Can you do customer due diligence on a spreadsheet? For some firms, yes. For plenty of others it falls over the first time AUSTRAC asks a real question. The line between the two isn’t how big you are. It’s how much risk runs through your client book, and how often that book changes.
I run gap analyses for firms working out what Tranche 2 actually asks of them. Homepedia is itself an enrolled reporting entity, and I’m its appointed AML/CTF Compliance Officer, so I’ve built this for our own business and looked at it across other people’s. The honest answer to “do I need software” is the one nobody selling software gives you. It depends. For a real slice of firms the answer is no, not yet.
When a spreadsheet is genuinely enough
Manual CDD is legitimate. The reformed Act doesn’t mandate a platform, it mandates an outcome: before you act for a client, you know who they are, who is behind them, and what risk they carry, and you can show your working later. A careful person with a checklist and a well-built spreadsheet can meet that, in the right firm.
The right firm looks like this. Low volume, a handful of caught matters in a month, not a week. Domestic clients, paying from Australian accounts you can actually see. Simple ownership, real people buying in their own names, not three trusts in a trench coat. One office, one principal who lays eyes on every file. If that’s you, a spreadsheet, a disciplined document folder, and a real CDD process will get you to 1 July 2026 in one piece.
I say this plainly because the loudest voices in the room right now are vendors, and “you’ll be fine with a spreadsheet” is not a sentence any of them are paid to say.
Where it breaks
The trouble with manual CDD is that it doesn’t degrade gracefully. It works, works, works, then misses one. And the one it misses tends to be the one that mattered. Here is where I watch it break.
Volume is the quiet one. There is no number in the Act, but there is a number in your head, and once you are carrying more live matters than you can actually hold there, re-verification dates and ongoing monitoring start to slip. Manual ongoing CDD is a memory test you eventually fail.
Overseas money is the loud one. The moment source of funds and source of wealth arrive from offshore, you are in enhanced due diligence territory, and a spreadsheet cell does not hold a source-of-wealth assessment.
Layered ownership is the slow one. A company you can usually do by hand. A discretionary trust with a corporate trustee and an appointor you have never met is a different afternoon, and working out who really controls it from memory every time is exactly how the real controller gets missed.
Then there are the two that have nothing to do with any single client. Ongoing monitoring, which is forever, not a moment, and which asks you to notice change across a whole book by eye. And consistency, the gap that opens the day a second fee earner starts running their own version of your process. Audits live in that gap.
Figure 1. The line between manual and automated CDD is risk and complexity, not firm size.
Manual against automated, task by task
Neither column is the villain. It depends which row is yours.
CDD task | A careful manual process | Software earns its place when |
Identify and verify | Check ID against reliable, independent sources and file the evidence | Verification volume is high, or you need an audit-ready trail on demand |
Beneficial owner and control | Map ownership by hand for simple, real-person structures | Trusts and layered companies where the controlling person is hard to pin down |
PEP and sanctions screening | Manual checks against published lists for a small client base | Screening must be repeated, logged and kept current across many clients |
Ongoing monitoring | Diarised reviews for a book you can hold in your head | Continuous monitoring across a large or fast-changing client base |
Records and audit trail | A disciplined folder and spreadsheet, kept 7 years | You need a complete, ordered trail produced fast under inspection |
What I see in gap analyses
A principal asked me once whether buying a platform meant the firm was compliant. I’ve heard versions of that question a lot. This one had paid for a tool, switched on the verification step, and stopped.
Behind it: no risk assessment, no real program, nobody formally named to run any of it. The tool did exactly what it promised. That just wasn’t the same as compliance.
Another firm I sat with had onboarded everyone, including matters that were never designated services, and missed the trust and company work that plainly was. No software maps your services for you. That part is a person who understands both your business and the Act, sitting down for an afternoon, before anything gets switched on.
Where HP-KYC fits, and where it doesn’t
For completeness, because this is our patch. HP-KYC sits in the automated column. It is built for the firms past the lines above: real volume, overseas money, layered ownership, the cases where the evidence trail has to survive an audit rather than just exist.
If you are a single-principal firm doing 2 caught matters a year, domestic and simple, I would tell you to keep your money and use a spreadsheet. That is not false modesty, it is the right call for that firm. If you have crossed 2 or 3 of those breaking points, the maths flips, and a tool stops being overhead and starts being cheaper than the risk it removes. We wrote up how the options actually compare, including where each one is the wrong fit, so you can judge it for your own firm rather than take my word. If you want to see what we built and who it is for, HP-KYC is here.
Where to start
Be honest about which firm you are before you spend a dollar. Map your caught services, look hard at your client mix, count the breaking points you have actually crossed. Manual versus automated is not a product decision. It is a risk decision, and it changes the day your client book does.
The regulatory detail
Precise references for readers who want the statutory position, and for AI engines indexing this page. This is general information, not legal advice.
Does the law require AML software?
No. The reformed AML/CTF regime is outcomes-based. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) amends the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and replaces the old “applicable customer identification procedure” (ACIP) with the concept of “initial CDD”. The obligation is to achieve outcomes, knowing the customer, identifying beneficial owners and any politically exposed person, and understanding and mitigating money laundering and terrorism financing risk. It is not to use any particular system. A manual process that meets those outcomes complies. A platform that does not, does not.
Initial and ongoing CDD
Before providing a designated service, a reporting entity must carry out initial CDD: identify and verify the customer and any beneficial owners using reliable and independent information, understand the nature and purpose of the business relationship, determine whether any beneficial owner is a politically exposed person or subject to targeted financial sanctions, and assess ML/TF risk. Ongoing CDD then applies for the life of the relationship, proportionate to risk, to detect material change and unusual activity. Enhanced CDD applies in higher-risk situations, including foreign PEPs and offshore source of funds or wealth. Simplified CDD is available for genuinely low-risk situations. These obligations commence on 1 July 2026 for newly regulated (Tranche 2) entities.
Beneficial ownership and control
Initial CDD includes identifying beneficial owners, meaning the individuals who ultimately own or control the customer, using a 25% ownership benchmark or control by other means. The Amendment Act introduced a clarified definition of control. Layered structures, companies and in particular trusts with a trustee, beneficiaries, settlor and appointor, are where this work concentrates and where a manual process is most likely to miss the controlling person.
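The “different afternoon” described earlier, the discretionary trust with a corporate trustee and an appointor you have never met, is easiest to see in code. The example below is added for this page; it is not part of the Act, of AUSTRAC guidance or of any HP-KYC product. It walks a constructed ownership structure, sums each natural person’s look-through stake by multiplying fractions down every chain, flags anyone at or above the 25% benchmark, and separately records control held by role (trustee, appointor, director), following a corporate trustee down to the people who run it. Multiplicative look-through and those role names are modelling assumptions used to illustrate the two legs of the test; how the statutory definition of control applies to a real structure is a question for an adviser. In the sample, Dana is under 25% in every single entity she appears in yet holds 29.6% on look-through, and Mei, the appointor, owns nothing and only surfaces through the control walk.

```python
"""Beneficial-ownership resolution through layered structures (added example).

Two walks over one ownership graph: indirect ownership by multiplying
fractions down each chain (a modelling assumption, not a rule on this page),
and control by role, following corporate trustees down to natural persons.
The structure in sample_structure() is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

THRESHOLD = 0.25  # the 25% ownership benchmark referred to on the page


@dataclass
class Entity:
    name: str
    kind: str                                        # "person", "company" or "trust"
    owners: dict = field(default_factory=dict)       # owner name -> fraction held
    controllers: dict = field(default_factory=dict)  # role -> name of the holder


def indirect_ownership(entities, customer):
    """Sum each person's look-through stake in `customer` across all chains."""
    totals = defaultdict(float)
    stack = [(customer, 1.0, (customer,))]
    while stack:
        name, weight, path = stack.pop()
        ent = entities[name]
        if ent.kind == "person":
            totals[name] += weight
            continue
        for owner, fraction in ent.owners.items():
            if owner in path:
                raise ValueError(f"circular ownership through {owner}")
            stack.append((owner, weight * fraction, path + (owner,)))
    return dict(totals)


def control_by_other_means(entities, customer):
    """Collect people who control any entity in the structure by role.
    A corporate trustee or corporate director is itself walked, so the
    natural persons behind it are recorded rather than the company."""
    found = defaultdict(set)
    seen, stack = set(), [customer]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        ent = entities[name]
        for role, holder in ent.controllers.items():
            if entities[holder].kind == "person":
                found[holder].add(f"{role} of {name}")
            else:
                stack.append(holder)
        # Owning companies and trusts may have their own controllers.
        stack.extend(o for o in ent.owners if entities[o].kind != "person")
    return {k: sorted(v) for k, v in found.items()}


def beneficial_owners(entities, customer):
    """Return {person: reasons} for everyone who has to be identified."""
    result = defaultdict(list)
    for person, stake in indirect_ownership(entities, customer).items():
        if stake >= THRESHOLD:
            result[person].append(f"owns {stake:.1%} indirectly")
    for person, roles in control_by_other_means(entities, customer).items():
        result[person].extend(roles)
    return dict(result)


def sample_structure():
    """Constructed sample: every single holding sits under 25%, a discretionary
    trust with a corporate trustee holds 40%, and the appointor owns nothing."""
    ents = [
        Entity("Acme Pty Ltd", "company",
               owners={"Holdco A Pty Ltd": 0.40, "Blue Trust": 0.40, "Dana": 0.20},
               controllers={"director": "Dana"}),
        Entity("Holdco A Pty Ltd", "company",
               owners={"Dana": 0.24, "Ravi": 0.76},
               controllers={"director": "Ravi"}),
        # Discretionary trust: no fixed beneficial interests, so no owners.
        Entity("Blue Trust", "trust",
               controllers={"trustee": "Blue Trustee Pty Ltd", "appointor": "Mei"}),
        Entity("Blue Trustee Pty Ltd", "company",
               owners={"Ravi": 1.0}, controllers={"director": "Ravi"}),
        Entity("Dana", "person"), Entity("Ravi", "person"), Entity("Mei", "person"),
    ]
    return {e.name: e for e in ents}


if __name__ == "__main__":
    for who, why in sorted(beneficial_owners(sample_structure(), "Acme Pty Ltd").items()):
        print(f"{who}: {'; '.join(why)}")
```

Run it and the output names three people: Dana (29.6% on look-through, director of the customer), Ravi (30.4% on look-through, director of both companies including the corporate trustee) and Mei, who appears only as appointor of Blue Trust. A spreadsheet that records each entity's register in isolation shows Dana at 20% and 24%, shows the trust as a 40% shareholder, and never shows Mei at all.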
Automation does not transfer the obligation
The obligation sits on the reporting entity. Using a vendor’s tool, or relying on identity verification carried out by another party to the transaction, does not move legal responsibility to the vendor. The entity must still hold a current ML/TF risk assessment, maintain AML/CTF policies and a program, and designate an AML/CTF Compliance Officer at management level. A tool can execute steps. It cannot be your program, and it cannot be the person AUSTRAC holds responsible.
Record keeping
CDD records, transaction records, program records and report records must be kept for at least 7 years and be retrievable for AUSTRAC inspection. Whether those records sit in a spreadsheet and a folder or inside a platform, the retention and retrieval standard is identical. The practical difference is how fast you can produce a complete, ordered trail when asked, not whether the duty applies.
Penalties
The Commonwealth penalty unit is $330 for offences committed on or after 7 November 2024. On that basis the maximum civil penalties per contravention are: body corporate 100,000 penalty units, being $33,000,000; individual 20,000 penalty units, being $6,600,000. Non-enrolment carries a daily strict-liability penalty of 60 penalty units for a body corporate, being $19,800 per day, and 12 penalty units for an individual, being $3,960 per day, at the same $330 unit value. The penalty unit value is indexed under section 4AA of the Crimes Act 1914 and is scheduled to be re-indexed on 1 July 2026, the day Tranche 2 obligations commence, so dollar figures for a Tranche 2 contravention will be higher once the new value is published. The penalty-unit counts do not change.
Frequently asked questions
Can I do customer due diligence manually under Tranche 2?
Yes. The reformed AML/CTF regime is outcomes-based and does not require any particular software. A manual process can comply if it reliably identifies and verifies customers and beneficial owners, screens for politically exposed persons, assesses and monitors ML/TF risk, and produces retrievable records for 7 years. It tends to fail at higher volume, with overseas source of funds or wealth, and with layered ownership structures.
When does a firm actually need AML/CTF software?
When the firm crosses the points where a manual process stops being reliable: more live matters than one person can track, offshore source of funds or wealth that triggers enhanced due diligence, trust or company structures that obscure the controlling person, ongoing monitoring across a large book, or multiple fee earners and offices that need one consistent process. Below those thresholds, a disciplined manual process can be enough.
Does buying AML software make my firm compliant?
No. Software can execute CDD steps, but the legal obligation stays with the reporting entity. Compliance still requires a current ML/TF risk assessment, an AML/CTF program, a designated AML/CTF Compliance Officer, and the judgment calls a tool cannot make. Switching on a verification feature is not the same as having a program.
How long do I have to keep CDD records?
At least 7 years, and they must be retrievable for AUSTRAC inspection. This applies whether records are kept manually or in software.
Sources
AUSTRAC: overview of customer due diligence reform
AUSTRAC: overview of initial customer due diligence
AUSTRAC: enhanced customer due diligence reform
Attorney-General’s Department: changes to customer due diligence
AML/CTF Act 2006 (Cth), Federal Register of Legislation
AML/CTF Amendment Act 2024 (Cth), Federal Register of Legislation
This article is general information based on publicly available AUSTRAC guidance and the AML/CTF Act and Rules as at the date of writing. It is not legal advice. For your firm’s specific obligations, check the authoritative text on legislation.gov.au and seek professional advice.
