Enhanced Due Diligence in Australia: AUSTRAC & AML/CTF Act Compliance Guide
Enhanced Customer Due Diligence (ECDD) under Australia's AML/CTF Act 2006 and 2024 reforms: mandatory triggers, 7-step process, documentation requirements, Tranche 2 obligations, and AUSTRAC compliance tools explained.

Enhanced Customer Due Diligence (ECDD) is the most intensive tier of customer verification required under Australian law when a business relationship presents elevated risk of money laundering or terrorism financing. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) as substantially reformed by the AML/CTF Amendment Act 2024, ECDD is a mandatory legal obligation for Australian reporting entities, not a discretionary risk management choice. The 2024 reforms, together with the AUSTRAC Transitional Rules 2026, represent the most significant overhaul of the Australian AML/CTF framework in nearly two decades, including the long-anticipated Tranche 2 expansion that brings lawyers, accountants, and real estate agents into the regime from 1 July 2026.
For a broader overview of the AML compliance landscape, see our document compliance guide.
This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references reflect the AML/CTF Act framework as of May 2026, including the AML/CTF Amendment Act 2024 and the AUSTRAC Transitional Rules 2026. Consult a qualified legal or compliance professional for guidance specific to your organisation.
What Is Enhanced Customer Due Diligence (ECDD) Under Australian Law?
ECDD is the most demanding of three customer due diligence tiers established by the Financial Action Task Force (FATF) and implemented in Australian law through the AML/CTF Act 2006 and AML/CTF Rules 2007 (Chapter 4). The three tiers are:
- Simplified due diligence: applicable only where risk is demonstrably low for specific customer categories recognised under the AML/CTF Rules
- Standard Customer Due Diligence (CDD): the baseline identification and verification required for most business relationships (AML/CTF Act s. 32; AML/CTF Rules Chapter 4)
- Enhanced Customer Due Diligence (ECDD): mandatory additional measures applied where higher risk is identified (AML/CTF Act s. 37B; AML/CTF Rules Chapter 4)
A question raised consistently by Australian compliance professionals (including at AUSTRAC-sponsored industry forums) is whether ECDD is limited to the specific categories named in the AML/CTF Rules or applies more broadly. The answer is broader. The risk-based approach embedded in the AML/CTF Act requires reporting entities to apply ECDD whenever their own AML/CTF programme's risk assessment identifies elevated risk, regardless of whether a named statutory category is present. Treating ECDD as a checklist confined to foreign PEPs and correspondent banking relationships leaves firms exposed to AUSTRAC enforcement where other elevated-risk circumstances exist.
FATF Recommendation 10 requires ongoing due diligence throughout the business relationship; Recommendation 12 mandates specific ECDD measures for Politically Exposed Persons.
When Is ECDD Required? AML/CTF Act Triggers
The AML/CTF Act (s. 37B) and AML/CTF Rules (Chapter 4) establish the circumstances requiring ECDD. The AML/CTF Amendment Act 2024 introduced new ECDD requirements for PEPs, which came into force in March 2026 under the AUSTRAC Transitional Rules.
| Trigger | Australian Legal Basis | Practical Examples |
|---|---|---|
| Foreign Politically Exposed Persons (PEPs) and domestic PEPs | AML/CTF Act s. 37B; AML/CTF Rules Ch. 4; FATF Rec. 12 | Foreign heads of state and government; Commonwealth, state, and territory senior officials (Ministers, Secretaries, senior judiciary, military chiefs); their family members and close associates |
| High-risk third countries | AML/CTF Rules r. 4.4; FATF black/grey list + AUSTRAC country risk assessment | Transactions involving jurisdictions on the FATF black or grey list, or subject to an AUSTRAC country risk assessment advisory |
| Correspondent banking relationships | AML/CTF Act s. 37B; FATF Rec. 13 | Relationships with overseas financial institutions where the respondent's AML/CTF controls are not fully assessed |
| High-risk industries or unusual transaction patterns | AML/CTF Rules Ch. 4; AUSTRAC guidance | Clients in high-risk industries (cash-intensive businesses, virtual asset trading, precious metals), or presenting transaction patterns inconsistent with their stated profile |
| Complex beneficial ownership structures | AML/CTF Rules Ch. 4 | Companies with multi-layered ownership, trusts (including SMSFs used as investment vehicles), or structures where ultimate beneficial ownership is unclear |
| Non-face-to-face customers (online/digital onboarding) | AML/CTF Rules r. 4.8 | Customers onboarded remotely where additional risk indicators are present beyond mere physical absence |
| Virtual Asset Service Providers (VASPs) | AML/CTF Act (as amended 2024); AUSTRAC VASP registration from 31 March 2026 | Cryptocurrency exchanges, digital wallet providers, and token issuers newly regulated by AUSTRAC from March 2026 |
The Tranche 2 reforms: The AML/CTF Amendment Act 2024 expanded the AML/CTF regime to approximately 100,000 additional entities: the "Tranche 2" entities including legal practitioners, accountants, real estate agents and agents, trust and company service providers, and dealers in precious metals and stones. These entities become subject to the full AML/CTF Act obligations, including ECDD requirements, from 1 July 2026. The AUSTRAC Transitional Rules 2026 provide a phased compliance pathway, but reporting entities in these sectors should treat their ECDD frameworks as a priority implementation task for the first half of 2026. For lawyers and accountants in particular, the intersection of AML/CTF obligations with professional confidentiality duties requires careful analysis.
The ECDD Process: 7 Steps for AUSTRAC Compliance
A defensible ECDD process follows seven sequential steps. Deficiencies in any of these are a primary focus of AUSTRAC compliance assessments and enforcement investigations.
Step 1: Enhanced identity verification
Standard CDD identification must be supplemented with additional independent sources. For individuals, this means verifying against an Australian passport or state/territory driver licence, combined with an ATO Tax File Number (TFN) where appropriate, plus a second corroborating document. For companies, an ASIC company extract confirming the Australian Business Number (ABN) or Australian Company Number (ACN) is required, together with constitutional documents. Verification against AUSTRAC-approved electronic verification services may satisfy identity requirements, but the adequacy of those services must be assessed under the reporting entity's AML/CTF programme.
Step 2: Beneficial ownership verification
ECDD requires going beyond the customer's self-declaration. For companies, this means mapping the full ownership structure to identify all individuals who ultimately own or control 25% or more of the entity, referencing ASIC company extracts and, where relevant, trust deeds for trustee structures. For Self-Managed Superannuation Funds (SMSFs), the relevant individuals are the trustees. The AML/CTF Amendment Act 2024 strengthened beneficial ownership verification requirements, and Tranche 2 entities should expect AUSTRAC to scrutinise beneficial ownership documentation closely.
Step 3: Source of funds (SOF) verification
Source of funds refers to the origin of the specific money involved in the transaction or relationship. Documentary evidence is required: bank statements, sale proceeds documentation, loan agreements, payroll records, or superannuation fund statements. A bank statement alone, without documentation explaining why those funds are present, is insufficient for ECDD purposes.
Step 4: Source of wealth (SOW) verification
Source of wealth addresses how the customer has accumulated their total wealth over time, distinct from source of funds. For PEPs and high-net-worth customers, this requires salary history, business valuations, inheritance documentation, or multi-year tax assessments. Both SOF and SOW are required for a complete ECDD file for PEPs. Conflating the two concepts is a recurring finding in AUSTRAC compliance assessments.
Step 5: Senior management approval
The AML/CTF Rules require Board-level or equivalent senior management approval before establishing a business relationship with a PEP, and before continuing a relationship where a customer is subsequently identified as a PEP. This approval must be documented, attributed to a named senior individual, dated, and retained in the ECDD file.
Step 6: Enhanced ongoing monitoring
ECDD relationships require more intensive transaction monitoring: lower alert thresholds, more frequent review cycles, and heightened scrutiny of any deviation from the established customer profile. For PEPs, profile reviews should occur at least every six months. Any material change in risk profile (new political appointment, corporate restructuring, sanctions listing, move to a high-risk jurisdiction) must trigger immediate reassessment.
Step 7: AUSTRAC reporting and record retention
Where monitoring identifies suspicious matters, a Suspicious Matter Report (SMR) must be filed with AUSTRAC under AML/CTF Act s. 41. Transactions of AUD $10,000 or more in physical currency require a Threshold Transaction Report (TTR) filed with AUSTRAC under AML/CTF Act s. 43. Records must be retained for seven years from the date of the transaction, or seven years after the end of the business relationship, whichever is later (AML/CTF Act s. 107).
ECDD Documentation: What Australian Reporting Entities Must Collect
The following table sets out the documentation typically required by customer category. The risk-based approach requires adaptation to specific circumstances.
| Document Category | Individual Customers | Corporate Customers | PEPs / High-Risk Customers |
|---|---|---|---|
| Primary identity | Australian passport or state/territory driver licence | ASIC company extract (ABN/ACN) + Certificate of Registration | Passport + second independent identity document |
| Additional identity | ATO Tax File Number (TFN) (where applicable) | Constitutional documents (constitution or replaceable rules) | As individual + declaration of primary residence |
| Beneficial ownership | Declaration + ASIC/AUSTRAC verification | Full UBO mapping (25% threshold) + ownership chart; SMSF: trustee identification | Declaration + independent verification of related entities |
| Source of funds (SOF) | Bank statements, sale proceeds, payroll, superannuation statements | Audited accounts, contracts, loan agreements | As individual + formal salary/benefit schedule |
| Source of wealth (SOW) | Not always required at standard ECDD level | Not always required | Mandatory: tax assessments, business valuation, inheritance documents |
| Senior management approval | Not required | Not required | Mandatory: Board or equivalent, named approver, dated |
| Purpose of relationship | Customer declaration | Declaration + supporting commercial documents | Enhanced declaration + corroborating documentation |
| AUSTRAC reporting | SMR if suspicious; TTR for cash ≥ AUD $10,000 | SMR if suspicious; TTR for cash ≥ AUD $10,000 | SMR if suspicious; enhanced monitoring records retained 7 years |
For a sector-by-sector due diligence checklist, see our customer due diligence checklist by sector.
Standard CDD vs Enhanced CDD (ECDD): Key Differences
| Dimension | Standard CDD | Enhanced CDD (ECDD) |
|---|---|---|
| Trigger | Default for all customers | Elevated risk: PEP, high-risk country, complex structure, own risk assessment |
| Identity verification | One official identity document + electronic verification | Passport/driver licence + additional independent sources + TFN where applicable |
| Beneficial ownership | Declaration + ASIC check | Full chain mapping, independent cross-referencing; SMSF trustee identification |
| Source of funds | Not systematically required | Mandatory documentary evidence |
| Source of wealth | Not required | Mandatory for PEPs and elevated-risk customers |
| Senior management approval | Not required | Mandatory (Board or equivalent) before engaging a PEP |
| Review frequency | Annual or less frequently depending on risk | At least every 6 months for PEPs |
| Transaction monitoring | Standard AUSTRAC thresholds | Lower thresholds, event-driven reviews |
| AUSTRAC reporting | SMR if suspicious; TTR for ≥ AUD $10,000 | SMR if suspicious; TTR for ≥ AUD $10,000; full ECDD records retained |
| Record retention | 7 years from transaction or end of relationship | 7 years, with significantly more extensive documentation |
| Penalty exposure | Civil penalties up to AUD $222 million per contravention | Same framework, aggravated treatment for systematic or wilful non-compliance |
Ongoing Monitoring and Suspicious Matter Reporting
Ongoing monitoring under Australian law is a continuous obligation embedded in every reporting entity's AML/CTF programme. For ECDD customers, this means:
- Scheduled periodic reviews: at minimum every six months for PEPs; at least annually for other ECDD-designated customers, more frequently where risk indicators warrant
- Real-time transaction monitoring: automated detection of transactions that deviate from the established customer profile, with timely human review of all flagged activity
- Event-triggered reviews: any material change (political appointment, corporate restructuring, sanctions designation, movement to a high-risk jurisdiction) must trigger immediate reassessment regardless of the scheduled review cycle
- Suspicious Matter Reporting: where monitoring identifies suspicious matters, an SMR must be filed with AUSTRAC without tipping off the customer. The AML/CTF Act prohibits disclosure of the fact that an SMR has been filed (AML/CTF Act s. 123)
- Threshold Transaction Reporting: any transaction in physical currency of AUD $10,000 or more must be reported to AUSTRAC via a TTR within the prescribed timeframe
The scale of AUSTRAC's enforcement programme illustrates the consequences of inadequate ECDD controls. The landmark AUSTRAC v Commonwealth Bank of Australia (2018) resulted in an AUD $700 million penalty, then the largest corporate penalty in Australian history. That record was surpassed when AUSTRAC v Westpac (2020) resulted in an AUD $1.3 billion penalty. The AUSTRAC Annual Report 2024 reported over 880 million transaction reports submitted, reflecting the volume of financial intelligence that AUSTRAC analyses. According to the ACFE 2024 Report to the Nations, only 37% of fraud cases are detected through manual controls, a figure that reinforces the inadequacy of manually driven monitoring programmes at scale.
Privacy law and ECDD data collection: The collection of sensitive personal information for ECDD purposes is subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), administered by the Office of the Australian Information Commissioner (OAIC). APP 3 requires that reporting entities collect only the personal information that is reasonably necessary for the ECDD purpose. APP 5 requires customers to be notified of the collection purpose at or before the time of collection. The OAIC's guidance on APP compliance for financial services entities is available at oaic.gov.au.
For a full picture of Australian AML obligations, see our anti-money laundering compliance guide.
Automating ECDD with CheckFile
Manual ECDD processes are resource-intensive, inconsistent, and prone to documentation gaps. The collection of supporting documents, verification of their authenticity, cross-referencing with PEP and sanctions lists, beneficial ownership mapping, and seven-year archiving: each step creates operational risk when handled through disconnected workflows. AUSTRAC expects reporting entities to maintain systems and controls proportionate to their AML/CTF risk exposure, and the 2024 reforms raise the bar on what "proportionate" means for larger and more complex businesses.
CheckFile automates the critical steps of the ECDD workflow:
- Document authenticity verification across more than 3,200 document types in 32 jurisdictions, with deepfake detection and tamper analysis covering Australian identity documents including passports and state/territory driver licences
- Structured data extraction (OCR and semantic validation) that feeds directly into customer records, eliminating manual re-keying and reducing transcription error
- Cross-document consistency checks: verifying that names, dates, addresses, and reference numbers are coherent across all documents in the ECDD file, including ASIC extract cross-referencing and beneficial ownership mapping support
- Compliant archiving with full audit trails of actions and decisions, retained for the legally required seven-year period under AML/CTF Act s. 107
The platform integrates via API with document management systems, PEP and sanctions screening tools, and existing CRM infrastructure. Explore our solutions for banking and KYC, our approach to security, and our pricing.
To learn more about how CheckFile supports ECDD programmes in Australia, visit CheckFile.ai.
Frequently Asked Questions
How do the 2024 Tranche 2 reforms affect my ECDD obligations?
The AML/CTF Amendment Act 2024 is the most significant change to the Australian AML/CTF framework since 2006. For Tranche 2 entities (legal practitioners, accountants, real estate agents, trust and company service providers, and dealers in precious metals and stones) the reforms mean that from 1 July 2026, your business is subject to the full AML/CTF Act obligations for the first time, including the obligation to enrol with AUSTRAC, develop an AML/CTF programme, conduct customer due diligence and ECDD for high-risk customers, and file SMRs and TTRs. AUSTRAC has published a Tranche 2 implementation guide to assist new reporting entities. For Tranche 1 entities (banks, financial services providers, remitters, digital currency exchange providers), the 2024 reforms strengthen existing ECDD requirements, particularly for PEPs, VASPs, and correspondent banking, with the new ECDD rules for PEPs applying from March 2026.
Does ECDD apply only to foreign PEPs, or to domestic Australian PEPs as well?
The AML/CTF Act and AML/CTF Rules 2007 (as amended by the 2024 reforms) extend ECDD obligations to both foreign PEPs and domestic Australian PEPs. Domestic PEPs include senior Commonwealth, state, and territory government officials: Ministers, members of Parliament, senior public servants, senior members of the judiciary, and senior military officers, together with their family members and known close associates. Reporting entities should maintain a current definition of domestic PEP categories within their AML/CTF programme.
What is the difference between source of funds and source of wealth for ECDD purposes?
Source of funds (SOF) addresses the specific money involved in the transaction or relationship: where did this particular capital originate? Source of wealth (SOW) addresses the customer's overall financial position: how was their total wealth accumulated over time? Both are required for a complete ECDD file for PEPs and elevated-risk customers. A customer may have a legitimate SOF (proceeds from an ASX share sale) while their overall SOW remains unclear, in which case the ECDD file is incomplete without documenting both. Conflating the two is a common gap identified in AUSTRAC compliance assessments.
How long must ECDD records be retained?
Under AML/CTF Act s. 107, records must be retained for seven years from the date of the relevant transaction, or seven years after the end of the business relationship, whichever is later. This applies to all ECDD documentation including identity verification documents, beneficial ownership records, source of funds and source of wealth documentation, senior management approval records, and monitoring records. AUSTRAC may request access to these records during a compliance assessment or enforcement investigation.
What are the penalties for ECDD non-compliance in Australia?
Following the AML/CTF Amendment Act 2024, AUSTRAC can impose civil penalties of up to AUD $222 million per contravention for body corporates under AML/CTF Act s. 175A. Criminal prosecution for money laundering under Criminal Code Act 1995 s. 400 carries a maximum penalty of 25 years imprisonment. AUSTRAC also has the power to accept enforceable undertakings, issue infringement notices, and apply to the Federal Court for injunctions. The AUSTRAC v Commonwealth Bank (AUD $700 million, 2018) and AUSTRAC v Westpac (AUD $1.3 billion, 2020) penalties illustrate the scale of enforcement consequences for systematic ECDD failures.
Do the Australian Privacy Principles (APPs) limit what I can collect for ECDD purposes?
Yes, but in a calibrated way. APP 3 requires that personal information collected for ECDD purposes be reasonably necessary for the AML/CTF purpose: you cannot collect more sensitive data than the risk level warrants. APP 5 requires customers to be notified of the collection purpose. However, the Privacy Act 1988 includes provisions recognising that collection under a legal obligation (such as the AML/CTF Act) provides a valid basis for that collection, meaning the primary obligation is proportionality, not obtaining additional consent. The OAIC's guidance at oaic.gov.au provides detailed advice for financial services entities navigating ECDD and APP compliance simultaneously.
Regulatory references and sources
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), legislation.gov.au
- AML/CTF Amendment Act 2024, legislation.gov.au
- AUSTRAC: Guidance and resources for reporting entities, austrac.gov.au
- AUSTRAC: Tranche 2 implementation, austrac.gov.au
- AUSTRAC Annual Report 2024, austrac.gov.au
- ASIC: Company search and registry, asic.gov.au
- OAIC: Australian Privacy Principles guidance, oaic.gov.au
- Privacy Act 1988 (Cth), legislation.gov.au
- FATF Recommendations 10 and 12, FATF
- ACFE Report to the Nations 2024