Perpetual KYC: Continuous Customer Monitoring for Australian Institutions 2026
Perpetual KYC for Australian financial institutions: AUSTRAC AML/CTF Act requirements, ASIC expectations, ongoing customer due diligence, and Privacy Act 1988 compliance for pKYC programs.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokPerpetual KYC (pKYC) is the practice of continuously monitoring customer risk profiles throughout the life of a business relationship, rather than relying solely on periodic scheduled reviews. For Australian reporting entities, this approach aligns directly with the obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and AUSTRAC's compliance guidance, which require ongoing customer due diligence as a central element of any AML/CTF program.
This article is provided for informational purposes and does not constitute legal or regulatory advice. Regulatory references reflect the position as of May 24, 2026. Consult qualified legal counsel for advice specific to your organisation.
Australian Regulatory Framework: AML/CTF Act and AUSTRAC
The AML/CTF Act places ongoing customer due diligence obligations on all reporting entities โ financial institutions, remittance dealers, digital currency exchange providers, and other designated services. Part 2 of the AML/CTF Act requires reporting entities to have an AML/CTF program that includes a Part B Customer Due Diligence (CDD) program addressing ongoing due diligence.
AUSTRAC's guidance on ongoing customer due diligence is explicit: reporting entities must monitor their customers' transactions and, where appropriate, update CDD information throughout the relationship. This is not satisfied by periodic reviews alone โ the program must respond to material changes as they occur.
The AML/CTF Amendment Act 2024, which significantly expanded the scope of the AML/CTF regime to include tranche 2 entities (lawyers, accountants, real estate agents), has reinforced the importance of continuous monitoring. Tranche 2 entities are now subject to AUSTRAC oversight for the first time, making pKYC implementation an urgent priority for these newly regulated sectors.
Key Australian AML/CTF Regulatory Bodies
| Authority | Role | Key Instruments |
|---|---|---|
| AUSTRAC | AML/CTF regulator + financial intelligence unit | AML/CTF Act 2006 + AML/CTF Rules |
| ASIC | Financial services conduct regulator | Corporations Act + market integrity |
| APRA | Prudential regulator for banks, insurers, super | CPS 234, AML expectations |
| OAIC | Privacy Act 1988 + APPs | Australian Privacy Principles |
| ATO | Tax compliance | TFN, ABN verification |
AUSTRAC's Threshold Transaction Reports and Suspicious Matter Reports
AUSTRAC requires two primary types of regulatory reports relevant to pKYC:
- Threshold Transaction Reports (TTRs): Filed for cash transactions of A$10,000 or more, or foreign currency conversion of A$10,000 or more. Continuous monitoring helps identify structuring (breaking transactions below A$10,000 to avoid TTR obligations).
- Suspicious Matter Reports (SMRs): Filed when a reporting entity suspects on reasonable grounds that a customer or a transaction is connected to money laundering, terrorism financing, or other serious offences. The SMR must be filed with AUSTRAC within three business days of forming the suspicion (or 24 hours for terrorism financing matters).
For broader context on KYC and AML compliance, see our KYC complete guide for businesses and our AML red flags and suspicious activity indicators guide.
Why Periodic Reviews Are Insufficient Under the AML/CTF Act
AUSTRAC's enforcement actions consistently identify inadequate ongoing monitoring as a primary compliance deficiency. The 2023 enforcement action against a major Australian bank, which resulted in a record A$1.3 billion penalty, included failures in ongoing transaction monitoring and CDD updating.
According to the ACFE 2024 Report to the Nations, manual periodic controls detect only 37% of fraud cases, with a median detection delay of 87 days. In the Australian context โ with a highly internationalised banking system, significant cross-border transaction flows through Asia-Pacific, and growing digital asset activity โ this detection gap creates meaningful legal and reputational risk.
AUSTRAC identifies the following events as mandatory triggers for an off-cycle customer review:
- Suspicious matter detected, whether or not an SMR is filed.
- Customer appears on a new sanctions listing (UN, autonomous Australian sanctions).
- Change in beneficial ownership or corporate structure detected.
- Transaction pattern significantly deviates from the established customer profile.
- Adverse media indicating criminal exposure relevant to AML/CTF risk.
Periodic vs. Perpetual KYC: Australian Regulatory Implications
| Dimension | Periodic KYC | Perpetual KYC (pKYC) |
|---|---|---|
| AUSTRAC examination readiness | Point-in-time evidence | Continuous audit trail |
| SMR trigger detection | Delayed by review gap | Near-real-time |
| Tranche 2 compliance (2024 reforms) | Inadequate for newly regulated entities | Aligned with AUSTRAC expectations |
| Sanctions screening | Periodic batch | Continuous |
| APRA prudential expectations | Minimum standard | Best practice demonstrated |
The Four Pillars of pKYC in the Australian Context
1. Event-Driven Trigger Management
Australian pKYC implementations should define trigger events aligned with AUSTRAC's ongoing CDD guidance. Priority triggers include: DFAT (Department of Foreign Affairs and Trade) consolidated sanctions list match (immediate action); SMR-related suspicious matter detected (mandatory review); and beneficial ownership change in ASIC corporate registry (risk-based review within defined SLA).
2. Continuous Sanctions and PEP Screening
Australia maintains autonomous sanctions regimes under the Autonomous Sanctions Act 2011, targeting countries and individuals beyond UN Security Council sanctions. DFAT updates its consolidated sanctions list regularly. Continuous screening against this list, plus UN sanctions and OFAC lists for cross-border relationships, is essential.
AUSTRAC's guidance identifies Politically Exposed Persons (PEPs) as requiring enhanced ongoing due diligence. This includes domestic PEPs (Australian politicians, senior public officials) and foreign PEPs, and extends to family members and close associates.
3. Transaction Monitoring for Structuring and Unusual Patterns
AUSTRAC places particular emphasis on detecting structuring โ the practice of breaking transactions into amounts below the A$10,000 TTR threshold. Continuous transaction monitoring, integrated with the customer risk profile, is the most effective way to detect structuring and other typologies identified in AUSTRAC's money laundering typology reports.
CheckFile's platform covers over 3,200 document types across 32 jurisdictions, enabling continuous verification for Australian institutions managing cross-border client relationships. For technical integration details, see our document validation API guide.
4. Privacy Act 1988 and Australian Privacy Principles Compliance
Processing customer personal data for AML/CTF purposes is permitted under the Privacy Act 1988 โ Schedule 3, Australian Privacy Principle (APP) 6.2(b) allows use or disclosure of personal information where required or authorised by law. However, the 14 APPs still apply to how the data is collected, stored, secured, and retained.
Key Privacy Act obligations for pKYC:
- APP 1: Have a clearly expressed privacy policy covering pKYC data flows.
- APP 11: Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access โ particularly critical for continuous monitoring systems processing sensitive financial data.
- APP 11.2: Destroy or de-identify personal information that is no longer needed for the purpose for which it was collected โ subject to the AML/CTF Act's seven-year retention requirement taking precedence.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotMinimum Review Frequencies Under Australian AML/CTF Expectations
| Risk Profile | Maximum Document Review | Sanctions Screening | PEP Review |
|---|---|---|---|
| Standard risk | 3 years | Continuous | Semi-annual |
| High risk | 12 months | Continuous (immediate alerts) | Semi-annual |
| PEP (domestic and foreign) | 6 months | Continuous | Continuous |
| Simplified (where applicable) | 5 years | Monthly minimum | N/A |
Implementation Roadmap for Australian Reporting Entities
Step 1: Assess AML/CTF Program Part B Adequacy
Review your current Part B CDD program documentation against AUSTRAC's ongoing CDD guidance. Identify whether your current process relies primarily on periodic reviews, and map the gap to an event-driven pKYC model.
Step 2: Connect to Australian Data Sources
Integrate with: DFAT consolidated sanctions list, ASIC company register, ABN Lookup, VEVO (Visa Entitlement Verification Online) for immigration status, adverse media sources, and internal transaction monitoring outputs.
Step 3: Tranche 2 Readiness
If your organisation is a newly regulated tranche 2 entity (law firm, accounting firm, real estate agent), your AML/CTF program โ including the pKYC component โ must be fully operational and documented. AUSTRAC has signalled that it will actively supervise tranche 2 compliance from the first full year of operation.
Frequently Asked Questions
What does AUSTRAC expect from a perpetual KYC program?
AUSTRAC expects: a documented Part B CDD program that addresses ongoing monitoring; audit logs of all alerts and review decisions; evidence that CDD information is updated when material changes are detected; and training records. During compliance assessments, AUSTRAC will sample customer files to trace the monitoring history from onboarding through ongoing review.
How does pKYC help with Suspicious Matter Report (SMR) obligations?
A pKYC system continuously monitors for events that might constitute grounds for filing an SMR. When the system detects a trigger โ an anomalous transaction, a sanctions match, adverse media โ it queues the matter for human review. The SMR must be filed within three business days of forming the suspicion (24 hours for terrorism financing). A systematic pKYC process creates an audit trail demonstrating that the institution's suspicion-forming process was timely and reasoned.
What AUSTRAC penalties apply for inadequate ongoing monitoring?
AUSTRAC can issue infringement notices, accept enforceable undertakings, or pursue civil penalty orders in the Federal Court. Civil penalties under the AML/CTF Act can reach A$222 million for serious and systemic contraventions by bodies corporate. The 2023 enforcement action against Westpac (A$1.3 billion) and the 2021 CBA action (A$700 million) demonstrate AUSTRAC's willingness to pursue very large penalties for systematic AML/CTF failures.
Do tranche 2 entities (lawyers, accountants, real estate agents) need pKYC?
Yes. Since the AML/CTF Amendment Act 2024 expanded the regime to tranche 2 entities, these organisations must have an AML/CTF program including ongoing CDD obligations. The scale and sophistication of the program should be risk-proportionate โ a small accounting firm will have simpler requirements than a large law firm handling complex international transactions. AUSTRAC guidance for tranche 2 entities is available at austrac.gov.au.
For a complete compliance framework, see our document compliance guide. Visit CheckFile, explore our security architecture, or review our pricing plans to find the right solution for your organisation.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.