    Insights · 6 May 2026 · 5 min read

    Customer Due Diligence: How Australian SMEs Should Verify Client Identity

    Summary

    Customer due diligence is where the AML/CTF regime meets your front desk. This guide sets out what an Australian SME must do to verify identity, understand who is really behind a customer and keep watching over time, under the AML/CTF Act. It also flags what changes for firms newly captured by the Tranche 2 reforms from 1 July 2026.

    Last reviewed · Reviewed by Jamie Nuich, Legal Practitioner Director

    Key Takeaways

    • Verify customer identity from reliable and independent sources before you provide a designated service.
    • For non-individual customers, understand the structure and identify the beneficial owners who ultimately control it.
    • Higher-risk customers and circumstances call for enhanced due diligence, including screening for politically exposed persons.
    • Ongoing due diligence means keeping information current and watching for activity that does not fit the customer.
    • Recording how you verified is as important as the verification itself.

    Customer due diligence is where the AML/CTF regime meets your front desk. This guide sets out what an Australian SME must do to verify identity, understand who is really behind a customer and keep watching over time, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). It also flags what changes for firms newly captured by the Tranche 2 reforms from 1 July 2026.

    In Brief

    Due diligence is generally completed before a designated service is provided. Identity is verified from reliable and independent sources. For entities, you identify the beneficial owners behind them. The work does not stop at onboarding. It is ongoing.

    Step 1: Identify and verify the customer

    Collect identifying information, then verify it. For an individual that usually means full name and either date of birth or residential address, confirmed against reliable and independent sources. Government-issued documents and reputable electronic verification services are the common routes.

    Verification is more than collection. Holding a copy of a licence does not confirm the person is who they say they are. The standard is information that is reliable and independent of the customer's own word for it.

    Step 2: Understand non-individual customers

    Where the customer is a company, trust, partnership or other entity, the work expands. You need to understand the structure and identify the beneficial owners, meaning the individuals who ultimately own or control it. For a company that can mean tracing shareholdings. For a trust it means understanding the trustees, settlor and beneficiaries.

    This is where the regime earns its purpose. Layered structures are used to hide control, so finding the natural persons behind an entity is the point, not a formality.

    Step 3: Apply a risk-based approach

    Customers do not all carry the same risk, and the regime is built around that. The depth of due diligence should track the risk in front of you. Most customers are handled with standard measures. Higher-risk ones call for enhanced due diligence.

    Enhanced measures can include checking the source of funds, gathering more on the customer and applying closer scrutiny to the relationship. Politically exposed persons are a standard trigger here. So are opaque structures, unusual circumstances and links to higher-risk jurisdictions. Put the effort where the risk sits rather than treating every customer the same.

    Step 4: Conduct ongoing customer due diligence

    Onboarding is the start, not the finish. The Act requires ongoing due diligence with two limbs. Keep customer information current, so what you hold reflects the customer as they are now. And monitor transactions and behaviour, so activity that does not fit gets noticed.

    This monitoring is what feeds suspicious matter reporting. Verify once at onboarding and never look again, and you will not see the thing that should have prompted a report. Our review of common gaps in starter kits notes that weak ongoing monitoring is one of the most frequent failures.

    Step 5: Record what you did

    Document the process. Record what you collected, how you verified it, what you concluded about beneficial ownership and risk and what ongoing monitoring you applied. The Act sets retention periods for these records.

    Good records do two jobs. They show compliance if AUSTRAC asks, and they give your own team a reference point when a customer's later activity needs to be measured against what you first understood. Our anti-money laundering practice page covers how we design onboarding.

    What Tranche 2 means for newly captured firms

    From 1 July 2026 the Tranche 2 reforms bring lawyers, accountants, conveyancers, real estate professionals, dealers in precious metals and stones and trust and company service providers into the regime. If that is you, customer due diligence is one of the first things to build, because much of it has to run from the day you start providing a designated service. The customer identification and verification steps in this guide, including beneficial ownership and PEP screening, sit at the centre of the program you will need in place.

    Practical tips for SMEs

    • Build a simple intake form that captures the right information from the start.
    • Decide in advance which sources you will treat as reliable and independent.
    • For entity customers, ask for the ownership structure up front rather than chasing it later.
    • Set a trigger for reviewing customer information, whether a periodic check or a change in the relationship.
    • Keep verification records with the customer file, not scattered across systems.

    Frequently Asked Questions

    When must I verify a customer's identity?

    Generally before you provide the designated service. Verification at the start of the relationship is the default, with limited exceptions under the Rules.

    What counts as reliable and independent information?

    A source that does not simply repeat the customer's own assertion. Government-issued identity documents and reputable electronic verification services are common. The source has to provide genuine, independent confirmation.

    What is a beneficial owner?

    The individual or individuals who ultimately own or control a customer. For a company, the natural persons behind the shareholdings. For a trust, those who control or benefit from it. Identifying them is core to due diligence on non-individual customers.

    What is enhanced customer due diligence?

    Extra measures for higher-risk customers or situations. It can include checking the source of funds, gathering more information, screening for politically exposed persons and monitoring the relationship more closely than a standard customer.

    Do I really need to monitor customers after onboarding?

    Yes. Ongoing due diligence means keeping information current and watching for activity that does not fit. That monitoring is what lets a suspicious matter be identified and reported.

    This is general information, not advice on your situation. If you would like help designing customer due diligence procedures, get in touch or call (07) 3519 5616.

    Sources and References

    • Legislation: Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
    • Legislation: Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth)
    • Regulator: AUSTRAC customer identification guidance

    This article is for general information purposes only and does not constitute legal advice and should not be relied on as such. While we take reasonable care to ensure the accuracy of the information provided, we make no representations or warranties as to its completeness, currency or reliability. We accept no liability for any loss or damage arising directly or indirectly from the use of, or reliance on, this website's content. You should always seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.
