Neobank and Digital Bank KYC/AML Compliance in Australia 2026: AUSTRAC and AML/CTF Act Guide
Complete guide to KYC and AML/CTF compliance for Australian neobanks and digital banks in 2026: AML/CTF Act 2006 obligations, AUSTRAC reporting, DVS identity verification, Privacy Act requirements, and building a compliant onboarding programme.

Australian neobanks and digital banks operate under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), supervised by AUSTRAC (Australian Transaction Reports and Analysis Centre). Every account-keeping, payment, and lending service is a designated service under section 6 of the AML/CTF Act, meaning every neobank providing these services is a reporting entity with a full suite of AML/CTF programme, customer identification, and reporting obligations. The enforcement record is unambiguous: Crown Resorts was fined AUD $450 million in 2022, Star Entertainment AUD $100 million in 2024, and Binance Australia was deregistered as a Digital Currency Exchange in 2023. The 2024 AML/CTF Amendment Act (Tranche 2) further extended obligations across the ecosystem around neobanks.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
For a broader overview of AML obligations in financial services, see the AML compliance guide for Australian businesses.
The Regulatory Framework for Australian Neobanks
The AML/CTF Act 2006 (Cth) is the primary AML legislation. The AUSTRAC AML/CTF Rules 2007 (as amended) provide detailed compliance requirements. All obliged entities must report to and be supervised by AUSTRAC, which operates as both Australia's financial intelligence unit and its AML/CTF regulator.
| Service | Designation under AML/CTF Act | Key obligation |
|---|---|---|
| Account-keeping (deposits, e-money) | Designated service (s6, item 1) | Full AML/CTF programme, CDD, reporting |
| Lending | Designated service (s6, item 5) | Full AML/CTF programme, CDD, reporting |
| Payment services / remittance | Designated service (s6, items 31-32) | Full AML/CTF programme, CDD, reporting |
| Digital currency exchange | Designated service (s6, item 50A) | Full AML/CTF programme, CDD, reporting |
| Account aggregation / Open Banking data | Not currently a designated service | Covered by CDR / Privacy Act only |
For the full text of the AML/CTF Act and AUSTRAC Rules, see legislation.gov.au.
AUSTRAC Registration: Mandatory Before Providing Designated Services
Every neobank providing a designated service must register with AUSTRAC before commencing those services. Registration is done online through the AUSTRAC Online portal. Failure to register is a strict liability offence under section 76 of the AML/CTF Act. AUSTRAC assigns a reporting entity identification number used in all regulatory filings.
Australian neobanks operating in the current market include Up Bank (operating on Bendigo Bank's BaaS platform), Revolut Australia, and Wise Australia. Xinja ceased operations in 2021 after returning its ADI licence, and 86 400 was acquired by NAB in 2021. ASIC (asic.gov.au) holds the corporate and credit licences for entities operating credit services; APRA supervises Authorised Deposit-taking Institutions (ADIs).
The AML/CTF Amendment Act 2024: Tranche 2 Reforms
The AML/CTF Amendment Act 2024 (Tranche 2) extends AML/CTF obligations to lawyers, accountants, real estate agents, and trust and company service providers from 1 July 2026. While these categories are not neobanks themselves, the Tranche 2 reforms affect the ecosystem around digital financial services: neobanks that partner with accountants for SMSF services, or that facilitate property settlement through conveyancing integrations, must assess whether their partners' new obligations affect joint onboarding workflows.
KYC Requirements: Customer Identification Under the AML/CTF Act
The AML/CTF Act requires every reporting entity to have a Part B (Customer Identification Program) within its AML/CTF programme. Part B sets the rules for customer identification and verification (CDDV) that must be applied before providing a designated service.
The Document Verification Service (DVS)
Australia's Document Verification Service (DVS) is the government-operated system that allows real-time electronic checks of identity documents against issuing agency databases. A passport check through DVS confirms the document against the Department of Home Affairs database; a driver's licence check confirms against the relevant state or territory roads authority database.
DVS checks are the gold standard for Australian eKYC. Under the Trusted Digital Identity Framework (TDIF), accredited identity providers can use DVS as part of a certified identity verification process. AUSTRAC's guidance explicitly recognises DVS checks as satisfying the electronic verification method for individual CDD.
For neobanks, DVS integration means customer-provided documents can be verified in real time at onboarding without requiring physical document inspection.
Acceptable Identity Documents for Individual Customers
Under Part B of the AML/CTF Rules, a reporting entity must collect and verify a combination of identity information sufficient to confirm a customer's full name and either their date of birth or residential address. Common document combinations for individual customers:
| Method | Documents |
|---|---|
| Primary photographic document | Australian passport or current driver's licence; verify via DVS |
| Primary non-photographic + secondary | Birth certificate (DVS) + Medicare card or utility bill |
| Electronic verification | Credit bureau data (e.g., Equifax, Experian) matching full name + DOB + address |
| TDIF-accredited identity provider | Certified identity assertion from myGovID or equivalent accredited provider |
The Tax File Number (TFN) is Australia's equivalent of a national tax identification number. TFNs are not required for AML/CTF identity verification but are required for tax reporting under the Income Tax Assessment Act 1997. Neobanks collecting TFNs must comply with ATO guidance (ato.gov.au) and the Privacy Act's Australian Privacy Principles (APPs) on sensitive financial information.
An ASIC company extract serves as Australia's equivalent of a corporate registry certificate: it is the document used to verify a company's registered name, ACN, and registered address for corporate customer CDD.
Beneficial Ownership and Corporate Customer Verification
For corporate customers, the AML/CTF Rules require identification of the entity itself plus the beneficial owners (individuals who ultimately own or control 25% or more of the entity). The neobank must:
- Verify the company's existence using an ASIC company extract
- Identify directors and senior managers
- Identify and verify each beneficial owner
- Understand the nature and purpose of the business relationship
Where a corporate structure includes trusts or other opaque vehicles, enhanced scrutiny is required.
AUSTRAC Reporting Obligations
Reporting obligations under the AML/CTF Act fall into three categories. Each has distinct triggers and deadlines.
Threshold Transaction Reports (TTRs)
A TTR must be filed when a customer conducts a cash transaction of AUD $10,000 or more. TTRs must be submitted to AUSTRAC within 10 business days of the transaction. For digital-only neobanks, direct cash handling is limited, but transactions through banking partners, ATM cash-out networks, or Australia Post agency arrangements can cross the threshold.
Suspicious Matter Reports (SMRs)
SMRs have no monetary threshold. A reporting entity must file an SMR within 3 business days of forming a suspicion that a customer is not who they claim to be, that a service is being used for money laundering or terrorist financing, or that a transaction is otherwise suspicious. If the matter involves immediate risk of harm, the filing deadline is reduced to 24 hours.
The obligation to consider filing an SMR arises at the point of suspicion, not after investigation is complete. Delaying filing pending further investigation is a common compliance error that AUSTRAC has identified in enforcement actions.
International Funds Transfer Instructions (IFTIs)
Neobanks that send or receive international funds transfers must report every IFTI to AUSTRAC within 10 business days. There is no minimum dollar threshold for IFTIs: every international transfer triggers the reporting obligation.
Privacy Act Requirements for KYC Data
KYC data collected during customer onboarding constitutes personal information under the Privacy Act 1988 (Cth) and must be handled in accordance with the Australian Privacy Principles (APPs).
Key obligations for neobanks include:
- APP 3 (Collection of solicited personal information): Collect only information that is reasonably necessary for AML/CTF compliance
- APP 6 (Use or disclosure): Use KYC data only for compliance purposes; do not use it for marketing without separate consent
- APP 11 (Security of personal information): Implement technical and organisational measures to protect KYC data from misuse or unauthorised access
- Notifiable Data Breaches (NDB) scheme: Report eligible data breaches to the OAIC (oaic.gov.au) and affected individuals within 72 hours of becoming aware
The Privacy Act Reform 2024, implementing recommendations from the Attorney-General's review, strengthened the NDB scheme's timeliness requirements and clarified APP 3's data minimisation principle in the context of automated KYC processing.
Open Banking and CDR Integration
Australia's Consumer Data Right (CDR), implemented through the Open Banking regime from 2020, allows accredited data recipients to access customer transaction data from accredited data holders (the major banks) with customer consent. For neobanks accredited as CDR data recipients, CDR data can be used to pre-fill KYC information (e.g., verifying a customer's name and address against existing bank records). This does not replace the AML/CTF verification obligation but can reduce friction in the onboarding process.
Common Compliance Failures and AUSTRAC Enforcement
AUSTRAC's enforcement actions over 2022-2025 establish clear patterns of compliance failure that neobanks should treat as programme design benchmarks.
| Institution | Failure | Penalty |
|---|---|---|
| Crown Resorts | Systematic AML/CTF programme failures; failure to report suspicious matters | AUD $450 million (2022) |
| Star Entertainment | AML/CTF programme inadequacies; failure to conduct appropriate CDD | AUD $100 million (2024) |
| Binance Australia | Operating as a DCE without adequate AML/CTF controls | Deregistered as DCE (2023) |
The common thread across these cases is not a single transaction failure; it is systemic programme inadequacy at the governance level. AUSTRAC has consistently noted that boards and senior management must take ownership of AML/CTF programme design, not delegate it as a technical compliance matter.
Building a Compliant AML/CTF Programme
A compliant AML/CTF programme under the AML/CTF Act has two mandatory components.
Part A: AML/CTF Risk Assessment and Governance
Part A of the programme must be board-approved and address:
- The ML/TF risks posed by the neobank's customer types, products, delivery channels, and geographic exposure
- The policies, procedures, and controls designed to mitigate those risks
- The governance framework, including the roles of the AML/CTF Compliance Officer and the board
- The approach to independent review of programme effectiveness
AUSTRAC requires risk assessments to be reviewed at least every three years and updated whenever a material change occurs in the business. For a scaling neobank, material changes (new products, new markets, new distribution channels) may require more frequent reassessment.
Part B: Customer Identification Programme
Part B documents the specific CDDV procedures for each customer type and product. It must specify:
- What identity information must be collected
- What documents or data sources are acceptable
- How documents will be verified (DVS check, credit bureau, TDIF provider, or other method)
- What triggers enhanced due diligence
- How records are kept
Technology and Verification Infrastructure
At scale, consistent Part B execution requires automated verification. Manual document review cannot sustain the volume, speed, or consistency that AUSTRAC's programme requirements demand.
CheckFile's banking KYC solutions support verification of Australian passports, state and territory driver's licences, and ASIC company extracts, with integration capability for DVS-consistent document verification workflows. Coverage spans 3,200+ document types across 32 jurisdictions.
Data security for KYC infrastructure must satisfy the Privacy Act APPs and the NDB scheme requirements. CheckFile's security architecture is designed for financial sector data protection standards. For programme scoping and pricing, see CheckFile pricing.
Frequently Asked Questions
Does every Australian neobank need to register with AUSTRAC?
Any entity providing a designated service under section 6 of the AML/CTF Act 2006 must register with AUSTRAC before providing that service. Account-keeping, payment services, lending, and digital currency exchange are all designated services. This means virtually every neobank operating in Australia must be registered. Operating as a reporting entity without AUSTRAC registration is a strict liability offence. Registration is free and done through the AUSTRAC Online portal at austrac.gov.au.
What is the DVS and how does it satisfy AML/CTF identity verification requirements?
The Document Verification Service (DVS) is Australia's government-operated system for real-time electronic verification of identity documents against issuing agency databases. A DVS check on a driver's licence confirms the document details against the relevant state roads authority; a passport check confirms against the Department of Home Affairs database. AUSTRAC's guidance recognises DVS checks as satisfying the electronic verification method for individual customer CDD. Neobanks integrating DVS into their onboarding workflow can complete identity verification in real time without requiring physical document inspection.
What are the SMR filing obligations for Australian neobanks?
Suspicious Matter Reports must be filed with AUSTRAC within 3 business days of forming a suspicion relating to a customer's identity, a designated service being used for ML/TF, or any other suspicious matter. If the suspicion involves an immediate risk of harm, the deadline is 24 hours. There is no minimum dollar threshold: the trigger is suspicion, not transaction value. Delaying filing while awaiting the outcome of an internal investigation does not satisfy the obligation.
How does the AML/CTF Amendment Act 2024 (Tranche 2) affect neobanks?
Tranche 2 extends AML/CTF obligations to lawyers, accountants, real estate agents, and trust and company service providers from 1 July 2026. Neobanks are not directly extended; they were already subject to the Act. However, neobanks that operate through or alongside Tranche 2 obliged entities (e.g., providing payment infrastructure to law firms, or integrating with conveyancers for property settlement) should review whether their partner relationships create new compliance touchpoints.
What records must an Australian neobank keep for AML/CTF purposes?
The AML/CTF Act requires reporting entities to keep records of customer identification, verification, and transaction data for at least 7 years from the date the record was created or the business relationship ended. Records must be kept in a form that allows them to be provided to AUSTRAC within 3 business days of a written request. In practice, neobanks should design their data architecture so that CDD records, transaction records, and SMR/TTR/IFTI submissions are retained in a structured, searchable format for the full retention period.