Resolving issues with CDD arrangements and liability

Entering into an ongoing customer due diligence (CDD) arrangement with a reliable third party that complies with the AML/CTF Act and Rules provides you with a ‘safe harbour’ from liability where an isolated or occasional breach of the identification and verification requirements is identified.

What is an isolated or occasional breach?

An isolated or occasional breach is one that occurs rarely and has minor or immaterial impacts. Such breaches should be easily resolved by routine communications between the reporting entity and the reliable third party. These isolated or occasional breaches should not suggest or reveal broader or more substantial ongoing or systemic identification compliance issues.

Examples of isolated or occasional breaches may include: 

  • a small number of exceptional and easily rectified data entry errors concerning a customer’s identification and verification information
  • inadvertently carrying out a customer identification procedure to a lower standard than required by a reporting entity’s risk assessment for a small number of customers whose risk rating may be on the cusp of two risk assessment categories (e.g. Medium-High). 

If you are not confident that the third party will remediate the breach as soon as practicable, you should stop relying on customer identification and verification under the CDD arrangement.

You must undertake an appropriate due diligence assessment on the relied-on third party prior to entering into a CDD arrangement, and undertake further assessments and reviews at least every two years and in response to any material changes affecting the reliable third party, to ensure that the identification procedure is conducted to the standard outlined in the CDD arrangement.

If assessments on the relied-on third party reveal that its processes and procedures are insufficient or inadequate, and the CDD arrangement no longer meets the requirements of the AML/CTF Act and Rules, the safe harbour protection available under the CDD arrangement ceases to apply from the point you knew, or objectively should have known, that this was the case. This means you may be exposed to liability under section 32 of the AML/CTF Act if you continue the CDD reliance arrangement.

Examples of insufficient identification processes and procedures

Examples of insufficient or inadequate identification processes and procedures:

  • regular errors in KYC information that do not improve with routine communication with the relied-on third party
  • repeated or systemic customer identification procedure failures by the relied-on third party in contravention of the CDD arrangement
  • ongoing failure by the relied-on third party to respond to a request to provide verification information without delay
  • a significant change in the relied-on third party’s ML/TF or other serious crime risk profile that means it is no longer reasonable to believe that the CDD arrangement meets the requirements of the Act and Rules
  • adverse media reporting or information about deficiencies concerning the relied-on third party that means that a reasonable person would consider the CDD arrangement no longer meets the requirements of the AML/CTF Act and Rules.

Circumstances for automatic suspension of the CDD arrangement


If you believe that the circumstances of a CDD arrangement have changed after completing a regular assessment, and that the CDD arrangement no longer meets the requirements of the AML/CTF Act and Rules, you must cease relying under the arrangement until the requirements are met.

For what period of time should you suspend or cease the CDD arrangement?

The arrangement will not have legal effect again until you consider that there are reasonable grounds to believe that all of the shortcomings have been remediated and the requirements of the AML/CTF Act and Rules are being met.

  • During the period of suspension, you must undertake your own ACIP and processes. You cannot rely on the CDD arrangement entered into with the relied-on third party.

Both parties to the CDD arrangement are encouraged to take a proactive and considered approach to assessing and amending the CDD arrangement in accordance with changes in the circumstances.

CDD arrangements will automatically resume once you are satisfied on reasonable grounds that the requirements of the AML/CTF Act and Rules are being met. You should document the basis on which you are reasonably satisfied.

If you cannot resolve your concerns or issues with the relied-on third party 

If you believe that the relied-on third party is no longer able to meet the requirements as set out in the CDD arrangement, despite efforts to remediate identified issues, you must terminate the CDD arrangement and cease relying on the relied-on third party, if you have not already done so.

Responsibilities to rectify the verification of customers identified under a defective CDD arrangement 

You may become aware that a CDD arrangement no longer meets the requirements of the AML/CTF Act and Rules after you have onboarded a number of customers under the arrangement.

In some cases these shortcomings may mean that there are doubts about the adequacy or veracity of the previously obtained documents or information, and you cannot be reasonably satisfied that the customer is the person they claim to be. These doubts may not relate to any suspected wrongdoing by the customer, but could arise due to the practices of the relied-on third party. Whatever the reason for the doubts, you must re-verify any affected customers’ identities as soon as practicable.

Re-verification may be carried out under the CDD arrangement if the shortcomings in the CDD arrangement have been remediated and the reliable third party is capable of re-verifying the affected customer faster than you could yourself.

What time period is considered reasonably practicable will depend on the circumstances. If a large number of customers are affected you should contact AUSTRAC to discuss your proposed remediation arrangements.

If only a subset of customers are affected, only that subset needs to be re-verified. For example, if a CDD arrangement was operating as intended for individual customers but there were shortcomings when carrying out identification procedures for corporate customers, only those affected corporate customers will need to be re-verified.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 12 Mar 2024
Page ID: 682
