Ongoing Customer Due Diligence AUSTRAC: Compliance Guide

Customer verification doesn’t end once someone becomes a client. Under Australian law, regulated entities must meet AUSTRAC’s ongoing customer due diligence requirements throughout the entire business relationship, not just at onboarding. This means continuously monitoring transactions, reassessing risk profiles, and keeping customer information current.

For accounting firms, financial services providers, and other reporting entities, these obligations are about to become more demanding. The AML/CTF reforms moving through Parliament will expand who must comply and raise expectations around how businesses track and respond to suspicious activity.

This guide breaks down what ongoing customer due diligence actually involves, how it differs from initial verification, and what your business needs to do to stay compliant. We’ll also cover how StackGo’s IdentityCheck integration helps businesses embed these verification workflows directly into their existing CRM, reducing manual effort while maintaining audit-ready compliance records.

What AUSTRAC means by ongoing CDD

Ongoing customer due diligence (OCDD) refers to the continuous monitoring and verification of your existing customers throughout your business relationship with them. AUSTRAC expects you to maintain an active understanding of who your customers are, what they do, and whether their behaviour aligns with the risk profile you originally assigned. This isn’t a one-off annual review but an ongoing obligation that requires you to track changes in customer circumstances and respond to red flags as they emerge.

How it differs from initial verification

Initial customer due diligence happens when you first onboard a client. You collect identification documents, verify their identity, and assess their risk level based on what you know at that moment. AUSTRAC’s ongoing customer due diligence requirements go further by demanding you revisit and update that initial assessment whenever circumstances change. You might discover a customer has moved into a higher-risk jurisdiction, started dealing in larger amounts, or shifted their business activities into areas you hadn’t originally anticipated. OCDD ensures your compliance measures evolve alongside your customer’s profile.

Your responsibility doesn’t end when verification passes. You must actively monitor customer activity and update their records when material changes occur.

When OCDD obligations begin

Your OCDD responsibilities start immediately after onboarding and continue until the business relationship ends. AUSTRAC doesn’t prescribe a fixed review schedule, but you must respond to triggers like unusual transaction patterns, changes in business structure, or exposure to high-risk countries. The upcoming reforms will likely tighten these expectations, requiring more structured monitoring systems rather than ad hoc responses. Your business needs a clear process for identifying when a customer’s risk profile has changed and what steps you’ll take to verify new information.

What you must monitor for under OCDD

Your ongoing customer due diligence obligations under AUSTRAC require you to track several specific indicators throughout the customer relationship. You must monitor transaction behaviour, customer circumstances, and any red flags that suggest higher risk or potential money laundering activity. AUSTRAC expects you to identify patterns that deviate from what you originally documented during initial verification, responding to changes rather than waiting for scheduled reviews.

Transaction patterns and thresholds

You need to watch for unusual transaction volumes, sudden spikes in activity, or transfers to and from high-risk jurisdictions. This includes monitoring whether your customer’s transactions align with their stated business purpose and expected account activity. Pay attention to structuring behaviour (breaking up large amounts to avoid reporting thresholds), frequent cash deposits, or transactions inconsistent with the customer’s industry or income profile.

Your monitoring systems must flag deviations from normal patterns, not just record transactions after the fact.

Changes in customer circumstances

Your responsibility extends beyond transactions to material changes in the customer’s profile. You must update records when customers change business structure, move to different countries, or alter their ownership arrangements. Monitor for shifts in beneficial ownership, changes to directors or partners, and any reputational issues that emerge through media reports or sanction lists. These changes may require you to reassess risk ratings and conduct enhanced due diligence.

How to run an OCDD process step by step

Your ongoing customer due diligence process for AUSTRAC compliance needs a clear framework that fits into your existing workflows without creating compliance bottlenecks. You must establish trigger points that prompt reviews, conduct risk reassessments when those triggers activate, and document everything in a way that survives regulatory scrutiny. The process should operate continuously rather than relying on arbitrary annual dates that might miss critical changes in between scheduled reviews.

Establish monitoring triggers

Your first step involves defining specific events that require you to review a customer’s profile. These triggers include threshold breaches (such as transactions above certain amounts), geographic changes, ownership restructures, or adverse media mentions. Build these triggers into your transaction monitoring systems so alerts generate automatically rather than depending on manual checks. Your triggers should reflect the risk categories you’ve assigned to different customer segments, with higher-risk clients subject to more frequent and detailed monitoring.

Review and reassess risk

When a trigger activates, you must conduct a fresh risk assessment that examines the customer’s current circumstances against their original profile. Verify whether beneficial ownership remains accurate, check sanction lists and adverse media, and determine if the transaction pattern makes sense for their stated business purpose. Document why you’ve maintained or adjusted their risk rating, noting any enhanced due diligence measures you’ve applied for elevated risks.

Updating KYC and customer risk over time

Your ongoing customer due diligence obligations under AUSTRAC require you to treat customer information as dynamic rather than static. You must refresh KYC data whenever material changes occur and periodically reassess risk ratings based on accumulated transaction history and external factors. This means maintaining accurate records that reflect your customer’s current circumstances, not outdated snapshots from initial onboarding.

When to refresh customer information

Material changes trigger mandatory updates to your customer records. You must collect new identification documents when customers change their legal structure, beneficial ownership shifts, or they relocate to different jurisdictions. Changes in business activity, such as entering new industries or product lines, also require fresh verification. Your systems should prompt reviews when sanctions screening returns new matches or when adverse media coverage emerges about your customer or their associates.

Stale customer data creates compliance gaps that regulators will identify during audits.

Adjusting risk ratings

Risk assessments must evolve as you gather more information about customer behaviour. Review and adjust risk categories when transaction volumes increase significantly, when customers begin dealing with high-risk counterparties, or when their activity no longer matches their stated business purpose. Document your reasoning whenever you elevate or reduce a customer’s risk rating, noting what specific factors influenced your decision and what enhanced measures you’ve applied for higher-risk profiles.

Common pitfalls and a practical checklist

Most businesses struggle to comply with AUSTRAC’s ongoing customer due diligence requirements because they treat them as a periodic task rather than a continuous process. You need to avoid common mistakes that create regulatory exposure and build a systematic approach that catches changes before they become audit findings. Your compliance framework must balance thoroughness with efficiency, preventing gaps without overwhelming your team with unnecessary reviews.

Frequent compliance failures

Many businesses fail by relying on fixed annual reviews instead of responding to actual triggers. You might miss critical changes that occur between scheduled checkpoints, leaving months of unaddressed risk exposure. Another common error involves inadequate documentation of why you maintained or adjusted a customer’s risk rating, making it impossible to demonstrate your reasoning during [regulatory examinations](https://stackgo.io/identitycheck/austrac-aml-ctf-essentials-webinar-2-your-aml-ctf-obligations/).

Waiting for scheduled reviews instead of monitoring triggers creates compliance blind spots that regulators will identify immediately.

Businesses also struggle with inconsistent monitoring across different customer segments, applying thorough checks to some clients while neglecting others based on informal judgements rather than documented risk criteria.

Essential verification checklist

Your OCDD process requires specific ongoing actions:

  • Monitor transaction patterns against expected activity baselines
  • Screen customers against updated sanctions lists quarterly at minimum
  • Verify beneficial ownership whenever corporate structures change
  • Document all risk rating adjustments with clear justification
  • Update identification documents when customers relocate or restructure
  • Review adverse media and reputational risks for high-risk clients

Key takeaways and next steps

Your ongoing customer due diligence obligations under AUSTRAC require continuous monitoring rather than periodic checkpoints. You must establish trigger-based systems that flag material changes in customer circumstances, respond to transaction anomalies, and update risk ratings whenever evidence demands reassessment. The upcoming reforms will intensify these expectations, making automated compliance workflows more valuable than manual processes.

Businesses that integrate verification directly into their existing CRM avoid the inefficiencies of jumping between platforms. StackGo’s IdentityCheck handles Tranche 2 compliance inside your everyday software, running ongoing checks without creating additional administrative burden. Your team maintains audit-ready records while customers experience seamless verification throughout the relationship.

Start by documenting your current monitoring triggers, identifying gaps where customer changes might go unnoticed, and establishing clear responsibilities for responding to alerts. Your OCDD framework should operate continuously, capturing risk changes as they occur rather than discovering them months later during scheduled reviews.
