AML/CTF Rules 2025: Customer Due Diligence for law firms


Understanding AML/CTF Rules 2025 Part 6: Customer Due Diligence (CDD), and what it means for law firms

From 1 July 2026, Australian law firms that provide "designated services" must follow new anti-money laundering (AML) laws. A big part of these laws is something called customer due diligence (CDD).

That’s just a formal way of saying: check who your customer really is, record the key details and understand why they are dealing with you.

Let's start by walking through three different scenarios in practice before deep diving into each section.

What does CDD look like for low, medium, and high-risk workflows?

Not all designated services carry the same level of money laundering risk. A conveyancing client with a local bank loan presents very different risks from a corporate client structuring offshore trusts.

The AML/CTF Rules expect you to tailor your checks to the level of risk.

Here are three practical examples (low, medium and high risk) that show how the workflow changes depending on the customer. Each step is explained in more detail in the sections that follow.

Example scenario 1: Low-risk workflow
A local couple instructs your firm to complete a straightforward conveyance on their first home.

Steps:

Example scenario 2: Medium-risk workflow
An Australian business owner instructs your firm to set up a new company that will acquire a small operating business (share sale).

Steps:

  • Verify the Director's ID and collect company KYC information. (ACN once issued, registered office, directors, controllers/beneficial owners).
  • Note the purpose — company establishment and acquisition of an existing business (designated services: organising a legal person; preparing/carrying out a business acquisition).
  • Risk indicators: client already uses multiple entities; part of the purchase price will be gifted by an overseas relative; funds will pass through your trust account pending completion.
  • You apply ongoing monitoring requirements:
    • Flag them for repeat transaction review (expect further acquisitions)
    • Collect additional information on the incoming overseas transfer (counterparty details, payment route, reason for gift), but do not perform full SoW/SoF unless risk increases.
  • Risk-rate them as medium — legitimate commercial objective, but elevated risk due to layered entities, third-party offshore funding and use of trust account.

Example scenario 3: High-risk workflow
An overseas client with no prior Australian footprint asks your firm to establish a discretionary trust and a holding company to acquire 40% of the shares in a private Australian tech start-up.

Steps:

  • Identify and verify the individuals instructing you to set up the entities. (e.g. driver’s licences checked against an independent source).
  • Confirm intended roles — who will act as trustee(s), directors, appointor, and who the beneficiaries will be.
  • Trace proposed ownership/funding: the client explains that funding will flow from a company in Singapore, ultimately controlled by two individuals in Hong Kong.
  • Verify the individuals/entities identified as the ultimate beneficial owners.
  • Understand the purpose and rationale of the client’s request for the service.
  • Apply enhanced due diligence (EDD):
    • Obtain evidence of Source of Wealth (e.g., business ownership records, sale of assets, investment portfolio) to understand how the individuals generated their wealth.
    • Confirm Source of Funds for the planned acquisition (e.g., offshore bank statements showing available capital, supporting documents for the remittance).
    • Screen all proposed parties (beneficial owners, directors, trustees) against PEP and sanctions lists.
  • Governance: escalate for senior manager approval before proceeding, given the complex cross-border structure and offshore funding.
  • Risk-rate: High — no Australian nexus, offshore ownership and control, non-resident funding, and use of layered entities to acquire assets.

Why do we need to check customers?

Legal services can be exploited to disguise “dirty money” from crime. Criminals may use trusts, companies, or property transactions to make illicit funds look legitimate.

The AML/CTF rules build on what you already do — verifying client authority, running conflict checks, and holding funds in trust. Now you must record identities, assess risk, and complete checks within set timeframes.

What you need to collect and check at the start of the relationship (initial CDD)

You must collect different information depending on who the customer is. Let’s break it down.

If your customer is an individual

Ask for:

  • Full legal name and any other names used
  • Date of birth
  • Residential address

Check identity documents (e.g. driver’s licence, passport, government ID) against independent, reliable sources such as the government ID Match service.

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person is not a PEP and is not on a sanctions list.

If your customer is a person (sole trader)

Ask for:

  • Full legal name and any other names used
  • Any business name they use
  • Business number (ABN or ACN). If they don’t have one, another official ID number will do
  • Business address
  • What their business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person / business is not a PEP and is not on a sanctions list.

If your customer is a company or partnership

Ask for everything you’d ask a sole trader, plus:

  • Company number (like ACN)
  • Registered office address
  • Proof the business exists (for example, a company register extract)
  • How it is run and who has authority (constitution, partnership agreement, or similar)
  • Full names of directors or people in charge
  • Details of who owns or controls the business

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the business and all Directors / controllers are not PEPs and are not on a sanctions list.

If your customer is a trust or equivalent

Ask for everything you’d ask a company or partnership, plus:

  • The name and type of trust (family trust, unit trust, etc.)
  • Proof the trust exists (like a trust deed)
  • How it is run and who can make decisions
  • Names of trustees and people in charge
  • Names of beneficiaries (or a description if it’s a large group, like “children of the settlor”)
  • Details of who set it up or controls it

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the trust and all trustees / controllers and beneficiaries are not PEPs and are not on a sanctions list.

If your customer is a government body

Ask for:

  • Full name and any other names used
  • The country or part of the country where it was set up. For example, the Independent Broad‑based Anti‑corruption Commission (IBAC) is established in Victoria, Australia, not just "Australia".
  • A unique number if they have one
  • Main address
  • Proof it exists
  • Names of the person / people in charge
  • What the business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the government body and all people in charge are not PEPs and are not on a sanctions list.

Establishing the identity of persons associated with the customer: don’t stop at the first level

Sometimes the customer you see is not the one you’re really dealing with. For example:

  • A company may be acting for another business
  • Someone might be signing on behalf of the real customer

Example: A client instructs your firm to establish a family trust for estate planning. The trustee company director signs your engagement letter. During CDD you discover the trustee company is itself wholly owned by another company registered in the Cayman Islands, which is ultimately controlled by two siblings based in Singapore. You must identify and verify those offshore individuals as the ultimate beneficial owners, not just the local director who first approached you.

In short, treat any associated person like a mini-customer for KYC purposes, collecting the relevant information depending on their type.

Beneficial owners: who really owns or controls the customer?

Finding the beneficial owner simply means working out who ultimately owns or controls the business, trust or governing body.

  • If the customer is a listed company (like on the ASX), you don’t need to dig deeper – because their ownership is already public.
  • If you can’t find out who owns a business after reasonable steps, you must:
    • Record what you tried
    • Collect and verify the CEO’s details instead

Knowing the nature and purpose of the business relationship or occasional transaction

This part is about understanding who your customer is, what they do and why they are engaging you - without going overboard on checks when the risk is low.

Low and medium risk customers

For most clients, you only need the basics:

  • Confirm the customer’s identity (for individuals, verify their ID).
  • Collect enough information to understand the purpose of the relationship or transaction based on their risk.
  • Specify the customer’s risk using the KYC information you have.
  • Make sure the customer doesn’t fall into a category that requires enhanced due diligence (EDD) - see below.

Example: A local couple engages your firm to draft wills and enduring powers of attorney. Both are salaried employees with straightforward financial circumstances. You verify their IDs, note the purpose of the engagement (estate planning for personal use), and record their risk as low.

When enhanced due diligence (EDD) is required

You must dig deeper if there are higher risks. EDD applies if:

  • The customer is rated high risk.
  • You’ve lodged a suspicious matter report (SMR) but wish to continue to act.
  • The customer (or their owner/representative) is a foreign PEP.
  • The customer is linked to a high-risk country flagged by FATF.
  • The service is provided through a nested arrangement (your service flows through another provider).
  • The AML/CTF Rules specifically require it for that type of customer.
  • The service or transaction looks unusual - for example:
    • No clear legal or business purpose.
    • Very complex or unusually large.
    • A strange or inconsistent transaction pattern.

For example: A client asks your firm to set up a complex trust and company structure to handle funds from several overseas relatives. While estate planning is a normal service, the use of multiple offshore entities and unclear funding sources makes the matter unusually complex for their profile. Because of the structure and cross-border funding, you must apply enhanced due diligence (EDD).

Extra checks under EDD

In these cases, you must check:

  • Where the customer’s wealth (Source of Wealth / SoW) comes from, i.e. how the customer built their overall wealth (e.g. business ownership, investments, inheritance); and
  • Where the specific funds (Source of Funds / SoF) for the particular transaction or business relationship come from (e.g. salary, property sale, company profits).

You also need to keep this information up to date whenever you review or refresh the customer’s KYC for ongoing CDD.

When normal ID isn’t possible

Sometimes people can’t provide standard ID, like older adults without a driver’s licence or passport. You can still work with them if you:

  • Take reasonable steps to confirm who they are
  • Record what you did
  • Manage the extra risk

Previous compliance in a foreign country

If your firm is part of an international group, you don’t always need to redo CDD in Australia.

You can rely on CDD already completed by your overseas office if:

  • That office was regulated under proper AML/CTF laws aligned with FATF standards.
  • The CDD was done correctly (or was not required due to low risk).
  • You have immediate access to the KYC records and verification data.

Example: Your London office recently completed full CDD on a corporate client when setting up a holding company under UK AML laws. Six months later, the same client instructs your Sydney office to restructure its Australian subsidiaries. Because the London checks were carried out under FATF-aligned regulations and your Sydney team has full access to the KYC records and verification data, you can rely on the previous CDD instead of repeating it.

What if they're a PEP

PEPs are people with prominent public roles (politicians, judges, senior officials, heads of international organisations).

Because they may have access to public funds or influence, they carry higher ML/TF risk in property deals.

Initial CDD – when you first identify a PEP

If your customer (or their beneficial owner, or someone acting for them) is a PEP, you must go further than standard checks.

  • Foreign PEPs – always high risk. You must establish their source of wealth and source of funds.
  • Domestic or international organisation PEPs – you must establish source of wealth and funds if their ML/TF risk is assessed as high.
  • Special case – if you serve a PEP through an overseas branch in their home country, you can treat them as a domestic PEP instead of foreign, but enhanced checks still apply if the risk is high.

Example: A current state premier engages your firm to establish a family trust. As a domestic PEP, you must identify and verify them as part of CDD. If your risk assessment rates the matter as high risk — for example, because of the size of the funds being contributed or links to high-risk jurisdictions — you must also establish their source of wealth (e.g. declared assets, investments) and the source of funds being contributed to the trust.

Ongoing CDD – keeping PEP checks up to date

PEP status isn’t a one-off check; you must monitor them throughout the relationship.

  • Foreign PEPs – always require ongoing reviews.
  • Domestic PEPs – review only if the customer’s ML/TF risk is high.
  • International organisation PEPs – review only if the customer’s ML/TF risk is high.
  • Special case – if you’re dealing with a foreign PEP in their home country through your local branch, treat them as a domestic PEP.

Example: Your firm has acted for a local councillor (a domestic PEP) on routine personal matters such as wills and conveyancing. Initially, their ML/TF risk was assessed as low. A few years later, they instruct you to set up a complex trust structure involving significant funds from associates overseas. Because the new matter raises their ML/TF risk, you must update their KYC records and apply enhanced ongoing monitoring.

Providing services before completion of initial CDD (delayed verification)

Timing: can you start before checks are finished?

Normally, you must complete customer due diligence (CDD) before providing any service. However, the Rules recognise there are some low-risk situations where business would grind to a halt if you couldn’t start work straight away. In these cases, you can begin acting for the client and finish CDD later — but only if strict conditions are met.

When delayed CDD is allowed

  • The service is provided from your Australian office.
  • Delaying verification is essential to avoid interrupting business.
  • The ML/TF risk is assessed as low.
  • The matter is not one of the “special cases” (such as account openings or market trades).
  • Property transactions have their own rules (see below).

What you must still do upfront

Even when using delayed CDD, you can’t just skip checks. Before starting, you must:

  • Collect enough ID information to be confident the person is who they say they are.
  • Record key KYC details such as beneficial owners, PEP/sanctions screening, and the purpose of the service.
  • Complete a risk assessment using the information you already have.

What you cannot do until CDD is finished

  • Move or transfer money, property, or virtual assets.
  • Release funds or assets, other than simply holding them in an account or on deposit.

Deadlines

  • For most services: you must complete full CDD within 20 days of starting work.
  • For real estate transactions: seller’s agents, buyer’s agents, or professional advisers (lawyers/conveyancers) can delay CDD, but they must complete verification much faster — within 15 days of contract exchange, or by settlement, whichever comes first.

Example 1 – Standard designated service (20 business days)

A new client asks your firm to set up a family trust and urgently transfer funds into your trust account so they can complete an investment. You collect and record their ID and risk-rate them upfront, but you haven’t yet verified all trustees and beneficiaries. Because this is a designated service and time-sensitive, you may begin, but you cannot release or move funds until CDD is complete. You must finalise the outstanding checks within 20 business days.

Example 2 – Real estate designated service (15 days or by settlement)

Your firm is acting in a property purchase for a buyer. You collect the buyer’s ID and risk-rate them upfront, but you don’t yet have full verification of beneficial ownership. Because this is a real estate matter, you can rely on the delayed CDD rule — but you must complete the missing checks within 15 days of contract exchange or by settlement (whichever comes first).

How reliance works

You can rely on another regulated party to collect and verify a client’s KYC instead of doing it yourself — but only if strict conditions are met. This is common inside reporting groups (e.g. a national firm centralising KYC) or between separate reporting entities working on the same matter (e.g. a commercial real estate agency with which you share many clients).

Who you can rely on

  • Another Australian reporting entity (including a member of your own reporting group), or
  • A foreign equivalent regulated under FATF-aligned CDD and record-keeping laws.

What’s required

  • Access to full KYC + verification evidence before service, or within the delay period.
  • Clear responsibilities — agreement must spell out who does what.
  • Risk appropriate — reliance must make sense for your client, service, and countries involved.
  • Regular reviews — at least every 2 years or when risks change.

Timeframes

  • Standard legal services (e.g. company/trust set-up, managing client money): up to 20 business days if using delayed CDD.
  • Real estate matters (e.g. conveyancing): stricter — 15 days from exchange or by settlement, whichever is sooner.

Case-by-case reliance (no agreement)

Allowed if low risk, but you must document your reasoning and still ensure you can access full KYC and verification data quickly.

Important: Reliance doesn’t let you skip CDD altogether. You still need to know who your customer is, what the transaction is for, and why it makes sense.

Example 1 – Standard service (20 business days)

A client engages your firm to establish a new company. The client’s accountant (also a reporting entity) has already collected and verified the director’s and shareholder’s KYC. You can rely on the accountant’s verification — provided you have a formal agreement and access to the records — but you must still document your own risk assessment. For standard services, you have up to 20 business days to obtain the full verification evidence.

Example 2 – Real estate service (15 days or settlement)

Your law firm has an ongoing relationship with a commercial property agency, and you often act for the same clients in large transactions. Under a written reliance arrangement, the agency collects and verifies KYC on buyers and sellers at exchange. Your firm relies on their verification, provided you always receive the records within 15 days of contract exchange or before settlement, whichever comes first.

Ongoing customer due diligence

Ongoing CDD includes active monitoring of those customers who engage in repeat transactions with your firm.

Your obligation is to watch for unusual activity that could trigger a Suspicious Matter Report (SMR).

What to look for

Patterns that don’t fit: A customer who buys or sells multiple properties in a short period without a clear investment or personal reason.

Unusual behaviour: Sudden changes in how transactions are structured (e.g. moving from personal ownership to layered trusts or companies).

Inconsistent funding: Properties purchased with different sources of money each time, including unexplained offshore transfers.

Attempts to obscure ownership: Using nominees or complex arrangements across deals.
