Vendor Due Diligence Checklist: Australian Third-Party Risk Assessment Guide
Complete Australian vendor due diligence checklist: 7-step process, AUSTRAC AML/CTF Act requirements, ASIC obligations and Privacy Act compliance 2026.

Vendor due diligence is the structured, documented process of evaluating a supplier or third-party service provider before entering into a commercial relationship and at regular intervals throughout that relationship. It covers financial health, legal standing, regulatory compliance, cybersecurity posture, ESG practices and supply chain exposure. In Australia, vendor due diligence obligations arise from a layered federal framework: the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), AUSTRAC reporting requirements, the Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), APRA Prudential Standard CPS 230 (effective July 2025), and the Modern Slavery Act 2018 (Cth) for organisations with annual Australian revenue of AUD 100 million or more.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For advice on your specific situation, consult a qualified professional.
What Is Vendor Due Diligence in Australia?
Vendor due diligence (VDD) is a formal, risk-based assessment of a third party (supplier, outsourced service provider, technology partner or subcontractor) designed to identify, measure and document the risks that party introduces to the commissioning organisation. It goes beyond administrative supplier onboarding to cover the complete risk profile: financial, legal, operational, technological and ethical dimensions.
VDD sits within the broader framework of Third-Party Risk Management (TPRM). For a comprehensive overview of the TPRM lifecycle, see our dedicated article: Third-Party Risk Management: Complete TPRM Guide.
| VDD Type | Primary Scope | Typical Trigger |
|---|---|---|
| Standard Due Diligence (CDD) | Identity, financial standing, criminal background | All new vendors |
| Enhanced Due Diligence (EDD) | Deep-dive UBO, PEP/sanctions, beneficial ownership | High-risk vendors, sensitive geographies |
| Ongoing Due Diligence | Monitoring for material changes in risk profile | Active contracts, renewals |
| ESG / Modern Slavery Due Diligence | Supply chain labour practices, environmental risk | Modern Slavery Act 2018 obligations |
| ICT Vendor Due Diligence | Operational resilience, sub-outsourcing, exit plans | APRA CPS 230 regulated entities |
Conflating a basic supplier onboarding process with structured due diligence is the most common source of regulatory exposure for Australian organisations: it creates documentary gaps that AUSTRAC compliance assessments and APRA prudential reviews identify first during examinations.
Australian Regulatory Framework (AML/CTF Act 2006, AUSTRAC, ASIC, Privacy Act, APRA CPS 230)
Five primary frameworks govern vendor due diligence obligations for Australian organisations in 2026, each with distinct scope and enforcement mechanisms.
AML/CTF Act 2006 and AUSTRAC Obligations
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) is Australia's primary AML/CTF statute. It applies to "reporting entities" providing "designated services" listed in Part A and Part B of the legislation, including banks, credit providers, securities dealers, payment service providers, remittance dealers and digital currency exchange providers. Reporting entities must enrol with AUSTRAC, adopt and maintain an AML/CTF programme, conduct customer identification and verification procedures, and submit threshold transaction reports (TTRs) and suspicious matter reports (SMRs).
AUSTRAC is both the financial intelligence unit and the AML/CTF regulator, with enforcement powers that include civil penalty proceedings and injunctions. The scale of potential penalties was illustrated by the record AUD $1.3 billion settlement with CommBank (2018) and the AUD $1.3 billion penalty against Westpac (2020) for systemic AML/CTF failures, the largest corporate penalty in Australian history at that time (AUSTRAC).
A significant regulatory change is imminent: the AML/CTF Tranche 2 reforms, which are being implemented through 2024-2026, will extend AML/CTF obligations to "professional services" entities (lawyers, accountants, real estate agents and trust and company service providers) for the first time. Organisations in these sectors, as well as any business that engages them as vendors, should factor these expanded obligations into their vendor due diligence programmes.
ASIC and the Corporations Act 2001
The Australian Securities and Investments Commission (ASIC) regulates Australian companies, financial markets and financial services under the Corporations Act 2001 (Cth). ASIC maintains the Australian company register, from which you can obtain a current company extract confirming a vendor's ACN (Australian Company Number), registered address, directors, officeholders and current status (registered / deregistered / in administration).
Every Australian company is assigned a 9-digit ACN by ASIC at incorporation. A vendor's ACN, distinct from its Australian Business Number (ABN), allows direct verification of its current legal status, registered officers and any charges or encumbrances registered with ASIC.
The ABN (Australian Business Number) is an 11-digit identifier assigned by the Australian Business Register (ABR). ABN registration status, goods and services tax (GST) registration and any business names are all verifiable via the public ABN Lookup tool at abr.business.gov.au. Confirming ABN registration is a foundational step: suppliers without a valid ABN are required by law to have 47% tax withheld from payments, a compliance exposure that affects the commissioning organisation.
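Both identifiers carry a check digit, so a file can be screened for transcription or OCR errors and for ABN/ACN mismatches before any ABR Lookup or ASIC extract is ordered. The following is an added example written for this guide; it is not code from the article or from CheckFile. It implements the publicly documented ASIC ACN and ABR ABN check-digit algorithms and one cross-document consistency check that relies on an assumption stated in the comments (a company's ABN is its 9-digit ACN prefixed by two digits). The sample numbers are constructed for illustration: ACN 004 085 616 is ASIC's published worked example, the "53" prefix was chosen so the pair is internally consistent, and no claim is made that any of them belongs to a real entity.

```python
"""Format-level validation for Australian company identifiers (ACN, ABN).

Added example, not code from the original article or from CheckFile.
A number that passes these checks can still be cancelled, deregistered or
belong to a different entity, so the ABR Lookup and ASIC extract checks in
Step 1 of the checklist remain mandatory; this only stops obviously broken
data from reaching them.
"""
import re
from typing import List, Optional

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)  # ABR algorithm weights
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)                  # ASIC algorithm weights


def normalise(identifier: str) -> str:
    """Strip the spaces and hyphens seen on letterhead, invoices and OCR output."""
    return re.sub(r"[\s-]", "", identifier or "")


def is_valid_acn(acn: str) -> bool:
    """ASIC check: weighted sum of the first 8 digits; the complement of (sum mod 10) is the 9th digit."""
    digits = normalise(acn)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], ACN_WEIGHTS))
    expected = (10 - total % 10) % 10
    return expected == int(digits[8])


def is_valid_abn(abn: str) -> bool:
    """ABR check: subtract 1 from the first digit, take the weighted sum, require divisibility by 89."""
    digits = normalise(abn)
    if not re.fullmatch(r"\d{11}", digits):
        return False
    values = [int(d) for d in digits]
    values[0] -= 1
    total = sum(v * w for v, w in zip(values, ABN_WEIGHTS))
    return total % 89 == 0


def check_vendor_identifiers(abn: str, acn: Optional[str]) -> List[str]:
    """Return blocking findings for the identifier set on a vendor file.

    An empty list means the identifiers are internally consistent and the file may
    proceed to the external ABR Lookup / ASIC extract checks.
    """
    findings = []
    abn_digits = normalise(abn)
    abn_ok = is_valid_abn(abn_digits)
    if not abn_ok:
        findings.append(f"ABN {abn!r} fails the ABR check-digit test (transcription/OCR error or fabricated number)")
    if acn is not None:
        acn_digits = normalise(acn)
        if not is_valid_acn(acn_digits):
            findings.append(f"ACN {acn!r} fails the ASIC check-digit test")
        # Assumption: a company's ABN embeds its ACN as the last 9 digits, so the two
        # numbers on a vendor's invoice and ASIC extract must agree digit for digit.
        elif abn_ok and abn_digits[2:] != acn_digits:
            findings.append(f"ABN/ACN mismatch: ABN {abn_digits} does not embed ACN {acn_digits}")
    return findings


# Constructed sample values for illustration only.
SAMPLE_VENDOR = {"abn": "53 004 085 616", "acn": "004 085 616"}      # consistent pair
TRANSPOSED_VENDOR = {"abn": "53 004 085 661", "acn": "004 085 616"}  # OCR swapped the last two ABN digits
MISMATCHED_VENDOR = {"abn": "51 824 753 556", "acn": "004 085 616"}  # valid ABN, but not this company's

if __name__ == "__main__":
    for label, vendor in (("sample", SAMPLE_VENDOR), ("transposed", TRANSPOSED_VENDOR), ("mismatched", MISMATCHED_VENDOR)):
        print(label, check_vendor_identifiers(vendor["abn"], vendor["acn"]) or "OK")
```

Run stand-alone, the script reports the consistent pair as OK, flags the transposed ABN as a check-digit failure, and flags the third file as an ABN/ACN mismatch even though the ABN itself is well-formed. The mismatch branch deliberately runs only when the ABN already passed its own check, so a single OCR error produces one finding rather than two.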
Privacy Act 1988 and the Australian Privacy Principles (APPs)
The Privacy Act 1988 (Cth) applies to Australian Government agencies and private sector organisations with annual turnover exceeding AUD $3 million, as well as smaller organisations in prescribed categories (health service providers, tax file number recipients and others). The Office of the Australian Information Commissioner (OAIC) enforces the Act.
Where a vendor processes personal information on behalf of the commissioning organisation, the Privacy Act requires that the organisation take reasonable steps to ensure the recipient will handle the information consistently with the APPs. APP 11 requires entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. The Privacy Act Review 2024 is implementing significant amendments, including lowering the small business exemption threshold and expanding the notifiable data breach scheme.
APRA Prudential Standard CPS 230: Operational Risk Management (Effective July 2025)
APRA Prudential Standard CPS 230, which takes effect for banks, insurers and superannuation funds from 1 July 2025, establishes comprehensive requirements for operational risk management, including third-party service provider risk. Under CPS 230, APRA-regulated entities must maintain a complete register of material service providers, conduct structured due diligence before engaging any material third party, assess the third party's financial resilience, operational capability and information security posture, and implement contractual provisions covering audit rights, sub-contracting controls and exit plans.
CPS 230 introduces a specific obligation to manage concentration risk: where multiple critical business services depend on a single third party or a small number of providers, the regulated entity must have documented risk management controls and tested contingency arrangements (APRA).
Modern Slavery Act 2018 (Cth)
The Modern Slavery Act 2018 requires Australian entities with consolidated annual revenue of AUD $100 million or more to submit an annual Modern Slavery Statement to the Australian Border Force (ABF) online register. The statement must describe the entity's actions to assess and address modern slavery risks in its operations and supply chains. Vendor due diligence for supply chain partners, particularly those operating in higher-risk sectors or geographies, is a direct compliance obligation under this Act.
Our platform analysis of 45,000+ vendor files shows 14.2% contain blocking errors (expired documents, ABN/ACN mismatches, or UBO identity discrepancies) that manual review processes consistently fail to catch.
7-Step Vendor Due Diligence Checklist for Australian Businesses
This checklist covers the complete vendor assessment cycle from initial onboarding through ongoing monitoring. It is applicable across sectors and should be calibrated to the risk tier assigned to each vendor. For a broader checklist covering all business due diligence scenarios, see: Due Diligence Checklist for Businesses: Complete Guide.
Step 1: Identity Verification and Initial Qualification
- Collect legal identity documents: ASIC company extract (within 3 months), ACN confirmation, registered office address
- Verify ABN via the ABR Lookup (abr.business.gov.au): confirm active ABN, GST registration status and any registered business names
- Identify and verify all ultimate beneficial owners (UBOs) or persons with significant control; cross-reference against ASIC records for directors and officeholders
- Confirm no active insolvency proceedings via ASIC's insolvency register, the Australian Financial Security Authority (AFSA), or ASIC's published notices
- For foreign vendors: collect equivalent incorporation documents, directorship register and local regulator confirmation
Step 2: Legal and Regulatory Compliance Checks
- Verify current company status via ASIC company extract; confirm the company is registered and not in administration, liquidation or deregistration
- Obtain most recent audited financial statements or financial report lodged with ASIC
- Check for any charges or encumbrances registered with ASIC, and search the Personal Property Securities Register (PPSR) for security interests over goods and equipment
- Confirm sector-specific licences and registrations: AUSTRAC enrolment (where applicable), AFS Licence (AFSL) issued by ASIC, ACL (Australian Credit Licence), relevant professional registrations
- For AML/CTF Tranche 2 entities (post-reform): confirm AUSTRAC enrolment status for lawyers, accountants, real estate agents engaged as vendors
Step 3: Sanctions, PEP and Adverse Media Screening
- Screen all directors and UBOs against Australia's autonomous sanctions list (administered by the Australian Sanctions Office (ASO)), the UN consolidated list and OFAC SDN list
- Check Politically Exposed Person (PEP) status for all directors, significant shareholders and UBOs
- Run adverse media search covering past 5 years: fraud, bribery, money laundering, regulatory sanctions, AFP (Australian Federal Police) investigations
- Screen against ASIC enforcement actions, AUSTRAC compliance assessments and ACCC enforcement history
Step 4: Financial Health Assessment
- Review three most recent sets of annual financial statements: profit and loss, balance sheet, cash flow statement
- Calculate key ratios: current ratio, debt-to-equity, EBITDA margin, days sales outstanding
- Assess customer concentration risk; flag if a single customer exceeds 25% of revenue
- Check the Personal Property Securities Register (PPSR) for any registered security interests over the vendor's assets that could affect continuity of service
Step 5: Operational and Technology Risk Assessment
- Review Business Continuity Plan (BCP) and Disaster Recovery (DR) documentation
- Verify ISO 27001, SOC 2 Type II, Essential Eight maturity assessment, or equivalent for vendors handling sensitive or personal data
- Map sub-contractors and sub-processors; identify concentration risk where a single sub-supplier underpins multiple critical vendor relationships
- For APRA CPS 230 regulated entities: verify the vendor's compliance with sub-contracting requirements, documented exit plans and data portability provisions
- Confirm contractual audit rights, material incident notification obligations and regulatory access provisions
Step 6: ESG and Modern Slavery Assessment
- Obtain signed supplier code of conduct or equivalent ethical trading policy
- Review vendor's Modern Slavery Statement (mandatory for vendors with AUD $100M+ annual consolidated revenue) or equivalent due diligence documentation for smaller vendors
- Assess supply chain geography for elevated risk of forced labour, child labour or unsafe working conditions
- Collect environmental policy, sustainability report or carbon disclosure documentation where relevant to procurement criteria or ASIC climate-related disclosure obligations
Step 7: Scoring, Documentation and Ongoing Monitoring
- Assign an overall risk tier (Low / Medium / High / Critical) based on evidence from Steps 1-6
- Assemble a timestamped vendor dossier with all collected documents, check results and scoring rationale
- Set review frequency: annually for medium-risk, semi-annually for high-risk, event-triggered for critical
- Configure monitoring alerts for material trigger events: director changes, insolvency filings, new sanctions, AUSTRAC enforcement actions, ASIC actions, data breaches, CPS 230 trigger events
Organisations that formalise these 7 steps in a documented process reduce average per-file processing time by 60% and reduce audit-identified non-conformities by a factor of three, based on aggregated data from our platform at CheckFile.
Key Risk Categories
Every vendor presents a composite risk profile. The table below maps the principal risk categories, key alert indicators and relative priority by type of commissioning organisation operating in Australia.
| Risk Category | Key Alert Indicators | Priority (Financial Entity) | Priority (Non-Financial Business) |
|---|---|---|---|
| Financial risk | Negative equity, payment arrears, insolvency proceedings | High | High |
| Sanctions / compliance risk | ASO/OFAC listing, undisclosed PEP | Critical | High |
| AML/CTF risk | Non-enrolled AUSTRAC entity, inadequate AML programme | Critical | Medium |
| Operational risk | No BCP, single-supplier dependency for critical function | High | Medium |
| ICT / cyber risk | No ISO 27001, below Essential Eight maturity, recent breach | Critical (CPS 230) | Medium |
| Legal risk | Active litigation, director disqualifications, ASIC banning orders | High | High |
| Privacy risk | APP non-compliance, inadequate data processing agreement | High | High |
| Modern Slavery risk | High-risk supply chain geographies, no Modern Slavery Statement | Medium | High |
| Concentration risk | Sole provider for business-critical service | High | High |
For APRA-regulated entities, CPS 230 (effective July 2025) reclassifies ICT and concentration risk as critical-priority categories with mandatory documentation, exit plan requirements and notification obligations for vendors designated as material service providers.
A weighted scoring matrix template, calibrated for Australian regulatory requirements, is available in our Document Verification Guide.
Automating Vendor Due Diligence
Automation of vendor due diligence addresses three simultaneous pressures: the increasing volume of vendors requiring assessment, the growing complexity of overlapping regulatory frameworks, and the need for an auditable evidence trail that can withstand AUSTRAC, APRA or OAIC scrutiny.
Our analysis of 45,000+ vendor files shows 14.2% contain blocking errors on our platform (expired certificates, ABN/ACN discrepancies, or documents bearing indicators of tampering). Manual review processes, constrained by time and inconsistent checker training, fail to identify these errors in more than 40% of cases.
CheckFile automates the verification layer at each step of the checklist: OCR extraction of identity and registration data, cross-document consistency checks, cryptographic validation of official certificates, and daily-refreshed sanctions and PEP screening. The platform produces a timestamped, electronically signed vendor dossier that serves directly as audit evidence during AUSTRAC compliance assessments, APRA prudential reviews or OAIC investigations.
The AML/CTF Tranche 2 reforms introduce a significant expansion of the regulated population in Australia. Organisations engaging lawyers, accountants and real estate agents as vendors, and those in these sectors themselves, will need to reassess their vendor due diligence frameworks against the new AUSTRAC obligations. Automated platforms that can be updated to reflect regulatory changes reduce the risk of compliance gaps emerging during transition periods.
For lending, leasing and asset finance teams processing high volumes of vendor and borrower dossiers, our dedicated module at /solutions/financement-leasing reduces per-file processing time by an average of 78%. Technical details on our security infrastructure are available at /securite. Review plans and pricing at /tarifs.
Automation does not remove human accountability from the final risk decision: it redirects compliance officer time from manual data gathering to analysis of complex, high-risk cases where professional judgement is genuinely needed.
Frequently Asked Questions
What is vendor due diligence and why is it required in Australia?
Vendor due diligence is a structured assessment of a supplier covering its financial, legal, regulatory and operational standing. In Australia, it is required by several overlapping frameworks: the AML/CTF Act 2006 and AUSTRAC regulations for reporting entities, APRA Prudential Standard CPS 230 (from July 2025) for banks, insurers and superannuation funds, the Privacy Act 1988 and APPs where vendors process personal data, and the Modern Slavery Act 2018 for organisations with AUD $100M+ revenue. Failure to conduct and document adequate due diligence exposes organisations to AUSTRAC civil penalties, APRA prudential action, OAIC enforcement, and public reporting requirements.
What are the AUSTRAC Tranche 2 reforms and how do they affect vendor due diligence?
The AML/CTF Tranche 2 reforms extend AUSTRAC reporting obligations to "professional services" entities (including lawyers, accountants, real estate agents and trust and company service providers) for the first time. These reforms are being implemented through 2024-2026. The practical impact for vendor due diligence is twofold: organisations in these sectors will need to adopt formal AML/CTF programmes, and organisations that engage them as vendors will need to verify their AUSTRAC enrolment status and AML/CTF programme adequacy as part of due diligence. Commissioning organisations that have not already done so should update their vendor risk assessment frameworks to reflect these expanded obligations.
How does APRA CPS 230 change third-party risk management for Australian financial institutions?
APRA Prudential Standard CPS 230, effective 1 July 2025, establishes comprehensive operational risk management requirements for APRA-regulated banks, insurers and superannuation funds, including a mandatory third-party risk management framework. Key changes include: a requirement to maintain a register of all material service providers; pre-engagement due diligence for all material third-party arrangements; ongoing monitoring with at least annual formal review for critical service providers; mandatory contractual provisions covering audit rights, sub-contracting controls and exit plans; and explicit concentration risk management where multiple critical services depend on the same provider. Institutions that previously applied vendor due diligence inconsistently or only to IT vendors need to reassess their coverage against the full scope of CPS 230.
How often should vendor due diligence be renewed for Australian businesses?
Review frequency depends on the risk tier assigned to the vendor and applicable regulatory obligations. Under APRA CPS 230, at least annual formal review is required for material service providers. AUSTRAC guidelines expect ongoing monitoring of reporting relationships on a risk-sensitive basis. In practice, most Australian compliance programmes apply semi-annual reviews for high-risk and critical vendors, annual reviews for medium-risk vendors, and event-triggered reviews for all vendors when material changes occur, such as a director change, acquisition, security incident, sanctions listing, or AUSTRAC or ASIC enforcement action.
What documents must be collected for an Australian vendor due diligence file?
The minimum document set for an Australian vendor includes: ASIC company extract (within 3 months), ABN verification printout from ABR Lookup, most recent audited financial statements, current professional indemnity and public liability insurance certificates, and any sector-specific licences or registrations. For APRA CPS 230 material service providers, add: business continuity plan, most recent penetration test or information security audit report, ISO 27001 certificate or Essential Eight assessment, sub-processor list, and a signed service agreement with audit rights and exit plan provisions. For vendors processing personal data, add a signed data processing agreement that addresses APPs 11 and 12 obligations. For vendors in scope of the Modern Slavery Act, add their current Annual Modern Slavery Statement.