What to do after your risk assessment and AML program are finished

You've completed your AML program and Risk Assessment, but what comes next?

A significant part of your ongoing obligations is Customer Due Diligence (CDD). This means verifying your customers' identities and applying a risk rating based on your AML program before you begin any engagement.

What does client onboarding involve under Tranche 2?

Client onboarding under the AML/CTF framework covers seven key steps:

  1. Customer Identification

  2. Customer Verification

  3. Beneficial Ownership (for KYB)

  4. Customer Risk Rating

  5. Level of Due Diligence

  6. Ongoing Monitoring

  7. Suspicious Matter Reporting

What is some of the information you need to collect?

For individuals, you'll need to collect:

  1. Full legal name

  2. Date of birth

  3. Residential address

  4. Government-issued photo ID

  5. Country of citizenship and residence

  6. Source of wealth and source of funds (if enhanced due diligence applies)

For companies and businesses, you'll need:

  1. Registered business name and ABN/ACN

  2. Type of entity (company, trust, partnership)

  3. Trust deed and trustee verification, where applicable

  4. Business address and nature of activities

  5. Beneficial owners (those with significant ownership or control of the entity)

  6. Directors, secretaries and authorised signatories

  7. ASIC/ABRS register search

Example of a client onboarding workflow:

Step 1: Initial Scope & Contact

Before anything else, determine whether the services you're proposing to provide are designated services under the AML/CTF Act.

Step 2: KYC/KYB Checks BEFORE Engagement

All identity verification checks should be completed before signing any letter of engagement or commencing work.

Your AML/CTF obligations require initial customer due diligence to be completed before you begin providing a designated service in most cases.

Note: if you have existing clients at the time your obligations commence, you are not required to immediately perform full due diligence on them.

Step 3: Verify Identity & Beneficial Ownership

For individuals, collect and verify name, date of birth and address.

For businesses, identify and verify the entity itself, along with all beneficial owners and any controllers. Beneficial ownership captures both those with significant ownership interests and those who exercise effective control over an entity.

Step 4: Apply Your Risk Assessment Matrix

Score the client against your documented risk matrix, taking into account factors such as business type, industry, geographic risk, PEP and sanctions status, and transaction complexity. From this, assign a Low, Medium or High risk rating.

Step 5: Determine Level of Due Diligence

Your risk rating drives this decision:

  • Low or medium risk: Standard Due Diligence applies

  • Where ML/TF/PF risk is assessed as low: Simplified Due Diligence may be appropriate

  • High risk, PEPs, complex structures or high-risk jurisdictions: Enhanced Due Diligence (EDD) is mandatory

Step 6: Enhanced Due Diligence (EDD)

Where EDD is required, you may need to obtain source-of-wealth and source-of-funds information and develop a thorough understanding of the purpose and nature of the business relationship.

A senior manager must approve your business starting to provide a designated service, or continuing a business relationship, where the customer or their beneficial owner is a foreign PEP or an international organisation PEP assessed as high ML/TF risk.

Senior manager approval is also required where a person was previously a PEP and their former status still presents a high ML/TF risk.

This approval obligation cannot be delegated and must be met personally by the appointed senior manager.

Enhanced ongoing monitoring also applies to these relationships, meaning more frequent reviews and greater transaction scrutiny.

Step 7: Document & Retain Records

Document every step taken and the reasoning behind each decision. You are required to retain all KYC/KYB documents for seven years after the relationship ends.

Your records should capture what information was collected, from what source, and what verification was conducted.

Maintain a dated audit trail of every onboarding decision, including your risk rating outcome and the level of due diligence applied. All records must be stored in a format that can be produced promptly if AUSTRAC requests them.

If a suspicious matter arises, you must report it to AUSTRAC within 24 hours where it relates to terrorism financing, or within 3 business days for all other matters. Where a transaction involves physical currency of $10,000 or more, a Threshold Transaction Report must be submitted within 10 business days.


How technology can support customer due diligence

Without the right systems in place, compliance can quickly become inconsistent and difficult to evidence. Common problems with manual processes include:

  1. Documents collected by email with no formal verification

  2. Inconsistent checks depending on who is conducting the onboarding

  3. No documented risk rating or PEP/sanctions screening

  4. Records scattered across email, shared drives and paper files

  5. No alerts for monitoring reviews or re-verification triggers

  6. Time-consuming manual reports and spreadsheets

Technology addresses each of these issues by enabling:

  1. Consistent digital collection of all required KYC/KYB fields

  2. Automated identity verification and document checks

  3. Integrated PEP, sanctions and adverse media screening at onboarding

  4. Structured risk rating with a documented, auditable output

  5. Centralised records with timestamps and a full audit trail

  6. Automated monitoring alerts and review reminders

Choosing a provider

When evaluating compliance technology, consider the following:

  1. Is the software comprehensive? Does it cover both onboarding and ongoing compliance?

  2. What pricing models are available? Consider subscription versus pay-as-you-go options

  3. Is the software built specifically for the Australian regulatory environment?

  4. Can it integrate with your existing systems?

Personr brings it all together

Personr is built to cover the full compliance lifecycle for Tranche 2 firms. It offers digital client onboarding that collects all required KYC and KYB information through a structured workflow, automated identity verification, and PEP and sanctions screening integrated at the point of onboarding.

Personr also provides a risk rating workflow that produces a documented output, centralised records with a full audit trail, ongoing monitoring alerts and review reminders, and AUSTRAC enrolment tracking and reporting support.

The goal is simple: every client your firm onboards goes through exactly the same compliant process, every time, with a complete record you can produce on request.

Staff Training & Due Diligence

In addition to Customer Due Diligence, regulated businesses must ensure staff are trained. This is an obligation under the Act, and one that is often overlooked.

The AML/CTF Act requires all relevant staff to be trained. AUSTRAC mandates that any personnel involved in activities related to your AML/CTF obligations must have a clear understanding of:

  1. Your responsibilities under the AML/CTF Act

  2. Applicable rules and regulations

  3. The Money Laundering, Terrorism Financing and Proliferation Financing risks specific to your business

Training must be provided upon commencement of employment or engagement, and on an ongoing basis throughout. This is critical to ensure your personnel possess the knowledge and skills needed to meet your AML/CTF obligations, and can effectively implement your AML/CTF program to identify, manage and mitigate ML/TF/PF risks.

Get started with Personr in three easy steps

1

Book a call

Book a call with our compliance experts. We’ll set you up with a free account ready to suit your team’s needs.

2

Add your people

From new clients to your existing ones, onboard effortlessly with our self-serve platform.

3

Dedicated onboarding

From navigating local laws to support for your team members, our dedicated team will help you get set up seamlessly.
