Enhanced Due Diligence for TCSPs: A 2026 Guide

Trust and company service providers (TCSPs) must apply enhanced customer due diligence (ECDD) when a client or arrangement presents elevated money laundering or terrorism financing (ML/TF) risk. Under the AML/CTF Act 2006 — and the Tranche 2 reforms taking effect on 1 July 2026 — ECDD goes beyond standard identity verification, requiring TCSPs to investigate source of wealth, the purpose of the structure, and the beneficial ownership chain in greater depth. With 58 days until the Tranche 2 deadline, understanding exactly when and how to apply ECDD is one of the most practical steps a TCSP can take right now.

What Is Enhanced Due Diligence Under the AML/CTF Act?

Standard customer due diligence (CDD) covers the basics: verifying a client's identity, understanding the nature of the business relationship, and identifying beneficial owners. Enhanced due diligence applies a higher level of scrutiny to clients, transactions, or structures that carry greater inherent risk.

The AML/CTF Act 2006 requires reporting entities — including TCSPs from 1 July 2026 — to apply a risk-based approach to compliance. ECDD is the mechanism for managing risk that exceeds your standard risk tolerance. AUSTRAC's guidance makes clear that ECDD is not discretionary when elevated risk is identified: it is a compliance obligation built into your AML/CTF programme.

Which TCSP Clients Trigger ECDD?

Not every client requires enhanced scrutiny, but TCSPs routinely encounter circumstances that do. Common ECDD triggers include:

• Politically exposed persons (PEPs) — foreign or domestic, current or former, including close associates and family members
• High-risk jurisdictions — clients connected to countries the Financial Action Task Force (FATF) has identified as having strategic AML/CTF deficiencies
• Complex ownership structures — arrangements involving multiple layers of trusts, offshore entities, or nominee arrangements that obscure beneficial ownership
• Unexplained wealth — where a client's assets are inconsistent with their disclosed occupation or business activity
• Correspondent relationships with foreign TCSPs — where your firm acts as a conduit for another service provider's client base
• Clients subject to sanctions — including UN, Australian Government, and other applicable regimes

Your AML/CTF programme must document the risk triggers that prompt ECDD, and your staff must be trained to recognise them during onboarding and throughout the ongoing client relationship.

What Does ECDD Involve in Practice?

ECDD is not a single action — it is a deepened process applied across the customer lifecycle. For a TCSP, a thorough ECDD process involves:

1. Senior management approval — high-risk relationships must receive sign-off from a principal, compliance officer, or designated decision-maker before the service commences
2. Source of wealth verification — obtaining and verifying evidence of how the client acquired the assets being placed into the structure, not just the source of funds for a single transaction
3. Source of funds verification — tracing the specific origin of assets or funds being managed, held, or transferred
4. Enhanced beneficial ownership mapping — going beyond a standard ownership chart to verify each beneficial owner's identity and the legitimacy of the ownership chain, particularly where nominee arrangements are involved
5. Purpose and intended nature of the structure — documenting the legitimate commercial or personal rationale in detail
6. Adverse media screening — searching credible sources for negative news, regulatory actions, or legal proceedings involving the client or connected parties
7. Ongoing enhanced monitoring — setting a higher frequency of transaction review and relationship reassessment, not a one-off check at onboarding

How Does ECDD Differ From Standard CDD?

Standard CDD establishes who the client is. ECDD asks why, how, and whether the risk is acceptable — then documents every step of that reasoning. In practical terms:

Standard CDD includes: - Identity verification - Beneficial owner identification - Understanding the nature and purpose of the relationship - Ongoing monitoring at a standard frequency

ECDD adds: - Senior management approval before commencing the service - Source of wealth and source of funds verification - Deeper beneficial ownership investigation, including verification of nominees - Adverse media and PEP/sanctions screening - More frequent and detailed ongoing monitoring - Enhanced record-keeping with a documented rationale for every risk decision

The key distinction is proportionality and depth. The greater the risk, the more robust the process must be.

What Records Must TCSPs Keep for ECDD?

Under the AML/CTF Act 2006, reporting entities must retain customer due diligence records for seven years. For ECDD clients, AUSTRAC's expectation goes further in terms of quality and detail:

• Decision records — document who approved the relationship, when, and on what basis
• Risk rating rationale — record the specific triggers that prompted ECDD and how each was assessed
• Verification evidence — keep copies of, or references to, source of wealth documents, beneficial ownership evidence, and adverse media search results
• Review records — log each periodic reassessment, what was examined, and any change to the risk rating
• Escalation records — if an ECDD client later generates a suspicious matter report, the ECDD file will form part of AUSTRAC's assessment of your compliance programme

A well-documented ECDD file is your strongest defence in the event of an AUSTRAC audit or enforcement inquiry.

How Can AMLify Help TCSPs Manage ECDD?

AMLify's compliance platform is built for the operational reality of a TCSP practice. Rather than maintaining manual checklists or paper files, TCSPs using AMLify can:

• Automatically flag clients for ECDD based on configurable risk criteria, including PEP status, jurisdiction, and structure type
• Generate structured ECDD checklists tied to each client's individual risk profile
• Record and store approval workflows with timestamps and decision notes
• Set calendar-based review triggers so high-risk clients are reassessed on schedule
• Integrate adverse media and sanctions screening directly into the onboarding workflow

If you're building or updating your AML/CTF programme before the 1 July 2026 Tranche 2 deadline, explore how AMLify supports TCSPs or review our full feature set.

Key Takeaways

• ECDD is mandatory, not optional — when a TCSP client or engagement presents elevated ML/TF risk, enhanced due diligence is a compliance obligation under the AML/CTF Act 2006
• Common ECDD triggers for TCSPs include PEPs, high-risk jurisdictions, complex ownership structures, nominee arrangements, and correspondent relationships with foreign TCSPs
• ECDD requires senior management approval, source of wealth and funds verification, deeper beneficial ownership investigation, adverse media screening, and heightened ongoing monitoring
• Records must be kept for at least seven years; ECDD files should document the rationale for every risk decision in sufficient detail to satisfy an AUSTRAC audit
• With 58 days until 1 July 2026, TCSPs should finalise their ECDD triggers, checklists, and approval workflows as a priority

Frequently Asked Questions

Q: Does every TCSP client need enhanced due diligence?

No. ECDD is triggered by elevated risk, not applied universally. Your AML/CTF programme must set out the specific risk criteria that prompt ECDD — typically including PEPs, high-risk jurisdictions, complex structures, and unexplained wealth patterns. Standard clients who present no elevated risk indicators do not require the additional steps of an ECDD process, though all clients require at least standard CDD.

Q: When must ECDD be completed — before or after onboarding?

The AML/CTF Act 2006 requires that you not commence providing a designated service until sufficient customer due diligence has been completed under your risk-based programme. For ECDD clients, this means elevated risk must be identified and assessed before or at the point of commencing the service, not retrospectively. Senior approval should be obtained before the relationship begins, or as soon as ECDD triggers are identified during an ongoing relationship.

Q: What is the penalty for failing to apply ECDD when required?

Failure to comply with your AML/CTF programme — including failing to apply ECDD where required — can expose a TCSP to civil penalties under the AML/CTF Act 2006. AUSTRAC has the power to issue infringement notices, accept enforceable undertakings, and seek civil penalty orders in the Federal Court. Penalties for serious or systemic non-compliance can reach tens of millions of dollars. AUSTRAC may also publicise enforcement actions, creating significant reputational risk for the firm and its principals.

Q: Must a TCSP file a suspicious matter report if ECDD raises concerns?

Yes. If your ECDD process — or any subsequent monitoring — causes you to form a suspicion that a matter relates to proceeds of crime or the financing of terrorism, you are required to submit a suspicious matter report (SMR) to AUSTRAC. Filing an SMR does not automatically mean the relationship must be terminated, but you should seek legal advice on whether to continue and how to manage the ongoing risk appropriately.

Q: How often should ECDD clients be reviewed?

Your AML/CTF programme should specify the review frequency for each risk tier. For ECDD clients — those presenting the highest risk — annual review is a common baseline, but your programme may require more frequent review when specific events occur: a material change in the client's structure, a change of beneficial ownership, a new adverse media result, or an unusual transaction pattern. Review frequency must be documented, consistently applied, and defensible to AUSTRAC if examined.

This is general information only and not a substitute for legal advice.