Customer Due Diligence for Accounting Firms: A 2026 Guide

12 May 2026 | 7 min read | AMLify Team

How does customer due diligence work for accounting firms under Tranche 2? A practical guide to CDD steps, EDD triggers, and timing rules before 1 July 2026.

Australian accounting firms that provide designated services under the AML/CTF Act 2006 must conduct customer due diligence (CDD) before — or in narrow circumstances, immediately after — commencing a new client relationship. With just 50 days until the Tranche 2 deadline of 1 July 2026, understanding what CDD requires, when it applies, and how to document it properly is now an immediate operational priority for every accounting practice in Australia.

Which Accounting Services Trigger CDD Obligations?

Not every service an accounting firm provides will be a "designated service" under the AML/CTF Act 2006. Under the Tranche 2 reforms, CDD obligations are most likely to arise when your firm is providing:

  • Tax agent services that involve facilitating the buying or selling of real property, businesses, or legal arrangements
  • Bookkeeping and financial management services that involve handling client funds, operating accounts, or controlling financial transactions on a client's behalf
  • Company secretarial and registered agent services, including managing registered office obligations or acting as a director or public officer
  • Services relating to legal arrangements, such as establishing, operating, or managing trusts, partnerships, or other structures on a client's behalf
  • Accounting services directly connected to real property transactions or the management of complex entity structures

The unifying thread is whether the service involves managing or moving a client's money, assets, or legal structures — or establishing arrangements that could be misused to conceal the origin or destination of funds. If your firm's engagement fits that description, CDD is required.

What Does Standard CDD Require?

Standard CDD — often called "know your customer" (KYC) — requires your firm to complete five core steps before commencing a designated service:

  1. Identify the customer — collect the client's full legal name and date of birth (for individuals), or registered business name and ACN/ABN (for entities)
  2. Verify the customer's identity — confirm identity using reliable, independent documents or data sources, such as a passport, driver licence, Medicare card, or ASIC company extract
  3. Identify beneficial owners — determine who ultimately owns or controls the customer, applying the standard 25% ownership threshold for corporate entities
  4. Verify beneficial owners — take reasonable steps to verify the identity of each beneficial owner identified
  5. Understand the nature and purpose of the relationship — document what services you are providing, why the client needs them, and the expected nature of ongoing activity

AUSTRAC expects a risk-based approach throughout: clients assessed as higher-risk require more thorough verification and documentation; lower-risk clients may qualify for a simplified process. The depth of your CDD should be proportionate to the risk you have identified.

When Is Enhanced Due Diligence Required?

Enhanced due diligence (EDD) applies when your risk assessment identifies an elevated risk of money laundering or terrorism financing. For accounting firms, the most common EDD triggers include:

  • Politically exposed persons (PEPs) — clients who are, or are closely associated with, senior government officials in Australia or overseas, including their family members and close associates
  • High-risk jurisdictions — clients with ownership, operations, or funds connected to countries identified by FATF as high-risk or subject to increased monitoring
  • Complex or opaque structures — clients using multiple layers of companies, trusts, nominees, or bearer instruments where the ultimate ownership is difficult to establish
  • Unexplained wealth or unusual transaction patterns — activity that appears inconsistent with the client's stated business purpose or declared financial profile
  • Clients introduced through higher-risk intermediaries — particularly where the introducing party is located in a jurisdiction with weak AML/CTF controls

EDD typically requires you to collect additional information about the client's source of funds and source of wealth, apply more intensive ongoing monitoring, and obtain senior management sign-off before establishing or continuing the relationship. AMLify's risk-scoring engine identifies EDD triggers automatically during onboarding, prompting your team to collect the right information before the engagement begins — explore these capabilities at /features.

Can Simplified Due Diligence Apply to Any Accounting Clients?

Yes — for clients assessed as presenting a low risk of money laundering or terrorism financing, simplified due diligence (SDD) is available. Common examples where SDD may be appropriate include:

  • ASX-listed companies and their wholly owned subsidiaries, where ownership and control are publicly disclosed on a regulated exchange
  • Australian government bodies — federal, state, or local government entities
  • APRA-regulated financial institutions that are themselves subject to robust AML/CTF obligations

Simplified does not mean absent. You must still identify the client and understand the nature of the relationship — SDD simply permits reduced verification steps and less intensive ongoing monitoring. Critically, your decision to apply SDD must be documented in your AML/CTF programme and justified against your risk assessment. Blanket application of SDD across a client category without documented justification will not satisfy AUSTRAC.

When Must CDD Be Completed?

Timing is important and often misunderstood. Under the AML/CTF Act 2006, CDD must generally be completed before you commence providing a designated service. There is a limited statutory exception: where it is genuinely not practicable to complete CDD first, you may do so as soon as practicable after commencing — provided you have assessed the risk and it is not unreasonably elevated.

In practice, this means three things:

  1. Build CDD into your onboarding workflow so it is completed before the engagement letter is signed and work begins
  2. Do not treat the post-commencement exception as routine — AUSTRAC expects it to apply only in genuinely exceptional circumstances, not as a workaround for slow client onboarding processes
  3. Decline or pause the engagement if you cannot complete CDD, the exception does not apply, and proceeding would expose the firm to unacceptable risk

How Does Ongoing Monitoring Work for Accounting Clients?

CDD is not a one-time exercise at the start of a client relationship. Ongoing monitoring is a continuing obligation that requires your firm to:

  1. Keep client records current — update identity information, beneficial ownership details, and the stated purpose of the relationship whenever material circumstances change
  2. Review transaction and service activity — periodically check that the services you are providing and the financial activity you are observing remain consistent with your understanding of the client
  3. Re-apply CDD when risk changes — if a client's risk profile escalates (for example, they acquire interests in a high-risk jurisdiction or significantly restructure their entity arrangements), refresh the CDD file
  4. Report suspicious matters — if monitoring reveals activity that raises a suspicion of money laundering, terrorism financing, or related offences, a Suspicious Matter Report (SMR) must be submitted to AUSTRAC, regardless of whether the matter is ultimately confirmed

The frequency and intensity of ongoing monitoring should reflect the client's risk rating. A risk-based monitoring schedule lets you concentrate effort on higher-risk clients without treating routine tax engagements as high-stakes surveillance exercises. See how AMLify structures monitoring schedules for accounting practices at /industries/accountants.

Key Takeaways

  • CDD must be completed before commencing a designated service — the post-commencement exception is narrow and should not be used as a routine fallback
  • Standard CDD covers five steps: identify the customer, verify identity, identify beneficial owners, verify those owners, and document the nature and purpose of the relationship
  • Enhanced due diligence is required for PEPs, clients connected to high-risk jurisdictions, complex structures, and unusual transaction patterns — and requires senior management approval
  • Simplified due diligence is available for genuinely low-risk clients such as listed companies and government bodies, but must be documented and justified in your AML/CTF programme
  • Ongoing monitoring is a continuous obligation — keep records current, review activity against client profiles, and submit Suspicious Matter Reports to AUSTRAC when required

Frequently Asked Questions

Q: Do accounting firms need to apply CDD to existing clients, not just new ones?

Yes. While your immediate focus will be on applying CDD to new client relationships from 1 July 2026, you will also need to apply CDD to existing clients when you provide a designated service after that date, or when their risk profile changes materially. AUSTRAC expects regulated entities to develop a plan for progressively applying CDD to existing client bases, prioritising higher-risk relationships first. AMLify's client triage tools help you identify and prioritise which existing clients need the most urgent attention.

Q: What identity documents can accounting firms accept to verify a client?

For individuals, acceptable verification documents typically include an Australian passport, driver licence, Medicare card, or foreign passport. For entities, an ASIC company extract, trust deed, partnership agreement, or equivalent official document establishes the entity's legal identity. Electronic identity verification through an approved data source provider is also acceptable and is often faster for high-volume client onboarding. Your AML/CTF programme should specify your firm's approved verification methods and the standard of evidence required for each customer type.

Q: What should an accounting firm do if a client refuses to provide identity documents?

If a client refuses to provide the information needed to complete CDD, you must not commence — or must cease — providing the designated service. In some circumstances, the refusal itself may give rise to a suspicion of money laundering or terrorism financing, in which case you may be required to submit a Suspicious Matter Report to AUSTRAC. Importantly, you must not "tip off" the client by disclosing that a report has been or will be made. Seek legal advice if you are uncertain whether a particular refusal triggers a reporting obligation.

Q: How long must CDD records be kept?

Under the AML/CTF Act 2006, customer due diligence records must be retained for seven years from the date the relevant relationship ends or the transaction is completed — whichever is later. Records must be kept in a form that allows them to be retrieved and provided to AUSTRAC within a reasonable timeframe upon request. Cloud-based platforms like AMLify maintain compliant record retention and retrieval systems so that your firm's obligations are met without manual file management.

Q: What are the penalties for failing to have CDD procedures in place after 1 July 2026?

From 1 July 2026, accounting firms providing designated services without an AML/CTF programme — which must include CDD procedures — will be in breach of the AML/CTF Act 2006. AUSTRAC has broad enforcement powers including infringement notices, enforceable undertakings, and civil penalties that can reach into the tens of millions of dollars for serious or systemic failures. Proactive compliance before the deadline is significantly less costly than remediation after an AUSTRAC examination or a referral for civil penalty proceedings.

This is general information only and not a substitute for legal advice.