When a client’s risk profile raises red flags, such as complex ownership structures, connections to high-risk jurisdictions, or unusual transaction patterns, standard customer due diligence simply isn’t enough. That’s where an enhanced due diligence checklist becomes essential. For Australian accounting firms navigating TPB requirements or preparing for AUSTRAC’s AML/CTF obligations, having a systematic approach to scrutinising high-risk clients isn’t optional; it’s a regulatory necessity.
The challenge? EDD involves gathering and verifying significantly more information than standard checks, often from multiple sources, while maintaining proper documentation trails. Without a structured process, critical steps get missed, compliance gaps emerge, and your firm becomes exposed to serious regulatory consequences. Many practices still rely on scattered spreadsheets or manual workflows that make consistent EDD nearly impossible to achieve.
This guide walks you through a practical, actionable checklist for conducting enhanced due diligence on high-risk individuals and entities. You’ll learn exactly what triggers EDD requirements, the specific checks you need to perform, and how to document your findings properly. We’ll also show you how StackGo’s IdentityCheck integration helps streamline these verification workflows directly within your existing CRM, eliminating the need for separate compliance software while ensuring PII remains protected. Whether you’re verifying beneficial ownership, screening against sanctions lists, or assessing source of funds, you’ll have a clear framework to follow.
What an enhanced due diligence checklist covers
An enhanced due diligence checklist expands far beyond the basic identity verification you’d perform for standard customers. You’re digging into layers of information that reveal the complete picture of who you’re doing business with, where their money comes from, and whether they pose genuine compliance risks. This means verifying not just the person in front of you, but the entire network of beneficial owners, transaction patterns, and potential regulatory red flags that might indicate money laundering or terrorist financing activity.
Identity verification and beneficial ownership structures
Your EDD checklist must establish the true identity of all parties involved, starting with government-issued identification documents. You’ll collect passports, driver’s licences, or national identity cards, then verify these against authoritative databases rather than simply accepting what’s presented. For companies, trusts, and other legal entities, this process becomes significantly more complex.
Beneficial ownership verification requires you to identify every individual who owns or controls 25% or more of the entity. You’ll trace ownership through multiple layers of corporate structures, examining shareholder registers, trust deeds, partnership agreements, and company constitutions. When you encounter complex structures with offshore entities or nominee arrangements, you need to keep digging until you reach actual human beings who ultimately control the funds.
Documentation requirements include:
- Certified copies of all identification documents for beneficial owners
- Corporate registry extracts showing ownership percentages
- Trust deeds and settlement documents
- Organisational charts mapping ownership structures
- Declarations from senior management confirming beneficial owners
Financial background and source verification
The financial component of your enhanced due diligence checklist demands concrete evidence about where money originates and how wealth accumulated over time. You’re not just accepting vague statements like "business profits" or "inheritance". Instead, you’ll gather specific documentation that proves the legitimate source of funds entering your client relationship.
Enhanced due diligence requires you to verify both the immediate source of funds (where the money is coming from now) and the source of wealth (how the client accumulated their assets over time).
Source of funds verification includes reviewing bank statements showing transaction histories, sale contracts for property or businesses, tax returns demonstrating income levels, and investment account statements. When clients claim inheritance as their wealth source, you’ll examine probate documents, estate valuations, and distribution records. Business sale proceeds require purchase agreements, completion statements, and evidence the buyer actually paid.
For ongoing business relationships, you’ll monitor transaction volumes and patterns against the expected activity your client initially disclosed. Sudden spikes in transaction frequency, large one-off payments without clear business justification, or funds flowing through jurisdictions with no obvious connection to the client’s activities all trigger additional scrutiny.
Sanctions, PEPs, and adverse media screening
Your checklist must include systematic screening against sanctions lists, politically exposed persons databases, and adverse media sources. This isn’t a one-time check during onboarding; you’re running these searches throughout the entire client relationship at regular intervals determined by risk level.
Sanctions screening covers individuals and entities on lists maintained by the United Nations, Australian Department of Foreign Affairs and Trade, US Office of Foreign Assets Control, and European Union. You’ll screen not just your direct client, but all beneficial owners, directors, and authorised signatories against these databases.
Politically exposed persons (PEP) checks identify current or former government officials, heads of international organisations, military leaders, and their immediate family members or close associates. Your checklist should specify the level of connection that triggers enhanced scrutiny, typically extending to parents, children, spouses, and known business partners of PEPs.
Adverse media screening searches news sources, regulatory announcements, and court records for allegations of financial crime, corruption, fraud, or other serious misconduct. You’ll document your search methodology, the sources checked, and any relevant findings that affect your risk assessment.
Documentation and ongoing monitoring protocols
The final component of your checklist covers how you’ll record your findings and maintain current information over time. Australian regulations require you to keep detailed records of every verification step, the evidence collected, and the reasoning behind your risk decisions.
Your documentation framework should include dated records of all searches performed, copies of verified documents, notes from customer interviews explaining unusual circumstances, and formal risk assessments signed off by compliance officers. When you decide to proceed with a high-risk relationship despite red flags, you’ll document the additional controls implemented to mitigate those specific risks.
When you must run EDD in Australia
Australian regulations create specific circumstances that require you to move beyond standard customer due diligence and apply enhanced measures. These triggers stem from both the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and professional obligations under bodies like the Tax Practitioners Board. Understanding exactly when to deploy your enhanced due diligence checklist prevents compliance gaps and ensures you’re allocating resources to genuine risk areas rather than applying blanket procedures across all clients.
High-risk customer categories requiring EDD
You must conduct enhanced due diligence whenever your client falls into designated high-risk categories defined by AUSTRAC guidance. Politically exposed persons (PEPs) trigger mandatory EDD requirements regardless of other factors. This includes current and former senior government officials, heads of state-owned enterprises, high-ranking military officers, and judicial authorities. The PEP designation extends to immediate family members and known close associates, meaning you’ll apply EDD even when these individuals aren’t directly your client.
Foreign PEPs from countries with higher corruption risk demand particularly rigorous scrutiny. Your enhanced due diligence checklist must account for individuals from jurisdictions appearing on Financial Action Task Force (FATF) grey or blacklists, or countries identified by Transparency International as having weak governance standards.
Clients operating in cash-intensive industries automatically trigger EDD requirements. This includes money remittance services, casinos, precious metals dealers, and certain hospitality businesses. Complex corporate structures involving trusts, foundations, or multiple layers of offshore entities also mandate enhanced scrutiny, particularly when beneficial ownership isn’t immediately transparent.
Transaction patterns and geographic triggers
Unusual transaction patterns force you to apply enhanced measures even for clients who initially appeared low-risk. Large one-off transactions without clear business justification, rapid movement of funds through accounts, or transaction volumes inconsistent with the client’s stated business activities all warrant EDD application.
When clients conduct business with, or receive funds from, countries identified on FATF lists or jurisdictions known for weak AML controls, you’re legally required to conduct enhanced due diligence regardless of other risk factors.
Geographic connections trigger mandatory EDD in several scenarios. Clients with business operations, banking relationships, or beneficial owners located in high-risk or sanctioned jurisdictions require enhanced scrutiny. This applies even when the client themselves operates legitimately in Australia but maintains these foreign connections. Countries subject to UN sanctions, FATF countermeasures, or those designated by AUSTRAC as posing elevated risks automatically trigger your enhanced procedures.
Refusal to provide information during standard due diligence also activates EDD requirements. When clients hesitate to disclose beneficial owners, avoid explaining transaction purposes, or provide contradictory information about their business activities, you must escalate to enhanced measures before proceeding with the relationship.
Step 1. Set risk ratings and EDD triggers
Before you can apply your enhanced due diligence checklist effectively, you need a structured framework that determines which clients receive standard due diligence and which require enhanced measures. This means establishing clear risk ratings and specific trigger points that automatically escalate your verification procedures. Without defined criteria, your team will make inconsistent decisions, some high-risk clients will slip through with inadequate scrutiny, and your compliance documentation won’t demonstrate the systematic approach regulators expect.
Create your risk rating matrix
Your risk rating system should categorise clients into at least three tiers: low, medium, and high risk. Each tier corresponds to different levels of due diligence intensity and ongoing monitoring frequency. You’ll assess risk based on multiple factors simultaneously rather than relying on single indicators.

Start by defining the specific characteristics that place clients in each category:

| Risk Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Customer type | Domestic individuals, established local businesses | Foreign individuals, new businesses, trusts | PEPs, complex structures, cash-intensive businesses |
| Geographic exposure | Australia only | Established trading partners (NZ, UK, US) | High-risk jurisdictions, sanctioned countries |
| Transaction volume | Under $50,000 monthly | $50,000-$250,000 monthly | Above $250,000 monthly |
| Product/service | Standard accounting, tax returns | Business advisory, SMSF management | Unusual requests, offshore structures |

Combine these factors using a weighted scoring approach where certain elements carry more significance. Geographic connections to FATF-listed countries or PEP status should automatically push clients into high-risk categories regardless of other factors. Document your scoring methodology clearly so different team members apply consistent criteria across all client assessments.
Your risk rating framework must include both initial assessment criteria and triggers for reassessment, because client circumstances change and previously low-risk relationships can evolve into situations requiring enhanced scrutiny.
Define your EDD trigger conditions
List the exact circumstances that activate your enhanced due diligence checklist. These triggers should be specific enough that staff members can identify them without subjective interpretation. When clients exhibit multiple medium-risk factors simultaneously, you’ll escalate to EDD even if no single characteristic would independently warrant enhanced measures.
Your documented triggers should include:
- Any client with beneficial owners located in high-risk jurisdictions
- Transaction patterns showing unexplained complexity or rapid fund movement
- Refusal or delay in providing standard verification documents
- PEP status for the client, beneficial owners, or immediate family members
- Business activities in cash-intensive or regulated industries
- Adverse media reports alleging financial crime or corruption
- Previous suspicious matter reports filed for this client or related parties
Build these triggers directly into your client onboarding workflow with automated flags that prevent relationship progression until enhanced procedures complete. Staff members shouldn’t need to remember which conditions require escalation; your systems should make the requirement immediately visible when triggers appear during data collection.
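The sketch below is an added example, not code from StackGo or from the original guide. It shows one way to encode the matrix, the two automatic overrides, the multiple-medium-factor escalation and the onboarding gate described above. The weights, score cut-offs, label names, flag names and the `XA`/`XB` jurisdiction codes are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Tiers transcribed from the matrix above; the dictionary keys are assumed labels.
CUSTOMER = {
    "domestic_individual": Tier.LOW, "established_local_business": Tier.LOW,
    "foreign_individual": Tier.MEDIUM, "new_business": Tier.MEDIUM, "trust": Tier.MEDIUM,
    "pep": Tier.HIGH, "complex_structure": Tier.HIGH, "cash_intensive": Tier.HIGH,
}
SERVICE = {
    "standard_accounting": Tier.LOW, "tax_return": Tier.LOW,
    "business_advisory": Tier.MEDIUM, "smsf_management": Tier.MEDIUM,
    "unusual_request": Tier.HIGH, "offshore_structure": Tier.HIGH,
}
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}  # placeholder codes; load your firm's list
WEIGHTS = {"customer_type": 3, "geography": 3, "volume": 2, "service": 2}  # assumed
HIGH_SCORE, MEDIUM_SCORE = 12, 5  # assumed cut-offs on a 0-20 scale
MEDIUM_FACTORS_FOR_EDD = 2  # assumed meaning of "multiple medium-risk factors"
TRIGGERS = {  # documented triggers that are not already matrix factors
    "unexplained_complexity": "unexplained complexity or rapid fund movement",
    "documents_refused_or_delayed": "refusal or delay providing documents",
    "adverse_media": "adverse media alleging financial crime or corruption",
    "prior_smr": "previous suspicious matter report",
}


@dataclass
class Client:
    customer_type: str
    countries: set          # ISO codes for the client AND its beneficial owners
    monthly_volume: float   # AUD
    service: str
    flags: set = field(default_factory=set)


@dataclass
class Assessment:
    rating: Tier
    score: int
    edd_required: bool
    reasons: list


def geography_tier(countries):
    if countries & HIGH_RISK_JURISDICTIONS:
        return Tier.HIGH
    # Missing data or any non-AU country is at least medium (assumption).
    return Tier.LOW if countries == {"AU"} else Tier.MEDIUM


def volume_tier(monthly_aud):
    if monthly_aud < 50_000:
        return Tier.LOW
    return Tier.MEDIUM if monthly_aud <= 250_000 else Tier.HIGH


def assess(c):
    tiers = {
        # Unknown labels fail closed: an unrecognised value is scored as high risk.
        "customer_type": CUSTOMER.get(c.customer_type, Tier.HIGH),
        "geography": geography_tier(c.countries),
        "volume": volume_tier(c.monthly_volume),
        "service": SERVICE.get(c.service, Tier.HIGH),
    }
    score = sum(WEIGHTS[k] * int(t) for k, t in tiers.items())
    rating = (Tier.HIGH if score >= HIGH_SCORE
              else Tier.MEDIUM if score >= MEDIUM_SCORE else Tier.LOW)
    reasons = []
    highs = [k for k, t in tiers.items() if t == Tier.HIGH]
    mediums = [k for k, t in tiers.items() if t == Tier.MEDIUM]
    if highs:  # assumption: any factor in the High Risk column triggers EDD
        reasons.append("high-risk factor: " + ", ".join(highs))
    if len(mediums) >= MEDIUM_FACTORS_FOR_EDD:
        reasons.append("multiple medium-risk factors: " + ", ".join(mediums))
    pep = c.customer_type == "pep" or "pep_connection" in c.flags
    if pep:
        reasons.append("PEP status (client, beneficial owner or family)")
    # Automatic overrides: these two push the rating to high whatever the score.
    if pep or "geography" in highs:
        rating = Tier.HIGH
    for flag in sorted(c.flags - {"pep_connection"}):
        reasons.append(TRIGGERS.get(flag, "unrecognised flag: " + flag))
    return Assessment(rating, score, rating == Tier.HIGH or bool(reasons), reasons)


def can_progress(assessment, edd_completed=False):
    """Onboarding gate: a flagged client is blocked until EDD is recorded as done."""
    return edd_completed or not assessment.edd_required
```

A cash-intensive domestic business with low volumes scores only medium here yet is still blocked by the gate, which is why the rating and the EDD requirement are tracked separately.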
Step 2. Verify identity and beneficial ownership
Once you’ve identified clients requiring enhanced due diligence, your verification process must go deeper than standard customer checks. You’ll collect and verify multiple forms of identification, trace ownership through corporate structures, and document every layer of control until you reach actual human beings who ultimately benefit from the relationship. This step forms the foundation of your enhanced due diligence checklist because without knowing exactly who you’re dealing with, all subsequent risk assessments become meaningless.
Individual identity verification requirements
Start by collecting government-issued identification documents from every individual connected to the relationship. You need certified copies of passports, driver’s licences, or national identity cards, along with recent proof of residential address documents dated within the last three months. Utility bills, bank statements, or government correspondence work as address verification, but you cannot accept documents your firm issued or mobile phone bills.
Verify these documents against authoritative databases rather than simply checking they look legitimate. For Australian residents, you’ll use the Document Verification Service (DVS) operated by the Attorney-General’s Department to confirm passport and driver’s licence details match government records. International clients require verification through equivalent systems in their home jurisdictions or certified copies verified by lawyers, notaries, or Australian consular officials.
Physical appearance verification requires you to conduct video calls or in-person meetings where you visually confirm the person presenting identification matches the photograph on their documents, creating dated records of this verification step.
Your enhanced due diligence checklist demands you verify not just the direct client contact but every beneficial owner, director, authorised signatory, and trustee involved in the entity. When clients operate through companies, you’ll verify the identity of anyone holding 25% or more ownership, all directors listed with ASIC, and individuals with actual day-to-day control regardless of their formal title.
Beneficial ownership documentation checklist
Trace ownership structures through multiple layers until you identify all natural persons who ultimately control the entity. You’ll collect these specific documents depending on the legal structure:

For companies:
- Current ASIC company extract showing all directors and shareholders
- Shareholder register with ownership percentages and share classes
- Constitutional documents outlining voting rights and control mechanisms
- Declarations from directors identifying any nominee arrangements

For trusts:
- Complete trust deed showing settlor, trustee, and beneficiaries
- Beneficiary declarations listing all individuals with vesting entitlements
- Trustee appointment documents and any variation deeds

For partnerships:
- Partnership agreement detailing profit sharing and control rights
- Individual partner declarations confirming all parties with beneficial interests

Map these relationships in an organisational chart showing ownership percentages and control flow from the top entity down to individual beneficial owners. When you encounter offshore entities or complex structures with multiple layers, you keep requesting documentation until you reach actual people, not just nominee companies or trustees.
Step 3. Confirm source of funds and wealth
Verifying where money originates represents the most challenging aspect of your enhanced due diligence checklist because clients often provide vague explanations or lack proper documentation. You need concrete evidence showing both the immediate source of funds (where money is coming from right now) and the source of wealth (how they accumulated assets over time). This dual verification prevents you from inadvertently processing proceeds from criminal activity, even when clients present otherwise legitimate-looking documentation.
Document requirements for source of funds verification
Your enhanced due diligence checklist must specify the exact documents you’ll collect based on the claimed fund source. When clients state employment as their income source, you’ll gather recent payslips covering at least three months, employment contracts, and tax returns for the past two years. Bank statements showing salary deposits must match the amounts claimed in these documents.
Business sale proceeds require purchase agreements showing the sale price, completion statements from solicitors, and evidence the purchaser actually transferred funds. You’ll verify these payments appear in bank statements and match the documented transaction terms. For property sales, collect contracts of sale, settlement statements, and mortgage discharge documents proving the transaction completed.
Inheritance claims demand probate documents, the deceased’s will, estate valuations, and distribution statements from executors showing how much each beneficiary received. Investment income requires account statements from financial institutions, buy and sell confirmations for securities, and dividend or interest payment records covering the relevant period.
When documentation gaps appear or explanations seem inconsistent with the client’s known circumstances, you must request additional evidence or conduct interviews to understand the complete financial picture before proceeding with the relationship.
Source of wealth assessment and evidence
Source of wealth verification examines the broader financial history that explains how clients accumulated their current asset position. You’ll collect tax returns spanning five to ten years, showing consistent income patterns that justify their accumulated wealth. Business owners need financial statements, profit and loss accounts, and evidence of business value growth over time.
Employment history documentation should demonstrate career progression matching their wealth level. Senior executives claiming substantial savings need employment records, remuneration statements, and evidence of bonuses or equity compensation received throughout their career. Self-employed clients require business registration documents, client contracts, and banking records showing sustained revenue patterns.
Red flags requiring additional verification
Watch for inconsistencies between stated income and transaction volumes your client proposes. Someone claiming modest employment income but seeking to transfer large sums demands extensive additional verification. Geographic disconnects also trigger scrutiny when funds originate from jurisdictions with no obvious connection to the client’s business activities.
Reluctance to provide documentation, frequent changes to explanations about fund sources, or complex transaction chains involving multiple intermediary accounts all require deeper investigation. You’ll document these concerns formally and either obtain satisfactory explanations with supporting evidence or decline the relationship based on unresolved risks.
Step 4. Run sanctions, PEP, and adverse media checks
This step in your enhanced due diligence checklist requires systematic screening against multiple databases to identify connections to sanctioned entities, politically exposed persons, or individuals with adverse media coverage. You’ll conduct these searches for every individual and entity involved in the relationship, including beneficial owners, directors, and authorised signatories. These checks aren’t optional; Australian regulations mandate them for high-risk clients, and failure to screen properly exposes your firm to serious regulatory consequences including substantial penalties.
Sanctions screening procedures
You must screen all parties against sanctions lists maintained by the United Nations Security Council, Australian Department of Foreign Affairs and Trade (DFAT), US Office of Foreign Assets Control (OFAC), and the European Union. Your screening covers individuals, entities, and vessels that authorities have designated due to terrorism, human rights violations, or threats to international peace.

Conduct these searches using the exact legal names appearing on identification documents, then run variations that account for different spellings, transliterations, or aliases. You’ll search:
- Full legal names (first, middle, last)
- Names with common spelling variations (e.g., Mohamed/Mohammed/Muhammad)
- Reversed name orders (common in Asian naming conventions)
- Business names and trading names for entities
- Previous names from marriage or legal changes
Document each search performed, the database checked, the date, and any matches found. When you identify potential matches, you’ll investigate further using date of birth, nationality, addresses, and passport numbers to confirm whether they represent genuine hits or false positives.
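The following added example (not part of the original guide and not StackGo's implementation) shows the screening steps above in code: name variants are normalised so that spelling families and reversed name orders collapse to the same key, potential matches are classified using date of birth, and every search produces a dated record even when nothing matches. The watchlist entries are constructed samples, and the spelling table contains only the guide's own Mohamed/Mohammed/Muhammad example.

```python
import re
import unicodedata
from datetime import date

# Spelling families collapse to one canonical token. Only the guide's own example
# is listed; a production table would be far larger (assumption).
SPELLING = {"mohamed": "muhammad", "mohammed": "muhammad", "muhammad": "muhammad"}

# Constructed sample entries, not real designations.
WATCHLIST = [
    {"list": "DFAT", "name": "Muhammad Testov", "dob": "1970-01-01"},
    {"list": "OFAC", "name": "Zhang Wei Sample", "dob": "1985-05-05"},
    {"list": "UN", "name": "Example Trading Pty Ltd", "dob": None},
]


def name_key(name):
    """Order-insensitive, accent-insensitive, spelling-normalised token set.

    Latin script only: names in other scripts must be transliterated first.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    return frozenset(SPELLING.get(t, t) for t in re.findall(r"[a-z0-9]+", text))


def classify(subject_dob, listed_dob):
    """Secondary identifier check that separates genuine hits from false positives."""
    if subject_dob and listed_dob:
        return "probable hit" if subject_dob == listed_dob else "false positive"
    return "needs review"  # not enough data to decide: escalate to a person


def screen(names, dob, searched_on):
    """Return one dated record per name searched, including searches with no match.

    names: legal name plus any trading names, previous names and known aliases.
    """
    log = []
    for name in names:
        key = name_key(name)
        matches = []
        for entry in WATCHLIST:
            listed = name_key(entry["name"])
            # Potential match: one token set contains the other (a missing middle
            # name still matches) and they share at least two tokens.
            if len(key & listed) >= 2 and (key <= listed or listed <= key):
                matches.append({"list": entry["list"], "listed_name": entry["name"],
                                "outcome": classify(dob, entry["dob"])})
        log.append({"searched": name, "date": searched_on.isoformat(),
                    "lists": sorted({e["list"] for e in WATCHLIST}),
                    "matches": matches})
    return log


if __name__ == "__main__":
    for record in screen(["Mohamed Testov", "Jane Citizen"], "1970-01-01", date.today()):
        print(record)
```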
PEP identification and verification
Politically exposed persons checks identify individuals who currently hold or previously held prominent public positions. You’ll screen for heads of state, government ministers, senior civil servants, judicial authorities, military leaders, directors of state-owned enterprises, and senior political party officials. The PEP designation extends to immediate family members (parents, spouses, children, siblings) and known close associates.
PEP screening requires ongoing monitoring throughout the client relationship because individuals can gain or lose PEP status as their political appointments change, and you must update your risk assessment accordingly.
Your searches should specify the jurisdiction scope you’re checking. Domestic Australian PEPs require enhanced scrutiny, but foreign PEPs from high-risk jurisdictions demand even more rigorous procedures. Document the PEP’s position, when they held it, and whether they remain in office or left within the past 12 months.
Adverse media search methodology
Search news sources, regulatory announcements, and court records for negative information about financial crime, corruption, fraud, bribery, or terrorist financing. You’ll check mainstream news outlets, specialised financial crime publications, and regulatory enforcement databases maintained by ASIC, AUSTRAC, and international equivalents.
Your search terms should include the individual’s name combined with keywords like "fraud," "money laundering," "sanctions," "corruption," "bribery," or "criminal investigation." Review results from the past 10 years for comprehensive coverage, focusing particularly on allegations of financial misconduct rather than general negative publicity.
Step 5. Record decisions and monitor continuously
Your enhanced due diligence process doesn’t end once you’ve completed initial verification checks. You must create comprehensive records documenting every decision you made, the evidence collected, and the reasoning behind your risk assessment. Australian regulations require you to maintain these records for seven years after the relationship ends, and they need to demonstrate a systematic approach that any compliance auditor can follow. Beyond documentation, you’ll establish ongoing monitoring procedures that detect changes in client circumstances, transaction patterns, or risk profiles throughout the entire relationship.
Documentation requirements and record retention
Create a dated record for each verification step performed during your enhanced due diligence process. Your file should contain copies of all identification documents collected, verification results from database checks, notes from customer interviews, and written explanations for any unusual circumstances or inconsistencies you encountered. When you decide to proceed with a high-risk relationship despite red flags, document the specific additional controls you’ve implemented and the senior management approval obtained.
Structure your documentation using a standardised template that ensures consistency across all EDD cases:

| Document Type | Required Content | Retention Period |
|---|---|---|
| Identity verification | Certified copies, database results, verification date | 7 years after relationship ends |
| Beneficial ownership | Ownership charts, declarations, supporting documents | 7 years after relationship ends |
| Source of funds/wealth | Bank statements, transaction evidence, interview notes | 7 years after relationship ends |
| Risk assessment | Risk rating, factors considered, approval signatures | 7 years after relationship ends |
| Screening results | Sanctions, PEP, adverse media search records with dates | 7 years after relationship ends |

Your records must show the specific individual who conducted each verification step and the date completed. When screening results produce potential matches, document your investigation process and how you determined whether they represented genuine hits or false positives.
Documentation serves as your evidence that you conducted reasonable due diligence, so incomplete or vague records leave your firm exposed if regulators question your decisions during audits or investigations.
Ongoing monitoring framework and triggers
Set up automated alerts within your systems that flag unusual transaction patterns, changes to beneficial ownership, or updated information requiring reassessment. Your enhanced due diligence checklist should specify monitoring frequencies based on risk ratings: monthly reviews for highest-risk clients, quarterly for high-risk, and annually for medium-risk relationships.
Establish clear triggers that automatically activate re-assessment procedures. These include changes to beneficial ownership or control structures, significant increases in transaction volumes beyond expected activity levels, new business relationships with high-risk jurisdictions, adverse media reports appearing after initial onboarding, or clients requesting services outside their original stated purpose. You’ll also re-screen all parties against sanctions and PEP lists at your defined intervals, documenting each search performed and any status changes detected.

Wrap up and put it into your workflow
Your enhanced due diligence checklist needs to become an embedded part of your client onboarding workflow rather than a separate manual process. Build the risk rating triggers directly into your CRM so the system automatically flags high-risk clients requiring enhanced measures. This eliminates the guesswork and ensures your team applies consistent standards across every relationship assessment.
The documentation requirements, screening protocols, and ongoing monitoring procedures should flow through your existing systems without forcing staff to switch between multiple platforms or maintain separate compliance records. When you integrate EDD verification directly into your everyday workflow, you reduce errors, save time, and maintain the evidence trails regulators expect during audits.
StackGo’s IdentityCheck for AUSTRAC Tranche 2 compliance runs these verification checks within your existing CRM, verifying identities against government databases while keeping PII protected under a separate privacy layer. Your team completes enhanced due diligence without adopting new software or managing multiple tabs across different platforms.







