Digital Identity Trends 2026: The Future of Online Verification and e-ID in Australia

The Australian digital identity market will reach AUD 4.7 billion in 2026, accelerated by the rollout of the myID digital identity credential, the AML/CTF Act 2006 reforms taking effect in 2026, and AUSTRAC's updated guidance on digital customer verification. AUSTRAC's AML/CTF Rule 4.1.3(c), as updated under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, explicitly requires that reporting entities using electronic verification methods demonstrate reliability equivalent to physical document inspection, with biometric verification now accepted as the standard approach for remote customer onboarding (AUSTRAC AML/CTF Rules 2007, as amended 2024). For Australian financial services firms, real estate agents, accountants, lawyers, and other reporting entities, 2026 marks the most significant update to identity verification obligations in a decade. This guide covers the five trends reshaping Australian digital identity in 2026.

The Australian Digital Identity Landscape in 2026

Australia is undergoing a structured transition to a government-backed digital identity ecosystem, centered on the Trusted Digital Identity Framework (TDIF) and the myID credential, replacing the legacy myGovID. The Digital ID Act 2024 (Cth), enacted in May 2024, establishes the legislative basis for the accredited digital identity ecosystem and the TDIF.

Three forces are reshaping Australian digital identity in 2026:

• AML/CTF Act reforms: the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 extends AML/CTF obligations to real estate agents, lawyers, accountants, and other designated services (Tranche 2 entities), dramatically expanding the market for digital identity verification.
• Privacy Act amendments: the Privacy Act 1988 reforms (effective 2025) introduce a right to erasure, stricter data minimisation requirements, and stronger enforcement powers for the Office of the Australian Information Commissioner (OAIC).
• myID expansion: the rebrand from myGovID to myID in 2024 and the expansion to private sector acceptance via the Australian Government Digital Identity System (AGDIS) create a government-backed identity credential usable across public and private services.

Sources: AUSTRAC Annual Report 2025, DISER Digital Economy Strategy.

myID and the Trusted Digital Identity Framework (TDIF)

The Trusted Digital Identity Framework (TDIF) defines four identity proofing levels (IP 1-4) aligned with NIST SP 800-63-4 principles, with IP 2 as the standard for financial services remote onboarding (TDIF Accreditation Rules, Version 6.1, November 2024).

The myID credential, administered by the Australian Taxation Office (ATO), provides three strength levels:

• Basic strength: email address verification only.
• Standard strength: document verification (passport or driver's licence) + facial biometric matched against the Document Verification Service (DVS).
• Strong strength: in-person identity proofing or biometric match against a government biometric database (e.g., DHS facial recognition service).

For AUSTRAC reporting entities, myID Standard or Strong strength provides IP 2-equivalent identity assurance for remote customer onboarding, including for the new Tranche 2 entities from 2026.

Key Changes from the Digital ID Act 2024

The Digital ID Act 2024 creates an accredited ecosystem where:

• ASIC-regulated firms and APRA-regulated entities can rely on accredited identity providers (including myID) for customer verification without retaining the underlying identity documents.
• Third-party identity service providers must be accredited under the TDIF by the Digital ID Regulator (ACCC) to be relied upon by regulated entities.
• Cross-sector attribute sharing (e.g., banking attributes shared with insurance) becomes permissible within the TDIF trust model.

For the regulatory implications on KYC obligations under the AML/CTF Act, see our KYC requirements guide.

AI Biometrics and AUSTRAC Expectations

AUSTRAC's Customer Identification and Verification guidance (updated August 2024) now requires that digital identity verification systems used for remote customer onboarding meet liveness detection standards equivalent to ISO/IEC 30107-3 Level 2, to counter deepfake and injection attack threats (AUSTRAC Guidance — Customer Identification).

The Australian threat context is acute. The Australian Cyber Security Centre (ACSC) reported AUD 33,000 average loss per identity fraud event in 2025, with deepfakes involved in 5.2% of digital identity fraud attempts — up from 0.3% in 2021. The Australian Federal Police (AFP) recorded 3,847 identity crime investigations in 2025, the highest on record.

Generation 2 biometrics (2025-2026): Combines real-time 3D facial geometry, micro-eye movement analysis, and environmental signal detection. Accuracy against generation-4 deepfakes: 97.3%, per iBeta Quality Assurance 2025.

For Australian businesses, biometric data collection is governed by the Privacy Act 1988 and the Australian Privacy Principles (APPs), specifically APP 3 (Collection of solicited personal information). The OAIC (Office of the Australian Information Commissioner) has published specific guidance on biometric use in identity verification, requiring a Privacy Impact Assessment (PIA) for high-risk biometric deployments.

Self-Sovereign Identity in the Australian Context

Australia's TDIF incorporates Verifiable Credentials (VCs) and Decentralised Identifiers (DIDs) principles, enabling selective attribute disclosure within the AGDIS (Australian Government Digital Identity System) (DTA Verifiable Credentials Program).

The Digital Transformation Agency (DTA) has run pilots with Verifiable Credentials for academic credentials (with five universities), professional licensing (with ASIC for financial adviser credentials), and visa status verification (with the Department of Home Affairs). These pilots leverage the W3C DID Core 1.0 and VC Data Model 2.0 standards.

Regulatory Framework: AML/CTF Act, AUSTRAC, and Privacy Act in 2026

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (AML/CTF Amendment Act) is the most significant expansion of Australian AML obligations in 18 years, extending reporting requirements to real estate agents, lawyers, accountants, and other designated businesses from mid-2026 (AML/CTF Amendment Act 2024, Cth).

Key regulatory requirements for Australian businesses in 2026:

• Customer Identification Procedures (CIP): all AUSTRAC reporting entities must have written CIP procedures that meet the AML/CTF Rules, including electronic verification methods. The updated Rules explicitly permit biometric verification as a primary method (AML/CTF Rules Part 4.1).
• Document Verification Service (DVS): the DVS operated by the Department of Home Affairs allows real-time verification of Australian identity documents against government records. DVS checking is now the standard first step in all digital CIP procedures.
• Suspicious Matter Reports (SMRs): must be filed with AUSTRAC within 3 business days, or 24 hours for terrorism financing matters.
• Threshold transaction reports (TTRs): AUD 10,000+ in cash transactions must be reported to AUSTRAC within 10 business days.

Privacy Act 1988 and Australian Privacy Principles (APPs)

The Privacy Act reforms (effective December 2025) introduce:

• A direct right of action for individuals for serious privacy interferences (allowing private lawsuits).
• Stricter data minimisation: entities must not collect more personal information than reasonably necessary.
• New requirements for automated decision-making: where identity verification involves automated profiling, entities must provide meaningful transparency.

Enforcement: AUSTRAC Penalties

Source: AUSTRAC Enforcement Actions.

Practical Checklist: Australian Businesses in 2026

• AML/CTF program review: for existing reporting entities, update CIP procedures to incorporate myID, DVS checking, and biometric verification as primary methods.
• Tranche 2 readiness: if you are a real estate agent, lawyer, accountant, or other newly designated service — register with AUSTRAC and develop your AML/CTF program by the mid-2026 deadline.
• TDIF alignment: assess whether your identity verification solution meets TDIF IP 2 for remote onboarding or is provided by an accredited TDIF provider.
• Biometrics upgrade: verify liveness detection meets ISO/IEC 30107-3 Level 2 minimum and AUSTRAC's updated guidance.
• Privacy Act compliance: conduct Privacy Impact Assessments for biometric deployments; update privacy notices for data minimisation and automated decision transparency.
• DVS integration: confirm your CIP process includes DVS document verification as the standard first step.
• Evidence documentation: maintain audit files for AUSTRAC examination, including CIP records, verification logs, and SMR/TTR filing histories.

CheckFile's document verification platform meets TDIF IP 2 standards and AUSTRAC CIP requirements, and integrates ISO/IEC 30107-3 liveness detection with DVS connectivity. See our pricing for Australian enterprise options, or our security page for technical compliance details.

For the broader data management framework, see our fraud data guide.

Frequently Asked Questions

What is myID and how does it affect business onboarding in Australia?

myID (formerly myGovID) is the Australian Government's digital identity credential, operated by the ATO. The Standard and Strong strength levels provide IP 2-equivalent assurance for remote identity verification. Under the Digital ID Act 2024, AUSTRAC reporting entities can rely on accredited myID verifications for CIP without retaining underlying documents, simplifying compliance.

Who must comply with the AML/CTF Act from mid-2026 under Tranche 2?

Tranche 2 of the AML/CTF reform extends obligations to real estate agents (buyers and sellers above AUD 10,000), lawyers (for property transactions, business formations), accountants, trust and company service providers, and dealers in precious metals and stones. These entities must register with AUSTRAC and implement a compliant AML/CTF program.

What biometric standards does AUSTRAC require for remote identity verification?

AUSTRAC's updated guidance requires liveness detection equivalent to ISO/IEC 30107-3 Level 2 PAD (Presentation Attack Detection) for remote biometric verification. The biometric check must be performed in conjunction with document verification via the DVS to achieve the reliability standard required by the AML/CTF Rules.

Does the Privacy Act 1988 apply to biometric data collected for identity verification?

Yes. Biometric data is sensitive information under the Privacy Act 1988, Schedule 1 (Australian Privacy Principles). Collection requires explicit consent (APP 3), use is restricted to the stated purpose (APP 6), and retention must be limited to what is necessary (APP 11). High-risk deployments require a Privacy Impact Assessment.

How does Australia's TDIF compare to the EU's eIDAS 2.0?

Both frameworks define identity assurance levels (IP/IAL vs. LoA) and enable cross-sector identity sharing. Key differences: TDIF is voluntary (no mandate for businesses to accept myID, unlike eIDAS 2.0's EUDIW acceptance mandate); TDIF relies on existing documents (passport, driver's licence) via DVS rather than cryptographic native identity credentials; eIDAS 2.0 introduces selective disclosure via EUDIW, while TDIF is developing VC capabilities more gradually.