As AUSTRAC’s reforms take shape, both newly regulated professions and long-standing reporting entities need to revisit their approach to customer due diligence (CDD).
For lawyers and accountants, CDD will be entirely new.
For financial advisers and wholesale fund managers, the reforms represent a shift from prescriptive rules to a more risk-driven, outcomes-based framework.
What Is Customer Due Diligence (CDD)?
For newly regulated businesses – particularly legal and accounting practices – CDD is one of the most important components of the AML/CTF regime. It sits at the heart of your onboarding, monitoring and risk management processes.
In simple terms, CDD means knowing who your customer is, verifying their identity, and understanding their risk profile before you provide a designated service.
Core elements include:
- Identifying your customer; any person on whose behalf the customer is receiving a designated service (such as a beneficiary of a trust or foreign equivalent); any person acting on behalf of the customer, together with their authority to act (e.g. power of attorney, agent); and, if the customer is not an individual, any beneficial owners of the customer. Identification must rely on reliable and independent documentation or electronic data.
- Assessing and recording the customer’s ML/TF risk.
- Understanding the purpose and intended nature of the business relationship or transaction (including where relevant, source of funds and source of wealth).
- Screening customers for PEP status, sanctions exposure and adverse media.
- Applying enhanced due diligence (EDD) where the customer or service poses higher ML/TF or proliferation financing risk.
- Ongoing monitoring, including spotting unusual transactions, patterns, discrepancies or changes in customer behaviour.
In our experience, many reporting entities identify their customer (though not always the other persons required to be identified) but fall short on the remaining obligations.
If you are new to the regime, note that CDD is not a one-off onboarding activity; it is a lifecycle obligation.
For Those Already Regulated: How Is CDD Changing?
A shift from prescriptive to risk-based CDD
Under the reforms, the traditional Part A / Part B program structure will fall away. AUSTRAC expects CDD to be:
- Flexible
- Proportionate to the actual ML/TF risks of each customer
- Integrated with your internal risk assessment
- Outcome-based, not checklist-based
This means your procedures must reflect your specific customer types, delivery channels and business model, not generic templates.
Enhanced risk assessment requirements
CDD must now be anchored to a documented business-wide ML/TF risk assessment. That assessment must be:
- Tailored
- Reviewed regularly
- Updated when your risk profile changes
Your CDD procedures must demonstrably align with this risk assessment.
In addition, each customer must be individually risk assessed, and both the business-wide and customer-level assessments must drive the CDD that is performed.
Stronger expectations around ongoing monitoring
AUSTRAC is placing more emphasis on:
- Reviewing higher-risk clients more frequently
- Re-verifying identity in certain circumstances
- Monitoring for behavioural or transaction changes
- Escalating suspicious matters promptly and appropriately
CDD is not just an onboarding obligation; it is a continuous risk management function.
Demonstrating why your CDD is adequate
AUSTRAC expects you to show your reasoning, not just your documentation.
You must be able to explain:
- Why the level of CDD applied was appropriate
- How it aligned with the customer’s risk profile
- How enhanced measures were triggered and applied when needed
This links directly to the broader reforms around outcomes-based compliance.
Engaging CDD Outsourced Service Providers – What You Need To Know
Outsourcing components of CDD (such as identity checks) is common and can support efficiency and consistency, but it must be done carefully.
AUSTRAC’s expectations for outsourcing under the AML/CTF Act and Rules are clear: you remain responsible for meeting your obligations, even if a third party performs part of the process.
What we often find is that reporting entities outsource identity checks and assume that means CDD is sorted. Unfortunately, the identity check is only one part of the CDD requirements, and treating it as the whole creates significant compliance risks.
Understand what your provider will and won’t do
Different providers offer different components of the CDD process. Most will not:
- Conduct risk assessments
- Perform EDD
- Manage complex structures such as unregulated trusts
- Apply judgement on ML/TF risk triggers
- Decide whether to onboard a higher-risk client
You need to understand precisely which obligations remain with you.
Undertake thorough due diligence on the provider
Before engaging a CDD service, assess the provider against:
- Service capability (scope, limitations, accuracy)
- Data security and privacy compliance
- System resilience and data storage locations
- Reliability of their verification sources
- Experience with AUSTRAC-regulated entities
A failure by your provider becomes your failure, and compromised customer data damages trust.
Review the contract and ensure strong contractual protections
Your agreement should clearly address:
- The nature of the agency relationship
- Information-sharing obligations
- Service limitations
- Data protection and breach notification requirements
- Escalation pathways
- AUSTRAC reporting impacts
- Rights to audit or review provider performance
Your contract must reflect the AML/CTF outsourcing requirements, not just commercial considerations. AUSTRAC has detailed guidance on this, so ensure you are across the requirements before engaging a provider.
Document your outsourced providers
AUSTRAC will expect to see:
- A documented register of outsourced service providers
- The rationale for selecting each provider
- An assessment of how the arrangement aligns with your ML/TF risk profile
- Evidence of ongoing oversight
Failing to document your outsourcing arrangements is a common compliance gap.
Maintain an ongoing review framework
Your oversight must include:
- Regular performance reviews
- Testing of verification outcomes
- Periodic checks on data security
- Assessment against regulatory developments
- Trigger-based reviews when your business model or customer base changes
Outsourcing is not a “set and forget” arrangement.
Final Thoughts
Whether you are new to AML/CTF or operating under the regime already, CDD is a foundational obligation, and one that AUSTRAC expects to see embedded across the entire customer lifecycle.
For newly regulated professions, this means building CDD capability from the ground up. For existing reporting entities, it means adapting your CDD approach to an outcomes-based, risk-driven model supported by a robust risk assessment.
And for everyone, it means getting outsourcing right. With stronger regulatory expectations and greater scrutiny on governance, your choice of CDD partners and how you oversee them will be critical.
