Know Your Supplier (KYS): Vendor Verification and Compliance in Australia
KYS compliance guide for Australian businesses: AUSTRAC, AML/CTF Act 2006, Modern Slavery Act 2018, ASIC obligations, and Privacy Act 1988 for supplier due diligence in 2026.

Know Your Supplier (KYS) refers to the structured due diligence process organisations apply to vendors, contractors, and supply chain partners before and throughout a business relationship. In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the Modern Slavery Act 2018 (Cth), and the Privacy Act 1988 together create overlapping obligations to scrutinise third-party relationships. AUSTRAC, Australia's financial intelligence and AML/CTF regulator, has significantly increased enforcement activity, making robust KYS controls a compliance priority for Australian reporting entities.
According to AUSTRAC's Annual Report 2024-25, financial crime risks flowing through third-party and vendor relationships remain a key enforcement focus. The Australian Cyber Security Centre (ACSC) reports that Business Email Compromise (BEC) targeting accounts payable departments caused over $84 million in reported losses in the 2023-24 financial year. A structured KYS programme is among the most effective controls to reduce this exposure.
What KYS Covers and Why It Is Required in Australia
A robust KYS programme addresses three risk dimensions: legal identity (ACN/ABN, ASIC company extract, beneficial ownership), financial standing (ASIC-published financials, credit checks via illion or Equifax, absence of insolvency proceedings), and regulatory reputation (AUSTRAC sanctions screening, adverse media, Politically Exposed Persons connections).
The AML/CTF Act 2006, administered by AUSTRAC, requires reporting entities (including authorised deposit-taking institutions, securities dealers, remittance providers, bullion dealers, and gambling service providers) to identify and verify the identity of customers and, in specific circumstances, beneficial owners. The AML/CTF Rules (Compilation No. 6, 2022) specify the customer identification and verification procedures. AUSTRAC can impose civil penalties of up to $18 million per contravention for serious non-compliance, and criminal penalties apply for the most severe cases.
The Modern Slavery Act 2018 (Cth) requires entities with annual consolidated revenue of AUD $100 million or more that are based or operating in Australia to submit an annual Modern Slavery Statement describing risks of modern slavery in their operations and supply chains, and the actions taken to address those risks. The Australian Border Force administers the register of statements, publicly accessible at modernslaveryregister.gov.au.
The Privacy Act 1988, including the Australian Privacy Principles (APPs), governs the collection, use, storage, and disclosure of personal information in the KYS process. The APP 3 (collection of solicited personal information) and APP 11 (security of personal information) are particularly relevant to KYS programmes.
| Law / Regulation | Applies to | Key KYS obligation |
|---|---|---|
| AML/CTF Act 2006 | Reporting entities (banks, dealers, remittance, gambling) | Beneficial ownership verification; third-party due diligence |
| Modern Slavery Act 2018 (Cth) | Entities with AUD $100m or more revenue in/based in Australia | Annual statement on supply chain modern slavery risks |
| Privacy Act 1988 + APPs | All organisations (APPs apply to those with turnover >$3m) | Privacy-compliant collection and retention of supplier personal data |
| ASIC Corporations Act 2001 | Listed companies and ASIC-regulated entities | Director and beneficial owner disclosures |
The 5-Step KYS Verification Process in Australia
Step 1: Document collection. Before engaging a new supplier, collect: a current ASIC company extract (from ASIC Connect), ABN verified via the Australian Business Register (ABR), the most recent filed financial accounts (via ASIC for proprietary companies with turnover > AUD $50m), a beneficial ownership declaration, and banking details with a bank-stamped letter confirming BSB and account number.
Step 2: Identity and registration verification. Search the supplier's ASIC company status on ASIC Connect to confirm registration, active status, and officeholder details. Verify ABN and GST registration on the ABR portal. Check for insolvency, liquidation, or administration via ASIC's published notices and AFSA Insolvency Notices.
Step 3: Sanctions and PEP screening. Screen against the Australian Sanctions List (DFAT), UN Security Council lists, and the OFAC SDN list for USD transactions. For reporting entities under the AML/CTF Act, Politically Exposed Persons (PEPs) screening is required under AML/CTF Rule 4.1.2 (Chapter 4). Use screening tools with daily update feeds that integrate both Australian and international sanctions.
Step 4: Modern slavery and ESG due diligence. For suppliers in higher-risk sectors or geographies, conduct a modern slavery risk assessment aligned with the Australian Border Force Modern Slavery guidance. For entities with Modern Slavery Act reporting obligations, supplier assessments form a core component of the annual statement. Integrate an ESG supplier questionnaire aligned with the UN Guiding Principles on Business and Human Rights.
Step 5: Ongoing monitoring. Configure automated alerts for ASIC status changes (director resignations, strike-offs), ASIC published insolvency notices, and updates to the DFAT Australian Sanctions List. Any request to change banking BSB/account details must trigger an independent callback verification. The ACSC's BEC advisory specifically identifies payment redirection targeting AP departments as a priority threat for Australian organisations.
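As an added example (not code from the article or from CheckFile), the modulus-89 ABN and modulus-10 ACN checksum checks that a KYS intake form can run locally before the ABR and ASIC Connect lookups in Steps 1 and 2. A passing checksum only shows that the number is well-formed; the registry lookup still establishes whether it belongs to the supplier. The sample numbers are sample inputs chosen to satisfy (or, for the mistyped ABN, fail) the checksums.

```python
# Added example, not code from the original article: local checksum checks for an
# Australian Business Number (ABN) and Australian Company Number (ACN).
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)  # published ABN weighting
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)  # published ACN weighting


def normalise(number: str) -> str:
    """Drop spaces and hyphens so '51 824 753 556' and '51824753556' compare equal."""
    return re.sub(r"[\s-]", "", number)


def abn_is_well_formed(abn: str) -> bool:
    """ABN: subtract 1 from the first digit, weight all 11 digits, sum must divide by 89."""
    digits = normalise(abn)
    if not re.fullmatch(r"\d{11}", digits):
        return False
    values = [int(d) for d in digits]
    values[0] -= 1
    return sum(v * w for v, w in zip(values, ABN_WEIGHTS)) % 89 == 0


def acn_is_well_formed(acn: str) -> bool:
    """ACN: weight the first 8 digits; (10 - sum mod 10) mod 10 must equal the 9th digit."""
    digits = normalise(acn)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], ACN_WEIGHTS))
    return (10 - total % 10) % 10 == int(digits[8])


def screen_supplier_identifiers(abn: str, acn: str = "") -> dict:
    """Gate for Steps 1-2: only well-formed numbers go on to the ABR / ASIC Connect lookups."""
    result = {"abn_ok": abn_is_well_formed(abn), "acn_ok": not acn or acn_is_well_formed(acn)}
    result["proceed_to_registry_lookup"] = result["abn_ok"] and result["acn_ok"]
    return result


if __name__ == "__main__":
    # Sample inputs: two numbers that satisfy the checksums and one mistyped ABN (last digit off by one).
    print(screen_supplier_identifiers("51 824 753 556", "004 085 616"))
    print(screen_supplier_identifiers("51 824 753 557"))
```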
False Supplier Fraud in Australia: Practical Controls
On r/Australia, AUSfinance forums, and industry compliance channels, practitioners regularly ask: "Our supplier says they've changed banks. How do we verify this safely?"
Controls recommended by the ACSC align with global best practice:
- Callback verification. Confirm any banking change by calling a phone number from your own systems, never a number provided in the change request email.
- Dual approval. All payment routing changes require two approvers, including a senior Finance officer.
- Automated account validation. Use an automated document verification service that cross-checks account holder identity against ABN/ACN records. CheckFile supports over 3,200 document types in 32 jurisdictions, including Australian company documents.
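The callback and dual-approval controls above (and the banking-change trigger in Step 5) as a gate a payments system could apply before a supplier's BSB and account number are updated, written as an added example (not the article's or CheckFile's code). The record layout, the `senior_finance` role label, and all phone and account numbers are assumptions; the change log entry keeps the callback evidence the compliance file later needs.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

SENIOR_FINANCE = "senior_finance"  # assumed role label (added example, not the article's own code)

@dataclass
class ChangeRequest:
    supplier_id: str
    new_bsb: str
    new_account: str
    phone_in_request: str  # number quoted in the change email; never the callback target

@dataclass
class Callback:
    number_dialled: str
    performed_by: str
    confirmed: bool

def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)

def evaluate_change(req, callback, approvals, phone_on_file, change_log):
    """approvals: list of (name, role). Returns (decision, reasons); appends decision + evidence to change_log."""
    reasons = []
    if not re.fullmatch(r"\d{6}", _digits(req.new_bsb)):
        reasons.append("BSB must be six digits")
    if not req.new_account.isdigit():
        reasons.append("account number must be numeric")
    if callback is None or not callback.confirmed:
        reasons.append("no confirmed callback")
    elif _digits(callback.number_dialled) != _digits(phone_on_file):
        reasons.append("callback did not use the number on file")  # rejects the number from the email
    if len({name for name, _ in approvals}) < 2:
        reasons.append("two distinct approvers required")
    if not any(role == SENIOR_FINANCE for _, role in approvals):
        reasons.append("senior Finance approval required")
    decision = "rejected" if reasons else "approved"
    change_log.append({  # callback evidence and approvers are retained with the decision
        "at": datetime.now(timezone.utc).isoformat(), "supplier": req.supplier_id,
        "bsb": _digits(req.new_bsb), "account": req.new_account, "decision": decision,
        "callback": None if callback is None else vars(callback), "approvers": approvals, "reasons": reasons,
    })
    return decision, reasons

if __name__ == "__main__":
    log, on_file = [], "+61 2 9999 0000"  # constructed supplier master phone number
    req = ChangeRequest("SUP-0042", "062-000", "12345678", "+61 4 0000 1111")
    two = [("a.lee", "ap_clerk"), ("m.chen", SENIOR_FINANCE)]
    print(evaluate_change(req, Callback(req.phone_in_request, "a.lee", True), two, on_file, log))
```

The sample run shows the rejected case: the clerk called the number quoted in the email rather than the one on file.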
The AML/CTF Act 2026 reforms (AML/CTF Amendment Act 2024, effective 31 March 2026) expanded the reporting entity base to include lawyers, accountants, real estate agents, and trust and company service providers โ significantly extending the reach of KYS obligations into professional services supply chains.
For more on detecting document fraud patterns, see our analysis of AI-powered document fraud detection.
KYS, KYC and KYB in the Australian Context
- KYC (Know Your Customer): Mandatory for reporting entities under the AML/CTF Act 2006. Covers customer identification, beneficial ownership, and suspicious matter reporting (SMRs) to AUSTRAC.
- KYB (Know Your Business): Applied during B2B customer onboarding to verify a business entity's ASIC status, ABN, beneficial ownership, and compliance standing. See our KYB onboarding guide.
- KYS (Know Your Supplier): Applied to vendors and sub-contractors; covers supply chain risk, modern slavery obligations, and ASIC-related compliance. Particularly relevant given the AML/CTF Act 2024 expansion.
Privacy Act 1988 and KYS Data
The collection of personal information about supplier representatives and beneficial owners in the KYS process triggers Privacy Act obligations for organisations with annual turnover above AUD $3 million (or those that handle health information, Commonwealth contracts, or certain credit information). Key requirements:
- APP 3: Only collect personal information directly relevant to the KYS purpose; inform individuals at collection
- APP 5: Provide a collection notice explaining why you are collecting the information and how it will be used
- APP 11: Protect supplier personal information with reasonable security measures
- APP 6: Only use or disclose KYS data for the primary purpose of collection (or a directly related secondary purpose)
The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act and can investigate complaints from supplier representatives whose data is mishandled.
Building and Retaining the KYS Compliance File
The AML/CTF Act (section 107) requires reporting entities to retain identification documents for seven years from the date the relevant customer relationship ends. For non-reporting entities subject to the Modern Slavery Act, records supporting the annual statement should be retained for at least the current reporting period plus five years. Privacy Act APP 11.2 requires that personal information no longer needed for the purpose of collection be destroyed or de-identified.
A compliant KYS file should include:
- ASIC extract and ABN verification with timestamps
- DFAT/OFAC/UN screening results with date and system version
- Modern slavery risk assessment and supplier responses
- Beneficial owner declarations and verification records
- Identity of staff who conducted and approved each verification step
- Change log for all banking routing updates with callback evidence
CheckFile stores all verification records in a tamper-evident audit trail meeting ISO 27001 standards. View our pricing plans for supplier verification workflows adapted to Australian compliance requirements.
Frequently Asked Questions
Does KYS apply to Australian SMEs, or only large entities?
The Modern Slavery Act reporting obligation applies to entities with AUD $100 million or more in annual consolidated revenue. The AML/CTF Act applies to reporting entities regardless of size. For SMEs, privacy and fraud prevention obligations under the Privacy Act (turnover > AUD $3m) and practical pressure from large customers requiring supply chain compliance certifications make KYS relevant. The AML/CTF Act 2024 reforms also bring more professional service providers into the reporting entity category from March 2026.
How do I verify the beneficial ownership of an Australian supplier?
Under the Corporations Act 2001, shareholders holding 5% or more of a public company must be disclosed in the substantial shareholding register (available on ASIC Connect). For private companies, directors must maintain a shareholder register; request a copy from the supplier. Under the AML/CTF Act 2024 reforms, reporting entities will have enhanced beneficial ownership verification requirements for their own clients, which indirectly increases supplier expectations.
What is the difference between supplier qualification and KYS in Australia?
Supplier qualification assesses technical capability, quality assurance, and commercial terms, and is typically managed by Procurement. KYS focuses on legal identity, financial standing, beneficial ownership, and regulatory risk (AUSTRAC, sanctions, modern slavery). Both complement each other within an integrated vendor management framework.
How often should KYS be renewed for Australian suppliers?
Best practice is annual re-verification for all active suppliers, plus immediate re-verification at any triggering event: director changes, banking detail modifications, contract renewals, or adverse media alerts. For high-risk suppliers (FATF-flagged jurisdictions, extractive industries with modern slavery risk, AML/CTF Act expanded-sector suppliers from 2026) continuous monitoring with automated alerts is recommended.
How does the Modern Slavery Act affect smaller companies in our supply chain?
The Modern Slavery Act 2018 (Cth) mandates statements only from entities with AUD $100m+ revenue. However, the annual statement must describe risks in the supply chain, including risks in smaller suppliers. This means reporting entities must conduct due diligence on their suppliers regardless of those suppliers' own reporting obligations. Queensland's proposed state-level modern slavery legislation may extend formal obligations further.
This article is for informational purposes only and does not constitute legal advice. Australian regulatory obligations vary by industry and company size. Consult qualified legal counsel for advice specific to your compliance programme.