
Customer Due Diligence for Real Estate Agents: A Step-by-Step Guide

The complete step-by-step CDD guide for Australian real estate agents - who to verify, what to collect, when, and how. Covers individuals, companies, trusts, PEPs, delayed CDD, enhanced CDD, and ongoing monitoring under the AML/CTF Rules 2025.

GateCrown Compliance
Updated March 2026

Quick Answer

From 1 July 2026, Australian real estate agents must conduct customer due diligence on both buyers and sellers in every transaction. CDD is a structured process: collect identity information, assess the customer's ML/TF risk, screen for PEPs and sanctions, determine the appropriate CDD level (simplified, standard, or enhanced), verify identity using reliable sources, establish the nature and purpose of the transaction, and continue monitoring throughout. The depth of verification scales with risk - low-risk individuals get streamlined CDD, while high-risk customers require source of funds, source of wealth, and senior manager approval.

The CDD Process: An Overview Before the Detail

Customer due diligence under the AML/CTF regime is not a single check at the start of a transaction. It is a structured, risk-based process that begins when you first engage with a customer and continues until the business relationship ends. Before diving into the detail of each step, here is the complete CDD process at a glance - from first contact through to ongoing monitoring.

  1. Collect Identity Information - Gather the customer's full name, date of birth, residential address (for individuals), or registration details (for companies, trusts). For non-individual customers, identify beneficial owners and anyone acting on their behalf.
  2. Assess Customer ML/TF Risk - Apply your risk assessment framework to assign a risk rating - low, medium, or high. Consider the customer type, geographic factors, transaction complexity, and delivery channel.
  3. Screen for PEPs and Sanctions - Check whether the customer (or any beneficial owner) is a politically exposed person, subject to sanctions, or appears on AUSTRAC or DFAT watchlists. This step determines whether enhanced CDD is mandatory.
  4. Determine CDD Level - Based on the risk rating and screening results, determine whether to apply simplified CDD (low risk), standard CDD (medium risk), or enhanced CDD (high risk or mandatory triggers).
  5. Verify Identity - Verify the customer's identity using reliable and independent sources - government-issued documents, electronic verification, or a combination. The depth of verification matches the CDD level.
  6. Establish Nature and Purpose - Understand why the customer is engaging your services and what the expected pattern of the business relationship looks like. For real estate - are they buying, selling, investing, or acting on someone else's behalf?
  7. Ongoing Monitoring - Continue to monitor the business relationship throughout. Update CDD if information changes, risk indicators emerge, or the transaction deviates from what was initially expected.

When CDD Must Be Completed: The Timing Rules for Real Estate

The timing of CDD in a real estate transaction depends on which party you are acting for. The rules distinguish between your client - the party you are providing the designated service to - and the opposite party. Understanding this distinction is critical because it determines your CDD deadlines and whether delayed CDD is available.

Seller's Agent (Listing Agent)

Your client is the seller. CDD must be completed before you provide the designated service - that is, before you list the property and begin marketing it. The buyer is the opposite party. You may delay initial CDD on the buyer for up to 15 days after exchange of contracts, provided it is necessary to avoid interrupting the normal course of business and you manage the ML/TF risk during that period.

Buyer's Agent

Your client is the buyer. CDD must be completed before you begin acting for the buyer - before you start searching for properties or negotiating on their behalf. The seller is the opposite party. You may delay initial CDD on the seller for up to 15 days after exchange, subject to the same conditions.

Delayed CDD - The Conditions

Delayed initial CDD is not a general extension. It is only available for the opposite party - the party you are not directly providing the designated service to. Three conditions must be met: the delay must be necessary to avoid interrupting the normal course of business, you must manage the ML/TF risk during the delay period, and CDD must be completed as soon as reasonably practicable and no later than 15 business days after the transaction is carried out (exchange of contracts). If you cannot complete CDD within 15 days, you must consider whether to file a suspicious matter report.

What Happens If CDD Cannot Be Completed

If you are unable to complete CDD to the required standard - whether because the customer refuses to provide information, documents cannot be verified, or identity cannot be confirmed - you must not provide the designated service. For your client, this means you cannot list the property or begin acting. For the opposite party under delayed CDD, this means you must consider whether continuing the transaction is appropriate and whether the circumstances trigger a suspicious matter reporting obligation under section 41 of the Act.

What You Must Establish for Every Customer: The Six Matters

Regardless of the customer type or risk level, the AML/CTF Rules 2025 require you to establish the following six matters during initial CDD. These apply to every customer in every transaction - the difference between simplified, standard, and enhanced CDD is the depth and rigour with which you establish them.

  1. The customer's identity - full legal name, date of birth (for individuals), or registration details (for entities)
  2. Verification of that identity - using reliable, independent source documents or electronic verification
  3. Beneficial ownership - identifying any person who ultimately owns or controls the customer (particularly for companies and trusts)
  4. The nature and purpose of the business relationship - why the customer is engaging your services
  5. The source of funds - where the money for the transaction is coming from (required for standard and enhanced CDD)
  6. Ongoing monitoring arrangements - establishing how you will continue to monitor the relationship throughout

For enhanced CDD, you must also establish the source of wealth - the origin of the customer's overall wealth, not just the funds for this specific transaction. This is a broader inquiry than source of funds and requires understanding how the customer has accumulated their assets over time.

CDD by Customer Type: What to Collect and Verify

The information you need to collect and how you verify it depends on the type of customer. The AML/CTF Rules 2025 set out specific requirements for each customer type. Here is what to collect and verify for the four most common customer types in real estate transactions.

Most Common

Individual (Australian Resident) Default: Low

The most common customer type in residential real estate. An Australian resident individual purchasing or selling property in their own name.

Collect
  • Full legal name (as it appears on identity documents)
  • Date of birth
  • Residential address (not a PO Box)
  • Purpose of the transaction (buying, selling, investing)
  • Source of funds for the purchase
Verify
  • Government-issued photo ID (driver licence or passport)
  • A second document confirming name or address (Medicare card, utility bill, rates notice)
  • Or electronic identity verification (eIDV) through a reliable provider

Common

Body Corporate (Australian Company) Default: Medium

Companies purchasing property - whether as an investment vehicle, development entity, or for business purposes. Requires identification of the company itself and its beneficial owners.

Collect
  • Full company name and ACN/ABN
  • Registered office address
  • Principal place of business
  • Names and details of all directors
  • Beneficial owners (anyone owning or controlling 25% or more)
  • The person authorised to instruct on behalf of the company
  • Source of funds for the transaction
Verify
  • ASIC company extract (current)
  • Identity verification for at least one director and any beneficial owner
  • Identity verification for the person giving instructions
  • Confirmation the instructing person is authorised (board resolution, letter of authority)

Complex

Trust Default: Higher

Trusts - including family trusts, unit trusts, discretionary trusts, and self-managed super fund trusts - are common in Australian property transactions but carry higher inherent risk due to their layered ownership structures.

Collect
  • Full name of the trust
  • Type of trust (discretionary, unit, fixed, hybrid, SMSF)
  • Name and details of the trustee (individual or corporate)
  • Name and details of the settlor (if applicable and not a nominal settlor)
  • Names of all known beneficiaries (or classes of beneficiaries for discretionary trusts)
  • Any person who has effective control over the trust
  • Source of funds for the transaction
Verify
  • Trust deed (or certified extract confirming trust name, trustee, type, and beneficiaries)
  • Identity verification for the trustee (as per individual or company requirements)
  • Identity verification for any beneficial owner with 25% or more interest
  • Identity verification for the person giving instructions on behalf of the trust

High Scrutiny

Foreign Individual or Foreign Entity Risk: Assess Carefully

Foreign individuals and entities purchasing Australian property require careful risk assessment. Geographic risk, source of funds complexity, and potential PEP status all elevate the CDD requirements. FIRB approval may also be relevant.

Collect
  • All information required for the relevant customer type (individual or entity) above
  • Country of citizenship or incorporation
  • Country of residence or principal place of business
  • Tax residency status
  • FIRB approval details (if applicable)
  • Source of funds - with additional detail on how funds will enter Australia
  • Source of wealth (if enhanced CDD is triggered)
Verify
  • Passport or equivalent government-issued identity document from country of citizenship
  • Independent verification of entity registration in country of incorporation
  • Enhanced screening for PEPs, sanctions, and adverse media
  • Documentary evidence of source of funds
  • Consider whether the jurisdiction is on the FATF high-risk or increased monitoring list

Assigning Customer Risk Ratings

Every customer must be assigned a risk rating as part of initial CDD. The risk rating determines the level of CDD that applies - simplified, standard, or enhanced - and influences how closely you monitor the relationship going forward. Your AML/CTF program must document the criteria you use to assign risk ratings, and those criteria must be consistent with your ML/TF risk assessment.

The AML/CTF Rules 2025 do not prescribe specific ratings. Instead, they require you to consider relevant risk factors across several categories. The following framework shows how customer, geographic, and transaction risk factors combine to produce a risk rating.

Risk Rating Framework

  • Customer Risk: Individual, Australian resident, purchasing in own name, no adverse indicators
  • Geographic Risk: Domestic transaction, no links to high-risk jurisdictions, funds sourced domestically
  • Low Risk: Simplified or standard CDD, streamlined verification, standard monitoring

  • Customer Risk: Company or trust structure, multiple beneficial owners, corporate intermediary
  • Geographic Risk: Mixed domestic and international elements, funds from multiple sources
  • Medium Risk: Standard CDD, full verification of all parties, regular monitoring

  • Customer Risk: Foreign PEP, complex layered structures, reluctant to provide information, adverse media
  • Geographic Risk: High-risk jurisdiction, offshore funds, unusual transaction pattern
  • High Risk: Enhanced CDD mandatory, source of funds and wealth, senior manager approval

Enhanced CDD: When It Is Mandatory

Enhanced CDD is not optional when certain triggers are present. The AML/CTF Rules 2025 set out specific circumstances where enhanced CDD must be applied, regardless of your general risk assessment. If any of these triggers are present, you must apply enhanced measures - including establishing source of funds, source of wealth, and obtaining senior management approval before proceeding.

Foreign Politically Exposed Person (PEP)
  • Trigger: Current or former senior government, judicial, military, or diplomatic official of a foreign country, or their close associates and family members
  • Enhanced CDD Requirement: Mandatory. Establish source of funds, source of wealth, and obtain senior management approval before providing the designated service. Ongoing enhanced monitoring required.

High-Risk Jurisdiction
  • Trigger: Customer is from, or funds originate from, a country on the FATF high-risk or increased monitoring list
  • Enhanced CDD Requirement: Mandatory. Additional verification of identity, source of funds, and purpose of transaction. Consider whether the jurisdiction's AML/CTF framework is adequate.

Suspicious Matter Reporting Obligation Arises
  • Trigger: You form a suspicion about the customer or transaction during CDD
  • Enhanced CDD Requirement: Mandatory. Apply enhanced CDD immediately. Do not tip off the customer. File a suspicious matter report (SMR) with AUSTRAC. Consider whether to proceed with the transaction.

High ML/TF Risk Rating
  • Trigger: Your risk assessment assigns the customer a high risk rating based on combined risk factors
  • Enhanced CDD Requirement: Mandatory. Full enhanced CDD including source of funds, source of wealth, enhanced verification, and senior management approval.

Nested Designated Service Arrangements
  • Trigger: A reporting entity provides designated services through your agency on behalf of its own customers
  • Enhanced CDD Requirement: Mandatory. Identify the arrangement, assess the risks, and apply enhanced CDD to both the intermediary and the underlying customer where possible.

Unusual or Complex Transactions
  • Trigger: Transactions that are unusually large, complex, have no apparent lawful purpose, or follow an unusual pattern
  • Enhanced CDD Requirement: Mandatory. Investigate the background and purpose of the transaction. Document your findings. Apply enhanced CDD and consider whether a suspicious matter report is warranted.

Domestic PEP or International Organisation PEP (Where High Risk)
  • Trigger: A domestic PEP or PEP of an international organisation assessed as high risk
  • Enhanced CDD Requirement: Mandatory where high risk. Apply the same enhanced measures as for foreign PEPs - source of funds, source of wealth, senior management approval, and enhanced ongoing monitoring.

Enhanced CDD is not a one-off check. Once triggered, enhanced monitoring must continue for the duration of the business relationship. Senior management approval is required not just at the outset but also for any decision to continue the relationship if further risk indicators emerge.

Simplified CDD

Where a customer is assessed as low risk, the AML/CTF Rules 2025 permit simplified CDD. This does not mean no CDD - it means a lighter-touch approach to verification. You must still collect identity information, verify identity, and establish the nature and purpose of the relationship. What changes is the depth and extent of the verification measures.

In practical terms, simplified CDD for a low-risk Australian individual might mean accepting a single reliable identity document (rather than requiring two), using electronic identity verification as the primary method, and applying less intensive ongoing monitoring. You are still required to assess the customer's risk and to escalate to standard or enhanced CDD if risk indicators emerge during the relationship.

Important Limitation

Simplified CDD is never available where enhanced CDD triggers are present. If any mandatory enhanced CDD trigger applies - foreign PEP, high-risk jurisdiction, suspicion of ML/TF, or any other trigger listed above - you must apply enhanced CDD regardless of how low-risk the customer otherwise appears. Simplified CDD is a floor, not a ceiling - you can always apply more rigorous measures than the minimum required.

Ongoing CDD

CDD does not end once the initial checks are completed. The AML/CTF Rules 2025 require ongoing CDD for the duration of the business relationship. In a real estate context, this means monitoring from the point of engagement through to settlement and beyond (if you maintain an ongoing relationship with the client, such as property management).

Ongoing CDD has four components, each of which must be documented and applied consistently across your agency.

Monitor Transactions

Scrutinise transactions carried out during the business relationship to ensure they are consistent with what you know about the customer, their business, and their risk profile. In real estate, this means monitoring the transaction for changes - unexpected price adjustments, unusual settlement terms, or last-minute changes to purchasing entities.

Review Risk Ratings

Periodically review the customer's risk rating to confirm it remains appropriate. If new information emerges - such as adverse media, a change in the customer's circumstances, or a connection to a high-risk jurisdiction - update the risk rating and apply the corresponding CDD level.

Update KYC Information

Keep customer identity information and CDD records up to date. If a customer's name, address, beneficial ownership, or corporate structure changes, request updated documentation and re-verify as necessary. Outdated records are a compliance gap.

Apply Enhanced CDD Mid-Transaction

If risk indicators emerge during an ongoing transaction - such as a suspicion of ML/TF, a PEP connection discovered after initial CDD, or unusual behaviour - you must escalate to enhanced CDD immediately. Do not wait until the transaction is complete.

Practical Tip

Build ongoing CDD checkpoints into your transaction workflow. Schedule a mid-transaction review at key milestones - after the cooling-off period, before settlement, and at any point where new parties or funding arrangements are introduced. This makes ongoing CDD a natural part of your process rather than an afterthought.

CDD Records

The AML/CTF Act requires you to retain CDD records for 7 years following the end of the business relationship or the completion of the last occasional transaction. Records must be stored securely, be readily accessible for AUSTRAC inspection, and be sufficient to demonstrate that you performed CDD to the required standard.

What to Retain

  • Identity documents - copies of all documents collected during CDD, including government-issued IDs, company extracts, trust deeds, and any documents used for electronic verification.
  • Risk assessment records - the customer's initial risk rating, the factors considered, any changes to the rating during the relationship, and the rationale for each rating decision.
  • Screening results - PEP and sanctions screening results, including the date of screening, the databases checked, and the outcome. Retain records even when screening returns no matches.
  • Enhanced CDD documentation - where enhanced CDD was applied, retain all additional documentation including source of funds evidence, source of wealth inquiries, and senior management approval records.
  • Ongoing CDD records - documentation of all ongoing monitoring activities, risk rating reviews, KYC updates, and any escalation decisions made during the business relationship.

Building CDD Into Your Transaction Workflow

CDD works best when it is embedded into your existing transaction workflow rather than bolted on as a separate compliance process. The following checklist maps CDD steps to the natural milestones of a real estate transaction, so your team knows exactly when each step must be completed.


This article is for informational purposes only and does not constitute legal, financial, or professional advice. Content is based on publicly available AUSTRAC guidance, the AML/CTF Act 2006 (Cth), and the AML/CTF Rules 2025. GateCrown is not a law firm. You should seek independent legal advice before relying on this content for compliance purposes. Regulations and penalty unit values are subject to change.