KYC Obligations in Australia — Complete 2026 Guide

Regulatory Framework

Australia has an AML/CTF regime undergoing significant modernisation, with major reforms adopted in 2024-2025 to align with FATF recommendations. The foundational text is the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), complemented by the AML/CTF Rules (application rules issued by the minister and AUSTRAC). The AML/CTF Act was significantly amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extended the scope to non-financial professions (lawyers, accountants, real estate agents, dealers in precious metals and stones — the "Tranche 2 entities"), addressing a gap long criticised by the FATF.

AUSTRAC (Australian Transaction Reports and Analysis Centre) serves as both the financial intelligence unit (FIU) and the AML/CTF regulatory and supervisory authority. AUSTRAC receives and analyses transaction reports, supervises reporting entities through compliance examinations, and has extensive sanctioning powers, including the ability to impose substantial civil penalties. AUSTRAC has demonstrated its willingness to use its powers fully, with record sanctions against major Australian financial institutions.

The Australian framework is complemented by the Financial Transaction Reports Act 1988 (FTR Act), which governs certain additional reporting obligations, and by sanctions administered by the Department of Foreign Affairs and Trade (DFAT) via Australian Autonomous Sanctions and implementation of UN Security Council sanctions.

Australia is a founding member of the FATF and the Asia/Pacific Group on Money Laundering (APG). FATF mutual evaluations have been a key driver of recent reforms, particularly the extension to non-financial professions.

Who Must Comply

The AML/CTF Act defines reporting entities, substantially expanded since the 2024 amendment:

Authorised deposit-taking institutions (ADIs): commercial banks, building societies, credit unions, supervised by APRA
Insurance companies: life insurers, for life insurance and superannuation products
Securities dealers and managed investment schemes: brokers, fund managers, investment companies
Remittance service providers: international money transfer operators, registered with AUSTRAC
Digital currency exchange providers: crypto-asset exchange platforms, registered with AUSTRAC since 2018
Gambling services providers: casinos, betting operators, online gaming operators
Bullion dealers: precious metals dealers
Lawyers and conveyancers (Tranche 2 — since 2025): for certain financial and real estate transactions
Accountants (Tranche 2 — since 2025): for financial advisory and structuring transactions
Real estate agents (Tranche 2 — since 2025): for real estate transactions
Dealers in precious metals and stones (Tranche 2 — since 2025): for significant transactions
Trust and company service providers (Tranche 2 — since 2025): trust and company service providers

The inclusion of Tranche 2 entities represents one of the most significant AML reforms in Australian history and aligns the country with international standards.

Customer Due Diligence Requirements

Standard Due Diligence (CDD)

Customer identification and verification obligations (applicable customer identification procedures — ACIP) are detailed in the AML/CTF Rules, Part 4.1 to 4.16:

Customer identification: for natural persons, minimum data includes full name, date of birth, and residential address. Verification relies on a points of identification system: the customer must provide documents totalling at least 100 points. The points system is unique to Australia:

Australian passport: 70 points
Australian driver licence: 40 points
Australian birth certificate: 70 points
Medicare card: 25 points
Utility bill (proof of address): 25 points

The typical combination is a passport (70 points) + driver licence (40 points) = 110 points. Verification may be documentary or electronic (via the Document Verification Service — DVS, a government service that verifies the authenticity of Australian identity documents in real time).

Beneficial owner identification: any natural person who directly or indirectly holds 25% or more of the capital or voting rights, or exercises effective control. For listed public companies, an exemption applies due to existing transparency. Australia does not yet have a federal beneficial ownership register comparable to European registers, although proposals are under discussion.

Determining the purpose and nature of the relationship: understanding the customer's activity, source of funds, and purpose of the business relationship.

Ongoing customer due diligence (OCDD): transaction monitoring, information updating, and periodic reassessment of risk profiles.

Enhanced Due Diligence (EDD)

Enhanced due diligence is required in the following situations:

Politically exposed persons (PEPs): the Australian definition covers foreign, domestic, and international PEPs. Domestic PEPs were included by the 2024 amendment. Measures include management approval, clarification of source of funds and wealth, and enhanced monitoring.
Correspondent banking: correspondent relationships with foreign financial institutions are subject to specific obligations, including prohibition of relationships with shell banks.
High-risk countries: countries identified by the FATF or subject to specific AUSTRAC directives.
ML/TF risk factors: complex, unusual, or high-value transactions without apparent economic justification.
Non-face-to-face customers: where the customer is not physically present during identity verification.

Required Documents

For natural persons:

Valid Australian or foreign passport
Australian driver licence (including digital driver licence in states that have adopted it)
Australian birth certificate
Medicare card, pension card, or other supplementary government document
Proof of address (utility bill, bank statement, government correspondence)
The minimum of 100 identification points must be met

For legal persons:

Australian Company Number (ACN) and/or Australian Business Number (ABN)
ASIC (Australian Securities and Investments Commission) register extract
Company constitution (articles of association)
Identity documents of directors and beneficial owners (25%+)
Register of members (shareholder register)
Where applicable, trust documentation (trust deed)

For trusts:

Complete trust deed (including annexures and amendments)
Identification of the trustee (natural or legal person), settlor, and beneficiaries
ABN or TFN (Tax File Number) of the trust
For unincorporated trusts: governance regime documentation

Retention period: 7 years after the end of the business relationship or execution of the transaction.

Reporting Obligations

Suspicious Matter Reports (SMRs): reporting entities must submit an SMR to AUSTRAC within 3 business days of forming a suspicion that a transaction (or attempted transaction) is related to money laundering, terrorist financing, or any other serious criminal offence. If the transaction relates to terrorist financing, the report must be submitted within 24 hours.

Threshold Transaction Reports (TTRs): mandatory reporting for any cash transaction (or e-currency) of AUD 10,000 or more. The report must be submitted within 10 business days.

International Funds Transfer Instructions (IFTIs): mandatory reporting for any international funds transfer (incoming or outgoing), regardless of amount. Deadline of 10 business days.

AML/CTF compliance reports: reporting entities must submit an annual compliance report to AUSTRAC, detailing their AML/CTF programme.

Tipping off prohibition: informing a customer that an SMR has been or will be submitted constitutes a criminal offence punishable by 2 years' imprisonment.

In 2024, AUSTRAC received approximately 340,000 SMRs and more than 230 million combined TTRs and IFTIs.

Penalties for Non-Compliance

Civil penalties (AUSTRAC):

Civil penalties: for contravention orders, amounts can be substantial. Maximum fines are calculated by reference to penalty units (1 penalty unit = AUD 313 in 2026) and can reach hundreds of millions of dollars for systemic violations
Enforceable undertakings: enforceable compliance agreements
Remedial directions: remediation orders
Infringement notices: fixed fines for minor breaches

Notable examples: Australian penalties are among the highest in the world. Westpac accepted a settlement of AUD 1.3 billion in 2020 for more than 23 million AML/CTF Act violations (primarily failures to report IFTIs). Commonwealth Bank of Australia paid AUD 700 million in 2018. Crown Resorts was sanctioned for AML failures in its casinos.

Criminal sanctions:

Money laundering (Division 400 of the Criminal Code Act 1995) is punishable by 25 years' imprisonment and/or a fine equivalent to three times the value of laundered property (or AUD 100,000 if the triple is less)
Terrorist financing (Division 103 of the Criminal Code) is punishable by life imprisonment
Structuring (intentional splitting of transactions to avoid reporting thresholds) is punishable by 5 years' imprisonment

Sectoral regulator sanctions: APRA, ASIC, and state gaming regulators may impose additional sanctions.

How CheckFile Helps

Australia's AML/CTF regime, strengthened by record fines against Westpac and CBA and the extension to Tranche 2 entities, demands a first-class document verification framework. CheckFile offers an AI-powered document verification solution adapted to the specifics of the Australian market.

The platform automatically verifies the authenticity of Australian identity documents — passport, driver licences from each state and territory (including digital driver licences), birth certificates, Medicare cards — and automatically calculates the points score required by the Australian system. The AI integrates with the Document Verification Service (DVS) for real-time document authenticity verification. Document fraud detection achieves accuracy exceeding 99%.

For the increased needs arising from the Tranche 2 extension (lawyers, accountants, real estate agents), CheckFile provides a turnkey solution enabling these new obligated entities to rapidly implement a compliant verification process. The complete, timestamped audit trail, archived for the 7 years required by Australian regulations, meets AUSTRAC compliance examination requirements. API integration is compatible with Australian banking and onboarding platforms. Processing complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

FAQ

What documents are required for KYC in Australia?

Australia uses a unique points-of-identification system. The customer must provide documents totalling at least 100 points (e.g., passport at 70 points + driver licence at 40 points). For legal persons, an ASIC register extract, company constitution, identity documents of directors and beneficial owners (25%+) are required. Retention is 7 years after the end of the business relationship.

What are the penalties for KYC non-compliance in Australia?

Australian penalties are among the highest in the world. Westpac paid AUD 1.3 billion and CBA AUD 700 million. Money laundering carries up to 25 years' imprisonment. Terrorist financing is punishable by life imprisonment. AUSTRAC has substantial civil penalty powers for systemic violations.

How often must KYC checks be updated in Australia?

The AML/CTF Act requires ongoing customer due diligence (OCDD). Reporting entities must reassess risk profiles at regular intervals: annually for high-risk customers, every 3 years for medium risk, and every 5 years for low risk. Trigger events (change of beneficial ownership, unusual transaction, adverse information) require an immediate update. AUSTRAC checks OCDD programme quality during its examinations.