Customer Due Diligence Checklist for Australian Businesses
Customer due diligence (CDD) is a core obligation under the AML/CTF Act 2006. This guide covers every element of the CDD process — from initial identification through to ongoing monitoring and the 7-year record keeping requirement.
What is Customer Due Diligence (CDD)?
Customer Due Diligence (CDD) — also referred to as Know Your Customer (KYC) — is the process by which reporting entities identify and verify the identity of their customers, understand the nature of their business relationships, and assess the risk they pose of being used for money laundering or terrorism financing.
Under Part 2 of the AML/CTF Act 2006 and the AML/CTF Rules 2007, reporting entities must conduct CDD on customers before providing a designated service. The level of due diligence required depends on the risk profile of the customer and the nature of the service provided.
CDD is not a one-time activity. Reporting entities must also conduct ongoing customer due diligence (OCDD) throughout the business relationship — monitoring transactions, keeping customer information up to date, and re-assessing risk when circumstances change.
Standard, Simplified, and Enhanced Due Diligence
- Standard CDD: applied to most customers at onboarding, with identity verification against one reliable document.
- Simplified CDD: reduced verification for low-risk customers or products where the risk is demonstrably low.
- Enhanced CDD: additional verification for high-risk customers, including PEPs, high-risk jurisdictions, and complex structures.
Standard Customer Due Diligence
Standard CDD applies to the majority of customers. It requires you to identify and verify the customer's identity using reliable, independent documents or data sources before providing the service. For individuals, this typically means a government-issued photo ID. For businesses, it means verifying the entity's registration details and identifying beneficial owners.
Under the AML/CTF Rules, standard verification for an individual requires collecting the customer's full name, date of birth, and residential address, and verifying at least one piece of primary photographic identification (such as a passport or driver's licence). Electronic verification through a government-linked database (DVS) satisfies this requirement.
Simplified Customer Due Diligence
Simplified CDD allows reporting entities to apply reduced verification measures where the risk of money laundering or terrorism financing is demonstrably low. However, simplified CDD is not an exemption from CDD — it is a reduction in the level of verification required.
Simplified CDD may be appropriate for customers that are themselves regulated financial institutions, listed public companies, government bodies, or products that are low-risk by design (such as low-balance prepaid cards with no cash withdrawals).
Simplified CDD cannot be applied where there are any indicators of higher risk. If risk factors are present, you must apply standard or enhanced CDD regardless of the customer type.
Enhanced Customer Due Diligence (EDD)
Enhanced CDD must be applied when the risk assessment indicates a higher risk of money laundering or terrorism financing. Enhanced measures go beyond standard identification to require additional documentation, deeper investigation, and senior management sign-off.
EDD is mandatory in the following circumstances:
EDD measures may include: obtaining additional identification documents, verifying source of funds and wealth, obtaining information about the purpose and intended nature of the relationship, collecting supporting financial documents, and requiring senior management approval before onboarding.
The CDD checklist
Use these checklists to ensure you are collecting and verifying all required information for individual and business customers.
Individual customers
Business customers
Identifying beneficial ownership
For business customers, you must identify and verify the identity of all beneficial owners — any individual who ultimately owns or controls 25% or more of the entity, or who otherwise exercises effective control over the entity's decisions. This prevents criminals from using corporate structures to obscure beneficial ownership of illegal proceeds.
Beneficial ownership identification requires you to look through corporate layers to identify the ultimate natural person controllers. Where a trust is involved, you must identify the settlor, trustee(s), protector, beneficiaries, and any other natural person exercising ultimate control. Where a partnership is involved, you must identify each partner.
Where a customer is unable or unwilling to identify their beneficial owners, you must not provide the designated service. This situation may also warrant lodging a Suspicious Matter Report.
Source of funds and source of wealth
Source of funds refers to the origin of the specific funds being used in a transaction or deposited into an account. Source of wealth refers to how the customer accumulated their overall assets and net worth. Both are relevant to higher-risk customers.
Evidence for source of funds
Evidence for source of wealth
Ongoing Customer Due Diligence (OCDD)
CDD does not stop at onboarding. The AML/CTF Act requires reporting entities to conduct ongoing customer due diligence (OCDD) throughout the business relationship. This means continuously monitoring customer transactions and behaviour, keeping customer information current, and re-screening against sanctions and PEP lists when changes occur.
The frequency and intensity of OCDD should be proportionate to the customer's risk rating. High-risk customers require more frequent monitoring and more comprehensive review. Low-risk customers may be subject to lighter-touch periodic reviews.
When must OCDD be triggered?
Risk-based review frequency
| Risk rating | Review frequency | Re-verification |
|---|---|---|
| Low | Every 3 years | On material change only |
| Medium | Annually | If information outdated |
| High | Every 6 months | Full re-verification each cycle |
| PEP / EDD | Every 6 months or more | Senior management sign-off required |
* These are indicative frequencies. Your AML/CTF program must specify review intervals appropriate to your risk assessment.
Record keeping requirements (7-year retention)
Under Part 10 of the AML/CTF Act, reporting entities must retain CDD and transaction records for a minimum of 7 years. The 7-year period begins from the date the record was made, or — for records relating to a customer relationship — from the date the relationship ended.
Records must be stored in a form that allows them to be accessed and reproduced quickly in response to a request from AUSTRAC or law enforcement. Tamper-evident storage (such as write-once systems or cryptographically signed records) is strongly recommended.
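As an added example (not the page's or IntelliCompli's code), the following shows one way to implement the tamper-evident, signed record storage recommended above, together with the retention-end calculation under the 7-year rule: each CDD record carries an HMAC over its content and the previous record's tag, so a back-dated edit or a removed entry breaks the chain. The key, the record fields and the sample entries are constructed for illustration.

```python
import hmac, hashlib, json
from datetime import date

RETENTION_YEARS = 7
LOG_KEY = b"constructed-demo-key-not-for-production"  # assumption: real key lives in an HSM/KMS
GENESIS = "0" * 64

def _tag(prev_tag: str, record: dict) -> str:
    # The tag covers the canonical record AND the previous tag, which forms the chain.
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def append_record(log: list, record: dict) -> dict:
    """Append a CDD record with a chained HMAC tag and return the stored entry."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"record": record, "tag": _tag(prev, record)}
    log.append(entry)
    return entry

def verify_log(log: list) -> int:
    """Return -1 if every entry verifies, else the index of the first bad entry.
    Truncating the tail is not caught here: anchor the latest tag in write-once storage."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["record"])):
            return i
        prev = entry["tag"]
    return -1

def retention_end(made: str, relationship_ended: str = "") -> str:
    """Earliest ISO date the record may be destroyed: 7 years from the date it was made,
    or from the end of the relationship if it relates to one. A 29 Feb start rolls
    forward to 1 Mar so the retention period is never shorter than 7 years."""
    start = date.fromisoformat(relationship_ended or made)
    try:
        return start.replace(year=start.year + RETENTION_YEARS).isoformat()
    except ValueError:
        return date(start.year + RETENTION_YEARS, 3, 1).isoformat()

def demo() -> tuple:
    """Constructed sample: a verification record, an OCDD review, then a back-dated edit."""
    log = []
    append_record(log, {"customer": "C-0001", "doc": "passport", "verified": "2024-03-01"})
    append_record(log, {"customer": "C-0001", "event": "ocdd_review", "on": "2025-03-01"})
    before = verify_log(log)                      # -1: chain intact
    log[0]["record"]["verified"] = "2023-03-01"   # simulated tampering with the KYC record
    after = verify_log(log)                       # 0: first entry no longer verifies
    return before, after, retention_end("2024-03-01", "2026-06-30")
```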
KYC records
Transaction records
AUSTRAC reports
Program records
How IntelliCompli streamlines CDD
Manual CDD is slow, inconsistent, and difficult to audit. IntelliCompli automates the CDD process from onboarding through to 7-year record retention — ensuring your obligations are met with a complete audit trail.
Digital onboarding with KYC
Automated identity verification via Stripe Identity — document OCR, biometric liveness, and DVS/DCS verification — all completed in under 60 seconds.
Risk-based CDD workflows
Automatic routing to standard, simplified, or enhanced due diligence based on configurable risk rules. EDD workflows include senior management approval gates.
Beneficial ownership mapping
Structured capture of corporate structure, directors, and beneficial owners with identity verification for each natural person controller.
Sanctions and PEP screening
Real-time screening at onboarding and ongoing batch rescreening against OFAC, UN, Australian government, and premium PEP database sources.
OCDD scheduling
Automated review scheduling based on customer risk rating. Overdue reviews flagged on dashboard with escalation notifications to compliance officers.
7-year record keeping
All KYC documents, verification records, and screening results stored with tamper-evident audit logs and automatic retention policy enforcement.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal, financial, or professional compliance advice. While we endeavour to keep this information accurate and up to date, legislation and regulatory guidance change frequently. You should seek independent legal or compliance advice specific to your circumstances before acting on any information in this guide. See our Privacy Policy for how we handle your data.
Automate your customer due diligence
IntelliCompli handles the entire CDD lifecycle — onboarding, ongoing monitoring, risk-based reviews, and 7-year record retention — so your team can focus on higher-value work.