Updated June 2025

KYC Guide: Identity Verification for Australian Reporting Entities

Customer identification is the foundation of every AML/CTF program. This guide explains what KYC requires under the AML/CTF Act, what documents are acceptable, when enhanced due diligence applies, and how digital verification services work in practice.

What is KYC and Why Does It Matter?

Know Your Customer — KYC — is the process of verifying the identity of customers before and during a business relationship. Under the AML/CTF Act, it forms the centrepiece of customer due diligence (CDD): the set of procedures reporting entities must conduct to understand who they are dealing with, what risks that customer presents, and whether the business relationship should proceed.

KYC matters for two interconnected reasons. First, it is a direct legal obligation — the AML/CTF Act requires customer identification and verification before a designated service is provided, with limited exceptions. Second, it is the enabler of everything else in your AML/CTF Program. You cannot assess a customer's risk without knowing who they are. You cannot monitor their transactions effectively without a baseline understanding of their expected behaviour. You cannot file a meaningful SMR without accurate customer data.

The KYC obligation under the AML/CTF Act applies to all customers of all reporting entities, with certain limited exceptions for low-risk scenarios. The specific requirements vary by customer type — individuals, sole traders, companies, trusts, and partnerships each have different verification requirements — but the principle is consistent: collect reliable information, verify it against independent sources, and document the outcome.

A KYC failure is not just a regulatory risk — it is a practical risk. Criminals exploit weak KYC processes specifically to establish accounts and relationships that can then be used to move illicit funds. Strong KYC is your first line of defence.

Customer Identification Procedures

The AML/CTF Rules set out a two-step customer identification procedure: first, collecting identifying information; second, verifying that information against a reliable and independent source.

For individual customers, the minimum identifying information required is: full legal name, date of birth, and residential address. Additional information may be required depending on the customer's risk profile — for example, nationality, occupation, source of funds, and source of wealth for higher-risk customers.

Verification must confirm the customer is who they say they are. Under the AML/CTF Rules, verification can be achieved by: checking the customer's information against a government-issued document (passport, driver licence, birth certificate), checking against a reliable and independent data source such as the Document Verification Service (DVS), obtaining certified copies from a person authorised to certify them, or using a combination of documents and data sources.

The key principle is independence: the verification source must be separate from the customer themselves. A customer's own statement that they are who they say they are is not verification. A third-party database or government document that corroborates their claim is.

Record-keeping is integral to the KYC process. Under the AML/CTF Act, reporting entities must retain records of their customer identification procedures for seven years. These records must be complete enough to allow AUSTRAC to reconstruct what was collected and verified, and when. A customer identification record that simply notes "passport verified" without recording the document details is inadequate.

Acceptable Identity Documents

The AML/CTF Rules specify the types of documents that can be used to verify customer identity. Documents are categorised by reliability: primary documents provide the highest level of assurance, while secondary documents are used as supporting evidence.

Primary documents for Australian residents include: an Australian passport (current or expired within two years), an Australian state or territory driver licence or photo card, an Australian birth certificate, and an Australian citizenship certificate. These documents are issued by government authorities and contain high-security features making forgery difficult.

Secondary documents include: Medicare cards, utility bills (gas, electricity, water, internet), bank statements, ATO correspondence, and local council rates notices. These are used to supplement primary document verification — typically to confirm residential address where the primary document does not contain an address.

For foreign nationals, acceptable documents include a foreign passport (with any applicable visa documentation), foreign driver licences from certain countries, and other government-issued identity documents. Foreign documents present additional challenges — language barriers, unfamiliar security features, and difficulty verifying authenticity. For higher-risk foreign customers, biometric verification against a live selfie is standard practice.

The Document Verification Service (DVS) is a government-run database that allows organisations to check whether key details on identity documents match government records in real time. DVS integration is now standard practice for digital KYC — it allows an entity to verify an Australian passport or driver licence in seconds without handling a physical document. DVS checks are widely accepted by AUSTRAC as meeting the verification requirement for standard-risk customers.

Standard vs Enhanced Due Diligence

The AML/CTF Act's risk-based approach means not every customer requires the same level of due diligence. The Rules establish three tiers: simplified CDD for lower-risk customers, standard CDD for the majority, and enhanced due diligence (EDD) for higher-risk customers.

Simplified CDD applies where the ML/TF risk is assessed as low. Common examples include: listed companies on recognised exchanges (beneficial ownership is publicly disclosed), government entities and bodies, and regulated financial institutions. Simplified CDD allows entities to collect less information and apply less intensive ongoing monitoring.

Standard CDD applies to the majority of individual and corporate customers. It requires the full identification and verification procedure, an assessment of the purpose of the business relationship, and ongoing monitoring appropriate to the customer's risk profile.

Enhanced due diligence is required where the assessed risk is higher than standard. Common EDD triggers include: politically exposed persons (PEPs), customers from high-risk jurisdictions on FATF's grey or black lists, unusual or complex ownership structures, customers whose source of funds is unclear, and customers seeking higher-risk services such as large cash transactions.

EDD goes beyond standard KYC. It typically requires: source of funds documentation (where did the specific transaction funds come from?), source of wealth information (how did the customer accumulate their overall wealth?), senior management approval before the business relationship is established or continued, and more frequent and intensive ongoing monitoring. EDD is not a one-time exercise — it requires ongoing scrutiny proportionate to the assessed risk level.

Timing of KYC

One of the most fundamental KYC rules under the AML/CTF Act is timing: customer identification and verification must be completed before a designated service is provided, not after. This is a hard rule — not a guideline.

There are limited exceptions in the AML/CTF Rules for specific low-risk scenarios. For example, a remittance provider sending funds on behalf of an unverified customer may complete verification within a short period in defined circumstances. These exceptions are specific and narrow — they do not create a general permission to onboard customers first and verify later.

The "complete before providing" rule creates a practical challenge for businesses with urgent customer needs. A real estate agent, for example, may feel pressure to allow a buyer to proceed before KYC is complete. This pressure must be resisted — proceeding before KYC completion is a breach of the AML/CTF Act regardless of the commercial inconvenience.

Ongoing CDD — the obligation to update and refresh customer information over time — is the other timing dimension. Customer risk profiles change: a low-risk customer may become a PEP, their source of funds may change, or their transaction patterns may become inconsistent with their stated purpose. The AML/CTF Act requires entities to monitor customer information on an ongoing basis and to re-verify identity where material changes occur. Higher-risk customers should be reviewed more frequently — annually is a common standard for high-risk, with lower-risk customers reviewed on a longer cycle.

Beneficial Ownership

For corporate and trust customers, the KYC obligation extends beyond the entity itself to the individuals who ultimately own or control it — the ultimate beneficial owners (UBOs). This is one of the most complex aspects of customer due diligence.

Under the AML/CTF Rules, a beneficial owner is an individual who owns or controls 25% or more of the customer, either directly or indirectly through intermediate entities. For a simple two-shareholder company, identifying beneficial owners is straightforward. For a corporate structure with multiple layers of intermediate companies — perhaps including offshore holding vehicles or trust structures — mapping beneficial ownership to actual natural persons requires careful analysis of each layer.

Where no individual can be identified as owning 25% or more (common in widely-held companies or complex group structures), the entity must identify and verify the senior managing officials who effectively control the entity — typically the CEO, managing director, or equivalent.
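The tracing described above, as an added example that is not part of this guide or any KYC provider's software: effective ownership is multiplied down each layer and summed across paths, the 25% threshold is applied, and where nobody reaches it the senior managing officials are returned instead. The ownership graph, entity names and the `UBO_THRESHOLD` constant are constructed assumptions; the code tests ownership only, so control by other means still needs a human judgement.

```python
# Added example (not the guide's or any KYC provider's code): tracing effective
# ownership through intermediate entities and applying the 25% threshold the
# guide describes, with the senior-managing-official fallback. The ownership
# graph, threshold constant and names below are constructed assumptions.
from collections import defaultdict

UBO_THRESHOLD = 25.0  # per cent, the figure the guide states

def effective_ownership(holdings, customer):
    """Return {natural person: effective % of `customer`}.

    `holdings` maps an entity to {holder: % held}; a holder with no entry in
    `holdings` is treated as a natural person (a leaf of the structure).
    """
    result = defaultdict(float)
    stack = [(customer, 100.0, (customer,))]
    while stack:
        entity, share, path = stack.pop()
        holders = holdings.get(entity)
        if not holders:                      # leaf: a natural person
            result[entity] += share
            continue
        for holder, pct in holders.items():
            if holder in path:               # circular holding: refuse rather than loop
                raise ValueError(f"circular ownership involving {holder}")
            stack.append((holder, share * pct / 100.0, path + (holder,)))
    return dict(result)

def beneficial_owners(holdings, customer, senior_officials):
    """Persons to identify and verify: owners at or above the threshold,
    otherwise the senior managing officials who control the entity."""
    eff = effective_ownership(holdings, customer)
    ubos = {p: round(v, 2) for p, v in eff.items() if v >= UBO_THRESHOLD}
    if ubos:
        return {"basis": "ownership", "persons": ubos}
    return {"basis": "control", "persons": {o: None for o in senior_officials}}

# Constructed sample: the customer company, one domestic holding company and
# one offshore vehicle; everyone else is a natural person.
SAMPLE = {
    "Customer Pty Ltd": {"HoldCo Pty Ltd": 60, "Ann": 40},
    "HoldCo Pty Ltd": {"Bob": 50, "Offshore Ltd": 50},
    "Offshore Ltd": {"Carol": 100},
}

if __name__ == "__main__":
    print(beneficial_owners(SAMPLE, "Customer Pty Ltd", ["Dee (CEO)"]))
```

Carol holds 100% of Offshore Ltd, which holds 50% of HoldCo Pty Ltd, which holds 60% of the customer, so her effective interest is 30% and she must be identified even though she appears nowhere on the customer's own register.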

Trust structures present particular challenges. A trust is not a legal entity — it is a relationship between a trustee (who holds the assets) and beneficiaries (who benefit from them). For a discretionary trust, the trustee has discretion over distributions and the beneficiary class may be broad. The AML/CTF Rules require identification of the trustee (an individual or a corporate trustee, requiring individual KYC or know-your-business (KYB) checks respectively), the settlor, and the beneficiaries (or the class of beneficiaries where discretion applies).

The purpose of beneficial ownership verification is to prevent the use of corporate structures to anonymise the true owner of funds. Without it, a company with no identified natural person owner could move unlimited funds without any individual being accountable.

Digital KYC and Technology

The shift from paper-based to digital KYC has transformed the speed and consistency of customer verification. Manual document review — examining a photocopy of a passport and deciding whether it looks genuine — is inherently inconsistent and time-consuming. Digital KYC automates and standardises the process, improving both customer experience and compliance outcomes.

Modern digital KYC involves several integrated components. Document capture uses optical character recognition (OCR) to extract data from identity documents photographed or scanned via a mobile device. Document authentication checks security features, expiry dates, and document integrity against known templates for thousands of document types globally. Database verification (including Australia's DVS) cross-checks extracted data against government records in real time. Biometric verification captures a live selfie and compares it to the document photo using facial recognition and liveness detection — confirming that the person presenting the document is physically present, not using a stolen document.

Australian reporting entities have access to several integrated digital KYC services. GreenID (Equifax) is the most widely used domestic provider, offering DVS-connected verification of Australian documents. International providers including Sumsub, Trulioo, and Jumio offer global document coverage for businesses with cross-border customer bases.

AUSTRAC accepts electronic verification as meeting the verification requirement for standard-risk customers where the electronic service uses reliable, independent data sources and the outcome is documented. For higher-risk customers, biometric verification adds an additional layer of assurance. The key is documentation — the outcome of every digital KYC check must be stored in the customer record with a clear indication of what was checked and what the result was.

Record Keeping Requirements

The AML/CTF Act imposes a seven-year record retention obligation on all reporting entities. Records that must be retained include: all transaction records (amount, date, currency, parties), all customer identification records (information collected and the verification outcome), copies or extracts of identity documents, the entity's AML/CTF Program and all revisions to it, staff training records, independent audit reports, and all AUSTRAC reports filed (SMRs, IFTIs, TTRs).

Record retention is not just about keeping files — it is about keeping them in a form that is complete, accurate, accessible, and capable of being produced to AUSTRAC on request. Records stored in email threads, staff members' personal drives, or on paper in filing cabinets are technically compliant if they meet the content requirements, but practically problematic when AUSTRAC requests them.

The integrity of records is equally important. Customer identification records that have been modified after the fact — even innocently to correct an error — create an audit trail problem. Best practice is to maintain an immutable record of the original KYC outcome and to create a separate updated record with a notation explaining the correction.
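One way to implement the practice just described, as an added example that is not this guide's or any vendor's code: an append-only log in which each record is hash-chained to the previous one, an original outcome is never edited, and a correction is a new record that references the record it supersedes and must carry a notation. Field names and sample values are assumptions.

```python
# Added example (not the guide's or any vendor's code): an append-only record
# log implementing the guide's advice that the original KYC outcome stays
# immutable and corrections are separate records with a notation. Field names
# and sample values are assumptions.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

class KycRecordLog:
    def __init__(self):
        self._entries = []  # append order; each entry is chained to the previous by hash

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, customer_id, outcome, corrects=None, note=None, recorded_at=None):
        """Record a KYC outcome; `corrects` is the seq of a prior record being corrected."""
        if corrects is not None and not note:
            raise ValueError("a correction must carry a notation explaining it")
        if corrects is not None and not (0 <= corrects < len(self._entries)):
            raise ValueError("correction references a record that does not exist")
        entry = {
            "seq": len(self._entries),
            "customer_id": customer_id,
            "recorded_at": recorded_at or datetime.now(timezone.utc).isoformat(),
            "outcome": outcome,      # what was checked and the result
            "corrects": corrects,
            "note": note,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def current(self, customer_id):
        """Latest record for the customer that has not been superseded by a correction."""
        superseded = {e["corrects"] for e in self._entries if e["corrects"] is not None}
        live = [e for e in self._entries
                if e["customer_id"] == customer_id and e["seq"] not in superseded]
        return live[-1] if live else None

    def verify(self):
        """True unless an entry was altered, reordered or removed after being appended."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In production the chain head (the latest hash) would be anchored somewhere the record store cannot rewrite, such as a write-once audit log, so that `verify()` detects tampering with the store itself and not only edits made through the application.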

Access controls matter. Customer compliance records contain sensitive personal information. Only staff with a legitimate operational need should have access to them. Access to SMR records must be particularly restricted — knowing that an SMR has been filed on a customer would constitute tipping off if disclosed to a person involved with or associated with the customer.

Key Takeaways

  • KYC must be completed before providing a designated service — not after
  • Verification requires checking customer information against an independent source, not just accepting documents
  • The Document Verification Service (DVS) is widely accepted for Australian document verification
  • Enhanced due diligence applies to PEPs, high-risk jurisdictions, and complex ownership structures
  • Beneficial ownership must be traced to natural persons for all corporate and trust customers
  • All KYC records must be retained for seven years in a complete and accessible form
