Regulatory Updates

The 3-Year CDD Transition Window: Should You Switch to New Rules Now or Wait Until 2029?

AUSTRAC is giving existing operators until March 2029 to adopt the new initial CDD framework — but the choice of when to switch has real operational consequences.

Compliance Desk
11 min read
The 3-Year CDD Transition Window: Should You Switch to New Rules Now or Wait Until 2029?

Photo by mohammadhridoy_11

On 31 March 2026, Australia's overhauled AML/CTF Rules took effect. Among the most significant changes: the replacement of the old Applicable Customer Identification Procedures (ACIP) framework with a new, risk-based Customer Due Diligence (CDD) regime.

But AUSTRAC didn't demand an overnight switch. Existing reporting entities — those enrolled with AUSTRAC on or before 30 March 2026 — have been given a three-year transition window to move from ACIP to the new initial CDD obligations. The window runs from 31 March 2026 to 30 March 2029.

During that period, operators can choose to keep using ACIP for onboarding new customers, or switch to the new initial CDD framework at any time. There's a catch, though: whichever approach an operator selects, they must follow it fully. No mixing and matching.

The question every remittance operator should be asking right now is: should we switch early, or run out the clock?

What's Actually Different Between ACIP and the New CDD

Before diving into the timing decision, it helps to understand what's changing.

The Old World: ACIP

Under the previous rules, customer identification was largely a prescriptive, checklist-driven process. The AML/CTF Rules specified exactly what documents and information were required for different customer types — individuals, companies, trusts, associations. Operators followed the steps, collected the documents, and were considered compliant if the checklist was complete.

ACIP was straightforward, which was its strength. But it was also rigid. It didn't adapt well to different risk profiles. A low-risk customer sending $200 to a family member went through essentially the same identification process as a high-risk customer sending $50,000 through a complex corridor. The rules didn't require — or particularly encourage — operators to think about the why behind the identification steps.

The New World: Risk-Based Initial CDD

The new CDD framework flips the approach. Instead of prescribing exactly which documents to collect, it requires operators to:

  1. Collect and verify information about the customer's identity — using methods appropriate to the risk level of the customer and the service being provided
  2. Understand the potential risks involved in providing designated services to that customer
  3. Take reasonable steps based on what is reasonably available to the reporting entity at the time

The key phrase is "reasonable steps." The new framework doesn't hand operators a checklist. It expects them to design their own CDD processes, calibrated to their risk assessments. A low-risk customer may require minimal verification. A high-risk customer may require enhanced due diligence that goes well beyond what ACIP ever demanded.

This is more flexible — but it also puts more responsibility on the operator to justify their approach. If AUSTRAC questions an operator's CDD process, "we followed the checklist" is no longer a complete answer. The operator needs to demonstrate that their process is risk-appropriate and that their risk assessment is sound.

Key Structural Differences

AspectACIP (Old)Initial CDD (New)
ApproachPrescriptive — follow the checklistRisk-based — design your own process
Document requirementsSpecified per customer typeDetermined by risk assessment
Risk calibrationMinimal — one-size-fits-mostCore requirement — must vary by risk level
Ongoing obligationsLimitedComprehensive (new ongoing CDD applies immediately)
Regulator expectationProcess complianceOutcome effectiveness
FlexibilityLow — rigid proceduresHigh — operator designs approach
Operator burdenLower (follow the rules)Higher (justify your approach)

The Critical Point: Ongoing CDD Is Not Optional

Before going further, every operator needs to understand one non-negotiable element: the transition window applies only to initial CDD.

Ongoing CDD obligations under the new rules are mandatory for all reporting entities from 31 March 2026. There is no grace period for ongoing CDD. None.

This means that even if an operator continues using ACIP for onboarding new customers, they must simultaneously comply with the new ongoing CDD requirements for all customers — including those onboarded under the old ACIP rules.

Ongoing CDD under the new framework requires reporting entities to:

  • Continuously monitor customer activity against their risk profile
  • Update customer information when triggers arise (changes in transaction patterns, adverse media, changes in customer circumstances)
  • Re-assess the risk profile of customers on a periodic basis
  • Apply enhanced measures where ongoing monitoring reveals increased risk

This is a material compliance obligation that takes effect immediately regardless of the transition path chosen for initial CDD.

The Case for Switching Early

There are compelling reasons to adopt the new initial CDD framework sooner rather than later.

1. Alignment with Ongoing CDD

Since ongoing CDD under the new rules is mandatory from day one, an operator who continues using ACIP for initial CDD is effectively running two parallel compliance frameworks — the old prescriptive approach for onboarding and the new risk-based approach for ongoing monitoring. That's operationally messy.

Switching to the new initial CDD framework creates a single, consistent approach to customer due diligence across the entire customer lifecycle. Staff training, policy documentation, and technology systems all align around one methodology.

2. Better Risk Management

The risk-based approach is genuinely better at identifying high-risk customers early. Under ACIP, a customer who presented valid identification documents was onboarded, full stop. Under the new CDD, an operator can — and should — apply enhanced scrutiny to customers who present higher risk indicators, even if their documents are technically valid.

For remittance operators, where customers may be sending funds to high-risk jurisdictions or through complex corridor routes, this flexibility is valuable. It allows operators to ask more questions and gather more information where the risk warrants it — without applying the same heavy process to every low-value, low-risk transaction.

3. Regulatory Posture

AUSTRAC has made clear that its 2025–26 priorities focus on substantive risk management, not just compliance box-ticking. An operator that has already adopted the new CDD framework demonstrates proactive alignment with the regulator's expectations. If AUSTRAC conducts a sector review or audit, being on the new framework is a stronger position than running out the ACIP clock.

4. Technology Readiness

Many modern compliance technology platforms — identity verification services, transaction monitoring systems, risk scoring tools — are already built around risk-based CDD principles. Switching to the new framework may actually simplify technology integration, especially for operators looking to upgrade or replace legacy systems.

5. Competitive Positioning

As the industry moves toward risk-based CDD, operators who switch early will have their processes refined and tested well before the March 2029 deadline. Operators who wait will face a compressed implementation timeline, competing for compliance consultant and technology vendor capacity with every other entity switching at the last minute.

The Case for Waiting

There are also legitimate reasons to stay on ACIP during the transition period.

1. Familiarity and Stability

ACIP is a known quantity. Staff are trained on it. Processes are documented. Technology is configured around it. For operators with limited compliance resources, the disruption of switching to a new framework mid-cycle may outweigh the benefits — especially if the existing ACIP processes are working effectively.

2. Lower Short-Term Cost

Switching to risk-based CDD is not free. It requires:

  • Redesigning customer onboarding processes
  • Updating or replacing AML/CTF programs and policies
  • Retraining staff on the new approach
  • Potentially reconfiguring or upgrading technology systems
  • Conducting new risk assessments to determine appropriate CDD levels for different customer types

For smaller operators, these costs — both financial and in terms of management attention — may be significant. Deferring the switch allows costs to be spread over a longer period.

3. Regulatory Guidance Will Improve

AUSTRAC is continuing to publish guidance on the new CDD framework. Operators who wait will benefit from a more mature body of regulatory guidance, industry practice, and potentially even enforcement decisions that clarify how the new rules are being interpreted. Early movers bear the risk of building processes that later guidance reveals to be insufficient or over-engineered.

4. Avoiding the "Messy Middle"

One legitimate concern about switching early is the transition of existing customers. When an operator moves to the new initial CDD framework, they need to consider how to apply the new ongoing CDD requirements to customers who were onboarded under ACIP. If customer records are incomplete or inconsistent under the old framework, the transition could surface gaps that create compliance risk.

Waiting allows operators to clean up legacy customer data gradually, so that when the full switch occurs, the customer base is in better shape.

The Messy Middle: What to Avoid

Regardless of timing, there's one approach that creates maximum risk: half-switching.

The transitional rules are explicit: an operator must follow either ACIP or the new initial CDD obligations in full. Mixing elements of both — using ACIP identification documents but applying new-style risk assessments, or using risk-based procedures without the full risk assessment framework — is non-compliant under both regimes.

Operators who start transitioning but don't complete the process, or who apply the new framework inconsistently across customer types, are in a worse position than those who simply stay on ACIP.

Critical Compliance Deadline: 1 July 2026

Regardless of the transition path chosen, there's a hard deadline that applies to every operator relying on the ACIP transitional arrangement:

By 1 July 2026, reporting entities must:

  • List the classes of customers to which they will continue to apply ACIP
  • State the date when they will stop applying ACIP to each class

This must be documented in the operator's AML/CTF program. Failure to meet this deadline means the operator can no longer rely on the transitional rule — and must immediately comply with the new initial CDD obligations.

Additionally, existing reporting entities must notify AUSTRAC of their AML/CTF compliance officer by 30 May 2026.

A Practical Decision Framework

Here's a simplified way to think about the timing decision:

Switch early if:

  • Your compliance team is well-resourced and ready to manage the transition
  • You're already planning to upgrade your AML/CTF technology stack
  • Your customer base includes significant high-risk segments that would benefit from risk-based onboarding
  • You want a single, consistent CDD framework across initial and ongoing obligations
  • You plan to grow or expand into new corridors in the next 12–24 months

Wait if:

  • Your compliance resources are limited and other reform obligations (ongoing CDD, compliance officer notification) are consuming available capacity
  • Your ACIP processes are well-documented, consistently applied, and working effectively
  • Your customer base is relatively low-risk and homogeneous
  • You want to benefit from additional AUSTRAC guidance before redesigning processes

Don't do this:

  • Don't half-switch — commit to one approach and follow it fully
  • Don't ignore the 1 July 2026 documentation deadline
  • Don't assume the transition window means you can ignore ongoing CDD — that obligation is live now

What To Do Now

  1. Document your transition plan by 1 July 2026. Whether you're switching now or later, your AML/CTF program must include a list of customer classes and the date you'll stop applying ACIP to each. This is mandatory for reliance on the transitional rule.

  2. Implement ongoing CDD immediately. This is not optional and not subject to transition. Review your ongoing monitoring processes against the new requirements and address any gaps.

  3. Notify AUSTRAC of your compliance officer by 30 May 2026. This is a separate obligation with a tight deadline.

  4. Assess your readiness for the full switch. Even if you're planning to wait, start planning now. A three-year runway sounds generous, but designing, testing, and implementing a new CDD framework takes time — especially if technology changes are involved.

  5. Seek advice on your specific service model. The interaction between initial CDD, ongoing CDD, and the specific risk profile of remittance services means there's no one-size-fits-all answer. An AML/CTF compliance consultant familiar with the remittance sector can help map the right approach for your business.

Key Dates

DateEvent
31 March 2026New AML/CTF Rules take effect; ongoing CDD mandatory for all
30 May 2026Deadline to notify AUSTRAC of AML/CTF compliance officer
1 July 2026Deadline to document ACIP transition plan in AML/CTF program
31 March 2026 – 30 March 2029Transition window for initial CDD (ACIP permitted)
30 March 2029Transition ends — full initial CDD compliance required

The three-year transition window is a genuine concession to operational reality. But it's not an invitation to do nothing. Ongoing CDD is already mandatory, the documentation deadline is weeks away, and the operators who start planning now — whether they switch early or late — will avoid the compressed, high-pressure implementation that inevitably comes from leaving it to 2029.

Is your AML/CTF program updated for the 2026 reforms? Build yours free with the AML/CTF Program Builder →

Customer Due DiligenceAml Ctf ReformAUSTRACcomplianceCdd Transition
Was this article helpful?