Australia’s Tranche 2 AML/CTF reforms significantly expand the regime. They bring lawyers, conveyancers, accountants, real-estate professionals, trust and company service providers, and other gatekeeper professions into the AML/CTF framework for the first time.
But the reforms also update the requirements for existing reporting entities - including financial services, remittance providers and gambling operators - meaning every reporting entity must refresh its approach to Customer Due Diligence (CDD).
This guide explains how to perform CDD on individuals under the updated Tranche 2 framework. It focuses purely on individual customers and outlines the practical steps you must now take.
1. What You Must Establish
When onboarding an individual, you must establish the following matters on reasonable grounds:
- The identity of the customer
- The identity of any person acting on their behalf and the nature of their authority
- The identity of any person for whom the customer is acting
- Whether any relevant individual is a Politically Exposed Person (PEP)
- Whether any relevant individual is subject to Targeted Financial Sanctions (TFS)
- The nature and purpose of the business relationship or occasional transaction
- The customer’s ML/TF risk and any additional KYC information required to address it
These obligations apply to all reporting entities - new and existing - under Tranche 2.
2. Establishing the Customer’s Identity
2.1 Collecting baseline information
You must collect enough personal information to uniquely identify the individual. This generally includes:
- Full legal name
- Any other names (former names, aliases, anglicised names)
- Date of birth
- Residential address
- Unique identifier (passport number, driver licence number, national ID number)
This can be gathered through your onboarding form - digital or paper.
2.2 Verifying identity
You must then verify:
- That the person exists, and
- That they are who they claim to be.
Accepted verification methods include:
Primary photographic ID
- Passport
- Driver licence
- Government-issued photo card
- National identity card
Non-photographic + secondary documents
- Birth certificate, citizenship certificate or concession card
- PLUS a secondary document such as:
  - ATO notice
  - Council rates notice
  - Utility bill
  - Government correspondence
Confirming the person matches the document
You can verify this:
- In person
- Over video call
- With biometric technology
- Through a certified ID verification provider
If inconsistencies appear, they must be resolved before you can be satisfied on reasonable grounds.
3. Understanding Nature and Purpose
You must understand why the customer is engaging your service and what their expected activity will look like.
Collect information such as:
- Reason for the service
- Type and scale of expected interactions
- Occupation
- Source of funds or wealth (where relevant)
Most low-risk customers do not require verification of this information unless something is inconsistent, unusual or triggers enhanced CDD.
4. Individuals Acting on Behalf of the Customer
If someone interacts with you on the customer’s behalf, you must:
- Identify the representative
- Understand their authority to act
- Assess any ML/TF risks associated with that arrangement
Evidence of authority could include:
- Power of attorney
- Agency agreement
- Letter of authority
- Employer confirmation
- Confirmation from an independent professional
If no representative exists, you do not need to establish this matter.
5. Individuals Receiving Services on Behalf of Someone Else
If the person engaging you is receiving the service for another person, that other person is your true customer.
You must identify and verify that person and apply CDD to them.
Special rules apply to certain life-policy services.
6. Politically Exposed Persons (PEPs) and Sanctions
You must establish whether any of the following is a PEP:
- The customer
- Any representative
- Any person on whose behalf they act
You must also check all relevant individuals against Australia’s Targeted Financial Sanctions regime.
For PEPs, collect and verify information about the person’s role and the nature of the public function they hold.
For sanctions, you must check against the most current DFAT Consolidated List.
If someone is subject to sanctions, you generally cannot provide a service without a specific legal permit.
7. Determining ML/TF Risk
CDD must be risk-based. After collecting baseline information, you must:
- Assign a customer risk rating
- Identify any inconsistencies requiring further information
- Apply enhanced CDD where needed
- Document your reasoning
Triggers for enhanced CDD may include:
- PEP status
- High-risk occupations
- High-risk jurisdictions
- Large cash transactions
- Unexplained wealth
- Complex or unusual behaviour
- Suspicion of ML/TF/PF
- Sanctions indicators
Enhanced CDD typically involves verifying source of funds and source of wealth.
8. Practical Examples
Example 1 - A Solicitor Assisting a First-Home Buyer
Sophie is a 29-year-old nurse who contacts a law practice to assist with purchasing her first home.
During onboarding, she completes the firm’s digital CDD form, providing her full name, current address, date of birth and confirming she has never used a previous or alternative name.
The firm asks Sophie to upload her passport, which they verify using their identity verification system. During a brief video call, the solicitor visually confirms that Sophie’s face matches the passport image, and the system’s biometric match provides additional assurance.
To understand the nature and purpose of the relationship, the firm asks Sophie why she is seeking their services. She explains that she has received pre-approval from her bank and needs a solicitor to manage the conveyance. Her occupation and expected transaction behaviour are consistent with someone in her demographic and income range.
A routine PEP and sanctions screen returns no concerns.
With no inconsistencies, unusual behaviour, or high-risk indicators, the firm assesses Sophie as low ML/TF risk and completes CDD.
Example 2 - An Accountant Establishing a Family Trust Through a Representative
Marcus, a small business owner, wants to set up a family trust for tax planning and asset protection. He instructs his long-time accountant, but the initial information and documentation for the trust will be provided by his financial adviser, Claire.
When onboarding begins, the accounting firm identifies that Claire is acting on Marcus’s behalf. They request evidence of her authority. Claire provides a signed letter from Marcus authorising her to liaise directly with the accountant for the purpose of establishing the trust. The firm cross-checks Marcus’s digital signature against previous correspondence, confirming the authority is legitimate.
They then identify and verify Marcus, who provides his driver licence and Medicare card. The accountant uses a secure portal to sight the documents and checks the licence number against independent data sources.
To understand the nature and purpose of the business relationship, the firm asks about the intended activities of the trust—such as investing retained earnings and holding long-term assets. This helps shape the risk assessment and future monitoring expectations.
PEP/TFS screening of both Marcus and Claire shows no flags.
The arrangement is straightforward, no unusual behaviour is detected, and the firm records the CDD obligations as satisfied.
Example 3 - A Real-Estate Agent Facing a High-Risk Cash Purchase
A real-estate agency is approached by Adam, who is 20 years old and keen to buy a $1.2 million townhouse. He states he intends to pay the deposit in cash and complete the remainder by bank transfer.
At first glance, the agent notices a potential mismatch between Adam’s young age, his declared occupation (“gig worker”), and the sizeable transaction. When completing the standard onboarding form, Adam provides his full identification details and uploads his passport and driver licence, which the agency verifies through a third-party provider.
The agent asks Adam to explain how he obtained the funds. His answer is vague—he mentions family money but cannot initially provide documents. Given the risk indicators, the agency assigns a high ML/TF risk rating and triggers enhanced CDD.
After several follow-ups, Adam produces a set of documents showing he recently received a substantial payout from a deceased relative’s estate, including a solicitor’s letter and a certified copy of the grant of probate. These documents independently confirm the source of his funds and wealth.
A PEP and sanctions check is conducted as part of the risk-based procedure (results: no matches).
With adequate explanation of the unusual circumstances now supported by reliable evidence, the agency completes its CDD obligations and documents the enhanced measures taken.
Example 4 - A Conveyancer Dealing With a Customer Acting for Someone Else
Priya contacts a conveyancer because she is organising the sale of a property owned by her elderly father, who has mobility issues and lives in another state. In the initial conversation, Priya clarifies that she will be acting on his behalf for most of the transaction.
The conveyancer requests documentation showing Priya’s authority. She provides a scanned copy of an enduring power of attorney, which the firm verifies by checking the issuing jurisdiction and ensuring it includes financial decision-making powers. To be confident that Priya is the true representative, the firm also verifies her identity using a driver licence and a Medicare card.
They then identify Priya’s father (the actual customer) and request primary identification documents from him. Because the father cannot attend in person, the conveyancer arranges a supervised video verification process using a secure link, allowing the father to display his passport and answer standard verification questions.
The conveyancer screens both Priya and her father for PEP and TFS status—no matches.
With the authority, identities and nature/purpose of the transaction established (sale of long-held family property), the conveyancer records the risk as moderate and completes CDD.
Example 5 - A Financial Adviser Spotting an Inconsistency Early
Julian seeks advice from a licensed financial adviser regarding a new investment product. He provides his details via an onboarding form, stating his occupation as “junior chef” with an annual income of approximately $55,000.
When verifying his identity, the adviser notices Julian is using a foreign passport and an Australian driver licence. Both documents check out, but during the discussion Julian talks casually about “multiple investment properties” he already owns.
This inconsistency between declared income and claimed assets prompts the adviser to explore further. Julian explains he inherited several properties two years earlier but had not thought to report this in the onboarding form.
The adviser asks for additional evidence due to the risk indicator, and Julian provides certified copies of probate documents and land titles. The adviser verifies these documents through independent registries and reassesses the customer’s ML/TF risk as elevated but explainable.
PEP and sanctions screening returns no concern. With the inconsistency resolved through additional verification, the adviser completes CDD and records the reasoning in the customer file.
Example 6 - An Individual Joining an Online Investment Platform
Lina, a 37-year-old software engineer, registers for an online investment platform that offers access to Australian and overseas ETFs. The platform is transitioning into Tranche 2 compliance and has updated its onboarding flow to meet the new CDD obligations.
When Lina signs up, she completes a streamlined digital form that collects her full name, residential address, date of birth, and a declaration of any previous names. She uploads her passport, and the platform’s automated verification service cross-checks the document number and confirms her identity, including a biometric match performed through a short selfie video.
To understand the nature and purpose of her intended relationship with the platform, Lina is asked about her investment objectives. She states she wants to “build a balanced long-term portfolio” and expects to invest between $2,000 and $5,000 per month using salary savings. This information aligns with her occupation, income bracket and expected transaction profile.
During routine screening, the system performs PEP and sanctions checks. A possible match is found against a foreign PEP with a similar surname. The platform’s compliance team manually reviews the alert and quickly determines the match is false—Lina’s details differ significantly across date of birth, nationality and middle names.
However, a mild inconsistency emerges: Lina lists her employment as “software engineer”, but when linking her bank account she chooses an account associated with a small company bearing her surname. The platform contacts her for clarification. Lina explains she operates a side business building niche productivity apps, and the linked account is a simple business account she uses for receiving app-store revenue. She provides her ABN details, which the platform verifies through a government register.
With the inconsistency resolved, and no indicators suggesting elevated ML/TF risk, the platform assigns Lina a low risk rating and completes CDD. Her account is activated, and the platform documents all steps taken, as required under the updated record-keeping rules.
Need Help?
If you need help with setting up your CDD procedures for Tranche 2, bronID is here to help.
