Overview of customer due diligence (Reform)

This page refers to the Act section 26F and Part 2.

Customer due diligence overview

Flowchart showing customer due diligence steps: conduct initial CDD before providing a designated service by collecting and verifying KYC information and identifying ML/TF risk; conduct ongoing CDD during the service by monitoring customers. You must apply enhanced CDD to high risk customers and in other circumstances; you may be able to apply simplified CDD for certain low-risk customers.

CDD serves 3 purposes, to ensure your business:

  • establishes the identity of your customers and that they’re who they claim to be, knows whether they’re acting on behalf of another person, and determines that there’s no legal barrier to providing them with the designated service requested
  • identifies and assesses the money laundering, terrorism financing and proliferation financing (we refer to these as ML/TF risks) involved in providing designated services to the customer, enabling you to appropriately manage and mitigate these risks
  • obtains the information it requires to make reports to us, which helps law enforcement and national security agencies investigate criminal activity.

The 3 core elements of CDD—identification, verification and monitoring—work together so that your business builds knowledge of the customer that’s crucial from an anti-money laundering and counter-terrorism financing (AML/CTF) perspective.

Your AML/CTF program must include policies to conduct CDD both: 

  • in accordance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act)
  • to enable you to appropriately manage and mitigate the ML/TF risks you face.

Initial customer due diligence

You must complete initial CDD before you start providing a designated service to your customer. 

Initial CDD is about identifying your customers and other specified persons and identifying your customers’ ML/TF risk.

Initial CDD helps you decide what you need to do to manage and mitigate the ML/TF risks involved in providing that customer with a designated service. 

You generally do this by collecting and verifying know your customer (KYC) information.

The information you collect and verify will be different depending on the kind of customer you have, and their ML/TF risk. 

Ongoing customer due diligence

After you conduct initial CDD, you must monitor your customers so that you can identify, assess, manage and mitigate their ML/TF risks over time. 

You do this by doing all of the following: 

  • keeping their KYC information up to date and re-verifying it where appropriate
  • monitoring for unusual transactions and behaviours and criminal activity
  • updating their ML/TF risk as you know more about them and how they use your services
  • collecting or verifying additional KYC information where appropriate.

Learn more about ongoing customer due diligence.

Enhanced customer due diligence

Enhanced CDD means taking additional steps to identify your customer and other specified persons, and to identify, manage and mitigate their ML/TF risks. You must conduct enhanced CDD either:

  • when the customer’s ML/TF risk is high, or
  • in other specified circumstances.

You may need to apply enhanced CDD measures during initial CDD, ongoing CDD, or both. 

Learn more about enhanced CDD.

Politically exposed persons

A politically exposed person (PEP) is an individual who holds a prominent public position. They can be a target for bribery and corruption because they hold positions of power and influence. 

You have additional CDD obligations if you’re dealing with a PEP. This includes establishing on reasonable grounds if a customer and other specified persons are PEPs before you start providing a customer with a designated service. 

Learn more about PEPs.

Persons designated for targeted financial sanctions

You must establish on reasonable grounds if a customer and other specified persons are designated for targeted financial sanctions before you start providing a customer with a designated service. 

You can’t deal with assets owned or controlled by a person designated for targeted financial sanctions. You also can’t make assets available to them. 

Learn more about persons designated for targeted financial sanctions.

Relying on customer identification by another business

There are limited circumstances where you can rely on KYC information that has been collected and verified by another reporting entity or a foreign business subject to AML/CTF regulation. This is called ‘reliance’.

Learn more about reliance on customer identification by a third party.

Circumstances where you can complete initial CDD after starting to provide a service

There are specific circumstances where you can start providing a designated service before you complete initial CDD. 

Learn more about delayed initial customer due diligence.

Other circumstances where you’re considered compliant with your CDD obligations

If you were a reporting entity before 31 March 2026, in most circumstances you won’t need to conduct initial CDD again.

Learn more about transitioning existing customers.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1303
