
What's the difference between CDD, KYC and KYB - and when does each apply?

CDD is the umbrella obligation under the Act; KYC verifies individuals and KYB verifies legal entities/arrangements.

These three terms get used interchangeably in conversation, but they're not the same thing. Getting the distinction right matters - especially when a customer asks "do I have to KYC the person holding a Power of Attorney?" or "do I need to KYC every director of a company?" The honest answer in most of those cases is "you need to identify them as part of your CDD - which usually does mean running KYC, but not always."

Here's how the three sit together.

CDD - Customer Due Diligence

CDD is the umbrella obligation under the AML/CTF Act. It's the work you do to understand who your customer is and what risk they bring, before you provide them with a designated service and throughout the relationship.

AUSTRAC describes CDD as having three core elements that work together:

  • Identification - establishing who the customer is, who's acting on their behalf, who owns or controls them (if not an individual), and whether anyone in that picture is a PEP or sanctions target.
  • Verification - confirming that identification information using reliable and independent sources.
  • Ongoing monitoring - watching transactions and behaviour for the duration of the relationship and reviewing/updating what you know about the customer over time.

Initial CDD is the work done before you start providing the designated service. Ongoing CDD continues for as long as the relationship exists.

CDD is the legal obligation. KYC and KYB are the operational steps you use to meet parts of it.

KYC - Know Your Customer

KYC is industry shorthand for the identification-and-verification work you do on an individual person. AUSTRAC's term for the data set is KYC information - the details you collect (name, date of birth, address, etc.) and verify against acceptable sources.

For most customers who are individuals, you'll run a full KYC: collect the required information and verify it through a government register, the Document Verification Service, an accredited digital identity provider, or original/certified copies.

You also need to KYC certain individuals connected to a non-individual customer - directors, trustees, beneficial owners, the representative engaging with you. The depth varies with their role and the customer's risk rating, but for most of these people the standard answer is yes, you need to run full KYC.

KYB - Know Your Business

KYB is industry shorthand for the equivalent work on a non-individual customer entity - a company, trust, partnership, association, government body, or foreign equivalent. The KYB step verifies the entity itself exists as claimed and unwraps its ownership and control structure.

A KYB on its own is rarely the end of the job. Once you've verified the entity, you almost always end up running KYC on a set of individuals associated with it: directors, the representative, beneficial owners, controllers. KYB plus the linked KYC work together to meet the CDD requirement for a non-individual customer.

Where it gets confusing - identification without full KYC

AUSTRAC's initial CDD rules require you to establish certain matters "on reasonable grounds" - including the identity of any person acting on behalf of the customer, and their authority to act. That language is about establishing identity, not about running the same full KYC verification you'd run on the customer.

In most cases you do still run KYC on the person acting - because verifying identity through a reliable source is the practical way to establish it on reasonable grounds. But there are a handful of scenarios where the obligation is narrower: you confirm the person's identity and sight the document(s) that give them authority, but you don't treat them as the underlying customer.

The clearest examples:

  • Power of Attorney / Enduring Power of Attorney - confirm the attorney; sight the POA/EPA document; capture the principal's identity details for the record, but don't treat the principal as the customer for KYC purposes.
  • Administrator under a guardianship or tribunal order - confirm the administrator; sight the appointment instrument.
  • Executor under a Grant of Probate - confirm the executor; sight the Grant (or Letters of Administration where there's no will).
  • Court-appointed trustee or receiver - confirm the appointee; sight the order of appointment.
  • Government representatives/office holders - confirm the officer; sight evidence of their authority, such as a delegation instrument, employment letterhead, or formal agency authority.

In each case, the appointee is acting on behalf of someone else (a principal who can't act for themselves, or an estate). The CDD work focuses on who is exercising the authority and that the authority is valid - which is identification plus document review, rather than a full KYC of the underlying principal.

This sits inside AUSTRAC's general requirement to identify "any person acting on behalf of the customer, and their authority to act" - see Overview of initial customer due diligence (Reform).

Quick reference

  • CDD - Customer Due Diligence
    What it covers: The whole obligation - identification, verification, ongoing monitoring
    Applies to: Every customer relationship
    Source: AML/CTF Act, Part 2
  • KYC - Know Your Customer
    What it covers: Identification and verification work on an individual
    Applies to: Individual customers, plus directors / representatives / beneficial owners of non-individual customers
    Source: Industry term; AUSTRAC uses "KYC information"
  • KYB - Know Your Business
    What it covers: Identification and verification work on a non-individual entity
    Applies to: Companies, trusts, partnerships, associations, government bodies
    Source: Industry term; AUSTRAC describes it through customer-type guides
  • Identification only (no full KYC)
    What it covers: Confirming who a person is and their authority to act
    Applies to: Attorneys under a POA/EPA, administrators, executors, court-appointed trustees or receivers, government representatives
    Source: AUSTRAC initial CDD - matters to establish

The rule of thumb

In most cases you need to verify your customer via KYC (or KYB plus the linked individual KYCs). The exceptions are narrow and well-defined - they cover people acting on someone else's behalf in a recognised legal capacity, and they require you to sight the document that proves the authority. If you're unsure whether a given person falls into the "identification only" category or needs full KYC, the safer default is to run full KYC and document why.

Related entries

  • "For POA/EPA/Administrators/Executors, on whom is KYC conducted?" (Section 2)
  • "When our customer is a sole trader, who do we need to KYC?" (Section 1)
  • "When our customer is an Australian Pty Ltd company, who do we need to KYC?" (Section 1)
  • "When a discretionary trust is involved, who needs to be KYC'd?" (Section 3)
  • "What does 'reasonable grounds' actually mean?" (Section 1)
