KYC: The Complete Guide for Australian Businesses

What is KYC? Definition, legal obligations, process steps and best practices for Australian businesses.

CheckFile Team

KYC — Know Your Customer — is a mandatory regulatory process requiring businesses to verify the identity of their clients before establishing a business relationship and on an ongoing basis thereafter. In Australia, KYC obligations are set by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), enforced by AUSTRAC (Australian Transaction Reports and Analysis Centre).

For further reading, see How to Prepare for Regulatory Audits.

Non-compliance is catastrophically costly. Westpac was penalised AUD 1.3 billion in 2020 for over 23 million AML/CTF contraventions, while Commonwealth Bank paid AUD 700 million in 2018 for systematic failures in transaction monitoring and customer due diligence. Understanding KYC is not optional for reporting entities — it is the foundation of lawful operation.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.

What Is KYC?

KYC (Know Your Customer) requires businesses to verify the identity of their clients before establishing a business relationship, as mandated by the AML/CTF Act 2006 in Australia. Failure to comply results in severe penalties: AUSTRAC civil penalties can reach AUD 28.2 million per contravention for body corporates.

KYC is the process by which businesses identify and verify the identity of their customers, understand the nature of their business relationships, and assess the associated money laundering and terrorist financing risks. AUSTRAC defines the applicable customer due diligence (CDD) measures in the AML/CTF Rules.

As of March 2026, the AML/CTF Act 2006 remains the primary legislative framework governing KYC in Australia, supplemented by the Proceeds of Crime Act 2002 (Cth) and the Counter-Terrorism Financing Act 2006. AUSTRAC takes a risk-based approach, meaning reporting entities must calibrate the intensity of their KYC measures to the level of money laundering risk each customer presents.

KYC encompasses three core elements:

  • Customer identification: collecting personal data (name, date of birth, address, nationality)
  • Identity verification: confirming that individuals are who they claim to be using reliable, independent documentation
  • Risk assessment: classifying customers by risk profile and applying proportionate due diligence measures

Which Businesses Must Comply with KYC in Australia?

KYC obligations apply to all "reporting entities" providing "designated services" under the AML/CTF Act. The scope extends well beyond traditional banks.

Sector | Examples of Reporting Entities
Banking and credit | Banks, building societies, credit unions (ADIs)
Financial services | Investment firms, financial advisers, superannuation funds
Insurance | Life insurance companies and intermediaries
Remittance | Money transfer operators, international funds transfer providers
Digital currency | Digital currency exchange (DCE) providers registered with AUSTRAC
Gambling | Casino operators, online wagering providers, TABs
Bullion | Dealers in precious metals and stones
Tranche 2 (incoming) | Lawyers, accountants, real estate agents, TCSPs

There are thousands of reporting entities in Australia subject to AML/CTF obligations. Since 2018, AUSTRAC has been the AML/CTF supervisor for DCE providers under the AML/CTF Act.

On the CheckFile platform, over 840,000 KYC dossiers have been processed for banking clients, revealing an identity fraud rate of 5.1% — meaning roughly 1 in 20 onboarding applications contains fraudulent or manipulated identity documents (CheckFile platform data, March 2026). Automated verification reduces average banking KYC onboarding from days to 3.8 minutes while maintaining a 94.8% fraud detection recall rate.

The Four Steps of KYC Due Diligence

Step 1: Customer Identification Programme

Before establishing any business relationship, reporting entities must collect identifying information. For individuals, this means full name, date of birth, residential address, and — where applicable — Tax File Number (TFN). For corporate entities, this extends to ACN/ABN, registered address, nature of business, and the identity of directors and beneficial owners.

Reporting entities must verify the identity of any beneficial owner holding more than 25% of shares or voting rights, as required under the AML/CTF Rules.

Step 2: Customer Due Diligence (CDD)

Standard CDD requires verifying identity using reliable, independent source documents or data. The Australian 100 point identity check system provides a framework for assessing the strength of identity evidence. Acceptable primary documents include an Australian passport, state or territory driver licence, or Australian citizenship certificate. Secondary documents include a Medicare card, Centrelink card, or utility bill dated within three months. Digital verification using electronic identity checks — including the Document Verification Service (DVS) — is fully acceptable under AUSTRAC's guidance.

Step 3: Enhanced Customer Due Diligence (ECDD)

ECDD is mandatory for higher-risk customers and relationships. The AML/CTF Act mandates ECDD in specific circumstances, including:

  • Customers identified as Politically Exposed Persons (PEPs) or their family members and known close associates
  • Business relationships or transactions involving high-risk third countries (as identified by FATF)
  • Correspondent banking relationships
  • Transactions with no apparent economic or legal purpose

ECDD for PEPs requires establishing the source of wealth and source of funds, in addition to standard identity verification.

Step 4: Ongoing Monitoring

KYC is not a one-time event. The AML/CTF Act requires reporting entities to keep customer information up to date and monitor business relationships on an ongoing basis. High-risk customers typically warrant annual reviews; standard-risk customers may be reviewed less frequently based on the entity's risk assessment. Any unusual transaction or change in customer circumstances triggers an immediate reassessment.

Risk Level | Review Frequency | Due Diligence Standard
Low risk | Every 5 years | Simplified CDD permissible
Standard risk | Every 3 years | Standard CDD required
High risk / PEP | Annually | Enhanced CDD mandatory

Suspicious Matter Reporting (SMR)

Any reporting entity that forms a suspicion on reasonable grounds that a transaction or customer may be related to money laundering, terrorism financing, or other serious offences must submit a Suspicious Matter Report (SMR) to AUSTRAC. AUSTRAC received over 350,000 SMRs in the year ending June 2024. Failure to report is a serious offence under the AML/CTF Act, carrying criminal penalties.

Tipping off a suspect that an SMR has been filed is also a criminal offence under the AML/CTF Act.

KYC Documents: What to Collect and Accept

The Australian 100 point identity check system provides a structured framework for assessing identity evidence.

For individuals, standard acceptable documents include:

  • Primary documents (70 points each): Australian passport, Australian citizenship certificate, Australian birth certificate
  • Secondary documents (40 points each): Australian driver licence, Medicare card
  • Tertiary documents (25 points each): Utility bill, bank statement, ATO correspondence

For businesses, standard requirements include an ASIC company extract, constitution (or confirmation of replaceable rules), and identification of beneficial owners. Our KYB guide for business document verification covers the additional checks required when onboarding corporate clients.

Consequences of Non-Compliance

AUSTRAC's enforcement record demonstrates that KYC failures attract severe sanctions:

  • Civil penalties: Up to AUD 28.2 million per contravention for body corporates
  • Criminal prosecution: For serious offences under the AML/CTF Act
  • Enforceable undertakings: Binding remediation requirements
  • Remedial directions: Mandatory corrective action
  • Reputational damage: AUSTRAC enforcement actions are publicly reported

Our guide to KYC requirements for 2026 provides a detailed breakdown of the regulatory changes businesses need to prepare for.

Automating KYC: eKYC in Practice

Manual KYC processes are slow, expensive, and error-prone. Industry data indicates that manual KYC onboarding can take 30 to 90 days for complex corporate clients, with document collection accounting for 60% of that time. Aggregated data from our enterprise clients shows that automated KYC reduces average onboarding to 3.8 minutes for banking customers — a 4.5x speedup compared to semi-automated workflows — while maintaining a fraud detection recall of 94.8%. Electronic KYC (eKYC) platforms cut these timelines dramatically.

CheckFile's automated document verification solution processes over 200 document types across 195 countries in under 10 seconds, with tamper detection and liveness checks built in. Explore our pricing plans designed for businesses of all sizes.

KYC and AML: Understanding the Relationship

KYC and AML are often used interchangeably, but they are distinct. KYC is the customer identification and verification layer — a component of a broader AML programme. AML encompasses the full suite of controls required to detect, prevent, and report money laundering: transaction monitoring, SMR filing, staff training, risk assessments, and governance frameworks. Our AML compliance guide explains how KYC fits within a complete AML programme.

For a comprehensive overview, see our document compliance complete guide.

Frequently Asked Questions

What is KYC in banking?

KYC in banking is the mandatory process by which banks and other financial institutions verify the identity of their customers before opening accounts or providing services. Under the AML/CTF Act, Australian banks must collect proof of identity (meeting the 100 point check), verify its authenticity, assess money laundering risk, and monitor the relationship on an ongoing basis. Failure to comply can result in civil penalties of up to AUD 28.2 million per contravention.

What documents are required for KYC in Australia?

For individuals, standard KYC documents follow the 100 point identity check system: a primary document such as an Australian passport or citizenship certificate (70 points), supplemented by secondary documents such as a driver licence (40 points) and a utility bill or bank statement (25 points). For businesses, you need an ASIC company extract, details of directors, and identification of beneficial owners holding more than 25% of the entity.

What is KYC in crypto?

KYC in crypto means the same thing as in traditional finance: digital currency exchange providers must verify the identity of their users before allowing them to trade or hold assets. Since 2018, AUSTRAC-registered DCE providers in Australia are subject to the full AML/CTF Act requirements, including CDD, ECDD for high-risk users, and ongoing transaction monitoring.

What is the difference between KYC and AML?

KYC (Know Your Customer) is the identity verification and risk assessment process applied at customer onboarding and throughout the relationship. AML (Anti-Money Laundering) is the broader framework of controls — of which KYC is one element — designed to prevent, detect, and report money laundering and terrorist financing. Every reporting entity needs both: KYC to know who its customers are, and AML controls to monitor what those customers do.

How long does KYC take?

For individuals with standard documentation, digital KYC can be completed in under two minutes. For corporate clients requiring beneficial ownership verification and enhanced due diligence, the process typically takes between three and fifteen business days depending on the complexity of the corporate structure and the jurisdictions involved.
