Customer Due Diligence
in Australia

1. What Is Customer Due Diligence?

Customer due diligence (CDD) is the cornerstone of Australia's anti-money laundering and counter-terrorism financing (AML/CTF) framework. It is the process by which a reporting entity identifies who its customers are, verifies that identity using reliable and independent sources, identifies the beneficial owners of customer entities, understands the purpose and intended nature of the business relationship, and monitors that relationship on an ongoing basis.

The legislative basis for CDD in Australia is found in sections 28 to 35 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act). Section 28 establishes the core obligation: a reporting entity must not provide a designated service to a customer unless the entity has first carried out the applicable customer identification procedure (ACIP). Sections 29 to 31 address pre-commencement and post-commencement procedures and the limited circumstances in which verification may be deferred. Sections 32 to 35 extend the identification requirements to agents, joint customers, beneficial owners, and special customer categories. Section 36 then imposes an ongoing duty of CDD for the duration of the business relationship.

The detailed operational requirements for CDD are prescribed in the AML/CTF Rules 2024, particularly Chapter 4 (customer identification procedures for individuals, companies, trusts, partnerships, and associations) and Chapter 15 (enhanced customer due diligence, ongoing CDD, and PEP identification).

Why Does CDD Matter?

CDD serves a dual purpose. First, it assists reporting entities in understanding who they are dealing with and whether the business relationship presents a money laundering or terrorism financing (ML/TF) risk. Second, it generates the intelligence that allows AUSTRAC and law enforcement agencies to detect and disrupt financial crime. A failure to perform adequate CDD exposes the reporting entity to civil penalties under s175 of the AML/CTF Act, criminal prosecution, and reputational damage. With the expansion of AUSTRAC's regulatory perimeter under Tranche 2, CDD now extends to accountants, lawyers, conveyancers, real estate agents, trust and company service providers, and dealers in precious metals and stones from 1 July 2026.

CDD vs KYC: What Is the Difference?

The terms “CDD” and “KYC” (Know Your Customer) are often used interchangeably, but they are not identical. KYC is a broader concept that encompasses the entire process of knowing your customer, including initial identification and verification, risk assessment, and ongoing relationship management. CDD is the specific set of legal obligations that sit within the KYC framework. Under Australian law, CDD refers to the statutory requirements prescribed by the AML/CTF Act and the AML/CTF Rules. KYC, by contrast, is a general industry term that may include additional due diligence steps that go beyond the minimum legal requirements — for example, reputational due diligence, credit checks, or conflict of interest screening. In this guide, we focus on CDD as defined by Australian legislation.

2. When Must CDD Be Conducted?

The AML/CTF Act prescribes specific trigger points at which CDD must be performed. Getting the timing right is critical, because providing a designated service without completing CDD is a contravention of the Act.

Before Providing a Designated Service (s28)

This is the primary trigger. Before you commence an engagement that constitutes a designated service, you must carry out the applicable customer identification procedure (ACIP). Under Tranche 2, designated services for new reporting entities include preparing financial statements, providing tax advice, managing trusts, acting in real property transactions, providing legal services in connection with financial or real property transactions, and conveyancing. If you are uncertain whether a particular service constitutes a designated service under s6AA of the Act, you should seek legal advice before proceeding.

Ongoing Obligations (s36)

CDD is not a one-off exercise. Section 36 of the AML/CTF Act imposes ongoing customer due diligence obligations for the duration of the business relationship. This includes monitoring transactions conducted through the relationship, updating customer information when changes occur, and periodically reviewing the customer's risk profile. The intensity and frequency of ongoing CDD should be proportionate to the assessed ML/TF risk.

Triggers for Re-verification

Certain events should trigger a CDD review and potential re-verification:

• A suspicion of money laundering or terrorism financing arises, regardless of whether CDD has previously been completed.
• Previously obtained customer information is found to be inaccurate, incomplete, or out of date.
• There is a material change to the customer's circumstances, such as a change in beneficial ownership, control structure, or business activities.
• A significant or unusual transaction occurs that is inconsistent with the customer's known profile.
• Adverse media or new information about the customer comes to your attention.
• A periodic review date is reached under your AML/CTF programme's risk-based schedule.

3. The Three Tiers of CDD

The Australian AML/CTF framework adopts a risk-based approach to CDD. This means that the level of due diligence applied to a customer should be proportionate to the ML/TF risk they present. There are three tiers: standard CDD, simplified CDD, and enhanced CDD (ECDD).

3.1 Standard CDD

Standard CDD is the baseline level of due diligence that must be applied to every customer. It comprises four elements: identifying the customer, verifying that identity using reliable and independent documentation or data, identifying beneficial owners, and understanding the purpose and intended nature of the business relationship. Chapter 4 of the AML/CTF Rules provides “safe harbour” procedures that, if followed, are deemed to satisfy the ACIP. These safe harbour procedures vary depending on the type of customer: individual, company, trust, partnership, or association.

Identification and verification requirements. For an individual customer, you must collect their full legal name, date of birth, and residential address. Verification involves confirming this information against reliable and independent sources — either by sighting original or certified copies of government-issued identity documents, or by matching the information electronically against at least two independent data sources (see section 9 on electronic verification below).

Acceptable documents. The safe harbour procedure for individuals requires either a primary photographic identification document (Australian driver's licence, Australian passport, or state/territory proof of age card) or a primary non-photographic identification document (Australian birth certificate or citizenship certificate) supplemented by a secondary document from a different issuer (Medicare card, pension card, or utility bill showing the customer's name and residential address). The key principle is that the documents must be from different, independent issuers.

The “reliable and independent” test. This is a fundamental concept in Australian CDD law. The AML/CTF Act requires that verification be performed using data or documents that are “reliable and independent.” This means the source of information must be credible, must not be self-asserted by the customer, and must originate from a third party that has no connection to the customer. A government agency is the archetypal reliable and independent source. A self-prepared document — such as a business card or unverified letterhead — is not.

Electronic verification (DVS). Australia's Document Verification Service (DVS) is a national online system that allows reporting entities to verify identity document details against the records of the issuing agency in real time. DVS is widely regarded as one of the most reliable electronic data sources available. Electronic verification using DVS and at least one other independent data source satisfies the safe harbour ACIP for individuals.

Face-to-face vs non-face-to-face verification. For face-to-face clients, documentary verification involves sighting the original document. For non-face-to-face clients, the AML/CTF Rules permit the use of certified copies or electronic verification. Non-face-to-face scenarios carry inherently higher impersonation risk, and your risk assessment may warrant additional measures such as video calls, biometric verification, or supplementary documentation.

3.2 Simplified CDD

A risk-based approach to AML/CTF compliance recognises that not all customers present the same level of ML/TF risk. The AML/CTF Rules allow for simplified CDD in certain lower-risk scenarios. This is not an exemption from CDD — it is a permission to apply reduced measures where the risk assessment justifies it.

Simplified CDD may be appropriate where the customer is:

• An Australian-listed public company, or a majority-owned subsidiary of such a company.
• A regulated entity — such as a bank, insurer, or superannuation fund — that is already supervised for AML/CTF purposes under Australian law.
• A Commonwealth, state, or territory government body.
• A customer involved in a low-value, one-off transaction below the prescribed threshold.

Where simplified CDD applies, you may reduce the extent of identity verification (for example, relying on the entity's ASX listing or APRA registration without requiring individual director verification) and reduce the intensity of ongoing monitoring. However, you must still document your rationale for applying simplified CDD and your assessment of the ML/TF risk. If at any point the risk profile changes, you must revert to standard or enhanced CDD.

3.3 Enhanced CDD (ECDD)

Enhanced CDD is required when the ML/TF risk associated with a customer, transaction, or business relationship is assessed as higher than normal. Chapter 15 of the AML/CTF Rules 2024 prescribes the circumstances that trigger ECDD and the additional measures that must be applied. ECDD is not discretionary in these situations — it is a legal requirement.

High-risk triggers for ECDD include:

• Politically exposed persons (PEPs): If the customer, or a beneficial owner of the customer, is a PEP — whether domestic, foreign, or associated with an international organisation — ECDD must be applied. This extends to family members and known close associates of PEPs.
• Sanctioned and high-risk jurisdictions: If the customer or transaction involves a country identified by the Financial Action Task Force (FATF) as having strategic deficiencies in its AML/CTF regime (the “grey list” and “black list”), ECDD is required.
• Complex or opaque structures: Transactions involving multi-layered corporate structures, nominee arrangements, bearer shares, or entities registered in jurisdictions with limited transparency require enhanced scrutiny.
• Unusual or unusually large transactions: Transactions with no apparent lawful or economic purpose, or that follow unusual patterns of activity, require ECDD.
• New technologies and delivery channels: Products, services, or delivery mechanisms that present novel ML/TF risks may also trigger ECDD.

Additional measures required under ECDD:

• Source of funds: Verifying the origin of the specific funds involved in the transaction or business relationship.
• Source of wealth: Understanding how the customer has accumulated their overall wealth, beyond just the funds for a particular transaction.
• Senior management approval: Obtaining approval from a senior officer or principal of the reporting entity to commence or continue the business relationship.
• Enhanced ongoing monitoring: Increasing the frequency and depth of transaction monitoring and customer reviews.

4. Identifying and Verifying Individuals

Verifying the identity of individual customers is the most common CDD task. The AML/CTF Rules Chapter 4 prescribes the safe harbour procedure for individual identification. Following the safe harbour procedure means you are deemed to have satisfied the ACIP.

Government-Issued Photo ID

The primary method of documentary verification relies on government-issued photo identification. Acceptable documents include an Australian driver's licence (or learner's permit), an Australian passport (current or expired within the preceding two years), a foreign passport, or a state or territory proof of age card. These documents carry strong evidentiary value because they are issued by government authorities following their own identity verification processes.

The Points System Analogy

While the AML/CTF Rules do not use a formal “points system” in the way that some institutions apply for account opening, the underlying logic is similar. You need one primary identification document, supplemented by at least one secondary document from a different issuer. The combination of documents must collectively establish the customer's full name, date of birth, and residential address. Where a primary photographic ID is unavailable, you may use a primary non-photographic document (such as an Australian birth certificate) combined with a secondary photographic document from a different source.

Electronic Verification via DVS

Electronic verification (EV) through the Document Verification Service (DVS) has become the dominant method for verifying individual identity in Australia. DVS allows a reporting entity to submit identity document details electronically and receive a real-time yes/no match result from the issuing agency. When combined with a second independent data source, DVS-based EV satisfies the safe harbour ACIP. Most commercial identity verification providers in Australia use DVS as a core component of their verification technology.

When Standard ID Is Unavailable

Not every customer will have standard identification documents readily available. Customers who are recently arrived in Australia, elderly customers, customers from remote communities, or customers who have experienced family violence may face legitimate barriers to producing standard ID. In these situations, the AML/CTF Rules provide for alternative identification procedures, including reliance on a broader range of documents and referee statements. However, you must document the reasons standard verification could not be completed and the alternative steps taken. The risk assessment for the customer may also need to be adjusted to reflect the reduced level of verification assurance.

5. Identifying and Verifying Entities

Entity verification is more complex than individual verification because it requires identifying both the entity itself and the natural persons who ultimately own or control it. The AML/CTF Rules Chapter 4 sets out safe harbour procedures for each entity type.

Companies

For an Australian company, you must collect the full company name, ACN or ABN, registered office address, and principal place of business. Verification is typically performed by way of an ASIC company extract, which provides a reliable and independent record of the company's registration details, directors, shareholders, and registered address. You must also identify and verify the identity of each beneficial owner — any individual who holds 25% or more of the shares or voting rights, or who otherwise exercises significant control over the company.

Trusts

Trust structures are among the most challenging entity types for CDD purposes. You must identify the full name of the trust, the type of trust (discretionary, unit, hybrid, self-managed superannuation fund), the country of establishment, and the identity of the trustee(s). Verification requires review of the trust deed (or a certified copy or extract) to confirm the trust's existence and structure. You must also identify:

• Trustees — the individual(s) or entity(ies) that hold legal title to the trust property.
• Beneficiaries — named beneficiaries for fixed trusts, or the classes of beneficiaries for discretionary trusts (e.g., “children and grandchildren of the settlor”).
• Settlor — the person who established the trust.
• Appointer or guardian — any person who has the power to appoint or remove the trustee, as this represents a form of effective control.

Partnerships

For partnerships, you must collect the partnership name, ABN (if registered), the country or state of formation, and the identity of the partners. Verification involves reviewing the partnership agreement and identifying any partner who holds a 25% or greater interest or who exercises effective control. Each partner identified as a beneficial owner must be individually verified.

Associations and Foreign Entities

For unincorporated associations, you must identify the association's name, the jurisdiction in which it was established, and the identity of its office bearers. For foreign entities, you must apply the equivalent identification and verification procedures, using reliable and independent documentation from the foreign jurisdiction. Foreign entities often present higher ML/TF risk due to the difficulty of obtaining and verifying overseas records, and your risk assessment should reflect this.

6. Beneficial Ownership

Identifying the ultimate beneficial owners (UBOs) of a customer entity is one of the most important — and practically challenging — aspects of CDD. The concept of beneficial ownership goes beyond legal or registered ownership to ask: who ultimately owns or controls this entity?

The Concept of “Control”

Beneficial ownership is not limited to direct shareholding. It encompasses any mechanism by which an individual exercises ultimate effective control over an entity. This includes control through a chain of ownership (indirect control), control through voting agreements or shareholder agreements, the ability to appoint or remove directors or trustees, and de facto control exercised through influence or informal arrangements. You must look beyond the legal structure to identify the natural person(s) who actually control the entity.

The 25% Threshold (AML/CTF Rules)

The AML/CTF Rules establish a standard threshold of 25% ownership or control for identifying beneficial owners. Any individual who directly or indirectly holds 25% or more of the shares, voting rights, or economic interest in an entity must be identified and verified. However, this is a minimum threshold — your risk-based approach may require you to look further in certain circumstances, particularly where the ownership structure is complex or opaque.

Look-Through Requirements

Where the customer entity is owned by another entity (rather than directly by natural persons), you must look through the chain of ownership to identify the ultimate natural person(s) at the top. This is the “look-through” requirement. For example, if Company A is owned by Company B, which is in turn owned by Individual X, you must identify Individual X as the ultimate beneficial owner. Multi-layered structures require you to trace through each layer until you reach natural persons.

Practical Challenges with Trust Structures

Trusts present particular beneficial ownership challenges. Discretionary trusts, which are extremely common in Australia, do not have fixed beneficiaries — the trustee has discretion to distribute income and capital among a class of potential beneficiaries. This means there may not be an identifiable beneficial “owner” in the conventional sense. The AML/CTF Rules address this by requiring you to identify the trustee(s), the classes of beneficiaries, the settlor, and any person who exercises effective control (such as an appointer). For self-managed superannuation funds (SMSFs), the members and trustees must be identified. Where you cannot identify the beneficial owner after taking all reasonable steps, you must document the steps taken and assess whether the inability to identify the UBO is itself a reason to refuse the engagement or lodge an SMR.

7. Politically Exposed Persons (PEPs)

Politically exposed persons are individuals who hold, or have held, prominent public functions. Because of their position and influence, PEPs may be in a position to misuse public office for private gain, making them a higher ML/TF risk. The AML/CTF Rules require reporting entities to determine whether a customer or beneficial owner is a PEP and, if so, to apply enhanced due diligence.

Definition Under the AML/CTF Act

The AML/CTF Rules define three categories of PEPs:

• Foreign PEPs: Individuals who hold or have held a prominent public function in a foreign country. Examples include heads of state, senior politicians, senior government officials, judicial officials, senior military officers, and senior executives of state-owned enterprises. Foreign PEPs are always treated as high risk under the AML/CTF Rules and require ECDD without exception.
• Domestic PEPs: Individuals who hold or have held a prominent public function within Australia. While the inherent risk profile may differ from foreign PEPs, domestic PEPs must still be identified and subject to appropriate risk-based measures. ECDD must be applied where the risk assessment indicates an elevated ML/TF risk.
• International organisation PEPs: Senior officials of international organisations such as the United Nations, World Bank, International Monetary Fund, or similar bodies.

Family Members and Close Associates

The PEP definition extends to the family members of a PEP (spouse, de facto partner, children, parents, and siblings) and known close associates (individuals known to have close business or personal relationships with the PEP). These individuals may be used as conduits for the proceeds of corruption. Your screening processes must be capable of identifying these connections.

PEP Screening Requirements

PEP screening typically involves checking the customer's details against commercial PEP databases, watchlists, and adverse media sources. Screening should be performed at the point of customer onboarding and periodically thereafter — at minimum, at each periodic review of the customer relationship. Where a PEP is identified, the additional ECDD measures must be applied, including source of wealth verification and senior management approval to commence or continue the relationship.

Enhanced Measures for PEPs

When a customer or beneficial owner is identified as a PEP, you must, at a minimum: establish the source of wealth and source of funds; obtain senior management approval for establishing or continuing the business relationship; apply enhanced ongoing monitoring with a higher frequency and depth of review; and consider whether the nature of the PEP's position creates a heightened risk in the context of the specific services being provided. The PEP status of a customer should be reassessed at each periodic review, as individuals may enter or leave PEP positions over time.

8. Ongoing Customer Due Diligence

CDD is not a one-off exercise performed at onboarding and then forgotten. Section 36 of the AML/CTF Act imposes a duty of ongoing customer due diligence on all reporting entities for the duration of the business relationship. Ongoing CDD assists with compliance obligations by keeping customer information current and enabling the reporting entity to detect changes in risk profile that may require action.

Section 36 Obligations

Under s36, a reporting entity must monitor the business relationship on an ongoing basis. This encompasses monitoring the transactions conducted through the relationship to determine whether they are consistent with the entity's knowledge of the customer, the customer's business, risk profile, and the stated source of funds. It also requires keeping customer information up to date and ensuring that identity documents, beneficial ownership records, and risk assessments remain accurate.

Transaction Monitoring

Transaction monitoring is the process of reviewing transactions to identify those that are inconsistent with the customer's known profile or that exhibit indicators of ML/TF. The nature and intensity of transaction monitoring should be proportionate to the customer's risk rating. For higher-risk customers, transaction monitoring should be more frequent and more detailed. For lower-risk customers, a lighter touch may be appropriate, provided the approach is documented in your AML/CTF programme.

Updating Customer Information

Customer information must be kept current. When you become aware of changes to a customer's circumstances — such as a change of address, a change in directors or beneficial owners, a change in the nature of the business, or a change in the customer's risk profile — you must update your records. The AML/CTF Rules do not prescribe a specific mechanism for detecting changes, but your AML/CTF programme should include procedures for requesting updated information from customers at regular intervals.

Trigger Events for Re-verification

Certain events should automatically trigger a full or partial CDD review: a suspicious transaction or unusual pattern of activity; a change in the nature or scope of services requested; a significant transaction that is inconsistent with the customer's profile; adverse media coverage; a change in ownership, control, or corporate structure; and the scheduled periodic review date under your risk-based programme. Your AML/CTF programme should clearly define these triggers and the procedures to follow when they arise.

9. Electronic Verification and Technology

Technology plays an increasingly central role in CDD. Electronic verification (EV) is now the dominant method for verifying individual identity in Australia, and emerging technologies such as biometric verification and digital identity systems are reshaping how CDD is performed.

Document Verification Service (DVS)

The DVS is a national online system operated by the Australian Government that allows reporting entities (and their authorised agents) to verify the information on an identity document against the records of the issuing agency. For example, a driver's licence number, name, and date of birth can be checked against the state road transport authority's records, and a passport number can be checked against Department of Home Affairs records. DVS returns a simple match or no-match result, providing a high level of assurance that the document details are genuine.

Biometric Verification

Biometric verification technologies — including facial recognition, liveness detection, and fingerprint matching — are increasingly used to supplement document-based and DVS-based verification. Biometric verification can provide additional assurance that the person presenting the identity document is the person to whom it was issued. While the AML/CTF Rules do not currently mandate biometric verification, it is a useful additional measure for non-face-to-face onboarding and for higher-risk customers.

Digital Identity

Australia's digital identity framework, including myGovID and the Trusted Digital Identity Framework (TDIF), is evolving. As digital identity systems mature, they may provide reporting entities with a standardised, government-backed method of verifying customer identity electronically. Reporting entities should monitor developments in this area, as future amendments to the AML/CTF Rules may explicitly incorporate digital identity as an approved verification method.

Safe Harbour Provisions

The AML/CTF Rules Chapter 4 provides safe harbour procedures for electronic verification. If a reporting entity follows the safe harbour EV procedure — matching the customer's details against at least two reliable and independent electronic data sources, at least one of which includes a government-issued identification number — the entity is deemed to have satisfied the ACIP. This provides legal certainty to reporting entities that rely on EV as their primary verification method.

Practical Technology Considerations

When selecting and implementing verification technology, reporting entities should consider: the reliability and coverage of the data sources used; whether the technology provider accesses DVS directly or through an intermediary; data security and privacy obligations under the Privacy Act 1988 (Cth); the audit trail generated by the technology (critical for record-keeping obligations); and the technology's ability to handle non-standard scenarios, such as customers with recently changed names or customers with limited digital footprints.

10. CDD for Specific Professions

While the core CDD framework applies equally to all reporting entities, the practical application varies by profession. Each sector has its own designated services, typical client profiles, and industry-specific risk typologies that shape how CDD is performed.

Accountants and Tax Agents

For accountants, CDD applies when providing designated services such as financial advisory, trust and company formation, and managing client money. Risk typologies include the misuse of client accounts for layering, phantom invoicing, and the exploitation of trust structures for concealment. Accountants must also consider the CDD implications of their backbook — existing clients who have never previously been subject to formal identity verification. A detailed guide is available in our AML/CTF Programme Guide for Accountants.

Lawyers and Law Practices

For lawyers, CDD applies when acting in property transactions, company or trust formation, and financial arrangements. The intersection of CDD with legal professional privilege (LPP) is one of the most complex aspects of Tranche 2. The AML/CTF Act contains specific carve-outs for privileged communications, but the scope of these carve-outs is narrow. Lawyers must carefully analyse which client interactions are subject to CDD and which are protected by LPP. See our AML/CTF Programme Guide for Lawyers for detailed guidance.

Real Estate Agents

For real estate agents, CDD applies to both buyers and sellers in property transactions. Real estate has long been identified as a high-risk sector for money laundering by AUSTRAC, FATF, and international law enforcement agencies. Key risk indicators include properties purchased with cash, offshore buyers, purchases made through complex corporate or trust structures, rapid flipping of properties, and significant discrepancies between the purchase price and the market value. Our AML Compliance Guide for Real Estate Agents covers these requirements in detail.

11. Record Keeping for CDD

Part 10 of the AML/CTF Act establishes comprehensive record-keeping obligations. Proper record keeping is not just a compliance formality — it is the evidence that demonstrates you performed CDD. If you cannot prove you performed it, AUSTRAC will treat it as though you did not.

What Records to Keep

You must retain:

• Copies of all identification documents collected (or, for electronic verification, the verification results, data sources used, and the outcome).
• The verification method used and the date verification was performed.
• Beneficial ownership information and the steps taken to identify and verify beneficial owners.
• Information about the purpose and intended nature of the business relationship.
• Risk assessment records, including the risk rating assigned, the basis for that rating, and any subsequent changes.
• Records of ongoing CDD activities: transaction monitoring records, periodic review dates and outcomes, re-verification records, and any changes to the customer's risk rating.
• PEP and sanctions screening results, including dates of screening and outcomes.
• Any decisions to apply simplified or enhanced CDD, together with the rationale.

Seven-Year Retention

All CDD records must be retained for a minimum of 7 years from the date the business relationship ends or the date the last designated service was provided, whichever is later. This is a firm statutory requirement under Part 10. Records that are destroyed before the seven-year period has elapsed constitute a breach of the Act.

Format and Accessibility

Records may be kept in electronic or physical form, but they must be stored securely, be readily retrievable, and be available for inspection by AUSTRAC upon request. In practice, electronic record keeping is strongly favoured because it enables rapid search, retrieval, and production of records when required. AUSTRAC has broad powers under the AML/CTF Act to compel the production of records, and the ability to produce them promptly is a practical necessity.

12. Common CDD Mistakes

Even with a sound CDD framework, reporting entities regularly encounter practical pitfalls. The following are among the most common mistakes observed in practice:

• Treating CDD as a one-off exercise. Many entities perform CDD at onboarding but fail to implement ongoing monitoring and periodic review processes. Section 36 requires continuous monitoring for the life of the business relationship.
• Failing to verify beneficial owners. Collecting the name of a company director is not the same as identifying beneficial owners. You must look through the ownership chain to identify the natural persons who ultimately own or control the entity.
• Relying on expired or inadequate documentation. Sighting a photocopy of a driver's licence that expired five years ago does not satisfy the reliable and independent test. Identity documents must be current or recently expired (within the time frames prescribed by the AML/CTF Rules).
• Failing to screen for PEPs. PEP screening is not optional. It must be performed at onboarding and at each periodic review. Relying solely on the customer to self-declare their PEP status is insufficient.
• Inadequate documentation of risk assessments. Assigning a risk rating without documenting the basis for that assessment is a common deficiency. Every risk rating must be supported by a written rationale.
• Proceeding with a service when CDD is incomplete. If verification cannot be completed, you must not provide the designated service. Proceeding without completed CDD because of commercial pressure or client urgency is a breach of s28.
• Not adjusting CDD when risk changes. If new information comes to light that elevates the customer's risk profile, you must upgrade from standard to enhanced CDD. Maintaining the same level of CDD after a material change in risk is a failure of the risk-based approach.
• Poor record keeping. Performing CDD but failing to retain adequate records of what was done, when, and by whom is almost as bad as not performing CDD at all. If AUSTRAC cannot see the evidence, the CDD effectively did not happen.