Customer Due Diligence (CDD) Explained: What Tranche 2 Entities Must Do

Customer due diligence is the backbone of your AML/CTF compliance. Under Tranche 2, every reporting entity must verify the identity of their clients before providing designated services. Here's how it works.

What is Customer Due Diligence (CDD)?

CDD is the process of identifying and verifying the identity of your clients, understanding the nature and purpose of the business relationship, and conducting ongoing monitoring. It's governed by sections 28–36 of the AML/CTF Act 2006.

In practical terms, CDD means:

• Collecting identity information from your client
• Verifying that information using reliable, independent sources
• Understanding why the client needs your services
• Keeping records of the identification and verification process
• Monitoring the relationship on an ongoing basis

When must you perform CDD?

CDD is required:

• Before providing a designated service — you must verify identity before commencing the engagement
• When there is a suspicion of ML/TF, regardless of the transaction value
• When you doubt previously obtained identification information
• Periodically for existing business relationships (ongoing CDD)

CDD for different entity types

Individuals

For an individual client, you need to collect and verify:

• Full legal name
• Date of birth
• Residential address

Verification must use reliable and independent documentation. The standard approach is:

• Primary photographic ID: Australian driver's licence, passport, or proof of age card
• Supporting document: A second document from a different source (e.g., Medicare card, utilities bill, bank statement)

Alternatively, you can use electronic verification (e-Verification) by matching the person's details against trusted data sources.

Companies

For a company, you need:

• Full company name and any business names
• ACN/ABN
• Registered office address
• Principal place of business
• Directors (identify and verify at least one)
• Beneficial owners — anyone who ultimately owns 25%+ or exercises control

Verification is typically done through ASIC company searches.

Trusts

Trusts require more scrutiny because of their potential for misuse:

• Full name of the trust
• Type of trust (discretionary, unit, hybrid, self-managed super fund)
• Country of establishment
• Name and verification of the trustee(s)
• Name and verification of the settlor (if applicable)
• Identification of beneficiaries (named beneficiaries, or class of beneficiaries for discretionary trusts)
• Beneficial owners — who has effective control

Partnerships

For partnerships:

• Full name of the partnership
• Country and state of registration
• ABN (if applicable)
• Identify and verify each partner (or at least the partners with authority to transact)
• Beneficial ownership of 25%+ must be identified

Enhanced Customer Due Diligence (ECDD)

Standard CDD isn't always enough. Enhanced CDD (ECDD) applies when:

• The client is a Politically Exposed Person (PEP) — a person who holds or has held a prominent public function (domestic or foreign)
• The client is from or the transaction involves a high-risk jurisdiction (FATF grey or black list)
• The transaction or engagement is unusually complex or has no apparent economic purpose
• Your risk assessment identifies the client as high risk

ECDD means additional measures such as:

• Senior management approval for the engagement
• Enhanced source of wealth and source of funds verification
• More frequent ongoing monitoring
• Additional identity verification steps

Ongoing CDD

CDD is not a one-off exercise. Section 36 of the AML/CTF Act requires ongoing customer due diligence throughout the business relationship:

• Monitor transactions to ensure they are consistent with the client profile
• Keep information current — update client details when circumstances change
• Trigger reviews when transactions are unusual or inconsistent
• Schedule periodic reviews — annually for standard clients, more frequently for high risk

If ongoing CDD reveals information that contradicts the original risk assessment, you must reassess the client's risk rating and consider whether further action is needed.

PEP and sanctions screening

Every client should be screened against:

• DFAT consolidated sanctions list — Australia's sanctions regime under the Autonomous Sanctions Act 2011
• FATF high-risk and non-cooperative jurisdictions
• PEP databases — to identify politically exposed persons

Screening should be performed at onboarding and periodically during the relationship. ComplyAU automates this with real-time screening against DFAT and FATF lists.

Record keeping for CDD

All CDD records must be retained for 7 years from the date the last service was provided or the business relationship ended (whichever is later). Records include:

• Copies of identification documents (or references to electronic verification results)
• The verification method used and when it was performed
• Risk assessment records and any risk rating changes
• Ongoing CDD activities and review dates
• Screening results (PEP, sanctions, adverse media)

Practical tips for small practices

1. Build CDD into your intake process: Don't treat it as a separate compliance task. Make client identification part of onboarding.
2. Use digital tools: Electronic verification is faster and more reliable than manual document checks.
3. Create checklists: A simple CDD checklist for each entity type ensures you don't miss steps.
4. Document everything: If you can't prove you did it, AUSTRAC will assume you didn't.
5. Don't over-complicate: A solo accountant's CDD process will be simpler than a large law firm's. Scale to your risk profile.