
A guide to KYC requirements in Australia


Like other member countries of the Financial Action Task Force (FATF), Australia’s KYC requirements comprise a core part of the country’s anti-money laundering and combatting terrorist financing (AML/CTF) regime. Australia’s KYC requirements are aligned with the FATF’s standards, ensuring firms collect and verify customer information in line with international best practices.

But what are these requirements, and how can firms ensure compliance to help safeguard the integrity of Australia’s financial system? This article explores the nuances of Australia’s KYC requirements, offering compliance professionals guidance on mitigating the risk of non-compliance and improving their firm’s onboarding protocols.

What is KYC, and why is it important? 

KYC is the process of verifying a customer’s identity before facilitating their transactions. By law, Australian firms must identify both individual customers and corporate entities by verifying their personal and company information using official documentation. Firms must also assess the risks of facilitating transactions on behalf of these clients or entities.

KYC is important for several reasons:

  • Preventing financial crime: KYC checks help mitigate the risk of financial crimes such as money laundering, terrorist financing, fraud, and identity theft. By verifying the identity of customers, firms reduce the risk of these illegal activities being carried out through their systems.
  • Regulatory compliance: Australia’s AML/CTF laws require regulated firms to implement KYC procedures. Failure to comply with these regulations can result in several penalties, including fines and legal consequences. 
  • Risk mitigation: KYC allows FIs to assess the risk associated with each customer. Customers with higher-risk profiles, such as politically exposed persons (PEPs) or those from high-risk jurisdictions, may require more extensive due diligence to ensure they are not involved in illicit activities. 
  • Enhanced security: Verifying customers’ identities helps protect businesses and legitimate customers from fraud and unauthorized transactions. It adds a further layer of security to transactions and reduces the likelihood of account takeover or unauthorized access.
  • Collaborating with law enforcement: In situations where financial crimes do occur, KYC records can be invaluable for law enforcement agencies – in Australia’s case, the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC), and the National Anti-Corruption Commission (NACC), to name a few. These agencies can use the information to investigate and prosecute individuals or business entities involved in illegal activities. 

AML & KYC regulations in Australia

The AML/CTF Act 2006

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) sets out Australia’s framework for combatting money laundering and the financing of terrorism. It details obligations, rules, and penalties for non-compliance. The Act applies to a wide range of businesses and professions that provide designated services, called reporting entities, including:

  • Banks.
  • Financial institutions.
  • Casinos.
  • Cryptocurrency exchanges.
  • Bullion dealers.
  • And more.

Under the legislation, reporting entities are required to conduct customer due diligence (CDD) procedures. They must also report any suspicious activity or large cash transactions to the Australian Transaction Reports and Analysis Centre (AUSTRAC). Additionally, firms are required to keep records of customer information for at least seven years after the provision of any designated services has ceased. 

The Privacy Act

Additional legislation applicable to Australian firms’ KYC processes is the Privacy Act, which covers all personal information collected and verified during customer identity verification. Because identity data is a prime target for fraudsters, and biometric data used for verification falls within the Privacy Act’s definition of sensitive information, firms should apply a higher level of protection to it in line with the Australian Privacy Principles (APPs).

Australian Privacy Principle 11 (APP 11, security of personal information), explained in Chapter 11 of the OAIC’s APP Guidelines, sets out the steps reporting entities should take to secure personal information gathered throughout the KYC process. These steps involve: 

  • Implementing a culture of data governance.
  • Maintaining that culture through regular training. 
  • Establishing data-handling practices, procedures, and systems across the business.
  • Ensuring robust IT and access security.
  • Preparing an internal response plan for data breaches.
  • Defining a process for destroying or de-identifying personal information once it is no longer needed.

Australia’s financial regulators

Including AUSTRAC, there are three main financial regulators in Australia:

  • AUSTRAC is Australia’s AML/CTF regulator and financial intelligence unit. It provides tools, AML/CTF guidance, and enforcement measures for the reporting entities it supervises, and was instrumental in updating Australia’s framework for combating money laundering.
  • The Australian Securities and Investments Commission (ASIC) monitors institutions and markets to make sure they operate ethically and fairly. It regulates individual and institutional conduct and advocates for customers.
  • The Australian Prudential Regulation Authority (APRA) oversees Australian financial institutions. It focuses on stability and safety in the financial system.


Components of the KYC process 

There are three core components of every KYC process:

  1. A customer identification program (CIP).
  2. Customer due diligence (CDD).
  3. Ongoing due diligence. 


What are the KYC compliance requirements in Australia?

In light of the core components of KYC listed above, Australian firms are required to:

  1. Verify a customer’s identity.
  2. Identify and verify a customer’s source of funds (SoF) and source of wealth (SoW).
  3. Conduct customer risk assessments.
  4. Maintain records of customer identification history and all transactions.
  5. Report suspicious transactions to AUSTRAC. 

1. Customer identity verification

Under KYC requirements in Australia, firms must verify a customer’s identity before allowing them to onboard and transact. That is, they must be sure the customer is who they claim to be. Customers are asked to provide documents such as a passport, driver’s license, proof of address, or other government-issued documentation. A major KYC challenge facing FIs and other reporting entities (REs) is matching the proof of identity to the person presenting it, rather than merely checking that the document is genuine. Using trusted providers, many firms are moving towards a biometric model of KYC identity verification, in which a live capture of the customer is matched against the photo on the document.

Firms must also be certain of the beneficial owner or owners of any non-individual customer, meaning the natural person or persons who ultimately own or control the entity.

Companies are required to provide:

  • Full company name.
  • Whether the company is registered with ASIC as a public or proprietary company.
  • The company’s Australian Company Number (ACN) or Australian Registered Body Number (ARBN).

2. SoF and SoW verification

Under Australia’s AML/CTF regime, reporting entities are required to identify and, where the risk warrants it, verify SoF and SoW as part of their KYC processes. When developing SoF and SoW processes, AUSTRAC recommends firms ask the following questions to ensure all procedures align with their risk appetite: 

  • Can the customer’s SoF or SoW be easily explained through their occupation, investments, or inheritance?
  • Is the customer’s background consistent with their former, current, or planned business activity and turnover?
  • Do the explanations for SoF and SoW match the information gathered through EDD and open-source checks?
  • Do high-risk customers require the same level of verification for establishing their SoF and SoW?
  • Should higher thresholds for “reasonable measures” be applied when dealing with a foreign PEP as a customer or beneficial owner?

According to AUSTRAC, “reasonable measures” means what is practical and necessary in line with the firm’s identified money laundering and terrorist financing risks.

3. Customer risk assessment

As part of the KYC process, Australian firms are required to carry out a risk assessment for each customer. This assessment takes into account the likelihood of the customer “being involved in money laundering or terrorism financing, based on factors such as the size, nature, and complexity of their operations.” Since every customer risk assessment is unique, there is no one-size-fits-all approach. To ensure compliance, firms must build a flexible AML program tailored to each customer’s profile, needs, and risks. Depending on the alerts raised or concerns identified through this risk-based approach, KYC procedures may need to be adjusted accordingly, for example by escalating to enhanced due diligence.

4. Record keeping

FIs are required to maintain records of customer identification history and all transactions for a set period. In Australia, this is the duration of the business relationship plus seven years afterwards. Under KYC compliance in Australia, firms must keep a record of how they verified a customer’s identity and what information the customer presented. 

Firms must keep robust records for independent audits, regulator spot-checks, and any future fraud enquiries.

5. Reporting suspicious activity

Firms are required by law to report suspicious transactions or activity to AUSTRAC as part of their role in investigating and preventing financial crime and terrorist financing. Reasons for suspicion may include transactions that are unusually large or frequent for the customer’s profile, payments to or from an individual on a sanctions list, or several cash transactions just below the reporting threshold, which may indicate structuring.

In Australia, these reports are called suspicious matter reports (SMRs). In other jurisdictions, these are called suspicious activity reports (SARs).
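The structuring pattern described above is the kind of signal a transaction-monitoring rule is built to surface. The following is an added example, not code from the original article or from any vendor’s product: it scans a constructed list of transactions and flags any customer who makes several cash deposits just under a threshold within a short window. The AUD 10,000 figure is the physical-currency amount that triggers a threshold transaction report; the 10% band, the seven-day window, and the minimum count of three are assumptions chosen for illustration and should be tuned to a firm’s own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AUD 10,000 in physical currency is the threshold transaction report (TTR) trigger.
THRESHOLD_AUD = 10_000

# Constructed sample data (not real customer records). C001 deposits three amounts
# just under the threshold within four days; C002's near-threshold deposits are
# six weeks apart; C003's amounts are transfers, not cash.
SAMPLE_TRANSACTIONS = [
    {"customer": "C001", "ts": "2024-01-02T10:15:00", "amount": 9_500.00, "kind": "cash"},
    {"customer": "C001", "ts": "2024-01-03T14:40:00", "amount": 9_800.00, "kind": "cash"},
    {"customer": "C001", "ts": "2024-01-04T09:05:00", "amount": 4_000.00, "kind": "cash"},
    {"customer": "C001", "ts": "2024-01-05T16:20:00", "amount": 9_200.00, "kind": "cash"},
    {"customer": "C002", "ts": "2024-01-02T11:00:00", "amount": 9_900.00, "kind": "cash"},
    {"customer": "C002", "ts": "2024-01-03T11:00:00", "amount": 12_000.00, "kind": "cash"},
    {"customer": "C002", "ts": "2024-02-15T11:00:00", "amount": 9_700.00, "kind": "cash"},
    {"customer": "C003", "ts": "2024-01-02T12:00:00", "amount": 9_600.00, "kind": "transfer"},
    {"customer": "C003", "ts": "2024-01-03T12:00:00", "amount": 9_600.00, "kind": "transfer"},
    {"customer": "C003", "ts": "2024-01-04T12:00:00", "amount": 9_600.00, "kind": "transfer"},
]


def detect_structuring(transactions, threshold=THRESHOLD_AUD, band=0.10,
                       window_days=7, min_count=3):
    """Return {customer_id: summary} for customers with at least `min_count` cash
    transactions in the range [threshold*(1-band), threshold) inside any rolling
    window of `window_days`. Band, window and count are assumed tuning parameters.
    """
    lower = threshold * (1 - band)
    near_threshold = defaultdict(list)
    for tx in transactions:
        # Only physical cash just under the reporting threshold is of interest.
        if tx["kind"] == "cash" and lower <= tx["amount"] < threshold:
            near_threshold[tx["customer"]].append(
                (datetime.fromisoformat(tx["ts"]), tx["amount"]))

    window = timedelta(days=window_days)
    alerts = {}
    for customer, txns in near_threshold.items():
        txns.sort()  # chronological order for the sliding window
        best = None
        start = 0
        for end in range(len(txns)):
            # Advance the window start until all events fit inside window_days.
            while txns[end][0] - txns[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best["count"]):
                hits = txns[start:end + 1]
                best = {
                    "count": count,
                    "total": round(sum(amount for _, amount in hits), 2),
                    "first": hits[0][0].date().isoformat(),
                    "last": hits[-1][0].date().isoformat(),
                }
        if best is not None:
            alerts[customer] = best
    return alerts


if __name__ == "__main__":
    for customer, summary in detect_structuring(SAMPLE_TRANSACTIONS).items():
        print(f"{customer}: {summary['count']} cash deposits totalling "
              f"AUD {summary['total']:,.2f} between {summary['first']} and {summary['last']}")
```

A hit from this rule is a candidate for analyst review and, where the suspicion is confirmed, a suspicious matter report to AUSTRAC; it is not itself proof of structuring. Note that the over-threshold AUD 12,000 deposit for C002 is deliberately ignored here, since it is reported separately through the TTR process rather than through this rule.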

The benefits of being KYC compliant

Some key advantages of being KYC compliant include:

  • Risk mitigation: KYC procedures enable FIs to assess the risk associated with each customer. By verifying the identity and background of customers, they can categorize them based on risk profiles. This risk-based approach helps firms allocate resources and monitoring efforts more efficiently to high-risk customers, reducing the likelihood of fraud, defaults, or other financial losses.
  • Regulatory compliance: Regulatory authorities impose strict KYC requirements on FIs to combat money laundering, terrorism financing, and other financial crimes. Compliance with these regulations is critical to avoid fines, sanctions, or even the loss of a banking license.
  • Enhanced reputation: Maintaining robust KYC standards builds a reputation for trust and integrity. Customers are more likely to entrust their assets to FIs that demonstrate a commitment to security and transparency, thereby attracting and retaining clientele.
  • Operational efficiency: KYC compliance streamlines customer onboarding processes. With verified customer data readily available, firms can open accounts and offer services more efficiently, reducing administrative costs and speeding up time-to-market for new products.
  • Fraud prevention: KYC procedures help identify and prevent fraud. By ensuring that customers are who they claim to be, institutions can detect and block unauthorized transactions and protect themselves and their customers from various forms of fraud.
  • Cross-border operations: For firms looking to expand internationally, KYC compliance is crucial. It ensures adherence to various countries’ regulations, facilitating cross-border transactions and partnerships. Additionally, it enables institutions to understand the specific risks associated with different regions and adjust their strategies accordingly.
  • Monitoring and reporting: KYC procedures include ongoing due diligence, which allows FIs to monitor customer transactions for suspicious activity. Early detection and reporting of unusual transactions to regulatory authorities can help in preventing money laundering and other illicit financial activities.

Penalties for non-compliance with KYC requirements in Australia

Non-compliance with KYC requirements in Australia can result in significant penalties and legal consequences. The penalties for non-compliance are enforced by AUSTRAC and may include the following:

  • Civil penalties: AUSTRAC can seek civil penalties against reporting entities that fail to meet their AML/CTF obligations. These financial penalties can be substantial, scaled to the severity and duration of the non-compliance.
  • Criminal prosecution: In more severe cases of non-compliance, criminal prosecution may be pursued against individuals and organizations. This could lead to fines, imprisonment, or both, especially if non-compliance is intentional or part of a broader criminal scheme.
  • Enforceable undertakings: AUSTRAC can also enter into enforceable undertakings with reporting entities, which are legally binding agreements that outline specific actions the entity must take to rectify non-compliance issues.
  • Registration suspension or cancellation: AUSTRAC can suspend or cancel the registration of businesses it registers, such as remittance service providers and digital currency exchange providers, that repeatedly or egregiously fail to comply with AML/CTF requirements. Prudential and financial services licences are matters for APRA and ASIC respectively.
  • Reputation damage: Non-compliance can result in significant damage to an organization’s reputation, which can lead to a loss of customers and business opportunities.

Meet KYC compliance in Australia using advanced solutions

It’s crucial for organizations subject to AML/CTF regulations in Australia to take KYC requirements seriously, establish robust compliance programs, and regularly update their policies and procedures to remain in compliance with the law. As new risks emerge and the AML/CTF landscape evolves, FIs need software partners who understand the challenges of KYC. ComplyAdvantage’s automated KYC software utilizes a proprietary, consolidated risk database for automated screening and monitoring. Customizable matching technology means faster and more accurate KYC, enhancing customer experience and reducing onboarding time.


Originally published 10 November 2023, updated 08 February 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).