Money and matters: A lawyer’s guide to navigating Tranche 2 Part 7 - CDD in law firms

In our previous article, we discussed the importance of risk assessments in law firms. Here, we'll go deep into another crucial aspect of AML compliance: Customer Due Diligence (CDD) procedures.

With the introduction of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (AML/CTF Bill 2024), understanding and implementing robust CDD processes is more critical than ever. As of October 2024, law firms have just 18 months or so to change how they do business fundamentally.

But first, what’s the difference between Customer Due Diligence (CDD) and Know Your Customer (KYC)

Simply, CDD is the overarching process used to meet AML/CTF laws and includes:

• Understanding the nature and purpose of a business relationship
• Identification and verification of beneficial owners and controlling parties
• KYC (individual identity verification)
• Politically exposed person (PEP) and sanctions list screening
• Ongoing monitoring of transactions and business activities

Note that KYC is a subset of CDD, focused on identity verification. However, Australia's AML/CTF Bill 2024 uses "initial customer due diligence" to encompass both traditional KYC and broader CDD elements. For the purposes of this article, we will use the term CDD to refer to the entire process and KYC to refer to individual or entity identity verification. 

The basics: What is CDD and why does it matter?

CDD is a fundamental process that helps law firms understand who their clients are and the nature of their business. As Amy Bell, CEO of Teal Compliance, global AML expert and Chair of The UK Law Society’s Economic Crime Task Force explained in a recent webinar,

 "The point of [AML] is to protect both the economy and society. And to do that is really simple. The aim is to work out, ‘How much research do I need to do on this particular client to be comfortable that they're not a criminal?’” 

It’s this objective that drives CDD practices that allow you to effectively:

1. Know your customers are who they claim to be
2. Feel comfortable that they are not criminals or undertaking criminal activities
3. Assess and avoid potential risks - be it financial, reputational, legal or other
4. Comply with regulatory requirements, and
5. Protect your firm's reputation and society at large.

Key components of CDD for law firms

Initial CDD

According to the AML/CTF Bill 2024 (Division 2, Section 28.) a reporting entity, which includes law firms, “must not commence providing a designated service to a customer without establishing on reasonable grounds each of the following matters:

The identity of the customer 

1. The identity of any person on whose behalf the customer is receiving the designated service
2. The identity of any person acting on behalf of the customer and their authority to act 
3. For non-individual customers, the identity of any beneficial owners
4. Whether the customer, beneficial owners, or related parties are politically exposed persons or persons designated for targeted financial sanctions
5. The nature and purpose of the business relationship or occasional transaction 
6. Any other matters specified in the AML/CTF Rules”

What does that mean in practice?

You need to understand (and evidence) that you know the identity of who you’re dealing with. There are several parts that make up this understanding.

Understanding the identity of the customer

In practice, this can look like:

• Collecting “reliable and independent data” that verifies the customer is who they say they are. This usually includes the customer's full name, date of birth, and current address. This is the KYC part of CDD.
• For individuals: Collecting name, date of birth and address and checking name and either date of birth or address against 2x electronic sources (e.g. drivers licence registry or Medicare) or certified ID documents
• For companies: Verifying company registration details, business address, and registration numbers

Understanding who else you may be dealing with, who could benefit from the transactions and if any of them are criminals.

This addresses situations where the customer is acting as an intermediary. In practice this means you’ll need to:

1. Verify if the customer is acting for another
   1. If yes:
      1. Conduct KYC on that individual
      2. Verify their authority to act  (e.g., power of attorney, board resolution) and the documents’ authenticity
2. For businesses:
   1. Identifying and verifying individuals who own 25% or more of the entity and are therefore ultimate beneficial owners (UBOs)
   2. Identify and verify beneficial controlling parties e.g. CEO
   3. Initially screen UBOs and controlling parties for:
      1. politically exposed person (PEP) status
      2. sanctions list inclusion
3. Have in place processes for ongoing screening:
   1. Monitor for PEP/sanction list changes
   2. Take appropriate action if status changes
4. Conduct enhanced due diligence (ECDD) procedures for identified PEPs and other high risk customers
   1. Understand the customer-beneficiary relationship

Understanding what “normal” looks like for each customer so you can manage by exception

In practice, this can look like:

• Asking about the customer's business activities or employment
• Understanding expected transaction or service patterns
• Documenting the purpose of the business relationship or specific transaction

How that translates to running your firm

CDD in law firms isn't a one-size-fits-all approach. As Amy points out, diversity in firms, their size and clientele necessitates tailored CDD strategies.

“What a local firm does is going to be different to what a multinational firm does. It's all about knowing your clientele and your services. No one-size-fits-all."

Ultimately, the goal is to maintain a robust, risk-appropriate CDD process that evolves with changing client profiles and regulatory requirements.

Taking a risk-based approach to CDD

The AML/CTF Bill 2024 Section 28(3), emphasises a risk-based approach to CDD. Firms must:

• “take reasonable steps to establish that the customer is who they claim to be.” That means conduct KYC
• Assess money laundering and terrorism financing risks. That’s understanding what they’re doing and why they’re doing it.
• Collect appropriate information. Self explanatory, and 
• Verify it using reliable, independent sources. This references government databases, verified documents and business registries.

The depth of these checks varies with the perceived risk level of each client. For more details on taking a risk-based approach see the previous article, Get the basics right: Risk assessments in law firms.

Not one and done.

The AML/CTF Bill 2024 Section 30 highlights that ongoing monitoring is crucial. Firms must continuously scrutinise: 

• client transactions and behaviours for anomalies
• reassess risks when significant changes occur, and 
• update CDD information periodically. 

This applies to both new and pre-existing clients. Special attention should be paid to unusually large, complex, or pattern-breaking transactions.

“Criminals can be very patient and may easily pass initial checks by providing seemingly legitimate documentation. In fact, initially, the UK defined CDD with a set of fixed requirements.

But by taking the same approach to every client and transaction, criminals soon worked out how to evade the process.”

In practice, this often means: 

• Implementing automated transaction monitoring systems that trigger additional reviews and potential suspicious matter report (SMR) submission when risk thresholds (volume, amount or patterns) are exceeded.
• Conducting regular staff training to recognise red flags
• Conducting regular risk reassessments triggered by significant changes such as:
  • change in business structure or UBOs
  • introduction of new services, jurisdictions or industries
• Periodic requests for updated verification documents
• Base-lining risk assessments of pre-existing clients to flag against in the future if needed. 

Are there any exemptions?

Section 29 introduces limited exemptions from immediate CDD compliance. Entities can start services before completing CDD if:

• Circumstances specified in the AML/CTF Rules are met
• It's essential for business continuity
• Policies exist to complete CDD promptly
• Additional risk is low
• Risk mitigation measures are in place

While these provisions offer some operational flexibility, they are likely temporary. The expectation is that as Tranche 2 reporting entities adapt to the new requirements, they will gradually align with international standards. 

What about verification of identity (VOI) or other similar activities? 

While VOI and KYC share some similarities, VOI is specific to property transactions and is narrower in scope than AML requirements. AML rules use a risk-based approach and are more flexible in what is considered acceptable for identification and verification.

Simply conducting VOI checks does not meet the broader obligations under AML regulations. In this article, we explain the similarities and differences. For a fuller explanation read VOI vs KYC; everything you need to know. 

There are challenges, but opportunities to learn from others.

Challenges

Implementing CDD procedures in line with the new legislation can present challenges, particularly for smaller firms. Common issues include:

• Resource constraints
• Difficulty verifying international clients
• Difficulty conducting complex CDD
• Balancing client confidentiality and CDD requirements
  Keeping up with regulations

Opportunities

Almost every law firm, in every country, conducts CDD and has overcome these challenges. Here’s how:

Leverage technology 

Use holistic AML case management systems to streamline the workflow and ensure compliance with legislative requirements.

Ask an expert

Don’t go it alone. There is a large group of consultants and training providers in Australia already. Work with them to get it right from the start. 

Adopt a risk-based approach 

Focus on higher-risk clients and matters. See Get the basics right: Risk assessments in law firms for more information.

Conduct regular and relevant training

From unique fake Spotify streams to mundane property and luxury goods sales, criminals are always looking for new ways to clean their crime-fuelled gains. 

Continuous training, contemporary money laundering examples and real-time guidance can help reinforce best practices and keep AML considerations top of mind for everyone.

Don’t forget your people

Much like cyber-security, AML is now everybody’s concern. Cultivate a culture of compliance where every member of the team understands the importance of CDD, their role in the process, and the specific requirements outlined in the legislation.

Summary

Remember, effective KYC is not just about compliance—it's about protecting your firm, your clients, and the integrity of the legal profession as a whole.

Learn from others, stay updated on evolving criminal tactics, balance technology with human elements, view CDD as risk protection and feedback through industry bodies or direct to the Governor General to make the bill work in practice.