Standard customer due diligence isn’t always enough. Certain clients, transactions, and business relationships carry a level of risk that demands a closer look, and that’s precisely when enhanced due diligence is required. For Australian businesses operating under AML/CTF obligations (or preparing for upcoming AUSTRAC reforms), understanding these triggers isn’t optional. Getting it wrong means regulatory exposure, potential penalties, and reputational damage that’s hard to walk back.
Enhanced Due Diligence (EDD) goes beyond collecting a name and verifying an ID. It requires deeper investigation into the source of funds, the nature of a business relationship, and the specific risk factors a client presents. The challenge for most firms, particularly in accounting, legal, and financial services, is that EDD obligations are scattered across legislation, guidance notes, and regulatory updates. Knowing exactly when to escalate from standard CDD to EDD can feel unclear, especially when your team is juggling compliance across multiple systems that don’t talk to each other.
That’s where a platform like StackGo fits in. Our IdentityCheck integration lets you verify identities across 200+ countries directly from your existing CRM, keeping compliance workflows where your team already works. But verification is just one piece of the puzzle. You still need to know when to apply a higher standard of scrutiny. This article breaks down the specific triggers, risk indicators, and regulatory scenarios that require enhanced due diligence under Australian AML/CTF rules, so you can act with confidence when it counts.
What enhanced due diligence means in AML
Enhanced Due Diligence (EDD) is a higher level of scrutiny applied to customers, transactions, or business relationships that present elevated risk. Under Australia’s AML/CTF framework, administered by AUSTRAC, EDD sits above Standard Customer Due Diligence (CDD) and requires your business to gather more detailed information before and during a relationship, not just at the point of onboarding.
EDD is not a one-time check. It is an ongoing obligation that continues for as long as the high-risk relationship exists.
How EDD differs from standard CDD
Standard CDD covers the basics: verifying a customer’s identity, understanding the nature of the business relationship, and monitoring transactions. EDD goes further by requiring you to investigate the source of a customer’s funds, understand beneficial ownership structures, and apply closer scrutiny to the purpose and expected nature of transactions.
The distinction matters because a customer can pass standard CDD checks and still present significant risk. A politically exposed person (PEP), for example, may hold a valid passport but carry substantial corruption risk due to their role. Standard checks alone won’t surface that level of exposure.
The legal basis in Australia
Understanding when enhanced due diligence is required means knowing where the obligation sits in law. AUSTRAC’s AML/CTF Rules set out specific obligations for reporting entities. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, businesses must apply a risk-based approach to customer due diligence, and EDD is a required component whenever a customer or transaction falls into a high-risk category as defined by your AML/CTF programme.
Your AML/CTF programme must document how you identify those high-risk categories and what additional measures you take in response. AUSTRAC expects your programme to be a living document, updated as your customer base, products, and risk environment evolve.
Why enhanced due diligence matters for compliance
Compliance with AML/CTF obligations is not just a regulatory box to tick. AUSTRAC actively supervises reporting entities and has the authority to issue significant civil penalties, enforceable undertakings, and public warnings for failures in your due diligence programme. If your business cannot demonstrate that it identified high-risk relationships and responded appropriately, you carry real legal exposure.
The cost of getting it wrong
Failing to apply EDD where it is required leaves your business open to facilitating financial crime without even knowing it. Regulators do not require intent for a breach to occur. They require evidence that your programme was adequate, documented, and consistently applied.
A weak AML/CTF programme is treated as a systemic failure, not an isolated oversight, and penalties reflect that.
How EDD protects your business
Beyond avoiding penalties, applying EDD correctly gives your business a defensible compliance position. When AUSTRAC reviews your programme, they want to see that you understood your risk environment, escalated appropriately, and kept clear records of every decision. A well-run EDD process is direct evidence that your business takes its obligations seriously, and that matters when regulators are deciding how to respond to a problem.
When enhanced due diligence is required: key triggers
Understanding exactly when enhanced due diligence is required starts with identifying the specific risk factors that push a customer or transaction above the standard threshold. AUSTRAC does not give you a rigid checklist, but it does identify categories of elevated risk that should trigger EDD in any compliant programme.
If a customer or transaction falls into one of these categories, applying standard CDD alone puts your business in breach of its AML/CTF obligations.
High-risk triggers you need to know
Several factors consistently flag the need for EDD. Politically Exposed Persons (PEPs), meaning individuals who hold or have held prominent public roles, require EDD by default due to their corruption risk. Transactions involving high-risk jurisdictions, particularly those on FATF’s grey or black lists, also mandate escalation. Other common triggers include:

- Customers with complex or opaque ownership structures, such as layered trusts or shell companies
- Non-face-to-face customer relationships where identity verification carries inherent uncertainty
- Cash-intensive or high-value transactions that lack a clear commercial explanation
- Business relationships in high-risk industries such as crypto, gambling, or international remittance
What you must check and document during EDD
Knowing when enhanced due diligence is required is only half the obligation. You also need to know what to collect and how to record it. AUSTRAC expects your EDD process to produce a clear, auditable trail that demonstrates you understood the risk and took proportionate action.
Your records need to show not just what you checked, but why you decided to escalate in the first place.
Core information you must gather
Your EDD process must go well beyond standard identity verification. You need to collect evidence of the source of funds, including bank statements, tax records, or business financials that explain where the customer’s money originates. You must also verify beneficial ownership, identifying every individual who ultimately owns or controls the entity you are dealing with.

Documentation standards AUSTRAC expects
Your records must be specific, dated, and signed off by an appropriate person within your business. Vague notes do not satisfy regulatory requirements. AUSTRAC expects you to document the rationale behind your risk assessment, the steps you took, the information you collected, and any ongoing monitoring decisions you made as the relationship continued.
How to run EDD in a practical workflow
Understanding when enhanced due diligence is required only helps if your team can act on it consistently. A practical EDD workflow gives your staff clear decision points and defined responsibilities at every stage, from initial screening through to ongoing monitoring.
Build a risk-based trigger checklist
Your workflow should start with a structured screening step that flags high-risk indicators before onboarding begins. Map each trigger, such as PEPs, high-risk jurisdictions, and complex ownership structures, to a specific escalation action. Make sure every staff member handling client intake knows what to do when a flag appears. A simple internal checklist, reviewed at least annually, keeps your team consistent and your programme audit-ready.
Your checklist is only useful if your team applies it every time, not just when something looks suspicious.
Keep records in your existing system
Once EDD is triggered, document every step directly in your CRM or case management tool. Log what information you collected, who reviewed it, and what decision was made.
Consistent documentation is what separates a defensible programme from one that fails under scrutiny. Using a platform like StackGo’s IdentityCheck means verification outcomes write back automatically to your existing system, reducing administrative gaps in your compliance records.

Key takeaways and next steps
Knowing when enhanced due diligence is required comes down to recognising the right triggers, acting on them consistently, and keeping clear, auditable records of every decision. The specific risk factors, whether a PEP, a high-risk jurisdiction, or a complex ownership structure, must translate into documented action, not just internal awareness.
Your AML/CTF compliance programme only holds up under scrutiny if your team applies EDD consistently and records the outcome in your existing systems. Manual processes and disconnected tools create gaps that regulators will find. Platforms like StackGo close those gaps by running identity verification directly inside your CRM, writing results back automatically so your records stay complete without extra admin.
If your firm is preparing for AUSTRAC’s Tranche 2 reforms, now is the right time to review how your EDD process actually works in practice. See how IdentityCheck supports AUSTRAC Tranche 2 AML/CTF compliance and test whether it fits your existing workflow.







