Prepared with reference to AUSTRAC guidance current as at May 2026. Requirements are evolving — seek legal or compliance advice before relying on this document for specific decisions.
1. What is CDD and when does it apply?
Customer Due Diligence (CDD) is the process of identifying and verifying who you are providing a designated service to, understanding the purpose of the engagement, and assessing the associated ML/TF risk. It is a legally enforceable obligation under the AML/CTF Act 2006.
CDD applies when you provide any of the following designated services:
- Creating or restructuring a company, trust, partnership or other legal arrangement
- Arranging director, trustee, secretary, or nominee shareholder appointments
- Providing a registered office or principal place of business address
- Assisting with real estate, equity/debt financing, or legal arrangement transactions
- Receiving, holding, or managing client money or property
CDD does not apply to:
- Tax return preparation and BAS services (not designated services)
- Pre-commencement clients (existing clients before 1 July 2026), unless a trigger event occurs
- Clients to whom you provide only non-designated services
2. Identity verification
Identity verification must be completed for the customer, any person acting on their behalf, and any person on whose behalf the designated service is received. The required information varies by entity type.
Verifying individuals
| Information to collect | How to verify |
|---|---|
| Full legal name | Government-issued photo ID (driver's licence or passport) |
| Date of birth | Government-issued photo ID |
| Residential address | Utility bill, bank statement (not older than 3 months), or government record |
| Electronic verification | Document Verification Service (DVS) via Firm Verify / BGLiD — checks against government databases in real time |
Verifying companies
| Information to collect | How to verify |
|---|---|
| Full legal name | ASIC company search |
| ACN / ABN | ASIC and ABN Lookup |
| Registered address | ASIC company search |
| Directors | ASIC company search — verify identity of all current directors as individuals (see above) |
| Beneficial owners | Shareholders register — identify anyone with 25%+ ownership or effective control (see Section 3) |
| Type and status | ASIC search — confirm company type (Pty Ltd, Ltd etc.) and registration status (registered, deregistered, etc.) |
Verifying trusts
A trust is a legal arrangement, not a separate legal entity. AUSTRAC requires you to identify and verify the key parties to the trust — not just the trustee who engages you.
| Party | Required | Notes |
|---|---|---|
| Trustee(s) | ✓ | Verify as an individual or company. For a corporate trustee, also verify directors and beneficial owners of the trustee company. |
| Settlor | ✓ | The person who established the trust by contributing the initial settlement sum. Cannot be omitted even if the settlor has no current involvement. |
| Named beneficiaries | ✓ | Individually identified and verified. A refusal to provide ID for a named beneficiary must be escalated to the Compliance Officer. |
| Class beneficiaries | ◐ | Risk-based approach. Where the class is small and identifiable, individual verification may be required. Where the class is broad (e.g. "all children of the settlor"), a documented risk assessment is generally sufficient unless distributions have been made or are proposed to specific individuals. |
| Appointor / protector | ◐ | Where present, identify and verify. Appointors hold power to remove and replace trustees — they can exercise effective control regardless of formal ownership. |
| Trust deed | ✓ | Obtain and review the trust deed. If the client cannot produce the deed, treat this as a red flag and escalate. |
| Trust ABN / name | ✓ | Verify via ABN Lookup. |
✓ = always required; ◐ = risk-based, documented approach required
3. Beneficial ownership
A beneficial owner is any individual who ultimately owns or exercises effective control over a customer. Identifying beneficial owners is mandatory for companies, trusts, and other legal arrangements — not just the entity that engages you directly.
| Who qualifies | Definition |
|---|---|
| 25%+ shareholder | Any individual who directly or indirectly holds 25% or more of the shares or voting rights in a company. |
| Effective controller | Any individual who exercises control through other means — including veto rights, shareholder agreements, right to appoint/remove directors, or de facto control — regardless of their equity stake. AUSTRAC focuses on actual control, not just formal ownership percentage. |
| Trust settlor | Always a beneficial owner for CDD purposes, even if they have no ongoing role in the trust. |
| Trust beneficiary | Named beneficiaries. Class beneficiaries are assessed on a risk basis. |
| Appointor | Holds power to remove and replace trustees — treated as exercising effective control. |
4. Risk assessment
Every client must be assigned an ML/TF risk rating before you provide a designated service. The risk rating determines the level of CDD required and the intensity of ongoing monitoring. Your AML/CTF program must document your risk rating methodology.
Risk factors to consider
| Factor | Lower risk indicators | Higher risk indicators |
|---|---|---|
| Customer type | Australian resident individual, established local business, regulated entity (bank, AFSL holder) | Foreign nationals, PEPs, cash-intensive businesses, complex layered structures |
| Country of origin | Australia, New Zealand, UK, Canada, other FATF-compliant countries | FATF grey or black list countries, countries with known corruption, secrecy jurisdictions |
| Service type | Registered office for a long-standing client entity, routine director appointment | Large one-off property transaction, complex offshore trust restructure, nominee arrangements |
| Transaction profile | Consistent with known business, industry benchmarks, disclosed income | Unexplained large transactions, structuring patterns, offshore flows |
| Source of funds | Documented salary, known business revenue, inheritance with records | Cannot be explained, inconsistent with lifestyle, offshore without documentation |
Low risk clients — Simplified CDD
Simplified CDD applies to customers your risk assessment identifies as low risk. Most Australian resident individuals and established local businesses will fall here.
Individual — Simplified CDD
Company / Trust — Simplified CDD
High risk clients — Standard to Enhanced CDD
Clients assessed as medium or high risk require additional steps beyond simplified CDD.
Standard CDD — medium risk
Enhanced CDD — high risk
Politically Exposed Persons (PEPs)
A PEP is a person who holds or has held a prominent public position in a government body or international organisation, or an immediate family member or known close associate of such a person.
| PEP type | Required CDD level | Notes |
|---|---|---|
| Foreign PEP | Enhanced CDD — mandatory | Automatically treated as high ML/TF risk under the AML/CTF Act. Senior manager approval required before proceeding. |
| Domestic PEP | Risk-based — at minimum Standard CDD | Not automatically high risk, but requires documented risk assessment. Err toward Standard CDD as a minimum and document your reasoning. |
| Former PEP | Risk-based | PEP status does not automatically end when the person leaves public office. Apply a risk-based judgment and document it. |
| Close associate / family | Risk-based | 'Close associate' is defined broadly and can include persons with a close personal or business relationship. When in doubt, apply a conservative approach and document your reasoning. |
5. Enhanced Due Diligence (ECDD)
ECDD applies when you assess a customer as high ML/TF risk, or when specific circumstances require it regardless of the overall risk rating.
When ECDD is mandatory
| Circumstance | Why it's high risk |
|---|---|
| Foreign PEP | Automatically classified as high risk by the AML/CTF Act |
| High-risk jurisdiction | FATF grey/black list countries, countries with known deficient AML/CTF regimes or high corruption |
| Complex or unusual structure | Layered corporate or trust structure with no apparent commercial rationale |
| Unexplained wealth or transactions | Asset base or transaction profile inconsistent with known income or business activity |
| High-risk industry | Cash-intensive businesses, construction, property development in high-risk jurisdictions, foreign government contracting |
| Overall high-risk rating | Your risk assessment concludes the customer presents high ML/TF risk for any reason |
What ECDD involves
| Step | Requirement | What it involves |
|---|---|---|
| 1 | All standard CDD steps first | Complete identity verification, beneficial ownership, PEP/sanctions screening, and risk assessment as per standard CDD. |
| 2 | Senior manager approval | Obtain explicit approval from a senior manager before proceeding with the designated service. This approval must be documented. |
| 3 | Enhanced source of wealth documentation | Collect and document evidence of the source of the client's wealth — not just the source of funds for the specific transaction. This may include salary records, business financials, inheritance documentation, or property sale records. |
| 4 | Adverse media screening | Screen the client and key associated individuals against adverse media sources. Firm Verify Tier 2 and above include adverse media screening via BGLiD. |
| 5 | Increased monitoring frequency | High-risk clients require more frequent review of their transactions and relationship profile throughout the engagement. |
6. Ongoing monitoring
CDD is not a one-time event at onboarding. From 1 July 2026, ongoing monitoring obligations apply to all clients to whom you provide designated services — including pre-commencement clients.
What ongoing monitoring requires in practice
| Activity | What it means |
|---|---|
| Keep information current | Update client records when you become aware of changes — director appointments, trustee changes, new beneficial owners, address changes, or changes in business activity. |
| Monitor for red flags | Be alert to transactions, instructions, or behaviour inconsistent with your knowledge of the client. Trust your professional judgment — if something doesn't make sense, ask. |
| Review risk ratings | Reassess the client's ML/TF risk rating when circumstances change. A client who enters a new business line, acquires overseas assets, or comes into association with a PEP may need their risk rating elevated. |
| Periodic reviews | Your AML/CTF program should set a review frequency for each risk tier. Low risk clients may be reviewed every 2–3 years; high risk clients may require annual or more frequent review. Annual re-verification of identity documents is not required unless circumstances change or your risk assessment warrants it. |
| Trigger-event reviews | Certain events automatically trigger a CDD review: an SMR obligation arises, a significant change in the nature or purpose of the relationship occurs, or the client's ML/TF risk rating changes to medium or high. These triggers also apply to pre-commencement clients. |
| Record keeping | All CDD records — including initial verification, risk assessments, updates, and the reasoning behind decisions — must be retained for a minimum of 7 years. |
7. Example scenarios
Scenario 1
New client onboarding — sole trader setting up a Pty Ltd
Situation: A new client asks you to set up a Pty Ltd company for their consulting business and act as registered office.
CDD steps required:
- Verify the client as an individual: name, DOB, residential address, government-issued ID.
- Screen for PEP status and targeted financial sanctions.
- Assess ML/TF risk: Australian resident, clean professional background, no adverse indicators — likely low risk.
- Apply Simplified CDD: one government ID, address confirmed, no PEP or sanctions hits.
- Document the purpose of the engagement: company formation for legitimate consulting services.
- Once the company is formed, record its details (ACN, registered address, directors) in the client file.
- You are now providing a registered office service (item 9) — ongoing monitoring applies from this point.
Scenario 2
Offshore ownership — Australian company with a foreign parent
Situation: A long-standing client, an Australian Pty Ltd, asks you to help set up a new subsidiary. You discover the Australian company is 60% owned by a company incorporated in a FATF grey-list country.
Risk indicators present:
- Foreign ownership from a high-risk jurisdiction
- Layered corporate structure (foreign parent → Australian Pty Ltd → new subsidiary)
- Beneficial owner through the foreign parent is unknown to you
CDD steps required:
- Look through the corporate structure to identify the ultimate individual beneficial owners behind the foreign parent company.
- Verify those individuals: name, DOB, address, and passport or national ID.
- Screen all identified individuals for PEP status and sanctions.
- Assess ML/TF risk: high-risk jurisdiction and layered structure elevate this to high risk — apply Enhanced CDD.
- Obtain senior manager approval before proceeding.
- Collect source of wealth documentation for the beneficial owners.
- Run adverse media screening.
- Document all steps and decisions. If the beneficial owners cannot be identified or refuse to engage, decline the engagement and consider whether an SMR is warranted.
Scenario 3
Complex trust structure — discretionary family trust with offshore elements
Situation: A new client asks you to review and update a discretionary family trust deed. The trust has a corporate trustee, a settlor who lives overseas, and a list of named and class beneficiaries.
CDD steps required:
- Obtain and review the trust deed. If it cannot be produced, treat this as a red flag.
- Verify the corporate trustee as a company: ASIC search, ACN, registered address.
- Verify all directors of the corporate trustee as individuals.
- Identify and verify the beneficial owners of the corporate trustee (25%+ shareholders).
- Verify the settlor — collect name, DOB, address, and a certified government-issued ID if overseas.
- Verify all named beneficiaries individually.
- For class beneficiaries: document your risk-based approach — if the class is identifiable and small, verify individually; if broad, document your assessment.
- Screen all identified parties for PEP status and sanctions — the overseas settlor may warrant closer scrutiny.
- Determine whether the deed update constitutes a structural change (restructure → designated service) or administrative amendment. Document your reasoning.
Scenario 4
SMSF clients — new fund with corporate trustee
Situation: An existing tax client asks you to set up a new SMSF with a new corporate trustee. The fund will have two individual members.
CDD steps required:
- The SMSF is the customer. It is a trust, and creating it is a designated service (creation of a legal arrangement, item 6).
- Verify the corporate trustee as a company: ASIC search, ACN, registered address.
- Verify both directors of the corporate trustee as individuals (name, DOB, address, photo ID). If these are your existing clients, a prior verified identity record can be linked — you do not need to re-verify if the verification is current and adequate.
- Verify the members/beneficiaries: in an SMSF, members are also the beneficial owners — verify each member as an individual.
- The settlor is often a nominal party who contributes a small initial settlement sum. Verify them as an individual.
- Screen all parties for PEP status and sanctions.
- Assess ML/TF risk: typically low risk for a straightforward domestic SMSF with verified Australian resident members.
- Document the purpose: retirement savings fund for the two members.
- Note: SMSF administration and annual tax compliance are not designated services. Only the creation/restructuring events trigger CDD.