What is Customer Due Diligence (CDD) under Australian AML/CTF law?

Customer Due Diligence (CDD) is the process of identifying and verifying your clients before and during the provision of designated services. Under the AML/CTF Act, CDD requires collecting specific information about the customer, verifying that information against reliable independent sources, and maintaining records of the process.

What information must be collected for CDD on individual clients?

For individual clients, you must collect full name, date of birth, and residential address. At least one of these must be verified against a reliable and independent source, such as a government-issued photo ID, an electronic verification service (DVS check), or a combination of documents.

What CDD is required for companies and trusts?

For companies, you must identify the company name, ABN/ACN, registered address, and the names of directors. You must also identify beneficial owners — individuals who own 25% or more, or who exercise effective control. For trusts, you must identify the trustee(s), settlor, and beneficiaries or class of beneficiaries.

What is the difference between standard CDD and Enhanced Customer Due Diligence (ECDD)?

Standard CDD applies to all clients and involves basic identity verification. Enhanced Customer Due Diligence (ECDD) is required for higher-risk clients — including Politically Exposed Persons (PEPs), clients from high-risk jurisdictions, or clients where the risk assessment indicates elevated ML/TF risk. ECDD requires additional steps including source of wealth and source of funds verification, and senior management sign-off.

Can I rely on electronic identity verification (DVS checks) for CDD?

Yes. Electronic verification via the Document Verification Service (DVS) or an accredited biometric identity verification provider is acceptable under AUSTRAC's AML/CTF Rules. It is generally preferred over manual document collection as it provides a stronger audit trail and is harder to circumvent with forged documents.

How often must CDD be refreshed for existing clients?

CDD must be conducted on an ongoing basis. While there is no fixed re-verification schedule mandated by AUSTRAC, your AML/CTF Program must define a risk-based approach to periodic re-verification. High-risk clients should be re-verified more frequently — at minimum annually. Standard-risk clients are often re-verified every 2-3 years or when there is a material change in the relationship.

Customer Due Diligence Requirements in Australia: What You Must Collect

Customer Due Diligence (CDD) is the cornerstone of AML/CTF compliance. Under Australia's AML/CTF Act, every reporting entity — including accounting firms, lawyers, and real estate agents covered by Tranche 2 — must verify the identity of their clients before providing designated services and maintain ongoing monitoring throughout the relationship.

This guide explains exactly what information must be collected, how it must be verified, and when the bar is raised to Enhanced Customer Due Diligence (ECDD).

CDD for Individual Clients

For individual clients, your CDD process must collect and verify:

Full legal name (as on official ID)
Date of birth
Residential address (not a PO Box)

At least one of these must be verified against a reliable, independent source. Acceptable verification methods include:

Electronic verification via the Document Verification Service (DVS) — checking the document details against government databases
Biometric identity verification matching a selfie to a government-issued document
Physical inspection of an original government-issued photo ID (passport, Australian driver licence)
A combination of documents — e.g., one primary document (birth certificate) plus one secondary document (rates notice for address)

AUSTRAC strongly favours electronic verification as it produces an auditable trail and is more resistant to document fraud.

CDD for Companies

For corporate clients, CDD must cover:

Company name and ACN/ABN
Registered principal place of business
Names of all directors
Beneficial owners — individuals who own 25% or more of the company, or who exercise effective control over it
Verification that the company is incorporated in Australia (ASIC register check)

Identifying beneficial owners is where many firms fall short. The 25% threshold is a floor, not a ceiling — AUSTRAC's guidance makes clear that individuals exercising effective control must be identified even if they hold no formal equity stake. Beneficial owners must then be individually identified using the individual CDD process above.

CDD for Trusts

Trusts are common in Australian accounting engagements. Your CDD for a trust must capture:

The trust deed (or certified extract confirming the trust's name, type, and jurisdiction)
Identity of the trustee(s) — verified as individual or corporate entities
Name of the settlor
Beneficiaries (or class of beneficiaries for discretionary trusts) — named beneficiaries must be individually identified
For SMSFs: both individual and corporate trustees must be verified

When Enhanced Due Diligence (ECDD) Applies

Standard CDD is not sufficient for all clients. ECDD is mandatory when:

The client is a Politically Exposed Person (PEP) or an immediate family member or close associate of a PEP
The transaction or client involves a high-risk jurisdiction (FATF grey or black list countries)
Your risk assessment identifies the client as high risk for ML/TF
An SMR has been submitted or considered in relation to the client

ECDD requires additional steps beyond standard CDD:

Senior management approval to commence or continue the relationship
Source of wealth verification — how did this client accumulate their overall wealth?
Source of funds verification — where did the specific funds in this transaction originate?
Enhanced ongoing monitoring — more frequent and deeper review of transactions
Documentation — all steps must be fully documented in the client file

Ongoing Monitoring Requirements

CDD is not a one-time exercise. Under the AML/CTF Act, reporting entities must monitor their client relationships on an ongoing basis. This means:

Screening clients against PEP and sanctions lists at regular intervals (or in real-time using automated tools)
Re-verifying identity when documents expire or when a material change occurs in the client relationship
Monitoring transactions for patterns inconsistent with the client's known profile
Escalating and documenting any concerns through your SMR workflow

Automate Your CDD with Clear AML

Clear AML's automated KYC/KYB platform handles the full CDD lifecycle — collecting client information, running DVS and biometric verification, screening against all required watchlists, and generating a complete audit-ready risk assessment record. Every CDD action is logged in the immutable audit trail — retained for 7 years, retrievable in seconds.