Initial CDD, ongoing CDD, enhanced CDD — the layers that Part 2 of the AML/CTF Act sets out and that staff actually run at the cage, plus simplified CDD for low-risk customers. What gets captured, what triggers enhanced checks, what records are kept, and where the post-31-March-2026 framework sharpens the bar. Working reference for AMLCOs and cage supervisors — not legal advice.
Working reference, not legal advice
CDD obligations turn on Part 2 of the AML/CTF Act and the risk-based posture set in the venue's AML/CTF policies. For a definitive view, talk to an AML lawyer or your external AML consultant.
CDD operates in three core layers — initial, ongoing, enhanced — plus simplified CDD for customers whose ML/TF risk is assessed as low (AML/CTF Act 2006 (Cth) s 31). Each layer has its own trigger pattern and its own evidence shape:
The layers run together — a customer at baseline can shift to enhanced if their pattern changes, and ongoing CDD is what catches the shift. The structural shape is the venue's AML/CTF policies translating triggers into the right layer.
From 31 March 2026, the AML/CTF reforms reduced the gambling-sector CDD exemption threshold from $10,000 to $5,000. Some existing reporting entities may be able to continue using applicable legacy customer-identification procedures until 31 March 2029 under transitional arrangements. Clubs should confirm whether they are relying on transition, document that position, and be ready to apply the $5,000 post-reform threshold. Regardless of threshold, suspicious or high-risk activity may require enhanced CDD and/or suspicious matter reporting.
What an initial-CDD record actually contains:
The record is retained for seven years after the business relationship with the customer ends (AML/CTF Act 2006 (Cth) s 111). Inspectors and AUSTRAC reviewers can request the record as part of their assessment of how the program is running.
Customer Due Diligence (CDD) is the set of procedures a reporting entity uses to identify and verify customers, assess the ML/TF risk they present, and monitor the customer relationship over time. The obligations sit in Part 2 of the AML/CTF Act: initial CDD (s 28) at the start of providing a designated service, ongoing CDD (s 30) through the relationship, simplified CDD (s 31) where the ML/TF risk is low, and enhanced CDD (s 32) where it is high or where specified triggers apply. For a gaming venue, the procedures attach to designated-service transactions and to the customer-relationship triggers set out in the venue's AML/CTF policies — not every casual patron interaction.
Initial CDD is triggered at the provision of a designated service, subject to the exemptions in the Act and Rules. For gaming-machine venues, s.39E item 16 exempts items 5 and 6 of Table 3 (gaming-machine play and entry, by way of a gaming machine, outside a casino) without a monetary threshold, and item 17 exempts items 8, 9 and 10 (chip-cash-out, non-EGM payout, EGM payout, by way of a gaming machine, outside a casino) where the designated service involves an amount of less than $5,000. From 31 March 2026 the AML/CTF reforms reduced the gambling-sector CDD exemption threshold from $10,000 to $5,000, and some existing reporting entities may be able to continue using applicable legacy customer-identification procedures until 31 March 2029 under transitional arrangements. Beyond the statutory triggers, the venue's AML/CTF policies set out when ongoing and enhanced CDD apply — atypical buy-in patterns, member-account activations involving holding patron funds, customers from FATF-listed high-risk jurisdictions, and any situation where the AMLCO's risk-based posture indicates higher ML/TF risk. The policies have to specify the triggers; staff have to follow them; the records have to demonstrate the procedures are running.
Five elements. (1) Customer identification — full name, date of birth, residential address. (2) Verification — sighting an acceptable ID document (Australian driver's licence, passport, NSW Photo Card, equivalent), with the document number and issuing authority captured. (3) Beneficial ownership — for any entity-form customer (rare in club settings but possible), identifying the natural persons behind the entity. (4) Politically Exposed Persons (PEP) and sanctions screening — checking the customer against PEP and sanctions data and capturing the result. (5) Risk classification — applying the venue's risk-based methodology to score the customer. The records form the customer file that's retained for seven years after the business relationship with the customer ends (AML/CTF Act s 111).
Enhanced CDD applies where the customer's ML/TF risk is high or where the AML/CTF Act or Rules require it. Section 32 of the Act sets out mandatory triggers including a customer the venue has established on reasonable grounds is a foreign politically exposed person, customers from a FATF-listed high-risk jurisdiction, situations where the venue has formed a suspicion-related view and is continuing the relationship, and nested-services arrangements. The AML/CTF Rules 2025 add senior-manager approval requirements for foreign PEPs and for domestic or international-organisation PEPs where the customer's ML/TF risk is high (r.5-5). Enhanced CDD typically captures additional information — source-of-funds documentation, source-of-wealth where relevant, beneficial-ownership extensions, and the senior-manager approval where required. The post-31-March-2026 framework sharpens documentation expectations on enhanced CDD specifically, because higher-risk customers are where defensibility scrutiny lands.
Ongoing CDD (AML/CTF Act s 30) is the continuous-monitoring layer — the venue keeps track of the customer's activity across the relationship and updates the customer record when patterns change. Triggers for ongoing CDD updates include: significant change in transaction pattern, change in customer profile (employment, residence), expiry of identification documents, periodic review at a frequency appropriate to ML/TF risk per the venue's AML/CTF policies, or a specific event (an alert firing on the customer's transactions). The Act sets the standard as appropriate to ML/TF risk rather than a fixed interval; many programs adopt more frequent reviews for higher-risk customers as a matter of policy. Ongoing CDD is the layer that catches drift between the customer profile captured at the start and the customer's actual activity over time.
PEP (Politically Exposed Person) screening is part of initial CDD and of the ongoing-CDD review. The AML/CTF Rules 2025 recognise three PEP categories, treated differently. A foreign PEP — broadly, an individual in a prominent public function in a country outside Australia, and their close family and close associates — triggers enhanced CDD and senior-manager approval automatically (Rules 2025 rr.6-23 / 5-5). A domestic PEP (the equivalent role in Australia) and an international-organisation PEP (a prominent function in an international organisation) trigger enhanced CDD where the customer's ML/TF risk is high (Rules 2025 rr.6-24 / 5-5). Practical implementation: many venues use a PEP and sanctions screening service at the start of the relationship and periodically afterwards. A PEP match doesn't automatically fail a customer; the response depends on which PEP category the match falls into and on the customer's assessed ML/TF risk.
Three operational paths. (1) Re-explanation — staff explain that the venue's AML/CTF program requires the information for cash transactions over a threshold (or whatever specific trigger applies), and offer the patron the chance to reconsider. (2) Refusal of the designated service — if the customer continues to refuse, the venue can decline the transaction. The patron isn't entitled to designated services without satisfying CDD. (3) Suspicion-formation consideration — refusal of CDD can itself be a suspicion indicator under the AML/CTF Act, and the AMLCO assesses whether the refusal pattern, in combination with other indicators, crosses the SMR threshold. The framing has to stay within the venue's standard CDD procedures so it doesn't accidentally tip off (see /aml-tipping-off-explained).
Five categories, all retained for seven years after the business relationship with the customer ends (AML/CTF Act s 111). (1) The customer identification and verification record — the captured information plus the ID document number and issuing authority. (2) The risk classification — the score or rating applied to the customer at the start of the relationship and at updates. (3) Enhanced CDD records where applicable — source of funds, source of wealth, beneficial ownership documentation, and any senior-manager approval required under the AML/CTF Rules 2025. (4) Ongoing CDD events — periodic reviews, triggered updates, customer-profile changes. (5) PEP and sanctions screening results, including the screening service used, the date, and any matches. The records have to be retrievable on request — accessible to the AMLCO, to AUSTRAC if requested, and to the venue's independent evaluator.