Initial CDD for a trust (Reform)
Learn what you need to do for initial customer due diligence (CDD) if your customer is a trust. We have other guides for when your customer is an individual, body corporate, unincorporated association, partnership, sole trader or government body.
Read this guidance in conjunction with our guidance on:
- initial CDD, which sets out your initial CDD obligations
- enhanced CDD, which sets out your enhanced CDD obligations.
Matters you must establish
This section refers to the Act sections 28 and 32.
If your customer is a trust, you must establish the following matters on reasonable grounds:
- the identity of the trust
- the identity of any person on whose behalf the trust is receiving the designated service. This includes all beneficiaries of the trust or, if they can’t be individually identified, each class of beneficiaries
- the identity of any person acting on behalf of the customer and their authority to act. This includes any trustee of the trust and other representative that will engage with you in relation to your designated services
- the identity of any beneficial owners of the customer. This includes the identity of all individual trustees (established above) and the beneficial owners of trustees who are not individuals (e.g. corporate trustees), settlors, appointors, guardians, protectors and any other individual with control over the trust including, in some cases, beneficiaries
- whether any of the above persons is a politically exposed person (PEP) (where they are an individual) or designated for targeted financial sanctions (TFS)
- the nature and purpose of the business relationship or occasional transaction.
Why these matters are so extensive
Trusts are used for a range of legitimate purposes. Trusts are also commonly used by money launderers to place, layer and integrate the proceeds of crime. They do this to disguise the illicit origins of these proceeds and the individuals who control them.
Our National Money Laundering Risk Assessment 2024 rated trusts as a high national money laundering risk and assessed the poor transparency of trusts as one of Australia’s key national vulnerabilities to criminal exploitation.
Just because trusts are nationally high risk does not mean every trust will be a high ML/TF risk customer for your business. This will depend on all the circumstances, including the complexity of the trust and its ability to disguise the identity of individuals who own and control it.
Learn more at assigning customer risk ratings.
You must establish the matters above to make sure that the trusts you deal with remain transparent. You can do this by following the steps below to help ensure that your business knows the identity of the trust, and the persons who control, own and benefit from it.
If you don’t do this, you may be in breach of your anti-money laundering and counter-terrorism financing (AML/CTF) obligations. You’ll also leave your business vulnerable to being exploited by criminal groups that disguise their activities behind trust structures.
What this guidance covers
This guidance provides examples of the baseline information that could be collected and verified as part of establishing each matter for a trust that doesn’t:
- receive the designated service from a permanent establishment you have overseas (for example, a foreign branch or subsidiary of an Australian company)
- trigger enhanced CDD
- trigger any additional collection of information based on their money laundering, terrorism financing and proliferation financing risks. We refer to these as ML/TF risks.
You could collect information using a customer onboarding form. This is an online or paper form that you ask new customers to complete.
This guidance outlines examples of the following:
- independent and reliable data that could be used to verify information – where this guidance refers to documents, you could obtain either an original or a reliable copy of the document or extract from that document. If these documents have expired, it may be appropriate to collect and/or verify additional information.
- circumstances where collection or verification requirements can be reduced or delayed.
It’s important to note that you’re not required to keep copies of these documents under your record keeping obligations and can instead record details of these documents. Learn more about record keeping.
You could establish these matters by:
- collecting and verifying different information (unless this guidance specifies that collection or verification must occur), or
- using other independent and reliable data to that specified in this guidance
Additional requirements
You must also identify the customer’s ML/TF risk and may need to collect and verify additional information to meet the following requirements:
- to establish a matter on reasonable grounds
- to identify the ML/TF risk of the customer, based on know your customer (KYC) information reasonably available to you. Learn about assigning customer risk ratings.
- to resolve any discrepancies that arise while providing information
- collect and verify additional KYC information as appropriate to the ML/TF risk of the customer, particularly if this risk is medium or high.
You must apply enhanced CDD measures for some customers. Learn more in enhanced CDD.
Customer identity
This section refers to the Act sections 28(2)(a) and (3) and the Rules section 6–3(2).
You must establish the identity of the trust.
Collect information
You must collect the following information.
The trust’s full name
The name of the trust, for example:
- My Family Discretionary Trust
- Trapezoid Unit Trust
- the Estate of Jane Citizen.
Kind of trust or equivalent
For example, a discretionary trust, bare trust, unit trust, a deceased estate or other kinds of trusts or equivalent.
Any business names of the trust
This means any names the trust uses to carry on a business.
Any other names the trust is commonly known by
Some trusts may not have any other names.
Unique identifier for the trust, if any
Trusts generally don’t have to register with a government body when they are created in Australia, so may not have a unique identifier in all cases.
Ask the individual representing the trust whether it has a unique identifier such as:
- an Australian Business Number (ABN), which is required for trusts engaged in business activities or registered as a charity with the Australian Charities and Not-for-profits Commission (ACNC).
Address of the principal place of business or operations of the trust
For example, this is usually the physical location where the trustee of the trust typically conducts their activities.
If the trust operates as a business, this is usually the principal place of business.
If the trust doesn’t operate as a business, this is usually the place from which the trust is administered, which will often be the residential address of each trustee.
Evidence of the trust’s existence
Evidence that the trust exists as a legal arrangement.
This is generally the trust deed or an equivalent instrument, a will, or letter of administration. Some trusts may appear on a government register.
Information about the powers that bind and govern the trust
This refers to the trust deed or other legal authority that defines the governance and running of the trust.
This information also provides the legal framework that underpins the powers, rights and duties of those who have defined roles in relation to the trust.
Examples of defined roles include trustees, appointors, settlors, protectors, guardians, office holders and beneficiaries.
You could also collect information on the country’s laws under which the trust was established.
This information can also help identify beneficial owners.
Individuals responsible for the governance and executive decisions of the trust
The full name of the individual, or each member of the group, with primary responsibility for governance and executive decisions of the trust.
For most trusts, this will typically be all the trustees, appointors, guardians and protectors. For a bare trust, this will usually be the beneficiaries. For a corporate trustee, it could be the individuals on the board of the corporate trust.
Verify information
You could verify the information above, except for the principal place of business, by obtaining all of the following:
- the trust deed and amendments like deeds of variation
- information on any unique identifiers from the relevant database, such as ABN information on the Australian Business Register ABN Lookup.
Alternatively, other examples of reliable and independent documents and data you could use to verify this information include:
- letters or documents from the trust’s professional services firms (from a person who doesn’t play a role in the trust). For example, an independent professional service provider such as a lawyer or accountant for the trust, not the trustee
- ABN information on the Australian Business Register ABN Lookup
- information about foreign trusts from a foreign registration body, if applicable.
Nature and purpose of the business relationship
This section refers to the Act section 28(2)(f) and the Rules sections 6–3(6) and 6–9.
You must establish the nature and purpose of the business relationship with the trust.
Collect information
You must at least collect information about the nature of the trust’s activities.
This information could either be collected in an onboarding form or determined from your initial engagement with the customer’s representatives.
This includes information on:
- the general commercial activity or sector the trust operates in, such as wealth management, legal services, remitting money, superannuation administration or self-managed super fund
- if not engaged in commercial activity, the purpose of the corporate body, partnership or unincorporated association – including being set up for managing personal assets, or a social or charitable purpose such as a tennis club or wildlife rescue association.
We also expect you to collect information on the reasons the customer is seeking your services and the nature of the services they’re seeking. Without this information, it will be difficult to establish the nature of the business relationship or occasional transaction on reasonable grounds.
This can provide a good starting point to determine whether the:
- way your services are used is inconsistent with the stated nature of the business relationship or occasional transaction
- behaviour of your customer or associated persons is unusual.
This is relevant to determining your customer’s risk rating during initial and ongoing CDD. See assigning risk ratings.
Verify information
You won’t need to verify the information you’ve collected on the nature and purpose of the business relationship or occasional transaction if all the following apply:
- you aren’t required to apply enhanced CDD measures in relation to the customer
- you’ve identified the trust’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service
- you’ve collected KYC information about the nature and purpose of the business relationship or occasional transaction that is appropriate to the ML/TF risk of the customer.
This means that, in practice, after establishing the identity of the customer, you’ll generally only need to verify information you collected on the matter if any of the following apply:
- you are required to apply enhanced CDD
- you have doubts about the adequacy and veracity of the information your customer provided.
If you’re required to verify information on this matter, you must do this by using reliable and independent data.
For example:
- the trust deed – to verify the purpose of the trust
- evidence of trust activity, such as disbursements to beneficiaries – to verify that activities align with the stated purpose of the trust
- business records such as letters from the customer’s lawyer or accountant or business activity statements
- viewing publicly available information about the customer from third parties, such as reliable third-party websites that provide information on their business or operations
- searches of the ACNC register of charities and ATO’s register of deductible gift recipients – to verify whether the trust is a charity or engaged in purposes related to the public good.
Simplified verification for certain matters
This section refers to the Act section 31 and the Rules section 6–17.
There are certain circumstances where you’ll be taken to have established the following matters:
- the identity of any person acting on behalf of the customer and their authority to act. This is typically any trustee of the trust who engages with you in relation to the designated service
- the identity of any person on whose behalf the customer is receiving a designated service. This is typically the beneficiaries of the trust
- the identity of any beneficial owner of the customer. This may include any trustee, settlor, appointor, guardian or protector of the trust, or any other individual who retains control over it. In the case of a bare trust, this may include a beneficiary.
A matter mentioned above will be taken to be established where all of the following apply:
- you’ve identified the customer’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service
- the customer’s ML/TF risk is low and enhanced CDD doesn’t apply to them
- you’ve collected KYC information about the matter, as appropriate to the customer’s ML/TF risk
- there are no reasonable grounds for you to doubt the adequacy or veracity of that KYC information.
If this is satisfied, you don’t need to verify the information you collected on the matter.
Persons on whose behalf the customer is receiving the designated service
This section refers to the Act section 28(2)(b) and the Rules sections 6–3(3), 6–5, 6–6(2) and 6–34.
You must identify each beneficiary of the trust unless this isn’t possible.
Collect information
You must at least collect information about the identity of each beneficiary of the trust or equivalent.
You must at least collect information that you would be required to collect if they were your customer. For example, if the beneficiary is a company, you must at least collect the KYC information that’s required to be collected for customers that are bodies corporate.
Learn about collecting information about:
If you can’t identify each beneficiary of the trust because of the nature of the trust, you must instead collect a description of each class of beneficiary.
This could be because there are:
- an extremely high number of beneficiaries, or
- no named beneficiaries.
For example, there may be secondary beneficiaries based on their relationship to a primary beneficiary, such as a spouse, children, or future descendants.
For a charitable trust, the class of beneficiaries is the general class of persons who will benefit from the objects of the trust.
For a trust that’s a managed investment scheme with an extremely high number of beneficiaries, the class or classes of beneficiaries are the categories of investors who are beneficiaries of the scheme.
Verify information
You can verify information about a beneficiary’s identity in the same way you would verify information about them if they were your customer.
Learn about verifying information collected about:
To verify information about the class of beneficiaries, you could use:
- the trust deed
- evidence of trust activity, such as disbursements to beneficiaries.
Persons acting on behalf of the customer
This section refers to the Act section 28(2)(c) and the Rules sections 6–3(4) and 6–5.
You must establish the identity of any person acting on behalf of the customer and their authority to act, on reasonable grounds.
This includes any trustee of the trust or other representative who engages with you on behalf of the trust in relation to your designated services.
The information you’re required to collect and verify to establish the identity of the trust, particularly the trust deed, may help you establish that a trustee has authority to act.
Collect information
You must at least collect information about the identity of both of the following where they engage with you in relation to designated services:
- the trustees of the trust
- other representatives of the trust (for example, an agent of a trustee).
For example, for a trust with a corporate trustee, this would include:
- the corporate trustee – noting this is a trustee to the trust
- the individual representative of the corporate trustee who engages with you – noting that this is the representative of the trustee and, by extension, the trust.
You can determine whether a person is acting on behalf of a trust from:
- the way they engage with your services, such as seeking the service in the name of a trust and not their own name
- if they indicate your services aren’t for them
- customer onboarding processes, where you can ask if the person is acting on behalf of another person or will have a person act on their behalf.
If a trust is seeking your services on behalf of another person, the customer will be that other person. You must identify who this customer is. You can use the practical guides we’ve provided depending on if they’re an individual, body corporate, unincorporated association, partnership, sole trader, trust or government body.
If a trust is interacting with you through a particular representative, you must collect information on both of the following:
- the identity of the representative – this process will differ depending on whether they are an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body
- their authority to act for the customer – by collecting information about the nature of their authority to act for the trust (for example, as a trustee of the trust).
You could also collect information on the reason for granting the authority to act. For example, in the context of real estate purchases, a representative may provide that they have been hired under an agency agreement to help broker the purchase of property.
This provides a good baseline from which you can establish related ML/TF risk and whether the behaviour of the representative is unusual through the course of your business relationship with the customer.
Verify information
This section refers to the Act section 28(3) and the Rules section 6–19.
You’re taken to have established the identity of the trust’s representative and their authority to act if all of the following are satisfied:
- you’ve established on reasonable grounds the authority of the person to act on behalf of the trust
- you determine on reasonable grounds that any additional ML/TF risk associated with the person representing the trust is low
- you’ve collected KYC information about the representative and their authority to act, as appropriate to the customer’s ML/TF risk
- there are no reasonable grounds for you to doubt the adequacy or veracity of that KYC information.
This will allow you to establish the identity of the relevant representative without verifying the information you’ve collected on this matter.
However, in the case of trusts, you may be required to verify the trustee’s identity under another matter, e.g. as a beneficial owner of the trust, unless a separate exception applies.
If you need to verify information, you could verify:
- the identity of the representative – this process will differ depending on whether they are an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body
- their authority to act as a representative of the customer – by gathering reliable and independent data that establishes their authority to act.
Reliable and independent data establishing a trustee’s authority to act will typically include the trust deed and instrument of appointment.
For other representative arrangements, the data gathered would depend on the nature of the authority to act, and could include, for example:
- a power of attorney – a document granting the person power of attorney
- employees – written confirmation from their employer that they’re authorised to act
- general appointments – a letter, agency agreement or other authorisation from the customer establishing that the agent has authority to act on their behalf, or confirmation from a reliable third party. For example, a legal practitioner, accountant or other professional who isn’t the person acting on behalf of the customer in relation to the designated service.
When you don’t need to check beneficial owners
This section refers to the Act sections 28(2)(d)(e) and 31 and the Rules sections 6–7 and 6–18.
The beneficial owners of a trust may include any individual:
- trustees or the individual beneficial owners of corporate trustees
- settlors, appointors, guardians, protectors
- with control over the trust (typically including beneficiaries in a bare trust).
You don’t need to establish the identity of the trust’s beneficial owners if the trust is low ML/TF risk, enhanced CDD doesn’t apply to it and the trust is, or is controlled by, any of the following:
- a government body
- an entity subject to regulatory oversight by a prudential, insurance, or investor protection regulator through registration or licensing requirements
- a corporation or association of homeowners in a strata title or community title scheme.
To determine this, collect information from one of the trust’s representatives as to whether the trust fits into any of the above categories.
You could verify this information by obtaining reliable and independent data to:
- establish that a relevant entity above controls the customer. Learn more about beneficial ownership and control
- determine if the customer is, or is controlled by, a government body. Learn more about identifying a government body
- determine if the customer is, or is controlled by, a corporation or association of homeowners in a strata title or community title scheme. Learn more about establishing the identity of a body corporate or unincorporated association above.
To determine if the customer, or an entity that controls them, is subject to regulatory oversight as outlined above, you could also ask for information on all of the following:
- the regulator they’re registered or licensed with. For example, the Australian Prudential Regulation Authority (APRA)
- the capacity in which they’re registered or licensed. For example, to provide superannuation-related services
- any unique licensing or registration number.
You may also be able to determine this based on information you have collected on other matters.
For example, information you have collected on the nature of the customer’s business could tell you whether the customer is any of the following:
- a bank (and therefore subject to prudential regulatory oversight)
- an insurer (and subject to insurance regulatory oversight) or
- a financial services business (subject to the Australian Financial Services Licencing laws).
Depending on the regulator they’re registered or licensed with, you could verify this information by:
- for banking, insurance and superannuation businesses – checking their registration details on the APRA website
- for Australian Financial Services or credit licensees, registered auditors and liquidators and self-managed super fund services – searching ASIC’s professional services registers.
In these circumstances, you’ll also be taken to have established whether any beneficial owner of the trust is a politically exposed person (PEP) or person designated for targeted financial sanctions (TFS).
You’ll still need to verify the identity of, and conduct PEP and TFS checks on all of the following persons (you will only need to complete a PEP check on individuals):
- the trust (no PEP check required)
- each representative of the trust – including all trustees or other representative that will engage with you in relation to your designated services
- each person on whose behalf the trust is receiving the designated service – including all beneficiaries of the trust unless you can’t identify them.
Identifying beneficial owners
This section refers to the Act section 28(2)(d) and the Rules section 6–3(5).
You must establish the identity of all beneficial owners of your customer.
Collect information
You must also at least collect the following information about the:
- control structure of the trust
- identity of any settlor, appointor, guardian or protector of the trust
On the control structure, we expect you to collect information on the:
- duties, rights and entitlements for administering the trust
- control and decision-making processes for administering the trust.
You could collect this by asking a representative of the trust, for example, for information on:
- the identity of any individual settlor, appointor, guardian or protector. Learn more about establishing the identity of an individual
- the type of trust – noting this information will have been collected to establish the identity of the trust
- how decisions are made and how the trust is administered or controlled
- who is responsible for administering the trust and what their duties are
- if there are any other persons who control the trust (other than the trustee, settlor, appointor, guardian and protector of the trust).
Verify information
To verify information about the ownership and control structure of the customer, you can cross reference with:
- the trust deed
- letters or documents from the trust’s professional services firms
- a copy of all trustee resolutions
- the memorandum of trust.
Based on the information collected, you’ll need to verify the identity of any individual who owns or controls the trust. Learn more about determining ownership and control.
You verify the identity of a beneficial owner in the same way you would verify the identity of an individual.
Politically exposed persons and sanctions
You must establish if the trust, any beneficial owner of the trust, or any person acting on their behalf or receiving a service on the trust’s behalf, is a person designated for targeted financial sanctions (TFS).
You must also establish whether any of these persons, if they are individuals, are a politically exposed person (PEP).
You’ll need to check all the following persons, unless an exemption mentioned above applies (you will only need to complete a PEP check on individuals):
- the trust
- all trustees to the trust and any representative who engages with you in relation to designated services
- all identifiable beneficiaries to the trust
- all individual settlors, appointors, guardians, protectors and any other individual with control over the trust.
Collect information
You could ask a representative of the trust, in an onboarding form, whether any of the individuals referred to above are a PEP.
In the onboarding form, you could specify that a PEP includes the following:
- a foreign PEP
- a domestic PEP
- an international organisation PEP.
If the customer confirms that one of the individuals mentioned above is a PEP, they could then provide the details of the individual and a description of their role. For example, Australia’s High Commissioner to New Zealand.
For TFS, you’ll have already collected information about the identity of the customer and any person acting on their behalf, which will be enough to complete the verification steps outlined below.
If you have information that a person is subject to TFS, don’t deal with their assets without a permit from the Australian Sanctions Office. Criminal penalties may apply if you do. Further information is on the Australian Sanctions Office website.
Delay verification
In practice, you would typically complete PEP and TFS verification after you’ve collected information about the identity of the customer and any person acting on their behalf.
This helps you conduct accurate PEP and TFS searches.
Ordinarily, you would need to verify this information before you start providing a designated service.
In some circumstances you may be able to delay verification where carrying it out would interrupt the ordinary course of business and other conditions are met.
Learn more about delayed verification for CDD.
Verify PEP information
You could verify the information provided by:
- checking the individual’s background using reliable and independent online sources, including government websites and other official data sources, and in the media
- using databases and reports from third-party providers that provide PEP screening services.
You could make sure any service you use satisfies both of the following:
- reflects the definition of PEP in the Act and Rules
- allows for effective searching despite minor discrepancies or errors in the data entered.
Learn how to establish if an individual is a PEP.
Verify sanctions information
You can use the Department of Foreign Affairs and Trade’s Consolidated List to search for persons and entities listed for TFS under Australian sanctions laws.
Sanctions listings change often, so always check for the most recently published list.
A person may have variations in the spelling of their name, particularly non-English names changed into English. You may need to check alternative spellings or use a service that allows for effective searching despite minor discrepancies or errors in the data entered.
Learn how to establish if a person is subject to TFS.
At the end of this process, you may not be satisfied you’ve established a matter on reasonable grounds. If this is the case, you’ll need to take further action, which may include collecting and verifying additional information, until this level of satisfaction is reached.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.