A comprehensive guide to KYC in Australia

Non-compliance with KYC in Australia can lead to severe penalties and sanctions. Read how Persona helps businesses comply with identity requirements.

⚡ Key takeaways
  • Businesses offering designated services in Australia are subject to the country’s KYC requirements under the AML/CTF Act.
  • While KYC requirements differ depending on whether you are verifying an individual or entity, verification processes follow the FATF’s risk-based approach to AML.

Money laundering is a major concern for governments around the world. If your business operates or serves customers in multiple countries, it’s critical to ensure you meet the AML and KYC requirements of each jurisdiction.

Below, we take a closer look at how KYC works in Australia by digging into the Australian AML/CTF Act and its requirements, as well as specific recommendations you can use to ensure you stay compliant with Australian regulations.

What is KYC?

Know Your Customer (KYC) refers to the processes that a business — often a financial institution — takes to verify an individual’s identity and determine whether or not that individual is legally allowed to open an account, use its services, or otherwise be a customer. 

Criminals may attempt to open accounts with financial institutions using fake, stolen, or synthetic identities to launder illicitly obtained funds. Because KYC makes this step, among others, more difficult for criminals, it’s an integral part of anti-money laundering efforts around the world. This includes Australia, where it’s estimated that organized crime and money laundering cost the country $60.1 billion (AUD) each year.

KYC in Australia

In Australia, AML and KYC are regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC), a government agency comparable to FinCEN in the United States. AUSTRAC is responsible for ensuring required institutions comply with the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act.

AML/CTF Act requirements

The law, first passed in 2006 and since enhanced multiple times, requires regulated businesses that provide designated services to meet six key requirements:

  1. Enroll and register with AUSTRAC
  2. Develop and maintain an internal AML/CTF program
  3. Conduct customer due diligence (CDD), including identity verification
  4. Conduct ongoing due diligence
  5. Report suspicious activity and transactions
  6. Maintain activity and transaction records

It’s important to note that the AML/CTF Act requires all regulated businesses to complete CDD and KYC before providing a designated service to a customer. 

Reliable and independent

AUSTRAC does not specify how businesses must verify a customer’s identity, other than suggesting that the exercise can include collecting documents, electronic data, or a mix of both. AUSTRAC does state, however, that businesses are responsible for ensuring that the data or documentation collected for verification is “reliable and independent.”

Reliable and independent documentation includes:

  • An original primary photographic identification document, such as a driver’s license, passport, or government-issued proof of age card.
  • An original primary non-photographic identification document, such as a birth certificate, citizenship certificate, Pensioner Concession Card, Health Care Card, or a Commonwealth Seniors Health Card.
  • An original secondary identification document, such as a notice from the Australian Taxation Office or other government agency, current student card, or utility bill dated within the last 90 days that shows the individual's name and address.

Reliable and independent electronic data must be:

  • Accurate
  • Secure
  • Up-to-date
  • Comprehensive
  • Verified from a reliable, independent source
  • Maintained by a government body under legislation
  • Able to be additionally authenticated

What are designated services in Australia?

Designated services are specific services that carry a high risk of being used for money laundering. Any business offering these services to its customers must comply with AML and KYC requirements.

As outlined in Section 6 of the AML/CTF Act, gambling services, bullion trading services, and many common financial services are considered designated services, which include, but are not limited to, any business that:

  • Takes deposits
  • Issues checks or debit cards
  • Accepts electronic fund transfers
  • Provides remittance services
  • Exchanges foreign or digital currency
  • Provides loans
  • Handles investments
  • Issues life insurance policies
  • Issues traveler’s checks, money orders, or postal orders 
  • Issues stored value cards 
  • Prepares payroll for other businesses

With this in mind, Australian KYC requirements apply to most financial institutions, including banks, fintech companies, credit unions, lenders, insurers, broker/dealers, cryptocurrency exchanges, casinos, trusts, and financial planners. 

KYC in Australia for individuals

When the customer is an individual, regulated businesses must collect and verify, at a minimum, the individual’s full legal name and either their date of birth or residential address. 

Regulated businesses in Australia are required to take a risk-based approach to AML and KYC whereby the customer’s risk profile dictates what and how much information is collected and verified, as well as what forms of verification are needed. A customer deemed to be at a greater risk of money laundering should be subject to a more stringent identity verification process.

KYC in Australia for entities

When the customer is an entity, such as a business or a trust, the rules are a little different. In these cases, AUSTRAC notes that a regulated business must “collect information so that you are reasonably satisfied the customer actually exists.” 

For corporate customers, this includes collecting and verifying the company’s full name and Australian Company Number (ACN) or Australian Registered Body Number (ARBN). Regulated businesses must also determine whether the company is registered with the Australian Securities & Investments Commission (ASIC) as a public or proprietary company.

The company’s beneficial owners must also be identified. This includes any individual that owns 25% or more of the entity, directly or indirectly, as well as anyone who has control over the entity’s finances, business decisions, or operations. AUSTRAC further defines control via “trusts, agreements, arrangements, understandings, policies, or practices.”

Types of KYC verification

The AML/CTF Act gives businesses flexibility to design the verification processes that best align with their risk profile. 

Most typically, the process will include some combination of government ID verification, document verification, and database verification. Other methods, such as selfie verification and video KYC, can also be included.

Document Verification Service (DVS)

Businesses that collect Australian individuals’ or beneficial owners’ government-issued IDs or documents can verify the authenticity of those documents through the Document Verification Service (DVS).

The DVS is maintained by the Australian Department of Home Affairs, which acts as an issuing database. The service compares information from the collected ID or document against the original record to determine whether or not there is a match. AUSTRAC notes that the system is an effective means of identifying forged, stolen, or out-of-date documents.

Documents that can be verified using the DVS include:

  • Birth certificates
  • Centrelink concession cards
  • Certificates of registration by descent
  • Change of name certificates
  • Citizenship certificates
  • Driver’s licenses
  • ImmiCards
  • Marriage certificates
  • Medicare cards
  • Passports
  • Visas
  • Death certificates
  • Aviation and Maritime security identification cards
  • Address details from the Australian Electoral Commission (AEC) 

KYC solutions with Persona

Here at Persona, we understand the importance of complying with KYC regulations — whether your business operates in Australia, the United States, or anywhere else in the world. 

That’s why we’ve designed our Verifications solution to be fully customizable. Build the KYC process that makes sense for you, based on the jurisdictions you operate within and the unique realities of your business. Leverage government ID verification, document verification, database verification, selfie verification, and other common methods.

Enrich your understanding of customer risk with Reports, which integrates with multiple authoritative and issuing database sources across 40+ countries, including the Document Verification Service (DVS) in Australia, for maximum coverage. Quickly and easily check customers against watchlists, checklists, sanctions lists, PEP databases, adverse media, and more.

Interested in learning more? Learn how Lime leveraged Persona’s suite of identity tools to comply with KYC regulations in each jurisdiction it operates in — including Australia. Start for free or get a demo today.

Frequently asked questions

What is the AUSTRAC registry?

Businesses offering certain designated services must register with AUSTRAC before providing these services to customers. This includes any business providing remittance services, as well as any business acting as a digital currency exchange. The registration process can take up to 90 days, and businesses are forbidden from providing services prior to registration.

To register, you need to provide information about the services your business provides, the structure of your business, and the contact details of your business. You’ll also need to provide:

  • Names and contact information of key personnel
  • Your most recent financial statements
  • Business registration numbers (ABN or ACN)
  • Registration details 

An official police document — such as a National Police Certificate, National Police History Check, or foreign equivalent — is also required for AUSTRAC registration.

What penalties do businesses face if they fail to comply with KYC requirements in Australia?

If a business is found to be non-compliant with KYC requirements, AUSTRAC can take a number of enforcement actions. These include:

  • Civil penalty order: Court-ordered fines of up to 100,000 penalty units. For offenses committed after July 1, 2020, penalty units cost $275 AUD each.
  • Enforceable undertaking: A written commitment to AUSTRAC that your business will take (or not take) specific actions in order to become compliant with the AML/CTF Act.
  • Infringement notices: Public notices about how a company has breached portions of the AML/CTF Act.
  • Remedial directions: Instructions to take specific actions in order to become compliant with the law.
  • Written notice: To either appoint an external auditor or undertake a money laundering risk assessment.

What is alternative documentation as it relates to Australian KYC?

AUSTRAC acknowledges that some members of society may face structural barriers that make it difficult for them to obtain the standard identification documents that are typically used for KYC. This may include Aboriginal and Torres Strait Islander peoples, domestic violence survivors, homeless individuals, prisoners, refugees and asylum seekers, those impacted by natural disasters, and more. 

In cases like this, the agency allows businesses to take a risk-based approach in accepting alternative documentation for KYC purposes. Such alternative documentation may include:

  • Referee statements
  • Government correspondence
  • Community ID
  • Indigenous organization membership card
  • Customer self-attestation
