A comprehensive guide to KYC in Australia
Money laundering is a major concern for governments around the world. If your business operates or serves customers in multiple countries, it’s critical to ensure you meet the AML and KYC requirements of each jurisdiction.
Below, we take a closer look at how KYC works in Australia by digging into the Australian AML/CTF Act and its requirements, as well as specific recommendations you can use to ensure you stay compliant with Australian regulations.
What is KYC?
Know Your Customer (KYC) refers to the processes that a business — often a financial institution — uses to verify an individual’s identity and determine whether or not that individual is legally allowed to open an account, use its services, or otherwise be a customer.
Criminals may attempt to open accounts with financial institutions using fake, stolen, or synthetic identities to launder illicitly obtained funds. Because KYC makes this step, among others, more difficult for criminals, it’s an integral part of anti-money laundering efforts around the world. This includes Australia, where it’s estimated that organized crime and money laundering cost the country $60.1 billion (AUD) each year.
KYC in Australia
In Australia, AML and KYC are regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC), a government agency comparable to FinCEN in the United States. AUSTRAC is responsible for ensuring required institutions comply with the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act.
AML/CTF Act requirements
The law, first passed in 2006 and since enhanced multiple times, requires regulated businesses that provide designated services to meet six key requirements:
Enroll and register with AUSTRAC
Develop and maintain an internal AML/CTF program
Conduct customer due diligence (CDD), including identity verification
Conduct ongoing due diligence
Report suspicious activity and transactions
Maintain activity and transaction records
It’s important to note that the AML/CTF Act requires all regulated businesses to complete CDD and KYC before providing a designated service to a customer.
Reliable and independent
AUSTRAC does not specify how businesses must verify a customer’s identity, other than suggesting that the exercise can include collecting documents, electronic data, or a mix of both. AUSTRAC does state, however, that businesses are responsible for ensuring that the data or documentation collected for verification is “reliable and independent.”
Reliable and independent documentation includes:
An original primary photographic identification document, such as a driver’s license, passport, or government-issued proof of age card.
An original primary non-photographic identification document, such as a birth certificate, citizenship certificate, Pensioner Concession Card, Health Care Card, or a Commonwealth Seniors Health Card.
An original secondary identification document, such as a notice from the Australian Taxation Office or other government agency, current student card, or utility bill dated within the last 90 days that shows the individual's name and address.
Reliable and independent electronic data must be:
Accurate
Secure
Up-to-date
Comprehensive
Verified from a reliable, independent source
Maintained by a government body under legislation
Able to be additionally authenticated
What are designated services in Australia?
Designated services are specific services that carry a high risk of being used for money laundering. Any business offering these services to its customers must comply with AML and KYC requirements.
As outlined in Section 6 of the AML/CTF Act, gambling services, bullion trading services, and many common financial services are considered designated services. This covers, but is not limited to, any business that:
Takes deposits
Issues checks or debit cards
Accepts electronic fund transfers
Provides remittance services
Exchanges foreign or digital currency
Provides loans
Handles investments
Issues life insurance policies
Issues traveler’s checks, money orders, or postal orders
Issues stored value cards
Prepares payroll for other businesses
With this in mind, Australian KYC requirements apply to most financial institutions, including banks, fintech companies, credit unions, lenders, insurers, broker/dealers, cryptocurrency exchanges, casinos, trusts, and financial planners.
KYC in Australia for individuals
When the customer is an individual, regulated businesses must collect and verify, at a minimum, the individual’s full legal name and either their date of birth or residential address.
Regulated businesses in Australia are required to take a risk-based approach to AML and KYC whereby the customer’s risk profile dictates what and how much information is collected and verified, as well as what forms of verification are needed. A customer deemed to be at a greater risk of money laundering should be subject to a more stringent identity verification process.
KYC in Australia for entities
When the customer is an entity, such as a business or a trust, the rules are a little different. In these cases, AUSTRAC notes that a regulated business must “collect information so that you are reasonably satisfied the customer actually exists.”
For corporate customers, this includes collecting and verifying the company’s full name and Australian Company Number (ACN) or Australian Registered Body Number (ARBN). Regulated businesses must also determine whether the company is registered with the Australian Securities & Investments Commission (ASIC) as a public or proprietary company.
The company’s beneficial owners must also be identified. This includes any individual who owns 25% or more of the entity, directly or indirectly, as well as anyone who has control over the entity’s finances, business decisions, or operations. AUSTRAC further defines control via “trusts, agreements, arrangements, understandings, policies, or practices.”
Types of KYC verification
The AML/CTF Act gives businesses flexibility to design the verification processes that best align with their risk profile.
Most typically, the process will include some combination of government ID verification, document verification, and database verification. Other methods, such as selfie verification and video KYC, can also be included.
Document Verification Service (DVS)
Businesses that collect Australian individuals’ or beneficial owners’ government-issued IDs or documents can verify the authenticity of those documents through the Document Verification Service (DVS).
The DVS is maintained by the Australian Department of Home Affairs, which acts as an issuing database. The service compares information from the collected ID or document against the original record to determine whether or not there is a match. AUSTRAC notes that the system is an effective means of identifying forged, stolen, or out-of-date documents.
Documents that can be verified using the DVS include:
Birth certificates
Centrelink concession cards
Certificates of registration by descent
Change of name certificates
Citizenship certificates
Driver’s licenses
ImmiCards
Marriage certificates
Medicare cards
Passports
Visas
Death certificates
Aviation and Maritime security identification cards
Address details from the Australian Electoral Commission (AEC)
KYC solutions with Persona
Here at Persona, we understand the importance of complying with KYC regulations — whether your business operates in Australia, the United States, or anywhere else in the world.
That’s why we’ve designed our Verifications solution to be fully customizable. Build the KYC process that makes sense for you, based on the jurisdictions you operate within and the unique realities of your business. Leverage government ID verification, document verification, database verification, selfie verification, and other common methods.
Enrich your understanding of customer risk with Reports, which integrates with multiple authoritative and issuing database sources across 40+ countries, including the Document Verification Service (DVS) in Australia, for maximum coverage. Quickly and easily check customers against watchlists, checklists, sanctions lists, PEP databases, adverse media, and more.
Interested in learning more? Learn how Lime leveraged Persona’s suite of identity tools to comply with KYC regulations in each jurisdiction it operates in — including Australia. Start for free or get a demo today.
Businesses offering certain designated services must register with AUSTRAC before providing these services to customers. This includes any business providing remittance services, as well as any business acting as a digital currency exchange. The registration process can take up to 90 days, and businesses are forbidden from providing services prior to registration.
To register, you need to provide information about the services your business provides, the structure of your business, and the contact details of your business. You’ll also need to provide:
Names and contact information of key personnel
Your most recent financial statements
Business registration numbers (ABN or ACN)
Registration details
An official police document — such as a National Police Certificate, National Police History Check, or foreign equivalent — is also required for AUSTRAC registration.
If a business is found to be non-compliant with KYC requirements, AUSTRAC can take a number of enforcement actions. These include:
Civil penalty order: Court-ordered fines of up to 100,000 penalty units. For offenses committed after July 1, 2020, penalty units cost $275 AUD each.
Enforceable undertaking: A written commitment to AUSTRAC that your business will take (or not take) specific actions in order to become compliant with the AML/CTF Act.
Infringement notices: Public notices about how a company has breached portions of the AML/CTF Act.
Remedial directions: Instructions to take specific actions in order to become compliant with the law.
Written notice: To either appoint an external auditor or undertake a money laundering risk assessment.
AUSTRAC acknowledges that some members of society may face structural barriers that make it difficult for them to obtain the standard identification documents that are typically used for KYC. This may include Aboriginal and Torres Strait Islander peoples, domestic violence survivors, homeless individuals, prisoners, refugees and asylum seekers, those impacted by natural disasters, and more.
In cases like this, the agency allows businesses to take a risk-based approach in accepting alternative documentation for KYC purposes. Such alternative documentation may include:
Referee statements
Government correspondence
Community ID
Indigenous organization membership card
Customer self-attestation