CDD Tiers
Understanding the three tiers of Customer Due Diligence under AUSTRAC Tranche 2 — when each applies and what is required.
Customer Due Diligence (CDD) is the process of identifying your customers, verifying their identity, and assessing their money laundering and terrorism financing (ML/TF) risk. The AML/CTF Act requires you to apply a risk-based approach — the level of CDD must be proportionate to the assessed risk.
The three CDD tiers
Note on terminology: AUSTRAC's program starter kits refer to the middle tier as "Initial CDD." In Verifia and throughout this documentation, we use the term "Standard CDD" for the same concept. The requirements are identical.
Simplified CDD (Low Risk)
For customers assessed as low risk, you may apply reduced verification measures. Simplified CDD is not "no CDD" — you must still identify and verify the customer, but the depth and breadth of verification can be reduced.
When it may apply:
- Customer is a well-known, established individual or entity with a clear profile
- Transaction type is routine and consistent with the customer's known business
- No risk indicators are present (no PEP status, no adverse media, no high-risk jurisdictions)
- Customer is based in Australia or another low-risk jurisdiction
What is required:
- Collect basic identity information (full name, date of birth, address)
- Verify identity using at least one reliable and independent source (e.g., a single government-issued document)
- Document the rationale for applying simplified CDD
- Continue to monitor the relationship for changes in risk
Review cycle: Every 3 years (or sooner if risk indicators emerge)
Important: Simplified CDD cannot be applied to customers who are PEPs, are from high-risk jurisdictions, or present any elevated risk indicators. If in doubt, apply standard CDD.
Standard CDD (Medium Risk)
Standard CDD is the default tier for most customers. It applies when there are no strong indicators of either low or high risk.
When it applies:
- Default tier for customers who do not qualify for simplified or enhanced CDD
- Standard transaction types and values for your industry
- No elevated risk indicators, but insufficient basis for simplified CDD
What is required:
- Collect full identity information
- Verify identity using multiple reliable and independent sources (e.g., government-issued photo ID plus a secondary document)
- For entity customers: identify beneficial owners (see Beneficial Ownership below)
- Assess the purpose and intended nature of the business relationship
- Screen against sanctions lists and PEP databases
Review cycle: Every 2 years
Enhanced CDD / ECDD (High Risk)
For customers assessed as high risk, you must apply enhanced scrutiny. ECDD involves deeper investigation and requires senior manager approval before the business relationship can proceed.
When it applies:
- Customer is a Politically Exposed Person (PEP), or a close associate or family member of a PEP
- Customer or transaction is connected to a FATF-identified high-risk jurisdiction
- Transaction involves unusually large amounts, complex or unusual structures, or has no apparent economic purpose
- Adverse media or negative screening results are identified
- Industry-specific high-risk indicators are present (see your industry guide)
- Your risk assessment or monitoring identifies the customer as high risk
What is required:
- Everything in Standard CDD, plus:
- Source of funds — establish where the money for this specific transaction is coming from (e.g., bank loan, savings, business income)
- Source of wealth — understand how the customer accumulated their overall wealth
- Adverse media screening — check for negative news coverage, regulatory actions, or criminal proceedings
- Enhanced beneficial ownership analysis — deeper investigation of ownership and control structures
- Senior manager approval — a senior member of your organisation must review the ECDD findings and formally approve proceeding with the customer
- Enhanced ongoing monitoring — more frequent reviews and closer scrutiny of transactions
Review cycle: Every 12 months
How risk determines CDD tier
          Customer Information
                   │
                   v
           ┌──────────────┐
           │ Risk Rating  │
           │    Engine    │
           └───────┬──────┘
                   │
         ┌─────────┼─────────┐
         │         │         │
         v         v         v
        LOW     MEDIUM     HIGH
         │         │         │
         v         v         v
    Simplified Standard   Enhanced
        CDD       CDD    CDD (ECDD)

Verifia automatically determines the CDD tier based on the customer's risk rating. The risk rating considers:
- Customer-level factors — nationality, residency, PEP status, entity type and complexity, occupation or industry
- Transaction-level factors — value, payment method, purpose, and geographic connections
- Industry-specific factors — risk indicators specific to your industry (e.g., property value thresholds for real estate, the $10,000 physical currency threshold for precious metals)
You can always upgrade the CDD tier (e.g., apply standard CDD to a low-risk customer) if you consider it appropriate. You should never downgrade below what the risk assessment indicates.
Ongoing CDD
CDD is not a one-time activity. Throughout the business relationship, you must conduct ongoing customer due diligence:
- Keep information current — update customer details when they change (e.g., change of address, change of directors for a company)
- Monitor the business relationship — ensure transactions are consistent with your knowledge of the customer, their business, and their risk profile
- Scheduled reviews — review customer files at the intervals specified by their CDD tier (3 years / 2 years / 12 months)
- Triggered reviews — reassess immediately when a trigger event occurs:
- Suspicious transaction or activity is flagged
- Sanctions or PEP screening produces a new match
- Adverse media is identified
- The customer's circumstances change materially
- You become aware of information that may affect the customer's risk rating
If a customer's risk level changes, Verifia automatically updates the CDD tier and adjusts the review schedule accordingly.
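The following is an added illustration of the tier logic described above, not Verifia's risk rating engine. It encodes the structure the page describes: indicators that force ECDD on their own, a simplified tier that is only available when no elevated indicator of any kind is present, manual overrides that may raise but never lower the tier, and review dates driven by the tier (36 / 24 / 12 months) or brought forward by a trigger event. The indicator names, the low-risk jurisdiction set and the Customer fields are assumptions made for this example.

```python
"""Assign a CDD tier from risk factors and schedule the review it implies.

Added example, not Verifia's risk rating engine. The indicator names,
the low-risk jurisdiction set and the Customer fields are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TIERS = ("SIMPLIFIED", "STANDARD", "ENHANCED")       # ordered low to high
REVIEW_MONTHS = {"SIMPLIFIED": 36, "STANDARD": 24, "ENHANCED": 12}

# Indicators that force ECDD on their own, before anything else is weighed:
# PEP status, FATF high-risk jurisdiction, adverse media, monitoring alert.
ECDD_TRIGGERS = ("pep", "high_risk_jurisdiction", "adverse_media",
                 "suspicious_activity")
LOW_RISK_JURISDICTIONS = {"AU", "NZ"}   # assumption for the example


@dataclass
class Customer:
    name: str
    country: str                                   # ISO 3166 alpha-2
    indicators: set = field(default_factory=set)   # any risk indicator hits
    routine_profile: bool = False    # well-known, established, consistent
    complex_structure: bool = False  # unusual or layered structure
    high_value: bool = False         # unusually large for the industry


def assess_tier(c: Customer) -> tuple:
    """Return (tier, reasons). Hard overrides are checked first so that a
    PEP can never land in simplified CDD however routine they look."""
    hits = [i for i in ECDD_TRIGGERS if i in c.indicators]
    if hits:
        return "ENHANCED", ["mandatory ECDD: " + ", ".join(hits)]
    if c.complex_structure or c.high_value:
        return "ENHANCED", ["complex structure or unusually large value"]
    # Simplified needs every low-risk condition and no indicator of any kind.
    if c.routine_profile and not c.indicators and c.country in LOW_RISK_JURISDICTIONS:
        return "SIMPLIFIED", ["routine profile, no indicators, low-risk jurisdiction"]
    return "STANDARD", ["default tier: no basis for simplified, no high-risk indicator"]


def apply_override(assessed: str, requested: str) -> str:
    """A manual override may raise the tier; it must never lower it."""
    if TIERS.index(requested) < TIERS.index(assessed):
        raise ValueError(f"cannot downgrade {assessed} to {requested}")
    return requested


def add_months(d: date, months: int) -> date:
    """Calendar-month addition; day clamped to 28 so the result is always valid."""
    years, month0 = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))


def next_review(tier: str, last_review: date, trigger_event: bool = False,
                today: Optional[date] = None) -> date:
    """Scheduled review is tier-driven; a trigger event makes it due immediately."""
    if trigger_event:
        return today or date.today()
    return add_months(last_review, REVIEW_MONTHS[tier])


if __name__ == "__main__":
    # Constructed sample customers (hypothetical).
    for cust in (
        Customer("Routine Pty Ltd", "AU", routine_profile=True),
        Customer("Routine but PEP director", "AU", {"pep"}, routine_profile=True),
        Customer("New overseas client", "SG", routine_profile=True),
    ):
        tier, why = assess_tier(cust)
        due = next_review(tier, date(2024, 1, 15))
        print(f"{cust.name}: {tier} -> review due {due} ({why[0]})")
```

The order of checks is the point: the ECDD override runs before the simplified test, so a customer who is otherwise routine but hits a PEP or adverse media screen cannot be rated low, and `apply_override` refuses any request below the assessed tier.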
Beneficial ownership
For entity customers (companies, trusts, partnerships), you must identify the beneficial owners — the natural persons who ultimately own or control the entity.
Companies
- Identify all natural persons who own or control 25% or more of the issued capital or voting rights
- If no person meets the 25% threshold, identify the persons who exercise effective control (e.g., senior managing officials)
Trusts
- Identify the settlor, trustee(s), beneficiaries (or classes of beneficiaries for discretionary trusts), and appointor/guardian
- For corporate trustees, also identify the beneficial owners of the trustee entity
Complex structures
- For multi-layered structures (e.g., a trust holding a company that holds another entity), trace ownership and control through all layers until you reach the natural persons at the top
- Document the full ownership chain
Verifia's UBO Entity Penetration module uses AI to parse trust deeds and company structures (via ASIC integration), automatically identifying beneficial owners and calculating ownership percentages through multiple entity layers.
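As an added worked example of the tracing described under Companies, Trusts and Complex structures (it is not Verifia's UBO Entity Penetration module and does no ASIC lookups), the script below walks a constructed ownership graph upward from a target entity, multiplies percentages through each layer, sums parallel paths to the same person, and applies the 25% threshold. Control relationships (trustee, appointor, senior managing official) are kept as a separate edge type because they make someone a beneficial owner regardless of percentage, and a corporate trustee is resolved to its own owners as the Trusts section requires. All names and holdings are invented, and treating a trust's beneficiaries as holding its beneficial interest is a modelling assumption made for this example.

```python
"""Trace beneficial ownership through layered entity structures.

Added example, not Verifia's UBO Entity Penetration module. Ownership edges
carry percentages and are multiplied through each layer; control edges
(trustee, appointor, senior managing official) carry a role and count
regardless of percentage. All names and holdings below are constructed.
Treating a trust's beneficiaries as holding its beneficial interest is a
modelling assumption made for this example.
"""
from collections import defaultdict

BO_THRESHOLD = 25.0     # per cent of issued capital or voting rights

PERSONS = {"Alex", "Bo", "Chris", "Dana", "Evan"}   # natural persons

# entity -> [(holder, per cent held)]   (constructed sample structure)
OWNERSHIP = {
    "Target Pty Ltd": [("Family Trust", 60.0), ("Holdco Pty Ltd", 30.0), ("Dana", 10.0)],
    "Holdco Pty Ltd": [("Alex", 50.0), ("Bo", 50.0)],
    "Family Trust":   [("Evan", 100.0)],        # sole beneficiary (assumption)
    "Trustee Co":     [("Alex", 100.0)],        # corporate trustee of Family Trust
    "Widely Held Ltd": [(p, 20.0) for p in sorted(PERSONS)],  # nobody reaches 25%
}

# entity -> [(controller, role)]
CONTROL = {
    "Family Trust":    [("Trustee Co", "trustee"), ("Chris", "appointor")],
    "Widely Held Ltd": [("Bo", "senior managing official")],
}


def _walk(entity, weight, seen, ownership):
    """Yield (node, effective per cent of the starting entity) for every node
    reachable upward. A circular holding is cut instead of followed forever."""
    if entity in seen:
        return
    yield entity, weight
    for holder, pct in ownership.get(entity, []):
        yield from _walk(holder, weight * pct / 100.0, seen | {entity}, ownership)


def effective_ownership(entity, ownership=OWNERSHIP, persons=PERSONS):
    """{person: effective %}; parallel paths to the same person are summed."""
    totals = defaultdict(float)
    for node, w in _walk(entity, 100.0, frozenset(), ownership):
        if node in persons:
            totals[node] += w
    return dict(totals)


def layer_interests(entity, ownership=OWNERSHIP, persons=PERSONS):
    """{intermediate entity: effective % of `entity`}, including itself at 100."""
    totals = defaultdict(float)
    for node, w in _walk(entity, 100.0, frozenset(), ownership):
        if node not in persons:
            totals[node] += w
    return dict(totals)


def controllers(entity, control=CONTROL, ownership=OWNERSHIP, persons=PERSONS,
                threshold=BO_THRESHOLD):
    """{person: role} for those who control `entity`. A corporate controller
    (e.g. a trustee company) is resolved one level to its own beneficial owners."""
    out = {}
    for controller, role in control.get(entity, []):
        if controller in persons:
            out[controller] = role
            continue
        for person, pct in effective_ownership(controller, ownership, persons).items():
            if pct >= threshold:
                out[person] = f"{role} via {controller} ({pct:.0f}% owner)"
    return out


def beneficial_owners(entity, ownership=OWNERSHIP, control=CONTROL,
                      persons=PERSONS, threshold=BO_THRESHOLD):
    """{person: [reasons]} for everyone meeting the threshold by ownership or
    holding control of the entity or of a layer with a significant stake."""
    reasons = defaultdict(list)
    for person, pct in effective_ownership(entity, ownership, persons).items():
        if pct >= threshold:
            reasons[person].append(f"owns {pct:.1f}% effective")
    for layer, stake in layer_interests(entity, ownership, persons).items():
        if stake < threshold:
            continue    # control of a minor holder is not control of the target
        for person, role in controllers(layer, control, ownership, persons, threshold).items():
            reasons[person].append(f"{role} of {layer} ({stake:.0f}% stake)")
    return dict(reasons)


if __name__ == "__main__":
    for target in ("Target Pty Ltd", "Widely Held Ltd"):
        print(target)
        for person, why in beneficial_owners(target).items():
            print(f"  {person}: {'; '.join(why)}")
```

Two results are worth noticing when you run it. Alex holds only 15% of Target Pty Ltd by arithmetic (half of Holdco's 30%) and would be missed by a pure percentage test, but is reported anyway because Alex owns the corporate trustee of a trust holding 60%. Widely Held Ltd has no one at or above 25%, so the only person returned is the senior managing official, which is the fallback the Companies section describes; an empty result from this function means the file still needs an effective-control finding before CDD is complete.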
When you cannot complete CDD
If you cannot satisfactorily complete CDD — for example, the customer refuses to provide required identity documents or source of funds information — you must:
- Not proceed with providing the designated service
- Consider whether to file an SMR — the customer's refusal or inability to provide information may itself be suspicious
- Document the decision — record why CDD could not be completed and what action was taken
Verifia provides a structured "Refuse Service" workflow that documents the decision, creates an audit trail, and optionally triggers an SMR assessment.
Reliance on third-party CDD
In some circumstances, you may be able to rely on CDD performed by another reporting entity (e.g., a bank or another professional). However:
- You remain legally responsible for the CDD — reliance does not transfer your obligations
- You must be satisfied that the other entity applied adequate CDD measures
- You must be able to obtain copies of the CDD records promptly on request
- You should document your basis for reliance
