What is KYC (Know Your Customer) in Australia?

Direct Answer: KYC (Know Your Customer) in Australia refers to the identity verification process that reporting entities must complete before providing designated services. It is a core component of Customer Due Diligence (CDD) under the AML/CTF Act, overseen by AUSTRAC. KYC involves verifying a customer’s identity using reliable and independent documents, data, or information — and understanding who beneficial owners are for companies and trusts.

What is KYC and Why Is It Required?

KYC is the foundation of Australia’s AML/CTF compliance framework. Before a reporting entity provides a designated service, it must know who its customer is. Without verified identity information, it is impossible to assess risk, monitor behaviour, or report suspicious activity meaningfully to AUSTRAC.

The requirement is not simply about collecting an ID document. The AML/CTF Act requires businesses to conduct a process of verification — to confirm that the identity claimed by the customer is genuine, using reliable and independent sources. This protects businesses from being used as unwitting vehicles for money laundering or terrorism financing.

KYC vs CDD: What Is the Difference?

These terms are often used interchangeably, but they have distinct meanings in the Australian regulatory context:

  • KYC (Know Your Customer): Refers specifically to the process of identifying and verifying a customer’s identity. It answers the question: “Who is this person or entity?”
  • CDD (Customer Due Diligence): A broader process that encompasses KYC but also includes risk assessment, understanding the nature and purpose of the business relationship, beneficial ownership identification, PEP screening, sanctions screening, and ongoing monitoring.

In practice, KYC is what most people think of first — collecting and verifying identity documents. But under AUSTRAC’s framework, KYC is just one piece of a larger CDD obligation.

What Does KYC Require in Australia?

Under the AML/CTF Act and Rules, the KYC process requires reporting entities to:

For Individual Customers

  • Verify the customer’s full name
  • Verify date of birth
  • Verify residential address
  • Use reliable and independent documentary evidence or electronic verification methods

Common identity verification documents include Australian passports, driver’s licences, Medicare cards (as a secondary document), and government-issued photo IDs. Electronic verification through approved identity verification services is also widely accepted.

For Companies and Corporations

  • Verify the company’s legal name and ACN/ABN
  • Confirm registration with ASIC or an equivalent foreign regulatory body
  • Identify and verify the beneficial owners — individuals who own or control 25% or more of the company
  • Understand the company’s ownership and control structure

For Trusts

  • Verify the name of the trust
  • Identify and verify the trustee(s)
  • Identify the settlor(s)
  • Understand the nature of the trust and the beneficiary class
  • For high-risk trusts: obtain and verify additional information about the beneficial owners

Electronic KYC and Digital Verification

Australian reporting entities can use electronic means to conduct KYC verification — and indeed this has become the dominant approach for many businesses, particularly fintechs and digital currency exchanges.

Electronic KYC (eKYC) methods include:

  • Verification through accredited identity verification services that cross-reference data against government or commercial databases
  • Biometric verification (facial recognition combined with document verification)
  • Document OCR (Optical Character Recognition) combined with database checks
  • Video verification calls for customers in higher-risk scenarios

When using eKYC, reporting entities should ensure the method is sufficiently reliable and independent for the risk level of the customer. Higher-risk customers may require additional or in-person verification.

When Must KYC Be Completed?

KYC must be completed before providing a designated service to a new customer. If KYC cannot be satisfactorily completed — for example, because the customer’s identity cannot be verified — the reporting entity must not commence providing the service and should consider whether a Suspicious Matter Report (SMR) is required.

Additionally, KYC information must be kept up to date. If existing customer information becomes inadequate or out of date (for example, a customer changes their name or address), the information must be updated.

Risk-Based Approach to KYC

Australia’s AML/CTF regime requires a risk-based approach to KYC. This means the depth and rigour of the KYC process should be proportionate to the assessed ML/TF risk of the customer:

  • Low-risk customers: Standard KYC verification is typically sufficient.
  • Medium-risk customers: Standard KYC with enhanced transaction monitoring.
  • High-risk customers: Enhanced Due Diligence (EDD) — additional KYC steps, source of funds verification, senior management approval, and more frequent monitoring.

This means a cryptocurrency exchange customer sending large volumes of funds internationally will be subject to far more rigorous KYC than a customer making a small deposit in a low-risk environment.

Record Keeping for KYC

Reporting entities are not required to make copies of identity documents under the AML/CTF Act — but they must keep records of what steps were taken to verify identity and what information was provided by the customer. These records must be retained for at least 7 years and must be retrievable on request by AUSTRAC.

Frequently Asked Questions

Is KYC mandatory for all Australian businesses?

KYC obligations apply to reporting entities — businesses that provide designated services under the AML/CTF Act. Not all businesses are reporting entities. However, with the Tranche 2 reforms commencing 1 July 2026, the number of regulated businesses is expanding significantly.

What is biometric KYC?

Biometric KYC uses facial recognition technology to match a customer’s selfie against the photo on their identity document, combined with document verification. It is increasingly common in fintech and cryptocurrency businesses and can be an AUSTRAC-compliant verification method when the technology is reliable and appropriate to the risk level.

Can I accept a Medicare card for KYC?

Medicare cards are generally not accepted as a standalone primary verification document in Australia — they do not include a photo. However, they can be used as a secondary document to support primary verification, such as alongside a driver’s licence.

What if a customer refuses to provide KYC information?

If a customer refuses to provide sufficient information for KYC verification, you must not provide the designated service. You should also consider whether the refusal constitutes a suspicious circumstance requiring an SMR.
