Conducting Customer Due Diligence (CDD)

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.


CDD helps you understand who your customers are and the money laundering (ML), terrorism financing (TF), and proliferation financing (PF) risks they may bring to your business.

As currently drafted, the proposed AML/CTF Act establishes the following CDD obligations:

  • Initial CDD (Section 28)
  • Ongoing CDD (Section 30)
  • Enhanced CDD (Section 32)
  • Simplified CDD (Section 31)

The information you collect and verify to complete CDD will depend on the ML/TF/PF risk profile of the customer, with enhanced due diligence (EDD) being applied in higher risk scenarios and simplified due diligence being available in low risk scenarios.

In this article, we’ll walk through what each obligation entails, provide examples where necessary, and share best practices or common approaches taken.

Note that the new AML/CTF rules have not been finalised yet, so this article is based on the current proposals. This article is for guidance only, and we recommend you speak to a professional to understand your business risks and the appropriate approach.

Stage 1: Initial CDD

Initial CDD involves verifying customer identity and assessing their risk level before providing services. Businesses must establish if the customer, any beneficial owner, or agent (Section 28(2)):

  • Is who they claim to be, based on reliable and independent documents (e.g., passports, driver’s licences, reputable electronic databases).
  • Is subject to targeted sanctions, as published by the Department of Foreign Affairs and Trade (DFAT) and other international or extraterritorial sanctions, e.g. the United States Office of Foreign Assets Control (OFAC) lists.
  • Is a current or former politically exposed person (PEP) or a relative/close associate of a PEP.

Customer Identification Program (CIP)

To comply with Section 28, businesses must implement a structured CIP, which involves:

  • Gathering identity documents such as passports, driving licences or government-issued IDs.
  • Cross-checking details with reputable sources (e.g. credit bureaus, government registries).
  • Identifying beneficial ownership structures and verifying corporate customers.

Risk-based CDD levels

Businesses should apply risk-based CDD levels:

  • Initial CDD (Section 28) - required for most individuals and businesses in low- or medium-risk jurisdictions.
  • Simplified Due Diligence (Section 31) - applied to regulated entities, listed companies and government-supervised institutions.
  • Enhanced Due Diligence (EDD) (Section 32) - required for high-risk individuals, PEPs and transactions involving high-risk jurisdictions or industries.

Stage 2: Ongoing Customer Due Diligence (Ongoing CDD)

Continuously monitor and manage risks throughout the client relationship

Ongoing CDD requires businesses to continuously monitor and manage risks throughout the customer relationship (Section 30). This includes:

  • Monitoring transactions and behaviours for suspicious activity.
  • Updating customer risk profiles in response to significant events.
    • Example 1: A client who was previously considered low risk engages their law firm for a new business venture that involves international trade with high-risk jurisdictions.
    • Example 2: A long-time client, previously purchasing residential properties, suddenly starts acquiring multiple commercial properties under newly formed corporate entities.
    • Example 3: For an accountant, a business client expands into cryptocurrency investments.
  • Reviewing, updating and re-verifying information as needed.
    • Example: A client changes their primary residence to a high-risk country, requiring re-verification of their source of wealth and funds.

Ongoing monitoring & compliance checks

To remain compliant, businesses should establish continuous transaction monitoring with:

  • Alerts for suspicious activities.
  • Regular customer data reviews to update risk assessments.
  • Investigation and escalation protocols for high-risk transactions.

Many companies use transaction monitoring technology, but for smaller businesses or those with lower transaction volumes, a spreadsheet may work too.

Stage 3: Enhanced Due Diligence (EDD) for high-risk customers only

For high-risk customers, businesses must conduct additional verification and scrutiny (Section 32), including:

  • Deeper identity verification and transaction monitoring. For example, conducting biometric verification and document analysis.
  • Additional scrutiny for PEPs, high-risk industries or high-risk jurisdictions. For example, reviewing a new client's overseas subsidiaries and ownership structures to detect shell company and PEP risks.
  • Verification of the source of funds and/or wealth to prevent illicit activities. For example, requesting bank statements, tax records or audited financials to prove their source of funds.

Operationalising KYC and CDD

1. Structuring a CDD Standard Operating Procedure (SOP)

A well-defined SOP ensures consistent CDD implementation. Key elements include:

  • Objective - define the purpose and scope of the SOP.
  • Regulatory compliance - align procedures with applicable AML laws.
  • Step-by-step guidelines - detail each verification stage and escalation procedure.
  • Roles & responsibilities - assign specific compliance tasks to designated personnel.
  • Escalation & reporting - outline procedures for reporting suspicious activities.

2. Implementing an effective CDD framework

What needs to be done?

  • Clearly define roles for compliance teams, frontline staff and risk officers.
  • Establish documented workflows for each level of due diligence.
  • Implement efficient data collection and management practices.
  • Consider using a centralised KYC platform for collaboration.

When should it be done?

  • At onboarding: apply appropriate due diligence before providing services.
  • During ongoing monitoring: update customer profiles when risk factors change.
  • Regulatory updates: revise SOPs to align with evolving AML laws.
  • Internal audits: periodically assess compliance effectiveness.

How should it be implemented?

  • Train staff on compliance requirements and best practices.
  • Establish clear data collection and storage protocols.
  • Design SOPs to be scalable and adaptable.
  • Assign compliance oversight teams to ensure implementation and reporting.

3. Enhancing CDD compliance with technology

AML compliance is now generally considered to require at least some use of technology. Here are some examples of what helps ease the burden of AML.

  • Automated document collection and verification - streamline the onboarding process by digitising document collection, verification and follow-up requests.
  • Smarter risk profiling - centralise and make consistent customer risk assessments by using real-time, embedded risk assessment questionnaires associated with each client.
  • Comprehensive audit trail - maintain a secure, easily accessible record of all KYC actions to ensure compliance and facilitate audits.
  • Collaborative workflow management - look for solutions that allow for coordination between compliance teams, legal teams and frontline staff by centralising case management in a single platform.
  • Real-time PEP and sanctions screening - subscribe to lists, or use technology solutions that include the subscriptions, to continuously monitor customer profiles against global watchlists.

For a full analysis of AML technology, read the AML Tech Buyer's Guide.


4. Special considerations for pre-commencement customers

Pre-commencement customers (customers you already work with before the legislation comes into effect) do not require initial or ongoing CDD unless:

  • A suspicious matter report (SMR) is needed (Section 36).
  • A significant change in the nature of the business relationship occurs, increasing the ML/TF/PF risk to medium or high (see the examples above in Stage 2: Ongoing CDD).

This approach helps reduce regulatory burdens while ensuring proper oversight of customers whose risk profiles change over time.


5. Handling complex KYC cases

Some customer types require additional considerations. For example:

KYC for trusts

  • Identify and verify the trust’s beneficial owners and controlling parties.
  • Collect and analyse the trust deed, registration details and relevant documentation.
  • Implement risk-based monitoring for ongoing compliance.

KYC for businesses

  • Verify company registration, shareholder details and ownership structures.
  • Conduct enhanced due diligence on corporate entities operating in high-risk industries.
  • Monitor for suspicious transactions or discrepancies in financial activity.

KYC for self-managed super funds (SMSFs)

  • Collect and verify:
    • Superannuation fund name
    • Australian Business Number (ABN)
    • Trustees/principal members’ full names
  • Verify the superannuation fund’s status through the Australian Taxation Office (ATO) Super Fund Lookup.
  • If the fund is not listed on the ATO Super Fund Lookup, request a certified copy of the fund’s trust deed and apply standard due diligence procedures.

KYC for public entities

  • Validate entity legitimacy via official records and government verification - proof of public status.
  • Identify any links to PEPs or sanctioned individuals/entities.

6. Avoiding common pitfalls in CDD

Conducting CDD can be overwhelming, but Australian companies have the benefit of being able to learn from others. Based on international feedback, these are the most common pitfalls in CDD:

  • Over-reliance on manual processes - delays onboarding and increases errors.
  • Lack of continuous monitoring - reduces the ability to detect emerging risks.
  • Failure to update SOPs - leads to non-compliance with evolving regulations.
  • Fragmented data management - leads to inefficiencies in verification and monitoring.
  • Lack of leadership buy-in - without executive support, CDD initiatives struggle to gain traction and resources.
  • Pushback from clients - customers may resist providing the required documents, slowing down onboarding.
  • Limited resources and expertise - understaffed or undertrained teams can’t effectively implement or enforce SOPs.
  • Poor integration with existing systems - disconnected workflows create bottlenecks and compliance gaps.
  • Inconsistent risk-based approach - applying CDD measures inconsistently leads to regulatory and reputational risks.

About First AML

This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face as they try to scale their own AML is in our DNA.

That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
