- Oct 28, 2025
AML/KYC Requirements in Australia (Complete Guide 2026)
All you need to know about Anti-Money Laundering regulations and Know Your Customer requirements in Australia in 2026.

Australia has made significant legislative and regulatory reforms in recent years to strengthen its Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) regime. These include new legislation to expand the regime's scope, modernize key regulations, and improve business compliance. They also include launching a new online platform to help businesses meet their compliance obligations more easily, efficiently, and effectively.
The Financial Action Task Force (FATF) acknowledged this upgrade in its latest report, noting that Australia has been actively developing a stricter Anti-Money Laundering regime. In particular, it "has taken steps to improve how risk-based supervision is undertaken in the financial sector."
Regulated businesses must keep an eye on these changing regulations to ensure compliance. The penalties for non-compliance can be severe, both financially and for a business's reputation, so being on top of the latest requirements is essential.
So, let's get familiar with Australia's AML laws and how to comply with them. To help with this, we at Sumsub have prepared this guide with all the necessary information on AML and KYC in Australia.
What is KYC in Australia, and why it matters
Know Your Customer (KYC) is the process of obtaining and verifying a customer's identity from reliable, independent sources in accordance with the Anti-Money Laundering and Counter-Terrorism Act 2006 (AML/CTF Act) and AUSTRAC Rules 2025. During the process, customers submit official identification and other relevant data, while reporting entities must verify that the documents and information are authentic and relate to the true customer.
Core KYC Information (as defined under Part 6 of the AML/CTF Rules 2025) includes any data collected to identify a customer and assess their money-laundering and terrorism-financing risk. Core KYC Information includes:
- Full name
- Date of birth
- Address
The authenticity of this information must be verified through reliable sources, such as passports or other government-issued IDs, and checked against trusted resources, e.g., government databases.
KYC usually goes hand in hand with Customer Due Diligence (CDD), where the customer's verified information is used to assess their risk of involvement in money laundering and terrorist financing.
The importance of KYC is difficult to overstate. In Australia, regulated companies must implement KYC checks in order to comply with regulations and avoid penalties. KYC allows businesses to identify any risks of money laundering and terrorist financing that customers pose, while protecting the integrity of the financial system. It also protects businesses from the reputational risks that can follow if they are found to be in breach of AML/CTF rules.
Yet, even unregulated companies can significantly benefit from KYC, as this procedure minimizes the chances of financial crime and protects the company's reputation from harm.
Moreover, more industries are getting regulated, with the recent AML/CTF Amendment Act expanding the regime to cover additional high-risk services. Sooner or later, your company may also have to comply with Anti-Money Laundering laws. To make this transition sooner, consider implementing a KYC solution ahead of time.
Who regulates AML/KYC in Australia?
The Australian Transaction Reports and Analysis Center (AUSTRAC) is the primary government body responsible for overseeing AML compliance. The authority also functions as the country's Financial Intelligence Unit (FIU). Among other responsibilities outlined by the AML/CTF Act and FTR Act, AUSTRAC receives, processes, and investigates various reports (e.g., suspicious activity reports) submitted by financial institutions.
Other regulators and government bodies involved in AML oversight include:
- The Australian Securities and Investment Commission (ASIC)
- The Australian Prudential Regulation Authority (APRA)
- The Australian Taxation Office (ATO)
- The Australian Criminal Intelligence Commission (ACIC)
- The Australian Federal Police (AFP)
- Australian State and Territorial Police
- The Commonwealth Director of Public Prosecutions (CDPP)
Roles of different Australian government bodies in AML
| Government body | AML role |
| --- | --- |
| AUSTRAC | Receiving, analyzing, and passing on information about suspected financial crimes to relevant authorities. Providing guidance to businesses on AML compliance obligations. |
| Australian Securities and Investment Commission (ASIC) | Examining customer complaints and ensuring that companies operate fairly and ethically. |
| Australian Prudential Regulation Authority (APRA) | Ensuring that companies are financially stable and trustworthy. |
| Australian Taxation Office (ATO) | Identifying and investigating signs of financial crime, as well as confiscation actions to recover the proceeds of crime. |
| Australian Criminal Intelligence Commission (ACIC) | Investigating money laundering and other types of financial crime, often in partnership with other government agencies. |
| Australian Federal Police (AFP) | Investigating and prosecuting money laundering offenses under federal law. |
| Australian State and Territory Police | Investigating and prosecuting money laundering offenses under state and territorial law. |
| Commonwealth Director of Public Prosecutions (CDPP) | Prosecuting money laundering offenses at the federal level. |
Overview of AML/KYC regulations in Australia
The main regulation in the country is the Anti-Money Laundering Counter Terrorism Financing Act 2006 (AML/CTF Act), which has been amended several times to strengthen Australia's framework against money laundering, terrorism financing, and other financial crimes. The Act defines regulated entities (such as banks, financial institutions, digital currency exchanges, casinos, and other designated service providers) and requires them to register with AUSTRAC, implement an AML/CTF program, and meet ongoing compliance obligations.
Significant amendments were made to the AML/CTF Act recently by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (AML/CTF Amendment Act). Passed by the Australian Parliament in 2024 and coming into force in March 2026, the Amendment Act:
- Expands the regime to cover more high-risk services (such as real estate agents, lawyers, accountants, and dealers in precious metals and stones)
- Modernizes regulations related to digital currency, virtual assets, and payment technology
- Aims to simplify and clarify the regime so that it will be more business-friendly while improving financial crime detection and prevention
Timeline of AML/CTF regulation in Australia
Financial Transaction Reports Act 1988
Date of introduction: 1988
Date of implementation: 1988-1989
Date of repeal: January 7, 2024
Key effects: None outstanding
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006
Date of introduction: Dec 2006
Date of implementation: Dec 2006
Date of repeal: n/a
Key effects:
- Specifies which types of entities are covered by AML/CTF regulations
- Requires all obliged entities to register with AUSTRAC
- Sets out the key AML/CTF obligations for regulated entities
- Establishes penalties for non-compliance
The AML/CTF Rules Instrument 2007
Date of introduction: 2007
Date of implementation: 2007
Date of repeal: n/a
Key effects:
Provides the rules and procedures that regulated entities must follow, including for CDD, record-keeping, and reporting.
The AML/CTF (Prescribed Foreign Countries) Regulations 2018
Date of introduction: Mar 2018
Date of implementation: Mar 2018
Date of repeal: n/a
Key effects:
Establishes which foreign countries are considered to have comparable AML/CTF regimes for the purposes of international cooperation.
AML/CTF reform program ("Phase 1.5")
Date of introduction: Jun 2021
Date of implementation: Jun 2021
Date of repeal: n/a
Key effects:
- Clarifies CDD obligations
- Strengthens AML/CTF protections where one financial institution provides services for another
- Expands scope for reporting entities to use third parties for KYC
- Expands "tipping off" exceptions to facilitate legitimate information sharing
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024
Date of introduction: Dec 2024
Date of implementation: Mar 2026
Date of repeal: n/a
Key effects:
- Expands the scope of the regime to cover additional high-risk entities
- Modernizes the regulation of digital currency and technology for virtual assets and payments
- Simplifies and clarifies the regime to make it more business-friendly and effective
While the AML/CTF Act is the main regulation in Australia, companies should also follow AUSTRAC guidelines and other applicable laws, such as the Privacy Act 1988, which ensures that sensitive information collected during the KYC process is protected in accordance with the Australian Privacy Principles.
To meet Australian regulatory requirements, companies need to properly conduct due diligence checks, which can be done with an efficient KYC solution. Other necessary checks include monitoring of user behavior/transactions, reporting, and recordkeeping.
Step-by-step KYC process for businesses in Australia
An effective KYC process for businesses in Australia should include the following key steps:
- Implementing a risk-based approach. Regulated entities must have a framework in place that allows them to assess customers' level of risk and tailor the KYC process for each customer based on their individual risk profile. Under AUSTRAC's 2025 guidance, risk assessments must be reviewed at least every three years or whenever material changes occur and must explicitly account for new risk factors such as exposure to virtual assets, real estate, or proliferation financing.
- Customer Due Diligence (CDD), where identifying information about customers is collected and verified. For individuals, this covers their full name, date of birth, residential address, citizenship and residency status, occupation or business activity, purpose of relationship, source of funds and wealth, beneficial ownership (if any), and intended beneficiaries of transactions. Verification will rely on ID documents, other relevant paperwork, and checks with government databases. CDD also includes checking the customer against databases of high-risk individuals, including those who are suspected of criminal activity, on international sanctions lists, or considered Politically Exposed Persons (PEPs).
- Risk profiling. Based on the information gathered during CDD, the customer will be assigned a level of risk for money laundering and terrorist financing. Any customer who is deemed too high risk should be rejected.
- Enhanced Due Diligence (EDD). Where a customer is considered to be high risk, then additional checks should be carried out, known as Enhanced Due Diligence. EDD must specifically include verifying the source of funds and source of wealth, obtaining senior management approval before establishing or continuing the relationship, and increasing ongoing monitoring. This helps to ensure any risks are properly understood, and customers with a high likelihood of involvement in financial crime can be rejected.
- Reporting. If a customer's KYC process identifies suspicious activity, this should be promptly reported to AUSTRAC. AUSTRAC expects Suspicious Matter Reports (SMRs) to be submitted within three business days (24 hours for terrorism-related cases) once a suspicion is formed.
- Periodic reviews of customer data. Customer data should be reviewed periodically as risk profiles can change over time. Higher-risk individuals should have KYC carried out again on a more frequent basis to minimize the risk of financial crime going undetected.
What documents are accepted for KYC in Australia?
AUSTRAC specifies that reporting entities must verify customer identity using reliable and independent documentation or electronic data. AUSTRAC specifies three types of documents that can be used for KYC in Australia:
- Original primary photo ID, specifically:
  - Australian or overseas driver's license or permit (including digital driver's licence)
  - Australian passport (current or expired within the past two years)
  - Recognized foreign passport
  - Australian-issued government proof of age card
  - Recognized foreign ID card
  - Recognized international travel documents
- Original primary non-photo ID, specifically:
  - Australian birth certificate, birth extract, or citizenship certificate
  - Foreign birth certification or citizenship certificate
  - Government-issued concession card
- Original secondary ID, specifically:
  - Notice from the Australian Tax Office or other government agency issued in the last 12 months, and containing the person's name and home address
  - Council rates notice or utility bill issued in the last three months, with the person's name and home address
  - For under 18s, a letter from a school principal issued in the last three months with details of the person's name, home address, and dates of their school attendance
Reliable and independent electronic data
AUSTRAC recognizes the use of electronic data sources for KYC purposes. Reporting entities must evaluate whether the data is:
- accurate
- secure
- up-to-date
- comprehensive
- verified from a reliable and independent source
- maintained by a government agency or legislative authority
- capable of additional authentication (e.g. through biometric or multi-factor verification tools)
One government-approved method is the Document Verification Service (DVS), managed by the Department of Home Affairs. This service verifies identification data directly against issuing agencies.
The importance of KYC risk assessments
Customers may pose different risk levels. Therefore, companies must assess the risk posed by a given customer, divide them into risk categories, and adjust their checks accordingly. To learn more about the differences between each risk category, check out our articles on Customer Due Diligence and Enhanced Due Diligence.
KYB requirements: Know Your Business in Australia 2026
Know Your Business (KYB) is the equivalent of KYC for when a regulated entity needs to onboard a new business client. KYB is just as important as KYC and follows the same general process; however, there are different requirements for the information that must be collected when onboarding a new business client.
Upon commencing a business relationship with another company, it's necessary to collect the following:
- The full name of the company
- The full address of the company's registered office and principal place of business, if any
- The registration number issued to the company
- Whether the company is registered as a proprietary or public company
- If the company is registered as a proprietary company, the name of each director of the company
- Information about the nature and purpose of the business relationship, to assess money laundering and terrorism financing (ML/TF) risk
Additionally, the Ultimate Beneficial Owner (UBO) of the legal entity should be identified and verified.
To learn more about the specific documents that must be collected from businesses, check out our guidelines here.
What is UBO verification in Australia?
UBO verification is the process that regulated businesses must follow to identify the "Ultimate Beneficial Owner" of a business. A beneficial owner is someone who owns at least 25% of an entity, either directly or indirectly, or otherwise exercises control through voting rights, agreements, or the ability to influence key decisions. A company may have more than one beneficial owner, and they will all need to be identified as part of the KYB process.
The purpose of UBO verification is to understand who is behind a company so that their identity or identities can be verified, and their level of risk for money laundering and terrorist financing can be determined. This assessment must align with the reporting entity's documented risk-based AML/CTF program and reflect any simplified or enhanced due diligence applied under Part 6 of the AML/CTF Rules (2025).
Regulated entities in Australia are required to carry out UBO verification as part of KYB and keep a record of how this process was carried out.
How to become KYC compliant in Australia (2026)
To comply with AML regulations in Australia, companies need to follow the obligations set out by the AML/CTF Act. They include:
- Establishing effective AML policies and internal controls
- Appointing an AML/CTF compliance officer (MLRO)
- Providing ongoing AML/CTF training to relevant staff
- Conducting a risk-based assessment of each customer based on money laundering, terrorism financing, and proliferation financing risks
- Conducting Customer Due Diligence (CDD): Simplified Due Diligence, and Enhanced Due Diligence, when necessary
- Identifying and verifying Source of Funds and Source of Wealth, with expanded mandatory collection requirements for PEPs and higher-risk customers under AUSTRAC's Tranche 2 rules
- Implementing Ongoing CDD and transaction monitoring proportionate to customer risk
- Recordkeeping for at least seven years from the end date of a business relationship or final transaction
- Reporting suspicious activity via Suspicious Matter Reports. Entities must submit SMRs within 24 hours if the matter relates to terrorism financing, and within 3 business days for other suspicious activity.
Companies must submit a special report to AUSTRAC every time a customer conducts a transfer of physical currency exceeding AUD 10,000, within 10 days after the transaction took place. In cases when a company believes that a transaction is related to a criminal activity, the Suspicious Matter Reports must be submitted within 24 hours if the crime is linked to terrorism financing, and within 3 days if it's related to money laundering.
KYC recordkeeping requirements in Australia
Regulated entities must keep proper records of their customer identification processes and KYC findings as part of their AML/CTF obligations, as specified by AUSTRAC. These records must be stored securely in a format that means they can be retrieved and audited when required.
For each KYC procedure, a record must be kept of:
- The steps taken to identify a customer
- The information they provided
- The result of any checks made through the Document Verification Service (DVS)
- The details of any credit reporting agencies you have used, as well as the customer information shared with them, and any assessment they provided
If new information is subsequently collected about the same customer, their original information must still be retained.
These records must be kept for the entire time that a customer remains with a business and for seven years afterward.
Age verification in Australia in 2026
In 2025–2026, Australia is implementing significant reforms in online age verification to enhance child protection.
Under the Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth), effective from December 10, 2025, social media platforms such as TikTok, Instagram, Snapchat, X, Facebook, and YouTube will be designated "Age-Restricted Social Media Platforms" (ARSMPs) and must take "reasonable steps" to prevent Australians under 16 from creating or maintaining accounts. This includes using minimally invasive age verification methods like facial age estimation, digital ID, or credit card checks, with a focus on privacy and data minimization.
By March 2026, these requirements will extend to adult content websites, AI services, and app stores. Non-compliant companies face penalties up to AUD 50 million (USD 32.7 million). These measures aim to reduce children's exposure to harmful content while balancing privacy concerns.
Penalties for KYC non-compliance in Australia
AUSTRAC is in charge of enforcing penalties for failures to comply with regulations and/or purposeful illicit activity. The penalties may vary from fines to license revocation and even imprisonment.
The potential penalties fall into four categories:
- Civil penalty orders. These can be up to 20,000 penalty units (currently equal to AUD 6.6 million or approximately USD 4.3 million) with a higher rate of up to 100,000 penalty units for corporate entities (currently equivalent to AUD 33 million or approximately USD 21.4 million).
- Enforceable undertakings. Setting out specific steps an entity must take to achieve compliance. Failure to comply with enforceable undertakings can result in enforcement of the terms by the Federal Court of Australia. The details of these undertakings can be made public, so they have the potential to cause serious reputational harm.
- Infringement notices. Detailing exactly how a business has breached its obligations. These notices can be made public, again introducing a risk of serious reputational harm.
- Remedial actions. Providing directions for how to comply with certain elements of AML/CTF rules. Again, these directions can be made public, risking reputational harm.
How to choose the best KYC solution for your business in Australia
The choice of a KYC solution will depend on the needs of a business. However, in general, an effective KYC solution will offer features including:
- Automated document verification. Allowing rapid authentication of documents.
- Biometric and behavioral analysis. Using signals such as device usage and typing speed to spot fraudsters. Facial biometrics can also be used for liveness checks to confirm a customer is a real person and that they match their ID photo.
- Risk-based scoring. Automatically assessing the risk level of each customer based on multiple factors to prioritize review.
- AI integration. Facilitating streamlining of processes and faster, more accurate flagging of suspicious activity.
- Device intelligence. Enabling integration of fraud detection and prevention technology from third-party providers.
- Automated screening for sanctions and PEPs. Allowing sanctioned individuals and Politically Exposed Persons to be identified faster.
- Ongoing KYC checks. Making KYC a continuous process that can be updated as and when customers' risk profiles change.
- Centralized record keeping. Ensuring accurate records are kept in a single place accessible to everyone who needs them when they need them.
Sumsub provides a variety of tools that can minimize criminal activity. These include, but aren't limited to:
- Customer identification: providing customer personal data (name, date of birth, address)
- Liveness: checking that the customer is a real and living person. This can be done through facial biometrics authentication.
- Verification: determining the authenticity of the customer's claims and documents. This step may include AML screening to check whether the customer is listed in adverse media, sanctions lists, PEP lists, etc.
- Address verification: verifying that the customer actually resides in their selected country by checking utility bills, bank statements, or other proof of address documents. This includes checking whether the customer comes from high-risk countries (such as Iran and North Korea) or countries under increased monitoring.
- Risk scoring: determining the risk category of the customer based on the results of the above checks. Depending on the calculated risk level, businesses adjust their approach to the customer's verification. Accordingly, a higher risk score will necessitate additional checks.
FAQ
- Is KYC mandatory in Australia?
  Yes, KYC is mandatory for regulated entities in Australia as part of their AML obligations. It is also strongly recommended for non-regulated companies to help combat fraud and prevent bad actors from exploiting their services.
- What are the KYC requirements in Australia?
  The main regulation in Australia is called the Anti-Money Laundering Counter Terrorism Financing Act (AML/CTF Act). The Act outlines the list of affected entities, which includes various types of companies working with finances (banks, financial institutions, crypto companies, casinos, etc.), and sets requirements for them. In Australia, KYC requirements mandate that regulated entities verify a customer's identity and assess the risk of money laundering or terrorism financing before establishing a business relationship. From the customer, Australian KYC requires providing verified identity information, typically including a government-issued ID (like a passport or driver's license), proof of address, and sometimes additional information depending on risk factors or transaction type.
- How long does KYC take in Australia?
  KYC in Australia can take anywhere from seconds to several days, depending on the business and the systems they use. One of the key advantages of Sumsub's KYC compliance solution is that it can verify users from any country in just 30 seconds on average.
- Do I need to re-verify existing customers?
  Depending on their assigned risk level, customers may need to be re-verified on an ongoing basis. This is part of a regulated entity's Ongoing Customer Due Diligence (OCDD) obligations. Re-verification may also be required where there are doubts about the authenticity or adequacy of information used for an initial verification and/or where there is reason to suspect an existing customer of identity fraud.
- What happens if a customer fails KYC?
  If a customer fails KYC in Australia, regulated entities are legally required to refuse to onboard them or to terminate the business relationship. This helps prevent money laundering, fraud, and other financial crimes.
- What is the difference between KYC and AML?
  Anti-Money Laundering (AML) refers to the overall framework of activity obliged businesses must undertake to identify and prevent money laundering per regulatory requirements. KYC is a key part of the AML process that involves collecting identity information from customers, then checking the authenticity of this information.
- How often should KYC be updated?
  KYC processes should be continuously reviewed and updated as needed to ensure they remain compliant with the latest regulations. Regular internal and external audits can assist with identifying any areas where updates are needed. Individual customers' KYC should be re-run regularly if they are considered a high-risk individual and/or when there are reasons to suspect their original KYC was flawed.
- What is eKYC in Australia?
  eKYC, or electronic Know Your Customer, is a digital process for verifying the identity of customers. Instead of traditional face-to-face verification, eKYC uses technology to allow users to submit electronic copies of documents (such as ID cards, passports, or driver's licenses) and personal information online. The process often includes biometric data (like facial recognition or liveness checks) and can leverage AI technology for faster and more accurate verification. eKYC streamlines onboarding, reduces fraud, and ensures compliance with regulatory standards across various industries, including banking, fintech, crypto, and more.