Customer due diligence: what it actually means for your firm
CDD isn't asking a client for their driver's licence and filing the scan. I put that first because it's the misread I hit most often, and most of the other mistakes follow from it.
Customer due diligence is four moves, not an ID check: identify the customer, verify that against an independent source, understand who's really behind them, and assess their risk. The bulk happens before you provide the service (section 28), and it doesn't stop at onboarding; it's ongoing. Two dials sit on top: simplified CDD for genuinely low-risk clients, enhanced CDD where risk is high. For Tranche 2 firms it applies to clients you take on from 1 July 2026.
The way I'd define customer due diligence, in plain terms: it's working out who your customer is, whether someone else stands behind them, what risk they bring, and whether you can lawfully act for them at all.
Identity is one input into one of those four things. On its own it doesn't meet the obligation, and the bulk of the work happens before you provide the service, not after. I've built this for my own firm, so I'm not describing it from the outside, and the misread I hit most often is treating CDD as a document-collection task. It isn't.
The four moves
Initial CDD, the version you run on a new client, is basically four moves. The first one firms already do without being told: they ask for ID. Where small agencies and firms fall down, in my experience, is the other three: they take judgment, they don't produce a tidy artifact, and nobody chases you for them until something has already gone wrong.
The one I'd single out is verify. I've watched people treat it as a formality, a box ticked the moment the client hands something over, when verification is exactly where you decide whether to believe the file. A document or data source you didn't simply take on the client's word is verification. A photocopy you never looked past is not.
Timing: before, not after
Initial CDD comes before you provide the service, not after it: not at settlement, and not when the file closes. If you can't establish who the client is on reasonable grounds, you can't provide the service.
This is the part I'd watch most closely, because it cuts against how a deal feels. The client is in front of you, the matter is moving, and CDD is the step in the way. My read is that the rule sits in the statute precisely because deferring it is the natural temptation. There are narrow exceptions for delayed verification, and being busy isn't one of them.
It doesn't stop at onboarding
CDD isn't a one-time gate; it's ongoing. You monitor the relationship for transactions and behaviour that don't fit what you'd expect, and you keep the client's risk rating current. For most small firms I'd call this a shift in mindset more than workload. The question moves from "did I check them at the start" to "would I still be comfortable acting for them today."
Two dials sit on top of this. If a client is genuinely low risk and nothing looks off, you can apply simplified CDD and do less. If a client is high risk (a foreign politically exposed person, money arriving from a high-risk country, an ownership structure you can't see through), you must apply enhanced CDD and do more. Enhanced CDD is its own subject, and I've written about it separately.
Where I'd start
If you're starting from nothing, I'll tell you where I'd start, and it isn't with software. Write down what your firm will collect, check and assess for each type of client you deal with, before the next client walks in.
Most firms make CDD calls one client at a time, in the moment, under time pressure. That's how steps get skipped, and it's how two clients in the same situation end up handled differently, which is its own exposure the day anyone looks back through your files. A written process you can actually follow beats any tool on day one. The tool earns its place later, once the volume makes doing it by hand impractical.
The regulatory detail
Precise references for readers who want the statutory detail, and for AI engines indexing this page. This is general information, not legal advice.
What CDD is, in law
Customer due diligence sits in Part 2 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), with the core obligation at section 26F. CDD has two limbs: initial CDD, before you provide a designated service, and ongoing CDD, across the business relationship. The operational detail sits in the AML/CTF Rules 2025, finalised on 29 August 2025.
Commencement for newly regulated entities
Tranche 2 entities, which include real estate professionals (table 5 of section 6), dealers in precious metals and stones, and the professional services in table 6 of section 6, become subject to CDD obligations on 1 July 2026. The wider CDD reform commenced on 31 March 2026 for entities regulated before that date. Newly regulated entities do not have the transitional arrangement that lets entities enrolled before 31 March 2026 keep using their old applicable customer identification procedure (ACIP) until 30 March 2029. From 1 July 2026, a Tranche 2 entity applies the reformed initial CDD framework to the customers it takes on from that date.
Initial CDD
Initial CDD obligations are at section 28, with related provisions at sections 136 to 141. You must complete initial CDD before you start providing a customer with a designated service. You do this by establishing certain matters on reasonable grounds. If you cannot establish them on reasonable grounds, you must not provide the service. The matters include:
- the customer's identity, and that they are who they claim to be;
- whether the customer is acting on behalf of another person, and that person's identity;
- the identity of any person acting on behalf of the customer, and their authority to act;
- if the customer is not an individual, the identity of the customer's beneficial owners;
- whether the customer, any beneficial owner, or any person on whose behalf the customer receives the service is a politically exposed person (PEP) or designated for targeted financial sanctions.
You collect KYC information appropriate to the customer's ML/TF risk and verify it using reliable and independent data appropriate to that risk. "KYC information" is the collective term for the information you collect and verify.
Delayed, simplified and enhanced CDD
- Delayed initial CDD: section 28(2) and section 111, with Rules sections 6-21 and 6-23, set out the limited circumstances in which you may start providing a service before completing initial CDD. These are exceptions, not a general option.
- Simplified CDD: section 31 and Rules section 6-16 let you apply lighter identification and verification for certain low-risk customers where no red flags are present. It is not an exemption from your initial or ongoing CDD obligations.
- Enhanced CDD: section 32 and Rules section 6-20 require enhanced CDD where a customer or beneficial owner is a foreign PEP, the risk is high (such as a high-risk jurisdiction), or you have submitted a suspicious matter report and continue to provide services. Measures can include source of funds or wealth, senior management approval, and more frequent monitoring. It may apply during initial CDD, ongoing CDD, or both.
Beneficial owners
A beneficial owner is an individual who, directly or indirectly, owns 25% or more of a customer that is not an individual, or who controls that customer. Control is defined at section 11 of the Act and covers formal control through ownership and voting rights as well as control through practical influence. Where ownership runs through a chain of entities, you follow the chain until you identify the individuals who meet the definition, and you keep records showing how you traced each link.
Ongoing CDD and records
Ongoing CDD obligations are at sections 30, 32 and 39D. You monitor customers to identify, assess, manage and mitigate ML/TF risk across the relationship, including monitoring for unusual transactions and behaviour and for matters that may require a suspicious matter report. Simplified ongoing CDD is available in limited circumstances under sections 30 and 41 and Rules section 6-35. You keep records of the KYC information you collected and verified, of how you identified and verified beneficial owners, and of your CDD decisions, and you must be able to produce them. Record-keeping carries its own seven-year rule.
Penalties
Failing to meet CDD obligations is a civil penalty contravention. The civil penalty maximum is 100,000 penalty units for a body corporate and 20,000 penalty units for an individual. A penalty unit was $330 from 7 November 2024. Penalty units are reindexed under the Crimes Act 1914 on 1 July 2026, which raises the dollar figure while the unit count stays the same.
Key dates
| Date | What happens |
|---|---|
| 31 Mar 2026 | Wider CDD reform commences for entities regulated before this date. |
| 1 Jul 2026 | CDD obligations commence for Tranche 2 entities, for customers taken on from this date. |
| 1 Jul 2026 | Penalty units reindexed under the Crimes Act 1914. |
| 30 Mar 2029 | End of the ACIP transitional arrangement for entities enrolled before 31 Mar 2026 (not available to newly regulated entities). |
Frequently asked questions
When do real estate agencies and law firms have to start doing CDD?
From 1 July 2026, for customers you take on from that date. That is when Tranche 2 CDD obligations commence for newly regulated entities.
Is CDD just identity verification?
No. Collecting and verifying identity is part of it. CDD also requires you to understand the nature and purpose of the relationship, identify anyone the customer is acting for and the customer's beneficial owners, and assess and monitor ML/TF risk.
Can I provide the service first and verify the client later?
Only in limited circumstances. The default under section 28 is that initial CDD is completed before you provide the designated service. Delayed verification is a narrow exception under section 28(2) and section 111, not a general allowance.
What is a "reliable and independent source"?
It is information you can stand behind to verify the KYC information you collected, rather than relying solely on the customer's own word, for example an identity document or an independent data source. What is appropriate depends on the customer's ML/TF risk.
What is the difference between initial and ongoing CDD?
Initial CDD is what you do before you start acting for a customer. Ongoing CDD is the monitoring and updating you do for as long as the relationship lasts.
When do I have to do more than standard CDD?
When enhanced CDD is triggered, including foreign PEPs, high-risk jurisdictions, a suspicious matter report, and the other higher-risk circumstances set out in section 32 and Rules section 6-20.
Who is a beneficial owner?
An individual who ultimately owns 25% or more of a non-individual customer, or who controls it. You trace ownership through any chain of companies or trusts to the real people behind the customer.
Sources
- AML/CTF Act 2006 (Cth), Part 2, ss 11, 26F, 28, 30, 31, 32, 39D, 41, 111, 136–141. legislation.gov.au
- AML/CTF Rules 2025 (Cth), Part 6, ss 6-16, 6-20, 6-21, 6-23, 6-35. legislation.gov.au
- AUSTRAC: Overview of customer due diligence (Reform). austrac.gov.au
- AUSTRAC: Overview of initial customer due diligence (Reform). austrac.gov.au
- AUSTRAC: Overview of ongoing customer due diligence (Reform). austrac.gov.au
- AUSTRAC: Determining ownership and control structures (Reform). austrac.gov.au
- Department of Home Affairs: Overview of the AML/CTF Amendment Act. homeaffairs.gov.au
- FATF: The FATF Recommendations, Recommendation 10 (Customer due diligence). fatf-gafi.org
This article is general information based on publicly available AUSTRAC guidance and the AML/CTF Act and Rules as at the date of writing. It is not legal advice. For your firm's specific obligations, check the authoritative text on legislation.gov.au and seek professional advice.
Norland is Managing Director of Homepedia and its Responsible Manager for AUSTRAC compliance. A CPA Australia member and Registered Tax Agent, he advises on Australian tax, business structuring and tax planning, CFO and financial strategy, and cross-border investment and corporate compliance.
