Go to top of page

Document Verification Service and individual customer and beneficial owner identification


What is the Document Verification Service?

The Document Verification Service (DVS) is a secure, national, real-time, online, electronic document verification system managed by the Department of Home Affairs.

The DVS is available for a fee to organisations that have a reasonable need to identify their customers, are subject to the Privacy Act 1988 and are approved as DVS business users.

The DVS provides authorised organisations, such as reporting entities, with a means to electronically match identifying information or credentials on certain government-issued identity documents directly with the issuing government organisation (whether Commonwealth, state or territory). This allows reporting entities to check that the identity document presented by an individual is current or valid (for example, the document has not been cancelled).

The DVS can match key details from the following Australian identity documents:

  • visas
  • Australian Travel Documents (passports)
  • Medicare cards
  • drivers licenses
  • citizenship certificates
  • ImmiCards
  • descent extracts (where citizenship is obtained on the basis of the citizenship of the person's parents)
  • birth certificates
  • marriage certificates
  • change of name certificates.

Government organisations that issue the above documents maintain ownership and control of their data and systems and are responsible for ensuring that their databases are accurate and up-to-date. The DVS does not:

  • verify the identity of the individual presenting the document for verification
  • make a decision on an individual’s identity
  • verify documents or identity credentials for non-individual entities such as companies trusts, partnerships, incorporated and unincorporated associations
  • verify the authenticity of physical documents, only the information on those documents
  • provide information about why a match failed
  • provide access to the database of the issuing government organisation
  • retrieve any personal or other information held by the issuing government organisation about the individual
  • retain any personal information provided by the reporting entity in relation to an individual.

The DVS only verifies the details contained in identity documents associated with an individual. Its use by a reporting entity should support and supplement the reporting entity’s decision-making process about whether a customer is the person they claim to be on the basis of the documents they produce. If a reporting entity is not satisfied that an individual’s identity has been verified through the DVS, it is up to the reporting entity to determine whether additional information should be collected and verified from the individual, whether in documentary or electronic form.

Organisations wishing to use the DVS must comply with its terms and conditions in relation to privacy, data protection, IT systems requirements and security. They will also be subject to audits by contracted independent auditors of their compliance with those terms and conditions.

Current DVS fees:

Type of fee

Cost (exclusive of GST)

Technical connection charge (for businesses wanting to be directly connected to the DVS structure as Gateway Service Providers (GSPs) – for themselves or other business users)


Transaction fees – payable by the GSPs

Range from $0.45 to $1.20 per query (depending on the volume of transactions)

DVS matching process

The DVS checks whether certain identifying information or credentials on an identity document matches those on the database of the government organisation which issued the document. 

The ‘checking process’ (as described below) is undertaken by the reporting entity lodging an Information Match Request with the DVS and receiving an Information Match Result in relation to the individual credentials on the document provided:

1. Customer presents an identity document to the reporting entity

A customer may present the identifying document to a reporting entity either in person, online, by phone registration or by postal application.

It is important to note that one of the requirements of using the DVS is that the reporting entity must obtain informed consent from the individual (for example, the individual customer or a beneficial owner of a non-individual customer) prior to the reporting entity disclosing or verifying any personal information through the DVS or with third parties.

2. Reporting entity lodges an Information Match Request with the DVS

The reporting entity enters identifying information from the document (such as the individual’s name, date of birth and the credential number) into the DVS Information Match Request.

The Information Match Request is encrypted and sent using a secure communications pathway.  

3. The DVS provides an Information Match Result to the reporting entity

The DVS carries out an automated check of the data to confirm or deny whether the information provided in the Information Match Request matches the information held by the relevant government organisation which has issued the document.  This automatic response is called an Information Match Result.

4. Types of Information Match Results

The reporting entity will receive one of the following Information Match Result response codes:

  • [Y] – matched
  • [N] – not matched, or
  • [S] - for system availability error, or
  • [D] - document is invalid or not electronically captured.

AML/CTF identification and verification requirements for individual customers

Customer identification and verification procedures are contained in Chapter 4 of the AML/CTF Rules.  Part 4.2 of that chapter specifies the minimum Know-Your-Customer (KYC) information which must be collected and verified in relation to an individual customer.  A reporting entity is able to collect and verify additional KYC information about an individual, if an assessment of money-laundering and terrorism-financing (ML/TF) risk indicates that collection of additional KYC information is warranted.

KYC information collected from an individual must be verified from:

 Verification of KYC information using reliable and independent electronic data

If a reporting entity assesses an individual customer as being of medium or lower ML/TF risk, the reporting entity has the option of using documentation-based or electronic-based ‘safe harbour’ customer identification and verification procedures.  Paragraph 4.2.13 of Chapter 4 sets out one procedure for electronic-based safe harbour identification and verification, which is summarised below:

Summary of electronic-based safe harbour procedure – medium or lower ML/TF risk individual customers

Minimum KYC information required



Minimum number of separate electronic data sources that must be used

Full name





Residential address


Either one or both


Date of birth




Customer has transaction history for at least the past 3 years




* Under the electronic-based safe harbour procedures, only the customer’s name, not the customer’s full name, needs to be verified.

AML/CTF identification and verification requirements for beneficial owners

From 1 June 2014, new identification and verification procedures apply in relation to beneficial owners of customers. Part 4.12 of Chapter 4 specifies the minimum information which must be collected and verified.  A reporting entity is able to collect and verify additional information about a beneficial owner, if an assessment of ML/TF risk indicates that collection of additional information is warranted.

Part 4.12 specifies that for individual customers, reporting entities may assume that the customer and the beneficial owner are one and the same, unless the reporting entity has reasonable grounds to consider otherwise.  In these circumstances, there is no separate beneficial owner to identify and verify as the identification of the customer will mean that the beneficial owner is also identified.  For non-individual customers, paragraph 4.12.2 contains modified beneficial owner requirements for certain types of company, trust and Australian Government Entity customers.

As with individual customers, verification of information collected about each beneficial owner of a customer must be based on reliable and independent documentation or reliable and independent electronic data or a combination of both of these sources.

If a reporting entity assesses a customer (individual or non-individual) as being of medium or lower ML/TF risk, the reporting entity has the option of using documentation-based or electronic-based ‘safe harbour’ identification and verification procedures in relation to the beneficial owner.  Paragraph 4.12.7 sets out one procedure for electronic-based safe harbour identification and verification of beneficial owners, which is summarised below:

Summary of electronic-based safe harbour procedure – beneficial owners of medium or lower ML/TF risk customers

Minimum beneficial owner information required



Minimum number of separate electronic data sources that must be used

Full name




Full residential address




Date of birth




* A reporting entity can verify either the residential address or date of birth, or both.

Using the DVS for AML/CTF identification and verification purposes

A reporting entity may use the DVS for electronic-based safe harbour purposes for individual customers and individual beneficial owners of non-individual customers (such as companies, trusts and partnerships).

The ‘safe harbour requirements’ in Part 4.2 of Chapter 4 require the use of separate ‘electronic data sources’. AUSTRAC considers that the DVS is not a single ‘electronic data source’, but is instead a system which provides access to multiple ‘electronic data sources’.  The DVS facilitates access to separate databases maintained by government, each of which constitute a separate ‘electronic data source’, for example, drivers’ licences (one data source) and passports (a second data source).

‘Safe harbour’ procedures cannot be used in relation to customers who are high ML/TF risk. Reporting entities may use electronic data, such as the DVS, for the purposes of verifying high ML/TF risk customers (and their beneficial owners).  However, identification of high-risk customers requires more detailed or extensive checks than under the electronic-based safe harbour procedures for medium or lower ML/TF risk customers.  The number and type of verification procedures used by a reporting entity in high ML/TF risk circumstances is determined by the reporting entity on the basis of its ML/TF risk assessment of its customers and the designated services it provides.

If a reporting entity uses electronic data for verification, the reporting entity is required under Part 4.10 of Chapter 4 to determine:

  • whether the electronic data is reliable and independent, taking into account the following factors:
    • the accuracy of the data
    • how secure the data is
    • how the data is kept up-to-date
    • how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected)
    • whether the data has been verified from a reliable and independent source
    • whether the data is maintained by a government body or pursuant to legislation, and
    • whether the electronic data can be additionally authenticated, and
  • what reliable and independent electronic data the reporting entity will use for the purpose of verification
  • the reporting entity‘s pre-defined tolerance levels for matches and errors, and
  • whether, and how, to confirm KYC information collected from a customer by independently initiating contact with the person that the customer claims to be.

AUSTRAC considers that the DVS fulfils all the criteria for ‘reliable and independent electronic data’ and, accordingly, can be relied upon by reporting entities to undertake their customer and beneficial owner verification obligations as required by the AML/CTF Act and AML/CTF Rules.  It is noted that reporting entities may use other electronic data (and, therefore, potentially other services) for the purposes of verification if they meet the criteria specified in Part 4.10.

Record-keeping obligations and the DVS

Under section 112 (Making of records of identification procedures) of the AML/CTF Act, reporting entities are required to keep records of the applicable customer identification procedure (ACIP) they undertake in respect to each customer, and of the information they obtain in the course of carrying out that procedure.

ACIP records must be kept until the end of the first 7 year period:

  • commencing after the ACIP is carried out
  • throughout the whole of which the reporting entity did not provide any designated services to the customer.

There is no AML/CTF requirement for reporting entities to copy documents produced by customers.  For example, a reporting entity may record details about identification documents produced by a customer, such as passport or driver licence details, rather than photocopy them.  However, if a customer produces a physical document to the reporting entity as part of the ACIP and the reporting entity makes a copy of the document, under section 111 of the AML/CTF Act the reporting entity is taken to have made a record of the information contained in that copied document and the 7 year record-retention requirement will apply.

For the purposes of making copies of documents or recording information, a reporting entity has the discretion to, for example, print off screen displays of searches, scan or retain certified copies of the documents it has used for the ACIP.  It is noted that the majority of reporting entities photocopy or scan copies of photographic identification documents produced to them by customers.  Other practices include electronically recording the details of the documents or making manual file notes or records of documents sighted.

If a reporting entity uses the DVS as part of the ACIP process, a record of the use of the DVS must be made for the purposes of the AML/CTF Act. The creation of this record may include either printing, saving electronically, scanning or by making a file note of the Information Match Result obtained (including the date of the Result).

A record of the Information Match Result will fulfil the record-keeping requirements of the AML/CTF Act as it will verify customer details obtained under the ACIP, provide a record of that verification and how the verification took place.

It is noted that all business users of the DVS are required to sign contracts with the Department of Home Affairs in relation to their use of the Service. One of these conditions is that reporting entities are required to record any DVS Information Match Results they receive (including errors).  This contractual requirement is separate to AML/CTF record-keeping requirements, but may satisfy those AML/CTF requirements if the records made contain sufficient details about the customer and the ACIP undertaken for the purposes of section 112 of the AML/CTF Act.

Designated Business Groups (DBGs)

Where a reporting entity is a member of a DBG, there is scope for that reporting entity to rely on an ACIP carried out in relation to a customer by another reporting entity in the same DBG under section 38 (Applicable customer identification procedures deemed to be carried out by a reporting entity) of the AML/CTF Act.

If a reporting entity has utilised the DVS as part of carrying out an ACIP in relation to a customer, any other reporting entity in the DBG may be able to rely on those DVS results in relation to that customer.  However, the conditions specified in Part 7.3 of Chapter 7 of the AML/CTF Rules, which relate to DBGs, must be met.

If a reporting entity is a member of a DBG, there is also scope for another member of the DBG to discharge the ACIP record-keeping obligations of the reporting entity under the AML/CTF Act.  This means that one reporting entity in a DBG may undertake all record-keeping functions for all the reporting entities in the DBG and also undertake the ACIP in relation to all common customers of the DBG.

For further information about DBG's please go to Chapter 3 of the AUSTRAC compliance guide.

Privacy requirements

Reporting entities should note that they are required to comply with the Privacy Act 1988 (Privacy Act), including the requirement to comply with the Australian Privacy Principles (APPs), in relation to all activities carried on for the purposes of, or in connection with, the AML/CTF Act, even if they would otherwise be exempt from the Privacy Act.

AUSTRAC notes that use of the DVS does not alter the obligations of reporting entities in dealing with personal information of individuals under the Privacy Act, including the collection, use and storage of personal information, how personal information is kept current and up-to-date and the handling of personal information security breaches.

Under the Privacy Act, the Australian Privacy Commissioner may conduct an assessment of whether personal information held by a reporting entity is being maintained and handled in accordance with the APPs.  This extends to personal information that a reporting entity is required to collect under the AML/CTF regime.

Further information

Further information on the DVS can be found at the following links:

Last modified: 19/12/2018 13:06