What is Tranche 2 AML/CTF reform in Australia?

Tranche 2 expands Australia's AML/CTF regulations to gatekeeper professions — real estate agents, lawyers, accountants, conveyancers, and TCSPs — with compliance obligations starting 1 July 2026. These businesses must enrol with AUSTRAC, implement AML/CTF programs, conduct customer due diligence, and submit suspicious matter reports.

Who needs AML compliance software in Australia?

Under Tranche 2, AML compliance software is needed by real estate agencies, law firms, conveyancing practices, accounting firms, trust and company service providers (TCSPs), and other gatekeeper professions that must comply with AUSTRAC regulations from July 2026.

What KYC checks are required for AML compliance?

Required KYC checks include: identity document verification (passport, driver's licence), biometric face matching, PEP and sanctions screening, proof of address verification (council rates, water bill, strata bill), source of wealth documentation, and ongoing monitoring of business relationships.

What is an SMR (Suspicious Matter Report)?

A Suspicious Matter Report (SMR) is a mandatory report to AUSTRAC when a reporting entity suspects a person may be involved in money laundering, terrorism financing, or other criminal activity. SMRs must be submitted within 24 hours under the AML/CTF Act 2006.

How does AML Workflow use AI?

AML Workflow uses Anthropic's Claude AI models for four key functions: PEP disambiguation (Haiku 4.5), risk assessment generation (Sonnet 4.6), enhanced due diligence analysis (Opus 4.6), and SMR drafting assistance. All AI outputs are marked as drafts requiring human review — the platform never auto-decides compliance outcomes.

High-Risk Customers and Enhanced Due Diligence: A Practical Guide for Australian Reporting Entities

Enhanced Due Diligence guide for high-risk customers — PEPs, complex structures, and high-risk jurisdictions

Under Australia's AML/CTF regime, not every customer relationship carries the same level of money laundering or terrorism financing risk. AUSTRAC requires a risk-based approach — meaning the intensity of your due diligence must match the risk profile of the customer. Standard Customer Due Diligence (CDD) is sufficient for most clients. But when a customer presents elevated risk, Enhanced Customer Due Diligence (ECDD) becomes mandatory — and failing to apply it is a breach of the AML/CTF Act.

This guide explains what makes a customer high-risk, when ECDD is legally required, the step-by-step ECDD process, and how to document your decisions for regulatory scrutiny. For the fundamentals of AML compliance obligations, see our guide to key AML regulations and compliance obligations.

What Makes a Customer High-Risk?

AUSTRAC does not provide an exhaustive list of high-risk customer categories — that would be impossible given the diversity of Australian businesses and their client bases. Instead, the regulator expects each reporting entity to define high-risk indicators in its AML/CTF Program based on its own ML/TF Risk Assessment. However, certain categories are universally treated as elevated risk under the AML/CTF Rules:

1. Foreign Politically Exposed Persons (PEPs)

A foreign PEP is an individual who holds — or has held in the preceding 12 months — a prominent public position in a government body, international organisation, or state-owned enterprise outside Australia. This includes heads of state, ministers, senior judicial officials, military leadership, and board members of state-owned corporations. Family members and close associates of foreign PEPs are also captured.

Foreign PEPs present elevated risk because their position gives them access to government funds, procurement decisions, and regulatory influence that can be exploited for corruption, bribery, or asset misappropriation. Under the AML/CTF Rules, ECDD is mandatory for all foreign PEPs — it is not discretionary.

2. Domestic PEPs and International Organisation PEPs

Domestic PEPs (Australian politicians, senior public servants, judicial officers) and heads of international organisations (UN, World Bank, IMF, etc.) are also subject to enhanced scrutiny, though AUSTRAC permits a slightly more flexible approach than for foreign PEPs. The obligation to apply ECDD to domestic PEPs is triggered by a higher-risk indicator — such as the customer's country of origin, transaction complexity, or involvement of opaque corporate vehicles — rather than being automatic.

3. Customers from High-Risk Jurisdictions

Where a customer — or the source of their funds — is connected to a jurisdiction identified by the Financial Action Task Force (FATF) as having strategic AML deficiencies (the FATF "grey list" and "black list"), ECDD must be applied. Similarly, countries subject to Australian autonomous sanctions or with known high levels of corruption, narcotics trafficking, or terrorism financing activity present elevated geographic risk.

4. Complex and Opaque Corporate Structures

Customers that use multi-layered corporate or trust structures — especially where those structures involve offshore entities in secrecy jurisdictions, bearer share companies, or nominee directors with no economic interest — are inherently high-risk. While many legitimate businesses use complex structures for tax planning or asset protection, the opacity makes them attractive to money launderers seeking to obscure beneficial ownership.

5. Cash-Intensive Businesses and Unusual Transaction Patterns

Customers operating in cash-heavy industries — hospitality, construction subcontracting, retail, vehicle sales — present additional risk where the volume of cash appears inconsistent with the stated business activities. Similarly, transactions that are unusually large, complex, or lack an apparent economic or lawful purpose are red flags requiring enhanced scrutiny.

When Is ECDD Legally Required?

Under Chapter 11 of the AML/CTF Rules, a reporting entity must apply ECDD in any of the following circumstances:

The customer is a foreign PEP (or a family member or close associate of one)
The customer is a domestic PEP or international organisation PEP and there is a higher money laundering risk associated with the customer
The ML/TF risk posed by the customer is high based on your documented risk assessment methodology
The customer or transaction involves a country that the FATF has identified as having strategic AML/CTF deficiencies (FATF grey list or black list)
There is a suspicion of money laundering or terrorism financing, whether or not an SMR has been submitted
The reporting entity has doubts about the veracity or adequacy of previously obtained CDD information

The trigger is objective — if a customer falls into one of these categories, ECDD is not optional. It must be applied before the designated service is provided, and the enhanced measures must be documented. For a broader framework on building your compliance program, read our step-by-step guide to implementing an effective AML program.

The ECDD Process: Step by Step

Step 1: Identify the High-Risk Trigger

The first step is recognising that ECDD is required. This depends on having effective screening tools and a well-trained team that can spot high-risk indicators during onboarding. Automated PEP and sanctions screening is essential — manual Googling is neither reliable nor defensible in a regulatory review. The moment a potential PEP match, high-risk jurisdiction, or other trigger is identified, flag the customer file for ECDD processing.

Step 2: Obtain Senior Management Approval

For high-risk customers — particularly foreign PEPs — you must obtain approval from senior management before establishing or continuing the business relationship. This is a specific requirement under the AML/CTF Rules and cannot be delegated to a junior compliance officer. The approving manager must understand the specific risks presented by the customer and be satisfied that the proposed controls are adequate.

Step 3: Establish Source of Wealth and Source of Funds

This is the core of ECDD and the area where many businesses fall short. You must go beyond simply asking the customer where the funds came from — you must take reasonable measures to corroborate the explanation. This means:

For a PEP claiming wealth from a business career: obtain corporate records, audited financial statements, or public documentation of the business and its sale or dividend history
For funds sourced from an inheritance: obtain a copy of the will, probate documents, or solicitor confirmation
For investment returns: obtain brokerage statements, share sale contracts, or accountant verification
For government salary: obtain employment contracts, pay records, or publicly available salary schedules for the position held

If the source of wealth explanation is inconsistent with the customer's known profile — for example, a mid-level public servant with no other known business interests suddenly purchasing a A$5 million property — the transaction should be escalated and potentially reported.

Step 4: Establish the Purpose and Nature of the Business Relationship

For standard CDD, understanding the purpose of the relationship is a basic requirement. For ECDD, you must go deeper. Document the specific transaction or service, the intended duration of the relationship, the expected volume and value of transactions, and the business rationale. Where the stated purpose is vague, inconsistent, or uneconomic, that is itself a risk indicator.

Step 5: Conduct Enhanced Ongoing Monitoring

High-risk customers cannot be "checked once and forgotten." ECDD requires ongoing monitoring at a higher frequency and intensity than you apply to your standard customer base. This generally means:

Review the customer's risk profile at least annually (more frequently for PEPs and sanctioned-adjacent jurisdictions)
Monitor transactions against the expected pattern documented in Step 4, flagging material deviations
Re-verify identity information if doubts arise or when a material change in circumstances occurs
Review the source of wealth and source of funds for new transactions, not just the first one

Documenting ECDD Decisions

AUSTRAC's enforcement actions consistently highlight one recurring failure: inadequate documentation. Applying ECDD is not enough — you must be able to prove you applied it, when, by whom, and with what conclusions. For each high-risk customer file, your records should include:

The specific trigger that required ECDD (e.g., "identified as foreign PEP via automated screening — match to Minister of [X]")
The senior management approval (name, position, date, and confirmation that the risks were considered)
The source of wealth and source of funds assessment, including what documents were reviewed and what conclusions were reached
The purpose and intended nature of the business relationship
The ongoing monitoring schedule and the date of the last review
Any changes to the customer's risk rating over time

Can You Decline a High-Risk Customer?

Yes. ECDD does not mean you must take on every high-risk customer as long as you do the paperwork. The AML/CTF Act permits reporting entities to decline to provide a designated service where the ML/TF risk cannot be adequately mitigated. In some cases, declining the business is the correct compliance decision — for example, where the source of wealth cannot be established despite reasonable efforts, where the customer is uncooperative with ECDD requests, or where the risk assessment indicates that the residual risk exceeds the business's risk appetite.

If you do decline a customer on AML grounds, document the decision, the specific reasons, and what attempts were made to complete ECDD. Do not tip off the customer that a suspicion of money laundering was a factor — a simple "unable to proceed with this transaction" is appropriate. If the circumstances give rise to a suspicion, an SMR may need to be submitted even though no service was provided.

Technology for ECDD: Beyond the Spreadsheet

Managing ECDD manually — tracking PEP status changes, scheduling ongoing monitoring reviews, updating risk ratings — quickly becomes unmanageable as a business grows. Modern AML platforms automate the ECDD workflow:

Automated PEP and sanctions screening that re-screens your customer base against updated watchlists daily, not when someone remembers to do it
Risk scoring engines that combine multiple risk factors — customer type, geography, transaction patterns, structure — into a dynamic risk rating that updates as inputs change
Ongoing monitoring alerts that notify your AMLCO when a high-risk customer's circumstances change (e.g., a previously clean customer appears in adverse media)
Document management that links source-of-wealth evidence, senior management approvals, and risk reviews to the customer record in an auditable, time-stamped chain

For Australian businesses newly regulated under Tranche 2 — many of which have never managed ECDD processes before — investing in purpose-built compliance technology is significantly cheaper than the cost of a regulatory enforcement action. See our article on the role of risk assessment in AML compliance for more on building your risk framework.

Key Takeaways

ECDD is not discretionary — it is legally required for foreign PEPs, high-risk jurisdictions, and any customer your risk assessment categorises as high-risk
The core of ECDD is corroborating the source of wealth and source of funds — not just asking the question, but verifying the answer with independent documentation
Senior management approval is mandatory before establishing or continuing a high-risk customer relationship
Ongoing monitoring must be more frequent for high-risk customers — annual review is the minimum, not the gold standard
Documentation is your defence — an undocumented ECDD process is indistinguishable from no ECDD process in a regulatory review
You have the right to decline a high-risk customer where the ML/TF risk cannot be adequately mitigated, but document the decision and consider whether an SMR is required