Customer Due Diligence Australia

⚡ Direct Answer: Customer Due Diligence (CDD) in Australia is the process by which reporting entities identify their customers, verify that identity, understand the nature of the business relationship, and assess the money laundering and terrorism financing risks associated with each customer. CDD is a mandatory obligation under the AML/CTF Act, required before providing designated services and on an ongoing basis throughout the relationship.

What is CDD and Why Does It Matter?

Customer Due Diligence is at the heart of any effective AML/CTF compliance framework. Without knowing who your customers are, you cannot identify suspicious behaviour, assess risk, or report to AUSTRAC with confidence. CDD is the mechanism through which businesses gain the information they need to fulfil their broader AML/CTF obligations.

AUSTRAC’s guidance is clear: you must conduct initial CDD on customers before you start to provide designated services, and you must conduct ongoing CDD throughout the relationship to monitor customers and manage their evolving risk profile.

Poor CDD is one of the most common reasons AUSTRAC takes enforcement action. Businesses that apply generic, tick-box CDD without properly understanding their customers are exposing themselves — and the financial system — to significant risk.

Initial CDD: What You Must Do Before Providing Services

Before providing designated services to a new customer, you must:

  1. Verify the customer’s identity using reliable and independent documents, data, or information. For individuals, this typically means verifying full name, date of birth, and residential address.
  2. Verify the identity of any beneficial owners — the individuals who ultimately own or control a company, trust, or other entity.
  3. Understand the nature and purpose of the customer’s intended business relationship with you.
  4. Assess the ML/TF risk associated with the customer and assign a risk rating.
  5. Identify whether the customer is a Politically Exposed Person (PEP) or associated with a PEP.
  6. Screen the customer against relevant targeted financial sanctions lists.

You are not required to make copies of identification documents — but you must keep records of what steps you took to verify identity and what information the customer provided.

Three Tiers of CDD: Standard, Simplified, and Enhanced

Standard CDD

Standard CDD applies to the majority of customers. It involves the verification steps described above, with a level of rigour proportionate to the assessed risk. Standard CDD must be completed before providing designated services.

Simplified CDD

Simplified CDD applies in limited, prescribed circumstances where the ML/TF risk is demonstrably low. For example, it may apply to certain government bodies, listed entities on regulated exchanges, or customers in lower-risk product categories. The conditions for applying simplified CDD are set out in the AML/CTF Rules and must be met before simplification is applied.

Simplified CDD is not simply doing less — it is a formal step that requires you to have assessed and documented why simplified treatment is appropriate.

Enhanced Due Diligence (EDD)

Enhanced Due Diligence (EDD) is required for higher-risk customers and must involve additional scrutiny beyond standard CDD. AUSTRAC expects entities to apply EDD when:

  • The customer is assessed as high-risk based on your risk assessment
  • The customer is a Politically Exposed Person (PEP) or a family member or close associate of a PEP
  • The customer is from or based in a high-risk country or jurisdiction
  • The transaction type or service is assessed as higher risk
  • The customer’s ownership or control structure is complex and opaque
  • The source of funds or wealth is unclear or inconsistent with the customer’s known profile

EDD measures may include obtaining additional information about the source of funds and wealth, conducting more frequent transaction monitoring, requiring senior management approval before providing services, and applying closer scrutiny to the customer’s explanations.

Ongoing CDD: Monitoring the Relationship

CDD is not a one-time exercise. Ongoing CDD requires you to monitor your customers throughout the relationship to detect and manage changes in their risk profile. This includes:

  • Transaction monitoring — reviewing customer transactions to identify patterns that are inconsistent with the customer’s known profile or with what you would expect given the nature of the relationship
  • Reviewing and updating CDD information when circumstances change (e.g., change in business ownership, source of funds, or unusual transaction behaviour)
  • Re-verifying customer identity when existing information becomes inadequate or out of date
  • Updating customer risk ratings when new information suggests the risk has changed

If your ongoing CDD reveals something suspicious, you have an obligation to consider whether a Suspicious Matter Report (SMR) is required.

CDD for Different Customer Types

CDD requirements differ depending on the type of customer:

  • Individual customers: verify full name, date of birth, and residential address using reliable sources.
  • Companies and corporations: verify the entity’s registration and identify ultimate beneficial owners (individuals who own or control 25% or more of the entity).
  • Trusts: identify the trust and verify the identities of trustees, settlors, and beneficiaries.
  • Partnerships: verify the partnership and identify the key partners.
  • Government bodies: may qualify for simplified CDD in certain circumstances.
  • Non-profit organisations: may carry elevated risk and require more detailed CDD.

Record Keeping for CDD

You must keep records of your CDD processes and findings. Under the Act, records must include:

  • Details of the verification process (what information was obtained and how it was verified)
  • Customer identification information
  • Customer risk rating and any updates to it
  • Records of EDD measures applied to high-risk customers
  • Records of PEP and sanctions checks

CDD records must be retained for at least 7 years from the date of record creation. Records must be accessible and retrievable if requested by AUSTRAC.

Frequently Asked Questions

What is the difference between CDD and KYC?

KYC (Know Your Customer) is the process of verifying a customer’s identity — it is one component of CDD. CDD is broader: it encompasses identity verification (KYC) plus risk assessment, understanding the purpose of the relationship, PEP and sanctions screening, and ongoing monitoring.

When must CDD be completed?

Initial CDD must be completed before you start to provide designated services to a customer. If you cannot complete CDD satisfactorily, you must not commence the provision of services and must consider whether an SMR is required.

Can I rely on CDD conducted by a third party?

Yes, in certain circumstances. The Act permits reliance on CDD conducted by certain third parties, but you must assess whether the third party is properly conducting the CDD, record those assessments, and retain records for 7 years. You remain responsible for compliance.

Do I need to re-do CDD for existing customers?

Under the 2026 reforms, you may need to update CDD for some existing customers to meet new requirements. Additionally, ongoing CDD means you should be reviewing and updating customer information regularly, particularly for higher-risk customers.

What happens if I can’t verify a customer’s identity?

If you cannot satisfactorily verify a customer’s identity, you must not commence or continue providing the designated service. You should also consider whether the circumstances give rise to an SMR obligation.
