Know Your Supplier (KYS): Vendor Verification Checklist for Australian Procurement
Australia-specific KYS guide: AUSTRAC, AML/CTF Act 2006, ASIC, and Privacy Act compliance. 12-step vendor verification checklist, ABN/ACN checks, red flags, automation.

Know Your Supplier (KYS) is the structured due diligence process used by Australian procurement and compliance teams to verify the legal identity, beneficial ownership, sanctions profile, and bank account details of suppliers before and during a commercial relationship. In Australia, supplier verification obligations are shaped by a distinct regulatory architecture: AUSTRAC (Australian Transaction Reports and Analysis Centre) enforces the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), while ASIC (Australian Securities and Investments Commission) and the ATO (Australian Taxation Office) maintain the commercial and tax registries used in vendor verification.
Australia's AML/CTF framework is currently undergoing its most significant reform since 2006, with the AML/CTF Amendment Act 2024 expanding the scope of reporting entities to include lawyers, accountants, real estate agents, and trust and company service providers – a "Tranche 2" expansion that took effect from 31 March 2026. This expansion directly increases the number of entities required to perform enhanced due diligence on vendors.
Australian procurement teams that automate their KYS process reduce manual processing time by 83% and cut the cost per supplier dossier by 67% (CheckFile platform data, internal analysis 2026).
What Is Know Your Supplier (KYS) in Australia?
KYS is the procurement-side equivalent of Know Your Customer (KYC) under the AML/CTF Act – applying the same customer due diligence rigour to vendors that reporting entities must apply to their customers. For non-reporting entities, KYS draws on the same principles as the best-practice framework established by AUSTRAC guidance.
A complete Australian KYS programme covers:
- Legal entity verification (ABN, ACN, ASIC company extract)
- Beneficial ownership identification under the AML/CTF Act and Corporations Act 2001 definition of significant influence
- Sanctions screening against the Australian Autonomous Sanctions list, OFAC SDN list, and UN Security Council consolidated list
- PEP checks for company officers, directors, and beneficial owners
- Adverse media screening for AUSTRAC enforcement, ASIC banning orders, and ATO non-compliance
- Bank account ownership verification (BSB and account number matching to ABN/ACN)
As of 31 March 2026, the AML/CTF Amendment Act 2024 expands reporting entity obligations to lawyers, accountants, and real estate professionals, requiring them to apply AUSTRAC-standard customer due diligence to their vendor relationships (AUSTRAC – AML/CTF reforms).
Australian Regulatory Framework for KYS
AML/CTF Act 2006 (as amended 2024): Australia's primary AML/CTF statute, administered by AUSTRAC. Reporting entities must implement AML/CTF programmes covering customer identification, verification, and ongoing due diligence. The 2024 amendment (Tranche 2) extends these obligations to designated non-financial businesses and professions (DNFBPs) from March 2026.
AUSTRAC guidance on third-party due diligence: AUSTRAC's compliance resources include sector-specific guidance, risk indicators, and red flags for third-party due diligence that procurement teams can apply directly to vendor verification.
ASIC (Australian Securities and Investments Commission): maintains the ASIC company register, the source of authoritative information on company registration, registered agents, directors, and shareholders. The ASIC Connect database is the primary source for vendor entity verification.
Privacy Act 1988 + Australian Privacy Principles (APPs): the collection and use of personal information in KYS processes must comply with the 13 Australian Privacy Principles under the Privacy Act 1988, overseen by the OAIC (Office of the Australian Information Commissioner). The current Privacy Act review is expected to strengthen obligations around cross-border data transfers and consent.
Modern Slavery Act 2018 (Commonwealth): entities with consolidated revenue above A$100 million must submit annual modern slavery statements disclosing supply chain due diligence efforts. The Australian Border Force modern slavery register is publicly searchable.
| Regulation | Threshold | Primary KYS Obligation |
|---|---|---|
| AML/CTF Act 2006 (as amended 2024) | Reporting entities (inc. Tranche 2 from March 2026) | CDD on customers and third parties in scope |
| Corporations Act 2001 | All companies | ASIC company extract and beneficial ownership |
| Privacy Act 1988 + APPs | All organisations | Privacy compliance in verification processes |
| Modern Slavery Act 2018 | >A$100M consolidated revenue | Annual supply chain due diligence statement |
KYS Verification Checklist: 12 Required Steps
Steps 1–4: Legal Entity Verification
| Document | Official Source | Review Frequency |
|---|---|---|
| ASIC company extract | ASIC Connect | On onboarding + annually |
| Company constitution | ASIC / company records | On onboarding |
| Beneficial ownership / significant persons | ASIC register | On onboarding + on change |
| ABN and GST registration | ABN Lookup | On onboarding and before each significant payment |
Steps 5–6: Bank Account Verification
Authenticating BSB and account number against the ABN/ACN holder is the primary defence against payment diversion fraud – a category where the Australian Cyber Security Centre reports consistent year-on-year increases. Business Email Compromise (BEC) attacks represented 31% of supplier fraud documented on our platform. Verification must be repeated for every communicated banking change, using an independently confirmed communication channel.
Steps 7–9: Sanctions, PEP, and Adverse Media Screening
Screening must cover the Australian Autonomous Sanctions List (administered by DFAT), the UN Consolidated List, and the OFAC SDN list. PEP definitions under AUSTRAC guidance include Australian and foreign politically exposed persons. Adverse media searches should cover AUSTRAC enforcement actions, ASIC banning orders and disqualifications, and ATO large market compliance actions.
Steps 10–12: Sectoral and Operational Checks
Depending on the supplier's sector: Australian Business Licence and Information Service (ABLIS) registrations, professional indemnity and public liability insurance, WorkCover / state workers' compensation compliance, and any APRA-regulated activity licences.
Risk Scoring Model
| Risk Tier | Criteria | Review Cycle |
|---|---|---|
| Low | Australian-registered, <A$50K/year, non-regulated sector | Annual |
| Medium | Foreign-registered, A$50K–A$500K/year, or regulated sector | Semi-annual |
| High | >A$500K/year, FATF grey/black-list jurisdiction, or regulated services | Quarterly + EDD |
| Critical | Strategic supplier, operations in sanctioned territories | Continuous monitoring |
The CheckFile Document Risk Index scores supplier dossiers in high-transaction sectors at an average of 6.2/10, justifying systematic automation to maintain verification completeness across large Australian vendor portfolios.
KYS vs KYC vs KYB: Key Differences in Australia
| Process | Target | Primary Australian Context |
|---|---|---|
| KYC (Know Your Customer) | Customers, account holders | ADIs, brokers (AUSTRAC AML/CTF programme) |
| KYB (Know Your Business) | Business partners, distributors | B2B onboarding, ASIC-regulated entities |
| KYS (Know Your Supplier) | Vendors, subcontractors, service providers | Procurement, supply chain, accounts payable |
For the complete business entity verification process, see our guides on KYB business document verification and the vendor due diligence checklist.
Red Flags in Australian Vendor Verification
Australian compliance professionals identify these as high-priority warning signals:
- Banking change notification by email only, no call-back verification to the ABN-registered phone
- Vendor ABN cancelled or not currently registered
- ASIC extract shows directors who are disqualified from managing corporations
- ABN Lookup shows GST registration as cancelled or never held (for a supplier issuing tax invoices)
- Beneficial owner or director on the Australian Autonomous Sanctions List or DFAT adverse notice list
- Invoice address in a different state from the ASIC registered office with no operational explanation
- Refusal to provide a current ASIC company extract or ABN Lookup confirmation
Modern Slavery Act Considerations
For KYS purposes, the Modern Slavery Act 2018 creates reporting obligations that effectively require supply chain due diligence as a documented programme. Key practical implications:
- Annual modern slavery statements must describe the actions taken to assess and address modern slavery risk in the supply chain
- Risk-based due diligence on higher-risk suppliers (by geography, industry, or workforce profile) is expected
- Statements are published on the Australian Border Force modern slavery register and are publicly searchable
Automating Your Australian KYS Process
Managing KYS manually for a portfolio of 100 active vendors means 200–300 individual verifications per year – a volume that grows faster than procurement headcount in most organisations.
CheckFile automates the full KYS workflow: document collection, verification against ASIC, ABR (Australian Business Register), DFAT sanctions lists, and OFAC, plus PEP screening and audit trail generation that meets AUSTRAC record-keeping requirements. See the document verification guide for the full methodology.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice under Australian Commonwealth or state law. Consult a qualified Australian compliance professional for advice specific to your situation.
Frequently Asked Questions
What is Know Your Supplier (KYS) in Australia?
KYS in Australia is the due diligence process by which procurement teams verify the legal identity (ASIC company extract, ABN), beneficial ownership, sanctions profile (Australian Autonomous Sanctions List, OFAC), and bank account details of their suppliers – aligned with AUSTRAC AML/CTF programme requirements and the Modern Slavery Act 2018 supply chain due diligence obligations.
Is KYS mandatory under Australian law?
Directly mandatory for AUSTRAC reporting entities (ADIs, broker-dealers, and from March 2026, lawyers, accountants, and real estate agents) under the AML/CTF Act. The Modern Slavery Act imposes supply chain due diligence obligations on entities with revenue above A$100 million. All companies are prohibited from dealing with DFAT-sanctioned entities. The Privacy Act 1988 creates obligations for the collection and use of personal data in KYS processes.
What is the difference between ABN and ACN in vendor verification?
The ABN (Australian Business Number) is a unique 11-digit identifier for all businesses, trusts, and other entities. It can be verified for free via ABN Lookup. The ACN (Australian Company Number) is a 9-digit number issued by ASIC specifically to companies registered under the Corporations Act 2001. For KYS, both should be verified – the ABN confirms GST registration status, while the ACN confirms the company's ASIC registration and current status.
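An added example (not CheckFile's code and not part of the original article): a local pre-check to run on supplier-provided numbers before the ABN Lookup and ASIC searches described above. It applies the published ABN (modulus 89) and ACN check-digit rules and flags a company ABN whose last nine digits differ from the supplied ACN; the function names and finding codes are hypothetical, and the identifiers in the comments are sample values chosen to satisfy the checksums.

```python
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)


def _digits(value):
    """Drop spaces and hyphens; return None if anything else is not 0-9."""
    cleaned = re.sub(r"[\s-]", "", value)
    return cleaned if re.fullmatch(r"[0-9]+", cleaned) else None


def abn_checksum_ok(abn):
    """ABN rule: subtract 1 from the first digit, weight, sum, divide by 89."""
    d = _digits(abn)
    if d is None or len(d) != 11:
        return False
    nums = [int(c) for c in d]
    nums[0] -= 1
    return sum(w * n for w, n in zip(ABN_WEIGHTS, nums)) % 89 == 0


def acn_checksum_ok(acn):
    """ACN rule: weight the first 8 digits; 9th is the mod-10 complement."""
    d = _digits(acn)
    if d is None or len(d) != 9:
        return False
    total = sum(w * int(c) for w, c in zip(ACN_WEIGHTS, d[:8]))
    return (10 - total % 10) % 10 == int(d[8])


def precheck_vendor(abn, acn=None):
    """Return finding codes (hypothetical names); empty list = go to lookup."""
    findings = []
    abn_ok = abn_checksum_ok(abn)
    if not abn_ok:
        findings.append("ABN_CHECKSUM_FAIL")
    if acn is not None:
        if not acn_checksum_ok(acn):
            findings.append("ACN_CHECKSUM_FAIL")
        elif abn_ok and _digits(abn)[2:] != _digits(acn):
            # A company's own ABN normally ends in its ACN. A mismatch is a
            # prompt for manual review (e.g. a trust's ABN), not proof of fraud.
            findings.append("ABN_ACN_MISMATCH_REVIEW")
    return findings

# Sample call: precheck_vendor("53 004 085 616", "004 085 616")
```

A clean result only shows the numbers are well-formed; registration, GST status and current company status still have to be confirmed at the authoritative source.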
What documents should I collect for vendor KYS in Australia?
The core Australian KYS document set includes: ASIC company extract (<3 months), ABN Lookup confirmation, company constitution (if applicable), beneficial ownership / significant persons disclosure, bank account letter on company letterhead (with BSB and account), public liability and professional indemnity insurance certificates, and any APRA-regulated activity licences. Each document must be verified against the authoritative source.
What is AUSTRAC's role in supplier due diligence?
AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's financial intelligence and AML/CTF regulator. It enforces the AML/CTF Act, which requires reporting entities to conduct customer due diligence and implement AML/CTF programmes. AUSTRAC's published guidance – including typologies, risk indicators, and red flags – provides the baseline framework for supplier due diligence even for non-reporting entities seeking best-practice compliance.