By the end of this tutorial, you'll have walked through a complete Ongoing Customer Due Diligence (OCDD) review — also known as a KYC Refresh — in BNDRY. You'll understand what triggers the review, which parts of the platform are involved at each stage, and what the process looks like as an auditable record when it's done.
We'll follow one canonical path end to end. The details of your organisation's AML/CTF programme will vary, but the shape of the process in BNDRY is the same every time.
Before you start
Before working through this tutorial, make sure the following are in place:
- You have access to BNDRY with a role that allows you to open Workspaces and run automations. If you're unsure, check with your administrator.
- The entity you'll be working with already exists in BNDRY as an Individual, Company, or Trust record with a risk rating assigned.
- Your tenant has at least one OCDD or KYC Refresh form template configured. If it hasn't been set up yet, contact your BNDRY administrator.
- If you'd like background on what OCDD requires under the AML/CTF Act before diving in, AUSTRAC's guidance is a useful starting point.
One Workspace per review cycle. Each time you conduct an OCDD review on an entity, you create a new Workspace for that specific process. A Workspace represents a single review instance — not an ongoing relationship. Over time, an entity will accumulate multiple OCDD Workspaces, each one a self-contained record of a single review. All of them remain visible from the entity profile.
Why OCDD reviews happen
OCDD — or ongoing customer due diligence — is the obligation to periodically refresh your knowledge of a customer. Unlike ECDD, which is triggered by a specific risk event, OCDD is primarily driven by the passage of time. Your AML/CTF programme will define the review frequency for each risk tier; typical schedules are:
- High Risk — annually, and sometimes more frequently
- Medium Risk — every two years
- Low Risk — every three years
Time isn't the only trigger. A review may also be warranted when there's a material change to an entity's profile — new ownership, a change in product usage or transaction behaviour, or a new screening match. High-Risk entities that have recently completed ECDD may also be placed on a more frequent OCDD cadence as part of that process.
Your organisation's AML/CTF programme sets the authoritative schedule. BNDRY's entity profile shows each entity's current risk rating, prior review history, and accumulated compliance activities — use these to determine when a review is overdue.
Phase 1 — Identify the review and locate the entity
Start by identifying which entity is due for review. You may be working from an internal schedule, a risk team instruction, or a compliance calendar maintained outside BNDRY.
Open the entity's profile. Before going any further, take a moment to review what's already there: their current risk rating, the date of their most recent review (visible in the Activity Log), any prior screening results, linked entities such as directors or ultimate beneficial owners (UBOs), and the history of prior compliance activities.
This is the advantage of having everything on the entity profile. You're not reconstructing a history from email threads — it's already there. Note anything that warrants closer attention during this review: lapsed document expiry, a pending screening match, or changed entity details since the last review.
Phase 2 — Open an OCDD Workspace
From the entity profile, open a new Workspace and select your OCDD or KYC Refresh form template. Give the Workspace a name that identifies the process — most teams include the review type and the date, such as "OCDD — Annual Review — June 2026".
The Workspace is now the container for this specific review cycle. Forms completed and documents collected here are linked to this entity and retained as part of the audit trail.
Set the Workspace status to In Progress. If other team members need to collaborate on this review, they can access the Workspace directly. Workspace statuses give everyone a shared view of where the process is up to.
Phase 3 — Re-run the verification and screening automations
Before filling out any forms, re-run the automated checks relevant to your OCDD process from the entity profile. OCDD isn't just about collecting updated information — it's also about confirming the entity's current status against authoritative sources.
The automations most commonly used during an OCDD review are:
| Automation | What it does in an OCDD context | Where the result goes |
|---|---|---|
| PEP and Sanctions screening | Re-checks the entity against global PEP lists, sanctions lists, adverse media, and regulatory enforcement datasets. New matches since the last review will surface here. Runs against individuals, companies, and trusts. | Activity Log on the entity; screening tags applied or updated |
| Document Verification (DVS) | Re-verifies the entity's Australian government-issued identity documents — passports, driver licences, Medicare cards, birth certificates — against the Document Verification Service. Particularly relevant when documents have expired or are approaching expiry since the last review. | Verification result logged as an Activity on the entity |
| Company Verification (KYB) | For company or trust entities, re-verifies against ASIC, CreditorWatch, and GBG datasets. Retrieves current ownership structure and directorship information — useful for surfacing changes to UBOs or control structure since the last review. | Business verification extract stored against the entity; linked individual entities updated |
| Agentic Identity Research | An AI-powered automation that searches the web for adverse media and PEP information beyond structured data providers. Useful where the entity is high-profile or where structured screening hasn't surfaced a match your team suspects may exist. | Structured research summary stored as an Activity Log |
Each automation result writes back to the entity's Activity Log as a structured, timestamped record. You don't need to manually save or copy results anywhere — they're captured automatically and will be visible on the entity profile long after this Workspace is resolved.
Agentic Identity Research is an early-release feature. Contact your BNDRY administrator or the BNDRY team to enable it for your tenant.
Phase 4 — Collect updated information through the Workspace forms
With the automated checks done, work through the OCDD forms inside the Workspace. The goal here is different from ECDD — you're refreshing and reconfirming existing information, not investigating a specific risk event. Forms are typically lighter than an ECDD set and focus on changes since the last review.
A typical OCDD form set covers:
- Updated identity details — current address, contact information, and any changed personal or business circumstances
- Renewed identity documents — where existing documents have expired or are close to expiry
- Changed circumstances — beneficial ownership changes, new roles or associations, changes in business activity or product use
- Source of Funds or Source of Wealth refresh — where your programme requires periodic re-attestation, particularly for High-Risk entities
- Compliance team findings — your team's assessment of any material changes and their risk implications
If some of this information needs to come directly from the entity, use BNDRY's external portal. Generate a temporary access link from the Workspace, specify which forms the entity should see, set an expiry time, and send it. The entity opens a branded, secure portal — no account required — and submits the information directly. Their submission routes back into the Workspace and is stored against the entity profile.
Any organisation-specific data points that sit outside the standard form fields — internal review cycle flags, tier classifications, or programme-specific annotations — can be captured using Custom Fields on the entity profile.
Phase 5 — Update the entity record and resolve the Workspace
Once the forms are complete and the team has reviewed the findings, update the entity record and close out the review. This typically means:
- Updating any entity profile fields that have changed — address, contact details, ownership structure, document records
- Confirming or updating the entity's risk rating to reflect the conclusion of the review
- Completing any custom fields relevant to the review outcome
- Setting the Workspace status to Resolved
Resolving the Workspace closes this OCDD instance. The record — every form submission, every document collected, every status change — is now permanently attached to the entity profile with full timestamps and user attribution.
The entity's Activity Log is the first place to look when preparing for an audit or reviewing what was done during an OCDD review. It shows a chronological feed of everything logged during the process — check runs, form submissions, screening results — all in one place and all timestamped.
What you've learned
You've walked through the shape of a complete OCDD review in BNDRY. You know that the entity profile is the anchor — the accumulated history of prior reviews, screening results, and compliance activities is already there when you start. You know that each review gets its own Workspace, that automated checks are re-run from the entity profile and their results accumulate on it, that the Workspace holds the forms and documents for this specific cycle, that the external portal handles information requests without email, and that resolving the Workspace produces an auditable record. That's the full loop. Every OCDD review you run in BNDRY follows the same shape.
See also
These articles cover the individual BNDRY features used throughout this process in more depth.
Comments
0 comments
Article is closed for comments.