
Insurance KYC Compliance in Australia 2026: AUSTRAC, ASIC, and AML/CTF Act

Australian life insurers are reporting entities under the AML/CTF Act 2006. Complete guide: AUSTRAC obligations, APRA governance, Privacy Act 1988, and TFN verification.

CheckFile Team

Australian life insurance companies and financial product intermediaries are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). AUSTRAC (Australian Transaction Reports and Analysis Centre) is the federal financial intelligence unit and AML/CTF regulator, responsible for supervising compliance and receiving suspicious matter reports (SMRs) and threshold transaction reports (TTRs) from insurance entities. APRA (Australian Prudential Regulation Authority) oversees the prudential soundness of life insurers under the Life Insurance Act 1995 and the Insurance Act 1973 for general insurers.

Australia's AML/CTF framework is undergoing significant reform in 2024-2026. The AML/CTF Amendment Act 2024 extends the AML/CTF regime to tranche-2 entities (lawyers, accountants, real estate agents), but for insurance companies already covered under the existing framework, the reforms primarily tighten existing requirements rather than introducing entirely new obligations.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice tailored to your situation.

Why Insurance Companies Are Reporting Entities Under the AML/CTF Act

Section 5 of the AML/CTF Act defines "designated services" provided by reporting entities. Life insurance companies providing investment-linked and whole-of-life policies are explicitly included as providers of designated services. The Financial Action Task Force (FATF) has identified Australian life insurance products — particularly investment-linked policies and annuities — as moderate-to-high risk for money laundering.

AUSTRAC's 2023 insurance sector assessment found that approximately one-third of life insurance companies reviewed had inadequate customer identification procedures, particularly for beneficial ownership of corporate policyholders. For a broader overview of document compliance frameworks, see our document compliance guide.

Which Insurance Products Are "Designated Services" Under the AML/CTF Act?

| Product Category | AML/CTF Obligation | Risk Level |
|---|---|---|
| Whole-of-life and endowment policies | Mandatory | High |
| Investment-linked (unit-linked) insurance | Mandatory | High |
| Annuities and retirement income streams | Mandatory | High |
| Term life insurance (no investment component) | Simplified/limited | Low |
| General insurance (home, motor, liability) | Not a designated service | Low |
| Health insurance (private hospital cover) | Not a designated service | Low |
| Group life through employer | Simplified at insurer level | Low |

The dividing line is whether the product is a "life policy" with a financial investment component or surrender value. Products satisfying this threshold are "designated services" requiring a full AML/CTF program.

Core AML/CTF Obligations for Australian Insurers

1. AML/CTF Program

Under Section 85 of the AML/CTF Act, every reporting entity must adopt and maintain an AML/CTF program. The program has two parts:

  • Part A: customer due diligence — risk assessment, customer identification, ongoing customer due diligence, employee training, independent review
  • Part B: applicable customer identification procedures — the specific documentation and verification methods for each type of customer

Programs must be assessed against AUSTRAC's AML/CTF Rules 2007 and updated when risk profiles or business activities change.

2. Customer Identification (Know Your Customer)

Rule 7.1 of the AML/CTF Rules sets out the customer identification procedures for individuals and legal entities. Australian insurers must:

  1. Collect identifying information before providing a designated service:
    • Individuals: full name, date of birth, residential address, contact details
    • Australian passport, state/territory driver's licence, or other AUSTRAC-approved document
  2. Verify identity using reliable, independent sources — at minimum, photographic identity or biometric matching
  3. Collect and verify Tax File Number (TFN) for superannuation and investment-linked products (TFN is not technically an AML/CTF requirement but is required under tax law for these products)
  4. Identify beneficial owners of corporate entities: individuals with direct or indirect control of 25% or more of the company
  5. Cross-reference ASIC registries: the ASIC Connect portal for company registrations and the national beneficial ownership registry (being developed post-AML/CTF reform)

3. Ongoing Due Diligence

Insurers must monitor customer transactions and relationships on an ongoing basis. AUSTRAC expects life insurers to:

  • Maintain updated customer risk profiles
  • Screen customers against AUSTRAC watchlists and OFAC/UN sanctions lists
  • Review customers whose circumstances materially change (e.g., nomination of an overseas beneficiary from a high-risk jurisdiction, large ad hoc lump-sum payments)

4. Reporting to AUSTRAC

Australian life insurers must file:

  • Suspicious Matter Reports (SMRs): when the insurer has reasonable grounds to suspect that a transaction is related to money laundering or serious crime — within 3 business days of forming the suspicion
  • Threshold Transaction Reports (TTRs): for cash transactions of AUD $10,000 or more — within 10 business days
  • International Funds Transfer Instructions (IFTIs): for electronic funds transfers to or from overseas — within 10 business days

Reports are lodged through AUSTRAC Online.

APRA's Role and the Australian Equivalent of Solvency II

APRA supervises the prudential soundness of Australian life insurers under the Life Insurance Act 1995. While Australia does not have a direct equivalent to the EU's Solvency II framework, APRA's Life and General Insurance Capital (LAGIC) standards set capital adequacy requirements that share the risk-based philosophy of Solvency II.

Key APRA requirements that complement AML/CTF compliance:

  • Prudential Standard LPS 510 (Governance): requires a board-approved risk management framework that should encompass AML/CTF risk
  • Prudential Standard LPS 220 (Risk Management): requires a Risk Management Strategy addressing all material risks, including financial crime risk
  • Fit and Proper requirements (LPS 520): key function holders must be assessed for competence and integrity, reinforcing the AUSTRAC obligation to designate an AML/CTF compliance officer

APRA and AUSTRAC coordinate enforcement where an insurer faces both prudential and AML/CTF concerns. The two regulators share a Memorandum of Understanding (MoU) on supervisory cooperation.


Privacy Act 1988 and Australian Privacy Principles

When Australian insurers collect and process personal information for KYC purposes, they must comply with the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). Relevant requirements for insurance KYC:

  • APP 3 (Collection): personal information must only be collected where reasonably necessary for a purpose that is directly related to the insurer's functions
  • APP 5 (Notification): customers must be notified of the collection of their personal information and its purposes — AML/CTF requirements constitute a lawful purpose under the Privacy Act
  • APP 11 (Security): personal information must be protected from misuse, interference, loss, and unauthorised access
  • APP 12 (Access): individuals have the right to access their personal information held by the insurer, subject to limited exceptions including ongoing investigation of suspected financial crime

The Tax File Number (TFN) is subject to the Tax File Number Rule 2015 and can only be collected with consent and for specified tax-related purposes. Its use for AML/CTF identification is restricted.

Unlike the EU's GDPR regime, the Australian Privacy Act does not currently require mandatory data breach notification to the regulator within 72 hours. However, the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act) requires notification to the OAIC (Office of the Australian Information Commissioner) and affected individuals when there is likely to be serious harm.

Enhanced Due Diligence in the Australian Insurance Context

AUSTRAC expects enhanced customer due diligence in higher-risk situations:

  • Politically Exposed Persons (PEPs): AUSTRAC defines foreign PEPs under Section 9.1 of the AML/CTF Rules — these require enhanced due diligence and ongoing monitoring
  • High-risk jurisdictions: FATF grey and blacklisted countries, plus AUSTRAC-designated high-risk jurisdictions for money laundering or terrorist financing
  • Non-face-to-face customers: remote identity verification requires additional verification steps using biometric matching or VEVO (for visa holders)
  • Large or complex corporate structures: chains of ownership or control through multiple entities require deeper beneficial ownership analysis

For PEPs, senior management approval is required before establishing or continuing the business relationship. Source of wealth and funds must be assessed and documented. See our enhanced due diligence guide.

Automated KYC for Australian Insurers

Australian insurance companies can use automated document verification to meet AUSTRAC's customer identification requirements at scale. CheckFile supports Australian document verification including:

  • Australian passports (including the new next-generation passport)
  • State and territory driver's licences (all formats, all states and territories)
  • ASIC company extract processing for corporate beneficial ownership
  • ImmiCard and foreign passport verification for non-citizens

Key benefits for Australian insurance compliance teams:

  • AUSTRAC audit trail: complete, timestamped verification log for examination
  • Integration: compatible with Australian life insurance administration platforms
  • Privacy Act compliance: data handling consistent with APPs, with consent management
  • Ongoing monitoring support: regular re-screening of customer lists against updated watchlists

Explore our pricing options and API documentation.

AUSTRAC Enforcement and Penalties

AUSTRAC has the power to impose civil penalties, seek court-ordered civil penalties, and pursue criminal prosecutions under the AML/CTF Act. Key enforcement powers:

  • Civil penalties: AUSTRAC can pursue civil penalty proceedings in the Federal Court for serious contraventions — penalties can reach AUD $22.2 million per contravention for corporations
  • Enforceable undertakings: AUSTRAC can accept undertakings from entities to remediate compliance failures without formal litigation
  • Annual compliance reports: required from all reporting entities, with false or misleading reports constituting a separate offence
  • Public disclosure: AUSTRAC publishes details of enforcement actions, creating significant reputational risk

AUSTRAC has pursued some of the world's largest AML enforcement actions — the AUD $1.3 billion penalty against a major Australian bank in 2018 and subsequent corporate sector actions have put all financial services firms, including insurers, on notice about the severity of AML non-compliance.

Frequently Asked Questions

Are general insurance companies reporting entities under the Australian AML/CTF Act?

No — general insurance (home, motor, public liability, workers' compensation) is not a "designated service" under Schedule 1 of the AML/CTF Act and is not subject to AUSTRAC reporting obligations. Only life insurance products with an investment or surrender value component are covered.

How does Australia's AML/CTF framework differ from AMLD6?

Key differences: (1) Australia's framework applies specifically to designated services (products with investment value), while AMLD6 applies broadly to all life insurance in the EU; (2) Australia does not have an equivalent to Solvency II — APRA's LAGIC standards play a similar but distinct prudential role; (3) AUSTRAC enforces AML/CTF separately from APRA's prudential supervision, creating a dual-regulator environment; (4) Australia does not yet have a standalone beneficial ownership register for companies (in development post-2024 AML/CTF reform).

What is the difference between an SMR and a TTR in Australia?

A Suspicious Matter Report (SMR) is filed within 3 business days of forming a suspicion about a potential financial crime — no minimum dollar threshold. A Threshold Transaction Report (TTR) is filed within 10 business days of any cash transaction of AUD $10,000 or more — regardless of suspicion. Both are filed through AUSTRAC Online.

Does the Privacy Act prevent insurers from retaining KYC documents for seven years?

The AML/CTF Act requires retention of customer identification records for seven years after the end of the business relationship. The Privacy Act permits retention where legally required; the seven-year AML/CTF requirement is the applicable legal basis for this extended retention period.

What VEVO checks are required for non-citizen insurance applicants?

For non-citizens applying for life insurance products, AUSTRAC recommends verifying immigration status through VEVO (Visa Entitlement Verification Online) to confirm work rights and residency status. This is particularly important for enhancing the reliability of address and identity verification for visa-holder customers.
