    ComplyReady

    Customer Due Diligence (CDD): A Practical Guide for Australian Businesses

    ComplyReady Team | 27 March 2026

    Customer Due Diligence — commonly referred to as CDD — is one of the most important obligations under Australia's AML/CTF Act. It is the process of verifying who your customers are, understanding the nature of their business, and assessing the money laundering and terrorism financing risks they present. For the thousands of businesses entering the AML/CTF regime under Tranche 2 from 1 July 2026, understanding CDD is essential.

    What Is Customer Due Diligence?

    CDD is the process of identifying and verifying your customer's identity before you provide a designated service. It goes beyond simply collecting a driver's licence. CDD requires you to:

    • Identify the customer (collect their name, date of birth, address, and other identifying information)
    • Verify their identity using reliable, independent documentation
    • Understand the purpose and intended nature of the business relationship
    • Assess the ML/TF risk the customer presents
    • Monitor the relationship on an ongoing basis

    CDD is not a one-time checkbox exercise. It is an ongoing obligation that continues throughout the customer relationship.

    When Is CDD Required?

    You must conduct CDD:

    • Before providing a designated service to a new customer. You cannot proceed with the service until CDD is complete, except in limited circumstances where it can be completed as soon as practicable after the service has commenced.
    • When you have doubts about previously obtained customer identification information
    • When a transaction is suspicious, regardless of whether it involves a designated service
    • Periodically during the relationship, particularly for ongoing or repeat clients, to ensure information remains current
    • When the customer's risk profile changes — for example, a change in ownership structure, a significant increase in transaction volume, or the introduction of new parties

    Standard CDD

    Standard CDD is the baseline level of due diligence that applies to all customers. It involves:

    For Individual Customers

    Collect and verify the customer's full name, date of birth, and residential address using at least one primary identification document and, where necessary, a secondary document.

    Acceptable primary ID documents:

    • Australian passport (current or expired within the last 2 years)
    • Australian driver's licence or learner's permit
    • Australian proof-of-age card
    • Foreign passport (must include a photo)
    • ImmiCard issued by the Department of Home Affairs

    Acceptable secondary ID documents:

    • Medicare card
    • Australian birth certificate or birth extract
    • Centrelink concession card
    • Australian citizenship certificate
    • Utility bill or rates notice (for address verification)

    You must sight the original document or a certified copy. Recording the document type, number, and issuing authority is mandatory.

    For Companies

    • Verify the company's full name and ABN/ACN using an ASIC search
    • Identify the directors and shareholders
    • Identify the beneficial owners — see below
    • Understand the company's ownership and control structure

    For Trusts

    • Obtain and review the trust deed
    • Identify the trustee (individual or corporate)
    • Identify the beneficiaries (or class of beneficiaries for discretionary trusts)
    • Identify the settlor and appointer
    • Identify beneficial owners of the trust

    Enhanced Due Diligence (EDD)

    Enhanced due diligence applies when the customer or transaction presents a higher-than-normal ML/TF risk. Situations that trigger EDD include:

    • The customer is a politically exposed person (PEP) — a person who holds a prominent public position (domestic or foreign), or a close associate or family member of such a person
    • The customer is from or connected to a high-risk jurisdiction identified by the FATF or DFAT
    • The customer uses complex ownership structures (multiple layers of companies, trusts, or nominee arrangements)
    • The transaction involves unusually large amounts or has no clear economic rationale
    • The customer is reluctant to provide identification or provides inconsistent information
    • A third party is providing funds or instructions on behalf of the customer

    EDD measures may include:

    • Obtaining additional identification documents or independent verification
    • Conducting source of funds and source of wealth checks
    • Obtaining senior management approval before establishing or continuing the relationship
    • Increasing the frequency of ongoing monitoring
    • Seeking independent legal or compliance advice

    Beneficial Ownership: The 25% Threshold

    Identifying the beneficial owner is one of the most important aspects of CDD for entities (companies and trusts). The beneficial owner is the individual who ultimately owns or controls 25% or more of the entity.

    For companies, this means tracing through the ownership chain to find natural persons (individuals) who hold 25% or more of the shares or voting rights, or who exercise control through other means.

    For trusts, you must identify individuals who hold a beneficial interest of 25% or more, as well as the trustee, appointer, and settlor.

    Where no individual meets the 25% threshold, you must identify the individuals who exercise effective control over the entity — typically the senior managing officials or directors.

    Beneficial ownership identification can be complex, particularly for multi-layered structures. If a customer is unwilling or unable to provide beneficial ownership information, this is itself a red flag.

    Ongoing CDD

    CDD does not end after onboarding. Ongoing CDD requires you to:

    • Monitor transactions for consistency with the customer's known profile and risk rating
    • Update customer information at regular intervals and whenever there is a material change
    • Re-verify identification if you have reason to doubt the accuracy of existing records
    • Reassess risk ratings periodically and in response to triggers (e.g., unusual transactions, changes in ownership, adverse media)

    For existing customers being transitioned under the Tranche 2 reforms, there is a 3-year transition period (31 March 2026 to 30 March 2029) to bring existing client relationships into compliance with the new CDD requirements. This does not mean you can wait three years — it means you should prioritise higher-risk clients and work systematically through your client base.

    Record Keeping: The 7-Year Rule

    All CDD records must be retained for a minimum of 7 years from the date the record was created or the relationship ended, whichever is later. This includes:

    • Copies of identification documents collected
    • Verification records (how and when identity was verified)
    • Risk assessment records
    • Transaction records related to designated services
    • Ongoing monitoring notes and any updated information
    • Suspicious matter reports and related documentation

    Records must be stored securely, be retrievable within a reasonable timeframe if requested by AUSTRAC, and be maintained in a way that preserves their integrity.

    Common CDD Mistakes

    • Collecting ID but not verifying it — Photocopying a licence is not CDD. You must verify the information against a reliable source.
    • Skipping beneficial ownership — Identifying the company is not enough. You must identify the natural persons who ultimately own or control it.
    • No ongoing monitoring — CDD at onboarding is a starting point, not the finish line.
    • Inconsistent processes — Every client should go through the same CDD process. Ad hoc approaches create gaps.
    • Poor record keeping — If you cannot produce your CDD records seven years later, AUSTRAC will treat it as non-compliance.

    Build CDD Into Your Workflow

    Effective CDD should not be a separate compliance exercise that interrupts your business. It should be integrated into your client onboarding and engagement workflow. The best approach is to make CDD a standard part of how you take on new clients and manage existing relationships.

    ComplyReady provides digital CDD workflows tailored to your industry — with guided identity verification, beneficial ownership identification, risk assessment, and secure record keeping that meets AUSTRAC's seven-year retention requirement.

    Ready to simplify your AML/CTF compliance? Try ComplyReady free for 14 days.
