2026 AML/CTF Reforms

Customer Due Diligence (CDD)

Complete guide to Customer Due Diligence under Australian AML/CTF law including 2026 reforms. Learn initial CDD, ongoing monitoring, unusual transaction indicators, and record keeping requirements based on AUSTRAC guidance.

Key Information

Customer Due Diligence: What It Really Means

Customer Due Diligence (CDD) is the process of verifying who your customers are, understanding what they're doing, and watching for red flags.

It's not optional. It's not something you do "when you have time." It's a core requirement under Australia's AML/CTF Act. And from July 1, 2026, Tranche 2 entities (lawyers, accountants, real estate agents) need to get very familiar with it.

Let's break down what CDD actually involves — and why it matters.

The Two Phases of CDD

1. Initial CDD (Customer Onboarding)

Before you provide designated services to a customer, you need to:

Verify their identity (KYC - Know Your Customer):

  • Collect reliable ID documents (passport, driver's license)
  • Verify those documents are genuine
  • Confirm the person is who they claim to be

Identify beneficial owners:

  • If your customer is a company or trust, who actually controls it?
  • Who owns 25%+ of the entity?
  • Who has ultimate control over decision-making?

Screen for PEPs (Politically Exposed Persons):

  • Does your customer (or any of their beneficial owners) hold, or have they recently held, a prominent public position?
  • Foreign PEPs require mandatory Enhanced Due Diligence

Screen for sanctions:

  • Check the DFAT Consolidated List and UN sanctions lists
  • If there's a match, you cannot onboard them

Assess ML/TF risk:

  • Based on who they are, what they're doing, where they're from
  • High-risk customers require Enhanced Due Diligence

2. Ongoing CDD (After Onboarding)

Once you've onboarded a customer, you don't just forget about them. You monitor them continuously:

Watch for unusual transactions:

  • Large transactions that don't match their profile
  • Structuring (breaking transactions into smaller amounts to avoid thresholds)
  • Layering (moving money through multiple accounts)

Watch for unusual behaviours:

  • Nervous or evasive when questioned
  • Can't explain source of funds
  • Rushing transactions
  • Asking about reporting thresholds (red flag!)

Update customer information:

  • If their circumstances change, update your records
  • Re-assess their ML/TF risk if needed

File SMRs when required:

  • If you spot suspicious activity, report it to AUSTRAC
  • Within 3 business days (or 24 hours for terrorism financing)

What You're Monitoring For

AUSTRAC expects you to monitor customers for activity that might indicate:

Money laundering — Criminals cleaning proceeds of crime

Terrorism financing — Funding terrorist organisations or activities

Proliferation financing — Funding weapons of mass destruction programs

Other serious crimes: Bribery, fraud, tax evasion, drug trafficking, human trafficking, cybercrime, corruption

Red Flags: Unusual Transactions

Here's what "unusual" looks like:

Inconsistent with customer profile:
Customer's a student with no income. They're depositing $100,000 monthly. That's unusual.

Structuring:
Customer makes deposits of $9,500, $9,800, and $9,700 over three days. Each is just under the $10,000 TTR threshold. That's deliberate avoidance. That's suspicious.

Complex transactions:
Funds move through multiple accounts, multiple jurisdictions, multiple entities. Why? What's the legitimate business purpose?

High-risk jurisdictions:
Transactions involving countries with weak AML regimes, high corruption, or known for drug/arms trafficking.

Large cash:
Customer's business normally operates on card payments. Suddenly they're depositing large cash amounts. Where's it coming from?

PEPs or sanctions hits:
Any transaction involving a PEP (especially foreign) or someone on sanctions lists needs extra scrutiny.

Wealth doesn't match circumstances:
Customer claims to be unemployed. They're buying a $3 million property in cash. Something doesn't add up.

Using structures to hide ownership:
Shell companies, offshore trusts, nominee directors. Why? Legitimate privacy, or hiding illicit funds?
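As an added example that is not from the original page or from ARCaml/iDeedworks, the structuring and profile-inconsistency indicators above written as two monitoring rules run over a constructed sample ledger. The $10,000 TTR threshold comes from the page; the customer ids, profiles, 90% lower band, 7-day window and 2x turnover multiple are illustrative assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

TTR_THRESHOLD = 10000.0  # AUD cash threshold for a threshold transaction report (TTR)

# Constructed sample ledger: (customer id, date, channel, amount in AUD). C001 mirrors the page's pattern.
SAMPLE_TRANSACTIONS = [
    ("C001", date(2026, 7, 1), "cash", 9500.0),
    ("C001", date(2026, 7, 2), "cash", 9800.0),
    ("C001", date(2026, 7, 3), "cash", 9700.0),
    ("C002", date(2026, 7, 1), "card", 120.0),
    ("C002", date(2026, 7, 5), "cash", 25000.0),
    ("C003", date(2026, 7, 1), "cash", 9900.0),
]

# Constructed (hypothetical) customer profiles: expected monthly turnover and whether cash is usual for them.
PROFILES = {
    "C001": {"expected_monthly": 4000.0, "cash_usual": True},
    "C002": {"expected_monthly": 3000.0, "cash_usual": False},
    "C003": {"expected_monthly": 50000.0, "cash_usual": True},
}

def structuring_alerts(txns, window_days=7, band=0.90, min_count=3):
    """Flag min_count+ cash transactions in [band*threshold, threshold) within window_days."""
    near_threshold = defaultdict(list)
    for cust, day, channel, amt in txns:
        # Amounts at or above the threshold are reportable as TTRs, so they are not counted here.
        if channel == "cash" and band * TTR_THRESHOLD <= amt < TTR_THRESHOLD:
            near_threshold[cust].append(day)
    alerts = []
    for cust, days in near_threshold.items():
        days.sort()
        for i, start in enumerate(days):
            in_window = [d for d in days[i:] if d - start <= timedelta(days=window_days)]
            if len(in_window) >= min_count:
                alerts.append((cust, "structuring", len(in_window)))
                break  # one alert per customer is enough for the analyst queue
    return alerts

def profile_alerts(txns, profiles, multiple=2.0):
    """Flag large cash the profile does not explain, and monthly totals above multiple x expected turnover."""
    alerts = []
    monthly = defaultdict(float)
    for cust, day, channel, amt in txns:
        monthly[(cust, day.year, day.month)] += amt
        if channel == "cash" and amt >= TTR_THRESHOLD and not profiles[cust]["cash_usual"]:
            alerts.append((cust, "unexpected_large_cash", amt))
    for (cust, _year, _month), total in monthly.items():
        if total > multiple * profiles[cust]["expected_monthly"]:
            alerts.append((cust, "inconsistent_with_profile", total))
    return alerts
```

A hit from either rule only starts the investigate, assess, document and decide process; it is not by itself reasonable grounds for an SMR.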

Red Flags: Unusual Behaviours

Sometimes it's not what they're doing, it's how they're acting:

Nervous or evasive: Customer gets defensive when you ask basic questions about source of funds.

Coached answers: Responses sound scripted. Like they've been told what to say.

Third-party direction: Someone else is clearly controlling the transaction. Customer seems like a front.

Rushing: "Can we do this quickly? I need to finish today." Why the urgency?

Unwilling to provide info: Basic questions about their business or source of wealth? "I'd rather not say."

Frequent KYC changes: Address changes monthly. Phone numbers change. Names change. What are they hiding?

Trying to influence staff: Offering bribes, gifts, or "incentives" to ignore red flags.

Asking about reporting: "Do you report this to anyone?" "What are the thresholds?" Criminals ask these questions.

How to Respond to Red Flags

You spot unusual activity. Now what?

Step 1: Investigate
Ask the customer for more information. What's the source of these funds? Why the sudden change in activity?

Step 2: Assess
Is there a legitimate explanation? Customer sold their house (that's why there's a large deposit). Business had a big sale (that's why revenue spiked). These can be normal.

Step 3: Document
Record what you found, what the customer said, and your assessment.

Step 4: Decide
Based on your investigation:

  • Continue as normal: Legitimate explanation, no further action needed
  • Apply Enhanced Due Diligence: Higher risk, need more scrutiny
  • File an SMR: Reasonable grounds to suspect ML/TF
  • Refuse the transaction: Risk is too high, can't proceed
  • Terminate the relationship: Customer won't cooperate or risk is unmanageable

Enhanced Due Diligence (EDD)

Some customers require more than standard CDD. When do you apply EDD?

Mandatory EDD situations:

  • Foreign PEPs: Always. No exceptions.
  • High-risk jurisdictions: Customers from countries with weak AML regimes (FATF lists)
  • Formed a suspicion: You filed an SMR but want to continue the relationship
  • Complex ownership: Shell companies, offshore structures, unclear beneficial ownership

What EDD involves:

  • Source of funds verification (where'd the money come from?)
  • Source of wealth verification (how'd they accumulate their overall assets?)
  • Senior management approval before onboarding
  • More frequent monitoring
  • More detailed record keeping

Simplified CDD (Low-Risk Customers)

Not every customer is high-risk. For low-risk customers, you can apply simplified CDD:

  • Less intensive monitoring
  • Less frequent KYC updates
  • Streamlined verification processes

But only if:

  • Your risk assessment confirms they're low-risk
  • You're not required to apply EDD
  • Your AML/CTF policies allow for simplified CDD

Example of low-risk: Long-standing customer, salaried employee, domestic transactions, no red flags, transparent dealings.

Record Keeping

Everything you do for CDD? Document it. All of it.

You need records showing:

  • How you verified customer identity
  • How you identified beneficial owners
  • How you assessed ML/TF risk
  • What monitoring you performed
  • What alerts were generated and how you investigated them
  • What decisions you made and why

How long do you keep records? Seven years. Minimum.

Why? Because AUSTRAC can audit you at any time. If you can't produce records, you can't prove you did CDD. And if you can't prove it, you're non-compliant.

For Tranche 2 Entities

If you're a lawyer, accountant, or real estate agent, CDD is coming for you on July 1, 2026.

That means you'll need:

  • Systems to verify customer identity (KYC software or process)
  • Beneficial ownership identification (for companies and trusts)
  • PEP screening (access to PEP databases)
  • Sanctions screening (DFAT lists)
  • Risk assessment frameworks (to categorise customers as low/medium/high risk)
  • Transaction monitoring (manual or automated, depending on volume)
  • SMR processes (knowing when and how to report)
  • Record keeping systems (7 years of data)

Can you build all of that in-house? Maybe. Will it be compliant? That's the question.

Most Tranche 2 entities are either outsourcing CDD (using platforms like ARCaml) or hiring compliance specialists. Because getting CDD wrong isn't just inconvenient — it's a breach that can cost millions.

The Bottom Line

CDD is the core of AML compliance. It's how you know who your customers are, what they're doing, and whether they're using your services for money laundering.

Initial CDD happens at onboarding. Ongoing CDD happens throughout the relationship. Enhanced CDD happens when risk is high.

Get it right, and you protect your business from criminal exploitation. Get it wrong, and AUSTRAC penalises you for facilitating money laundering.

For Tranche 2 entities, July 1, 2026 is the deadline. Start building your CDD processes now. Because on July 2, AUSTRAC expects you to be fully operational.

Key Components of Ongoing CDD


Initial CDD

Verify customer identity, beneficial owners, and assess ML/TF risk before providing designated services.


Ongoing CDD

Continuously monitor customers to identify, assess, manage and mitigate ML/TF risks throughout the business relationship.


Unusual Transactions

Monitor for unusually large/complex transactions, structured transactions, and activity inconsistent with customer profile.


Unusual Behaviours

Watch for nervous behaviour, coached answers, third-party direction, or attempts to influence staff.


Review & Update KYC

Review and update customer ML/TF risk rating and KYC information when circumstances change.


Record Keeping

Maintain records of transactions, ML/TF risk assessments, and ongoing CDD decisions.

Frequently asked questions

What is ongoing Customer Due Diligence?

Ongoing CDD is the continuous monitoring of your customers to appropriately identify, assess, manage and mitigate ML/TF risks while providing designated services. This includes monitoring for unusual transactions and behaviours that may require a suspicious matter report (SMR).

What must I monitor my customers for?

You must monitor for: unusual transactions and behaviours that may trigger an SMR, information suggesting the customer isn't who they claim to be, information useful for proceeds of crime enforcement, and information relevant to investigation of criminal offences.

What are examples of unusual transactions?

Unusual transactions include: activity inconsistent with customer's known risk or history, transactions structured to avoid reporting thresholds, dealings with high-risk countries, large cash deposits/withdrawals, PEP or sanctions-related transactions, and using legal structures to obscure ownership.

What are examples of unusual behaviours?

Unusual behaviours include: appearing nervous/defensive when questioned, giving coached or rehearsed answers, appearing directed by a third party, rushing transactions, frequent KYC information changes, trying to influence staff, and enquiring about reporting to authorities or transaction limits.

What offences must I monitor for?

You must monitor for: money laundering, terrorism financing, proliferation financing, bribery, extortion, tax crimes, insider trading, human trafficking, drug trafficking, arms trafficking, robbery, fraud (including scams), cybercrime, environmental crime, and participation in organised crime.

How often must I review customer information?

You must review and update customer ML/TF risk rating and KYC information when changes are identified or when appropriate. For business relationships, ongoing review is continuous. Low-risk customers may have simplified CDD with less frequent reviews.

What records must I keep for ongoing CDD?

You must keep records showing: customer transactions, identification and assessment of customer ML/TF risk, and any decisions about how you conduct ongoing CDD on the customer.

Can I apply simplified CDD?

Yes, you may apply simplified ongoing CDD if: the customer's ML/TF risk is low, you aren't required to apply enhanced CDD, and your AML/CTF policies deal with applying simplified CDD measures. This may mean less intensive monitoring and less frequent KYC updates.

Automate Your Ongoing CDD

ARCaml provides continuous customer monitoring and automated alerts for unusual activity under the 2026 reforms.

Why Trust iDeedworks

Our expertise is built on deep regulatory knowledge and industry experience aligned with AUSTRAC standards.

AUSTRAC Aligned

Australia's official AML/CTF regulator standards

Industry Experts

Verified compliance specialists with proven track record

Always Updated

Content current with 2024/2025 regulations

Content sourced from and aligned with AUSTRAC guidance and regulatory requirements.