Customer Due Diligence (CDD/KYC): A Practical Guide for Tranche 2 Entities
Key takeaways
- CDD/KYC is a three-part, ongoing process: identify the customer, verify them with reliable independent sources, then monitor the relationship and transactions over time.
- Tranche 2 obligations commence on 1 July 2026 and apply to real estate, precious metals and stones dealers, and certain professional service providers when they provide specified designated services.
- Risk-rate every customer and let that rating drive effort: standard CDD for most, enhanced due diligence (EDD) for higher-risk situations such as PEPs, opaque structures, or higher-risk jurisdictions.
- Record what you verified and when; CDD records feed your reporting (SMRs and TTRs) and the seven-year record-keeping obligation.
- This is general information, not legal advice. Your exact obligations depend on the designated services you provide, so confirm with AUSTRAC or a qualified adviser.
You are the person who has just been handed responsibility for AML/CTF at a real estate agency, a law or conveyancing practice, an accounting firm, a trust and company service provider, or a business that deals in precious metals and stones. From 1 July 2026, when tranche 2 obligations commence, you will need a working customer due diligence (CDD/KYC) process in place. Right now you are deciding what "good enough" actually looks like, and how to build it without over-engineering it.
This guide walks through the decision you face: how to identify and verify your customers, how to risk-rate them, and when enhanced due diligence (EDD) applies. It is general information only, not legal advice, and your exact obligations depend on the specific designated services you provide. Always confirm against AUSTRAC guidance and, where needed, a qualified adviser.
What customer due diligence (CDD/KYC) actually is
Customer due diligence, often called KYC (know your customer), is the set of steps you take to understand who your customer is, what they are doing with you, and whether their use of your services makes sense. It is one of the core obligations of a reporting entity under Australia's AML/CTF regime, administered by AUSTRAC.
CDD is not a one-off form at sign-up. It has three connected jobs:
- Identify the customer (and, where relevant, any beneficial owners and people acting on their behalf).
- Verify that they are who they say they are, using reliable and independent information.
- Understand and monitor the relationship on an ongoing basis, so you can spot activity that does not fit what you would expect.
That last point is what trips up first-timers. CDD includes ongoing customer due diligence and transaction monitoring across the life of the relationship, not just at onboarding.
Who and what this applies to
Tranche 2 refers to the reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extend Australia's AML/CTF regime to new sectors, the so-called tranche 2 entities. The new obligations are due to commence on 1 July 2026.
The newly captured sectors are:
- Real estate professionals involved in buying and selling property.
- Dealers in precious metals and precious stones.
- Certain professional service providers, including lawyers, conveyancers, accountants, and trust and company service providers.
The important nuance: these obligations bite when you provide specified designated services, not simply because of your job title. An accountant who only prepares a tax return is in a different position to one who, for example, helps set up a company structure or manage client money. Your first task is to map which of your activities are designated services, because that determines whether CDD applies and to whom. Because the exact boundaries are set in the rules, treat the detail here as a starting point and confirm scope as the AUSTRAC rules are finalised.
The steps to take: identify, verify, risk-rate
Build your CDD process around a clear sequence. For a standard, lower-risk customer it looks like this:
- Collect identity information. For an individual, that is typically full name, date of birth, and residential address. For a company or trust, you also need to understand the structure and identify the beneficial owners, the people who ultimately own or control it.
- Verify the information. Use reliable and independent sources, such as government-issued identity documents or a reputable electronic verification service. Record what you relied on and when.
- Identify who you are really dealing with. Establish whether the customer is acting on their own behalf or for someone else, and check for beneficial owners and any agents authorised to act.
- Risk-rate the customer. Assign a money laundering/terrorism financing (ML/TF) risk rating based on factors such as customer type, the service provided, delivery channel, and any geographic or jurisdictional risk. Your AML/CTF program's risk assessment should define how you score these factors and how the scores map to a rating.
- Decide the level of due diligence. Most customers get standard CDD. Higher-risk customers get enhanced due diligence (covered below). Where genuinely low risk and permitted, simplified measures may be appropriate.
- Monitor on an ongoing basis. Keep customer information current, watch transactions for activity that is unusual or inconsistent with what you know, and re-rate risk when circumstances change.
The key mindset shift: CDD is risk-based. You are not applying identical effort to every customer; you are applying proportionate effort driven by your risk assessment.
When enhanced due diligence (EDD) applies
Enhanced due diligence is the deeper level of scrutiny you apply when the risk is higher. As a compliance lead, you need a written trigger list so EDD is consistent and not left to individual judgement on the day.
Common situations that should trigger EDD include:
- The customer or a beneficial owner is a politically exposed person (PEP), particularly a foreign PEP.
- There are links to higher-risk jurisdictions or sanctioned countries.
- The customer structure is unusually complex or opaque, making beneficial ownership hard to establish.
- The transaction is unusually large, unusual in pattern, or has no apparent economic or lawful purpose.
- Anything that, against your risk assessment, scores as high risk.
EDD typically means taking additional measures: collecting more information, verifying that information through additional sources, understanding the source of funds or wealth where appropriate, applying closer ongoing monitoring, and obtaining senior approval to establish or continue the relationship. The exact EDD measures expected will be set out in the rules, so confirm the specifics as the AUSTRAC rules are finalised.
How CDD fits into your wider obligations
CDD does not stand alone. If you are a reporting entity, it sits inside a broader set of obligations that you build once and run continuously:
- Enrol with AUSTRAC via AUSTRAC Online.
- Develop and maintain an AML/CTF program, covering governance, a documented ML/TF risk assessment, and your policies, procedures, systems and controls.
- Conduct CDD/KYC, including ongoing CDD and transaction monitoring (the subject of this guide).
- Report suspicious matters (SMRs) and threshold transactions involving physical currency of AUD 10,000 or more (TTRs).
- Keep records, generally for seven years.
- Appoint an AML/CTF compliance officer (AMLCO) to own the program.
Your CDD records feed directly into reporting and record-keeping, so design them to be findable and auditable from day one. Non-compliance can attract significant civil and criminal penalties, which is reason enough to get the foundations right rather than retrofit them later.
Common mistakes first-timers make
If you are standing up CDD for the first time, these are the traps worth avoiding:
- Treating CDD as a one-off. Onboarding checks without ongoing monitoring leave a gap that grows over time.
- Stopping at the named customer. Failing to identify beneficial owners or agents acting on behalf of the customer is a frequent weakness, especially with companies and trusts.
- Applying the same effort to everyone. A risk-based regime expects proportionality. Flat, one-size-fits-all checks waste effort on low-risk customers and under-scrutinise high-risk ones.
- No written EDD triggers. If your team cannot point to a clear list of what makes a customer high risk, EDD will be inconsistent.
- Verifying but not recording. If you cannot show what you relied on and when, you cannot demonstrate compliance later.
- Building CDD in isolation. CDD should align with your risk assessment, your monitoring rules, and your reporting workflow, not sit in a separate spreadsheet nobody updates.
A practical onboarding checklist
Use this as a starting baseline for a standard-risk customer, then adapt it to your designated services and risk assessment:
- Confirm the activity is a designated service that triggers CDD.
- Collect identity details (individual: name, date of birth, address; entity: structure and beneficial owners).
- Verify identity against reliable, independent sources and record the evidence and date.
- Identify beneficial owners and anyone acting on the customer's behalf.
- Screen against relevant PEP and sanctions considerations.
- Assign a risk rating using your documented factors.
- Apply standard, simplified, or enhanced measures based on that rating.
- Set the customer up for ongoing monitoring and a review trigger.
- File records so they are retrievable for the seven-year retention period.
One practical note: an audit-ready template kit, with a CDD/KYC procedure, a customer risk-rating matrix, an onboarding checklist, and an EDD trigger sheet, can save a first-time compliance lead a lot of blank-page time. It gives you a defensible structure to tailor rather than inventing the wording and the scoring model from scratch. Whatever you adopt, make sure it reflects your own designated services and risk assessment, because a template is a head start, not a substitute for thinking through your own risk.
Frequently asked questions
What is the difference between CDD and KYC?
When do tranche 2 CDD obligations start?
Does CDD apply to every client of an accountant or lawyer?
When do I need to apply enhanced due diligence?
How long do I have to keep CDD records?
What else do I need besides CDD to be compliant?
Sources
- AUSTRAC — AML/CTF reforms (tranche 2)
- AUSTRAC — Customer identification and verification (KYC)
- AUSTRAC — Ongoing customer due diligence
- Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Federal Register of Legislation)
This article is general information only and is not legal or compliance advice. Your obligations depend on the designated services you provide. Confirm your position with AUSTRAC (austrac.gov.au) or a qualified adviser.