ECDD

Enhanced Due Diligence. Managing Higher Risks

Enhanced customer due diligence requirements under AML/CTF. Learn when ECDD is required and what measures to apply.

Key Information

What is enhanced due diligence?

Not all customers present the same risk. Some are straightforward — local residents, transparent business, normal transactions. Others? Red flags everywhere.

That's where Enhanced Due Diligence (EDD or ECDD) comes in.

Standard CDD vs Enhanced Due Diligence

Standard Customer Due Diligence (CDD) is your baseline:
Verify identity. Check for PEPs and sanctions. Assess ML/TF risk. Monitor the relationship.

Enhanced Due Diligence (ECDD) is when you crank everything up:
More verification. Deeper checks. Source of funds verification. More frequent monitoring. Senior management approval.

Think of CDD as the standard security check. ECDD is the full pat-down, background check, and ongoing surveillance.

When AUSTRAC Requires ECDD

ECDD isn't optional for certain situations. AUSTRAC says you must apply ECDD when:

1. You're filing a Suspicious Matter Report (SMR)
If you suspect a customer's involved in money laundering or terrorism financing, you file an SMR. But you don't just stop there — you also apply ECDD to that customer going forward. More monitoring. More scrutiny. More documentation.

2. The customer (or their beneficial owner) is a foreign PEP
Foreign politically exposed persons are subject to mandatory ECDD. Domestic PEPs are not (ECDD is recommended for them but not mandatory), and neither are associates of PEPs (same). But foreign PEPs? AUSTRAC requires enhanced measures.

Why? Because foreign PEPs have access to power and resources that create corruption risks. They might be laundering bribes. They might be moving state assets illegally. You need to know where their money comes from.

3. Your risk assessment says they're high-risk
Your AML program should have a risk assessment framework. When a customer scores high-risk based on your criteria, ECDD applies.

What Makes a Customer High-Risk?

AUSTRAC doesn't give you a checklist. But these typically elevate risk:

1. High-risk jurisdictions

Customer from (or transacting with) FATF grey/black list countries.

Weak AML regimes, corruption, sanctions.

Examples: Afghanistan, Myanmar, North Korea, Iran, Yemen.

2. Complex ownership structures

Shell companies. Offshore trusts. Nominee directors.

Deliberately obscuring beneficial ownership.

3. Cash-intensive business

Restaurants, car washes, casinos, construction, jewelry.

Large cash volumes are normal (and easy to manipulate).

4. Unusual transaction patterns

Activity doesn't match the customer profile.

Bakery wiring $500k overseas. Student receiving regular $20k deposits.

5. Refusal to provide information

Evasive about source of funds. Won't identify beneficial owners.

Aggressive when questioned.

6. Adverse media

Negative news linking the customer to financial crime, corruption, organized crime.

7. Industry sector

Higher ML/TF risk sectors.

Arms, precious metals, virtual assets, money services.

What ECDD Actually Involves

AUSTRAC doesn't specify exact measures (the approach is risk-based). But here's what it typically means:

1. More extensive identity verification

Standard CDD: Check driver's license.

ECDD: Driver's license + address verification (rates/utility bill) + confirm employment + verify DOB against birth certificate.

2. Source of funds and wealth verification

Standard: "Where's your money from?" "My job."

ECDD: "Show employment contract, 6 months payslips, tax returns, bank statements. Explain buying $3M property on $80k salary."

Verify financial activity matches their stated income.

3. Senior management approval

Standard: Customer service rep onboards.

ECDD: Senior management (or AML officer) must approve. Reviews file. Signs off. Takes responsibility.

4. Increased monitoring frequency

Standard: Annual review.

ECDD: Quarterly or monthly for highest-risk. Watch for pattern changes, unusual activity.

5. More detailed transaction monitoring

Standard: Automated alerts over thresholds.

ECDD: Manual review. Question unusual payments. Verify commercial purpose. Lower alert thresholds.

6. Enhanced screening

Standard: PEP and sanctions lists.

ECDD: PEP, sanctions, adverse media, regulatory databases, court records, criminal records (where legal).

7. More comprehensive documentation

Standard: ID documents, basic info.

ECDD: Everything. Source of funds evidence. Beneficial ownership docs. Org charts. Business plans. Financial statements. Contracts. Anything helping understand/mitigate risk.

Example: Foreign PEP Scenario

Let's walk through a real scenario:

The Customer: XYZ Consulting Pty Ltd wants to engage your accounting services to set up a discretionary trust. The beneficial owner is disclosed as Mr. Ahmed, who was previously the Minister of Energy in a Middle Eastern country.

ECDD Triggers:
1. Foreign PEP (mandatory ECDD)
2. High-risk jurisdiction (that country's on FATF's grey list)
3. Complex structure (discretionary trust controlled by former foreign official)

What you do:

  • Verify Mr. Ahmed's identity — Passport, visa, address verification in both Australia and home country
  • Source of wealth verification — How did a government minister accumulate enough wealth to invest in Australia? Request financial statements, tax records, evidence of legitimate income
  • PEP screening — Confirm his political role, when it ended, whether there's any adverse media about corruption or illicit enrichment
  • Understand the business purpose — Why set up a discretionary trust in Australia? What's the legitimate purpose? What assets will it hold?
  • Senior management approval — Your AML officer reviews everything and decides: proceed, request more information, or decline the engagement
  • Enhanced monitoring — If onboarded, quarterly reviews at minimum. Any significant activity gets scrutinized.

If anything doesn't check out — source of funds is suspicious, PEP screening reveals corruption allegations, business purpose doesn't make sense — you file an SMR and likely decline the engagement.

The Westpac Lesson

Westpac's $1.3 billion penalty? Key failure was inadequate ECDD for high-risk customers.

They allowed frequent transactions to the Philippines and Southeast Asia (known child exploitation risk) without ECDD.

  • No source of funds checks
  • No questioning unusual patterns
  • No increased monitoring

AUSTRAC's message: High-risk indicators? ECDD isn't optional.

Apply it, or face consequences dwarfing the cost of proper compliance.

Common ECDD Mistakes

1. Treating ECDD as a one-time check

ECDD is ongoing. A customer doesn't become lower risk after the initial checks.

2. Not documenting reasoning

You need records showing why you applied ECDD, what measures you took, and how you assessed risk.

AUSTRAC asks for this in audits.

3. Applying ECDD inconsistently

Similar risk profiles need similar ECDD treatment.

Inconsistency suggests risk assessment isn't actually risk-based.

4. Senior management rubber-stamping

Not a formality. Must actually review file, understand risk, make informed decision.

5. Not escalating when new risks emerge

Customer was standard CDD at onboarding.

Six months later, adverse media links them to corruption.

Escalate to ECDD immediately.

Can You De-escalate from ECDD?

Yes. But carefully.

Risk factors no longer present?

  • Foreign PEP no longer in office (sufficient time passed)
  • High-risk jurisdiction improved AML regime
  • Suspicious activity had legitimate explanation

You can reduce to standard CDD.

But document the decision. Senior management approves. Continue monitoring for re-emerging risk.

ECDD Under Tranche 2

For lawyers, accountants, and real estate agents entering the AUSTRAC regime in July 2026, ECDD is going to be a learning curve.

Real estate: That foreign buyer offering cash for a $5 million penthouse? ECDD required. Source of funds, beneficial ownership, senior management approval — all of it.

Accountants: Client asking you to set up multiple trusts with offshore links? ECDD required. You need to understand the structure, verify the purpose, and document everything.

Lawyers: Managing a trust account for a foreign PEP's property transaction? ECDD required. You're verifying source of funds, understanding the transaction, and monitoring for suspicious activity.

The old approach — "They're paying, we'll do the work" — doesn't fly anymore. High-risk customers mean enhanced measures, or you don't take them on at all.

Technology Helps (But Judgment Is Key)

ECDD is resource-intensive. Manual source of funds verification, enhanced screening, continuous monitoring — it adds up.

Platforms like ARCaml can streamline ECDD by:

  • Automating PEP and sanctions screening against multiple databases
  • Flagging high-risk jurisdictions automatically
  • Setting up enhanced monitoring alerts
  • Collecting source of funds documentation through structured workflows
  • Storing ECDD evidence for AUSTRAC audits
  • Tracking senior management approvals

But technology can't replace human judgment. You still need someone reviewing the evidence, assessing whether the explanation makes sense, and deciding whether to proceed.

The Bottom Line

ECDD isn't about making compliance harder. It's about matching your effort to the risk.

Low-risk customers? Standard CDD is fine. But high-risk customers — foreign PEPs, complex structures, high-risk jurisdictions, suspicious activity — they need the full treatment. More checks. More documentation. More oversight.

Because when something goes wrong with a high-risk customer — when they turn out to be laundering money, or connected to terrorism financing, or using your services to hide proceeds of crime — AUSTRAC's first question will be: Did you apply enhanced due diligence?

Make sure the answer is yes.

ECDD measures

  • High-Risk Customers: Apply ECDD to customers assessed as high ML/TF risk.
  • Foreign PEPs: Mandatory ECDD for foreign politically exposed persons.
  • Source of Funds: Collect and verify source of funds and wealth.
  • Increased Monitoring: More frequent and detailed transaction monitoring.

When ECDD is Required

1. You're required to submit a suspicious matter report (SMR) in relation to the customer
2. The customer or their beneficial owner is a foreign politically exposed person (PEP)
3. Your risk assessment identifies the customer as high ML/TF risk
4. Customer involves high-risk jurisdictions with weak AML regimes or sanctions

Frequently asked questions

What is enhanced due diligence?

Enhanced due diligence (EDD or ECDD) involves applying additional measures to manage and mitigate higher ML/TF risks, beyond standard customer due diligence.

When is ECDD required?

You must conduct ECDD when you're required to submit a suspicious matter report, when a customer or beneficial owner is a foreign PEP, or when the customer poses high ML/TF risk.

What does ECDD involve?

According to AUSTRAC, ECDD may include collecting more KYC information, verifying source of funds and wealth, increased monitoring, and reviewing past transactions more closely.

Content current with 2024/2025 regulations. Content sourced from and aligned with AUSTRAC guidance and regulatory requirements.