Skip to content

Customer due diligence (CDD) — what you must collect and verify

What you must do to identify and verify every party to a designated service.

Customer due diligence is the operational core of the AML/CTF regime. Before — or at the time of — providing a designated service, you must identify the customer and verify that identity using reliable and independent sources.

For individuals, you must collect and verify:

  • Full name
  • Date of birth
  • Residential address

Verification is typically done via the Document Verification Service (DVS) against a passport, driver's licence, Medicare card, or birth certificate. A single primary photographic document, or a combination of non-photographic documents, will satisfy the requirement.

For companies, you must collect and verify:

  • Full company name and ACN
  • Registered office address
  • Names of directors (and verify their identity)
  • Names of beneficial owners (and verify their identity)

Verification is done against the ASIC register and identity documents for each natural person.

For trusts, you must collect:

  • Trust name and type (discretionary, unit, testamentary, charitable, etc.)
  • The trust deed (or a certified extract)
  • Names of trustees, settlor, appointor, and beneficiaries (or class of beneficiaries)
  • Identity verification of the trustee, and beneficial-owner verification of the controlling parties

For partnerships, associations, and government bodies, separate but analogous requirements apply.

The 15-day buyer CDD window. Where a buyer is introduced after the agency relationship has commenced (for example, after a property is listed), you have 15 days from when you start providing the designated service to that buyer to complete CDD. The clock runs in calendar days, not business days, and missing it is a standalone contravention.

CDD comes in three intensities. Standard CDD is the default. Simplified CDD is permitted for low-risk customer categories — listed public companies, government bodies — and reduces the verification burden. Enhanced CDD (ECDD) is mandatory for higher-risk situations and requires significant additional steps.

Verification records must be retained for seven years from the end of the customer relationship and must be retrievable in a form that AUSTRAC can audit.

Most agencies will run identification and verification on every individual director, every beneficial owner, and every trustee involved in every transaction, every time, on a seven-year retention schedule.

What to do next: Build a CDD checklist for each customer type (individual, company, trust) and embed it as a mandatory step in your listing and buyer-engagement workflows.

Up next · Your Obligations
Threshold transaction reports (TTRs)

When you must report a cash transaction to AUSTRAC.

Sources

  1. AML/CTF Act 2006 (Cth) Part 2 Division 4
  2. AML/CTF Rules 2025 Part 5

This is general guidance for Australian real estate professionals. It does not constitute legal advice. Consult a qualified AML/CTF practitioner before relying on it for your agency.

Back to Your Obligations