KYB Guide: Verifying Business Customers Under the AML/CTF Act
Verifying business customers is more complex than individual KYC. This guide explains how to verify Australian companies, map beneficial ownership, handle trust structures, and document corporate customer due diligence under the AML/CTF Act.
What is KYB and How Does It Differ from KYC?
Know Your Business (KYB) is the process of verifying the identity, structure, and legitimacy of corporate and trust customers. While KYC focuses on individual identity — confirming that a person is who they claim to be — KYB adds layers of complexity: verifying the legal entity itself, understanding its ownership structure, identifying the natural persons who ultimately own or control it, and assessing the legitimacy of its business activities.
Corporate customers present different AML/CTF risks than individuals. A company can be created and dissolved quickly. Its ownership can be obscured through multiple layers of intermediate entities or nominee shareholders. It can be registered in a jurisdiction with limited public disclosure requirements, making beneficial ownership opaque. These features make companies attractive vehicles for money laundering — they provide a veneer of legitimacy while concealing the identity and intentions of the true principals.
Under the AML/CTF Act, the customer due diligence obligations for corporate customers are more extensive than for individuals. At minimum, an entity must collect and verify: the company's legal name, ABN or ACN, registered address, and company type. It must also identify and verify the directors, identify any beneficial owners above the 25% threshold, and verify those beneficial owners as individuals through KYC procedures.
The complexity of KYB scales with the complexity of the ownership structure. A simple two-director, two-shareholder company requires relatively straightforward verification. A multi-layered corporate group with offshore holding companies, nominee arrangements, and trust structures may require extensive investigation before the true beneficial owners can be identified.
Verifying Australian Companies
For Australian companies, the starting point is ASIC — the Australian Securities and Investments Commission. ASIC maintains a searchable public register of all registered Australian companies containing: the company's ACN, registered office address, principal place of business, company type (Pty Ltd, Ltd, etc.), date of registration, company status (registered, deregistered, under administration), and the names and addresses of all current and former directors and secretaries.
An ASIC company extract — available directly from ASIC Connect or via services like CreditorWatch — provides a detailed snapshot of the company's registered information. This is the foundation of corporate KYB for Australian entities.
The verification process for an Australian company involves: confirming the company exists and is in good standing (registered, not deregistered or under external administration), collecting the company's ACN and registered address, identifying all current directors and verifying each director as an individual using KYC procedures, identifying all shareholders and their percentage holdings, and applying the 25% beneficial ownership threshold to determine which shareholders require individual verification.
Where the company's shares are held by another company rather than individuals, the analysis must continue up the ownership chain until natural persons are identified. Each intermediate entity requires its own verification, and each ultimately-identified natural person requires KYC.
Documentation is as important as the information collected. The customer file should contain: the ASIC extract or equivalent, the names and verification outcomes for each director and beneficial owner, the ownership diagram showing the structure and percentage holdings, and the rationale for the beneficial owner determination.
Trust Structures and AML Risk
Trusts present some of the most complex beneficial ownership questions in corporate KYB. A trust is not a separate legal entity; it is a legal relationship under which a trustee holds property for the benefit of beneficiaries. Because a trust has no separate legal personality, its compliance obligations fall on the trustee and, for AML purposes, on any reporting entity that provides designated services to the trustee in its capacity as trustee of the trust.
The key components of a trust for KYB purposes are:
- the settlor: the person who established the trust and contributed its initial assets (typically relevant only for high-risk customers, as settlors often have no ongoing role)
- the trustee: controls the trust assets and is the reporting entity's customer; if an individual, they require KYC; if a company, they require KYB
- the beneficiaries: benefit from the trust assets; their identification requirements depend on the trust type
- the trust deed: the document that establishes and governs the trust
Discretionary (family) trusts are the most common trust type encountered in business KYB. In a discretionary trust, the trustee has discretion over distributions to a class of beneficiaries. Because beneficiaries in a discretionary trust do not have a fixed entitlement, identifying and verifying every potential beneficiary is often impractical. The AUSTRAC approach for discretionary trusts is to identify the class of beneficiaries (e.g., "the Smith family group") and verify the trustee and settlor as the primary controlling parties, with enhanced scrutiny where high-risk indicators exist.
Unit trusts allocate fixed percentage interests to unitholders, similar to shareholders in a company. Unitholders above the 25% threshold must be identified and verified. Where a unitholder is itself a company or trust, the analysis continues up the chain.
The trust deed is a critical document. It establishes the trustee's identity and powers, the beneficiary class, and any restrictions on distributions. It should be collected and reviewed as part of corporate KYB for any trust customer.
Beneficial Ownership in Practice
The 25% beneficial ownership threshold — the point at which an individual must be identified and verified as a beneficial owner — is the cornerstone of corporate KYB. But applying it in practice requires understanding what "owns or controls 25% or more" actually means across different ownership structures.
Direct ownership is simple: if an individual holds 30% of the shares in a company directly, they are a beneficial owner. Indirect ownership requires a more nuanced calculation. If Company A owns 60% of the customer company, and Individual X owns 50% of Company A, then Individual X indirectly controls 30% of the customer (60% × 50% = 30%) and must be identified and verified.
Control — not just ownership — can also trigger beneficial ownership obligations. An individual who controls a majority of the directors, has veto rights over major decisions, or otherwise effectively controls the entity may be a beneficial owner regardless of their nominal shareholding. Common control arrangements include: persons with contractual rights to appoint or remove directors, persons with disproportionate voting rights, and shadow directors whose instructions are routinely followed by the board.
Where no individual can be identified as owning or controlling 25% or more — common in widely-held companies or complex group structures — the obligation shifts to identifying the senior managing officials: the CEO, managing director, CFO, or other persons who effectively manage the entity's day-to-day operations.
Nominee arrangements — where shares are held by a nominee on behalf of an undisclosed beneficial owner — are a significant red flag. Where a customer's ownership structure includes nominees, enhanced due diligence should be applied and the actual beneficial ownership must be pursued.
Source of Funds and Source of Wealth for Business Customers
For standard-risk business customers, collecting source of funds information may not be required at onboarding. But for higher-risk corporate customers — those with complex ownership structures, PEP-connected beneficial owners, unusual business activities, or high transaction values — source of funds and source of wealth become important EDD components.
Source of funds refers to the origin of the specific transaction funds: where did the money that will be used in this particular transaction come from? For a corporate customer, this might be business revenue, a capital injection, a loan, or asset sales. Source of funds documentation typically involves bank statements, audited accounts, sale proceeds documentation, or loan agreements.
Source of wealth is a broader concept: how did the entity (and its controlling individuals) accumulate their overall wealth? For a corporate customer, this involves understanding the nature and history of the business, its revenue model, and the origins of its capital. A company claiming to be a technology startup that has received large cash deposits would trigger source of wealth enquiries.
The distinction matters because source of funds addresses the immediate transaction risk, while source of wealth addresses the broader relationship risk. A customer may have a legitimate source of funds for a specific transaction while their overall wealth profile remains unexplained. EDD requires both to be addressed for higher-risk relationships.
Documentation of source of funds and source of wealth assessments should be kept in the customer file. The assessment should note what was collected, what the entity concluded about plausibility, and whether any anomalies were identified and investigated.
Ongoing Business Customer Monitoring
KYB at onboarding is the starting point, not the end point. Corporate customers must be subject to ongoing monitoring — periodic reviews that reassess their risk profile and update their customer record.
The triggers for re-verification and enhanced review include: a material change in the company's directors or shareholders (ASIC changes), a change in the company's business activities or revenue model, a material change in transaction patterns inconsistent with the customer's stated purpose, new information suggesting beneficial ownership has changed, new adverse media about the company or its principals, and periodic review intervals based on the customer's risk tier (typically annual for high-risk, biennial for medium-risk).
ASIC change notifications can be monitored through services that alert when a company's director, shareholder, or address information changes. For higher-risk corporate customers, automated ASIC monitoring provides a mechanism for detecting material changes without manual periodic searches.
It is also important to monitor for changes in the customer's beneficial owners' PEP status. A customer's beneficial owner may become a PEP after onboarding — for example, if they are appointed to a public office. Ongoing PEP database screening of beneficial owners is therefore required, not just screening at the point of onboarding.
The customer file should record all periodic review outcomes, including the date of review, what was checked, what was found, and whether any changes to the risk rating or CDD requirements were made.
Technology for KYB Automation
Manual KYB — searching ASIC, collecting documents, chasing directors for identification documents, mapping ownership structures by hand — is time-consuming and inconsistent. For businesses with significant corporate customer volumes, automation is essential.
Australian KYB technology typically integrates with ASIC Connect to pull company data automatically, and with CreditorWatch or similar services for combined ASIC data, credit risk indicators, court judgements, and payment defaults. This provides a comprehensive initial risk assessment of an Australian corporate customer in seconds, rather than the hours required for manual research.
For beneficial ownership, automated tools can map ownership structures to a configurable depth — tracing intermediate entities to identify natural person beneficial owners. For simple structures, this is fully automated. For complex structures with offshore intermediate entities or trusts, human review is still required to make final determinations.
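The indirect-ownership calculation from "Beneficial Ownership in Practice" (60% × 50% = 30%) and the depth-limited tracing described above, generalised to multiple ownership paths, as an added example that is not code from this guide or from any KYB product. The register data, entity names and the `trace_owners` / `beneficial_owners` helpers are constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction

THRESHOLD = Fraction(25, 100)  # the 25% beneficial ownership threshold

# Constructed register: entity -> [(holder, percent held)]. All names are hypothetical.
HOLDERS = {
    "Customer Pty Ltd": [("Company A", 60), ("Company B", 30), ("Individual Z", 10)],
    "Company A": [("Individual X", 50), ("Individual Y", 50)],
    "Company B": [("Individual Y", 40), ("Offshore Holdings", 60)],
}
PERSONS = {"Individual X", "Individual Y", "Individual Z"}


def trace_owners(customer, holders, persons, max_depth=5):
    """Sum each natural person's effective stake over every ownership path.

    Returns (stakes, unresolved): stakes maps person -> Fraction of the customer;
    unresolved maps a non-person entity where tracing stopped -> stake left untraced.
    """
    stakes, unresolved = defaultdict(Fraction), defaultdict(Fraction)

    def walk(entity, share, path):
        if entity in persons:
            stakes[entity] += share
        elif entity in path or len(path) >= max_depth or entity not in holders:
            # Circular holding, depth limit reached, or no register data:
            # stop here and leave the stake for human review.
            unresolved[entity] += share
        else:
            for holder, pct in holders[entity]:
                walk(holder, share * Fraction(pct, 100), path + (entity,))

    walk(customer, Fraction(1), ())
    return dict(stakes), dict(unresolved)


def beneficial_owners(stakes):
    """Persons at or above the threshold, who then require individual KYC."""
    return sorted(p for p, s in stakes.items() if s >= THRESHOLD)


if __name__ == "__main__":
    stakes, unresolved = trace_owners("Customer Pty Ltd", HOLDERS, PERSONS)
    for name, s in sorted(stakes.items()):
        print(f"{name}: {float(s):.0%}")
    print("verify as beneficial owners:", beneficial_owners(stakes))
    print("needs human review:", {e: f"{float(s):.0%}" for e, s in unresolved.items()})
```

This covers shareholding only: Individual Y crosses the threshold solely because two indirect paths are summed, and the 18% held through the untraceable entity is surfaced rather than dropped. Control rights and nominee arrangements still need separate assessment.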
Director and beneficial owner KYC is automated using the same digital KYC tools used for individual customer onboarding. DVS verification, biometric checks, and sanctions and PEP screening can all be triggered automatically from the corporate KYB workflow, significantly reducing the turnaround time for corporate onboarding.
The most important capability for ongoing monitoring is automated ASIC change detection. Services that alert compliance teams when changes are filed with ASIC for monitored companies mean that KYB is maintained in real time, rather than relying on periodic manual reviews to catch changes.
Key Takeaways
- KYB requires verification of the legal entity, its directors, and all beneficial owners above the 25% threshold
- Trust structures require identification of the trustee, settlor, and beneficiary class
- Indirect beneficial ownership must be traced through intermediate entities to natural persons
- Nominee arrangements are a red flag requiring enhanced due diligence
- Ongoing monitoring must include ASIC change detection and periodic risk reassessment
- Automated KYB tools can reduce corporate onboarding from days to minutes