attempt to launder money.
These behaviours were identified as significant ML/TF risks that Mounties failed to adequately manage and mitigate.
The Failure to Apply Enhanced Measures to Suspicious Customers
The proceedings also revealed a failure to apply appropriate enhanced measures to the customers exhibiting these high-risk behaviours. Despite identifying suspicious activity, Mounties did not take the necessary steps to manage and mitigate the associated risks, even as these customers collectively reached turnovers exceeding $139 million from EGM play.
According to court documents, the failures in applying ECDD measures to these suspicious customers included:
- Not conducting appropriate source of wealth or source of funds checks to verify that the customers’ gambling activities were consistent with their financial profiles.
- Failing to subject these high-risk customers to a proper senior management review to decide if the business relationship should continue.
- Neglecting to appropriately risk-rate customers who displayed clear indicators of high ML/TF risk.
Key Lessons from Mounties
The Dangers of Over-Reliance on Third-Party Compliance Vendors
The Mounties case serves as a cautionary tale for reporting entities that outsource their AML/CTF obligations. Mounties had engaged a third-party provider, BetSafe Pty Ltd, to create, maintain, and update its AML/CTF program.
However, AUSTRAC alleged that this reliance did not absolve Mounties of its duties under the AML/CTF Act. While engaging third-party providers is permissible, the legal responsibility for compliance remains with the reporting entity.
Passive reliance on an outsourced service without active internal oversight can lead to significant compliance failures. Therefore, reporting entities must ensure that:
- Any third-party service is fit for purpose; and
- They maintain sufficient oversight to manage and mitigate ML/TF risks effectively.
Inadequate Independent Reviews & Lack of Board Training
A significant failure in Mounties’ governance was the inadequacy of its independent AML/CTF program reviews. Between 2019 and 2023, the reviews conducted by Legal Review Pty Ltd were found to be insufficient.
They did not meet the requirements of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (‘AML/CTF Rules’) because they were merely desktop exercises. Specifically, the reviews failed to assess the effectiveness of the AML/CTF program as they did not involve any testing or verification of the systems and procedures Mounties used.
Instead, the process was limited to the following actions rather than actively testing the controls:
- Conducting interviews; and
- Reading the program documents.
This lack of rigorous oversight was compounded by a failure in leadership accountability. The Mounties board of directors did not complete the required biennial AML/CTF training as stipulated in their own program. Ultimately, this failure weakened governance and demonstrated a systemic deficiency in the organisation’s approach to its compliance responsibilities.
Conclusion
Robust ECDD is a critical requirement for Australian reporting entities to manage high risks of ML/TF. As highlighted by AUSTRAC’s enforcement actions, failing to implement an effective ECDD program can lead to severe penalties and expose a business to criminal exploitation.
Navigating these complex ECDD obligations requires specialised legal knowledge to ensure your AML/CTF program is compliant. Contact our AML/CTF compliance lawyers at Click Legal today for assistance in developing and reviewing your ECDD framework to protect your business and meet your regulatory requirements.