KYC for Online Marketplace Sellers in Australia 2026

Regulatory disclaimer: This article is for informational purposes only and does not constitute legal advice. Marketplace compliance requirements involve multiple overlapping regulatory regimes; consult qualified legal counsel or a compliance specialist before making operational decisions.

Australian online marketplace operators face a convergence of regulatory demands in 2026 that would have seemed unimaginable only a few years ago. The ATO's Sharing Economy Reporting Regime (SERR), operational since January 2023, now requires electronic distribution platforms (EDPs) to report all seller transaction data to the Australian Taxation Office every year. Simultaneously, marketplaces that facilitate payments as a designated service must register with AUSTRAC under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and any platform collecting seller personal information is subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs).

This guide is written for compliance teams, legal counsel, and operators running online marketplaces — from gig economy platforms to peer-to-peer goods marketplaces — who need to understand exactly what they must collect from sellers, when to report it, and how to avoid penalties that can reach into the tens of millions of dollars.

ATO Sharing Economy Reporting Regime: Australia's Platform Reporting Rules

The Sharing Economy Reporting Regime was introduced by the Treasury Laws Amendment (2021 Measures No. 6) Act 2022 and is Australia's domestic answer to the kind of platform data-sharing frameworks seen internationally. Where the European Union deployed DAC7 to capture platform seller data flowing through its member states, Australia's SERR gives the ATO (Australian Taxation Office) a mechanism to match platform-reported income against individual and business tax returns.

Key Dates

The regime was phased in across two tranches:

• 1 January 2023: SERR obligations began for ride-sharing platforms (Uber, DiDi, Ola) and short-term accommodation platforms (Airbnb, Stayz). First annual report due 31 January 2023 covering activity from 1 July 2022 to 31 December 2022.
• 1 July 2023: SERR extended to all electronic distribution platforms facilitating services or the sale of goods in Australia. Annual reports due 31 July each year, covering the preceding financial year (1 July to 30 June).

What Is an Electronic Distribution Platform?

An EDP is defined broadly: any website, internet portal, gateway, store, or online application through which sellers offer services or goods to buyers and through which payments are facilitated. This captures:

• Peer-to-peer marketplaces for goods (eBay Australia, Facebook Marketplace operators, Gumtree-style platforms)
• Freelance and gig platforms (Airtasker, Freelancer.com)
• Short-term rental and accommodation platforms
• Ride-sharing and transport services
• Food delivery platforms facilitating individual couriers
• Any hybrid platform where the operator stands between seller and buyer for payment purposes

Platforms that merely advertise goods or services without facilitating transactions — such as pure classifieds where payment occurs off-platform — are not EDPs for SERR purposes. However, any involvement in payment processing, escrow, or settlement brings a platform squarely within scope.

What Must Be Reported?

Each annual SERR report lodged with the ATO must include the following data for every seller who received a payment through the platform:

• Full legal name (individual or entity)
• Date of birth (for individuals)
• Australian Business Number (ABN) or Tax File Number (TFN)
• Address (Australian or overseas)
• Bank account details (BSB and account number) used for disbursement
• Total gross payments made to the seller during the reporting period
• Number of transactions

Unlike the EU's DAC7, which only requires reporting above certain seller thresholds (for example, 30 transactions or €2,000 in proceeds), Australia's SERR has no de minimis threshold. Every seller who receives any payment through an EDP must be reported to the ATO, regardless of the amount. A seller who earns AUD 10 in a year on your platform must appear in your annual report just as a seller who earns AUD 500,000 must.

Who Must Report and What Transactions: SERR vs DAC7

The table below compares Australia's SERR with the EU's DAC7 regime — a useful reference for multinational platforms operating in both jurisdictions.

For multinational platform operators, SERR and DAC7 obligations can be cumulative. A platform serving both Australian and EU sellers must comply with both regimes independently. See our article on global KYC requirements for 2026 for a broader overview.

Seller Documentation: What to Collect from Australian Sellers

Collecting the right documentation is foundational to SERR compliance, AUSTRAC obligations, and good KYC hygiene. The documentation requirements differ between individual sellers and business sellers.

Individual Sellers

Important — TFN handling: The Tax File Number is treated as sensitive information under the Privacy (Tax File Number) Rule 2015. Platforms may collect a seller's TFN for the purpose of ATO reporting under SERR, but must store it securely, not disclose it except as permitted, and not use it for any purpose other than that for which it was collected.

Business Sellers

ABN Verification: A Critical Step

For business sellers, ABN verification is not optional — it is a compliance requirement with direct financial consequences. Under the Pay As You Go (PAYG) withholding rules, if a seller does not quote a valid ABN, the platform is obligated to withhold tax at the top marginal rate of 47% from all payments made to that seller. This is not a penalty imposed on the seller; it is a withholding obligation imposed on the platform.

ABN verification must be performed in real time using the ABN Lookup service maintained by the Australian Business Register. The lookup confirms:

• Whether the ABN is valid and currently active
• The legal entity name registered to the ABN
• The GST registration status
• The main business activity

Platforms should automate ABN verification at onboarding and periodically re-verify, as ABNs can be cancelled or suspended.

CheckFile's document verification platform supports ABN verification alongside identity document checks, enabling a single automated workflow for seller onboarding.

AUSTRAC and the AML/CTF Act: When Marketplaces Are Designated Service Providers

While SERR is primarily a tax reporting regime, AUSTRAC regulation under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) creates additional and more demanding obligations for marketplaces that provide certain financial services.

What Makes a Marketplace a Designated Service Provider?

Section 6 of the AML/CTF Act sets out a table of "designated services" that trigger registration and compliance obligations. For marketplace operators, the critical question is whether the platform provides any of the following:

• Stored value facilities: Operating digital wallets, prepaid accounts, or any mechanism that holds funds on behalf of sellers pending disbursement
• Electronic funds transfer services: Facilitating payments between buyers and sellers where the platform processes or clears funds
• Issuing and redeeming payment instruments: Operating gift cards, loyalty currency convertible to cash, or similar instruments

Many modern marketplaces — particularly those with embedded wallets, instant payout features, or "marketplace banking" functionality — will fall within one or more of these categories. Pure pass-through platforms that use third-party payment processors (Stripe, PayPal, Braintree) without holding funds themselves are less likely to be designated service providers, but the line is not always clear and legal advice is essential.

AUSTRAC Registration

If your marketplace provides a designated service, you must register with AUSTRAC before providing that service. Registration is done through the AUSTRAC Online portal at austrac.gov.au. Operating a designated service without being registered is a strict liability offence.

AML/CTF Program Requirements

Registered reporting entities must implement a written AML/CTF Program comprising two parts:

Part A — Identification and management of ML/TF risks: A risk assessment of the business, including customer types, products, services, and geographies. For a marketplace, this includes assessing the risk that sellers may be using the platform to launder proceeds of crime.

Part B — Customer identification program (CIP): Under sections 51–67 of the AML/CTF Act, reporting entities must verify the identity of customers (in the marketplace context, sellers) before providing a designated service. For individuals, this requires verifying name, date of birth, and residential address. For companies, it requires verifying the entity name, ACN, and the identity of beneficial owners.

The AML/CTF Act also requires ongoing transaction monitoring, suspicious matter reporting (SMRs) to AUSTRAC, threshold transaction reports (TTRs) for cash transactions of AUD 10,000 or more, and seven-year record keeping.

Document Verification Service (DVS)

Australia's Document Verification Service (DVS) is a government-run database check that allows businesses to verify Australian identity documents (passports, driver's licences, Medicare cards) against source records held by issuing agencies. DVS is the gold standard for online identity verification in Australia and is widely accepted by AUSTRAC as meeting CIP requirements for remote onboarding.

CheckFile's KYC verification solutions integrate with the DVS for Australian document checks, ensuring that seller identity verification meets AUSTRAC standards without adding friction to the onboarding experience.

Privacy Act 1988 and the Australian Privacy Principles

Every marketplace collecting personal information from sellers must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Oversight of the Act is vested in the Office of the Australian Information Commissioner (OAIC).

Who Is Covered?

The Privacy Act applies to:

• All Australian Government agencies
• Private sector organisations and not-for-profit organisations with an annual turnover of more than AUD 3 million
• Any organisation (regardless of turnover) that trades in personal information, holds health information, or is a contractor to the Australian Government

Most marketplace operators with meaningful transaction volumes will exceed the AUD 3 million threshold and must comply fully with the APPs.

Key Australian Privacy Principles for Marketplaces

APP 3 — Collection of solicited personal information: Platforms must only collect personal information that is reasonably necessary for one or more of their functions or activities. In the context of KYC, this means collecting the minimum documentation sufficient to meet SERR, AUSTRAC, and PAYG obligations. Collecting excessive data without a legitimate purpose breaches APP 3.

APP 5 — Notification: When collecting personal information, platforms must take reasonable steps to notify individuals about the collection, including why it is being collected, who it may be disclosed to (including the ATO under SERR), and any overseas disclosure.

APP 6 — Use and disclosure: Personal information collected for KYC and SERR reporting must only be used or disclosed for those purposes, or for directly related secondary purposes the seller would reasonably expect.

APP 8 — Cross-border disclosure: If a marketplace uses an overseas verification provider or stores data on overseas servers, it is responsible for ensuring the recipient protects the information in accordance with APP standards. Standard contractual clauses or processor agreements are required.

APP 11 — Security: Platforms must take reasonable steps to protect seller personal information from misuse, interference, loss, and unauthorised access. Given that marketplaces collect identity documents, TFNs, and bank account details, this means robust encryption, access controls, and retention and deletion policies.

For a broader comparison of privacy regimes across jurisdictions — including how the APPs compare to the EU's GDPR, California's CCPA, and Brazil's LGPD — see our article on data privacy compliance.

Privacy Impact Assessments

While not mandated by the Privacy Act for private sector entities in all circumstances, conducting a Privacy Impact Assessment (PIA) before deploying a new seller onboarding system is strongly encouraged by the OAIC and is best practice under the Privacy Act's accountability principle (APP 1).

Penalties for Non-Compliance

Australian marketplace compliance failures can attract severe financial consequences across three separate regulatory regimes.

ATO SERR Penalties

Failure to lodge a SERR report by the due date (31 July each year), lodging an incorrect or incomplete report, or failing to maintain required records can attract:

• Administrative penalties: Up to AUD 25,000 per reporting year for failure to report
• Failure to withhold PAYG tax (47% rate) where no ABN is provided results in the platform becoming liable for the tax that should have been withheld
• Voluntary disclosure before ATO detection generally results in significantly reduced penalties

AUSTRAC Penalties

Non-compliance with AML/CTF Act obligations — including failure to register, failure to implement an AML/CTF program, and failure to report suspicious matters — can attract:

• Civil penalty orders: Up to AUD 315,000 per contravention for corporate entities (2023 penalty unit amounts)
• Criminal penalties: Intentional or reckless contraventions can attract criminal prosecution
• AUSTRAC has demonstrated willingness to pursue large penalties: the Westpac AML/CTF case resulted in a AUD 1.3 billion settlement in 2020, and Commonwealth Bank was fined AUD 700 million in 2018, signalling that no entity is too large to be pursued

Privacy Act 1988 Penalties

Following the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act 2022, maximum penalties for serious or repeated interference with privacy increased dramatically:

• For companies: the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period
• For individuals: AUD 2.5 million

The OAIC has also gained enhanced investigative and enforcement powers, including the ability to conduct own-motion investigations and seek orders from the Federal Court.

These penalty levels make privacy compliance a board-level issue for any marketplace operating in Australia.

Automating Marketplace KYC in Australia

The volume, complexity, and cost of manual KYC processes make automation essential for any marketplace operating at scale. A seller onboarding workflow for an Australian marketplace must:

1. Verify individual identity via the DVS or manual document review (passport, driver's licence)
2. Collect and verify ABN via the ABN Lookup API for business sellers
3. Collect TFN in accordance with the Privacy (Tax File Number) Rule 2015 restrictions
4. Verify bank account details (BSB and account number) for SERR reporting and PAYG withholding compliance
5. Screen against sanctions and PEP lists if the marketplace has AUSTRAC obligations
6. Store collected data in compliance with APP 11 security requirements and seven-year AML/CTF record-keeping obligations
7. Generate annual SERR reports in the format required by the ATO

CheckFile's document verification platform supports the full Australian identity document set — including passports, state and territory driver's licences, Medicare cards, and ASIC company extracts — and can be integrated into seller onboarding flows via API or no-code workflow tools. Visit our solutions page to see how the platform handles Australian KYC workflows, or review our pricing to understand the cost model.

The economics of automation are compelling. Manual document review typically costs AUD 15–40 per seller check and introduces inconsistency and delay. Automated verification via CheckFile reduces per-check cost while improving accuracy and audit trail quality, both of which are essential when AUSTRAC or the ATO conducts a compliance review.

For a comprehensive walkthrough of building a document compliance programme, see our document compliance guide.

Frequently Asked Questions

Does the ATO SERR apply to my marketplace if my platform is based overseas but has Australian sellers?

Yes. SERR applies to any electronic distribution platform that facilitates transactions involving services provided in Australia or assets located in Australia, regardless of where the platform operator is incorporated or based. If Australian buyers are transacting with sellers through your platform, SERR obligations apply. Overseas platforms must appoint an Australian contact and lodge reports with the ATO. The ATO actively pursues overseas platforms that ignore their obligations through exchange-of-information arrangements with foreign tax authorities.

What happens if a seller refuses to provide their ABN or TFN?

If a business seller does not provide a valid ABN, the platform must withhold 47% of any payments made to that seller under the PAYG withholding rules and remit that amount to the ATO. If an individual seller does not provide a TFN, platforms must still include that seller in SERR reports using the available identifying information. Withholding obligations apply differently to TFN non-provision than to ABN non-provision — consult the ATO's guidance for your specific situation.

Are peer-to-peer goods marketplaces (like classified listing platforms) within SERR scope?

Whether a classifieds or peer-to-peer marketplace is an EDP depends on whether it facilitates payments. A platform that simply lists goods and redirects buyers and sellers to arrange payment independently (cash on pickup, direct bank transfer) is not facilitating payments and is likely outside SERR scope. However, if the platform processes, holds, or clears payments at any point — including through an integrated payment gateway — it is likely an EDP. Given the AUD 25,000 penalty exposure, platforms in a grey area should seek a private ruling from the ATO.

How does AUSTRAC enforcement differ from ATO SERR enforcement?

The ATO's SERR regime is primarily a tax compliance and data-collection mechanism — penalties are administrative and calibrated to the reporting failure. AUSTRAC enforcement is based on Australia's financial crime framework and is considerably more serious: AUSTRAC has the power to conduct regulatory audits, issue remedial directions, seek court-ordered civil penalties, and refer matters to the AFP (Australian Federal Police) for criminal investigation. A marketplace with both ATO and AUSTRAC obligations must treat them as separate compliance streams with separate governance.

Does the Privacy Act 1988 restrict how long we can keep seller identity documents?

Yes. APP 11.2 requires organisations to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed. This obligation must be balanced against the AML/CTF Act's seven-year record-keeping requirement and the ATO's five-year record-keeping requirement under SERR. In practice, this means setting a retention period of seven years for KYC and transaction records (satisfying all three regimes) and establishing automated deletion processes after that period unless a dispute or investigation requires longer retention.

---

This article is for informational purposes only and does not constitute legal advice.