Initial CDD for individuals (Reform)
Learn what you need to do for initial customer due diligence (CDD) if your customer is an individual. We have other guides for when your customer is a body corporate, unincorporated association, partnership, trust, sole trader or government body.
You should read this guidance in conjunction with our guidance on:
- your initial CDD obligations
- your enhanced CDD obligations.
Matters you must establish
This section refers to the Act sections 28 and 32.
You must establish the following matters on reasonable grounds:
- the identity of the customer
- the identity of any person acting on the customer’s behalf and their authority to act
- the identity of any person on whose behalf the customer is receiving the service
- if any of the above persons are a politically exposed person (PEP) (where they are an individual) or designated for targeted financial sanctions (TFS)
- the nature and purpose of the business relationship or occasional transaction.
This guidance provides examples of the baseline information that could be collected and verified as part of establishing each matter for an individual that doesn’t:
- receive the designated service at or through an overseas permanent establishment (for example, a foreign branch or subsidiary of an Australian company)
- trigger enhanced CDD
- trigger any additional collection of information based on their money laundering, terrorism financing and proliferation financing risks. We refer to these as ML/TF risks.
This guidance also outlines examples of the following:
- independent and reliable data that could be used to verify information – where this guidance refers to documents, you could obtain either an original or a reliable copy of the document or an extract from that document. If these documents have expired, it may be appropriate to collect and/or verify additional information.
- circumstances where collection or verification requirements can be reduced or delayed.
It’s important to note that you’re not required to keep these documents under your record keeping obligations and can instead record details of these documents. Learn more about record keeping.
You could establish these matters by:
- collecting and verifying different information (unless this guidance specifies that collection or verification must occur)
- using other independent and reliable data to that specified in this guidance.
Additional requirements
You must also identify the customer’s ML/TF risk and may need to collect and verify additional information to meet the following requirements:
- to establish a matter on reasonable grounds
- to identify the ML/TF risk of the customer, based on know your customer (KYC) information reasonably available to you. Learn about assigning customer risk ratings.
- to resolve any discrepancies that arise while providing information
- collect and verify additional KYC information as appropriate to the ML/TF risk of the customer, particularly if this risk is medium or high.
You must apply enhanced CDD measures for some customers. Learn more in enhanced CDD.
You could collect information using a customer onboarding form. This is an online or paper form that you ask new customers to complete.
Customer identity
This section refers to the Act sections 28(2)(a) and (3).
You must establish the identity of your individual customer.
Collect information
We expect you to collect enough information to distinguish the individual customer from another individual with the same or similar name and other details.
You could collect information on the customer’s:
- full name
- other name(s) (if any) that they’re commonly known by. For example, a former name or an anglicised name if the customer has adopted one
- date of birth
- residential address
- unique identifier (if the customer has one). For example, a passport or driver’s licence number or a foreign national identity number.
Verify information
We expect you to verify information to establish that the individual customer exists.
You could verify the customer’s full name and date of birth. This information is useful in establishing identity as it often stays the same throughout a customer’s life.
You could verify this information using either a:
- government-issued primary photographic identification document. For example, a current driver’s licence, passport, proof of age card or foreign national identity card
- primary non-photographic identification document. For example, a birth certificate, citizenship certificate or concession card, and a secondary identification document showing the individual’s name and address, such as a utility bill or notice issued by a commonwealth, state, territory or local government body.
Your customer might be unable to provide standard identification documents. In these circumstances, you can comply with your obligations in different ways.
Learn more in our alternative identification guidance.
Making sure the customer is the person they claim to be
This section refers to the Act section 28(3)(a).
You could match the customer’s appearance against their photographic identification.
You could complete this in-person or online. For example, by:
- comparing the customer against their photograph on a driver’s licence or passport in their presence
- participating in a video call and comparing the name and features of the live video image to the name and photo on the identification document
- using biometric technology to compare the customer’s identification against their appearance, such as a solution provided by an ID verification provider.
If you’ve verified the customer’s identity using non-photographic identification, you could confirm that they’re who they claim to be by collecting a reference from an independent and reliable source. You could then cross-check the information provided in the reference against the information you have already collected.
If you suspect on reasonable grounds that a person isn’t who they claim to be, you must file a suspicious matter report. You cannot start to provide a designated service to the customer until you are satisfied that they are who they claim to be on reasonable grounds.
Example: Verifying information and resolving inconsistencies
Business A uses an onboarding form to collect information about an individual customer’s full name, residential address and date of birth, and whether the customer has had any other name. This confirms they don’t have another name. The business also collects additional information to establish the customer’s ML/TF risk.
Business A verifies this information by asking the customer for their driver’s licence and confirms they’re who they claim to be by comparing their face to the licence photo in person. Business A notices the licence address doesn’t align with the one provided in the onboarding form. The customer explains that they moved address in the previous week.
The customer provides a recent utility bill to verify their new address and resolve the inconsistency.
Based on the information provided, and after giving the customer a low ML/TF risk rating based on other information, Business A determines that they have established the identity of the customer on reasonable grounds.
Nature and purpose of the business relationship
This section refers to the Act sections 28(2)(f) and (3) and the Rules sections 6-9 and 6-21.
You must establish the nature and purpose of the business relationship and occasional transaction with the customer.
Collect information
We expect you to collect information on the reasons the customer is seeking your services and the nature of those services. Without this information, it will be difficult to establish the nature of the business relationship or occasional transaction on reasonable grounds.
You could also gather information on the person’s occupation. This can provide a good starting point to determine whether the:
- way your services are used is inconsistent with the stated nature of the business relationship or occasional transaction
- behaviour of your customer or associated persons is unusual.
This is relevant to determining your customer’s risk rating during initial and ongoing CDD. See assigning risk ratings.
This information could either be collected in an onboarding form or determined from your initial engagement with the customer and any of their representatives.
Verify information
You won’t need to verify the information you’ve collected on this matter if all of the following apply:
- you aren’t required to apply enhanced CDD measures in relation to the customer
- you’ve taken reasonable steps to establish that the customer is the person they claim to be
- you’ve identified the customer’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service
- you’ve collected KYC information about the nature and purpose of the business relationship or occasional transaction that is appropriate to the ML/TF risk of the customer.
This means that, in practice, after establishing the identity of the customer, you’ll generally only need to verify information on nature and purpose if any of the following apply:
- you are required to apply enhanced CDD
- you have doubts about the adequacy and veracity of the information your customer provided.
If you’re required to verify the nature and purpose of the business relationship or occasional transaction, you must do this by using reliable and independent data.
Example – Unexplained wealth in real estate transaction
For example, an 18-year-old individual wants to engage a conveyancing firm to purchase a high-value property using physical currency to further their ‘property portfolio’. During CDD, the individual lists their occupation as ‘student’. The real estate agency identifies the customer as high risk, triggering enhanced CDD.
They collect and verify information on the source of the cash and wealth of the customer. The customer provides that the physical currency was received through an inheritance and provides a grant of probate to verify this.
Learn more about information you can collect and verify to establish a person’s source of funds and source of wealth.
Persons acting on behalf of the customer
This section refers to the Act sections 28(2)(c) and (3) and the Rules section 6-5.
You must establish the identity of any person acting on behalf of the customer and their authority to act. You only need to do this for representatives of the customers who engage with you in relation to your designated services.
Collect information
You can determine whether an individual is acting on behalf of another person from:
- the way they engage with your services – such as seeking the service in the name of another person and not their own name
- customer onboarding processes – through which you can ask whether the individual is acting on behalf of another person or will have a person act on their behalf.
If there’s no information to suggest an individual is acting on behalf of another person, or will have another person represent them, you don’t need to establish this matter.
If an individual is interacting with you on behalf of another person, the person they are representing is the customer. You must identify who the customer is and can use the practical guides we’ve provided depending on if they’re an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body.
If the customer tells you that they’ll interact with you through another person, you must establish both:
- the identity of the representative – this process will differ depending on whether they are an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body
- their authority to act as a representative for the customer – including collecting information about the nature of their authority to act for the customer. This could include being appointed under an agency agreement, power of attorney or employed with appropriate authority to act as a representative.
You could also collect information on the reason for granting the authority to act. For example, in the context of real estate purchases, a representative may provide that they have been hired under an agency agreement to help broker the purchase of property.
This provides a good baseline from which you can establish related ML/TF risk and whether the behaviour of the representative is unusual through the course of your business relationship with the customer.
Verify information
This section refers to the Act section 6–17.
You’re taken to have established the identity of the customer’s representative and their authority to act, if all of the following are satisfied:
- you’ve identified the customer’s ML/TF risk based on KYC information about the customer reasonably available to you before starting to provide the service
- the customer’s ML/TF risk is low and enhanced CDD doesn’t apply
- you’ve taken reasonable steps to establish that the customer is the person they claim to be
- you’ve collected KYC information about any representative and their authority to act, as appropriate to the customer’s ML/TF risk
- there are no reasonable grounds for you to doubt the adequacy or veracity of that KYC information.
This will allow you to establish the matter without verifying the information you’ve collected.
If these circumstances don’t apply, you could verify:
- the identity of the representative – in the same way you would verify the identity of an individual, body corporate, unincorporated association, partnership, trust, sole trader or government body (depending on which person the representative is)
- their authority to act as a representative of the customer – by gathering reliable and independent data that establishes their authority to act.
Reliable and independent data establishing authority to act could include, for example:
- a power of attorney – a document granting the person power of attorney
- employees – written confirmation from their employer that they’re authorised to act
- general appointments – a letter, agency agreement or other authorisation from the customer establishing that the representative has authority to act on their behalf or confirmation from a reliable third party. For example, a legal practitioner, accountant or other professional (who isn’t the person acting on behalf of the customer in relation to the designated service).
Customers receiving services on another person’s behalf
This section refers to the Act sections 28(2)(b) and (3) and the Rules section 6–6(1).
If you’ve established the identity of your customer on reasonable grounds, you’ll generally not be required to collect or verify information on this matter.
You may be required to do so if the service provided relates to a life policy or sinking life policy. See the Act items 37 and 38 of table 1 of section 6 and the Rules section 6-34.
Politically exposed persons and sanctions
This section refers to the Act sections 28(2)(e) and (3) and the Rules section 6-12.
You must establish if your customer, or any person acting on their behalf or receiving a service on their behalf in relation to your designated services, is a person designated for targeted financial sanctions (TFS).
You must also establish whether any of these persons, if they are individuals, are a politically exposed person (PEP).
Collect information
You could ask your customer, in an onboarding form, whether any of the following individuals are a PEP:
- the customer
- any person acting on the customer’s behalf
- any person receiving a service on their behalf.
In the onboarding form, you could specify that a PEP includes the following:
- a foreign PEP
- a domestic PEP
- an international organisation PEP.
If the customer confirms that one of the individuals mentioned above is a PEP, they could then provide the details of the individual and a description of their role. For example, Australia’s High Commissioner to New Zealand.
For TFS, you’ll have already collected information about the identity of the customer and any person acting on their behalf. This may be enough to complete the verification steps outlined below.
If you have information that a person is subject to TFS, don’t deal with their assets without a permit from the Australian Sanctions Office. Criminal penalties may apply if you do. Further information is on the Australian Sanctions Office website.
Delayed verification
In practice, you would typically complete PEP and TFS verification after you’ve collected information about the identity of the customer and any person acting on their behalf.
This helps you conduct accurate PEP and TFS searches.
Ordinarily, you would need to verify this information before you start providing a designated service.
In some circumstances, you may be able to delay verification where carrying it out would interrupt the ordinary course of business and other conditions are met.
Learn more about delayed verification for CDD.
Verify PEP information
You could verify the information provided by:
- checking the individual’s background using reliable and independent online sources, including government websites and other official data sources, and in the media
- using databases and reports from third-party providers that provide PEP screening services.
You could make sure any service you use satisfies both of the following:
- reflects the definition of PEP in the Act and Rules
- allows for effective searching despite minor discrepancies or errors in the data entered.
Learn how to establish if an individual is a PEP.
Verify sanctions information
You can use the Department of Foreign Affairs and Trade’s Consolidated List to search for persons listed for TFS under Australian sanctions laws.
Sanctions listings change often, so always check for the most recently published list.
A person may have variations in the spelling of their name, particularly non-English names changed into English. You may need to check alternative spellings or use a service that allows for effective searching despite minor discrepancies or errors in the data entered.
Learn how to establish if a person is subject to TFS.
At the end of this process, you may not be satisfied you’ve established a matter on reasonable grounds. If this is the case, you’ll need to take further action, which may include collecting and verifying additional information, until this level of satisfaction is reached.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.