You must establish the following matters on reasonable grounds:

• the identity of the customer
• the identity of any person the customer is receiving the designated service on behalf of
• the identity of any person acting on behalf of the customer and their authority to act
• the identity of any beneficial owners of the customer
• if any of the above persons are a politically exposed person (PEP) (where they are an individual) or designated for targeted financial sanctions (TFS)
• the nature and purpose of the business relationship or occasional transaction.

Why these matters are so extensive

Bodies corporate, partnerships and unincorporated associated are used for a range of legitimate purposes. They’re also commonly used by money launderers to place, layer and integrate the proceeds of crime. They do this to disguise the illicit origins of these proceeds and the individuals who control them. 

Our National Money Laundering Risk Assessment 2024 rated legal structures and bodies corporate as a high money-laundering risk that was persistently being exploited by criminals to store and move large volumes of criminal proceeds, including offshore. 

Just because legal structures and bodies corporate are nationally high risk, does not mean every legal structure and body corporate will be a high ML/TF risk customer for your business. This will depend on all the circumstances, including the complexity of the trust and its ability to disguise the identity of individuals who own and control it. 

Learn more at assigning customer risk ratings. 

You must establish the matters above to make sure that the bodies corporates and other structures you deal with remain transparent. You can do this by following the steps below. This will help ensure that your business knows the body corporate or other structure exists, and its identity and the persons who control, own and benefit from it. 

If you don’t do this, you may be in breach of your anti-money laundering and counter-terrorism financing (AML/CTF) obligations. You’ll also leave your business vulnerable to being exploited by criminal groups that disguise their activities behind these bodies corporate or other structures.

What this guidance covers

This guidance provides examples of the baseline information that could be collected and verified as part of establishing each matter for a customer that doesn’t: 

• receive the designated service at or through an overseas permanent establishment (such as a foreign branch or subsidiary of an Australian company)
• trigger enhanced CDD
• trigger any additional collection of information based on their money laundering, terrorism financing and proliferation financing risks. We refer to these as ML/TF risks.

You could collect information using a customer onboarding form. This is an online or paper form that you ask new customers to complete.

This guidance outlines examples of the following:

• independent and reliable data that could be used to verify information – where this guidance refers to documents, you could obtain either an original or a reliable copy of the document or extract from that document. If these documents have expired, it may be appropriate to collect and/or verify additional information.
• circumstances where collection or verification requirements can be reduced or delayed. 

It’s important to note that you’re not required to keep these documents under your record keeping obligations and can instead record details of these documents. Learn more about record keeping.

You could establish these matters by:

• collecting and verifying different information (unless this guidance specifies that collection or verification must occur), or
• using other independent and reliable data to that specified in this guidance

Additional requirements 

You must also identify the customer’s ML/TF risk and may need to collect and verify additional information to meet the following requirements: 

• to establish a matter on reasonable grounds
• to identify the ML/TF risk of the customer, based on know your customer (KYC) information reasonably available to you. Learn about assigning customer risk ratings.
• to resolve any discrepancies that arise while providing information
• collect and verify additional KYC information as appropriate to the ML/TF risk of the customer, particularly if this risk is medium or high. 

You must apply enhanced CDD measures for some customers. Learn more in enhanced CDD.

Customer identity

You must establish the identity of the body corporate, partnership or unincorporated association. 

Collect information

You must at least collect the following information.

The customer’s full name

This is the full name the customer uses for official purposes, such as in contracts or when engaging with government bodies. Often a body corporate’s name will include the words ‘Proprietary’, ‘Limited’ or ‘Incorporated Association’ in its name, depending on what type of body corporate it is.

For a company incorporated in Australia this is the name registered on the Australian Companies Register. If the company hasn’t selected a name, it’s the Australian Company Number (ACN).

For a partnership or unincorporated association that doesn’t operate under a business or charity name, this is the names of all the partners or members of a partnership or unincorporated association.

Any business names of the customer

This includes all business names the customer uses to run a business in Australia.

Any other names the customer is commonly known by

Some customers may not have any other names they are commonly known by.

Unique identifier for the customer (if any has been given)

This will generally be an Australian Business Number (ABN) or ACN for a customer operating in Australia. 

In some cases, a unique identifier may not be available. For example, an incorporated association in Australia that doesn’t carry on a business.

Address of the principal place of business or operations of the customer

This is the main physical location where the body corporate, partnership or unincorporated association conducts their activities. 

For companies registered with the Australian Securities and Investments Commission (ASIC) this is the address registered as the principal place of business. 

Address of any registered office of the customer

This applies if the customer’s registered office is a separate address from its principal place of business or operations. This is often the address used for legal and formal correspondence, which could be the customer’s accountant or lawyers’ address.

For companies registered with ASIC this is the registered office address provided.

Evidence of the customer’s existence

This can be established by searching registers such as: 

• ASIC Connect’s companies and organisation register or business names register
• Australian Business Register ABN Lookup. 

For a body corporate this could be: 

• a certificate of registration from the Australian Government Business Registration Service  
• an organisation extract from ASIC’s registries. 

For a partnership this could be a: 

• partnership agreement
• certificate of registration from a foreign regulatory body. 

For incorporated or unincorporated associations this could be the customer’s constitution.

For a registered co-operative this could be an official extract of the co-operatives register from the state or territory where the customer was incorporated.

Powers that bind and govern the customer

For example, for:

• a body corporate – the constitution or equivalent document
• a partnership – the partnership agreement
• an unincorporated association – the constitution or rules of the association.

If the customer is an Australian body corporate and uses the replaceable rules from the Corporations Act 2001 to establish the powers that bind and govern them, you can get that information from publicly available sources. If they’ve replaced one or more of these replaceable rules, you could collect information on this from a representative of the customer. 

Individuals responsible for the governance and executive decisions of the customer

This includes the full name of the individual or each member of the group with primary responsibility for governance and executive decisions. For example, the board of the directors for an Australian company or registered co-operative, or the committee for an incorporated association. 

For bodies corporate, you must also collect any director identification number where applicable. 

Verify information

You could verify the following information depending on the type of customer.

Australian company

The full name of the company as registered with ASIC.

The ACN issued to the company.

You can verify this information using reliable and independent data such as:

• information on ASIC registers – searching by company name and ACN
• certificate of incorporation or registration.

Registered foreign company

The full name of the company as registered with ASIC.

Whether the company is registered with the relevant foreign registration body and if so whether it’s is registered as a private or public company.

The Australian Registered Body Number (ARBN) issued to the company by ASIC.

You can verify this information using reliable and independent data such as:

• information on ASIC registers – searching by company name and ARBN
• certificate of incorporation or registration.

Unregistered foreign company

The full name of the company.

Whether the company is registered by the relevant foreign registration body and, any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration.

You can verify this information using reliable and independent data such as information on foreign government registers.

Partnerships

The full name of the partnership from the partnership agreement, reliable copy or extract of the partnership agreement.  

You could verify this with reliable and independent data such as a partnership agreement, reliable copy or extract of a partnership agreement.

The ABN of the partnership business, if any. 

Unincorporated associations 

Verify the full name (if any) of the association from: 

• the rules or constitution of the association
• or from a copy, or extract of the rules or constitution of the association
• or from reliable and independent data relating to the association. 

You could verify this with reliable and independent data such as:

• the constitution or rules of the association or a reliable copy or extract of the constitution or rules of the association
• the ABN of the business, if any.

Learn how you can verify information about an individual’s identity. 

Nature and purpose of the business relationship

You must establish the nature and purpose of your business relationship with the body corporate, partnership or unincorporated association.

Collect information

You must at least collect information about the nature of the body corporate, partnership or unincorporated association’s business or operations. 

This information could either be collected in an onboarding form or determined from your initial engagement with the customer’s representatives.

We expect you to collect information on all of the following: 

• general commercial activity or sector the customer operates in. For example, law firm, food services, real estate agency or similar
• kinds of products and services offered by the business. For example, for a law firm, they may offer conveyancing, criminal law and commercial advisory services.
• if not engaged in commercial activity, the purpose of the corporate body, partnership or unincorporated association – including being set up for managing personal assets, or a social or charitable purpose such as a tennis club or wildlife rescue association. 

We also expect you to collect information on the reasons the customer is seeking your services and the nature of the services they’re seeking. Without this information, it will be difficult to establish the nature of the business relationship or occasional transaction on reasonable grounds.

This can provide a good starting point to determine whether the: 

• way your services are used is inconsistent with the stated nature of the business relationship or occasional transaction
• behaviour of your customer or associated persons is unusual.

This is relevant to determining your customer’s risk rating during initial and ongoing CDD. See assigning risk ratings. 

Verify information

You won’t need to verify the information you’ve collected on this matter if all the following apply:

• you aren’t required to apply enhanced CDD measures in relation to the customer

• you’ve identified the customer’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service

• you’ve collected KYC information about the nature and purpose of the business relationship or occasional transaction that is appropriate to the ML/TF risk of the customer. 

This means that, in practice, after establishing the identity of the customer, you’ll generally only need to verify information you collected on the matter if any of the following apply: 

• you are required to apply enhanced CDD
• you have doubts about the adequacy and veracity of the information your customer provided.

If you’re required to verify information on this matter, you must do this by using reliable and independent data. 

For example:

• evidence of business activity, such as business activity statements – to verify that activities align with the stated purpose of the customer
• sighting documentation that sets out the purpose of the customer’s operations
• requesting business records such as letters from the customer’s lawyer or accountant
• viewing publicly available information about the customer from third parties. Such as reliable third-party websites that provide information on their business or operations 

• searches of the ACNC register of charities and ATO’s register of deductible gift recipients – to verify whether the customer is a charity or engaged in purposes related to the public good.

Simplified verification for certain matters

There are certain circumstances where you’ll have been taken to have established the following matters:

• the identity of a person acting on behalf of the customer and their authority to act – any representative of the customer who engages with you in relation to the designated service
• the identity of a person receiving a service on the customer’s behalf – you’ll only be required to do this in limited circumstances
• the identity of a beneficial owner of the customer.   

A matter mentioned above will be taken to be established where all of the following apply:

• you’ve identified the customer’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service
• the customer’s ML/TF risk is low and enhanced CDD doesn’t apply to them
• you’ve collected KYC information about the matter, as appropriate to the customer’s ML/TF risk
• there are no reasonable grounds for you to doubt the adequacy or veracity of that KYC information.

If this is satisfied, you don’t need to verify the information you’ve collected on the matter. 

Persons acting on behalf of the customer

You must establish the identity of any person acting on behalf of the customer and their authority to act. You only need to identify representatives who engage with you in relation to your designated services. You don’t need to verify every representative that the customer has.

This is a common requirement for bodies corporate, partnerships and unincorporated associations, which will often interact with you through an individual employee or agent.

Collect information

You can determine whether a person is acting on behalf of a body corporate, partnership or unincorporated association from:

• the way they engage with your services. Such as seeking the service in the name of a body corporate, partnership or unincorporated association and not their own name
• if they indicate your services aren’t for them
• customer onboarding processes – where you can ask whether the person is acting on behalf of another person or will have a person act on their behalf.

If a body corporate, partnership or unincorporated association is seeking your services on behalf of another person, the person they are representing is the customer. You must identify who this customer is. You can use the practical guides we’ve provided depending on if they’re an individual, body corporate, unincorporated association, partnership, sole trader, trust or government body.

If the body corporate, partnership or unincorporated association is the customer, they will interact with you through a representative. 

You must collect information on both of the following:

• the identity of the representative – this process will differ depending on whether they are an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body
• their authority to act for the customer – including collecting details about the nature of their authority to act for the customer. This could include being appointed under an agency agreement, power of attorney or employed with appropriate authority to act as a representative.

You could also collect information on the reason for granting the authority to act. For example, in the context of real estate purchases, a representative may provide that they have been hired under an agency agreement to help broker the purchase of property.

This provides a good baseline from which you can establish related ML/TF risk and whether the behaviour of the representative is unusual through the course of your business relationship with the customer. 

Verify information 

You’re taken to have established the identity of the person acting on behalf of the customer and their authority to act if all of the following are satisfied:

• you’ve established on reasonable grounds the authority of the person to act on behalf of the body corporate, partnership or unincorporated association

• you determine on reasonable grounds that any additional ML/TF risk associated with the person representing the body corporate, partnership or unincorporated association is low 

• you’ve collected KYC information about the representative and their authority to act, as appropriate to the customer’s ML/TF risk

• there are no reasonable grounds for you to doubt the adequacy or veracity of that KYC information.

This will allow you to establish the identity of the relevant representative without verifying the information you’ve collected on this matter.

If these circumstances don’t apply, you could verify: 

• the identity of the representative – this process will differ depending on whether they are an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body
• their authority to act as a representative of the customer – by gathering reliable and independent data that establishes their authority to act.

Reliable and independent data establishing authority to act could include, for example:

• for employees – written confirmation from their employer that they’re authorised to act
• where a customer is represented by an insolvency practitioner – the court order appointing the insolvency practitioner or the insolvency notice on the ASIC Published Notices website
• for general agency appointments – a letter, agency agreement or other authorisation from the customer establishing that the agent has authority to act on their behalf, or confirmation from a reliable third party. For example, a legal practitioner, accountant or other professional who isn’t the person acting on behalf of the customer in relation to the designated service. 

Customers receiving services on another person’s behalf

If you’ve established on reasonable grounds that your customer is a body corporate, partnership or unincorporated association, you’ll generally not be required to collect or verify information on this matter. 

When you don’t need to check beneficial owners

If one of the exceptions below are satisfied, you’ll be taken to have established both of the following:

• the identity of any beneficial owner of the customer
• whether any beneficial owner of the customer is a politically exposed person (PEP) or person designated for targeted financial sanctions. 

You’ll still need to verify the identity of, and conduct PEP and sanctions checks on, all of the following persons: 

• the body corporate, partnership or unincorporated association
• any representative of the body corporate, partnership or unincorporated association that engages with you in relation to designated services
• any person on whose behalf the body corporate, partnership or unincorporated association is receiving the designated service. 

Low risk customers 

The customer is low ML/TF risk, enhanced CDD doesn’t apply to them and you’re satisfied on reasonable grounds that the customer is, or is controlled by, any of the following:

• a government body
• an entity subject to regulatory oversight by a prudential, insurance, or investor protection regulator through registration or licensing requirements
• a corporation or association of homeowners in a strata title or community title scheme.

To determine this, collect information from the representative of the customer as to whether the customer fits into any of the above categories. 

You could verify this information by obtaining reliable and independent data to:

• establish that a relevant entity above controls the customer. Learn more about beneficial ownership and control
• determine if the customer is, or is controlled by, a government body. Learn more about identifying a government body
• determine if the customer is, or is controlled by, a corporation or association of homeowners in a strata title or community title scheme. Learn more about establishing the identity of a body corporate or unincorporated association above.

To determine if the customer, or an entity that controls them, is subject to regulatory oversight as outlined above, you could also ask for information on all of the following: 

• the regulator they’re registered or licensed with. For example, the Australian Prudential Regulation Authority (APRA)
• the capacity in which they’re registered or licensed. For example, to provide superannuation-related services
• any unique licensing or registration number. 

You may also be able to determine this based on information you have collected on other matters. 

For example, information you have collected on the nature of the customer’s business could tell you whether the customer is any of the following: 

• a bank (and therefore subject to prudential regulatory oversight)
• an insurer (and subject to insurance regulatory oversight) or
• a financial services business (subject to the Australian Financial Services Licencing laws). 

Depending on the regulator they’re registered or licensed with, you could verify this information by: 

• for banking, insurance and superannuation businesses – checking their registration details on the APRA website
• for Australian Financial Services or credit licensees, registered auditors and liquidators and self-managed super fund services – search ASIC’s professional services registers. 

Publicly listed companies

You also don’t need to establish a customer’s beneficial owners if you establish on reasonable grounds they’re both of the following:  

• a listed public company
• subject to public disclosure requirements (however imposed), that ensure transparency regarding the identity of any beneficial owners.

For example, this will be satisfied where a company is listed on the Australian Stock Exchange, or another exchange that includes appropriate transparency requirements.  

If this circumstance applies, you’ll also not be required to identify the individual who is the CEO or equivalent of the customer. 

Identifying beneficial owners

You must identify all beneficial owners of this customer unless the above deeming provisions apply. 

Collect information

You must at least collect KYC information about the ownership and control structure of the customer. This will help you determine the beneficial owners of the customer. 

Information on the ownership and control structure means:

• information on the ownership of the body corporate, partnership or unincorporated association, including any distribution of shares and the kind of shares distributed
• duties, rights and entitlements for administering the body corporate, partnership or unincorporated association
• control and decision-making processes of the body corporate, partnership or unincorporated association.

In addition, you could ask your customer’s representative to provide information directly identifying all beneficial owners of the customer. Some customer representatives will have this information on hand, which can assist greatly with verification.

Verify information

To verify the information about the ownership and control structure of the customer, you can cross-reference with:

• the customer’s constitution, charter or rules
• information found on ASIC registers
• annual statements including amendments submitted to ASIC by certain large companies
• distribution of member statements
• partnership agreements.

Based on the information collected, you’ll need to establish the identity of any individual who owns or controls the customer. Learn more about determining ownership and control.  

If you’re unable to establish the identity of beneficial owners 

If you’re unable to establish the identify of any beneficial owners of a body corporate, partnership or unincorporated association, you’re taken to have established this matter on reasonable grounds if you’ve:

• taken all reasonable steps to establish the identity of any beneficial owners
• recorded the steps taken and any difficulties encountered when trying to establish the identity of any beneficial owners
• collected information about the identity of the individual who is the chief executive officer (or equivalent)
• verified information as appropriate to the ML/TF risk of the customer.

Politically exposed persons and sanctions

You must establish if your customer, or any person acting on their behalf or receiving a service on their behalf in relation to your designated services, is a person designated for targeted financial sanctions (TFS).

You must also establish whether any of these persons, if they are individuals, are a politically exposed person (PEP). 

Collect information

You could ask your customer’s representative, in an onboarding form, whether any of the individuals referred to above are a PEP. 

In the onboarding form, you could specify that a PEP includes the following:

• a foreign PEP
• a domestic PEP
• an international organisation PEP.

If the customer confirms that one of the individuals mentioned above are a PEP, they could then provide the details of the individual and a description of their role. For example, Australia’s High Commissioner to New Zealand.

For TFS, you’ll have already collected information about the identity of the customer and any person acting on their behalf, which will be enough to complete the verification steps outlined below. 

If you’ve information that a person is subject to TFS, don’t deal with their assets without a permit from the Australian Sanctions Office. Criminal penalties may apply if you do. Further information is on the Australian Sanctions Office website.

Delay verification

In practice, you would typically complete PEP and TFS verification after you’ve collected information about the identity of the customer and any person acting on their behalf. 

This helps you conduct accurate PEP and TFS searches. 

Ordinarily, you would need to verify this information before you start providing a designated service. 

In some circumstances you may be able to delay verification where carrying them out would interrupt the ordinary course of business and other conditions are met. 

Learn more about delayed verification for CDD. 

Verify PEP information

You could verify the information provided by: 

• checking the individual’s background using reliable and independent online sources, including government websites and other official data sources, and in the media
• using databases and reports from third-party providers that provide PEP screening services.

You could make sure any service you use satisfies both of the following: 

• reflects the definition of PEP in the Act and Rules
• allows for effective searching despite minor discrepancies or errors in the data entered. 

Learn how to establish if a person is an individual PEP.

Verify sanctions information

You can use the Department of Foreign Affairs and Trade’s Consolidated List to search for persons and entities listed for TFS under Australian sanctions laws. 

Sanctions listings change often, so always check for the most recently published list.  

A person may have variations in the spelling of their name, particularly non-English names changed into English. You may need to check alternative spellings or use a service that allows for effective searching despite minor discrepancies or errors in the data entered. 

Learn how to establish if a person is subject to TFS. 

Related pages

• Initial customer due diligence on different customers
• Initial customer due diligence overview
• Enhanced CDD
• Delayed verification for CDD
• Politically exposed persons
• Persons designated for targeted financial sanctions