Customer Due Diligence Checklist by Industry Sector
Complete customer due diligence (CDD) checklist by sector: banking, real estate, legal, accounting.

Customer due diligence (CDD) is the process by which reporting entities verify the identity of their customers, assess risk, and monitor the ongoing relationship for suspicious activity. In Australia, CDD requirements are set out in the AML/CTF Act 2006 and the AML/CTF Rules, and supervised by AUSTRAC. Different industries face different risk profiles, and the depth of verification required varies accordingly. This article provides a sector-by-sector CDD matrix covering the documents required, applicable due diligence levels, and review frequencies for each regulated sector.
What is customer due diligence (CDD)?
Customer due diligence refers to the legal obligation for reporting entities to identify their customers, verify that identity using reliable evidence, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. The AML/CTF Act 2006 sets out these requirements, while AUSTRAC's guidance provides sector-specific direction on implementation.
Three levels of due diligence
Australian AML/CTF regulations define tiered customer due diligence levels, aligned with the risk-based approach recommended by the Financial Action Task Force (FATF):
Simplified verification may apply where the ML/TF risk is assessed as low. The AML/CTF Rules allow reporting entities to use simplified procedures in certain circumstances, such as for low-value designated services or where the customer is a listed public company or government body. Simplified verification reduces the extent of identification requirements but does not eliminate the obligation to identify the customer.
Standard customer identification is the default level. It requires identifying the customer and any beneficial owners, verifying identity using reliable and independent documentation or electronic data, understanding the purpose of the business relationship, and conducting ongoing customer due diligence.
Enhanced Customer Due Diligence (ECDD) applies where there is a higher risk of ML/TF. ECDD requires additional measures such as establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting more intensive ongoing monitoring. ECDD is mandatory for Politically Exposed Persons (PEPs), correspondent banking relationships, and customers connected to high-risk countries identified by the FATF.
| Level | Trigger | Key measures | Review frequency |
|---|---|---|---|
| Simplified | Demonstrably low ML/TF risk, listed companies, government bodies | Reduced verification, identity still required | Every 3-5 years |
| Standard | Default for all designated services | Full identification, document verification, ongoing monitoring | Annual to biennial |
| Enhanced (ECDD) | PEPs, high-risk countries, complex structures | Source of funds/wealth, senior management approval, intensive monitoring | Semi-annual or more frequent |
CDD requirements by sector
The AML/CTF Act defines reporting entities that provide designated services. Each faces distinct risks that shape the scope and depth of due diligence. The table below provides a comparative matrix of requirements across Australian regulated sectors.
| Sector | Supervisor | Default level | Documents required | Sector-specific considerations |
|---|---|---|---|---|
| Banking and ADIs | AUSTRAC / APRA | Standard, frequent ECDD | Photo ID (passport, driver licence), proof of address, ASIC extract, beneficial owner identification | Real-time sanctions screening, transaction monitoring systems |
| Insurance (life) | AUSTRAC / APRA | Standard | Photo ID, proposal form, proof of address | Risk profiling of policyholder, beneficiary identification |
| Real estate agents | AUSTRAC (proposed) | Standard | Photo ID, proof of address, proof of funding | Both buyer and seller verification under proposed reforms |
| Legal professionals | AUSTRAC (proposed) | Standard | Photo ID, proof of address, ASIC extract (corporate clients) | Legal professional privilege considerations |
| Remittance providers | AUSTRAC | Standard, frequent ECDD | Photo ID, proof of address | High-risk sector; transaction monitoring critical |
| Digital currency exchanges | AUSTRAC | Standard | Photo ID, proof of address | Registration requirement with AUSTRAC since 2018 |
For a comprehensive overview of document verification requirements, see our document verification guide.
PEP and sanctions screening
Politically Exposed Persons (PEPs)
PEP identification is a mandatory component of customer due diligence for all reporting entities. Under the AML/CTF Act, a PEP includes any individual who holds or has held a prominent public function: heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned enterprises, and senior officials of international organisations. Family members and known close associates of PEPs are also in scope.
Any business relationship with a PEP triggers ECDD automatically. This includes obtaining senior management approval before establishing or continuing the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.
AUSTRAC guidance distinguishes between domestic PEPs (Australian-based) and foreign PEPs, with foreign PEPs generally presenting higher risk. However, ECDD still applies to all PEPs.
Sanctions screening
Reporting entities must screen customers against the DFAT Consolidated List of persons and entities subject to Australian sanctions. Australia maintains its own autonomous sanctions regime under the Autonomous Sanctions Act 2011, in addition to implementing UN Security Council sanctions. Screening must occur at onboarding and on an ongoing basis.
| Check | Minimum frequency | Source | Action on match |
|---|---|---|---|
| PEP screening | Onboarding + annual refresh | Commercial databases (World-Check, Dow Jones, Moody's) | Apply ECDD, senior management approval |
| DFAT sanctions list | Onboarding + ongoing (daily recommended) | DFAT Consolidated List | Freeze assets, report to DFAT |
| UN sanctions | Onboarding + ongoing | UN Security Council resolutions | Freeze assets, report to DFAT |
Sector-specific checklists
Financial services (banks, ADIs, payment providers)
Financial services face the most intensive CDD requirements. AUSTRAC's enforcement record, including AUD 1.3 billion against Westpac and AUD 700 million against CBA, underscores the consequences of inadequate CDD systems.
Individual clients:
- Valid photo ID (Australian passport, driver licence)
- Proof of address dated within 3 months (utility bill, rates notice, bank statement)
- Source of funds documentation (if ECDD applies)
- PEP and sanctions screening
- Purpose and intended nature of business relationship questionnaire
Corporate clients:
- ASIC extract (current)
- Company constitution or rules
- Register of members / beneficial owners
- Photo ID for directors and beneficial owners
- Group structure chart (complex structures)
- Proof of registered office
- PEP and sanctions screening on all beneficial owners
Real estate (agents, conveyancers)
Real estate agents are currently captured as reporting entities for certain designated services, and the AML/CTF reform program proposes expanding these obligations. Property transactions remain a significant money laundering vector: AUSTRAC's risk assessments identify real estate as a high-risk sector due to the large values involved.
Buyer:
- Photo ID
- Proof of address
- Evidence of source of funds (pre-approval letter, bank statements, gift statutory declaration if applicable)
- Proof of source of wealth (if ECDD applies)
- PEP and sanctions screening
Seller:
- Photo ID
- Proof of address
- Proof of ownership (certificate of title)
Legal professionals (solicitors, barristers)
Under the proposed AML/CTF reforms, legal professionals will be brought within scope as reporting entities for certain designated services, including real property transactions, company formation, and trust administration. Legal professional privilege considerations apply but do not exempt firms from CDD obligations.
Legal sector checklist:
- Photo ID for the client (or authorised representative)
- ASIC extract and constitution (corporate clients)
- Identification of beneficial owners
- Verification that the transaction is consistent with the client profile
- PEP and sanctions screening
- Retention of records for 7 years after the end of the relationship
- Risk assessment documented in the client file
Accountancy and tax advisory
Under the proposed AML/CTF reforms, accountants will be brought within scope as reporting entities. Even before formal designation, industry best practice aligns with FATF recommendations.
Accountancy checklist:
- Photo ID for the principal or directors
- ASIC extract and constitution
- Engagement letter signed by both parties
- Identification of beneficial owners
- Review of unusual transactions (international transfers, cash-intensive activity)
- PEP and sanctions screening
- Annual client file refresh
For a broader enterprise-level due diligence checklist, see our due diligence checklist for businesses.
Ongoing monitoring and review
Customer due diligence does not end at onboarding. Part B of the AML/CTF program requires ongoing customer due diligence, including monitoring transactions and keeping customer identification information up to date.
When to re-verify
Several events should trigger a review of the client file:
- Change in ownership or control: new directors, change in beneficial ownership structure, corporate restructuring
- Unusual transaction patterns: amounts, frequency or destinations inconsistent with the known customer profile
- External events: new sanctions designation, adverse media coverage, change in risk classification of the client's country of residence
- Periodic review deadline: based on risk level (semi-annual for ECDD, annual for standard CDD, 3-5 years for simplified)
Automating CDD processes
Manual verification at scale is expensive and error-prone. Automated document validation enables continuous verification of identity documents, detection of tampered or fraudulent documents, and cross-referencing against official databases. For reporting entities processing hundreds of client files per month, automation reduces processing time by up to 80% while improving audit trail completeness.
Frequently asked questions
What is the difference between KYC and customer due diligence?
KYC (Know Your Customer) is a subset of customer due diligence. KYC specifically refers to identifying and verifying a customer's identity. CDD encompasses KYC but extends further: it includes understanding the nature of the business relationship, assessing ML/TF risk, screening for sanctions and PEPs, and conducting ongoing monitoring throughout the relationship.
Do real estate agents need to verify both the buyer and the seller?
Under the proposed AML/CTF reforms, real estate agents will be required to conduct CDD on clients involved in property transactions. Current best practice, aligned with FATF recommendations, is to verify both buyer and seller identity and, for the buyer, establish the source of funds.
How often should CDD records be updated?
The frequency depends on the risk level assigned to the customer. For simplified verification customers, a review every 3 to 5 years is generally acceptable. For standard CDD, an annual review is recommended practice. For ECDD customers, reviews should occur at least every 6 months, with additional reviews triggered by significant events.
Are small firms subject to the same CDD requirements as banks?
Yes, the same underlying AML/CTF Act obligations apply to all reporting entities regardless of size. However, the risk-based approach means that the intensity and extent of measures should be proportionate to the firm's size, nature, and the ML/TF risks it faces. Small firms may have simpler procedures, but they must still identify clients, verify identity, assess risk, and maintain records. AUSTRAC supervises compliance for all reporting entities.
Build a robust CDD framework for your sector
Customer due diligence is a legal requirement, not an optional extra. Non-compliance exposes firms to regulatory fines, civil penalties, and reputational damage. But CDD does not have to be a bottleneck. By structuring your checks according to sector-specific risk profiles and automating document verification, you can maintain full compliance while keeping onboarding efficient. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a fraud detection rate of 94.8%, delivering a 67% cost reduction compared to manual CDD processes. CheckFile.ai helps regulated businesses automate identity and document verification across all sectors. Contact us to discuss how our solution fits your due diligence workflows.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Australian organisations should consult qualified professionals for guidance specific to their obligations under AUSTRAC, ASIC, APRA and the OAIC.