Customer due diligence — known as CDD — is the most day-to-day obligation under the AML/CTF reforms. From 1 July 2026, every accounting firm providing designated services must conduct CDD on their clients. For many accountants, this is the part of compliance that feels most unfamiliar.
The good news is that AUSTRAC's CEO has been explicit: for most small accounting practices, CDD does not need to be complicated. This guide explains exactly what it is, what the four levels mean in practice, and what you actually need to do for each client.
Customer due diligence means knowing who your clients are and understanding the money laundering risks they bring to your business. It involves verifying a client's identity before providing a designated service (initial CDD), monitoring the relationship over time (ongoing CDD), and applying extra scrutiny to high-risk clients (enhanced CDD). For low-risk clients, simplified CDD may apply.
What is Customer Due Diligence?
CDD is the process of identifying and verifying who your clients are, understanding the nature of your relationship with them, and assessing the risk they pose from a money laundering and terrorism financing perspective.
AUSTRAC CEO Brendan Thomas put it simply: "We want accountants to be confident that they know who they're dealing with — and that the person is who they say they are, not a front for a third party or shell company."
Under the AML/CTF Act, CDD is divided into four types — initial, ongoing, enhanced, and simplified — each with different requirements depending on the risk profile of the client. The sections below cover each in turn.
Initial CDD — What You Need to Collect
Initial CDD must be completed before you begin providing a designated service to a new client. For existing clients you were already serving before 1 July 2026, transitional rules apply — see below.
The information you need to collect and verify depends on the client type:
Individual clients
- Full legal name
- Date of birth
- Residential address
- Identity verification — for example, via driver's licence, passport, or the Document Verification Service (DVS)
Company clients
- Full legal name and ACN/ABN
- Registered address and principal place of business
- Nature of the company's business
- Identity of directors and beneficial owners (any person owning or controlling 25% or more)
- Verification of company registration via ASIC or equivalent
Trust clients
- Full name of the trust
- Identity of the trustee (individual or corporate)
- Identity of the settlor and beneficiaries where reasonably ascertainable
- Nature and purpose of the trust
- A copy of the trust deed where available
AUSTRAC's view on low-risk clients: "Where a customer is low risk, simplified diligence can apply. Very minimal collection of information is required. We're not asking accountants to keep a record of every document — just that they record the fact that they did it." — AUSTRAC CEO Brendan Thomas
Ongoing CDD — Monitoring the Relationship
CDD doesn't stop once a client is onboarded. You must monitor ongoing client relationships to identify changes in risk that may warrant a review or trigger a suspicious matter report.
In practice, ongoing CDD means:
- Periodically reviewing your client's risk rating — at least annually for medium and high-risk clients
- Updating client information when you become aware of changes (new beneficial owners, change of address, new business activities)
- Monitoring for unusual transaction patterns or behaviour inconsistent with the client's known profile
- Re-running identity checks if there is a significant change in the nature of the relationship
- Documenting the fact that reviews were conducted and when
You do not need to re-verify a client's identity every year. The key is that you have a documented process for monitoring and that you act on changes when they occur.
Enhanced CDD — High-Risk Clients
Enhanced CDD applies when a client is assessed as high risk. AUSTRAC requires you to collect additional information and apply greater scrutiny before and during the relationship.
Situations that typically require enhanced CDD include:
- Politically exposed persons (PEPs) — current or former senior government officials, their family members, and close associates
- Clients from high-risk jurisdictions — countries identified by FATF as having weak AML/CTF controls
- Complex or opaque ownership structures — where beneficial ownership is difficult to establish
- Clients with no clear business rationale for the service being requested
- Clients where the source of funds is unclear or inconsistent with their known profile
For enhanced CDD, you must obtain senior management approval before commencing or continuing the relationship, and document the additional steps you took to understand and manage the risk.
Simplified CDD — Low-Risk Clients
Simplified CDD allows a reduced level of scrutiny for clients who present a demonstrably low money laundering risk. It does not mean no CDD — it means less of it, with appropriate documentation.
Simplified CDD may be appropriate for clients such as:
- ASX-listed companies or their subsidiaries
- Australian government bodies
- Regulated financial institutions subject to equivalent AML/CTF obligations
- Long-standing clients with a well-understood and consistent risk profile
Even when applying simplified CDD, you must document why you determined it was appropriate. A blanket policy of applying simplified CDD to all clients is not compliant.
Risk Rating Your Clients
Every client must be assigned a risk rating — low, medium, or high — based on your assessment of their money laundering and terrorism financing risk. This rating determines which level of CDD applies and how frequently you review the relationship.
| Risk Level | CDD Type | Review Frequency | Typical Client Profile |
|---|---|---|---|
| Low | Simplified or Standard | Every 2–3 years | Local sole trader or individual with simple, transparent affairs |
| Medium | Standard | Annually | Private company with standard ownership structure, domestic operations |
| High | Enhanced | Every 6 months or more frequently | PEP, offshore structures, complex trust, high-risk jurisdiction |
What About Existing Clients?
If you had clients before 1 July 2026, you don't need to immediately re-do CDD on all of them. AUSTRAC has introduced the concept of "pre-commencement customers" — existing clients you were already serving when obligations commenced.
For pre-commencement customers, you are not required to complete initial CDD unless one of the following applies:
- A suspicious matter report obligation arises in relation to the client
- There is a significant change in the nature or purpose of the relationship that results in the client's risk being assessed as medium or high
- The client requests a new service materially different from your existing relationship
In practice, this means you should prioritise completing initial CDD for new clients first, and work through your existing client base on a risk-prioritised basis over time.
Don't confuse "pre-commencement" with "exempt." You still have ongoing CDD obligations for all clients from 1 July 2026 — monitoring for suspicious activity, reviewing risk ratings, and updating records when circumstances change. Pre-commencement status only defers the initial CDD requirement.
Record Keeping — What You Must Retain
All CDD records must be kept for a minimum of seven years. This includes:
- Identity documents collected and how they were verified
- Risk assessments conducted for each client
- Records of ongoing monitoring reviews and their outcomes
- Any enhanced CDD conducted and senior management approvals obtained
- Documentation of why simplified CDD was applied where relevant
- Suspicious matter reports lodged with AUSTRAC
AUSTRAC does not require you to keep copies of every identity document — but you must keep a record that you verified the document, what type of document it was, and when you verified it.
"Accountants need to have processes in place to verify that their customers are who they claim to be — and keep records showing how that verification was carried out." — AUSTRAC CEO
How SimpleAML Helps with CDD
SimpleAML is built specifically around the CDD process. For each client, the app guides you through a structured risk profiling workflow — capturing entity type, designated services, beneficial owners, jurisdiction, and risk rating. You can upload identity documents, record verification steps, set review dates, and track ongoing monitoring — all stored securely and exportable at any time.
If AUSTRAC ever reviews your practice, your complete CDD records are there — timestamped, organised, and audit-ready.