
KYC and AML for Crowdfunding Platforms in Australia: 2026 Compliance

Complete guide to KYC and AML obligations for Australian crowdfunding platforms under the Corporations Act 2001, AUSTRAC AML/CTF Act 2006, and Privacy Act 1988: investor verification, IVS, and compliance in 2026.

CheckFile Team

Australian crowdfunding platforms — known as CSF platforms under the Crowd-sourced Funding (CSF) regime — operate in a tightly regulated environment that blends securities law administered by the Australian Securities and Investments Commission (ASIC) with anti-money laundering obligations enforced by AUSTRAC. The legislative foundations were put in place by the Corporations Amendment (Crowd-sourced Funding) Act 2017, which introduced the CSF framework into Part 6D.3A of the Corporations Act 2001, initially for public companies and extended to proprietary companies in 2018. Under this regime, eligible issuers can raise up to A$5 million per year via registered CSF intermediaries, subject to investor protections that include caps and cooling-off rights.

For any platform entering this space in 2026, the compliance picture involves at least three separate frameworks: the CSF rules under the Corporations Act, the AML/CTF programme requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and the privacy obligations under the Privacy Act 1988. This guide explains each layer and how they interact.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date (June 2026). Consult a qualified professional for advice tailored to your specific situation.

Australian Crowdfunding: The CSF Framework and ASIC

ASIC is the primary regulator for CSF intermediaries, responsible for granting and supervising licences, publishing regulatory guidance, and taking enforcement action where platforms fail to meet their obligations. Before a platform can operate, it must obtain an Australian Financial Services Licence (AFSL) with a CSF intermediary authorisation from ASIC — there is no lighter-touch registration pathway.

Issuer eligibility under the CSF regime requires that the company seeking to raise funds be an Australian public or proprietary company with gross assets and annual turnover each below A$25 million. This cap is designed to target genuine early-stage businesses rather than established firms seeking an alternative to a formal prospectus.

The key parameters of the CSF framework in 2026 are:

  • Annual raise cap: A$5 million per issuer per 12-month period across all CSF offers, regardless of how many platforms are used.
  • Retail investor cap: Each retail investor is limited to A$10,000 per individual CSF offer. If an investor has already invested A$10,000 across all CSF offers in the preceding 12 months, further investment is not permitted until that 12-month window resets.
  • Cooling-off period: Retail investors have 5 business days from the date of their application to withdraw their commitment without penalty or reason — a significant investor protection not present in all comparable regimes.
  • Offer document: Issuers must prepare a compliant CSF offer document, filed with ASIC, covering financial statements, business description, risk factors, and use of funds.

ASIC's Regulatory Guide 261 (RG 261) is the key operational reference for CSF intermediaries, setting out platform obligations in relation to investor verification, offer document review, gating controls, and ongoing reporting to ASIC.

Australia CSF vs EU ECSP: A Quick Comparison

| Feature | CSF (Australia) | EU ECSP Regulation |
|---|---|---|
| Max raise per issuer | A$5M/year | €5M/year |
| Retail investor cap | A$10,000 per offer | €1,000 per project |
| Cooling-off period | 5 business days | 4 calendar days |
| Regulator | ASIC | National authority + ESMA |
| AML supervisor | AUSTRAC | National AML authority |
| Data protection | Privacy Act 1988 + APPs | GDPR + national DPA |
| Licence required | AFSL with CSF auth | ECSP authorisation |

Both regimes reflect a similar policy intent — enabling retail participation in early-stage capital raises while managing risk through caps and investor disclosures — though the mechanics differ. The EU's passporting framework, which allows a single authorisation to cover all 27 member states, has no equivalent in Australia. For more on how document requirements interact with cross-border compliance, see our document compliance guide.

KYC Requirements for Australian Investors

Because CSF intermediaries are reporting entities under the AML/CTF Act 2006, they must implement a formal KYC programme — described in the AML/CTF framework as Part B of the entity's AML/CTF Programme — before onboarding any investor.

Standard Customer Due Diligence (SCDD) for individual investors requires platforms to collect and verify:

  • Full legal name
  • Date of birth
  • Residential address

These three data points must be confirmed through an acceptable verification method. AUSTRAC's AML/CTF Rules set out the Identity Verification Standard (IVS), which defines the documents and electronic sources that satisfy this obligation.

Acceptable verification documents for individual investors include:

  • Australian passport — the gold-standard primary document, checked against the DVS
  • State or territory driver's licence — each state and territory issues its own licence (NSW, VIC, QLD, SA, WA, TAS, NT, ACT), but all are valid nationally for identity verification purposes; all can be verified via the DVS
  • Medicare card — accepted as a secondary document to corroborate identity data
  • Birth certificate — accepted for name and date of birth verification

Electronic verification via the DVS is the most efficient method for online platforms. The Document Verification Service (DVS), operated by the Australian Government through the Department of Home Affairs, enables real-time checking of identity documents against the records held by the issuing agency — for example, cross-checking a passport number directly against the Department of Foreign Affairs and Trade's passport database, or a driver's licence against the relevant state roads authority. DVS checks satisfy AUSTRAC's electronic verification requirements and are preferable to manual document inspection for online-only platforms.

A common compliance question: the Tax File Number (TFN) issued by the Australian Taxation Office (ATO) is not collected as part of the KYC process under the AML/CTF Rules. However, platforms may need to collect TFNs for investment tax reporting — for instance, when withholding tax applies to investment income. TFN collection is governed by the Privacy Act and the Tax Administration Act, and platforms must only collect TFNs if they have a legal basis to do so.

On investor categorisation: unlike the EU ECSP's knowledge test or the UK FCA's appropriateness assessment, the Australian CSF regime does not impose an income or asset test on retail investors to determine eligibility. Retail investors are simply capped at A$10,000 per offer. Sophisticated investors and professional investors — as defined under sections 708 and 761GA of the Corporations Act — are not subject to these caps.

CheckFile supports over 3,200 document types across 32 jurisdictions, making it well-suited for CSF platforms onboarding investors from Australia and abroad, with DVS-compatible verification workflows and structured AUSTRAC-aligned output records.

KYB: Verifying Business Issuers

Before a CSF offer can be listed on a platform, the intermediary must verify the identity and legal status of the issuing company. Australia's business register infrastructure, though administered at the national level by ASIC, is supplemented by the Australian Business Register (ABR) managed by the ATO.

The two key identifiers for Australian businesses are:

  • ACN (Australian Company Number): A unique 9-digit number issued by ASIC to every company registered under the Corporations Act. Platforms can verify an ACN via ASIC's company register at search.asic.gov.au, which also provides current director details, registered office address, and share structure.
  • ABN (Australian Business Number): An 11-digit identifier issued by the ATO to all businesses operating in Australia. The ABN Lookup tool at abr.gov.au allows platforms to confirm whether an entity is registered for GST, confirm the entity's legal name, and check its business status.

For KYB, a robust verification pack for a CSF issuer should typically include:

  • ASIC company extract (confirming ACN, directors, registered address, and share structure)
  • ABN confirmation from the ABR
  • Certificate of registration from ASIC (confirming date of incorporation)
  • Photo ID for all directors and officers (verified against the DVS or equivalent)
  • Self-certified beneficial ownership declaration

Beneficial ownership remains an area of ongoing reform in Australia. As of mid-2026, Australia does not have a comprehensive public UBO registry equivalent to the EU's beneficial ownership registers. ASIC's company register discloses significant shareholders at a headline level — for listed companies, the threshold for disclosure is a 5% holding; for proprietary companies, all shareholders are recorded but information is not always publicly accessible. The Director Identification Number (DIN) system, introduced progressively from 2021 under the Modernising Business Registers programme, requires all company directors to hold a unique DIN, which aids in identity verification across the Australian company register system.

The Australian Government announced intentions in 2023 to establish a public register of beneficial owners of companies, trusts, and partnerships, with implementation expected to progress incrementally. Platforms should monitor ASIC and Treasury announcements on this topic. In the interim, self-certified UBO declarations supported by ASIC extracts and DIN verification represent best practice.

For more on CheckFile's KYB workflows, visit CheckFile's verification solutions.


AML/CTF Obligations: AUSTRAC and the AML/CTF Act 2006

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) is the primary AML legislation in Australia and applies to organisations that provide "designated services" listed in the Act. CSF intermediaries, as AFSL holders providing financial services including the facilitation of fundraising and investor payments, are reporting entities under the AML/CTF Act.

AML/CTF Programme requirements: Every reporting entity must maintain a documented AML/CTF Programme with two required components:

  • Part A (General Controls): Covers the entity's risk assessment, Board and senior management oversight, employee due diligence, training programme, and independent audit obligations.
  • Part B (Know Your Customer Procedures): Specifies the customer identification and verification procedures the entity will apply. Must be tailored to the entity's risk profile.

Programmes must be reviewed and updated at least annually, or whenever a material change in the business's risk profile occurs.

AUSTRAC registration: All reporting entities must register with AUSTRAC before commencing operations that constitute designated services. Registration is completed via the AUSTRAC Online portal at austrac.gov.au. Failure to register is a criminal offence under the AML/CTF Act.

Reporting obligations to AUSTRAC:

  • Suspicious Matter Reports (SMRs): Filed when the reporting entity forms a suspicion that a matter is related to money laundering, terrorist financing, or other serious offences. There is no minimum dollar threshold. The report should be filed as soon as practicable, and within 24 hours when the suspicion relates to terrorism.
  • Threshold Transaction Reports (TTRs): Required for physical currency transactions of A$10,000 or more. Must be submitted to AUSTRAC within 10 business days of the transaction.
  • International Fund Transfer Instructions (IFTIs): Required for international wire transfers sent or received. Must be reported to AUSTRAC within 10 business days.

PEP and sanctions screening: Platforms must screen investors and issuers against relevant sanctions lists. The primary Australian reference is the DFAT consolidated sanctions list, maintained by the Department of Foreign Affairs and Trade at dfat.gov.au. AUSTRAC publishes regular guidance on sanctions compliance and expects reporting entities to have automated screening processes capable of matching against current lists, including variations in name spelling.

Further guidance on AUSTRAC obligations is available at austrac.gov.au.

Privacy Act 1988 and Australian Privacy Principles

The Privacy Act 1988 governs how organisations collect, use, disclose, and store personal information. It applies to private sector organisations with annual turnover above A$3 million, as well as to certain categories of organisations regardless of size — including those that handle health information or provide certain services to the government. CSF intermediaries operating at any meaningful scale will exceed the turnover threshold and must comply.

The Privacy Act contains 13 Australian Privacy Principles (APPs), several of which are directly relevant to KYC operations:

  • APP 3 (Collection): Personal information may only be collected if it is reasonably necessary for the entity's functions or activities. For KYC, this means collecting the minimum data required by the AML/CTF Rules — name, date of birth, address — and not routinely collecting unnecessary additional data such as TFNs without a specific legal basis.
  • APP 5 (Notification): At or before the time of collecting personal information, the entity must take reasonable steps to notify the individual of the entity's identity, the purpose of collection, and the individual's rights.
  • APP 6 (Use and disclosure): Information collected for KYC purposes may only be used or disclosed for that purpose, or for a directly related purpose, or with the individual's consent. Sharing KYC data with unrelated third parties for marketing is prohibited.
  • APP 11 (Security): Organisations must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. For KYC data — which includes identity documents and financial information — this requires encryption at rest and in transit, access controls, and documented data security policies.
  • APP 12 and 13 (Access and correction): Individuals have the right to access the personal information an organisation holds about them, and to request correction of inaccurate data.

The Office of the Australian Information Commissioner (OAIC) is the privacy regulator. The OAIC can investigate complaints, conduct audits, and issue determinations that may require organisations to change their practices or pay compensation.

Recent privacy reforms: The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 significantly increased maximum penalties — up to A$50 million for serious or repeated privacy breaches by organisations. Further reforms under the Privacy Act Review (completed in 2023) are working through Parliament as of 2026, with proposals including a direct right of action for individuals, greater controls over targeted advertising, and expanded definitions of sensitive information. Platforms should treat these reforms as likely to increase compliance obligations over the coming years.

Notifiable Data Breaches (NDB) scheme: Under Part IIIC of the Privacy Act, organisations must notify the OAIC and affected individuals of any data breach that is likely to result in serious harm. For KYC data — which, if exposed, could facilitate identity theft — the threshold for notification is likely to be met in most breach scenarios. Platforms must have incident response plans that include breach assessment, containment, and NDB notification procedures.

Retention: The AML/CTF Act requires reporting entities to retain transaction records and KYC records for seven years from the date of the relevant transaction or the end of the customer relationship. The Privacy Act's general principle is that personal information should not be retained longer than necessary — platforms must reconcile these obligations by retaining AML records for the statutory period while deleting data not required for AML purposes once the underlying purpose has been met.

For CheckFile's security infrastructure and data handling practices, see our security page. For platform pricing designed for fintech and compliance teams, visit our pricing page.

Automating KYC/AML Compliance for Australian CSF Platforms

Manual KYC onboarding is a bottleneck at scale. For a CSF platform processing dozens or hundreds of investor applications per day, relying on staff to manually examine identity documents and cross-reference them against the DVS is neither efficient nor consistent. Automation reduces the time from application to approved investor while improving audit-trail quality and reducing human error.

CheckFile's API integrates with DVS-compatible verification workflows, enabling CSF platforms to automate document capture, data extraction, and verification against Australian government databases in real time. With support for 3,200+ document types across 32 jurisdictions, the platform handles verification for both domestic Australian investors and international participants — critical for platforms with a cross-border investor base.

Automated compliance tools also improve AUSTRAC reporting quality. Structured, timestamped verification records generated by API-based KYC workflows map directly to the record-keeping fields required under the AML/CTF Act, making it straightforward to produce records in response to AUSTRAC audits or law enforcement requests.

For sector-specific due diligence considerations and a practical checklist, see our due diligence checklist by sector.

Frequently Asked Questions

Does a crowdfunding platform in Australia need an AFSL from ASIC?

Yes. Any platform operating as a CSF intermediary under the Corporations Act 2001 must hold an Australian Financial Services Licence (AFSL) with a specific CSF intermediary authorisation from ASIC. The AFSL application process requires demonstrating competence, compliance frameworks, adequate resources, and a written AML/CTF programme. As of 2026, approximately 20 platforms held CSF intermediary authorisations from ASIC.

What KYC documents must a CSF intermediary collect from Australian investors?

Under AUSTRAC's AML/CTF Rules, CSF intermediaries must collect and verify each investor's full name, date of birth, and residential address. Acceptable verification documents include an Australian passport, state or territory driver's licence, Medicare card (as a secondary document), or birth certificate. Electronic verification via the Australian government's Document Verification Service (DVS) is accepted and is the most efficient method for online onboarding. TFN (Tax File Number) is not required for KYC but may be collected for investment tax reporting obligations.

What is the investment limit for retail investors under the Australian CSF regime?

Retail investors are limited to A$10,000 per CSF offer under Part 6D.3A of the Corporations Act 2001. Additionally, if they have already invested A$10,000 across all CSF offers in the preceding 12 months, they cannot invest more until that period resets. Sophisticated and professional investors (as defined under the Corporations Act) are not subject to these caps. Retail investors also have a 5-business-day cooling-off period during which they can withdraw their application without penalty.

When must a CSF intermediary file a Suspicious Matter Report (SMR) with AUSTRAC?

An SMR must be filed with AUSTRAC when the reporting entity forms a suspicion that a matter is related to money laundering, terrorist financing, or other serious offences — there is no minimum dollar threshold. The report should be filed as soon as practicable after forming the suspicion, and no later than 24 hours after forming a suspicion related to terrorism. Common triggers include funds from unknown sources, investors who provide false identity information, unusual investment patterns inconsistent with stated purpose, or individuals appearing on DFAT sanctions lists.

Does Australia have an equivalent to the EU's beneficial ownership (UBO) register?

As of 2026, Australia does not have a comprehensive public beneficial ownership registry equivalent to the EU's UBO registers. However, ASIC's company register requires disclosure of directors and shareholders for Australian companies. The Australian Government announced plans in 2023 to establish a public register of beneficial owners of companies, trusts, and partnerships, with implementation expected progressively. For KYB purposes, platforms should rely on ASIC company extracts, director ID verification (via the Director Identification Number system introduced in 2021), and self-certified beneficial ownership declarations from issuers.


Regulatory information in this article is based on rules in force as of June 2026. Check AUSTRAC, ASIC, and the OAIC regularly for updates to crowdfunding and AML rules in Australia.
