What is Customer Due Diligence (CDD)?

This article explains the basics of customer due diligence

Customer Due Diligence (CDD) is the process of verifying who your client is and assessing the risk they pose before you provide them with a service. It is a core requirement of AML/CTF compliance and is often referred to as KYC — Know Your Customer.

This article provides general information only and is not legal advice.

Why CDD is required

Anti-money laundering laws exist to prevent criminals from using legitimate businesses, including real estate agencies and law firms, to move or conceal illegally obtained money. CDD is how you demonstrate that you know who you're dealing with and that you've assessed whether that relationship presents a money laundering risk.

Without CDD, you have no defensible basis for the transactions you facilitate on a client's behalf.

What CDD involves

CDD is not a single action. It is a process with three connected elements:

1. Identity verification

Confirm that your client is who they say they are. This means:

  • Collecting government-issued identity documents (e.g., passport, driver's licence)

  • Verifying those documents using a reliable, independent source

Workflow handles this by sending your client a secure verification link. The client completes the process on their device.

2. Risk assessment

Once identity is confirmed, assess the level of money laundering risk the client and their transaction represent. The risk assessment considers factors such as:

  • Whether the client is a Politically Exposed Person (PEP) — someone who holds or has held a prominent public position, which can create an elevated risk of corruption or bribery

  • The transaction value and whether it's consistent with the client's known background

  • The client's country of origin or residence, particularly if they are from a high-risk jurisdiction

  • Whether the client is an individual or an entity (company, trust, SMSF)

The outcome of the risk assessment is a rating: Low, Medium, or High risk. This rating determines the level of due diligence required.

3. Ongoing monitoring

CDD doesn't end once the initial check is done. For ongoing client relationships, you are required to periodically review the client's risk profile to ensure it remains accurate and up to date.

Standard CDD vs. Enhanced Due Diligence (EDD)

The level of due diligence required depends on the risk rating:

Standard CDD applies to most clients — those rated low or medium risk. It involves identity verification and a risk assessment using your standard template.

Enhanced Due Diligence (EDD) applies to high-risk clients. It requires additional scrutiny — for example, verifying the source of funds, obtaining senior sign-off before proceeding, or applying more frequent review periods.

Workflow flags when EDD may be required based on the risk assessment outcome.
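The risk assessment, the rating it produces, the EDD trigger and the review period that follows from the rating form one decision chain. The following Python model is an added example written for this article; it is not Workflow's scoring engine, and every weight, threshold, review period and sample client in it is a constructed assumption. It shows how the listed factors (PEP status, jurisdiction, transaction value against known background, entity type) can be combined into a Low/Medium/High rating, how that rating drives the EDD actions and the ongoing-monitoring review period, and where the KYB beneficial-owner step attaches for entity clients.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Entity client types named in the article (company, trust, SMSF).
ENTITY_TYPES = {"company", "trust", "smsf"}

# Assumed weights and thresholds; the article gives no scoring formula.
PEP_WEIGHT = 3
HIGH_RISK_JURISDICTION_WEIGHT = 3
UNEXPLAINED_VALUE_WEIGHT = 2
ENTITY_WEIGHT = 1
MEDIUM_THRESHOLD = 2
HIGH_THRESHOLD = 4

# Assumed review periods in months per rating (higher risk, more frequent review).
REVIEW_MONTHS = {"Low": 36, "Medium": 24, "High": 12}


@dataclass
class Client:
    name: str
    client_type: str                  # "individual", "company", "trust" or "smsf"
    is_pep: bool
    high_risk_jurisdiction: bool
    transaction_value: float
    expected_max_value: float         # what the client's known background supports
    beneficial_owners_verified: bool = True   # only meaningful for entity clients
    last_review: Optional[date] = None        # date of the last completed CDD review


def risk_score(client: Client) -> int:
    """Sum the weighted risk factors from the risk assessment section."""
    score = 0
    if client.is_pep:
        score += PEP_WEIGHT
    if client.high_risk_jurisdiction:
        score += HIGH_RISK_JURISDICTION_WEIGHT
    if client.transaction_value > client.expected_max_value:
        score += UNEXPLAINED_VALUE_WEIGHT
    if client.client_type in ENTITY_TYPES:
        score += ENTITY_WEIGHT
    return score


def risk_rating(score: int) -> str:
    """Map a score onto the Low / Medium / High rating."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def assess(client: Client, today: date) -> dict:
    """Run the chain: score -> rating -> EDD actions -> review period -> due flag."""
    score = risk_score(client)
    rating = risk_rating(score)
    edd_required = rating == "High"
    actions = []
    # KYB: entity clients also need their beneficial owners identified and verified.
    if client.client_type in ENTITY_TYPES and not client.beneficial_owners_verified:
        actions.append("KYB: identify and verify beneficial owners")
    if edd_required:
        actions.append("EDD: verify source of funds")
        actions.append("EDD: obtain senior sign-off before proceeding")
    review_months = REVIEW_MONTHS[rating]
    # Ongoing monitoring: a client whose last review is older than the period is due.
    due_for_review = (
        client.last_review is not None
        and months_between(client.last_review, today) >= review_months
    )
    return {
        "score": score,
        "rating": rating,
        "edd_required": edd_required,
        "review_months": review_months,
        "due_for_review": due_for_review,
        "actions": actions,
    }


def example_assessments() -> dict:
    """Assess three constructed clients as of a fixed date (sample data only)."""
    today = date(2024, 6, 1)
    clients = [
        Client("Alice", "individual", False, False, 400_000, 600_000),
        Client("Carol", "individual", False, True, 100_000, 300_000),
        Client("Bravo Pty Ltd", "company", True, True, 2_000_000, 500_000,
               beneficial_owners_verified=False, last_review=date(2023, 1, 15)),
    ]
    return {c.name: assess(c, today) for c in clients}


if __name__ == "__main__":
    for name, result in example_assessments().items():
        print(name, result)
```

The point of separating `risk_score`, `risk_rating` and `assess` is that the factor weights and thresholds are policy, not code: they belong in your risk assessment template and should be reviewable and changeable without touching the logic that turns a rating into EDD actions and a review schedule.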

CDD for entities (companies)

When your client is an entity rather than an individual, standard identity verification is not enough. You also need to verify the entity itself and identify the beneficial owners — the real individuals who ultimately own or control it.

This is called KYB (Know Your Business) and is a form of CDD applied to non-individual clients. Workflow handles KYB automatically when you add an entity client type to a case.

How Workflow facilitates CDD

Workflow is structured to guide you through each element of CDD for every case:

CDD element            | How Workflow handles it
-----------------------|---------------------------------------------------------------------------------------------
Identity verification  | Sends a secure verification link to the client; automatically checks documents against authoritative sources
Risk assessment        | Guides you through a template-based questionnaire; calculates a risk score and rating
Ongoing monitoring     | Sets review periods based on risk rating; flags when a client is due for review
Record keeping         | Stores all checks, assessments, and documents for 7 years in line with AUSTRAC requirements
