Overview of initial customer due diligence (Reform)

Learn what initial customer due diligence (CDD) is, when you need to complete initial CDD and what records you need to keep.

Initial CDD involves identifying all of the following:

  • your customer
  • certain other persons
  • your customer’s money laundering, terrorism financing and proliferation financing risk. We refer to these as ML/TF risks.

This guidance explains your initial CDD obligations.

When you must complete initial CDD

This section refers to the Act sections 28 and 136-141. 

You must complete initial CDD before you start providing a customer with a designated service. You complete initial CDD by establishing certain matters on reasonable grounds.

If you can’t establish these matters on reasonable grounds, you must not start providing the customer with a designated service.

There are circumstances where you can start providing a designated service before you complete initial CDD. Learn about delayed customer due diligence.

Learn about initial CDD obligations for existing customers. 

What you must establish during initial CDD

This section refers to the Act sections 28(2) and 111 and the Rules sections 6-21 and 6-23. 

You must establish the following matters on reasonable grounds before you start providing your customer with a designated service:

  • the identity of the customer
  • the identity of any person on whose behalf the customer is receiving a designated service (such as a beneficiary of a trust or foreign equivalent)
  • the identity of any person acting on behalf of the customer, and their authority to act
  • if the customer isn’t an individual, the identity of any beneficial owners of the customer
  • whether the customer, any beneficial owners of the customer, any person on whose behalf the customer is receiving the designated service or any person acting on behalf of the customer is a politically exposed person (PEP), or designated for targeted financial sanctions
  • the nature and purpose of the business relationship or occasional transaction
  • the source of funds and source of wealth of foreign PEPs, high-risk domestic or international organisation PEPs
  • if you’re required to apply enhanced CDD, the customer’s source of funds and source of wealth, if this is relevant to the nature of the customer’s ML/TF risk.

Reasonable grounds

Reasonable grounds is an objective standard. This means that a reasonable person in your position would determine that a matter is established for initial CDD based on the facts, circumstances, and information available. 

This includes all the information and circumstances that you know or could reasonably be expected to have known at the time. 

A ‘reasonable person’ is a legal term. It refers to a hypothetical person who displays reasonable or ordinary behaviour or judgment in the circumstances. 

We expect that you understand and explain how each matter was established in a way that demonstrates a reasonable person would likely reach the same conclusion where they:

  • review the same material
  • have similar knowledge, experience or training.

You must keep records of how you established each matter on reasonable grounds, for each customer.

How to establish matters on reasonable grounds

This section refers to the Act sections 26F and 28 and the Rules section 5-2.

As part of establishing the required matters on reasonable grounds, you must:

  • if the customer is an individual, take reasonable steps to establish that the customer is who they claim to be
  • identify the customer’s ML/TF risk
  • collect know your customer (KYC) information that’s appropriate to the customer’s ML/TF risk
  • verify KYC information, using reliable and independent data, that’s appropriate to the customer's ML/TF risk.

Establishing the required matters on reasonable grounds will usually consist of the following steps:

  1. Collect KYC information from the customer, most commonly using an onboarding form or other onboarding process.
  2. Identify the customer’s ML/TF risk based on the KYC information collected. Learn about assigning a customer risk rating.
  3. Determine if the customer is a PEP or designated for targeted financial sanctions.
  4. Determine if you need to apply enhanced CDD.
  5. Determine if you can apply simplified CDD or use deemed compliance provisions.
  6. Collect additional KYC information as appropriate to the customer’s ML/TF risk, and to mitigate and manage that ML/TF risk.
  7. Verify KYC information using reliable and independent data, that’s appropriate to the customer’s ML/TF risk.

You may be able to complete some of these steps at the same time. For example, the information you collect about the customer’s identity and why they’re using your service can help you identify their ML/TF risk. As you better understand their ML/TF risk, it may be appropriate to collect or verify additional KYC information.

In some cases, you may need to collect more KYC information than usual to be able to establish a matter on reasonable grounds. For example, an individual may have a common name and personal details, so you must collect further information to distinguish them from other individuals.

You must have anti-money laundering and counter-terrorism financing (AML/CTF) policies that set out the circumstances in which you will collect, or collect and verify, kinds of KYC information relating to a customer. 

We expect your policies will set out the:

  • types of KYC information you’ll ordinarily collect, or collect and verify, for different kinds of customers to help you establish matters on reasonable grounds
  • circumstances in which you’ll collect, or collect and verify, information on a customer’s source of funds and source of wealth.

The information you collect and verify must be: 

  • sufficient to establish the matters on reasonable grounds
  • appropriate to the customer’s ML/TF risk, and
  • appropriate to manage and mitigate the ML/TF risks you may reasonably face in providing designated services. 

Initial CDD for different customer types

The following guidance sets out how to complete initial CDD on different kinds of customers. This includes:

  • the KYC information that you could collect and verify as part of establishing the required matters for initial CDD on reasonable grounds
  • when you may apply simplified CDD measures.

Learn about how to complete initial CDD on:

Identifying beneficial owners, persons acting on behalf of your customer and persons on whose behalf your customer is receiving a designated service

This section refers to the Act section 28 and the Rules Part 6.

You must establish the identity of any:

  • beneficial owners of your customer
  • person acting on behalf of your customer and their authority to act
  • person on whose behalf the customer is receiving a designated service.

You do this by collecting and verifying KYC information about these persons.

Our guidance on how to complete initial CDD for different kinds of customers sets out:

  • what KYC information you could collect and verify to help you establish these matters on reasonable grounds
  • when you may otherwise be compliant with your obligation to establish these matters. 

Beneficial owners

A beneficial owner is an individual who directly or indirectly:

  • ultimately owns 25% or more of your customer, or
  • otherwise controls your customer. 

Your customer may have more than one beneficial owner. 

Sometimes, your customer may not have a beneficial owner.

Example: Complex ownership structure

Your customer is a trust. You identify that a company directly controls the trust. If the beneficial owner of the company is an individual, you must establish their identity on reasonable grounds. 

If the owner of the company isn’t an individual, you must keep following this chain of ownership until you can find the individual(s) who ultimately own or control your customer. You must then establish that person’s identity on reasonable grounds. 

Learn more about determining ownership and control of a customer.

Nature and purpose of the business relationship or occasional transaction 

Establishing the nature and purpose of the business relationship or occasional transaction helps you to:

  • identify and assess the ML/TF risk of providing your customer with a designated service
  • develop a baseline of normal or expected activity for the customer, against which you can identify unusual or suspicious activity
  • detect if they’re using your services in a way that doesn’t align with that purpose during ongoing CDD. 

Sometimes the nature of the business relationship or transaction will be evident from the transaction itself and your normal interactions with your customers. For example, an individual enquiring about purchasing a diamond necklace for their partner, or a couple seeking conveyancing services to buy a house to live in. 

Other times you may need to ask your customer questions to understand the nature of your relationship. Information that might be relevant includes:

  • what they’ll be using your designated services for
  • their expected transaction frequency and volume
  • how they plan to have your designated services delivered to them, such as online or face-to-face
  • whether they’ll use your designated services for business or personal transactions
  • nature and details of an individual’s occupation and employment
  • the individual’s date of birth (e.g. is the customer a child or likely to be a retiree)
  • record of changes of address
  • the nature of the relationships between a customer and the person acting for them
  • the source of the customer’s wealth and funds for the designated service.

Politically exposed persons

Learn how to establish if an individual is a PEP, and additional CDD obligations that apply to PEPs. 

Persons designated for targeted financial sanctions

Learn how to establish if a person is designated for targeted financial sanctions.

Collecting and verifying KYC information

This section refers to the Act sections 28 and 41 and the Rules section 6-10.

You must collect KYC information to help you establish matters on reasonable grounds.

The KYC information you collect will help you identify your customer’s ML/TF risk. You can then determine if you need to collect or verify additional KYC information or conduct enhanced CDD.

We expect you to collect all of the following:

  • the minimum KYC information that you must collect for the type of customer you are dealing with
  • more KYC information about a customer who is high ML/TF risk than you would for a customer who is low ML/TF risk
  • more KYC information about persons associated with a high-risk customer (such as a beneficial owner) than you would of a low-risk customer
  • more KYC information from a customer whose request for a designated service seems unusual. For example, KYC information about their occupation, income, countries of citizenship.

Collecting KYC information involves gathering information. This can be done using a customer onboarding process or form. Information can also be gathered from other sources and doesn’t have to be collected directly from the customer. No identification documentation is necessarily required to be gathered at this collection stage, but this may be one way to gather the relevant information. 

Verifying KYC information involves checking reliable, independent source documentation, data or information that confirms the accuracy and truth of the KYC information that was obtained during the collection process.

Collection and verification of identification information can sometimes happen in parallel. For example, if you sight an individual’s identity document and record relevant information instead of requiring them to input their details into an onboarding form.

Learn about KYC information you must collect for different customer types, and examples of independent and reliable data you can use to verify that information.

Verifying KYC information using independent and reliable data

You must verify KYC information you collect, as appropriate to the customer’s ML/TF risk, using independent and reliable data.

You may not need to verify every piece of KYC information. However, we expect you to verify all of the following:

  • at least one piece of KYC information for each matter that you’re required to establish, unless an exception in the AML/CTF Rules applies
  • more information collected in a high-risk situation than you would in a low-risk situation
  • more information about persons associated with a high-risk customer (such as a beneficial owner) than you would of a low-risk customer
  • more details from a customer whose request for a designated service seems unusual. For example, information about their occupation, income, countries of citizenship.

Electronic data

You can use third-party digital identity services to verify KYC information, if the data you receive from the digital identity service is reliable and independent. 

When considering whether to use a third-party digital identity service, we expect you to consider: 

  • whether the data they use to verify KYC information is independent and reliable
  • who maintains the data, such as a government body
  • whether the system is secure and kept up to date
  • any other factors you determine to be relevant in your circumstances.

Inconsistencies or discrepancies in customer information

When you verify KYC information, you may find inconsistencies with the information you collected. We expect that your AML/CTF policies will outline all of the following:

  • how you’ll respond to inconsistent information so that you can appropriately manage and mitigate ML/TF risks. This could include steps to identify and document the reason for the inconsistency
  • when you may need to collect more information to be satisfied of a person’s identity, and what information you’ll collect
  • what you’ll do if you can’t verify a person’s identity because of inconsistent information.

If there are inconsistencies with the information collected from the customer, you could, for example, do one or more of the following:

  • verify the information with independent and reliable data from third parties
  • contact issuing authorities to confirm the validity of documents
  • ask the customer to explain the discrepancies, such as differences in name spelling or address history, and request supporting evidence if appropriate
  • review the reason for the inconsistency, such as a minor administrative error or a potential indicator of ML/TF, like the use of fraudulent documents
  • in some circumstances, apply alternative identification procedures.

If you’re concerned about the validity of a document, you can use another independent source to verify the information, such as the Document Verification Service (DVS).

If you can’t establish a matter on reasonable grounds, you must not provide the designated service. You must submit an SMR to us if you reasonably suspect that the customer isn’t who they claim to be.

Circumstances beyond the customer’s control

In some cases, you may not be able to establish an individual’s identity under your normal CDD procedures because the individual can’t do either or both of the following:

  • obtain identity information or evidence
  • access identity information or evidence because of circumstances beyond their control.

In this situation, you’re considered compliant with your obligations to establish the individual’s identity if you’ve done all of the following:

  • implemented AML/CTF policies that mitigate and manage any additional ML/TF risks created in these situations
  • taken reasonable steps to establish the individual is who they claim to be, such as applying alternative identification procedures
  • identified the customer’s ML/TF risk based on KYC information reasonably available to you before you start providing the designated service
  • collected KYC information appropriate to the customer’s ML/TF risk
  • taken reasonable steps to verify the KYC information using data reasonably available to you and in a manner appropriate to the customer’s ML/TF risk.

It may be appropriate to collect and/or verify additional KYC information throughout the course of your business relationship. For example, if their ML/TF risk changes.

Learn more about helping customers who don’t have standard forms of identification.

Simplified CDD when the ML/TF risk is low

This section refers to the Act section 31 and the Rules section 6-16.

Simplified CDD allows you to streamline customer identification and verification for certain low-risk customers. 

Simplified CDD isn’t an exemption from your initial or ongoing CDD obligations. You must still collect all the required KYC information, and collect and/or verify enough KYC information to both:

  • identify the customer’s ML/TF risk
  • establish matters on reasonable grounds.

When you can apply simplified CDD

You can apply simplified CDD if all the following apply:

  • the customer’s ML/TF risk is low
  • you’re not required to conduct enhanced CDD
  • your AML/CTF policies deal with how you will apply simplified CDD measures.

Learn how to apply simplified CDD on different kinds of customers.

Offences that apply to evasive behaviour

People who try to exploit your services for ML/TF may try to evade identification. We expect you to monitor for this behaviour throughout the CDD process. 

A person may commit a criminal offence if they start to receive a designated service from you and they do any of the following:

  • use a false customer name
  • do so on the basis of customer anonymity
  • are commonly known by 2 or more names, use one of those names and do not disclose the other
  • knowingly provide false or misleading information or documents.

A person may also commit a criminal offence if they knowingly provide false or misleading information to you or create a false document.

If you have reasonable grounds to suspect that a person has committed any of these offences, you must report this to AUSTRAC.

Learn more about suspicious matter reports.

You may also commit a criminal offence if you start to provide a designated service to a person and any of the following apply:

  • you use a false customer name
  • you do so on the basis of customer anonymity.

Nested services relationships

You have additional CDD obligations if you’re providing your designated services as part of a nested services relationship. This includes establishing additional matters on reasonable grounds before you provide your customer with a designated service. 

Learn more in the Rules section 6-25. 

Record keeping

This section refers to the Act section 111.

You must keep records to show how you complied with your initial CDD obligations for each customer. As part of this, you must keep sufficient and accurate records of the type and content of the data you collected as part of initial CDD. You must also keep records of your identification of ML/TF risk or other decisions you made as part of initial CDD. You must keep these records for 7 years following the end of the business relationship or 7 years after the date of the last occasional transaction.

You are not required to keep scanned copies or photocopies of identity documents themselves, such as driver's licences.

Learn more about record keeping.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1375
