A comprehensive guide to KYC in Australia
If you plan to launch or expand financial services in Australia, understanding Australia's evolving Know Your Customer (KYC) and Know Your Business (KYB) requirements is critical. While the country supports innovation, its robust regulatory regime also maintains clear guardrails.
Australia’s fintech and financial services markets are among the most regulated in the world with heavy penalties for noncompliance. As of July 2023, the penalty for noncompliance is up to AUD $6.26 million AUD for individuals and AUD $31.3 million for corporations per violation.
The country’s primary regulator, the Australian Transaction Reports and Analysis Centre (AUSTRAC), takes enforcement seriously. Comparable to FinCEN in the US, AUSTRAC has imposed millions of dollars in anti-money laundering and counter-terrorism financing (AML/CTF) fines. In one instance, AUSTRAC issued a AUD $1.3 billion penalty for one company alone in 2020 — the largest civil penalty in Australian corporate history.
What’s more, Australia’s AML/CTF regulations are continually expanding:
On November 29, 2024, Australian Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (Amendment 2024), which amends the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).
On August 29, 2025, Australia announced the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (AML/CTF Rules 2025), which will begin to go into effect on March 31, 2026.
Together, these changes represent the largest update to Australia’s AML/CTF regime in recent years. Notably, they expand AML/CTF responsibilities to include higher-risk services such as real estate professionals, lawyers, accountants, trust and company service providers, and dealers in precious stones and metals (“Tranche 2 entities”). The reforms are expected to increase the number of reporting entities from 17,000 to 90,000.
To navigate Australia’s evolving KYC and KYB landscape, you need to understand the key requirements, who enforces compliance, and how to streamline your processes as you grow. Let’s take a closer look.
How does Australia differ from the US when it comes to KYC and KYB compliance?
Australia takes a more prescriptive and centralized approach to KYC and KYB than the US. AUSTRAC directly oversees KYC, KYB, customer due diligence (CDD), and reporting obligations for all regulated sectors, including banks, fintechs, remitters, and digital currency exchanges, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act, s. 212; last amended in 2024).
In contrast, the US takes a more principle-based approach. The Bank Secrecy Act (BSA) is the main federal AML law and is enforced by FinCEN and various regulators. US regulations are more fragmented and tend to leave implementation details to each institution.
We’ve outlined the key differences below:
| Requirement | Australia | United States | Legal basis |
| Supervision | Centralized: AUSTRAC is a single national regulator with uniform guidance for most reporting entities (AML/CTF Act, s. 212). | File within 3 business days, whenever there are reasonable grounds to suspect money laundering or terrorist financing, regardless of transaction amount. | FTRA Art. 4; Reporting Regulation Art. 3 |
| Onboarding | Prescriptive: Australia’s AML/CTF Rules (Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007) spell out exactly which customer details and verification methods you must use, including specific lists of accepted documents and safe-harbor electronic checks (AML/CTF Rules, 4.2.3, 4.2.11, 4.2.13). | Flexible: FinCEN's Customer Due Diligence Rule mandates collection of key data (including name, date of birth, address, and TIN) but allows more flexibility for verification methods (31 CFR §1020.220). | FTRA Art. 4-2, ED-FTRA Art. 8-2, FTRA Art. 10-2(1) |
| Suspicious activity reporting timelines | Three business days, or 24 hours if it involves terrorism (AML/CTF Act, s. 41(2)). | 30 calendar days (31 CFR §1020.320). | ED-FTRA, Arts. 10-3, 10-10 |
| Record retention | At least seven years (AML/CTF Act, s. 107(2)). | Five years (31 CFR §1010.430). | ED-FTRA, Art. 11 |
In short, Australia’s AML/CTF regime removes much of the ambiguity found in US law. While this can simplify compliance if you know the rules, it also means failing to meet a requirement, like missing a data field or verification step, may result in penalties or regulatory scrutiny.
What are the customer identification requirements in Australia?
You’re required to collect detailed information for both individuals and businesses under Australia’s KYC and KYB rules. These rules are administered by AUSTRAC and set out in the AML/CTF Act and Rules.
AML/CTF Act requirements
The law, first passed in 2006 and since enhanced multiple times, requires regulated businesses that provide designated services to meet six key requirements:
Enroll and register with AUSTRAC
Develop and maintain an internal AML/CTF program
Conduct customer due diligence (CDD), including identity verification
Conduct ongoing due diligence
Report suspicious activity and transactions
Maintain activity and transaction records
It’s important to note that the AML/CTF Act requires all regulated businesses to complete CDD and KYC before providing a designated service to a customer.
KYC in Australia
For KYC, you’ll need to collect and verify at minimum (AML/CTF Rules, 4.2.3):
Legal name
“Any other names the customer is commonly known by” (Rules 2025 6-1(2))
Date of birth
Residential address
You must verify the customer’s name and either their date of birth or address using government-issued documents or independent electronic sources (AML/CTF Rules, 4.2.6, 4.2.11, 4.2.13).
AUSTRAC publishes separate guidance for individuals who may not have standard forms of identification, such as refugees, victims of domestic violence, and people experiencing homelessness.
KYB in Australia
For KYB, you’re required to collect and verify the following details (AML/CTF Rules, 4.3.3; Rules 2025, 6-2):
Company name, as registered by the Australian Securities and Investments Commission (ASIC)
Australian Company Number (ACN) or equivalent for foreign companies, such as Australian Registered Body Number (ARBN) or similar identification number by a foreign body
Addresses of both the principal place of business and any registered office
KYC information for beneficial owners (including full name, date of birth, and residential address) holding 25% or more of the business (AML/CTF Rules, 4.12.1-4) or any individuals who govern the entity either directly or indirectly (Rules 2025, 6-2(2)(i))
Type of business — whether the company is registered by ASIC as private or public. If it’s private, you’ll need to collect the name of each company director.
The new 2025 rules outline additional requirements (Rules 2025, 6-2(2)):
Evidence of customer’s existence
Information about the ownership and control structure
Information about the nature of business or operations
For trusts, partnerships, and other entities, you’ll need additional documents such as trust deeds or partnership agreements (AML/CTF Rules, 4.4, 4.5, 4.6; AML/CTF Rules 2005, 6-2, 6-3, 6-4). See AUSTRAC’s high-level reference guide for other types of entities, such as cooperatives, governments, and agents.
What documents and methods can you use for identity verification?
To comply with Australia’s AML/CTF Rules, you must verify customer identity using approved documents or reliable electronic data sources. The accepted forms and methods are designed to ensure you have strong evidence the customer is who they claim to be.
Accepted verification methods
The new amendment and rules emphasize an outcome-based verification approach rather than providing a fixed list of documents. They state that a “reporting entity must…take reasonable steps to establish that the customer is the person the customer claims to be” and “collect…[and] verify, using reliable and independent data…the KYC information…as is appropriate to the ML/TF risk of the customer” (Amendment 2024, s. 28(3), Rules 2025, 5-2(2)).
It’s helpful to understand what previous AML/CTF Rules considered to be “reliable and independent.” They required you to verify KYC information in one of two ways:
Document-based verification: Verify a customer’s name and either their date of birth or address by providing (a) one primary photographic ID document or (b) a combination of primary non-photographic ID and secondary documents (AML/CTF Rules, 4.2.11). We’ll list accepted documents in the next section.
Electronic safe harbor: Verify a customer’s name and either their date of birth or residential address against at least two “reliable and independent electronic data” sources (AML/CTF Rules, 4.2.13–4.2.14). An example of “reliable and independent electronic data” is Australia’s Document Verification Service (DVS), which is managed by the Department of Home Affairs.
For KYB information, you can verify information using reliable and independent documentation, electronic data, or a combination of both (AML/CTF Rules, 4.3.10-13).
Accepted documents for individuals
Below are examples of accepted identification documents. More can be found on AUSTRAC’s website.
| ID type | Accepted documents |
| Primary photographic ID | Australian or foreign passport Australian driver’s license (physical or digital) Government-issued proof-of-age or national identity card |
| Primary non-photographic ID | Birth certificate Citizenship certificate (Australian or foreign, with certified translation if not in English) Concession card (Australian social security benefits card) |
| Secondary ID documents (for name and address verification) | Recent utility bill (within three months) Government-issued notices (within 12 months), such as a social benefit payment or tax bill For minors under 18, school-issued notices (within three months) |
Accepted documents for businesses
For businesses, the following documents will suffice for verification:
ASIC company extract or official registry search (AML/CTF Rules, 4.3.3, 4.3.8)
Certified copy of trust deed (for trusts) (AML/CTF Rules, 4.4.15)
Partnership agreement or association rules (AML/CTF Rules, 4.5, 4.6)
What’s required for customer due diligence (CDD) in Australia?
Customer due diligence (CDD) is core to Australia’s AML/CTF regime. You’re expected to assess the risk of each customer and implement controls appropriate to their risk level (AML/CTF Act, s. 36; Amendment 2024, s. 28(3), 23C), going beyond just collecting documents.
Once you’ve verified your customer’s identity, you’re required to:
Establish whether customers and beneficial owners are politically exposed persons (PEPs) or designated for targeted sanctions: This includes domestic and foreign PEPs, as well as their close associates and family members (AML/CTF Rules, 4.13.1; Rules 2025, 6-7(2)).
Identify and verify all beneficial owners: For businesses, you must determine who ultimately owns or controls 25% or more of the entity, or otherwise exercises effective control. This applies to companies, trusts, partnerships, and associations (AML/CTF Rules, 4.12.1–4.12.4; Rules 2025, 6-8).
Assign and document a risk rating: You must classify customers into risk categories (such as low, medium, or high) based on your internal risk assessment and document the rationale in your AML/CTF program (AML/CTF Act, s. 36, Amendment 2024, s. 28(3), 26N).
In practice, this requires tailoring your ongoing monitoring and reverification frequency to each customer’s risk level.
What’s required for enhanced due diligence (EDD)?
Enhanced due diligence (EDD) is triggered when you identify a customer, transaction, or relationship as presenting a higher risk of money laundering or terrorism financing. AUSTRAC refers to EDD as enhanced customer due diligence (ECDD), and requires it when customers are foreign PEPs, operate in high-risk countries, or have complex ownership structures or suspicious behaviors. The new rules further stipulate that ECDD must be applied for customers who request services that have no apparent economic or legal purpose or involve unusually complex or large transactions (Rules 2025, 6-20).
If you determine that a customer is high risk, you’re required to apply EDD measures, which include (AML/CTF Rules, 4.13.3, 15.9-11):
Obtaining senior management approval: Before establishing or continuing a relationship with a high-risk customer, such as a current or previous PEP, you must get explicit approval from your senior management team (Rules 2025, 5-5).
Establishing the source of funds (SOF) and source of wealth (SOW): You must collect evidence to confirm where a customer’s funds come from and how they accumulated their wealth, such as pay stubs, bank statements, or audited financials (Rules 2025, 6-21(3)).
Conducting enhanced ongoing monitoring: You’ll need to review transactions more frequently and scrutinize unusual or complex patterns. You may need to set stricter monitoring rules, increase the frequency of reviews, or request additional documentation (Amendment 2024, s. 30; Rules 2025, 6-35).
Reverifying customer information more often: AUSTRAC expects you to reverify customers whenever they become a PEP or at a frequency appropriate for their risk levels (AUSTRAC guidance, “ongoing customer due diligence,” 2023; Rules 2025, 6-24).
EDD may also be required if a trigger event (such as a sudden change in activity) raises new concerns about a customer’s risk profile. By applying robust EDD procedure, you can spot red flags early and demonstrate to regulators that you’re actively managing AML/CTF risks within your business.
Is ongoing KYC and KYB monitoring required in Australia?
Ongoing KYC and KYB monitoring is required in Australia’s regulatory framework. After you’ve onboarded your customers, you need to ensure their information stays accurate and up to date and continually monitor transactions for suspicious activity or changes in risk profile.
Australia’s AML/CTF Act requires you to keep your CDD information “up to date” and to reassess customers if their circumstances change. The latest amendment requires you to reassess ML/TF risk at least:
Once every three years (Amendment 2024, 26D(1))
Every two years if you serve the customer as part of nested services (Rules 2025, 6-25, 6-26)
You’re also expected to determine the appropriate frequency based on your internal risk assessment, customer type, and industry best practice (AML/CTF Act, s. 36; Amendment 2024, 30; AML/CTF Rules, 6.1.2–6.1.3; Rules 2025, 6-35).
For customer risk profiles, you’re expected to update them “whenever there are changes in [the customer’s] circumstances” or if you identify a suspicious pattern of behavior. For example, if a customer becomes a PEP, moves to a high-risk jurisdiction, or begins to make large, complex, or unusual transactions, you need to reassess their risk and reverify their information (AML/CTF Rules, 4.13.1, 6.1.2; Rules 2025, 6-35).
In practice, this means you should:
Regularly review and update customer data, especially for high-risk and PEP customers (AUSTRAC guidance).
Conduct periodic reviews at intervals set by your risk-based AML/CTF program. For example, that could mean annually for high-risk customers and on a trigger basis for others (AUSTRAC guidance).
Immediately update records and review risk categories when you detect changes in customer behavior, ownership, or geographic footprint (AML/CTF Act, s. 36).
If you fail to maintain up-to-date records or miss signs of elevated risk, AUSTRAC may issue a formal warning, audit, or significant financial penalty (AML/CTF Act, s. 162, 175, 191)
What do I need to report to regulators in Australia?
Australia requires you to file several types of reports with AUSTRAC, depending on the nature and risk of the transaction. Reporting obligations are a core pillar of Australia’s AML/CTF regime and apply to all “reporting entities” offering designated services.
You must submit the following reports:
Suspicious Matter Reports (SMRs): If you suspect on reasonable grounds that a transaction or attempted transaction may be related to money laundering, terrorism financing, or other criminal activity, you must file a Suspicious Matter Report with AUSTRAC within three business days, or within 24 hours if you suspect terrorism-related activity (AML/CTF Act, s. 41(2)).
Threshold Transaction Reports (TTRs): You’re required to report any cash transaction of AUD $10,000 or more (including cash in, cash out, and series of related transactions) within 10 business days of the transaction (AML/CTF Act, s. 43(2)).
International Funds Transfer Instructions (IFTIs): If you facilitate international fund transfers (either incoming or outgoing), you must report each instruction to AUSTRAC within 10 business days, regardless of amount (AML/CTF Act, s. 45(2)).
Annual compliance report: Most reporting entities must also submit an annual AML/CTF compliance report by March 31 each year, disclosing the state of their compliance program, training, and audit activities (AML/CTF Act, s. 47; Rules 2025, 9-9).
If you fail to report on time, AUSTRAC can impose significant civil penalties and order an audit. In serious cases, AUSTRAC may restrict your ability to offer financial services.
What are Australia’s record-keeping and data retention requirements?
No matter your business model, Australia’s AML/CTF framework requires you to keep comprehensive records of every step in your KYC, KYB, and CDD processes. These records are crucial for audits and regulatory reviews. They also protect your organization if a transaction or relationship is later flagged as suspicious.
According to the amended AML/CTF Act, you must keep all records for at least seven years, which include (AML/CTF Act, s. 106-118):
Records of transactions
Records of customer identification procedures
Records of electronic funds transfer instructions
Records of corresponding banking relationships
Internal AML/CTF program
You can keep these records electronically or in hard copy, as long as they’re accessible and legible for the full retention period. AUSTRAC expects you to have robust systems in place to ensure data integrity, privacy, and timely retrieval. Failure to meet record-keeping requirements is a serious compliance breach and may result in civil penalties or regulatory action.
Who are Australia’s financial regulators, and what do they regulate?
Australia enforces a multi-layered approach to AML/CTF, with AUSTRAC serving as the country’s financial intelligence unit and primary AML/CTF regulator. However, depending on your products and services, you may need to comply with requirements from several other agencies as well.
Here are the primary regulators and their roles:
Australian Transaction Reports and Analysis Centre (AUSTRAC): Oversees and enforces AML/CTF obligations for all reporting entities, including banks, fintechs, digital currency exchanges, and remittance services. AUSTRAC receives all statutory reports and issues sector-specific guidance (AML/CTF Act, s. 212).
Australian Prudential Regulation Authority (APRA): Regulates prudential standards for banks, insurance companies, credit unions, and superannuation funds. APRA’s requirements are a complement, not a replacement, for AUSTRAC’s AML/CTF obligations.
Australian Securities and Investments Commission (ASIC): Supervises financial services and credit providers, market conduct, and consumer protection.
Reserve Bank of Australia (RBA): Regulates payments, settlement systems, and certain financial market infrastructures.
Australian Sanctions Office (ASO) of Department of Foreign Affairs and Trade (DFAT): Administers Australia’s sanctions regime, including UN Security Council and autonomous sanctions. It maintains the Consolidated List of sanctioned individuals and entities. You’re required to screen all customers and transactions against this list and comply with DFAT’s asset‑freezing and sanctions obligations.
State and territory regulators: Oversee niche sectors, such as gambling and lotteries, with additional licensing or consumer protection rules.
If you operate a digital currency exchange or remittance business, you must register with AUSTRAC and comply with the same AML/CTF standards as banks and other financial institutions, including regular renewals (AML/CTF Act, Part 6A).
Australia’s centralized approach means most AML/CTF duties are enforced at the federal level by AUSTRAC, but other regulators may set parallel requirements around licensing, prudential risk, or consumer protection.
What are the main regulations in Australia that fintechs should pay attention to?
Australia has a well-developed, evolving regulatory landscape for KYC, KYB, and AML/CTF. If you’re planning to launch or expand financial services in Australia, you’ll need to pay close attention to several key statutes, rules, and regulatory trends:
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act; last amended 2024): This is the core of Australia’s AML framework. It applies to all “reporting entities” that provide designated services, including banks, fintechs, digital currency exchanges, payment companies, and remitters. The Act spells out your responsibilities for customer identification, due diligence, ongoing monitoring, regulatory reporting, and record retention.
Part 6A (Digital Currency Exchange Register): If you operate a digital currency exchange, you’re required to register with AUSTRAC and renew every three years. This section also sets out ongoing compliance obligations (AML/CTF Act, Part 6A, s. 76H(1)(c)).
AML/CTF Rules Instrument 2007 (AML/CTF Rules) and AML/CTF Rules 2025 (Rules 2025): These rules provide step-by-step guidance for how to fulfill your obligations under the Act. They cover exactly what information to collect for individuals and businesses (KYC and KYB), accepted verification methods, requirements for beneficial owner checks, enhanced due diligence triggers, and more.
Privacy Act 1988: Any personal information you collect and store as part of KYC/KYB must also comply with Australia’s data protection law, including principles around use, storage, and data subject rights.
APRA and ASIC standards: Depending on your business model, you may need to meet further prudential or licensing requirements. APRA regulates banks and insurers for solvency and risk, while ASIC oversees financial services providers and markets.
Australia regularly updates its AML/CTF regime. It publishes current industry consultations and “Future Law Compilation” for laws that are due to go into effect. Given this evolving regulatory landscape, it’s critical to build a flexible compliance program and keep up with the latest developments from AUSTRAC and other regulators.
How Persona can help
Staying compliant in Australia requires navigating a web of evolving regulations, managing sensitive data, and maintaining ongoing KYC and KYB processes. Requirements vary by sector and enforcement is split across multiple regulators, which makes compliance complex.
Persona simplifies this complexity with a flexible, unified platform built for end-to-end identity management. With Persona, you won’t need to stitch together separate tools for individual checks, document collection, ongoing monitoring, and case management. Instead, you can do it all in one secure, seamless platform.
Interested in learning more? Start for free or get a demo today.
FAQs
What are designated services in Australia?
Toggle description visibility
Designated services are specific services that carry a high risk of being used for money laundering. Any business offering these services to its customers must comply with AML and KYC requirements.
As outlined in Section 6 of the AML/CTF Act, gambling services, bullion trading services, and many common financial services are considered designated services, which include, but are not limited to, any business that:
Takes deposits
Issues checks or debit cards
Accepts electronic fund transfers
Provides remittance services
Exchanges foreign or digital currency
Provides loans
Handles investments
Issues life insurance policies
Issues traveler’s checks, money orders, or postal orders
Issues stored value cards
Prepares payroll for other businesses
With this in mind, Australian KYC requirements apply to most financial institutions, including banks, fintech companies, credit unions, lenders, insurers, broker/dealers, cryptocurrency exchanges, casinos, trusts, and financial planners.
How does Australia’s KYC framework compare to the UK, EU, or Singapore?
Toggle description visibility
Each of these regions are FATF-aligned, risk-based, and allow remote and electronic verification. Australia’s acceptance of electronic data and DVS is comparable to:
The UK’s use of electronic verification (eIDV)
The EU’s new AMLR (EU) 2024/1624 recognizes trusted e-ID solutions
Singapore’s MAS Notice 626 sets explicit controls for non-face-to-face CDD
Operationally, the biggest differences are in the details: The UK leans on JMLSG for “how” to do e-verification, the EU harmonizes rules directly via regulation, and Singapore prescribes granular safeguards for remote onboarding.
Persona can support your KYC and KYB programs across these regimes with configurable verification flows, helping teams calibrate assurance with conversion.
How long must KYC and KYB records be kept in Australia?
Toggle description visibility
You must keep KYC and KYB records for seven years after the relationship ends. The same retention period applies to transaction records as well as internal AML program documentation (AML/CTF Act, ss. 107, 113, plus reliance record retention in s. 114).
What are the thresholds for reporting cash transactions in Australia?
Toggle description visibility
If you facilitate a transaction that involves AUD $10,000 or more in physical currency (or foreign equivalent), you must file a Threshold Transaction Report (TTR) with AUSTRAC within 10 business days (Act s. 43(2)).
For more information, see AUSTRAC guidance on “Reporting transactions of $10,000 and over: Threshold transaction reports (TTRs)."
Do Australian KYC rules apply to crypto exchanges?
Toggle description visibility
Yes, digital currency exchange (DCE) services are designated services, so they must adhere to the AML/CTF rules (AML/CTF Act, s. 6, Table 1, item 50A). DCEs must register with AUSTRAC and renew the registration every 3 years.
For more information, see AUSTRAC's guidance on “Digital currency exchange providers.”
What are the rules for remote identity verification in Australia?
Toggle description visibility
Remote identity verification is permitted using “reliable and independent” electronic data. This includes the Document Verification Service (DVS) maintained by Australia’s Department of Home Affairs (AML/CTF Rules 2025, ss. 6‑8(1)(e), 6‑10(d)(iii); AML/CTF Rules, 4.10).
Persona is approved as an Identity Service Provider (IDSP) and can integrate with DVS. For more information, see AUSTRAC's guidance on “reliable and independent documentation and electronic data” and “reliance on customer identification procedures by a third party.”
Is electronic KYC (eKYC) verification allowed in Australia, and what methods are accepted?
Toggle description visibility
Yes, you may verify identity using “reliable and independent” electronic data, including the Document Verification Service (DVS) maintained by Australia’s Department of Home Affairs (Rules 2025, s. 6‑8(1)(e), 6‑10(d)(iii); AML/CTF Rules, 4.10).
For more information, see AUSTRAC's guidance on “reliable and independent documentation and electronic data.”
Can Australian businesses use third-party KYC providers or RegTech platforms for customer onboarding?
Toggle description visibility
Yes, Australia allows businesses to use third-party providers for customer identification procedures (AML/CTF Act, s. 37A, s. 38), as long as certain conditions are met (Rules 2025, Part 6, Div. 8, ss. 6‑29–6‑31).
Persona can act as your KYC provider in Australia. For more information, see AUSTRAC's guidance on “reliance on customer identification procedures by a third party.”
Do Australian KYC obligations apply to foreign digital businesses serving Australian customers?
Toggle description visibility
Yes, KYC obligations apply if the service is provided through an Australian entity or to an Australian resident (AML/CTF Act, s. 6(6)). Many offshore digital businesses fall in scope once they actively service Australian customers or run Australian operations.
Persona can support cross-border onboarding, so foreign businesses can serve Australian customers while meeting Australian standards. For more information, see AUSTRAC's guidance on “the geographical link requirement.”