In 2026, Australia's anti-money laundering (AML) and know-your-customer (KYC) framework is more robust and far-reaching than ever. Significant legislative reforms, enhanced regulatory expectations, and evolving financial crime risks mean that any business operating in the financial services, digital assets, or high-risk sectors must have a solid understanding of AML and KYC obligations. This guide provides a deep dive into Australia's AML/KYC regime — what is required, how to comply, and why getting it right is essential for any regulated entity operating in the Australian market.
Know Your Customer (KYC) is the process by which a business verifies the identity of its clients. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and associated AUSTRAC rules, entities must collect and verify certain information before establishing a customer relationship. This helps prevent money laundering (ML) and terrorism financing (TF) by ensuring that customers are who they claim to be — and that the business understands the nature and purpose of the relationship it is entering.
According to the AML/CTF Rules (2025), regulated entities in Australia must collect Core KYC Information, which typically includes full legal name, date of birth, residential or business address, and details of government-issued identity documents. These details must be verified against reliable and independent sources such as passports, driver's licences, or national identity cards. Electronic verification against reliable and independent data sources is also acceptable and increasingly common, and it has the practical advantage of producing an auditable record of exactly what was checked and when.
KYC is closely tied to Customer Due Diligence (CDD). While KYC identifies the customer, CDD assesses the risk they may pose in terms of ML and TF. Based on the customer's profile and transaction behaviour, a business may conduct simplified due diligence, standard CDD, or Enhanced Due Diligence (EDD) for high-risk clients. The level of scrutiny applied must be proportionate to the risk presented — this risk-based approach is the central principle of Australia's AML framework.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the principal AML/CTF regulator. It not only oversees compliance but also acts as Australia's Financial Intelligence Unit (FIU). AUSTRAC receives reports of suspicious transactions, enforces regulatory obligations, and guides businesses on compliance best practices through detailed rules, published guidance, and direct engagement with regulated entities.
Several other Australian agencies are involved in AML enforcement and oversight. The Australian Prudential Regulation Authority (APRA) supervises the financial soundness of banks, insurers and superannuation funds. The Australian Securities and Investments Commission (ASIC) enforces conduct, licensing and consumer protection laws in financial services. The Australian Taxation Office (ATO) investigates tax evasion and related proceeds of crime. The Australian Criminal Intelligence Commission (ACIC) coordinates criminal intelligence, including on ML. The Australian Federal Police (AFP) investigates serious financial crime, and the Commonwealth Director of Public Prosecutions (CDPP) prosecutes ML and TF offences before the courts.
| Regulatory Body | Primary AML/KYC Role |
|---|---|
| AUSTRAC | Lead regulator — AML/CTF oversight, FIU, suspicious matter report recipient |
| APRA | Financial institution stability and prudential soundness oversight |
| ASIC | Conduct, licensing, and consumer protection in financial services |
| ATO | Tax evasion investigation, proceeds of crime |
| AFP | Criminal investigation of serious financial crime (prosecution is by the CDPP) |
| ACIC | Criminal intelligence coordination, ML investigation support |
| CDPP | Prosecution of ML and TF offences |
Figure 1: Key Australian regulatory bodies involved in AML/KYC enforcement and their primary roles
The backbone of Australia's AML requirements is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, but significant updates came with the AML/CTF Amendment Act 2024. Most of its provisions commence on 31 March 2026 for existing reporting entities; the newly regulated "tranche 2" sectors (real estate, lawyers, accountants, trust and company service providers, dealers in precious metals and stones) can enrol from that date and must comply from 1 July 2026. These changes modernise the regime and expand its scope to reflect global best practice and the FATF Mutual Evaluation recommendations that identified gaps in Australia's prior framework.
Figure 2: Four key reforms introduced by the AML/CTF Amendment Act 2024 taking effect March 2026
Alongside the Act, AUSTRAC issues detailed guidance and rules covering KYC and CDD requirements under Part 6 of the AML/CTF Rules, risk-based supervision principles, ongoing customer monitoring obligations, transaction reporting requirements — including suspicious matter reports and threshold transaction reports — and recordkeeping requirements. Regulated entities are expected to follow this guidance actively, not merely satisfy the minimum requirements of the legislation.
Regulated entities must also consider the Privacy Act 1988, which governs the protection of customer data collected for KYC purposes; the Corporations Act 2001, which applies to entities operating as financial service providers; and Commonwealth and state criminal laws that prosecute ML and TF offences. The intersection of these frameworks means that AML/KYC compliance in Australia is not a single-regulator, single-statute obligation — it requires coordination across multiple legal requirements simultaneously.
Under AUSTRAC's guidance, businesses must adopt a risk-based framework. This means assessing customer risk profile based on geography, services, and products; assigning risk categories of low, medium, or high; periodically reviewing risk assessments every three years or when there is a material change; and adjusting due diligence accordingly. The risk-based approach is not a licence to do less — it is a framework for doing the right amount in proportion to the actual risk presented.
Entities must collect and verify identity information for all new customers. For individuals, this means verified identity documents, residential address, beneficial ownership where the customer acts for someone else, and, where the customer's risk rating calls for it, source of funds. For businesses, Know Your Business (KYB) procedures require the legal name and structure, registered office and principal place of business, directors and Ultimate Beneficial Owners, and the purpose of the business relationship.
When customers are deemed high risk, additional checks must be performed. Foreign politically exposed persons are treated as high risk by default; domestic and international-organisation PEPs, virtual asset service providers, and customers with large or unusual transaction volumes are rated according to the entity's own risk assessment and escalated when that assessment says so. EDD requires verifying source of wealth and funds, obtaining senior management approval to onboard or continue the relationship, and increasing the frequency and depth of ongoing monitoring applied to that customer's transactions and behaviour.
Figure 3: Standard CDD vs Enhanced Due Diligence — when each applies and what it requires under AUSTRAC rules
Ongoing Customer Due Diligence (OCDD) ensures that customer behaviour continues to match the established risk profile. Key elements are transaction monitoring rules calibrated to the customer's expected activity (typical amounts, channels, counterparties and jurisdictions recorded at onboarding), periodic reviews of customer risk, and reverification when the risk level increases. Suspicious Matter Reports (SMRs) must be submitted to AUSTRAC within three business days after forming the suspicion, or within 24 hours where the suspicion relates to terrorism financing. The obligation applies whether the transaction was completed, attempted, or refused.
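The rules below are an added example of what "monitoring calibrated to expected activity" looks like in code; they are not from the original article or any vendor product. The customer profile, the transactions and every rule parameter (the structuring band, window and count, the deviation multiplier) are constructed assumptions. The AUD 10,000 figure is the statutory physical-currency threshold behind threshold transaction reports, which the article names but does not quantify. The SMR clock ignores public holidays.

```python
"""Ongoing monitoring rules calibrated to a customer's expected activity, plus the
SMR clock the article describes (3 business days, or 24 hours when terrorism-related).

Added example; not code from the original article or any vendor's product. The
profile, transactions and rule parameters are constructed for illustration. The
AUD 10,000 figure is the statutory physical-currency threshold behind threshold
transaction reports. The business-day count ignores public holidays.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TTR_THRESHOLD_AUD = 10_000.0
STRUCTURING_BAND = (0.80, 1.00)   # cash amounts in this fraction of the threshold are "just under" (assumption)
STRUCTURING_MIN_COUNT = 3         # this many just-under deposits ... (assumption)
STRUCTURING_WINDOW_DAYS = 7       # ... within this many days raise an alert (assumption)
DEVIATION_MULTIPLIER = 3.0        # one transaction above 3x the expected typical amount (assumption)


@dataclass(frozen=True)
class Profile:
    customer_id: str
    risk_rating: str                # "low" | "medium" | "high", from CDD
    expected_typical_amount: float  # AUD per transaction, established at onboarding
    expected_countries: frozenset   # jurisdictions the customer said they deal with


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    channel: str    # "cash" | "transfer"
    country: str


def monitor(profile, txns):
    """Return (rule, detail) alerts for one customer's transactions, oldest first."""
    alerts = []
    ordered = sorted(txns, key=lambda t: t.ts)
    for t in ordered:
        when = t.ts.strftime("%Y-%m-%d")
        if t.channel == "cash" and t.amount >= TTR_THRESHOLD_AUD:
            alerts.append(("TTR", f"{when} cash {t.amount:,.2f} meets the reporting threshold"))
        if t.amount > DEVIATION_MULTIPLIER * profile.expected_typical_amount:
            alerts.append(("DEVIATION", f"{when} {t.amount:,.2f} vs expected ~{profile.expected_typical_amount:,.2f}"))
        if t.country not in profile.expected_countries:
            alerts.append(("GEOGRAPHY", f"{when} {t.country} not in expected {sorted(profile.expected_countries)}"))
    # Structuring: several just-under-threshold cash transactions inside a short window.
    lo = STRUCTURING_BAND[0] * TTR_THRESHOLD_AUD
    hi = STRUCTURING_BAND[1] * TTR_THRESHOLD_AUD
    near = [t for t in ordered if t.channel == "cash" and lo <= t.amount < hi]
    window = timedelta(days=STRUCTURING_WINDOW_DAYS)
    for i, first in enumerate(near):
        run = [t for t in near[i:] if t.ts - first.ts <= window]
        if len(run) >= STRUCTURING_MIN_COUNT:
            total = sum(t.amount for t in run)
            alerts.append(("STRUCTURING", f"{len(run)} cash deposits of {lo:,.0f}-{hi:,.0f} within "
                                          f"{STRUCTURING_WINDOW_DAYS} days from {first.ts:%Y-%m-%d}, total {total:,.2f}"))
            break
    return alerts


def smr_deadline(suspicion_formed, terrorism_related=False):
    """Latest lodgement time: 24 hours if TF-related, otherwise 3 business days (Mon-Fri)."""
    if terrorism_related:
        return suspicion_formed + timedelta(hours=24)
    due, remaining = suspicion_formed, 3
    while remaining:
        due += timedelta(days=1)
        if due.weekday() < 5:   # Monday=0 .. Friday=4
            remaining -= 1
    return due


# Constructed sample: a customer profiled as low risk, ~AUD 5,000 per transaction, domestic only.
SAMPLE_PROFILE = Profile("C-1001", "low", 5_000.0, frozenset({"AU"}))
SAMPLE_TXNS = [
    Txn(datetime(2026, 3, 2, 10, 0), 9_500.0, "cash", "AU"),
    Txn(datetime(2026, 3, 4, 11, 30), 9_800.0, "cash", "AU"),
    Txn(datetime(2026, 3, 6, 9, 15), 9_700.0, "cash", "AU"),
    Txn(datetime(2026, 3, 9, 14, 0), 40_000.0, "transfer", "KY"),
    Txn(datetime(2026, 3, 10, 16, 45), 12_000.0, "cash", "AU"),
]
SUSPICION_FORMED = datetime(2026, 3, 19, 15, 0)   # a Thursday afternoon

if __name__ == "__main__":
    for rule, detail in monitor(SAMPLE_PROFILE, SAMPLE_TXNS):
        print(f"{rule:12s} {detail}")
    print("SMR due:", smr_deadline(SUSPICION_FORMED), "| TF-related:", smr_deadline(SUSPICION_FORMED, True))
```

The three sub-threshold deposits never individually reach the TTR line, which is the whole point of the structuring rule: it has to look at the run, not the single transaction. The deviation and geography rules only make sense because the profile captured an expected amount and an expected jurisdiction at onboarding; without that baseline there is nothing to deviate from.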
Businesses must keep detailed records for at least seven years: customer identification records for seven years after the relationship ends, and transaction records for seven years after the transaction. This includes verified identity information, the results of ID checks via the Document Verification Service or other sources, risk assessments and reviews, EDD documentation, and transaction monitoring data including the justification for decisions made in response to alerts. These records must be accessible to AUSTRAC on request and must satisfy the evidentiary standards required for regulatory examination.
AUSTRAC accepts a range of primary and secondary identity documents, as well as electronic verification methods that meet reliability and independence standards. The combination of document type and verification method must provide sufficient certainty about the customer's identity given the risk level of the relationship.
| Evidence Type | Examples | Use Case |
|---|---|---|
| Primary ID — Photo | Australian or foreign passport, driver's licence (including digital), government photo ID | All customers — primary identity verification |
| Secondary Documents | Utility bills, council rates notice, ATO tax statements, birth certificate, citizenship certificate | Address confirmation, supplementary identity proof |
| Minor-Specific | School letters confirming address, parent/guardian documentation | Customers under 18 years |
| Electronic Verification (eKYC) | Document Verification Service (DVS), biometric/facial recognition, government databases | All customers — modern, auditable verification |
Figure 4: Acceptable KYC evidence types and their appropriate use under AUSTRAC rules
When onboarding corporate clients, regulated entities must follow Know Your Business (KYB) procedures — similar to personal KYC but tailored to the structure and ownership of legal entities. Key requirements include company registration details, registered and operational address, the nature and purpose of the business relationship, and identification of directors and beneficial owners. KYB is often more complex than personal KYC because corporate structures can have multiple layers of ownership that must be traced to the natural persons who ultimately control the entity.
A UBO is any natural person who ultimately owns or controls 25% or more of an entity, or who otherwise exercises substantial influence or control over the entity's decisions. To comply with AUSTRAC rules, regulated entities must identify and verify all UBOs using documentation plus reliable data sources, keep records explaining how ownership or control was established and through which chain of entities, and reassess UBO status when the entity's ownership or control structure changes. Inaccurate or incomplete UBO identification is a common compliance gap, typically because ownership is traced one layer down and then stops at an intermediate company or trust.
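The tracing described above, as an added example that is not part of the original article: effective ownership of a target entity is computed by multiplying fractions down each chain of holding entities and summing across chains, with two edge cases a practitioner hits immediately. Cross-holdings (A owns a slice of B while B owns a slice of A) make naive recursion loop, so the example iterates to a fixed point; and any holder that is neither a known natural person nor a charted entity is booked to an explicit unresolved bucket rather than dropped, because untraceable ownership is exactly what an examiner will ask about. The ownership chart, names, controller set and data layout are constructed assumptions; the 25% threshold is the article's.

```python
"""Trace ultimate beneficial owners (UBOs) through a layered ownership chart.

Added example; this is not code from the original article. The chart below is
constructed and hypothetical. The 25% threshold is the one the article states;
the data layout, names and the UNRESOLVED bucket are assumptions made here.
"""
from collections import defaultdict

UBO_THRESHOLD = 0.25         # owns/controls 25% or more (per the article)
UNRESOLVED = "<unresolved>"  # ownership that cannot be traced to a natural person


def effective_ownership(shareholders, persons, tol=1e-12, max_iter=10_000):
    """Return {entity: {person or UNRESOLVED: effective fraction}} for every charted entity.

    shareholders: {entity: {direct holder: fraction}}. A holder that is neither a
    known natural person nor a charted entity (say, a foreign trust with no
    register available) is booked to UNRESOLVED rather than silently dropped.
    Cross-holdings (A owns part of B and B owns part of A) are handled by
    iterating to a fixed point instead of recursing into a cycle.
    """
    eff = {e: defaultdict(float) for e in shareholders}
    for _ in range(max_iter):
        new_eff, delta = {}, 0.0
        for entity, holders in shareholders.items():
            acc = defaultdict(float)
            for holder, frac in holders.items():
                if holder in persons:
                    acc[holder] += frac
                elif holder in shareholders:
                    for person, f in eff[holder].items():
                        acc[person] += frac * f
                else:
                    acc[UNRESOLVED] += frac
            for k in set(acc) | set(eff[entity]):
                delta = max(delta, abs(acc[k] - eff[entity][k]))
            new_eff[entity] = acc
        eff = new_eff
        if delta < tol:
            break
    return {e: dict(v) for e, v in eff.items()}


def identify_ubos(shareholders, target, persons, controllers=(), threshold=UBO_THRESHOLD):
    """Ownership test (effective holding >= threshold) plus control test (listed controllers)."""
    ownership = effective_ownership(shareholders, persons)[target]
    by_ownership = {p for p, f in ownership.items() if p != UNRESOLVED and f >= threshold - 1e-9}
    return {
        "ownership": ownership,
        "ubos": by_ownership | set(controllers),
        "unresolved": ownership.get(UNRESOLVED, 0.0),
    }


# Constructed sample: TargetCo is held through two holding companies that also hold
# small stakes in each other, and one holder is an offshore trust with no register.
PERSONS = {"Alice", "Bob", "Carol", "Dave"}
CHART = {
    "TargetCo": {"HoldCo A": 0.50, "HoldCo B": 0.40, "Carol": 0.10},
    "HoldCo A": {"Alice": 0.55, "Bob": 0.40, "HoldCo B": 0.05},
    "HoldCo B": {"Dave": 0.60, "Offshore Trust": 0.30, "HoldCo A": 0.10},
}
CONTROLLERS = {"Carol"}   # e.g. sole director: caught by the control test despite a 10% holding


if __name__ == "__main__":
    result = identify_ubos(CHART, "TargetCo", PERSONS, CONTROLLERS)
    for holder, frac in sorted(result["ownership"].items(), key=lambda kv: -kv[1]):
        print(f"{holder:16s} {frac:7.2%}")
    print("UBOs:", sorted(result["ubos"]))
    print(f"untraceable ownership: {result['unresolved']:.2%} (resolve it or escalate the customer)")
```

On the sample chart Alice ends up just under 30% and Dave just over 25% of TargetCo even though neither appears on its register, Bob stays below the line, and about 12.8% of the company cannot be traced to any natural person. That last number is the one to surface to the analyst: it is not a UBO, but it is a gap in the UBO picture.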
For regulated businesses implementing or updating their AML programme for the 2026 regime, the following framework represents the minimum viable compliance structure required by AUSTRAC — and the logical sequence in which it should be built.
Figure 5: Seven-step AML/KYC compliance framework for Australian regulated businesses under the 2026 regime
Failing to meet AML/KYC requirements can carry severe consequences for Australian businesses. AUSTRAC's enforcement history demonstrates that non-compliance is treated as a matter of genuine regulatory priority — not a technical infringement that attracts nominal penalties.
Figure 6: Key compliance thresholds and enforcement benchmarks under Australia's AML/KYC regime
Beyond financial penalties, KYC failures create reputational damage that often outlasts any financial penalty. In the age of public enforcement, AUSTRAC publishes details of significant enforcement actions — meaning a compliance failure becomes publicly associated with a business's brand, affecting customer trust, banking relationships, and partner confidence. Operational risks are equally significant: without proper KYC, businesses risk onboarding high-risk customers involved in ML or TF, inviting increased regulatory scrutiny and exposing the organisation to civil and criminal liability.
With the AML/CTF Amendment Act now formally regulating virtual assets, entities dealing with cryptocurrencies, token-based economies, or digital asset services must integrate additional risk controls. These include source-of-funds checks for wallet-originated transactions, wallet address profiling against known risk indicators, and transaction monitoring rules calibrated to the volatility and anonymity characteristics of virtual asset transfers.
New AUSTRAC rules emphasise risk related to financing connected to weapons development and proliferation. Businesses must enhance due diligence when dealing with customers in territories or sectors flagged by international sanctions regimes, applying additional screening against proliferation-specific watchlists and escalating accordingly when risk indicators are present.
AI-driven identity verification, behavioural biometrics, device intelligence, and ongoing risk scoring are more critical to compliance programmes than ever. These tools help businesses comply efficiently and detect illicit activity with a precision that manual review cannot match at scale. AUSTRAC's guidance implicitly supports technology-enhanced compliance by recognising electronic verification methods and outcomes-based assessments of compliance programme effectiveness.
Australia increasingly cooperates with foreign Financial Intelligence Units and AML authorities. This means cross-border data sharing, enhanced suspicious matter reporting, and tighter oversight on foreign-owned entities and correspondent relationships. Businesses with international operations or customer bases must ensure their KYC and ongoing monitoring programmes satisfy not only AUSTRAC's requirements but also the expectations of partner jurisdictions and correspondent financial institutions.
Building and maintaining a compliant AML/KYC programme in Australia's 2026 regulatory environment requires technology that is purpose-built for regulated financial services — not retrofitted from generic software. The compliance infrastructure needed to satisfy AUSTRAC's expectations across customer due diligence, ongoing monitoring, SMR submission workflows, and recordkeeping is significant, and it must evolve as AUSTRAC's rules and guidance evolve.
If you are planning to build or scale your AML/KYC programme for the Australian market, RemitSo provides tailored compliance solutions aligned with AUSTRAC's latest regulatory requirements — enabling regulated operators to manage AML risk effectively while maintaining the operational efficiency needed to compete in Australia's fast-moving financial services landscape. From integrated KYC verification workflows to configurable transaction monitoring and audit-ready recordkeeping, RemitSo's infrastructure is designed for entities that need to operate compliantly and confidently in the Australian market.
KYC is mandatory for all entities that are regulated under the AML/CTF Act 2006 as amended in 2024. These include banks and other lenders, financial services providers, digital currency exchanges and other virtual asset service providers, and remittance operators, and, from 1 July 2026 (with enrolment opening 31 March 2026), real estate agents, accountants, lawyers, trust and company service providers, and dealers in precious metals and stones. Even non-regulated businesses can benefit from implementing KYC to reduce fraud risk and satisfy the due diligence requirements imposed by their banking partners, investors, or correspondent financial institutions.
Failure to verify a customer's identity before establishing a relationship is a breach of the AML/CTF Act. You may be legally required to refuse the relationship and potentially report suspicious behaviour to AUSTRAC. Non-compliance can lead to civil penalties in the millions of AUD, enforceable undertakings requiring public remediation commitments, and in serious cases, court-ordered sanctions. Beyond the regulatory consequences, unverified customers represent a direct operational risk — if they are subsequently found to be involved in ML or TF, the business faces liability for having facilitated their activity.
Under AUSTRAC rules, customer risk profiles must be periodically reviewed at least every three years, or whenever there is a material change to the customer's circumstances or behaviour. High-risk customers — including PEPs, VASPs, and those with unusual transaction patterns — must undergo more frequent due diligence review cycles. Reverification of identity documents is required when the existing documents expire or when the risk profile change warrants it. The trigger for reverification should be defined in your AML/CTF programme and applied consistently.
Yes. AUSTRAC explicitly recognises electronic verification as a valid approach to identity verification, provided the data source is accurate, reliable, and independently maintained. The Document Verification Service (DVS), operated by the Department of Home Affairs, is the standard government-backed service for checking document details against the issuing agency's records. Biometric identity checks, including facial recognition and liveness detection, are also recognised and increasingly expected for higher-risk customer onboarding. The data must come from a trustworthy provider, and the verification outcome (what was checked, against which source, with what result, and when) must be documented for recordkeeping purposes.
Primary identity documents accepted for KYC verification in Australia include Australian or foreign passports, driver's licences (including digital versions), and government-issued photo ID cards. Secondary documents for address or supplementary identity confirmation include utility bills, council rates notices, ATO tax statements, birth certificates, and citizenship certificates. For minor customers, school letters confirming address are accepted. The combination of documents must be sufficient to verify identity to the standard required by the customer's risk rating under your AML programme.
Foreign Politically Exposed Persons are high risk by default under the AML/CTF Rules, and Enhanced Due Diligence is mandatory for them. Domestic PEPs and international-organisation PEPs must be risk-assessed, and EDD applies where that assessment rates them high risk. EDD means verifying source of wealth and funds in addition to standard identity information, obtaining senior management approval before onboarding or continuing the relationship, applying enhanced transaction monitoring, and conducting more frequent periodic reviews of the relationship. PEP status covers current and former senior political figures and their immediate family members and close associates, so you must screen against a current PEP database as part of your onboarding and ongoing screening programme.
All AML/KYC records must be retained for a minimum of seven years under AUSTRAC's recordkeeping requirements: identification records for seven years after the customer relationship ends, and transaction records for seven years after the transaction. This includes verified identity information, the results of document and electronic verification checks, risk assessments and reviews, EDD documentation, transaction monitoring data, and the justification for decisions made in response to suspicious activity alerts. Records must be stored securely, be retrievable on request by AUSTRAC, and be maintained in a format that preserves their evidentiary integrity for the full seven-year period.
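One way to give the retained records described here and in the recordkeeping section above the "evidentiary integrity" the page asks for, as an added example that is not from the original article: chain the records by hash so that any later edit, insertion or deletion is detectable. The record contents, identifiers and field names are constructed for illustration. Anchoring the chain head somewhere the application cannot rewrite (a signed copy, write-once storage) is the natural next step and is not shown.

```python
"""Hash-chained record log: one way to keep retained KYC/AML records tamper-evident.

Added example; not code from the original article. Record contents are
constructed. Each record commits to the previous record's hash, so a silent
edit, insertion or deletion anywhere in the retention window makes
verification fail at that point.
"""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first record


def _digest(record):
    """SHA-256 over canonical JSON (sorted keys, fixed separators) so the hash is reproducible."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RecordLog:
    def __init__(self):
        self.records = []

    def append(self, kind, customer_id, recorded_at, body):
        """Append a record; 'kind' is e.g. identity_verification, risk_review, alert_disposition."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "recorded_at": recorded_at, "kind": kind,
               "customer_id": customer_id, "body": body, "prev_hash": prev}
        rec["hash"] = _digest(rec)   # covers every field above, including the link to the previous record
        self.records.append(rec)
        return rec["hash"]

    def verify(self):
        """Return (ok, first_bad_seq): recompute every hash and check sequence and linkage."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            unsigned = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(unsigned) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


def build_sample_log():
    """Constructed records for one customer, in the order they would be written."""
    log = RecordLog()
    log.append("identity_verification", "C-1001", "2026-04-01T09:12:00Z",
               {"method": "DVS", "document": "passport", "outcome": "verified"})
    log.append("risk_review", "C-1001", "2026-04-01T09:20:00Z",
               {"rating": "medium", "reason": "remittance corridor"})
    log.append("alert_disposition", "C-1001", "2026-06-14T11:05:00Z",
               {"alert": "STRUCTURING", "decision": "SMR lodged",
                "justification": "three sub-threshold cash deposits in 4 days"})
    return log


def tamper_demo():
    """Verify, quietly rewrite an earlier justification without re-hashing, verify again."""
    log = build_sample_log()
    ok_before, _ = log.verify()
    log.records[2]["body"]["justification"] = "deposits explained by payroll"
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(tamper_demo())   # (True, False, 2)
```

The sequence number catches deletions, the previous-hash link catches reordering and insertions, and the per-record digest catches edits; verification reports the first record at which the chain stops holding, which is what an examiner needs to scope the damage.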
When evaluating KYC solution providers for the Australian market, look for automated document verification with DVS integration, biometric authentication and liveness detection, configurable risk scoring and EDD triggers, PEP and sanctions screening against current watchlists, continuous monitoring with alert management, and audit-ready recordkeeping that satisfies AUSTRAC's seven-year retention requirements. The provider should have direct familiarity with AUSTRAC's rules and guidance — not just generic AML/KYC knowledge — and should be able to demonstrate how their solution maps to the specific obligations of the AML/CTF Act and its 2024 amendments.