
5-Step Customer Due Diligence Checklist for AML Compliance

By IntelliCompli Team

Customer due diligence (CDD) is the foundation of every AML/CTF compliance program. Under Australia's AML/CTF Act 2006, reporting entities must verify who their customers are, understand the nature of their business relationships, and monitor for suspicious activity on an ongoing basis. With Tranche 2 extending these obligations to accountants, lawyers, real estate agents, and other professional service providers, having a clear, repeatable CDD process has never been more important.

This checklist breaks CDD down into five practical steps so you can build a process that satisfies AUSTRAC requirements and protects your business from misuse.

Step 1: Identify the customer

Before you can verify a customer, you need to collect the right identifying information. The information you need depends on whether the customer is an individual or a legal entity.

For individuals

  • Full legal name
  • Date of birth
  • Residential address
  • Nationality and country of residence

For companies and other entities

  • Registered legal name and any trading names
  • ACN or ABN (for Australian entities)
  • Registered address and principal place of business
  • Nature of the business and its primary activities
  • Names of directors and authorised representatives

You must collect this information for every new customer before providing a designated service. Records must be kept for at least seven years under the AML/CTF Act.

Step 2: Verify identity

Collecting information is not enough — you must also verify that the information is accurate. AUSTRAC requires reporting entities to take reasonable steps to verify customer identity from a reliable, independent source. Acceptable verification methods include:

  • Document verification — Government-issued photo ID such as an Australian passport, driver's licence, or Medicare card. For international customers, a foreign passport or national ID card.
  • Biometric verification — A live selfie matched against the ID document using facial recognition. This is the gold standard for remote onboarding and satisfies enhanced due diligence requirements.
  • Electronic verification — Checking identity data against reliable databases such as the Document Verification Service (DVS) or a commercial provider.
  • Manual document review — Examining physical or digital copies of identity documents yourself. Acceptable for lower-risk customers where other methods are impractical.

For higher-risk customers — including politically exposed persons (PEPs), high-transaction-volume clients, and customers from high-risk jurisdictions — enhanced due diligence is required. This typically means combining document verification with biometric checks and additional background screening. See our customer due diligence guide for a full breakdown of standard vs enhanced CDD requirements.

Step 3: Identify beneficial owners

When your customer is a company, trust, or partnership, you must identify and verify the individuals who ultimately own or control it. Under the AML/CTF Act, a beneficial owner is any individual who directly or indirectly owns 25% or more of the entity, or who otherwise exercises effective control.

For each beneficial owner, collect and verify the same information you would for an individual customer:

  • Full legal name and date of birth
  • Residential address
  • Nature and extent of their ownership or control
  • Government-issued ID verification

Ownership structures can be layered through holding companies and trusts. You must look through all intermediate entities to identify the natural persons at the top of the structure. If no individual meets the 25% threshold, identify the senior managing official who exercises effective control. This is one of the most time-consuming parts of CDD for corporate clients — having a structured process and the right tools makes it manageable. Learn more in our beneficial ownership identification guide.
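The look-through described above can be expressed as a graph walk: multiply percentages down each chain of intermediate entities, sum the result per natural person, and apply the 25% test, falling back to the senior managing official when nobody reaches it. This is an added illustration, not IntelliCompli's code; the entities, people and percentages are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed ownership graph (hypothetical entities, not real companies).
# Each entity maps to a list of (holder, fraction held, holder_is_individual).
OWNERSHIP = {
    "Acme Pty Ltd": [("HoldCo A", 0.60, False), ("Alice", 0.40, True)],
    "HoldCo A": [("Bob", 0.50, True), ("Family Trust", 0.50, False)],
    "Family Trust": [("Carol", 1.00, True)],
    # Ten investors at 10% each: nobody meets the 25% threshold.
    "Widely Held Ltd": [(f"Investor {i}", 0.10, True) for i in range(10)],
}
# Fallback when no individual meets the threshold (constructed data).
SENIOR_MANAGING_OFFICIAL = {"Widely Held Ltd": "Dana (Managing Director)"}
THRESHOLD = 0.25


def effective_ownership(entity, graph=OWNERSHIP):
    """Look through intermediate entities; return {person: total indirect share}."""
    totals = defaultdict(float)

    def walk(node, share, path):
        if node in path:  # cross-holding loop: stop rather than recurse forever
            return
        for holder, frac, is_person in graph.get(node, []):
            if is_person:
                totals[holder] += share * frac
            else:
                walk(holder, share * frac, path | {node})

    walk(entity, 1.0, frozenset())
    return dict(totals)


def beneficial_owners(entity, graph=OWNERSHIP, smo=SENIOR_MANAGING_OFFICIAL):
    """Individuals at or above 25%, else the senior managing official by control."""
    shares = effective_ownership(entity, graph)
    owners = {p: round(s, 4) for p, s in shares.items() if s >= THRESHOLD}
    if owners:
        return {"basis": "ownership", "owners": owners}
    return {"basis": "effective control", "owners": {smo[entity]: None}}
```

For "Acme Pty Ltd" the walk attributes 40% to Alice directly, 30% to Bob and 30% to Carol through HoldCo A, so all three are beneficial owners; for "Widely Held Ltd" the function falls back to the named senior managing official.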

Step 4: Assess risk level

Not every customer carries the same level of money laundering or terrorism financing risk. Your AML/CTF program must include a risk assessment framework that classifies each customer as low, medium, or high risk based on factors such as:

  • Customer type — Is the customer a PEP, a cash-intensive business, or operating in a high-risk sector such as gambling, property, or digital assets?
  • Geographic risk — Does the customer have connections to a high-risk or sanctioned jurisdiction? AUSTRAC publishes guidance on countries of concern.
  • Service type — Is the service being provided inherently higher risk, such as managing large asset transfers, setting up trusts or company structures, or handling real estate transactions?
  • Delivery channel — Are you meeting the customer face-to-face, or is this a fully remote relationship where you cannot physically sight documents?
  • Transaction value and frequency — High-value or unusually frequent transactions relative to the customer's stated purpose are a risk indicator.

The risk rating determines the level of due diligence applied: standard CDD for low-to-medium risk customers and enhanced due diligence (EDD) for high-risk customers. Your risk assessment must be documented and reviewed regularly. For a complete framework, see our guide to AML/CTF compliance obligations.

Step 5: Ongoing monitoring

CDD is not a one-time event. The AML/CTF Act requires ongoing monitoring of customer relationships throughout their lifecycle. This means:

  1. Transaction monitoring — Scrutinise transactions for patterns inconsistent with the customer's known risk profile or the stated purpose of the relationship. Flag anomalies for further review.
  2. Periodic reviews — Re-verify customer information and update risk ratings at intervals appropriate to the risk level. High-risk customers should be reviewed at least annually; lower-risk customers every two to three years.
  3. Trigger-based reviews — Immediately re-assess any customer when a significant trigger event occurs: a change in ownership structure, a new high-value transaction, adverse media coverage, or a sanctions list match.
  4. Suspicious matter reporting — If monitoring reveals activity that gives rise to a suspicion of money laundering or terrorism financing, you must submit a Suspicious Matter Report (SMR) to AUSTRAC within 24 hours for terrorism-related matters or 3 business days otherwise.
  5. Record keeping — Maintain all CDD records, transaction records, and SMRs for at least seven years. Records must be retrievable and legible.

Common CDD mistakes to avoid

  • Relying on a single document — One ID document is often insufficient for higher-risk customers. Use multiple verification methods and cross-reference data sources.
  • Skipping beneficial ownership — Failing to identify UBOs behind a corporate structure is one of the most common CDD failures identified by AUSTRAC in enforcement actions.
  • Set-and-forget CDD — Completing CDD at onboarding and never reviewing it again is non-compliant. Ongoing monitoring is a legal obligation, not a best practice.
  • Inadequate documentation — Every CDD decision must be documented, including why you accepted or rejected a customer and what evidence you relied on. If it is not written down, it did not happen in AUSTRAC's view.

How IntelliCompli helps

IntelliCompli automates every step of this checklist. Our compliance platform covers identity verification, beneficial ownership capture, automated risk scoring, ongoing monitoring with rule-based alerts, and full audit trails — all in a single dashboard built specifically for Australian reporting entities.

  • Identity verification — Document and biometric KYC via Stripe Identity at $3 per completed verification, plus free manual review on every plan.
  • Beneficial ownership capture — Structured workflows to identify and verify UBOs for companies, trusts, and partnerships.
  • Automated risk scoring — Risk ratings calculated automatically based on customer type, geography, service type, and transaction behaviour.
  • Ongoing monitoring — Intelligent transaction monitoring with risk-scored alerts and periodic review reminders.
  • AUSTRAC reporting — Generate and lodge SMRs, TTRs, and IFTIs directly from the platform.

With Tranche 2 obligations in effect from July 1, 2026, setting up a structured CDD process now is essential. IntelliCompli makes it simple for small and medium professional services firms to meet every obligation without needing a dedicated compliance team.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal, financial, or professional compliance advice. While we endeavour to keep this information accurate and up to date, legislation and regulatory guidance change frequently. You should seek independent legal or compliance advice specific to your circumstances before acting on any information in this guide. See our Privacy Policy for how we handle your data.