AML/CTF Rules 2025: Customer Due Diligence for accounting

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.


 

Understanding AML/CTF Rules 2025 Part 6: Customer Due Diligence (CDD), and what it means for accounting

From 1 July 2026, accounting practices in Australia that provide "designated services" must comply with Australia's anti-money laundering and counter-terrorism financing (AML/CTF) laws. A core part of those obligations is customer due diligence (CDD).

That’s just a formal way of saying: check who your customer really is, record the key details and understand why they are dealing with you.

Let's start by walking through three scenarios in practice before diving into each section in detail.

What does CDD look like for low, medium, and high-risk workflows?

Not all designated services carry the same level of money laundering risk. A local individual tax return client presents very different risks than an international corporate client setting up a local business.

The AML/CTF Rules expect you to tailor your checks to the level of risk.

Here are three practical examples (low, medium and high risk) showing how the workflow changes depending on the customer. Each step is explained in more detail in the sections that follow.

Example scenario 1: Low-risk workflow
A local couple engages your practice to prepare their annual tax returns.

Steps:

  • Identify and verify each individual: collect full legal name, date of birth and residential address, and check identity documents (e.g. driver's licence or passport) against an independent, reliable source.
  • Note the purpose: routine annual tax compliance for two local individuals.
  • Screen against PEP and sanctions lists if your AML/CTF Program requires it for this customer type.
  • Risk-rate them as low: local individuals with straightforward affairs and no EDD triggers.
  • No enhanced due diligence is required; record the assessment and move on to ongoing CDD.

Example scenario 2: Medium-risk workflow
A new client, a well-established Australian construction company, approaches your firm for assistance with their end-of-financial-year tax return. The company operates through multiple related entities, including several subsidiaries, and has a history of consistently making large cash payments and deposits.

Steps:

  • Identify and verify the company and its directors: obtain the ABN and ACN, confirm the company exists (e.g. via a company register extract), and verify the identities of all directors and significant shareholders using reliable, independent documents.
  • Note the purpose: document the nature of the business, its scale and its operational model. This is key to deciding whether the cash use is justified.
  • Assess the use of cash: ask the client for an explanation and any documented policy for cash handling. There may be a legitimate reason, for example a legacy practice inherited from an older founder, or subcontractors who ask to be paid in cash for short-notice jobs.
  • Risk indicators: multiple related entities, a new client relationship, a high volume of cash transactions and a vulnerable industry.
  • Risk-rate them as medium: legitimate commercial objective, but elevated risk due to layered entities, cash transactions and industry vulnerability.
  • Your AML/CTF Program should clearly define when this medium rating escalates to high, for example if the client's explanations for the cash handling become vague or the transactions become more unusual.

Example scenario 3: High-risk workflow
An overseas individual with no prior business in Australia seeks your firm's assistance to register a new Australian company. The individual explains that the company will be a property development firm and that they intend to fund a major real estate acquisition with a large sum transferred from a trust in a known tax haven.

Steps:

  • Identify and verify the individual instructing you to set up the entity (e.g. passport or driver's licence checked against an independent source).
  • Identify and verify the ultimate beneficial owners (UBOs) and controllers of the foreign trust.
  • Understand the nature and purpose: the firm must be satisfied that the entire arrangement has a legitimate commercial purpose. Is there a logical reason for this specific structure and for funding it from that jurisdiction? A vague or inconsistent explanation is a significant red flag.
  • Apply enhanced due diligence (EDD):
    • Collect evidence of source of wealth (e.g. business records, investment portfolio).
    • Confirm source of funds for this purchase (e.g. offshore account statements).
  • Check all parties against PEP and sanctions lists.
  • Escalate to senior manager approval before proceeding.
  • Risk-rate as high — high risk industry, trust from a known tax haven involved.
  • Suspicious Matter Report (SMR): If at any point the firm forms a suspicion that the transaction is related to criminal activity, it must lodge an SMR with AUSTRAC.

Why do we need to check customers?

Accounting services can be exploited to disguise “dirty money” from crime. Criminals may try to use bookkeeping, tax filings, company structures, or audit engagements to make illicit funds look legitimate.

The AML/CTF rules build on what you already do — confirming client authority, verifying source documents, and monitoring use of client accounts. Now you must record identities, assess risk, and complete checks within set timeframes.

What you need to collect and check at the start of the relationship (initial CDD)

You must collect different information depending on who the customer is. Let’s break it down.

If your customer is an individual

Ask for:

  • Full legal name and any other names used
  • Date of birth
  • Residential address

Verify identity documents (e.g. driver's licence, passport or other government-issued ID) against an independent, reliable source, such as a government document-verification service.

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person is not a PEP and is not on a sanctions list.

If your customer is an individual trading as a sole trader

Ask for:

  • Full legal name and any other names used
  • Any business name they use
  • Australian Business Number (ABN). If they don't have one, another official identifying number will do
  • Business address
  • What their business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person / business is not a PEP and is not on a sanctions list.

If your customer is a company or partnership

Ask for everything you’d ask a sole trader, plus:

  • Company or registration number (e.g. ACN)
  • Registered office address
  • Proof the business exists (for example, a company register extract)
  • How it is run and who has authority (constitution, partnership agreement, or similar)
  • Full names of directors or people in charge
  • Details of who owns or controls the business

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the business and all Directors / controllers are not PEPs and are not on a sanctions list.

If your customer is a trust or equivalent 

Ask for everything you’d ask a company or partnership, plus:

  • The name and type of trust (family trust, unit trust, etc.)
  • Proof the trust exists (like a trust deed)
  • How it is run and who can make decisions
  • Names of trustees and people in charge
  • Names of beneficiaries (or a description if it’s a large group, like “children of the settlor”)
  • Details of who set it up or controls it

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the trust and all trustees / controllers and beneficiaries are not PEPs and are not on a sanctions list.

If your customer is a government body

Ask for:

  • Full name and any other names used
  • The country, or part of a country, in which it was established. For example, the Independent Broad-based Anti-corruption Commission (IBAC) is established in Victoria, Australia, so record "Victoria, Australia", not just "Australia".
  • A unique number if they have one
  • Main address
  • Proof it exists
  • Names of the person / people in charge
  • What the business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the government body and all people in charge are not PEPs and are not on a sanctions list.

Establishing the identity of persons associated with the customer (don’t stop at the first level)

Sometimes the customer you see is not the one you’re really dealing with. For example:

  • A company may be acting for another business
  • Someone might be signing on behalf of the real customer

Example: A small business comes to your firm for bookkeeping and BAS services. The director signs the engagement letter, but your CDD shows the company is owned by a family trust. You must also identify and verify the trustee and key beneficiaries — not just the director who engaged you.

In short, treat any associated person like a mini-customer for KYC purposes, collecting the relevant information depending on their type. 

Beneficial owners: who really owns or controls the customer?

Finding the beneficial owner simply means working out who ultimately owns or controls the business, trust or government body.

  • If the customer is a company listed on a stock exchange (such as the ASX), you do not need to trace ownership further, because it is already public.
  • If you can’t establish who owns a business after taking reasonable steps, you must:
    • Record what you tried
    • Collect and verify the details of the most senior managing official (for example, the CEO) instead
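The "don’t stop at the first level" rule and the beneficial-owner fallbacks above are easiest to see as a walk over the ownership and control graph. The following is an added example, not code from First AML or from the Rules: it looks through companies to the individuals behind them, stops at a listed company, records trustees and beneficiaries of any trust it meets, and falls back to the senior managing official where ownership cannot be established. The 25% threshold, the `Party` data model and the sample structure are assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption (not a figure from the page): treat 25% effective ownership as the
# beneficial-owner threshold. Set this from your own AML/CTF Program.
UBO_THRESHOLD = 0.25


@dataclass
class Party:
    name: str
    kind: str                                   # "individual" | "company" | "listed_company" | "trust"
    owners: list[tuple[Party, float]] = field(default_factory=list)  # (holder, fraction of this party)
    controllers: list[Party] = field(default_factory=list)           # trustees / appointors for trusts
    beneficiaries: list[str] = field(default_factory=list)           # names or a class description
    senior_manager: str | None = None                                # fallback when ownership is opaque


@dataclass
class BeneficialOwnership:
    owners: dict[str, float] = field(default_factory=dict)   # individuals at/above threshold -> effective share
    controllers: set[str] = field(default_factory=set)       # individuals who control a trust in the chain
    fallback_officials: set[str] = field(default_factory=set)
    beneficiaries: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)           # the written record of what was checked


def resolve_beneficial_owners(customer: Party, threshold: float = UBO_THRESHOLD) -> BeneficialOwnership:
    result = BeneficialOwnership()
    effective: dict[str, float] = {}

    def walk(party: Party, share: float, path: list[str]) -> None:
        chain = " -> ".join(path + [party.name])
        if party.kind == "individual":
            effective[party.name] = effective.get(party.name, 0.0) + share
            result.notes.append(f"{chain}: individual, effective share {share:.0%}")
            return
        if party.kind == "listed_company":
            result.notes.append(f"{chain}: listed company, ownership already public, not traced further")
            return
        if party.kind == "trust":
            result.controllers.update(c.name for c in party.controllers)
            result.beneficiaries.extend(party.beneficiaries)
            result.notes.append(f"{chain}: trust, {len(party.controllers)} controller(s) recorded")
            # A unit trust may also have unitholders; fall through and trace them if present.
        if not party.owners:
            if party.kind != "trust":
                if party.senior_manager:
                    result.fallback_officials.add(party.senior_manager)
                result.notes.append(f"{chain}: ownership not established after reasonable steps; "
                                    f"senior managing official recorded: {party.senior_manager}")
            return
        for holder, fraction in party.owners:
            walk(holder, share * fraction, path + [party.name])

    walk(customer, 1.0, [])
    for name, share in effective.items():
        if share >= threshold:
            result.owners[name] = share
        else:
            result.notes.append(f"{name}: {share:.0%} is below the {threshold:.0%} threshold, not a beneficial owner")
    return result


def sample_customer() -> Party:
    """Constructed ownership structure (not a real client): a company held through a trust,
    a holding company, a listed company and a small direct individual stake."""
    alice = Party("Alice Nguyen", "individual")
    bob = Party("Bob Rowe", "individual")
    dave = Party("Dave Ito", "individual")
    family_trust = Party("Nguyen Family Trust", "trust", controllers=[alice],
                         beneficiaries=["children of the settlor"])
    hold_co = Party("Rowe Holdings Pty Ltd", "company", owners=[(bob, 1.0)])
    listed = Party("BigCorp Ltd (ASX listed)", "listed_company")
    return Party("Acme Bookkeeping Pty Ltd", "company",
                 owners=[(family_trust, 0.50), (hold_co, 0.30), (listed, 0.10), (dave, 0.10)])


def opaque_customer() -> Party:
    """Constructed: a company whose owners cannot be established after reasonable steps."""
    return Party("Offshore Nominee Ltd", "company", senior_manager="Carol Smith (CEO)")


if __name__ == "__main__":
    for customer in (sample_customer(), opaque_customer()):
        r = resolve_beneficial_owners(customer)
        print(customer.name, "owners:", r.owners, "controllers:", r.controllers,
              "fallback:", r.fallback_officials)
        print("\n".join("  " + n for n in r.notes))
```

The `notes` list is the point of the exercise: if ownership cannot be traced, the Rules expect a record of what you tried, and the same record shows that a listed company was deliberately not traced further rather than overlooked.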

Knowing the nature and purpose of the business relationship or occasional transaction

This part is about understanding who your customer is, what they do and why they are engaging you - without going overboard on checks when the risk is low.

Low and medium risk customers

For most clients, you only need the basics:

  • Confirm the customer’s identity (for individuals, verify their ID).
  • Collect enough information to understand the purpose of the relationship or transaction based on their risk.
  • Assign the customer a risk rating using the KYC information you hold.
  • Make sure the customer doesn’t fall into a category that requires enhanced due diligence (EDD) - see below.

Example: A local café owner engages your firm for annual tax return preparation. You verify the owner’s ID, confirm the purpose of the engagement (routine compliance work), and note their risk as low. No enhanced due diligence is required.

When enhanced due diligence (EDD) is required

You must dig deeper if there are higher risks. EDD applies if:

  • The customer is rated high risk.
  • You’ve lodged a suspicious matter report (SMR) but wish to continue to act.
  • The customer (or their owner/representative) is a foreign PEP.
  • The customer is linked to a high-risk country flagged by FATF.
  • The service is provided through a nested arrangement (your service flows through another provider).
  • The AML/CTF Rules specifically require it for that type of customer.
  • The service or transaction looks unusual - for example:
    • No clear legal or business purpose.
    • Very complex or unusually large.
    • A strange or inconsistent transaction pattern.

For example: A new client in their early 20s engages your firm to set up several companies and a discretionary trust, all funded with $5 million transferred from an overseas account. The client gives vague answers about the source of funds, saying only that it is “family money.” Because the structure is unusually complex for their profile and involves offshore funds, you must apply enhanced due diligence, verifying beneficial owners, source of wealth and source of funds before proceeding.

Extra checks under EDD

In these cases, you must check:

  • Where the customer’s overall wealth comes from (source of wealth, SoW), i.e. how the customer built their wealth (e.g. business ownership, investments, inheritance); and
  • Where the specific funds for the particular transaction or business relationship come from (source of funds, SoF), e.g. salary, a property sale or company profits.

You also need to keep this information up to date whenever you review or refresh the customer’s KYC for ongoing CDD.

When normal ID isn’t possible

Sometimes people can’t provide standard ID, like older adults without a driver’s licence or passport. You can still work with them if you:

  • Take reasonable steps to confirm who they are
  • Record what you did
  • Manage the extra risk

Previous compliance in a foreign country

If your firm is part of an international group, you don’t always need to redo CDD in Australia.

You can rely on CDD already completed by your overseas office if:

  • That office was regulated under proper AML/CTF laws aligned with FATF standards.
  • The CDD was done correctly (or not required due to low risk).
  • You have immediate access to the KYC records and verification data.

Example: Your firm’s New Zealand office recently completed full CDD on a client when setting up an investment company under NZ AML rules. The same client now engages your Australian office for ongoing tax compliance. Because the NZ checks meet FATF standards and your team can access the records, you can rely on that previous CDD instead of repeating the process locally.

What if they're a PEP

PEPs are people with prominent public roles (politicians, judges, senior officials, heads of international organisations).

Because they may have access to public funds or be able to influence decisions, they carry a higher ML/TF risk.

Initial CDD – when you first identify a PEP

If your customer (or their beneficial owner, or someone acting for them) is a PEP, you must go further than standard checks.

  • Foreign PEPs – always high risk. You must establish their source of wealth and source of funds.
  • Domestic or international organisation PEPs – you must establish source of wealth and funds if their ML/TF risk is assessed as high.
  • Special case – if you serve a PEP through an overseas branch in their home country, you can treat them as a domestic PEP instead of foreign, but enhanced checks still apply if the risk is high.

    Example: A senior government minister from a Pacific Island nation engages your practice for international tax advice. As a foreign PEP, you must go beyond standard CDD — collecting and verifying evidence of their overall wealth (e.g. career earnings, business interests) and the specific funds being used for the services you’re providing.

Ongoing CDD – keeping PEP checks up to date

PEP status isn’t a one-off check; you must monitor them throughout the relationship.

  • Foreign PEPs – always require ongoing reviews.
  • Domestic PEPs – review only if the customer’s ML/TF risk is high.
  • International organisation PEPs – review only if the customer’s ML/TF risk is high.
  • Special case – if you’re dealing with a foreign PEP in their home country through your local branch, treat them as a domestic PEP.

    Example: Your firm prepares annual tax returns for a sitting state MP (a domestic PEP). For several years, their affairs have been straightforward — salary, superannuation, and a rental property. Recently, they begin receiving significant consultancy income from overseas entities. Because this changes their risk profile, you must update their KYC records and apply enhanced monitoring to understand the source of those funds.

Providing services before completion of initial CDD (delayed verification)

Timing: can you start before checks are finished?

Normally, you must complete customer due diligence (CDD) before providing any service. However, the Rules recognise there are some low-risk situations where business would grind to a halt if you couldn’t start work straight away. In these cases, you can begin acting for the client and finish CDD later — but only if strict conditions are met.

When delayed CDD is allowed

  • The service is provided from your Australian office.
  • Delaying verification is essential to avoid interrupting business.
  • The ML/TF risk is assessed as low.
  • The matter is not one of the “special cases” (such as account openings or market trades).
  • Property transactions have their own rules (see below).

What you must still do upfront

Even when using delayed CDD, you can’t just skip checks. Before starting, you must:

  • Collect enough ID information to be confident the person is who they say they are.
  • Record key KYC details such as beneficial owners, PEP/sanctions screening, and the purpose of the service.
  • Complete a risk assessment using the information you already have

What you cannot do until CDD is finished

  • Move or transfer money, property, or virtual assets.
  • Release funds or assets, other than simply holding them in an account or on deposit.

Deadlines

  • For most services: you must complete full CDD within 20 business days of starting work.
  • For real estate transactions: seller’s agents, buyer’s agents, or professional advisers (lawyers/conveyancers) can delay CDD, but they must complete verification much faster — within 15 days of contract exchange, or by settlement, whichever comes first.

Example 1 – Standard designated service (20 business days)

A client urgently deposits $15,000 into your firm’s trust account to cover upcoming tax obligations for their business. You collect basic ID and risk information immediately but can’t complete verification before accepting the funds. Because the risk is assessed as low, you can hold the money in trust, but you must finish full CDD within 20 business days and cannot release or transfer the funds until checks are complete.

Example 2 – Real estate designated service (15 days or by settlement)

You’re acting for a buyer in a commercial property purchase. The contract is signed late in the day, and settlement is set for the following week. You collect the buyer’s ID upfront and run initial risk checks but haven’t yet completed beneficial ownership verification. Under the real estate rules, you can proceed with the contract exchange, but you must finalise CDD within 15 days or before settlement — whichever comes first.
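The two deadlines and the "hold but don’t release" restriction above are simple enough to encode, which is useful if your practice management system tracks outstanding CDD. The following is an added example, not code from First AML or from the Rules. It assumes business days exclude Saturday, Sunday and any public holidays the caller supplies, and it counts the 15-day real estate period in calendar days; the page does not say which, so treat that as an assumption and set it from your own AML/CTF Program.

```python
from __future__ import annotations
from datetime import date, timedelta

STANDARD_BUSINESS_DAYS = 20     # most designated services (delayed verification)
REAL_ESTATE_CALENDAR_DAYS = 15  # from contract exchange, capped at settlement (assumption: calendar days)


def add_business_days(start: date, days: int, holidays: frozenset[date] = frozenset()) -> date:
    """Count forward `days` business days from `start`; the start day itself is not counted."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # Mon-Fri and not a supplied holiday
            counted += 1
    return current


def standard_cdd_deadline(service_start: date, holidays: frozenset[date] = frozenset()) -> date:
    """Deadline to complete full CDD for a standard designated service started under delayed verification."""
    return add_business_days(service_start, STANDARD_BUSINESS_DAYS, holidays)


def real_estate_cdd_deadline(contract_exchange: date, settlement: date) -> date:
    """15 days from exchange or settlement, whichever comes first."""
    return min(contract_exchange + timedelta(days=REAL_ESTATE_CALENDAR_DAYS), settlement)


def funds_action(cdd_complete: bool, today: date, deadline: date) -> str:
    """What the practice may do with client money received before CDD is finished."""
    if cdd_complete:
        return "release_ok"   # full CDD done: funds may be released or transferred
    if today <= deadline:
        return "hold_only"    # may hold in trust or on deposit; no release, transfer or settlement
    return "overdue"          # deadline passed without CDD: stop and escalate per your AML/CTF Program


if __name__ == "__main__":
    # Constructed dates mirroring Example 1 above: $15,000 received into trust on 1 July 2026.
    received = date(2026, 7, 1)
    deadline = standard_cdd_deadline(received)
    print("Standard service: complete CDD by", deadline)
    print("Day 4, CDD incomplete:", funds_action(False, received + timedelta(days=4), deadline))
    # Constructed dates mirroring Example 2: exchange 1 July, settlement the following week.
    print("Real estate: complete CDD by", real_estate_cdd_deadline(date(2026, 7, 1), date(2026, 7, 8)))
```

Passing a `holidays` set matters in practice: a public holiday inside the 20-day window pushes the deadline out by a day, and a system that ignores it will chase staff for checks that are not yet due, or worse, assume compliance a day early when the rule is counted the other way.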

How reliance works

You can rely on another regulated party to collect and verify a client’s KYC instead of doing it yourself, but only if strict conditions are met. This is common inside reporting groups (e.g. a national firm centralising KYC) or between separate reporting entities working on the same matter (e.g. a commercial real estate agency with which you share many clients).

Who you can rely on

  • Another Australian reporting entity (including a member of your own reporting group), or
  • A foreign equivalent regulated under FATF-aligned CDD and record-keeping laws.

What’s required

  • Access to full KYC + verification evidence before service, or within the delay period.
  • Clear responsibilities — agreement must spell out who does what.
  • Risk appropriate — reliance must make sense for your client, service, and countries involved.
  • Regular reviews — at least every 2 years or when risks change.

Timeframes

  • Standard accounting services (e.g. company formation, providing a registered office, managing client money): up to 20 business days if using delayed CDD.
  • Real estate transactions: stricter — 15 days from exchange or by settlement, whichever is sooner.

Case-by-case reliance (no agreement)

Allowed if low risk, but you must document your reasoning and still ensure you can access full KYC and verification data quickly.

Important: Reliance doesn’t let you skip CDD altogether. You still need to know who your customer is, what the transaction is for, and why it makes sense.

Example 1 – Standard service (20 business days)

Your accounting practice is engaged to establish a discretionary trust with a corporate trustee for a new client. Instead of duplicating effort, you rely on your firm’s Sydney office (part of the same national network) which has already completed KYC and verified the directors under FATF-aligned rules. You enter into a reliance arrangement, obtain copies of the ID and verification data, and document responsibilities for record-keeping. You must complete any outstanding checks within 20 business days.

Example 2 – Real estate service (15 days or settlement)

Your practice is advising a client on GST and capital gains tax for the purchase of a commercial property. The client is also working with a commercial real estate agency you have an established reliance agreement with. Instead of duplicating checks, your firm relies on the agency’s KYC, obtains the verification records, and documents the arrangement. Because it’s a real estate transaction, all verification must be finalised within 15 days of contract exchange or before settlement, whichever comes first.

Ongoing customer due diligence

Ongoing CDD means continuing to monitor a customer’s activity for the life of the business relationship, with closer attention to customers who transact with your firm repeatedly.

Your obligation is to watch for unusual activity that could trigger a Suspicious Matter Report (SMR).

What to look for

Patterns that don’t fit: A customer who buys or sells multiple properties in a short period without a clear investment or personal reason.

Unusual behaviour: Sudden changes in how transactions are structured (e.g. moving from personal ownership to layered trusts or companies).

Inconsistent funding: Properties purchased with different sources of money each time, including unexplained offshore transfers.

Attempts to obscure ownership: Using nominees or complex arrangements across deals. 



About First AML

First AML approaches AML from the perspective of both a technology provider and a team of compliance professionals. Before releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

Keen to find out more? Book a demo today!
