Customer due diligence for real estate: a plain-English guide

When a buyer walks into your office for the first time, what do you actually have to do under the new AML/CTF rules? That question — "what does CDD really require?" — is the most common one we hear from agency principals.

This post answers it in plain English. No jargon, no dense legislation summaries. Just a clear explanation of what customer due diligence involves and how it applies to your day-to-day work.

What is customer due diligence?

Customer due diligence — CDD — is the process of identifying your clients and verifying that they are who they say they are. It is the cornerstone of Australia's AML/CTF framework, and from 1 July 2026, it applies to every client involved in a real estate sale or purchase where your agency is providing a designated service.

CDD has one core purpose: know your customer. If you cannot confirm who you are dealing with, you cannot assess the risk they pose, and you cannot spot suspicious behaviour.

The AML/CTF regime covers four distinct types of CDD. They are not interchangeable — each applies in different circumstances. Let's work through each one.

1. Initial CDD: the first step with every client

When it applies: Before you start providing a designated service to a customer — in practice, before you formally act as their agent in a property transaction.

Initial CDD applies to every client in a designated service transaction: your vendor clients, your buyer clients, and anyone acting on behalf of a buyer or seller. If someone tells you they are acting for another party, you need to identify both people.

What to collect (for individuals)

For individual clients, you must collect:

Information	Required
Full legal name	Yes — as it appears on their identity document
Date of birth	Yes
Residential address	Yes — a physical address, not a PO Box
Whether acting for another party	Yes — if so, identify the other party too

These four fields are the minimum for individual clients. Companies, trusts, and other entities have different requirements beyond the scope of this guide — if you deal with complex structures, seek specific guidance.

What to collect vs. what to verify — a critical distinction

How to verify identity

AUSTRAC requires verification using reliable and independent means. There are several acceptable methods — and importantly, no single method is mandatory. All of the following satisfy the requirement when properly performed:

Physical inspection — you inspect the original identity document in person (for example, at a meeting or open home) and confirm the client's face matches the photo.
Video call — a live video call where you can see the client and their document simultaneously, and confirm the face matches the ID.
DVS (Document Verification Service) — electronic matching against issuing-authority records via the Department of Home Affairs. Confirms the document is current and not reported lost or stolen.
Accredited third-party electronic verification — providers that access DVS or equivalent authoritative data sources.
Biometric verification — comparing the client's appearance against their photo ID using biometric technology.

DVS is not mandatory. An agent physically inspecting a passport at a listing appointment satisfies the verification requirement just as DVS does. What matters is that you use a reliable, independent method — and that you record what you did, when, and by what method.

Acceptable identity documents

Primary photographic ID (preferred — one is sufficient):

Australian driver's licence
Australian passport
Foreign passport
State-issued proof of age card

This list is based on AUSTRAC's standard guidance. Note that the definition of acceptable photographic identification is not entirely closed — the AML/CTF Rules allow for other documents — but the four above are the standard documents AUSTRAC names and accepting anything outside this list requires a positive risk-based decision by your agency.

If a client has no photographic ID: You need a combination: one primary non-photographic document (birth certificate, citizenship certificate, or Centrelink/DVA concession card) plus one secondary document (a government-issued document showing name and address, a utility bill less than three months old, or an ATO notice less than 12 months old).

What to record

You do not need to keep copies of identity documents. You must record:

Document type, number, issuing authority, and expiry date
Who verified the document, when, and by what method

2. Ongoing CDD: maintaining what you know

When it applies: Throughout the business relationship — from initial CDD to the completion of the transaction and beyond.

Ongoing CDD means you must monitor your clients to identify, assess, and manage ML/TF risks over time. In a real estate transaction, the relationship is typically transaction-based, but that still means:

Staying alert to changes in client circumstances or behaviour that could affect risk
Updating client information if it changes during the transaction
Treating new red flags as triggers to review what you know about a client

Ongoing CDD is proportionate to the nature and duration of the relationship. For a straightforward residential sale completed over a few weeks, the ongoing obligation is relatively light. For longer or more complex transactions, it is more active.

3. Enhanced CDD: when more is required

Some clients and transactions require a deeper level of scrutiny. AUSTRAC calls this enhanced CDD (ECDD).

ECDD is triggered when any of the following apply:

The customer is a foreign Politically Exposed Person (PEP) — a senior foreign government official, politician, judge, military officer, or state-owned enterprise executive, or their family or close associates
A Suspicious Matter Report has been or will be filed in relation to the client
Your agency's risk assessment rates the client as high risk
The client is from a high-risk jurisdiction (countries on the FATF grey or black list)
The transaction involves a high-risk country
The transaction involves complex ownership structures with no clear legitimate purpose

When ECDD is triggered, you must go further than standard CDD. The additional measures required include (but are not limited to):

Senior management approval for the relationship or transaction
Enhanced ongoing monitoring throughout the relationship
Additional identity verification steps
Source of funds and source of wealth verification
Understanding the purpose of the transaction

ECDD is not optional when a trigger applies. If one of the above circumstances exists, standard CDD is insufficient.

4. Simplified CDD: a streamlined option for low-risk scenarios

Not every client presents the same level of risk. AUSTRAC recognises this and allows for a streamlined CDD process — simplified CDD — in genuinely low-risk situations.

Important: simplified CDD is not an exemption from CDD obligations. You must still collect all required customer information. What simplified CDD allows is a lighter-touch approach to verification steps where your risk assessment supports it.

Whether simplified CDD applies to a specific client is determined by your agency's own risk assessment — not by a client's characteristics alone. Your program must document when and how simplified CDD is used. This is not a decision to make ad hoc for individual clients.

For further guidance on AUSTRAC's simplified CDD framework, see AUSTRAC's CDD guidance.

A real-world example: the first meeting

Real-world example

Let's put this together with a concrete scenario.

A buyer contacts your office about a property listed at $850,000. This is their first enquiry, and they want to make an offer. Before you formally act as their buyer's agent, you need to complete initial CDD.

You ask them to bring a driver's licence or passport to the appointment. At the meeting, you inspect the licence in person, confirm their face matches the photo, and record the document details — number, expiry, and that you inspected it on this date.

You also ask whether they are buying in their own name or on behalf of someone else. They confirm it is their own name. You note their full name, date of birth, and residential address.

That is initial CDD complete. The buyer has been identified and verified using a reliable method. You can now act as their agent.

If during the transaction you discover the buyer is a foreign PEP — say, a relative of a senior overseas government official — that triggers enhanced CDD, and you would need to take the additional steps outlined above.

Putting it all together

CDD is not a one-off form. It is an ongoing obligation that runs across the lifecycle of every client relationship in a designated service transaction. The four types — initial, ongoing, enhanced, and simplified — form a complete picture:

CDD type	When	Purpose
Initial	Before providing designated service	Establish who the client is
Ongoing	Throughout the relationship	Stay informed as circumstances change
Enhanced	When risk triggers are present	Go deeper for higher-risk clients or transactions
Simplified	For low-risk clients (per your risk assessment)	Streamline verification steps where warranted

Source: AML/CTF Act 2006·As of March 2026

The key habits to build: collect the right information before you start, verify it using an acceptable method, record what you did, and stay alert throughout the transaction.

AML Simple guides you through CDD for every client — collecting the right information, prompting the right verification steps, and keeping compliant records throughout the transaction.

58 days until obligations commence

1 July 2026

AML Simple guides you through CDD — start free

Collect the right information, verify using an acceptable method, and keep compliant records for every client — guided step by step.

Get AUSTRAC ready