AML/CTF · Legal Practice

Know Your Client, Not Just Your Matter: CDD Obligations for Australian Solicitors | AML/CTF Solicitors Australia 2026

Published 9 February 2026Last reviewed June 20265 min readBy Paul Wise

A solicitor's instinct is to know the matter inside out. From 1 July 2026, Australian legal practices that provide designated services also have to know the client — formally, and on the record. That obligation is called customer due diligence (CDD), and it is the part of the AML/CTF regime that touches the most files.

This is a plain-English practice guide, not legal advice. The detail of what your firm must collect should be set in your own AML/CTF Program, based on your risk assessment and current AUSTRAC guidance.

CDD is risk-based — three levels, not one

The regime is deliberately risk-based. You do not apply the same intensity to every client. In broad terms there are three levels:

  • Standard CDD — the default. You identify the client and verify their identity from reliable, independent information before you provide the designated service, and you understand the nature and purpose of the matter.
  • Simplified CDD — a lighter approach available where the money-laundering and terrorism-financing risk is genuinely low. It still requires you to be satisfied the risk is low and to keep monitoring; it is not a free pass.
  • Enhanced CDD (ECDD) — a deeper level for higher-risk clients and matters: closer verification, scrutiny of source of funds and source of wealth, and senior sign-off before proceeding.
The trigger for enhanced CDD is risk, not a fixed list. Common flags include a politically exposed person (PEP), links to a higher-risk jurisdiction, complex or opaque ownership structures, or a matter with no clear legal or commercial purpose. Your program should set out when each level applies, so the call does not depend on which fee-earner happened to open the file.

What to collect — individuals, companies and trusts

The information you gather scales with the type of client. As a general guide to the kind of detail typically expected:

  • Individuals — full name, date of birth and residential address, verified against reliable and independent sources (for example, government-issued identification).
  • Companies — the company's full name and registration details and registered office, plus the people behind it: the beneficial owners (broadly, the individuals who ultimately own or control the company, commonly assessed against a 25% ownership or control threshold) and anyone authorised to act for the company.
  • Trusts — the trust's name and type, and details of the trustee(s), the settlor, and the beneficiaries or class of beneficiaries, so you can see who ultimately benefits and controls the arrangement.

The recurring theme for company and trust clients is looking past the entity to the natural persons behind it — which is exactly where launderers rely on professionals not to look. Treat the items above as the kind of detail required rather than a fixed legal checklist; the precise requirements sit in the AML/CTF Rules and AUSTRAC guidance and should be reflected in your program.

The obligation does not stop at onboarding

CDD is not a one-off gate at the start of a matter. Once a client is onboarded you have an ongoing monitoring obligation: keep your understanding of the client current, watch for activity that does not fit what you know about them, and keep their information up to date. If the risk picture changes — new parties, unusual fund flows, a shift in instructions — you may need to step up to enhanced CDD or review the relationship.

Where the operational burden really lands — and where Veriqua helps

In a typical practice, the work that explodes the compliance overhead is verification at scale: every property settlement means verifying the buyer, the seller, and the beneficial owners behind any corporate trustees, before the matter opens. Multiplied across every conveyancing file, trust formation and company incorporation, that load adds up fast.

Veriqua is built to absorb it. The platform's KYC and customer onboarding is customer-type-aware — individual, company, trust, SMSF and partnership — with identity verification for individuals and ASIC Registry and ABN/trust verification for entities, and a client portal so customers complete identity submission themselves. A beneficial-ownership register captures the ownership chain and tracks the 25% threshold; a customer risk register holds each client's CDD tier, review date and status. Two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

When must a law firm carry out CDD on a client?
Generally before you commence providing the designated service — not after the matter is open or at settlement. AUSTRAC's expectation is that identity is verified and the purpose of the matter is understood before the work begins. There are limited exceptions for situations where verification would interrupt the service, but these are narrow and should be documented in your program.
What is 'simplified CDD' and when can a law firm use it?
Simplified CDD is a reduced-intensity approach available where the ML/TF risk associated with the client or matter is genuinely low. A law firm can apply it where its risk assessment supports a low-risk conclusion — for example, a long-standing client using familiar services with transparent purpose. It still requires ongoing monitoring and cannot be used as a blanket approach across all clients.
What triggers enhanced CDD for a law firm?
Enhanced CDD is triggered by a risk-based assessment, not a fixed checklist. Common triggers include: the client is a politically exposed person (PEP) or a close associate; the matter involves jurisdictions with higher ML/TF risk; the ownership structure is complex or opaque; the source of funds is unclear or inconsistent with what you know about the client; or there is no apparent legal or commercial rationale for the transaction.
Does a law firm need to identify the beneficial owner of a corporate client?
Yes. For corporate clients you need to identify the beneficial owners — broadly, the natural persons who ultimately own or control the company, commonly assessed using a 25% ownership or control threshold. For trust clients you similarly need to look through the trust to identify the trustee(s), settlor and beneficiaries. The beneficial-ownership obligation is one of the areas AUSTRAC has flagged as a priority for legal practices.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at February 2026. It reflects our understanding of the AML/CTF reforms and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. The identification and verification your firm must perform depends on your designated services and your own risk assessment. Please confirm your requirements against current AUSTRAC guidance and the AML/CTF Act and Rules, and with your professional body and advisers, before acting.