Most people picture identity verification as the passport-photocopy moment at the front desk. Under Tranche 2 it is a sequence, and the photocopy is the small part of it. You collect what you need to know about the customer, check it against data you can trust, work out who is actually behind them, and rate the risk. That rating decides how hard you have to look. Miss a step and the gap surfaces later, usually in the file you cannot defend.
The obligation has a name: initial CDD. Collect and verify, before you provide the service, using reliable and independent data. A scanned ID and a ticked box is identification. That is not verification, and it is not enough.
Here is the workflow we run, start to finish.
Figure 1. Identity verification under Tranche 2 runs as a sequence: collect KYC, verify it, find who controls the customer, then rate the risk and match the checks to it.
Step 1: Confirm the work is caught, and do this first
Before anything else, check that the job in front of you is a designated service that brings the customer into scope. If it is, the timing rule is simple. You complete initial CDD before you provide that service, not after. There are limited exceptions that allow verification to be delayed in low-risk situations, but treat "verify first" as the default. For a Tranche 2 firm, every customer you take on from 1 July 2026 gets the full initial CDD treatment.
Step 2: Collect the KYC information
What you collect depends on who the customer is. The minimum is not the same for a person, a company and a trust.
Customer type | Collect at minimum | Also establish |
Individual | Full name, plus date of birth or residential address. Any other known names, and a unique identifier where they have one, such as a passport number. | That the person is who they claim to be. |
Company | Full registered name, whether it is proprietary or public, and its ACN or ARBN. | Its beneficial owners: individuals who own 25% or more, or control it. |
Trust | Trust name and type, and an ABN if it has one. | Every beneficiary or class of beneficiaries, the trustee and their authority to act, and the beneficial owners. |
For an individual you want enough to tell them apart from someone with a similar name. For a company, the registered name and company number. A trust is the heavy one: you establish the trust itself, then the people standing behind it.
Step 3: Verify against reliable, independent data
Collecting is not verifying. You confirm the information against reliable and independent sources: documents, electronic data, or a mix of both. A third-party digital identity service counts, as long as the data it returns is reliable. You do not have to verify every field. You verify at least one piece of KYC information for each matter you are required to establish, more when the risk is higher, and more about the people connected to a high-risk customer. This is the heart of customer due diligence.
Step 4: Work out who is actually behind the customer
For any company or trust, the name on the contract is rarely the whole story. A beneficial owner is the individual who ultimately owns 25% or more of, or controls, the customer. If the owner of a company is another company, you follow the chain until you reach a real person, and you establish that person’s identity too. This is the step the front-desk version skips. It is also the one that matters most in property and legal work, where layered trust and company structures are normal.
Step 5: Screen for PEPs and other red flags
Check whether the customer or a beneficial owner is a politically exposed person. A foreign PEP triggers enhanced due diligence on its own. So does anything that does not add up: a service with no clear economic purpose, funds arriving from a higher-risk country, a structure that looks built to obscure rather than to operate.
Step 6: Rate the risk, then match the checks to it
Everything you have collected feeds a customer risk rating, which is the output of your risk assessment. A low rating, for example an Australian resident buying a home to live in, gets standard CDD. A high rating triggers enhanced due diligence: source of funds, source of wealth, senior sign-off. The rating is the whole point. It tells you how hard to look at this particular customer, rather than treating everyone the same.
Step 7: Record it, then keep watching
Write down what you collected, what you verified, how you verified it, and the rating you reached. Then set up ongoing monitoring, because initial CDD is the front gate, not the finish line. Tooling earns its place here by tying each customer’s rating to the checks that follow and holding the evidence trail in one place.
The regulatory detail
Where this sits in the Act
Initial CDD is set out in the reformed Act at sections 26F and 28, with the customer-type detail in Part 6 of the AML/CTF Rules 2025. The 2024 Amendment Act replaced the old applicable customer identification procedures (ACIP) with the term initial CDD. The obligation is to collect and verify KYC information, and to understand the ML/TF risk of providing the service, before you provide it.
What you must verify
You verify using independent and reliable data. You need not verify every field, but you must verify at least one piece of KYC information for each matter you are required to establish, unless an exception in the Rules applies. Higher risk means more verification, including more on the beneficial owners standing behind a high-risk customer.
Beneficial owners
A beneficial owner is an individual who directly or indirectly owns 25% or more of, or controls, the customer. Where ownership runs through other entities, you follow that chain to the individuals at the end of it. A customer can have several beneficial owners, or none.
Timing and delayed CDD
You complete initial CDD before providing the designated service. Limited exceptions allow verification to be delayed in specific low-risk circumstances, but the default is to verify first. For a Tranche 2 business, any customer you enter a business relationship with on or after 1 July 2026 receives full initial CDD.
Common questions
What is initial CDD?
It is the reformed name for the identity checks you complete before serving a customer: collect KYC information, verify it against reliable and independent data, and assess the customer’s ML/TF risk. It replaced ACIP under the 2024 Amendment Act.
When do I have to verify a customer’s identity?
Before you provide the designated service, with limited exceptions that allow delayed verification. For Tranche 2 firms, this applies to every customer taken on from 1 July 2026.
What information do I need to collect?
For an individual, full name plus date of birth or residential address as a minimum. For a company, the registered name and ACN or ARBN. For a trust, the trust details plus its beneficiaries, trustee and beneficial owners.
Can I use a digital identity service?
Yes, as long as the data it returns is reliable and independent. Many firms verify electronically and keep the result on the customer file.
Why do I have to find the beneficial owner?
Because the customer on paper is often not the person who controls the money. Finding the individual who ultimately owns 25% or more, or controls the customer, is where most laundering risk actually sits.
What happens if the customer is high-risk?
A high rating triggers enhanced due diligence. You establish source of funds and source of wealth, look harder at the structure, and get senior sign-off before going ahead.
Sources
AUSTRAC, Overview of initial customer due diligence (Reform)
AUSTRAC, Initial CDD for individuals (Reform)
Attorney-General’s Department, Changes to customer due diligence
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
