Customer Due Diligence Explained: A Plain-English Guide
This overview explains why CDD matters, the key principles behind it, and how customer risk ratings work.
What is Customer Due Diligence?
CDD is your process for understanding who your customers are — both before you start providing them with a designated service, and continuing throughout the course of your business relationship. AUSTRAC describes it as more than a regulatory checkbox: it serves three purposes.
Establish identity
Who they are, who they represent, and whether there's any legal reason you shouldn't be providing the service they've requested.
Identify and assess ML/TF risk
Helps you determine whether a customer presents a money laundering or terrorism financing (ML/TF) risk too high for your business, or whether there are controls that can manage and mitigate the risks effectively.
Gather information for reporting
Ensures you have the right information to make required reports to AUSTRAC — supporting law enforcement and national security investigations.
Your AML/CTF program must include policies outlining how you will conduct CDD. The measures you take must be targeted to the risks of the customer and services you provide, proportionate to the level of risk, effective at managing and mitigating those risks in practice, and ongoing throughout the business relationship.
The four forms of CDD
Initial CDD
Before you begin providing a designated service
Involves identifying your customer and any other relevant parties and assessing their ML/TF risk. You collect and verify KYC information that establishes on reasonable grounds who the customer is and the nature and purpose of the business relationship. This helps you establish identity, assess whether the customer is low, medium, or high risk, and decide what further steps are needed.
Simplified CDD
For customers presenting a low level of ML/TF risk
Under simplified CDD, you can collect and verify less information than normal — provided you are satisfied on reasonable grounds that the customer's risk is low. Your AML/CTF policies must outline your simplified CDD measures.
Ongoing CDD
Throughout the entire business relationship
You must continue to monitor your customers to identify, assess, manage, and mitigate ML/TF risk. This means keeping KYC information up to date, watching for suspicious activity, updating their risk profile when needed, and collecting further information when appropriate.
Enhanced CDD (ECDD)
Where customers present higher ML/TF risk
Involves taking extra steps. Examples include: a customer located or formed in a high-risk jurisdiction; a customer or beneficial owner who is a foreign PEP; and when a suspicious matter report is triggered due to unusual account activity. Enhanced measures may be required during initial checks, ongoing monitoring, or both.
Customer risk ratings
Assessing customer risk is different from your broader ML/TF risk assessment. Customer risk focuses on each individual customer. You assign each customer a risk rating — and update it based on new information through ongoing CDD.
When developing your customer risk rating method, AUSTRAC says to consider: the type of customer (individual, company, trust), the designated services you will provide, the delivery channels used (face-to-face, online, through an agent), and the countries involved. Your method must be documented in your AML/CTF program.
Low Risk
Simplified CDD may apply
Typically an Australian resident seeking a low-risk service that only involves interaction with low-risk jurisdictions — not using a representative.
Medium Risk
Initial and ongoing CDD
May request a medium-risk service, have links to medium-risk jurisdictions, be a low-profile domestic PEP, or be a non-individual with a moderately complex structure.
High Risk
Enhanced CDD required
Non-individual with a complex structure, a foreign PEP, ties to high-risk jurisdictions, or requests a service with no clear lawful or economic rationale.
These examples are a guide only and not exhaustive. Your approach should always be based on your business's broader ML/TF risk assessment.
Suspicious activity to watch for during ongoing CDD
AUSTRAC says to monitor customers for unusual transactions or behaviour, including:
Unusual transactions
Transactions that don't make sense given what you know about the customer — high value transfers, payments to new third parties, or activity with no clear lawful or economic rationale.
Structuring
Transaction patterns that appear designed to avoid reporting to AUSTRAC, such as splitting cash deposits or withdrawals into smaller amounts below the $10,000 threshold for Threshold Transaction Reports (TTRs).
Uncooperative behaviour
A customer who refuses to provide information requested for ongoing CDD, or avoids answering questions about their transactions or business activity.
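The structuring pattern described above (cash transactions kept just under the $10,000 TTR threshold) can be checked mechanically during ongoing monitoring. The following is an added illustration, not AUSTRAC's or the page author's code; the seven-day window, the minimum count of three, and the transaction records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TTR_THRESHOLD = 10_000.00   # AUD cash threshold for Threshold Transaction Reports
WINDOW = timedelta(days=7)  # assumed look-back window (chosen for this example)
MIN_COUNT = 3               # assumed minimum number of sub-threshold cash transactions

# Constructed sample records: (customer_id, ISO timestamp, type, amount in AUD)
SAMPLE_TXNS = [
    ("C001", "2026-02-02T10:05", "cash_deposit", 9_800.00),
    ("C001", "2026-02-03T11:20", "cash_deposit", 9_500.00),
    ("C001", "2026-02-04T09:45", "cash_deposit", 9_900.00),
    ("C002", "2026-02-02T14:00", "cash_deposit", 12_000.00),  # at/over threshold: TTR, not structuring
    ("C003", "2026-02-01T08:30", "cash_deposit", 4_000.00),
    ("C003", "2026-02-20T08:30", "cash_deposit", 4_000.00),   # second deposit falls outside the window
    ("C004", "2026-02-05T12:00", "transfer", 9_900.00),        # not cash, so not in scope for TTRs
]

def find_structuring(txns, threshold=TTR_THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
    """Return {customer_id: (count, total)} for customers whose sub-threshold cash
    transactions inside any rolling window add up to the threshold or more."""
    by_customer = defaultdict(list)
    for cust, ts, kind, amount in txns:
        if kind in ("cash_deposit", "cash_withdrawal") and amount < threshold:
            by_customer[cust].append((datetime.fromisoformat(ts), amount))
    alerts = {}
    for cust, events in by_customer.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until all events fit inside it
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            total = sum(a for _, a in events[start:end + 1])
            if count >= min_count and total >= threshold:
                alerts[cust] = (count, round(total, 2))
    return alerts

def ttr_required(txns, threshold=TTR_THRESHOLD):
    """Cash transactions at or above the threshold that need a TTR in their own right."""
    return [(c, ts, a) for c, ts, k, a in txns if k.startswith("cash") and a >= threshold]

if __name__ == "__main__":
    print("Structuring alerts:", find_structuring(SAMPLE_TXNS))
    print("TTRs required:", ttr_required(SAMPLE_TXNS))
```

An alert is a prompt to review the customer's profile and consider whether an SMR is warranted, not a conclusion on its own.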
Key terms
Politically Exposed Person (PEP)
Someone who holds a prominent public position in a government body or international organisation — and their immediate family members and close associates. Three types: Foreign PEPs (prominent positions in a foreign government), Domestic PEPs (similar positions in Australia — MPs, state governors, High Court justices), and International Organisation PEPs (senior roles in bodies like the UN). You must establish on reasonable grounds any PEPs relating to a customer before providing a designated service. Senior management approval is required to provide a service to a foreign PEP, or to a domestic/international PEP assessed as high ML/TF risk.
Targeted Financial Sanctions
Legal measures that prohibit dealing with certain individuals or entities. Can include freezing assets or prohibiting provision of funds, goods, or services. You must check the Department of Foreign Affairs and Trade (DFAT) consolidated list before providing a designated service. Breaching Australia's sanctions law can carry penalties of up to 10 years imprisonment. Subscribe to DFAT's mailing list to receive updates when the list changes.
Beneficial Ownership
The individual or group of individuals who ultimately own or control an entity such as a company, trust, or partnership. "Own" means holding 25% or more — directly (shares) or indirectly (through another company or trust). "Control" means having the power to make decisions about the entity's finances or operations. You must determine who the beneficial owners are, assess their ML/TF risk, verify their identity, and keep records.
Source of Funds vs Source of Wealth
Source of Funds is where the money for a specific transaction came from. Source of Wealth is where the customer's overall wealth came from — how they built up their net worth over time. You must collect this information for high-risk customers, high-risk transactions, and when a customer or their beneficial owner is a foreign PEP. Useful documents include bank statements, payslips, tax returns, inheritance documents, audited financial accounts, and share registries.
Record keeping
Good recordkeeping demonstrates to AUSTRAC that you are meeting your obligations and protects your business if your services are ever misused. Your records should cover:
- The customer information you collected and how you verified it
- How you identified and assessed customer risk
- The decisions you made regarding customer risk, and your reasons for them
- Key outcomes from regular reviews and monitoring activities
Minimum retention period for CDD records: 7 years
Pre-commencement customers
You do NOT need to conduct CDD on existing customers when obligations start
If someone is already your customer when your AML/CTF obligations commence, you are not required to immediately conduct CDD on them.
CDD IS required for pre-commencement customers if:
- You need to submit an SMR about them
- There is a significant change in the relationship that increases their risk to medium or high
Disclaimer: Published by GetPost Labs Pty Ltd for educational purposes only. Not legal, financial, or compliance advice. Summary of publicly available AUSTRAC content — original: AUSTRAC Overview of Customer Due Diligence, 6 February 2026. Refer to austrac.gov.au for authoritative guidance. Errors: sumit@getpostlabs.io