
AML Customer Due Diligence Checklist: CDD Steps For 2026

Getting your AML customer due diligence checklist right isn’t optional: it’s the foundation of your compliance programme. For Australian accounting firms, the stakes are particularly high with AUSTRAC’s evolving requirements and the TPB’s ongoing scrutiny of client verification practices.

Yet many firms still rely on scattered processes, manual checks, and disconnected systems that create gaps in their compliance workflows. A missed step or incomplete record can mean regulatory penalties, reputational damage, or worse, facilitating financial crime without realising it.

This guide breaks down the essential CDD steps you need to follow in 2026. We’ll cover everything from initial customer identification through to ongoing monitoring, with practical guidance you can apply whether you’re refining existing processes or building them from scratch.

At StackGo, we’ve built our IdentityCheck integration to help regulated businesses like accounting firms perform identity verification directly within their existing CRM, no new software to learn, no disconnected tabs. This guide reflects what we’ve learned helping firms streamline their compliance workflows while meeting their regulatory obligations.

What CDD means under AUSTRAC and FATF

Customer Due Diligence (CDD) is the process you follow to verify customer identities, understand their business relationships, and assess the money laundering risk they present to your firm. Under Australian law, AUSTRAC sets the framework for how you implement CDD, while the Financial Action Task Force (FATF) provides the international standards that inform these requirements.

Your CDD obligations aren’t one-size-fits-all. AUSTRAC requires you to apply a risk-based approach, which means you adjust the depth and frequency of your checks based on each customer’s specific risk profile. High-risk customers demand enhanced scrutiny, while lower-risk relationships may require only standard verification.

The risk-based approach means you allocate your compliance resources where they matter most, focusing more attention on customers who present elevated money laundering or terrorism financing risks.

The three CDD levels you need to understand

AUSTRAC defines three tiers of customer due diligence that you apply depending on the risk assessment. Simplified Due Diligence (SDD) applies to low-risk customers where you can reduce verification requirements, though this rarely applies to accounting firms given the nature of your services. Standard Customer Due Diligence represents your baseline, covering identity verification, beneficial ownership identification, and ongoing monitoring.

Enhanced Due Diligence (EDD) kicks in when you’re dealing with politically exposed persons (PEPs), customers from high-risk jurisdictions, or complex corporate structures. You’ll need to collect additional information, conduct more frequent monitoring, and obtain senior management approval for establishing or continuing the relationship.

What AUSTRAC specifically requires from you

Your AML customer due diligence checklist must address AUSTRAC’s core requirements: verify customer identity using reliable and independent documents, data, or information; understand the purpose and nature of the business relationship; and conduct ongoing monitoring to ensure transactions align with what you know about the customer.

AUSTRAC requires you to collect this information before providing a designated service, not after. You cannot onboard a client, complete their tax return, or handle their compliance work until you’ve satisfied your CDD obligations. The only exception is where delaying services would interrupt normal business and the money laundering risk is low, but you must complete verification as soon as practicable.

How FATF standards influence your approach

FATF Recommendation 10 sets the global benchmark for CDD, requiring financial institutions and designated non-financial businesses (which includes accountants) to identify and verify customer identity, understand ownership and control structures, and conduct ongoing due diligence. Australia implements these standards through the AML/CTF Act, meaning FATF requirements directly shape your compliance obligations.

When FATF updates its standards or identifies new risks, AUSTRAC typically follows with updated guidance or regulatory expectations. Your CDD processes need enough flexibility to adapt to these evolving requirements without rebuilding your entire compliance programme from scratch.

Step 1. Set your CDD scope and risk approach

Before you collect a single document or run any checks, you need to define which services trigger CDD obligations and how you’ll assess risk across your client base. This foundational step determines everything that follows in your AML customer due diligence checklist, from the intensity of verification to the frequency of ongoing reviews.

Your scope definition prevents compliance gaps where clients slip through without proper verification because someone assumed "that service doesn’t count". Risk categorisation ensures you’re not treating every client identically, which wastes resources on low-risk relationships while potentially missing red flags in high-risk ones.

Define which services require CDD

You must identify every designated service you provide under the AML/CTF Act. For accounting firms, this typically includes preparing or lodging returns, providing advice on taxation matters, and managing client funds. The critical test is whether the service falls under your regulated activities as defined by AUSTRAC.

Create a simple matrix that maps each service you offer to CDD requirements. List the service, note whether CDD is required, and specify any timing considerations. For example:

| Service | CDD Required | Timing |
|---|---|---|
| Tax return preparation | Yes | Before lodgement |
| BAS lodgement | Yes | Before first lodgement |
| Business advisory (no funds) | No | N/A |
| Trust account management | Yes | Before accepting funds |

Build your risk assessment framework

You need a documented [risk scoring system](https://stackgo.io/resources/aml-ctf-risk-assessment/) that categorises clients based on factors like entity type, transaction patterns, industry sector, and geographic connections. High-risk indicators include cash-intensive businesses, clients with complex ownership structures, and relationships involving high-risk jurisdictions identified by FATF.

Your risk framework should automatically flag customers requiring Enhanced Due Diligence, ensuring senior staff review these relationships before onboarding proceeds.

Assign risk scores systematically. A basic framework might score clients 1-5 across categories like entity complexity (sole trader = 1, multi-tier trust = 5), industry risk (standard professional services = 1, money remittance = 5), and geographic exposure (Australian only = 1, operations in high-risk jurisdictions = 5).
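The scoring framework described above, carried through into working code as an added example (this is not StackGo or IdentityCheck code). The three categories and the anchor values (sole trader = 1, multi-tier trust = 5, standard professional services = 1, money remittance = 5, Australian only = 1, high-risk jurisdictions = 5) are the article’s; the intermediate table entries, the banding of the 3-15 total into Low/Standard/High, and the three EDD trigger rules (PEP connection, high-risk jurisdiction, complex structure) are assumptions chosen to illustrate how a client is automatically flagged for Enhanced Due Diligence regardless of its arithmetic score.

```python
"""Risk scoring for client onboarding, following the article's 1-5 categories.

Constructed example for this article, not StackGo or IdentityCheck code.
The intermediate table values, the banding of the total and the EDD trigger
rules are assumptions; the anchor values are the article's.
"""
from dataclasses import dataclass

# 1 = lowest risk, 5 = highest. Anchor values from the article; others assumed.
ENTITY_COMPLEXITY = {
    "sole_trader": 1, "partnership": 2, "company": 3, "trust": 4, "multi_tier_trust": 5,
}
INDUSTRY_RISK = {
    "professional_services": 1, "retail": 2, "construction": 3,
    "gambling": 4, "precious_metals": 4, "money_remittance": 5,
}
GEOGRAPHIC_EXPOSURE = {
    "australia_only": 1, "low_risk_foreign": 2, "medium_risk_foreign": 3,
    "high_risk_jurisdiction": 5,
}


@dataclass
class ClientProfile:
    name: str
    entity_type: str
    industry: str
    geography: str
    pep_connected: bool = False  # a PEP, or a family member / close associate of one


@dataclass
class RiskAssessment:
    scores: dict        # per-category 1-5 score
    total: int          # 3 (all low) to 15 (all high)
    level: str          # "Low", "Standard" or "High"
    edd_required: bool  # Enhanced Due Diligence and senior review before onboarding
    edd_triggers: list  # why EDD was triggered; empty when not required


def _lookup(table, key, category):
    # An unknown value must stop the assessment rather than silently score low.
    try:
        return table[key]
    except KeyError:
        raise ValueError(f"unknown {category} value {key!r}; extend the table before scoring") from None


def assess_risk(client):
    scores = {
        "entity_complexity": _lookup(ENTITY_COMPLEXITY, client.entity_type, "entity type"),
        "industry_risk": _lookup(INDUSTRY_RISK, client.industry, "industry"),
        "geographic_exposure": _lookup(GEOGRAPHIC_EXPOSURE, client.geography, "geography"),
    }
    total = sum(scores.values())

    # Assumed banding of the 3-15 total.
    if total <= 5:
        level = "Low"
    elif total <= 9:
        level = "Standard"
    else:
        level = "High"

    # EDD triggers are independent of the arithmetic: any one of them forces
    # the client into the High band so senior staff review before onboarding.
    triggers = []
    if client.pep_connected:
        triggers.append("politically exposed person or associate")
    if scores["geographic_exposure"] == 5:
        triggers.append("high-risk jurisdiction")
    if scores["entity_complexity"] >= 4:
        triggers.append("complex ownership structure")
    if triggers:
        level = "High"

    return RiskAssessment(scores, total, level, bool(triggers), triggers)


if __name__ == "__main__":
    # Constructed sample clients.
    for c in (
        ClientProfile("Sole trader bookkeeping", "sole_trader", "professional_services", "australia_only"),
        ClientProfile("Local retailer Pty Ltd", "company", "retail", "australia_only"),
        ClientProfile("Consulting co with PEP director", "company", "professional_services", "australia_only", pep_connected=True),
        ClientProfile("Offshore remittance trust", "multi_tier_trust", "money_remittance", "high_risk_jurisdiction"),
    ):
        r = assess_risk(c)
        print(f"{c.name}: total={r.total} level={r.level} edd={r.edd_required} {r.edd_triggers}")
```

The PEP-connected consulting company is the case worth noticing: its total of 5 lands in the Low band, but the PEP trigger overrides the band, which is exactly the behaviour the article asks the framework to enforce.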

Step 2. Verify identity and customer details

Once you’ve categorised your client’s risk level, you need to collect and verify their identity documents according to AUSTRAC’s standards. This step forms the backbone of your AML customer due diligence checklist, ensuring you know who you’re dealing with before providing any designated services.

Your verification process must confirm the person’s full legal name, date of birth, and residential address using documents from reliable and independent sources. You cannot rely solely on information the customer provides without corroboration, no matter how trustworthy they seem.

Collect acceptable identification documents

You need to collect documents that meet AUSTRAC’s verification requirements for individuals and entities. For individuals, acceptable documents include Australian driver’s licences, passports, birth certificates, and Medicare cards. Each document type carries different weight in AUSTRAC’s verification framework.

The safest approach uses original documents wherever possible. If you accept certified copies, ensure the certifier is authorised under the AML/CTF Act (lawyers, police officers, or accountants with over two years’ experience). Digital verification through a trusted service provider offers a faster alternative, provided the service meets AUSTRAC’s electronic verification standards.

AUSTRAC requires you to sight the original document, verify it against an independent source, or use an electronic verification service that compares customer details against government databases.

Apply the 100-point identification check

Build a simple scoring system that totals 100 points from verified documents. Your verification template should track:

| Document Type | Points | Document Number | Verification Date |
|---|---|---|---|
| Passport | 70 | | |
| Driver’s licence | 40 | | |
| Medicare card | 25 | | |
| Birth certificate | 70 | | |

You must verify at least one primary photographic document (passport or driver’s licence) plus one secondary document showing the customer’s residential address. Record the document numbers, issuance dates, and expiry dates in your client file, ensuring this information remains accessible for AUSTRAC audits but protected from unauthorised access.
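The 100-point check as an added worked example (not StackGo or IdentityCheck code). It applies the article’s three rules together: the points total, at least one primary photographic document, and a second document evidencing the residential address. The point values for passport, driver’s licence, Medicare card and birth certificate are the article’s; the `utility_bill` type and its 25 points are an assumption added so there is a non-photographic address-bearing document. Expired documents are recorded but contribute no points, and the sample documents are constructed.

```python
"""100-point identity document check with the article's document/points table.

Constructed example for this article, not StackGo or IdentityCheck code.
Point values for passport, driver's licence, Medicare card and birth
certificate are the article's; 'utility_bill' and its 25 points are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DOCUMENT_POINTS = {
    "passport": 70,
    "drivers_licence": 40,
    "medicare_card": 25,
    "birth_certificate": 70,
    "utility_bill": 25,  # assumed value, not from the article
}
PRIMARY_PHOTO_DOCUMENTS = {"passport", "drivers_licence"}
REQUIRED_POINTS = 100


@dataclass(frozen=True)
class IdDocument:
    doc_type: str
    number: str             # kept for the client file; never log it in clear text
    expiry: Optional[date]  # None for documents that do not expire (birth certificate)
    shows_address: bool     # whether this document evidences the residential address


@dataclass
class CheckResult:
    passed: bool
    points: int
    counted: list   # document types that contributed points
    rejected: list  # document types set aside (expired, unrecognised, duplicate)
    failures: list  # reasons the check failed; empty when it passed


def run_100_point_check(documents, as_of):
    counted, rejected, failures = [], [], []
    for doc in documents:
        if doc.doc_type not in DOCUMENT_POINTS:
            rejected.append(f"{doc.doc_type}: unrecognised document type")
        elif any(d.doc_type == doc.doc_type for d in counted):
            rejected.append(f"{doc.doc_type}: each document type is counted once")
        elif doc.expiry is not None and doc.expiry < as_of:
            rejected.append(f"{doc.doc_type}: expired on {doc.expiry.isoformat()}")
        else:
            counted.append(doc)

    points = sum(DOCUMENT_POINTS[d.doc_type] for d in counted)
    if points < REQUIRED_POINTS:
        failures.append(f"only {points} of {REQUIRED_POINTS} points")

    primaries = [d for d in counted if d.doc_type in PRIMARY_PHOTO_DOCUMENTS]
    if not primaries:
        failures.append("no primary photographic document (passport or driver's licence)")

    # The article's rule: the address is evidenced by a second document, not
    # the same one serving as the photographic primary.
    address_docs = [d for d in counted if d.shows_address]
    if primaries and not any(a is not p for p in primaries for a in address_docs):
        failures.append("no secondary document showing residential address")

    return CheckResult(not failures, points, [d.doc_type for d in counted], rejected, failures)


# Constructed sample documents (numbers are made up).
SAMPLE = {
    "passport": IdDocument("passport", "PA1234567", date(2030, 5, 1), False),
    "licence": IdDocument("drivers_licence", "DL987654", date(2028, 3, 9), True),
    "medicare": IdDocument("medicare_card", "MC4444", date(2027, 1, 1), False),
    "birth_cert": IdDocument("birth_certificate", "BC001", None, False),
    "utility": IdDocument("utility_bill", "ACC-77", None, True),
    "old_passport": IdDocument("passport", "PA0000001", date(2024, 1, 1), False),
}
AS_OF = date(2026, 1, 15)

if __name__ == "__main__":
    for label, docs in (
        ("passport + licence", [SAMPLE["passport"], SAMPLE["licence"]]),
        ("passport + birth certificate", [SAMPLE["passport"], SAMPLE["birth_cert"]]),
        ("expired passport + licence", [SAMPLE["old_passport"], SAMPLE["licence"]]),
    ):
        r = run_100_point_check(docs, AS_OF)
        print(f"{label}: passed={r.passed} points={r.points} failures={r.failures} rejected={r.rejected}")
```

Passport plus birth certificate is the instructive case: 140 points comfortably clears the threshold, yet the check still fails because neither document shows where the customer lives.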

Step 3. Check ownership, sanctions, and red flags

After verifying individual identities, you must investigate the ownership structure behind corporate clients and trusts, then screen all parties against sanctions lists and political exposure databases. This step in your AML customer due diligence checklist uncovers hidden risks that standard identity checks miss, particularly money laundering attempts using complex corporate structures or shell companies.

Your investigation needs to identify who ultimately owns or controls the entity, not just the directors listed on ASIC records. You’re looking for individuals holding more than 25% ownership or exercising effective control through other means like voting rights or senior management authority.

Identify beneficial owners and control structures

You must trace ownership through each layer of the corporate structure until you reach natural persons who hold the ultimate beneficial interest. For companies, request a current extract from ASIC showing shareholders and directors, then verify beneficial ownership declarations signed by appropriate officers.

Trust structures require particular scrutiny because beneficial ownership often differs significantly from the trustee arrangements shown in public records.

Document each beneficial owner’s name, date of birth, and residential address in your client file. Where ownership sits behind another corporate entity, continue tracing until you identify natural persons. Create a simple ownership chart showing:

| Entity Level | Entity Name | Ownership % | Beneficial Owner |
|---|---|---|---|
| Client | ABC Trust | 100% | XYZ Pty Ltd |
| Parent | XYZ Pty Ltd | 100% | John Smith |
| Ultimate | John Smith | 100% | John Smith |
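The layer-by-layer tracing described above, as an added example (not StackGo or IdentityCheck code). It walks an ownership register from the client entity down to natural persons, multiplying percentages through each layer so that someone who holds 40% of a parent that holds 60% of the client is recorded at their effective 24%, which is below the 25% threshold. People with effective control of an entity (a trustee, for instance) are reported as beneficial owners regardless of percentage, circular ownership is rejected, and any layer whose disclosed holdings sum to less than 100% is reported as a gap. The register contents, including the ABC Trust / XYZ Pty Ltd / John Smith chain from the chart above and a second constructed group, are sample data; the `OwnershipRegister` class and `trace_beneficial_owners` function are this example's own names.

```python
"""Trace ownership layers to the natural persons behind a client.

Constructed example for this article, not StackGo or IdentityCheck code.
All entity and person names are sample data built inline.
"""
from collections import defaultdict

UBO_THRESHOLD = 25.0  # effective ownership % above which someone is a beneficial owner


class OwnershipRegister:
    def __init__(self):
        self.holdings = defaultdict(list)    # entity -> [(holder, percent held)]
        self.natural_persons = set()
        self.controllers = defaultdict(set)  # entity -> persons with effective control

    def add_person(self, name):
        self.natural_persons.add(name)

    def add_holding(self, entity, holder, percent):
        if not 0 < percent <= 100:
            raise ValueError(f"invalid holding {percent}% of {entity} by {holder}")
        self.holdings[entity].append((holder, float(percent)))

    def add_controller(self, entity, person):
        """Control without (or beyond) a shareholding, e.g. a trustee or appointor."""
        self.controllers[entity].add(person)


def trace_beneficial_owners(register, client, threshold=UBO_THRESHOLD):
    effective = defaultdict(float)  # person -> effective fraction of the client entity
    control_of = defaultdict(set)   # person -> entities in the structure they control
    chart = []                      # (level, entity, percent, holder) rows like the article's chart
    undisclosed = {}                # entity -> % of its holdings not accounted for

    def walk(entity, fraction, level, path):
        if entity in path:
            raise ValueError(f"circular ownership through {entity}")
        for person in register.controllers.get(entity, ()):
            control_of[person].add(entity)
        holdings = register.holdings.get(entity, [])
        disclosed = sum(p for _, p in holdings)
        if disclosed < 100:
            undisclosed[entity] = round(100 - disclosed, 2)
        for holder, percent in holdings:
            chart.append((level, entity, percent, holder))
            share = fraction * percent / 100
            if holder in register.natural_persons:
                effective[holder] += share
            else:
                walk(holder, share, level + 1, path | {entity})

    walk(client, 1.0, 0, frozenset())

    owners = {}
    for person, share in effective.items():
        pct = round(share * 100, 2)
        if pct > threshold:
            owners[person] = {"effective_pct": pct, "basis": "ownership"}
    for person, entities in control_of.items():
        pct = round(effective.get(person, 0.0) * 100, 2)
        entry = owners.setdefault(person, {"effective_pct": pct, "basis": "control"})
        if entry["basis"] == "ownership":
            entry["basis"] = "ownership and control"
        entry["controls"] = sorted(entities)
    return {"beneficial_owners": owners, "chart": chart, "undisclosed": undisclosed}


def sample_register():
    """Constructed register: the article's chart plus a layered second group."""
    reg = OwnershipRegister()
    for person in ("John Smith", "Jane Doe", "Kim Lee", "Sam Poe", "Pat Roe"):
        reg.add_person(person)
    reg.add_holding("ABC Trust", "XYZ Pty Ltd", 100)
    reg.add_holding("XYZ Pty Ltd", "John Smith", 100)
    # Nobody at the top layer crosses 25% effectively, and 10% is undisclosed.
    reg.add_holding("Client Co", "Holdco", 60)
    reg.add_holding("Client Co", "Jane Doe", 30)
    reg.add_holding("Holdco", "Kim Lee", 40)
    reg.add_holding("Holdco", "Sam Poe", 40)
    reg.add_holding("Holdco", "Pat Roe", 20)
    reg.add_controller("Holdco", "Pat Roe")  # trustee-style control despite a 20% holding
    return reg


if __name__ == "__main__":
    reg = sample_register()
    for client in ("ABC Trust", "Client Co"):
        result = trace_beneficial_owners(reg, client)
        print(client, result["beneficial_owners"], "undisclosed:", result["undisclosed"])
```

For Client Co the output is the point of the exercise: Kim Lee and Sam Poe each hold 40% of Holdco but only 24% of the client, so they fall below the threshold, while Pat Roe is reported on the basis of control and the 10% undisclosed at the client layer is flagged for follow-up.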

Screen against sanctions and PEP lists

Run every beneficial owner, director, and signatory through sanctions databases maintained by the Australian Department of Foreign Affairs and Trade, the United Nations, and other relevant authorities. You cannot provide services to individuals or entities on these lists without specific authorisation.

Check whether any party qualifies as a Politically Exposed Person under AUSTRAC’s definition. PEPs include heads of state, senior politicians, high-ranking military officers, and executives of state-owned corporations. Family members and close associates of PEPs also require enhanced scrutiny.

Flag suspicious patterns and indicators

Watch for red flags like reluctance to provide ownership information, unnecessarily complex structures for simple operations, or frequent changes in beneficial ownership without commercial justification. Customers operating in high-risk industries (money remittance, precious metals, gambling) warrant additional scrutiny regardless of their ownership transparency.

Step 4. Run ongoing due diligence and recordkeeping

Your AML customer due diligence checklist doesn’t end after onboarding. You must monitor customer activity throughout the relationship, updating your risk assessment whenever circumstances change and maintaining detailed records that prove your compliance efforts to AUSTRAC auditors.

Ongoing due diligence catches red flags you missed during initial verification and identifies changes in customer behaviour that warrant investigation. Your recordkeeping creates the audit trail that demonstrates you’ve met your obligations under the AML/CTF Act.

Schedule risk-based monitoring reviews

You need to set review frequencies based on each customer’s risk category. High-risk clients require reviews every 12 months, standard-risk clients every 24 months, and low-risk clients every 36 months. Calendar these reviews systematically rather than waiting for memory or chance encounters to trigger them.

During each review, verify the customer’s identity documents remain current, confirm beneficial ownership hasn’t changed, and assess whether transaction patterns align with their stated business activities. Document your findings in the client file, noting any changes that affect their risk score.

Your monitoring system should automatically flag clients approaching their review date and escalate cases where you identify suspicious activity or material changes in risk profile.

Create a simple tracking template that records:

| Client Name | Risk Level | Last Review | Next Review | Changes Noted |
|---|---|---|---|---|
| ABC Pty Ltd | High | 2025-02-15 | 2026-02-15 | None |
| XYZ Trust | Standard | 2024-06-10 | 2026-06-10 | New beneficial owner |

Maintain compliant records and audit trails

You must retain all CDD documentation for seven years after the relationship ends or the transaction completes. Store identity documents, beneficial ownership declarations, risk assessments, and monitoring notes in secure systems that prevent unauthorised access while remaining readily retrievable for AUSTRAC requests.

Your records must show what you verified, when you verified it, and which staff member conducted each check. Include document reference numbers, verification dates, and the method used (original sighting, certified copy, or electronic verification).

Next steps

Your AML customer due diligence checklist needs to work in practice, not just sit in a compliance manual gathering dust. You’ve now got the complete framework for compliant customer onboarding, but the real challenge lies in implementing these steps consistently across every client relationship without creating bottlenecks in your workflow or overwhelming your team.

Manual processes inevitably create compliance gaps. Spreadsheets become outdated, staff members forget critical steps, and important documents languish in email threads rather than secure client files. You need a system that runs your CDD verification directly inside your existing CRM, automatically collecting documents, running checks, and maintaining audit trails without forcing your team to learn new software or juggle multiple tabs.

StackGo’s IdentityCheck for AUSTRAC Tranche 2 handles identity verification, beneficial ownership checks, and ongoing monitoring within your practice management system. Create a free account and run your first verification check to test whether it fits your firm’s compliance requirements.
