Prepare to conduct customer due diligence

Customer Due Diligence (CDD) – what practitioners need to know

Practitioners must be ready to conduct Customer Due Diligence (CDD) by 1 July 2026.

In practice, CDD will usually take the form of client due diligence. Under the AML/CTF regime, practitioners will need to carry out:

Before providing a designated service, your Program must outline how you will:

  • Establish the client’s identity
  • Understand the nature and purpose of the business relationship or transaction, and
  • Assess the client’s money laundering and terrorism financing (ML/TF) risk.

This involves collecting and verifying Know Your Client (KYC) information using reliable, independent data that’s appropriate to the client’s risk level. In some cases, this may include information about the client’s source of wealth and funds.

Your Program must also describe how you will monitor client activity to detect unusual transactions or behaviours, and how you will review relationships for any significant changes that may affect ML/TF risk. This may include collecting and verifying additional KYC information, such as the client’s source of wealth and funds, where needed.

Examples of ‘unusual transactions or behaviours’ include:

  • Instructions that do not make commercial sense
  • Sudden changes to instructions or funding arrangements
  • Unusual payment methods
  • Reluctance to provide identification or comply with CDD, combined with urgent instructions 
  • Services with no clear economic or legal purpose
  • Unusually large or complex transactions, or
  • Unusual transaction patterns (s30(5)).

For clients or transactions that pose a higher ML/TF risk, your Program must specify enhanced CDD measures. These apply to situations such as:

  • Those identified as ‘unusual transactions or behaviours’ (s30(5))
  • Foreign politically exposed person (PEP)
  • High-risk domestic or international PEP
  • High-risk jurisdiction client.

Enhanced CDD typically involves obtaining and verifying detailed information about the client’s source of wealth and source of funds.

If a client presents a low ML/TF risk and enhanced CDD is not required, your Program may allow for simplified CDD procedures.

The level of CDD required will depend on the client’s risk profile.

Solicitors already undertake Verification of Identity (VOI), which will assist in meeting both CDD and “know your client” (KYC) obligations. Before providing a designated service, your AML/CTF Program must set out procedures for:

  • Establishing the client’s identity
  • Understanding the nature and purpose of the business relationship or transaction, and
  • Assessing the money laundering and terrorism financing (ML/TF) risk.

This includes collecting and verifying KYC information using reliable, independent sources appropriate to the level of ML/TF risk. In some cases, you may also need to obtain information about the client’s source of wealth and funds.

Existing clients (those who are clients as at 1 July 2026) will not require initial or ongoing CDD unless:

  • A suspicious matter report must be filed in relation to that client, or
  • There is a significant change in the nature or purpose of the business relationship that increases the ML/TF/PF risk to medium or high (s36).

If either occurs, the practitioner must complete initial CDD, and the client will no longer be considered a pre-commencement client.

Practice tip:

Start to consider your clients in a different way when you onboard them:

  • Who are your clients? ie: are they individuals, businesses, corporate entities, trusts, cash-intensive businesses, investors etc.
  • Who are your ultimate clients? (eg: understand beneficial owners)
  • Are they local or based overseas – start to collect this information (country) as part of your onboarding process.
  • How are they onboarded? – in person or online
  • How are your services to be provided?
  • Whether files are up to date – this is important for ongoing CDD, record keeping and accountability.
  • Whether the services provided and/or the client are vulnerable to ML/TF exploitation.
  • When necessary, their source of funds and wealth.