KYC for Payment Service Providers in Australia: AUSTRAC, AML/CTF Act 2026

Payment service providers (PSPs) operating in Australia are subject to rigorous anti-money laundering and counter-terrorism financing (AML/CTF) obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), enforced by the Australian Transaction Reports and Analysis Centre (AUSTRAC). PSPs also require licensing under the Corporations Act 2001 and the Australian Financial Services (AFS) licensing regime administered by the Australian Securities and Investments Commission (ASIC). In 2026, the AML/CTF landscape is transforming under the AML/CTF Amendment Act 2024, which extends obligations to a broader range of Tranche 2 entities (lawyers, accountants, real estate agents) and modernises the existing regime — with phased compliance dates through to 31 March 2026 and beyond for designated service providers including PSPs.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for your specific situation.

Which PSPs Are Subject to KYC Requirements in Australia?

Under the AML/CTF Act, PSPs are captured as Reporting Entities when they provide designated services listed in Table 1 of Section 6:

All reporting entities must enrol with AUSTRAC before providing any designated service. Failure to enrol is a strict liability offence under s. 76 of the AML/CTF Act. AUSTRAC maintains a public Register of Reporting Entities (formerly the Remittance Sector Register and the Digital Currency Exchange Register).

Digital currency exchange (DCE) providers must additionally register on AUSTRAC's DCE Register and meet specific KYC obligations for virtual asset transfers above AUD $1,000.

The Regulatory Framework: AML/CTF Act 2006 and 2024 Amendments

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) The AML/CTF Act is Australia's primary AML/CTF legislation. It requires reporting entities to: enrol with AUSTRAC, develop and implement an AML/CTF program (Part A: risk assessment and systems, Part B: customer due diligence), conduct ongoing customer due diligence (OCDD), report threshold transactions, suspect matter, and international fund transfers. Source: AML/CTF Act 2006, austrac.gov.au

AML/CTF Amendment Act 2024 The most significant reform to Australian AML/CTF law in 17 years, this Act: (1) modernises the customer due diligence framework; (2) expands the scope to Tranche 2 entities; (3) introduces beneficial ownership verification obligations aligned with FATF Recommendation 10; and (4) streamlines the AML/CTF program requirements into a single integrated program. Key compliance dates for PSPs extend to 2026 and beyond. Source: Attorney-General's Department, ag.gov.au

Privacy Act 1988 and Australian Privacy Principles (APPs) The Privacy Act 1988 and its 13 Australian Privacy Principles govern how PSPs collect, hold, use, and disclose personal information gathered in KYC processes. APP 3 limits collection to what is reasonably necessary; APP 6 restricts use and disclosure; APP 11 requires security of personal information. The Office of the Australian Information Commissioner (OAIC) can investigate and impose civil penalty orders. Source: Privacy Act 1988, oaic.gov.au

ASIC Licensing PSPs providing payment services that constitute financial products (purchased payment facilities, investment products with payment features) must hold an Australian Financial Services Licence (AFSL) or operate as an authorised representative. ASIC also supervises compliance with the Corporations Act 2001 in relation to unfair contract terms and dispute resolution. Source: ASIC, asic.gov.au

For an overview of KYC/AML compliance, see our AMLD6 compliance guide for obliged entities.

KYC Requirements for Australian PSPs: Customer Identification

Customer Identification Program (CIP)

Under the AML/CTF Rules 2007 and the updated requirements under the 2024 Amendment Act, reporting entities must apply customer identification procedures (CIP) before — or as soon as practicable after — providing a designated service. The CIP must be risk-based and proportionate to the risk profile of each customer and service.

For individual customers, the standard CIP under AML/CTF Rule 4.2 requires collecting and verifying:

Australia's Document Verification Service (DVS) operated by the Department of Home Affairs provides real-time verification of Australian government-issued documents. PSPs are strongly encouraged to integrate DVS for electronic CIP.

For corporate customers (companies and trusts), the AML/CTF Rules require:

• Company name, registered number (ACN), and registered address
• Identification of beneficial owners: individuals who hold directly or indirectly ≥ 25% of the company's issued shares or voting rights, or who otherwise control the company
• Verification of trustee details and trust deed for trust structures
• Identification of acting partners for partnerships

The AML/CTF Amendment Act 2024 strengthened beneficial ownership verification requirements, aligning Australia with FATF Recommendation 25.

Enhanced Customer Due Diligence

AUSTRAC guidance identifies situations requiring enhanced customer due diligence (ECDD):

PEPs in the Australian context include: current and former (within 12 months) senior Australian and foreign government officials, judicial officers, senior military officers, ambassadors, senior executives of state-owned enterprises, and senior officials of international organisations — together with their immediate family members and close associates.

Ongoing Customer Due Diligence (OCDD)

Reporting entities must conduct ongoing due diligence throughout the customer relationship:

AUSTRAC Reporting Obligations

Suspicious Matter Reports (SMRs)

Reporting entities must submit a Suspicious Matter Report (SMR) to AUSTRAC when they have reasonable grounds to suspect that a matter may be related to money laundering, terrorism financing, tax evasion, or a serious crime:

• Completed transactions: file within 3 business days
• Attempted or proposed transactions: file within 24 hours
• Confidentiality: the customer must not be informed ("tipping off" is a criminal offence under AML/CTF Act s. 123)

Source: AUSTRAC SMR guidance, austrac.gov.au

Threshold Transaction Reports (TTRs)

PSPs must file a TTR within 10 business days of any transaction involving the transfer of physical currency of AUD $10,000 or more (or the foreign currency equivalent) in a single transaction.

International Funds Transfer Instructions (IFTIs)

PSPs that send or receive international wire transfers must report every IFTI to AUSTRAC — there is no minimum threshold. The report must be filed within 10 business days of sending or receiving the instruction. Source: AUSTRAC IFTI guidance

AUSTRAC Enforcement: Penalties

AUSTRAC has demonstrated a willingness to impose very large civil penalties for systemic AML/CTF failures:

• Civil penalties: the AML/CTF Act provides for penalties of up to AUD $222 million per contraventions or the greater of AUD $21 million, three times the benefit obtained, or 10% of annual turnover
• Enforceable Undertakings: AUSTRAC may accept an enforceable undertaking with remediation commitments as an alternative to penalty proceedings
• External Compliance Audits: AUSTRAC can require reporting entities to fund independent external compliance audits
• Criminal prosecution: directors and senior officers can face personal criminal liability for systematic failures to maintain AML/CTF programs

Notable AUSTRAC enforcement actions include settlements of AUD $1.3 billion (2020) and AUD $450 million (2022) against major Australian financial institutions for systemic AML/CTF compliance failures.

Automating KYC for Australian Payment Service Providers

Automated document verification is essential for Australian PSPs processing high volumes of customer onboarding. CheckFile delivers:

• Verification of Australian passports, driver's licences, and Medicare cards with DVS integration
• Non-face-to-face identity verification via biometric liveness checks and document OCR
• Automated beneficial ownership identification and verification for corporate and trust structures
• DFAT Consolidated List and UN sanctions list screening
• AUSTRAC-compliant audit trails retained for seven years minimum

To strengthen your risk-based approach to AML customer segmentation, CheckFile assigns risk indicators adapted to the Australian regulatory context — PEP classification, FATF jurisdiction risk, and virtual currency exposure. See our pricing guide for API access options.

For a comprehensive compliance framework, see our document compliance guide.

Frequently Asked Questions

Does a foreign PSP operating digitally in Australia need to enrol with AUSTRAC?

Yes, if the foreign PSP provides designated services to customers located in Australia, it is captured as a reporting entity and must enrol with AUSTRAC. AUSTRAC's guidance is clear that physical presence in Australia is not required — providing designated services to Australian residents is sufficient to trigger obligations.

What is the Document Verification Service (DVS) and is it mandatory?

The DVS is an Australian Government service that allows organisations to verify the authenticity of government-issued identity documents in real time. While DVS use is not legally mandatory, AUSTRAC strongly encourages its use as part of electronic CIP. Failure to use DVS (or an equivalent reliable source) may mean CIP fails to meet AUSTRAC's risk-based expectations, particularly for non-face-to-face customer onboarding.

How does the AML/CTF Amendment Act 2024 affect existing PSP compliance programs?

Existing reporting entities (PSPs already enrolled with AUSTRAC) must review and update their AML/CTF programs to comply with the amended beneficial ownership verification requirements, updated ongoing customer due diligence standards, and modernised program structure. AUSTRAC has indicated a phased transition approach through 2026, with education and support before intensive enforcement.

How long must Australian PSPs retain KYC records?

The AML/CTF Act requires reporting entities to retain records for a minimum of 7 years from the date the record was created or the transaction occurred. This is longer than the 5-year minimum in many comparable jurisdictions.

Are Buy Now Pay Later (BNPL) providers subject to AML/CTF obligations in Australia?

BNPL products that qualify as purchased payment facilities may trigger reporting entity status under the AML/CTF Act. The regulatory treatment of BNPL is also evolving under proposed reforms to the National Consumer Credit Protection Act. PSPs offering BNPL products should obtain specific legal advice on whether their products trigger AML/CTF enrolment obligations.