Customer Due Diligence (CDD) is the backbone of AML/CTF compliance. If you're a Tranche 2 business — an accountant, lawyer, conveyancer, real estate agent, or jeweller — you must verify who your customers are before providing designated services.
This guide breaks down exactly what CDD involves, with practical checklists you can use today.
The Three Levels of CDD
Under the reformed AML/CTF Act, there are three levels of due diligence. The level you apply depends on the risk the customer presents:
| Level | When to Apply | Effort Required |
|---|---|---|
| Initial CDD | Every new customer, before providing services | Standard |
| Ongoing CDD | Throughout the customer relationship | Periodic |
| Enhanced CDD (ECDD) | High-risk customers or trigger events | Intensive |
Initial CDD Checklist
You must complete initial CDD before providing any designated service. Here's what to verify for each customer type:
Individual Customers
- Collect full legal name (as per government ID)
- Collect date of birth
- Collect residential address (not PO Box)
- Verify identity using government-issued photo ID:
  - Australian driver's licence, OR
  - Australian passport, OR
  - Foreign passport with valid visa
- Consider Electronic Identity Verification (EIV) for faster processing
- Verify the person is who they claim to be (match photo to person)
- Screen against DFAT consolidated sanctions list
- Check for Politically Exposed Person (PEP) status
- Assign a risk rating (low / medium / high)
- Record all CDD information and store securely
Companies (Bodies Corporate)
- Collect full company name and ACN/ABN
- Verify company exists using ASIC records
- Collect registered office address
- Identify directors (full names, DOBs)
- Identify beneficial owners (anyone who owns or controls 25%+):
  - Direct shareholders
  - Indirect shareholders (through other entities)
  - Anyone who exercises control through other means
- Verify identity of at least one director (using individual CDD process)
- Verify identity of all beneficial owners
- Screen all directors and beneficial owners against sanctions/PEP lists
- Assess the company's source of funds and nature of business
- Assign a risk rating
- Document the ownership and control structure
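The 25% test above covers indirect holdings as well as direct ones, which is where layered structures get missed. The following Python is an added illustration (not part of the original guide, and not a regulator's tool) that works out each natural person's effective interest by multiplying percentages along every ownership chain and summing across chains, then adds anyone flagged as controlling the company through other means; the multiply-and-sum approach is an assumption about how indirect interests are calculated, and the company names and percentages are constructed.

```python
from collections import defaultdict

THRESHOLD = 25.0  # "owns or controls 25%+" from the checklist above

def effective_interests(holdings, target):
    """Effective % of `target` held by each natural person.

    holdings maps an entity to {owner: percentage} for that entity's owners.
    Any name that is not a key of holdings is treated as a natural person.
    Interests held through intermediate entities are multiplied along each
    chain and summed across chains; circular cross-holdings are skipped.
    """
    totals = defaultdict(float)

    def walk(entity, share, path):
        for owner, pct in holdings.get(entity, {}).items():
            eff = share * pct / 100.0
            if owner in holdings:            # another entity: go one layer down
                if owner not in path:        # guard against circular holdings
                    walk(owner, eff, path | {owner})
            else:                            # natural person: accumulate
                totals[owner] += eff

    walk(target, 100.0, {target})
    return {person: round(v, 2) for person, v in totals.items()}

def beneficial_owners(holdings, target, other_control=()):
    """People to identify and verify: everyone at or above THRESHOLD, plus
    anyone in other_control (control through other means, e.g. a right to
    appoint directors) regardless of the size of their shareholding."""
    interests = effective_interests(holdings, target)
    result = {p: ("ownership", pct) for p, pct in interests.items() if pct >= THRESHOLD}
    for p in other_control:
        result.setdefault(p, ("control", interests.get(p, 0.0)))
    return result

# Constructed sample structure (hypothetical companies and people):
SAMPLE_HOLDINGS = {
    "Target Pty Ltd": {"Alice": 15.0, "HoldCo Pty Ltd": 55.0, "Dave": 30.0},
    "HoldCo Pty Ltd": {"Alice": 40.0, "Bob": 40.0, "Carol": 20.0},
}

if __name__ == "__main__":
    # Alice: 15% direct + 55% x 40% = 37%; Bob: 22%; Carol: 11%; Dave: 30%
    print(beneficial_owners(SAMPLE_HOLDINGS, "Target Pty Ltd", other_control=["Carol"]))
```

Note that Bob holds 40% of the intermediate company yet falls below the threshold once diluted, while Alice's two separate routes add up to a reportable interest.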
Trusts
- Collect full trust name and type (family, unit, discretionary, etc.)
- Obtain a copy of the trust deed (or relevant extracts)
- Identify and verify the trustee(s):
  - If individual trustee: follow individual CDD
  - If corporate trustee: follow company CDD
- Identify the settlor (person who established the trust)
- Identify beneficiaries:
  - Named beneficiaries: verify identity
  - Class of beneficiaries (e.g., "children of the settlor"): document the class
- Identify anyone who has power to appoint/remove trustees
- Screen key parties against sanctions/PEP lists
- Assess source of trust funds
- Assign a risk rating
Partnerships & Associations
- Collect partnership/association name and ABN
- Identify all partners (or office holders for associations)
- Verify identity of at least one partner/office holder
- Identify beneficial owners (25%+ interest)
- Screen against sanctions/PEP lists
- Assign a risk rating
Customer Risk Rating
Every customer must receive a risk rating. This determines the level of ongoing monitoring and CDD they require.
Risk Factors to Consider
Higher Risk Indicators:
| Category | Higher Risk |
|---|---|
| Customer type | Complex structures, foreign entities, trusts with opaque ownership |
| Geography | Customer or funds connected to FATF high-risk countries (North Korea, Iran, Myanmar) or grey-list countries |
| Transaction | High-value, cash-intensive, no clear economic purpose |
| Behaviour | Reluctance to provide information, using intermediaries, urgency without explanation |
| Industry | Cash-intensive businesses, crypto, gambling, precious metals |
| PEP status | Domestic or foreign PEP, or close associate/family of a PEP |
Lower Risk Indicators:
| Category | Lower Risk |
|---|---|
| Customer type | Individual, Australian resident, simple structure |
| Geography | Australia, NZ, UK, Canada, other low-risk jurisdictions |
| Transaction | Consistent with customer profile, regular pattern |
| Behaviour | Cooperative, transparent, provides documentation willingly |
| Relationship | Long-standing, well-known in the community |
Suggested Rating Scale
| Rating | Description | Review Frequency |
|---|---|---|
| Low | Australian resident, simple structure, standard transactions | Every 2 years |
| Medium | Some risk factors but manageable — e.g., moderate value, some overseas connections | Annually |
| High | Multiple risk factors — PEP, high-risk jurisdiction, complex structures, large cash | Every 6 months or more frequently |
Ongoing CDD Checklist
CDD doesn't stop after onboarding. You must monitor the relationship continuously:
- Monitor transactions for consistency with customer's known profile
- Update CDD information when circumstances change:
  - Change of address
  - Change of directors or beneficial owners
  - Change in nature of business
  - Marriage, name change
- Conduct periodic reviews based on risk rating:
  - Low risk: review every 2 years
  - Medium risk: review annually
  - High risk: review every 6 months
- Re-screen against sanctions and PEP lists at each review
- Reassess risk rating when new information emerges
- Watch for trigger events that require immediate review:
  - Unusual transaction patterns
  - Negative media coverage
  - Law enforcement inquiries
  - Information suggesting the customer's risk has changed
Enhanced CDD (ECDD) Checklist
When a customer is rated high risk or when specific triggers occur, you must apply enhanced measures:
- Senior management approval to establish or continue the relationship
- Source of funds verification — documentary evidence of where the money comes from
- Source of wealth verification — how the customer accumulated their overall wealth
- Increased monitoring frequency — more regular transaction reviews
- Additional background research:
  - Internet searches and media checks
  - Professional reference checks
  - Industry database checks
- More detailed record keeping of all ECDD measures applied
- Consider whether to file an SMR based on findings
- Document your decision to continue or exit the relationship
ECDD Triggers
Apply ECDD when any of these occur:
- Customer is a PEP (or family/close associate of a PEP)
- Customer is from or connected to a FATF high-risk jurisdiction
- Transaction has no apparent economic purpose
- Customer's behaviour raises red flags (see SMR guide)
- You receive a request from AUSTRAC to apply ECDD
- The transaction involves new or unusual technology or payment methods
- The customer is in a high-risk industry (cash-intensive, crypto, gambling)
PEP Screening
A Politically Exposed Person (PEP) is someone who holds (or has recently held) a prominent public function. PEPs are considered higher risk because their position could be abused for money laundering.
Who is a PEP?
Domestic PEPs:
- Federal/state/territory parliamentarians
- Senior government officials
- Senior military officers
- Judges
- Heads of state-owned enterprises
Foreign PEPs:
- Heads of state, ministers, parliamentarians
- Senior government or military officials
- Senior judicial officials
- Senior executives of state-owned enterprises
PEP Associates:
- Immediate family members (spouse, children, parents, siblings)
- Close business associates
- Persons who jointly own property or businesses with a PEP
PEP Screening Process
- Screen customer name against PEP databases at onboarding
- Screen against DFAT sanctions list (mandatory)
- Re-screen at every periodic CDD review
- If match found → apply ECDD procedures
- If PEP confirmed → obtain senior management approval to proceed
- Document all screening results (positive and negative)
Sanctions Screening
Screening against the DFAT Consolidated Sanctions List is mandatory for all customers.
DFAT Screening Checklist
- Screen customer's full name (including aliases/alternate names)
- Screen beneficial owners and directors for entity customers
- Screen at onboarding (before providing services)
- Re-screen periodically (at each CDD review)
- Re-screen when DFAT updates the list (check regularly)
- If match found → do not proceed with the transaction
- Report confirmed matches to DFAT and consider filing an SMR
- Document all screening results
Current FATF High-Risk Jurisdictions (February 2026)
- North Korea — call for countermeasures
- Iran — call for countermeasures
- Myanmar — call for countermeasures
Additional countries are on the FATF grey list (under increased monitoring). Check AUSTRAC's guidance for the current list.
Transitional Rules for Existing Customers
If you had customers before 1 July 2026, you don't need to complete initial CDD on day one:
| Customer | CDD Deadline |
|---|---|
| New customers (from 1 July 2026) | Before providing any designated service |
| Existing customers (before 1 July 2026) | By 30 March 2029 |
However, during the transitional period you must still:
- Assess and manage ML/TF risks for existing customers
- File SMRs if you form a suspicion
- Apply ECDD if high-risk indicators emerge
Record Keeping
All CDD records must be kept for 7 years from the date the record was created, or 7 years after the business relationship ends (whichever is later).
Records to keep:
- Copies of all identification documents
- CDD verification results (including EIV results)
- Risk ratings and risk assessment rationale
- Sanctions and PEP screening results
- ECDD measures applied and outcomes
- Ongoing monitoring records
- Any decisions to exit a customer relationship
Common CDD Mistakes to Avoid
| Mistake | Why It Matters |
|---|---|
| Verifying identity after providing services | CDD must be completed before designated services |
| Not identifying beneficial owners | A fundamental breach — ownership structures can hide criminals |
| Using expired ID documents | Expired documents don't satisfy CDD requirements |
| Applying the same CDD to all customers | Risk-based approach means higher risk = more checks |
| Not re-screening for sanctions updates | Sanctions lists change — a customer cleared today may not be tomorrow |
| Relying on photocopies alone | You should sight the original document or use EIV |
| Not documenting your risk assessment rationale | If AUSTRAC asks, you need to explain why you assigned a particular rating |
AML Mate automates CDD with built-in client management, risk scoring, sanctions/PEP screening, and document tracking. Run a free compliance check to see what your business needs, or start your 14-day free trial.