
Customer Due Diligence for Accounting Firms: What Australia’s New AML Laws Actually Require

Tags: AML/CTF, Customer Due Diligence, AUSTRAC, Tranche 2, 1 July 2026

If you’ve been trying to get your head around customer due diligence and what it means for your accounting firm, you are not alone.

CDD generated more live questions than any other topic in our AML Accountants Forum series. Most of them came down to the same underlying anxiety: how much do I actually have to do, and on whom?

This post gives you a clear, practical answer. No fluff. No fear-mongering. Just what the law requires, who it applies to, and where the real work sits.

What is customer due diligence?

Customer due diligence (CDD) is one of the core obligations under Australia’s reformed AML/CTF Act, which takes effect for accounting firms on 1 July 2026.

CDD comes down to three things.

Identify. Who is this person or entity?

Verify. Are they who they say they are?

Understand. Why are they coming to you, and what is the nature of the relationship?

It is not a one-time exercise. CDD is an ongoing obligation that continues throughout the life of the designated service you are providing. But it only applies when you are providing a designated service in the first place. That distinction matters more than almost anything else in this framework.

Not all clients trigger CDD obligations

Tax returns. BAS preparation. Bookkeeping. Payroll. None of these are designated services under the AML/CTF Act.

If you are doing someone’s annual tax return and nothing else, you have no AML/CTF obligation in relation to that client: no CDD, no PEP screening, no sanctions screening under the Act. (The general legal prohibition on dealing with a sanctioned person applies to everyone regardless; what falls away is the obligation to run the check.)

The obligation only applies when you provide one of the nine designated services. For most accounting firms, the ones you will encounter most often are acting as a registered office holder, setting up a new company or trust, and certain services related to managed investments and superannuation.

Until a client receives a designated service from your firm, they are not in your AML process. The common scenarios table further down shows how this plays out across the services most accounting firms provide.

Do you need to go back and verify your existing client base?

No. And this is the single biggest anxiety-reducer in the entire framework.

Your existing clients as at 1 July 2026 do not need to be retrospectively verified. They only enter your AML process when one of three things happens after that date.

  • You provide them with a designated service
  • Something suspicious arises that warrants a suspicious matter report
  • Key information about them changes in a material way

This is what is known as pre-commencement customer relief. It is in the legislation and it means you are not required to run CDD over your entire client base from scratch on 1 July.

That said, do not let familiarity substitute for compliance. Long-standing clients who have never been formally verified are actually a higher-risk scenario, not a lower one. If something feels off, act on it.

The six mandatory matters CDD requires you to collect

The Act specifies six mandatory matters for customer due diligence. Understanding all six helps you see how the pieces connect, particularly when it comes to beneficial ownership and screening obligations.

1. Verify the identity of your customer. Using government-linked sources, whether that is a passport database, driver licence database, or company registry.

2. Identify beneficial owners. The individuals who ultimately own or control the entity, tracing through any layers of structure to get to real people.

3. Identify third parties. Authorised representatives or anyone else acting on behalf of the customer in relation to the designated service.

4. Screen for PEPs and sanctions. Two separate and distinct mandatory obligations, each required at onboarding for every designated service client.

5. Understand the nature and purpose of the relationship. Why is this client coming to you, what are they doing, and does it make sense?

6. Keep that information updated. Throughout the life of the designated service, not just at the point of onboarding.

Technology handles the heavy lifting on most of these. Verification, screening, and record-keeping are exactly what purpose-built platforms are designed to do.

Standard CDD vs Enhanced CDD

The level of CDD you are required to perform depends on the risk rating you assign to the client. That rating comes from your risk assessment process and directly determines how much ongoing monitoring is required.

Designated service triggered → risk assessment completed → one of three CDD levels:

  • Low risk: Standard CDD. Identity verification, beneficial ownership, PEP screening, sanctions screening. Review every 3 years.
  • Medium risk: Elevated standard CDD. Identity verification, beneficial ownership, PEP screening, sanctions screening. Review every 2 years.
  • High risk: Enhanced CDD. Identity verification, beneficial ownership, PEP screening, sanctions screening, adverse media screening. Review every year. Plus source of funds, source of wealth, and senior manager sign-off.

Ongoing PEP and sanctions screening runs continuously for all designated service clients, whatever their rating.

Standard CDD for low and medium risk clients

For low-risk clients, you are performing standard identity verification, standard beneficial ownership checks, and reviewing the relationship every three years.

For medium-risk clients, the process is slightly more elevated with a two-year review cycle and closer scrutiny on the information collected.

The vast majority of your clients will sit at low or medium risk.

Enhanced CDD for high risk clients

High-risk clients require significantly more work across four key areas.

Senior manager approval. The AMLCO or a senior manager must sign off on every high-risk client. In a small firm where the AMLCO and the senior manager are the same person, that is fine. You still need to document the sign-off.

Source of funds and source of wealth verification. Not just asking the client where their money comes from, but verifying it through independent sources like bank statements, audited accounts, or land registry records. A client email explaining the origin of funds is not sufficient.

Enhanced identity verification. Beyond standard checks, this can include secondary independent data, professional register searches, and higher scrutiny on beneficial ownership structures.

Enhanced ongoing monitoring. Reviewing the client’s information annually, with AMLCO sign-off each year.

An international PEP automatically triggers high-risk status. A domestic PEP does not automatically push someone to high risk, but it is a factor that warrants closer scrutiny and potentially a manual uplift of their rating.

Enhanced CDD and ongoing monitoring are only required when the client is receiving an ongoing designated service. If you set up a company for a client and you are not their registered office holder, that is a one-off transaction. You do the initial CDD, complete your risk assessment, and that is the end of it unless something changes.

PEP screening, sanctions screening, and adverse media

PEP and sanctions screening are mandatory obligations for every designated service client at onboarding. Adverse media screening is required for high-risk clients as part of Enhanced CDD.

PEP screening identifies whether your client, their beneficial owners, or connected parties hold or have held a prominent public function, or are an immediate family member or close associate of someone who has. International (foreign) PEPs are automatically high risk. Domestic PEPs are a risk factor requiring professional judgement.

Sanctions screening carries different consequences entirely. It is a criminal offence under Australia’s sanctions laws to deal with a sanctioned person or entity, whether or not you are providing a designated service. The Department of Foreign Affairs and Trade maintains the Consolidated List, which combines UN Security Council designations with Australia’s autonomous sanctions; most screening tools also check other jurisdictions’ lists, such as the US OFAC list. You will almost certainly never encounter a sanctioned entity in your practice, but the check is mandatory.

Adverse media screening looks for negative news coverage, regulatory action, fraud history, or other reputational risks. This is an Enhanced CDD requirement triggered when a client is rated high risk.

Outsourcing these checks to a technology provider is permitted, but outsourcing does not transfer the obligation. The responsibility remains with your firm.

Beneficial ownership: where the complexity lives

Beneficial ownership is where most of the real complexity sits, particularly for trusts and layered company structures. The six mandatory matters require you to identify beneficial owners for every designated service client, so getting this right matters.

The rule is that you need to identify and verify anyone who holds 25% or more ownership of the entity, or exercises control over it. It is an “or”. Control matters just as much as ownership percentage.

For companies

If there are four shareholders each holding exactly 25%, all four meet the threshold and all four need CDD. If there is a holding company sitting above them, trace through to the individuals who ultimately own or control that structure. ASIC company extracts are a practical starting point, but they show only the registered shareholders of that one company, so each corporate shareholder has to be traced in turn.
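The look-through described above, as an added Python example (not code from the article or from LYRA or Seamlss). It applies the article’s 25%-or-control test to a layered structure. Everything else is an assumption made for the example: the `Entity` data model with `shareholders` and `controllers`, the constructed "Sunrise Pty Ltd" structure, the multiplicative look-through rule (a 60% owner of a 50% holding company counts as 30%), the decision to treat control of an intermediate holding company as control of what it owns, and the rejection of circular cross-holdings for manual review.

```python
"""Look-through beneficial ownership check for a layered company structure.

Added illustration, not the article's or any firm's code. The data model and
the multiplicative look-through rule are assumptions for this example; the
"25% or more, OR control" test is the rule the article states.
"""
from dataclasses import dataclass, field

BO_THRESHOLD = 0.25  # 25% or more is a beneficial owner; the test is inclusive


@dataclass
class Entity:
    name: str
    kind: str  # "individual" or "company" (assumed labels)
    # direct shareholders: owner name -> fraction of this entity's shares (0.0 to 1.0)
    shareholders: dict = field(default_factory=dict)
    # parties who exercise control regardless of shareholding, e.g. a sole director
    controllers: set = field(default_factory=set)


def effective_ownership(entities, target):
    """Map each individual to the fraction of `target` they hold after
    multiplying through every intermediate company. Raises on cross-holdings."""
    totals = {}

    def walk(name, fraction, path):
        for owner, share in entities[name].shareholders.items():
            eff = fraction * share
            if entities[owner].kind == "individual":
                totals[owner] = totals.get(owner, 0.0) + eff
            elif owner in path:
                # circular shareholding would loop forever; send it to a human
                raise ValueError(f"circular shareholding through {owner}")
            else:
                walk(owner, eff, path | {owner})

    walk(target, 1.0, {target})
    return totals


def chain_controllers(entities, target):
    """Individuals who control the target or any company in its ownership chain.
    Assumption for this example: controlling a holding company means controlling
    what it owns."""
    found, seen = set(), set()

    def walk(name):
        if name in seen:
            return
        seen.add(name)
        ent = entities[name]
        found.update(c for c in ent.controllers if entities[c].kind == "individual")
        for owner in ent.shareholders:
            if entities[owner].kind != "individual":
                walk(owner)

    walk(target)
    return found


def beneficial_owners(entities, target):
    """Return {individual: (effective_fraction, has_control)} for everyone who
    meets the 25%-or-control test for `target`."""
    ownership = effective_ownership(entities, target)
    controllers = chain_controllers(entities, target)
    result = {}
    for person in set(ownership) | controllers:
        pct = ownership.get(person, 0.0)
        ctrl = person in controllers
        if pct >= BO_THRESHOLD or ctrl:
            result[person] = (round(pct, 4), ctrl)
    return result


def sample_structure():
    """Constructed example: Sunrise Pty Ltd is 25% Alice, 25% Bob, 50% Holdco;
    Holdco is 60% Carol, 40% Dave; Erin is Sunrise's sole director."""
    people = {n: Entity(n, "individual") for n in ("Alice", "Bob", "Carol", "Dave", "Erin")}
    companies = {
        "Holdco Pty Ltd": Entity("Holdco Pty Ltd", "company",
                                 shareholders={"Carol": 0.60, "Dave": 0.40}),
        "Sunrise Pty Ltd": Entity("Sunrise Pty Ltd", "company",
                                  shareholders={"Alice": 0.25, "Bob": 0.25, "Holdco Pty Ltd": 0.50},
                                  controllers={"Erin"}),
    }
    return {**people, **companies}


if __name__ == "__main__":
    # Alice, Bob and Carol qualify on ownership, Erin on control; Dave (20%) does not
    for person, (pct, ctrl) in sorted(beneficial_owners(sample_structure(), "Sunrise Pty Ltd").items()):
        print(f"{person:6} effective {pct:.0%}  control={ctrl}")
```

Note that Dave drops out on the look-through even though he holds 40% of the holding company: 40% of a 50% holding is 20% of the target. Whether your firm applies exactly this multiplicative rule, and whether a controller of a parent company is treated as a controller of the subsidiary, are points to settle in your documented beneficial ownership policy rather than in code.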

For discretionary trusts

Trust structures require more care because the roles within a trust carry very different levels of control, and your CDD obligations follow that control.

Discretionary (family) trust: CDD obligations follow control and ownership, not just names on the deed.

  • Trustee: full verification (name, DOB, address, ID).
  • Appointor: full verification. High priority; this is the control role.
  • Settlor: ID only (usually); name taken from the deed. Full verification required if alive and retains control, or contributed $10,000 or more. See note below.
  • Beneficiaries: depends on the deed. Named in the deed: collect name and details. Defined as a class: record the class from the deed. See notes below.
  • All designated service clients: PEP and sanctions screening required for the client, beneficial owners, and connected parties.
  • High-risk clients only: adverse media screening required as part of Enhanced CDD.

The settlor

The settlor generally does not need to be fully verified unless they are alive and either have significant ongoing control over the trust, or provided a material contribution of $10,000 or more.

You must still collect their name and address from the trust deed as part of the trust’s structural profile.

If the settlor is deceased: You cannot verify a deceased person. For a testamentary trust created by a will, record the name and sight the Grant of Probate or the Will. No further verification is required.

If the settlor is a nominal settlor: In many family trusts, a family friend or accountant settles the trust for $10 and has no further involvement. Collect their name from the deed. Verification is not required unless the trust is rated high risk or they provided a material contribution and retain influence.

Beneficiaries

Beneficiaries are the people for whom the trust is held. But holding a beneficial interest is not the same as having control. In most discretionary trusts, beneficiaries have no guaranteed entitlement to anything. The trustee decides who gets what and when. That absence of control is directly relevant to your CDD obligations.

Most trust deeds define beneficiaries in two ways.

Primary beneficiaries are typically named explicitly in the deed. This is usually the spouse, children, and sometimes a family company or SMSF. If someone is explicitly named as a primary beneficiary, collect their name and identifying details as part of the trust’s structural profile.

General beneficiaries are defined as a class. Typical deed language looks like “the children, grandchildren, and remoter issue of the primary beneficiaries.” This class can include dozens or hundreds of people. You are not required to identify and verify every person in that class. Record the class description from the deed.

Where individual verification becomes required for a beneficiary is when one of the following applies.

  • They are explicitly named in the deed as a primary beneficiary
  • They receive what your firm judges to be material distributions from the trust
  • They individually hold 25% or more of the beneficial interest

For a standard family discretionary trust, most beneficiaries sit in the general class, have zero control, and require no individual verification beyond recording the class description. Your priority is the trustee, then the appointor, then any named primary beneficiaries.

The material distribution threshold requires professional judgement. AUSTRAC has not defined a specific dollar figure. Address this in your firm’s risk assessment policy so you have a documented, defensible position.

How ongoing monitoring actually works

Ongoing monitoring does not mean watching clients every day. It means having a structured review cycle based on their risk rating and re-examining the file when something triggers a review.

The periodic review cycles are every three years for low-risk clients, every two years for medium-risk, and annually for high-risk clients.

Sanctions screening runs continuously in the background against your client list. If a client appears on a sanctions list or a PEP match comes through, that triggers a review regardless of where you are in the periodic cycle.

You do not need to track document expiry dates. The obligation is periodic review based on risk, not passport renewal dates.

Common scenarios at a glance

Scenario | CDD required? | Ongoing monitoring?
Annual tax return | No | No
BAS preparation | No | No
Bookkeeping or payroll | No | No
Setting up a company (not registered office) | Yes, initial CDD only | No
Setting up a company (you are registered office) | Yes, initial CDD | Yes
Establishing a trust | Yes, initial CDD on controller and beneficial owners | Depends on ongoing service
Annual ASIC renewal as existing registered office | Already in ongoing cycle | Yes
Existing ITR client who now wants a company set up | Yes, triggered by new designated service | Depends on registered office

Want help getting your AML compliance program in place before 1 July 2026?

Agnieszka Szczepanik and the team at LYRA Risk & Compliance work with accounting firms to design and implement AML programs that are practical, proportionate, and audit-ready.

Disclaimer: This article is intended for general educational purposes only. It does not constitute legal, compliance, or professional advice and should not be relied upon as such. AML/CTF obligations are complex and vary depending on the nature of your practice, your client base, and the specific services you provide. Before implementing any AML compliance program or making decisions based on this content, you should seek advice from a qualified AML compliance professional or legal adviser. Seamlss recommends working with an experienced compliance consultant to ensure your program is appropriately tailored to your firm.