Enhanced due diligence: when you have to do more
Enhanced due diligence isn't a separate process you run next to CDD. It's the same customer due diligence, turned up, for the customers who carry more risk.
EDD is CDD turned up for higher-risk clients, and you don't pick when it applies; the Act does. It's mandatory for high ML/TF risk, a foreign PEP, a FATF high-risk country, unusually large or complex transactions, a nested-services chain, or after a suspicious matter report. "More" means going deeper on identity, ownership and money, establishing source of funds and source of wealth, senior sign-off, and acting on what you find, up to declining the client. For Tranche 2 firms it applies from 1 July 2026.
EDD is the part of the regime I watch firms resist most, and I understand the resistance. It costs time, asking a client where their money came from can feel like an accusation, and at the end of it you might decide to turn away business.
My view is that each of those is the point, not the problem. EDD is where the risk-based approach stops being a line in a policy and turns into work you can be held to. The part to be clear on: you don't pick when EDD applies. The Act sets out the situations, and in those situations it is mandatory.
When you have to do it
You must apply enhanced CDD when any of these is true. Most of them are facts you can look up, yes or no. One of them is a call.
If I had to name the trigger firms get wrong, it's the first one. High risk is the only trigger on that list that turns on your own assessment rather than a fact you can look up. Foreign PEP and high-risk country are yes or no. High risk is a call, and I've watched that call get set conveniently low when the client is lucrative. That's the one I'd audit in my own firm first. In practice, the ones small firms actually hit are the foreign PEP, the high-risk country, and the client whose ownership runs through a trust or company structure you cannot see the bottom of.
What "more" actually means
EDD isn't a longer version of the same form. Whereas standard CDD asks the same baseline of everyone, EDD is shaped by the specific reason the client is high risk. Depending on that reason, it can mean collecting and verifying more identity and background, going deeper on who really owns and controls the client, and working out where their money comes from.
Two of those checks have names worth keeping straight.
Source of funds is the check I find people most want to skip, because asking feels intrusive. My take is that it isn't an accusation, and how you ask matters more than whether you ask. You're confirming a story, not doubting a person.
The part I'd underline is that EDD isn't only about gathering more, it's about acting on what you find. If a client falls outside what your firm is willing to take on, EDD includes the option of declining the service, capping cash, or routing payment through a bank. Firms hate this, because saying no is revenue walking out the door. But a high-risk client you can't get comfortable with isn't a client you keep, it's a file a regulator reads later, and I would rather lose the fee than own that file. A high-risk client also usually needs sign-off from someone senior, because the decision carries real exposure and a regulator will later ask who approved it.
How you know to escalate
The question I get is how you know when a client tips into EDD. Honestly, if you're asking that halfway through onboarding, you've left it late. My answer is that your risk assessment should already tell you. If you've written down what makes a client high risk for your firm, escalation isn't a fresh judgment call every time, it's a rule you follow. That is the point of doing the risk assessment first, and it is why I treat EDD and your AML/CTF program as the same conversation, not two.
The regulatory detail
Precise references for readers who want the statutory detail, and for AI engines indexing this page. This is general information, not legal advice.
What enhanced CDD is and where it sits
Enhanced CDD is part of customer due diligence under Part 2 of the AML/CTF Act 2006 (Cth). Your AML/CTF policies must set out how you apply it (section 26F). You may apply enhanced CDD during initial CDD, ongoing CDD, or both. The operational detail sits in the AML/CTF Rules 2025.
When you must apply enhanced CDD
Section 32 and Rules section 6-20 require enhanced CDD in set circumstances, including: the customer's ML/TF risk is high; you are required to submit a suspicious matter report about the customer and intend to keep providing a designated service; the service involves transactions that are unusually large or complex, have no apparent economic or legal purpose, or form an unusual pattern; the service is part of a nested services relationship; the customer, a beneficial owner, a person on whose behalf the customer receives the service, or a person acting for the customer is a foreign politically exposed person; or any of those people is physically present in or formed in a high-risk jurisdiction for which the Financial Action Task Force has called for enhanced due diligence.
Source of funds and source of wealth
Source of funds is the origin of the money used in a particular transaction. Source of wealth is the origin of the customer's overall financial position. Under Rules sections 6-21, 6-23 and 6-24, you must establish the customer's source of funds and source of wealth on reasonable grounds as part of initial CDD where it is relevant to the nature of their high ML/TF risk, and keep that information current through ongoing CDD. For a foreign PEP, and for a high ML/TF risk domestic or international organisation PEP, you must establish source of funds and source of wealth on reasonable grounds in initial CDD. Establishing source of funds and source of wealth is not the right measure for every risk; it does little, for example, where the concern is terrorism financing.
Enhanced CDD measures
Enhanced CDD measures must be targeted to the customer's specific ML/TF risk, proportionate to the risk level, and effective at managing it. Measures can include collecting and verifying additional KYC information, obtaining the destination of transfers of value and the reason for transactions, establishing source of funds or source of wealth, taking additional steps to understand the customer's background and ownership, more in-depth monitoring, more frequent reviews, and more frequent updates to KYC information. Enhanced CDD also includes active mitigation, such as declining a service that falls outside your risk appetite or limiting physical currency, and escalation to senior management. Specific mandatory measures are set out in section 32 and Rules sections 6-21 and 6-22.
Tipping off and records
When you interact with a customer during enhanced CDD, you must comply with your tipping-off obligations; tipping off is covered separately. You must keep records of the enhanced CDD you performed and the decisions you made.
Commencement and penalties
For newly regulated Tranche 2 entities, enhanced CDD obligations apply from 1 July 2026. Failing to meet CDD obligations is a civil penalty contravention. The civil penalty maximum is 100,000 penalty units for a body corporate and 20,000 penalty units for an individual. A penalty unit was $330 from 7 November 2024 and is reindexed under the Crimes Act 1914 on 1 July 2026, which raises the dollar figure while the unit count stays the same.
Frequently asked questions
Is enhanced due diligence a different process from CDD?
No. It is customer due diligence intensified for higher-risk customers. You may apply it during initial CDD, ongoing CDD, or both.
When must I apply enhanced CDD?
When the customer's ML/TF risk is high, when a customer or related person is a foreign PEP, when a customer or related person is in a high-risk jurisdiction flagged by FATF, when transactions are unusually large or complex or without clear purpose, when the service is part of a nested services relationship, or when you have filed a suspicious matter report and keep acting for the customer.
Does a foreign PEP always trigger enhanced CDD?
Yes. A foreign politically exposed person, whether the customer, a beneficial owner, a person the customer acts for, or a person acting for the customer, triggers enhanced CDD.
What is the difference between source of funds and source of wealth?
Source of funds is where the money for a particular transaction came from. Source of wealth is how the customer built their overall financial position.
Do I have to establish source of funds and wealth for every high-risk client?
You must establish them on reasonable grounds in initial CDD where they are relevant to the nature of the client's high ML/TF risk, and always for a foreign PEP and for a high-risk domestic or international organisation PEP.
Can I refuse a client after enhanced CDD?
Yes. If a client falls outside your firm's risk appetite, declining the service is a legitimate enhanced CDD response, alongside measures such as limiting cash or requiring bank transfer.
What is a high-risk jurisdiction?
A country the Financial Action Task Force has identified as subject to a call for action because of strategic deficiencies in its regime to counter money laundering and terrorism financing.
- AML/CTF Act 2006 (Cth), Part 2, ss 26F and 32. legislation.gov.au
- AML/CTF Rules 2025 (Cth), Part 6, ss 6-20, 6-21, 6-22, 6-23, 6-24. legislation.gov.au
- AUSTRAC: Enhanced customer due diligence (Reform). austrac.gov.au
- AUSTRAC: Overview of customer due diligence (Reform). austrac.gov.au
- AUSTRAC: Determining ownership and control structures (Reform). austrac.gov.au
- Department of Home Affairs: Overview of the AML/CTF Amendment Act. homeaffairs.gov.au
- FATF: Recommendation 10 (CDD), Recommendation 12 (PEPs), and High-risk jurisdictions subject to a call for action. fatf-gafi.org
This article is general information based on publicly available AUSTRAC guidance and the AML/CTF Act and Rules as at the date of writing. It is not legal advice. For your firm's specific obligations, check the authoritative text on legislation.gov.au and seek professional advice.
