The layman's guide to AML/CTF Rules 2025: Part 6 - Customer due diligence

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Understanding AML/CTF programs under Australia’s AML/CTF Rules 2025

Part 6 of the AML/CTF Rules sets out what firms must do for customer due diligence (CDD). It’s about knowing your customer at the start and throughout the relationship.

Key points

• Identify & verify: Confirm who your customer is before doing business.
• Beneficial ownership: Find out who really owns or controls the entity.
• Purpose & nature: Understand why the relationship exists and what activity to expect.
• Ongoing checks: Monitor transactions, refresh details if risk or behaviour changes.
• Enhanced checks (EDD): Stricter steps for high-risk cases (PEPs, complex structures, foreign links).
• Simplified checks: Allowed only for low-risk customers with clear justification.
• Timing & reliance: Verification is usually upfront, but some limited delays and reliance on others’ CDD are permitted.
• Record-keeping: Keep evidence of every step — AUSTRAC can ask for it.

In short: Part 6 turns “know your customer” into a structured, risk-based process, with higher expectations when risk is higher.

Useful terms

• ML/TF: Money laundering and terrorism financing risks.
• KYC information: Information you collect and (where required) verify to identify a customer.
• Source of wealth (SoW) and source of funds (SoF): Information about where a customer’s wealth and the specific funds for a transaction come from.
• Politically exposed person (PEP): A person with a prominent public function. The Rules refer to foreign PEPs, domestic PEPs and international organisation PEPs.
• Designated services: The specific regulated services listed in the Act.
• Governing body: The internal group or individual responsible for overseeing your AML/CTF program.
• Independent evaluation report: A written report produced after an independent evaluation of your AML/CTF program e.g. an audit conducted by an AML consultancy.

Useful links

• The Act
• The AML/CTF Rules 2025
• Explanatory Statement

Designated services 

• Tranche 1 - table 1
• Tranche 2- Schedules 3 and 6

Division 1 - Initial customer due diligence

6-1: Customer is sole trader

A sole trader is an individual who owns and operates a business. An example of a sole trader is a self-employed plumber, electrician, or freelance web developer. 

Collect at least:

• Full name
• Any business/trading names and any other names they’re known by
• A business identifier (e.g. ABN). If none, another unique ID (if issued)
• Principal business address
• What the business does (to capture the nature and purpose of the relationship/transaction). E.g. if you are an accountant working with a plumber:
  
  • Nature = residential plumbing services
  • Purpose = managing their bank account and cash takings

6-2 Customer is body corporate, partnership or unincorporated association

These are businesses or organisations that act as a legal or contractual entity, rather than an individual or sole trader. Examples include:

• Body corporate: An Australian company registered with ASIC.
• Partnership: Two or more people running a business together, e.g., a law or accounting firm.
• Unincorporated association: A group formed for a common purpose without company registration, e.g., a local sporting club.

Collect at least:

• Full name
• Any business name they use and other names they’re known by
• Any unique identifier (e.g. ABN/ACN)
• Principal business/operations address and registered office address (if applicable)
• Evidence that the entity exists (e.g., ASIC registration certificate)
• How the entity is governed and who can legally bind it (e.g., constitution, partnership agreement, or reference to the Corporations Act 2001 rules)
• Full name, and if applicable, director ID, of each person responsible for the customer’s governance and key decisions.
• KYC information of the individual(s) with beneficial ownership and/or control of the customer,
  • e.g. directors, shareholders of a company, or the partners of a partnership.
• What the business/operations are (nature/purpose)

6-3 Customer is trust or foreign equivalent

A trust is an arrangement where one or more trustees hold assets for the benefit of one or more beneficiaries. Examples include family trusts, discretionary trusts, and unit trusts. A foreign equivalent may include foundations or other fiduciary arrangements.

Collect at least:

• Full name 
• The type of trust (discretionary/bare/unit, etc.)
• Any business name they use and other names they’re known by
• Any unique identifier (if any)
• Principal business/operations address
• Evidence that the trust exists, how it is governed, and its ownership and control structure (e.g. trust deed)
• Full name of the person(s) with primary governance/executive responsibility
• Beneficiaries’ identities, or if that’s not possible due to the trust type, a description of each beneficiary class. 
  
  • e.g. a discretionary trust whose beneficiaries are the children of the main trustees.
• KYC information of the identities of the trustee, settlor, appointor and guardian/protector (if any) and any other beneficial owners
• What the business/operations are (nature/purpose)

6-4 Customer is government body

A government body is an organisation established by law to carry out official functions, such as a department, agency, local council, or statutory authority.

Collect at least:

• Full name and any other commonly known names
• The country or part of a country under which it was established 
  
  • E.g. The Independent Broad‑based Anti‑corruption Commission (IBAC) is established in Victoria, Australia, not just Australia
• Any unique identifier (if any)
• Principal business/operations address
• Evidence that the body exists (e.g., legislation, charter, official website)
• Full name of the individual(s) with primary governance/executive responsibility
• What the business/operations are (nature/purpose) 

6-5 Establishing the identity of persons associated with the customer

You must also identify certain people connected to your customer if they’re not individuals, such as:

• Someone on whose behalf the customer is using a service (e.g. a company is the named client, but it’s really acting for another business).
• Someone acting on behalf of the customer (e.g. another company signing documents or handling funds for your client).
• Beneficial owners

Collect at least:

• The same type of KYC information you would normally collect if that associated person were your direct customer - using the rules for companies (6-2), trusts (6-3), or government bodies (6-4).

In short, treat any associated person like a mini-customer for KYC purposes, collecting the relevant information depending on their type. 

6-6 Person on whose behalf the customer is receiving the designated service

This section explains when and how you need to identify the person on whose behalf a customer is receiving a service.

Specifically, when you’re providing a designated service, you often need to know if your customer is acting for someone else(paragraph 28(2)(b) of the Act).

• Not required for customers’ customers: You don’t need to identify every customer’s customer—only the person on whose behalf the customer is acting.
• Customers who are not trusts or foreign equivalents:
  
  • If the customer is an individual, company, partnership, or other entity (but not a trust or foreign equivalent) and the service isn’t a life policy or sinking fund, it’s enough to verify the customer’s identity.
• Customers who are trusts or foreign equivalents:
  
  • If the service is provided through a foreign permanent establishment, you must establish:
    
    • The identity of the beneficiaries or, if not possible,
    • A description of each class of beneficiaries (e.g., discretionary trust with beneficiaries listed as “all children of the main trustees”)
    • E.g. a trustee of a trust receives a service on behalf of the trust’s beneficiaries. You may need to record who the beneficiaries are or describe their class.

You should focus on the person or group the customer is acting for, not every end-user, and adjust your checks depending on whether the customer is a trust, foreign equivalent, or other type of entity.

6.7 Beneficial owners of the customer

Normally, you must identify the beneficial owners of your customer, the people who ultimately own or control it.

Exception for listed companies:

• If the customer is a listed public company subject to public disclosure rules (e.g., ASX, NZX, LSE), you don’t need to collect additional ownership information. These rules already make ownership transparent.
• You’re also considered to have checked whether any beneficial owner is a:
  PEP (politically exposed person), or
• Designated person on any sanctions lists

For listed companies with transparent ownership, you can rely on public disclosures rather than investigating who owns shares behind the scenes.

6-8 Beneficial owners and senior manager, for bodies corporate, partnerships and unincorporated associations

The rules have set out how you can meet your CDD obligations if you cannot identify the beneficial owner after taking all reasonable steps above.

 1. If you can’t identify them after reasonable steps. 

You are still considered compliant if you:

• Took all reasonable steps to identify the beneficial owners, but couldn’t,
• Document what steps you took and any difficulties,
• Collected information about the CEO or equivalent senior managing official, and
• Verified that information to a level appropriate to the customer’s ML/TF risk.

2. If there are genuinely no beneficial owners

Some entities (like unincorporated associations) don’t have “owners”. In this case, you treat the CEO (or equivalent) as the key person and record their identity.

6.9 The nature and purpose of the business relationship or occasional transaction

This section explains how to understand your customer and their transactions without overdoing verification for low-risk cases. You need enough information to confirm: who they are, what they do, and why they are engaging you.

You are considered compliant for low/medium risk cases:

• The customer does not require enhanced due diligence (EDD) under section 32 of the Act or Division 4 of the Rules.
• Identify the ML/TF risk of the customer using reasonably available KYC information before providing the service.
• Collect information about the nature and purpose of the business relationship or transaction that matches the customer’s risk.
• If the customer is an individual, you verify their identity.

When does EDD apply?

Under section 32 of the Act and Division 4 of the Rules, you must go further when the risk is higher. EDD applies if:

• The customer is high risk,
• You’ve filed a suspicious matter report, but still want to continue the relationship,
• The customer (or their owner/representative) is a foreign PEP,
• The customer is tied to a high-risk country flagged by FATF,
• The service is part of a nested relationship (your service flows through another provider),
• The AML/CTF Rules specify that the customer type,
• Or the service requested is unusual, e.g. no clear business/legal purpose, unusually complex or large, or a strange transaction pattern.
• You may need to confirm the source of the customer’s wealth and funds, particularly in high-risk situations or when dealing with virtual assets or large amounts of cash.

6-10 Individual cannot provide satisfactory evidence regarding a matter

If a customer can’t provide proof of ID, you can still engage with them, but you must do extra checks, document your process and manage the higher risk.

Sometimes an individual customer can’t give you the documents you’d normally use to prove their identity (e.g. passport, driver’s licence). This could be because they cannot obtain it or cannot access it due to reasons beyond their control, e.g. older adults, refugees. 

How to conduct CDD for an individual without a standard ID:

1. Identified the ML/TF risk based on whatever KYC information is reasonably available.
2. Collect as much KYC information as is appropriate for that risk.
3. Verify that information using reliable, available data. E.g. government letters, referee statements.
4. Your AML/CTF policies set out how you’ll mitigate any extra risks caused by not having the usual documents.

6-11 Previous compliance in a foreign country

You don’t always need to redo CDD when providing a service to a customer in Australia if:

• A group entity has already served the customer overseas, and
• The foreign office was regulated under proper AML/CTF laws that implement FATF-style CDD and record-keeping requirements, and
• Those rules were followed, meaning:
  
  • Either the previous CDD was not required due to low risk, or
  • The previous CDD was fully completed under the foreign laws

Access to records

You must hold or have immediate access to the KYC information and verification data collected by the foreign office.

You can rely on previous foreign CDD instead of starting from scratch, as long as it meets the standards and you can access the records. 

Division 2 — Providing services before completion of initial customer due diligence (delayed CDD)

6.12 - Delayed verification - various designated services provided in Australia

Normally, you must complete CDD before providing a service. But in some low-risk situations, you can start the transaction and verify the customer later if strict conditions are met.

When delayed CDD applies

• The service is provided from your Australian office, and
• Delaying is essential to avoid interrupting business, and the ML/TF risk is low, and
• It’s not one of the special cases (accounts - see 6-13, market trades - see 6-14, real estate - see 6-32).

What you must do before starting

• Check the person is who they say they are (for individuals) e.g. collect ID documents
• Do a risk assessment using the information you already have.
• Collect the key KYC details (ID, who they act for, beneficial owners, PEP/sanctions, nature/purpose of service).

What you cannot do until CDD is complete

• Move or transfer money, property, or virtual assets for them.
• Release assets, except to hold in an account or deposit.

Time limit

You must complete CDD within 20 business days of starting the service. Note this excludes real estate - see 6-32, accounts - see 6-13, market trades - see 6-14. 

Example

A client needs urgent trust account set up today. You can start work straight away, but you must finish CDD checks within 20 business days. You cannot transfer funds on their behalf until checks are complete.  

6.13 and 6-14 Delayed verification - Opening accounts,  taking deposits and certain financial market transactions

These provisions mainly apply to financial institutions, not Tranche 2 entities. Law firms, accountants, and real estate agencies generally will not be opening deposit accounts or trading securities/derivatives on markets, so the detail isn’t directly relevant. For completeness, here’s a summary:

6-13: Opening an account / taking a deposit

• You can start the service before full CDD (i.e. open the account), but only if you don’t transfer or release money/virtual assets until CDD is complete (holding funds is ok).

6-14: Urgent financial market trades

• If market conditions mean a trade must be executed immediately, you can do it before CDD is complete.
• Limits apply: can’t involve managed investment schemes, can’t accept physical cash/virtual assets up front and can’t let customers withdraw, resell or refund until CDD is done.
• Full CDD must be completed within 5 business days.

6.15 - Delayed initial customer due diligence - service provided in foreign country

If you’re providing a designated service through one of your overseas branches, you can delay CDD if:

• The country’s AML/CTF laws follow FATF standards, and those laws allow for delayed initial CDD
• You comply with that country’s CDD and verification rules

You must still follow section 29 of the Act — meaning CDD must be completed as soon as practicable, business interruption must be avoided, and ML/TF risks must be managed.

Division 3 -Simplified customer due diligence

6.16 - Simplified customer due diligence requirements generally

If a customer is low risk and doesn’t trigger any requirements for enhanced due diligence, you can apply simplified CDD. 

Simplified CDD isn’t a free pass; you still have to follow the Rules and internal AML/CTF policies. 

6-17 Simplified initial customer due diligence for certain matters

Sometimes you can use a lighter version of customer checks called Simplified Due Diligence (s 31 in the Act.) You can do simplified CDD if:

• The customer is an individual, and you’ve done a basic ID check to ensure the person is who they say they are, and;
• You’ve assessed the customer’s risk using information you already have.
• You’ve collected additional KYC information based on the risk you have just identified
• Nothing looks suspicious or unreliable.
• Enhanced due diligence doesn’t apply
• You follow the Rules

Example: Simplified CDD for a low-risk customer

A property holding company wholly owned by an Australian government department is looking to sell a commercial property with a reporting entity.

• This customer is considered low ML/TF risk (companies wholly owned by government bodies are generally low risk).
• The reporting entity then applies simplified due diligence.

What they do check:

• Verify the identity of the government department as the customer and collect proof of ownership, e.g. ASIC extract confirming government ownership
• Check whether the department or its senior officials are PEPs or under sanctions.

What they don’t need to verify:

• The identity of every controller authorised to act on behalf of the department.
• Whether anyone else is “behind” the department.
• Any “beneficial owners” (since it’s not an individual and ownership is already clear).

6-18 Simplified initial customer due diligence for identity of beneficial owners

You don’t always need to dig deep to identify every beneficial owner. If the customer is low risk (section 31 allows simplified CDD) and is one of the following:

• A government body, or controlled by one.
• An entity under active regulatory supervision, such as one licensed or registered with APRA or ASIC (Note: companies registered with ASIC and self-managed super funds registered with ATO do not count).
• An owners corporation/strata or community title scheme.

If these conditions apply, the entity is treated as low-risk and the reporting entity is taken to have complied with beneficial owner obligations.

6-19 Person acting on behalf of customer

If your customer is an organisation (not an individual) and someone is acting on its behalf, you can treat the identity checks as complete if:

• You’ve confirmed the person has the authority to act for the organisation (e.g. director, authorised agent, lawyer).
• You’ve assessed the risk of ML/TF from that arrangement and decided it’s low.
• You’ve collected KYC details about the representative, appropriate to the customer’s risk level.
• You have no reason to doubt the information you’ve collected is accurate.

Division 4 - Enhanced customer due diligence 

6-20 Enhanced customer due diligence required when customer seeks unusual services

You must apply enhanced customer due diligence (ECDD) if a customer asks for services that look unusual or suspicious.

That includes services that:

• Have no clear business or legal reason – e.g. a law firm is asked to set up a complex trust structure for no apparent purpose.
• Are unusually large or complex – e.g. an accounting firm is asked to move funds through multiple-layered entities for a single property purchase.
• Follow an unusual pattern – e.g. a real estate client repeatedly buying and selling property within short timeframes without a clear commercial reason.

6-21 Establishing source of wealth and source of funds when enhanced due diligence required in certain circumstances

When you have to apply enhanced customer due diligence (ECDD) under the the Act, for example, because the customer is high-risk, you’ve filed a suspicious matter report (SMR) but are still providing services, or the customer has a connection to a high-risk jurisdiction, then you must go further and check:

• Where the customer’s wealth (Source of Wealth / SoW) comes from. how the customer built their overall wealth (e.g. business ownership, investments, inheritance) and;
• Where the specific funds (Source of Funds / SoF) for the particular transaction or business relationship come from (e.g. salary, property sale, company profits).

You also need to keep this information up to date whenever you review or refresh the customer’s KYC for ongoing CDD.

6-22 Enhanced customer due diligence requirements for certain virtual asset services

This section only applies to virtual asset service providers (VASPs). But for completeness, here’s the summary.

If you’re in the crypto business and a customer uses cash to fund or withdraw, you can’t stop at an ID check - you must dig into where the cash came from (source of funds) and, longer term, their overall source of wealth too.

Division 5 - Politically exposed persons (PEPs)

6-23 Matters for initial customer due diligence - politically exposed person

If you find that your customer (or their beneficial owner, or someone acting/benefiting on their behalf) is a politically exposed person (PEP), you need to go further with CDD. PEPs are higher-risk, e.g. bribery and corruption because of their potential access to public funds and influence.

You must establish source of wealth and source of funds if:

• The person is a foreign PEP (always treated as high risk), or
• The person is a domestic PEP or an international organisation PEP, and the ML/TF risk is high.

Special case: If you are providing services through a foreign branch, and the person is a PEP in that same country, you may treat them as a domestic PEP instead of a foreign PEP. In that case, enhanced checks only apply if the ML/TF risk is high.

6-24 Ongoing customer due diligence - politically exposed person

You can’t just check PEP status once at onboarding - you need to keep monitoring.

• When you must re-check and update KYC:
• Foreign PEPs — always trigger a review.
• Domestic PEPs — trigger a review only if the customer’s ML/TF risk is high.
  International organisation PEPs — trigger a review only if the customer’s ML/TF risk is high.

Special case: If you’re dealing with a foreign PEP in their home country, but your service is provided at your local branch in that country, treat them as a domestic PEP (same as in 6-23). 

Division 6 - Nested services relationships

6-25 and 6-26 Matters for initial customer due diligence and ongoing customer due diligence - nested services relationship

The “nested services” rules are mainly aimed at financial institutions (like remitters or fintechs) that provide services to other businesses’ customers using another institution’s systems. These scenarios will be rare for Tranche 2 entities. An edge case example is if a firm handles client money in a way that effectively supports another business’s customers e.g. a law firm operating a pooled trust account for a fintech’s end-users.

For completeness, this section essentially says that if you are providing services as part of a nested relationship then:

6-25 Initial due diligence

You must dig deeper into the customer’s structure, reputation, jurisdictions, AML systems, and whether they allow risky practices like dealing with shell banks. The focus is on whether they can properly run AML checks on their own customers.

6-26 Ongoing due diligence

You must reassess their risk and refresh their KYC:

• Every 2 years (both risk assessment and KYC).
• Whenever you start providing a new type of designated service in that nested relationship.

Division 7—Transferred customers

6-27 Initial customer due diligence - transferred customer

If you take on customers because another reporting entity sold or transferred part of its business to you, you don’t have to redo their initial customer due diligence (CDD).

Your reporting entity is taken to have completed initial CDD for that customer if:

1. The customer came to you because of a business transfer (e.g. acquisition, merger, restructure, or compulsory transfer under law).
2. You’ve obtained copies of all the AML/CTF records the previous entity held on that customer (as required under sections 107 (Transaction records to be retained), 108 (Customer-provided transaction documents to be retained), 111 (Retention of records of customer due diligence), 114 (Retention of information if initial customer due diligence taken to have been carried out by a reporting entity) of the Act).

Important

• This relief only applies to the initial CDD.
• You must still carry out ongoing CDD (section 30 of the Act) - monitoring transactions, refreshing KYC when needed, and reassessing risks.

6-28 Ongoing customer due diligence - transferred pre-commencement customer

If you acquire another reporting entity’s business, you don’t need to redo all the ongoing CDD checks for their pre-commencement customers (customers they already worked with before AML/CTF laws applied to them.), i.e. customers of a law firm onboarded before July 2026.

You’re treated as having complied with ongoing CDD requirements if:

1. The customer came to you because of a business transfer (sale, restructure, or compulsory transfer).
2. The customer was a pre-commencement customer of the old entity.
3. You obtained copies of their AML/CTF records from the prior entity.
4. You monitor the relationship for any major changes that could increase the customer’s risk to medium or high.

This section stops applying if:

• A suspicious matter report (SMR) obligation arises, or
• The relationship changes in a way that raises the customer’s risk to medium/high, so you must refresh and re-verify their KYC.

Division 8 - Reliance on collection and verification of KYC information

6-29 Requirements for agreement or arrangement on collection and verification of KYC information

You can rely on someone else to collect and verify customer identification instead of doing it yourself - but only if they are properly regulated and you have a formal agreement in place. This is often seen within reporting groups or between reporting entities in different industries dealing with the same entity.

It does not apply to ‘outsourcing’ or carrying out CDD through agency arrangements under section 37 of the Act.

Who you can rely on:

• Another reporting entity in Australia (including a member of your reporting group), or
• A foreign equivalent regulated under laws that implement FATF CDD and record-keeping standards.

What the agreement must include:

1. Risk-appropriate – suitable for your business and risks, considering:
   
   1. How large/complex the other party is, what services they provide, who their customers are and how they deliver services.
   2. The countries they operate in or are based in.
2. Access to KYC information – you must be able to get all the customer’s KYC details:
   
   1. Before you provide the service, or
   2. If delayed verification rules apply (s 29 of the Act), within the permitted time frame (up to 15 business days for real estate transactions and 20 business days for other typical Tranche 2 services).
3. Verification evidence – you must be able to get copies of the documents/data used to verify KYC (e.g. ID documents, registry checks) immediately or as soon as practicable.
4. Clear responsibilities – the agreement must clearly state who does what, including record-keeping.

Note
Reliance doesn’t remove accountability - your firm is still liable even if the is CDD is inadequate.

6-30 Regular assessment of agreement or arrangement 

If a reporting entity is relying on another entity’s KYC under a CDD arrangement (section 37A of the Act), it must regularly check that the arrangement is still valid and effective.

What’s required:

1. Check against the rules – your assessment must confirm that the agreement still complies with all the requirements in section 6-29 (e.g. access to KYC data, clarity of responsibilities, risk-appropriateness).
2. How often –
   
   1. Assessments must be carried out at least every 2 years, and
   2. More frequently, if your business faces higher ML/TF risks.
3. Trigger events – you must also reassess if there’s a significant change that could affect whether the agreement is still valid (e.g. the reporting entity changes ownership, stops being regulated, or shifts operations to a high-risk country).

6-31 Requirements for reliance on collection and verification of KYC information

 Unlike 6-29, which applies when you have a written reliance agreement (e.g. with a reporting group member), this covers situations where you rely on another reporting entity’s KYC without an agreement on a case-by-case basis. 

If you want to rely on another person (e.g. a reporting group member or outsourced KYC provider) to collect and verify customer ID information without a contract, certain conditions must be met.

Who you can rely on:

• Another reporting entity in Australia, or
• A foreign equivalent (an entity regulated under laws that implement FATF Recommendations on CDD and record-keeping).

What you must ensure:

1. Risk-appropriate – relying on this party must make sense given your ML/TF risks. Consider:
   
   1. How large and complex their business is,
   2. What services they provide and to what types of customers,
   3. How they deliver those services (online, in-person, through intermediaries),
   4. The ML/TF risks in the countries where they operate.
2. Access to KYC information – you must have reasonable grounds to believe you can get:
   1. All KYC information before you start providing the service (or within the allowed delay period under s 29 of the Act), and
   2. Copies of the verification evidence (e.g. ID documents, registry checks) immediately or as soon as practicable if you ask.
3. Document your reasoning – you must keep a written record explaining why you concluded that these conditions are satisfied

Division 9 - Real estate transactions

6-32 Delayed initial customer due diligence—real estate transactions

If you are doing work related to the brokering or assisting with the sale, purchase, or transfer of real estate, you can start work before finishing ID checks in these cases:

When delayed CDD is allowed:

• Seller’s agent can delay initial CDD for the buyer/transferee.
• Buyer’s agent can delay initial CDD for the seller/transferor.
• Professional service providers (e.g., lawyers or conveyancers) acting for the buyer/transferee can delay initial CDD for their client.

This only applies if the work is done through your Australian office.

Deadline: You must complete the missing ID checks within 15 days of contract exchange, or by settlement - whichever comes first.

6-33 Initial customer due diligence - real estate transactions 

For property transactions, the law allows some flexibility in how CDD is shared between reporting entities involved in the same real estate transaction. This helps reduce duplication of initial CDD when multiple reporting entities (e.g., real estate agents and lawyers/conveyancers) are involved.

A real estate agency, law firm, or other reporting entity is treated as having met its CDD obligations within this arrangement if:

1. The service is only real estate related
   
   1. You’re brokering a sale/purchase/transfer (table 5, item 1), or
   2. You’re assisting a person with a property transaction (table 6, item 1).
2. The service is provided in Australia.
3. Basic ID steps are done up front
   
   1. If the customer is an individual, you’ve taken reasonable steps to check they are who they claim to be.
   2. You’ve risk-rated the customer using available KYC info.
   3. You’ve collected the KYC information that matches the risk.
4. You are part of a reliance arrangement
   
   1. Another participating reporting entity in the same transaction will collect and verify the customer’s KYC within 15 days of contract exchange.
   2. The arrangement lets you access that KYC information and the verification data before settlement.
   3. The arrangement clearly documents who is responsible for what, including record-keeping.

What this arrangement does not do

• It does not remove the obligation to verify the customer’s identity. Each reporting entity must still confirm who the customer is.
• It does not remove the obligation to understand the nature and purpose of the business relationship or occasional transaction. These may differ for each reporting entity.

Example (Law firm)
Law Firm A acts for the buyer. It verifies the buyer’s identity upfront and collects KYC info. Conveyancer Firm B, acting for the seller, completes verification of the seller’s KYC within 15 days under a written reliance arrangement. Law Firm A can rely on this arrangement as long as it obtains the KYC records and verification data before settlement, and the responsibilities are documented.

Example (real estate agency)

A real estate agency brokers a sale. It confirms the buyer’s identity, assesses ML/TF risk, and collects basic KYC information. Under a formal reliance arrangement with the buyer’s lawyer, the lawyer completes verification of beneficial ownership within 15 days. The agency can rely on this verification as long as it obtains the KYC records before settlement.

Division 10 - Life policies and sinking fund policies

6-34 Initial customer due diligence - life policies and sinking fund policies

This section is not relevant to Tranche 2 entities however for completeness here’s the summary:

If you’re providing a life policy or sinking fund policy (items 37 or 38 of table 1 in the Act), you meet your CDD obligation regarding “persons on whose behalf the service is provided” if you:

• Collect the full name of anyone who may be entitled to receive a payment under the policy, or
• If you can’t name them individually (e.g. the policy allows payments to “children of the policyholder”), collect a description of the class of persons who may benefit.

Division 11 - Ongoing customer due diligence

 6-35 Monitoring for unusual transactions and behaviours

To meet your ongoing CDD obligation (s 30(2)(a) of the Act), you must actively monitor your customers for unusual activity that could trigger a Suspicious Matter Report (SMR).

This includes:

• General suspicious behaviour
• Watch for any transactions or patterns that suggest the customer is not who they say they are, is hiding information, or may be linked to crime or terrorism (s 41(1)(d)–(j) of the Act).
• Serious criminal activity
• Specifically monitor for behaviours linked to serious offences, such as:
  
  • Money laundering, terrorism financing, or proliferation financing.
  • Sanctions breaches.
  • Organised crime, trafficking (people, drugs, arms, stolen goods), human exploitation.
  • Corruption, bribery, fraud, scams, identity theft.
  • Counterfeiting (money, products), piracy, forgery.
  • Tax crimes, insider trading, market manipulation.
  • Environmental crime, robbery, kidnapping, cybercrime.
  • Serious violence (murder, grievous harm).
  • Smuggling and customs offences.
  • Any other high-risk crimes flagged in your AML/CTF program. 

Division 12 - Keep open notices

6-36 - 6-41

A keep open notice forces a financial institution to leave a suspicious customer’s account running so authorities can track their activity. It’s a covert investigation tool, tightly controlled, and not something Tranche 2 firms would normally encounter. But for completeness, here’s the summary:

Who can issue one?

Senior officers, such as a Superintendent of the AFP or State/Territory Police, or senior staff in anti-corruption commissions (e.g. IBAC in Victoria, CCC in Queensland).

What must the notice contain?

• The issuing agency’s name.
• The senior officer’s details.
• The reporting entity’s name.
• Customer details (name, DOB/ABN/ACN, address, account details, wallet address, etc.).
• The start date of the notice.
• A declaration that keeping the account open will assist a serious offence investigation.

Supporting documents

Any extra material needed to help the reporting entity identify the customer(s).

Extensions

• Extension notices can be issued (Form 2).
• Further extensions require an application to the AUSTRAC CEO (Form 3).

Division 13 - Transitional

This section is mainly about grandfathering rules for customer identification checks done before 31 March 2026. This is unlikely for most Tranche 2 entities.

It essentially states that you don’t need to start from scratch if you already did proper AML checks before 31 March 2026 - whether in Australia or overseas.

6-42 Initial customer due diligence - previous carrying out of applicable customer identification procedure 

If you carried out customer ID checks before 31 March 2026 (under the old version of the Act), you can rely on those checks. You don’t have to redo them - they are treated as meeting today’s requirements.

6-43 Initial customer due diligence - service provided in a foreign country

If you provided services to a customer through an overseas office before 31 March 2026, and you complied with that country’s AML laws (which follow FATF standards), you don’t have to re-do customer ID under Australian law.