1. What Is CDD and Why Does It Matter?
Customer Due Diligence (CDD) is the process of verifying who your clients are before you provide them with a designated service. Under AML/CTF Tranche 2, real estate agents become "reporting entities" — meaning AUSTRAC requires you to know who you're dealing with, assess the risk they pose, and keep records proving you did. The obligations are set out in the AML/CTF Act 2006 and the AML/CTF Rules 2025.
In plain English: Before you list a property or facilitate a sale, you must check that the person is who they say they are, they're not on a sanctions list, and they're not a politically exposed person (PEP) who requires extra scrutiny. AUSTRAC's customer due diligence guidance provides the official framework for these checks.
Why should you care?
CDD isn't optional paperwork. Failure to perform adequate CDD can result in penalties of up to $19.8 million for businesses and personal criminal liability for the Licensee in Charge. AUSTRAC has indicated it will focus on whether agencies have systems in place, not just documents in a drawer.
2. When Must You Perform CDD?
You must complete CDD before providing a designated service. You can use AUSTRAC's eligibility checker to confirm whether your services are captured. For real estate, this means:
Before listing a property (Seller/Vendor)
Verify the vendor's identity before signing the agency agreement. This applies to every listing, not just suspicious ones.
Before the buyer signs a contract (Buyer)
Verify the purchaser's identity before or at the point of signing the contract of sale. For private sales, this is straightforward.
At auction (Special rules)
Vendor CDD must be done before auction day. Buyer CDD can be completed within a reasonable period after the auction — typically before settlement.
When suspicion arises (Any time)
If at any point something doesn't feel right — inconsistent information, reluctance to provide ID, unusual payment methods — you must escalate and potentially file a Suspicious Matter Report (SMR) with AUSTRAC within 24 hours.
What's NOT covered?
Property management, residential leasing, and holiday lettings are not designated services under Tranche 2. You don't need to perform CDD on tenants. Only transactions involving the sale, purchase, or transfer of real estate are captured.
3. Who Do You Need to Verify?
This is where most agents get confused. You need to verify:
| Party | What to verify | When |
|---|---|---|
| Individual seller | Identity (photo ID + secondary document) | Before signing agency agreement |
| Individual buyer | Identity (photo ID + secondary document) | Before or at contract signing |
| Company (seller or buyer) | Company identity (ASIC extract) + all directors + beneficial owners (25%+ shareholders) | Before providing service |
| Trust (seller or buyer) | Trust deed + trustee identity + settlor + appointor + named beneficiaries | Before providing service |
| SMSF | Trust deed + all individual trustees or corporate trustee directors + members | Before providing service |
| Foreign entity | Equivalent company/trust documents from country of origin + beneficial owners | Before providing service (higher risk — likely triggers EDD) |
The "Beneficial Owner" Rule
You must identify every individual who ultimately owns or controls 25% or more of a company or trust involved in the transaction. This means looking behind the company name to find the real humans. If a company is owned by another company, you keep going until you reach individuals. This is the requirement that catches most agencies off guard.
4. What Documents to Collect
For Individuals
You need one primary document + one secondary document:
| Primary (Photo ID) | Secondary (Supporting) |
|---|---|
| Australian passport (current or expired within 2 years) | Medicare card |
| Australian driver's licence (with photo) | Birth certificate or citizenship certificate |
| Foreign passport with valid visa | Utility bill (less than 3 months old) |
| ImmiCard | Government-issued letter (Centrelink, ATO) |
For Companies
- ASIC company extract (current)
- Certificate of registration
- Full names of all directors
- Details of all shareholders holding 25% or more (the beneficial owners)
- Individual ID verification for each beneficial owner
For Trusts
- Full copy of the trust deed (or certified extract)
- Identity of all trustees (individual ID or company verification)
- Identity of the settlor
- Identity of the appointor (if any)
- Details of named beneficiaries (or class of beneficiaries for discretionary trusts)
5. CDD by Entity Type — Quick Reference
| Entity Type | Verify | Complexity |
|---|---|---|
| Individual | Photo ID + secondary document | Low |
| Sole trader | Individual ID + ABN verification | Low |
| Company | ASIC extract + directors + beneficial owners (25%+) | Medium |
| Trust (family/discretionary) | Trust deed + trustee + settlor + appointor + beneficiary class | High |
| SMSF | Trust deed + all trustees/directors + all members | High |
| Partnership | Partnership agreement + all partner IDs | Medium |
| Foreign company | Country-of-origin registration + directors + beneficial owners | High (likely EDD) |
6. When Enhanced Due Diligence (EDD) Is Triggered
Standard CDD isn't always enough. When the risk is elevated, you must perform Enhanced Due Diligence (EDD) — deeper checks and additional documentation.
Politically Exposed Person
Customer or beneficial owner is a current or former senior government official, judge, military leader, or their close associate/family member.
High-Risk Country
Customer, funds, or beneficial owner connected to a country identified by FATF as high-risk or under increased monitoring.
Cash Over $10,000
Transaction involves cash payments of $10,000 or more (also triggers a Threshold Transaction Report to AUSTRAC).
Complex Structures
Ownership involves multiple layers of companies, trusts, or nominees that make it difficult to identify the ultimate beneficial owner.
Inconsistent Information
Information provided doesn't match, customer is reluctant to provide documents, or there's no clear economic purpose for the transaction.
Unusually High Value
Transaction is significantly above market value for the area, or customer shows no concern about price or terms.
What does EDD actually involve?
- Obtaining additional identification documents
- Verifying the source of funds or wealth
- Conducting more detailed background research
- Senior management sign-off on the business relationship
- Increasing the frequency of ongoing monitoring
- Documenting the rationale for proceeding with the transaction
7. Ongoing CDD Obligations
CDD isn't a one-time tick box. You have ongoing obligations throughout the business relationship. AUSTRAC's real estate program starter kit outlines how to build ongoing monitoring into your AML/CTF program:
- Monitor for changes: If a client's circumstances change (new directors, different beneficial owners, address change), you need to update your records.
- Periodic re-screening: Run sanctions and PEP checks at regular intervals, not just at onboarding. Lists are updated frequently.
- Transaction monitoring: Watch for unusual patterns — a vendor who lists and withdraws repeatedly, a buyer who makes multiple purchases in quick succession, or any transaction that doesn't make commercial sense.
- Trigger-based reviews: If new information comes to light that changes the risk profile, re-assess the customer immediately.
8. Auctions — The Special Case
Auctions create a practical challenge: you don't know who the buyer will be until the hammer falls. Here's how CDD works:
| Party | When to verify | Notes |
|---|---|---|
| Vendor | Before auction day | Same as any listing — verify at the point of signing the agency agreement |
| Winning buyer | As soon as reasonably practicable after the auction | Ideally before settlement. Document why there was a delay. |
| Other bidders | Not required | You only need to verify the successful purchaser |
AMLTranche handles this automatically
AMLTranche includes auction-specific CDD workflows with automatic business-day deadlines. The system tracks the "reasonable timeframe" window and sends reminders to complete buyer verification after the sale.
9. Record Keeping — The 7-Year Rule
AUSTRAC requires you to keep all CDD records for a minimum of 7 years after the business relationship ends or the transaction is completed. This is a core requirement of your AML/CTF program. Records must include:
- Copies of identification documents
- Verification results (electronic or manual)
- Sanctions and PEP screening results
- Risk assessments for each customer
- Any Enhanced Due Diligence documentation
- Records of ongoing monitoring and re-screening
- Suspicious Matter Reports (if filed)
The audit trail trap
Spreadsheets and paper files are not enough. AUSTRAC expects a tamper-proof, time-stamped audit trail that proves when each check was performed, by whom, and what the result was. If you're audited in 2033 for a transaction in 2027, "I think we checked their ID" won't satisfy the regulator. You need a system record.
10. Five Common Mistakes to Avoid
Mistake 1: Only verifying buyers, not sellers
Under Tranche 2, you must verify both parties. Many agents assume CDD is only about checking where the money comes from (buyers), but sellers can also be involved in laundering — for example, selling property purchased with illicit funds.
Mistake 2: Accepting expired documents
An expired passport can be used as primary ID only if it expired within the last 2 years. Expired driver's licences are generally not acceptable. Always check the expiry date.
Mistake 3: Not identifying beneficial owners
If a company or trust is buying, you can't just verify the person signing the contract. You must identify everyone who owns or controls 25% or more of the entity. This is the requirement most agencies will struggle with.
Mistake 4: Doing CDD after the service is provided
CDD must be completed before you provide the designated service (with the auction exception). Verifying a vendor after the property has already been listed is non-compliant.
Mistake 5: No system — just a folder
Photocopying a driver's licence and putting it in a manila folder is not CDD. You need a documented process, screening against sanctions and PEP lists, a risk assessment, and a time-stamped audit trail. A folder proves nothing in an audit.