Customer identification: Know your customer (KYC)
New AML/CTF reforms guidance has now been released. Until the laws change on 31 March 2026, we’ll maintain our guidance on existing obligations on these pages.
To understand your obligations from 31 March onwards, please refer to our reforms guidance.
As a reporting entity you must apply customer identification procedures to all your customers. Part B of your AML/CTF program is solely focused on these ‘know your customer’ (KYC) procedures.
You must document the customer identification procedures you use for different types of customers. The procedures you use must be based on the level of money laundering/terrorism financing risk that different customers pose.
You must check a customer’s identity by collecting and verifying information before providing any designated services to them. You must identify both individual customers (people) and non-individual customers (such as companies, associations or trusts).
After checking a customer’s identity you must be satisfied that:
- an individual customer is who they claim to be
- a customer who is not an individual is a real entity (a business or organisation that actually exists) and you know the details of its beneficial owners.
KYC and being familiar with your customers’ typical financial transactions make you aware of any unusual or suspicious activity and reduce the risk of your business or organisation being exploited for money laundering or terrorism financing purposes.
Part B of your AML/CTF program must include:
- how you collect and verify KYC information
- how you collect and verify information about the beneficial owners of your customers
- how you identify customers who are politically exposed persons (PEPs) or who have beneficial owners who are PEPs
- how you respond to discrepancies you find when verifying information you have collected
- the risk-based systems and controls you use to work out whether you need to collect and/or verify further customer information
- how you collect and verify information about agents acting for a customer, including details of the risk-based systems you use to do this.
The identity information you must collect and verify depends on the type of customer and the level of ML/TF risk posed by the customer.
For individual customers, this information includes, as a minimum requirement, their full name as well as either their residential address or date of birth. There are procedures for identifying customers who do not have conventional forms of identification in rare circumstances.
For customers who aren’t individuals, you must collect information so that you are reasonably satisfied the customer actually exists. For example, if the customer is a company in Australia you must collect and verify information including the full name of the company, whether it is registered with the Australian Securities & Investments Commission (ASIC) as a public or proprietary company, and its Australian Company Number (ACN) or Australian Registered Body Number (ARBN).
Information about a customer can be verified using reliable and independent documents or reliable and independent electronic data or a mix of both.
You must complete most of your applicable customer identification procedures before you provide any designated services to the customer. This applies to both one-off transactions and ongoing business relationships.
The required timeframe for identifying the beneficial owner of a customer and whether the customer or beneficial owner is a politically exposed person is different. You must do this either before you provide the designated service or as soon as possible afterwards.
You may use ‘safe harbour’ procedures to verify your customer’s identity if they are an individual and you have assessed their money laundering and terrorism financing risk as medium or low. These checks are less stringent than those required for high-risk customers. You must still verify their full name and, depending on which you collected, either their date of birth or residential address.
You can use either reliable and independent documents or electronic data to verify the identity of your medium or low risk customer.
For documents, you must use original or certified copies of primary or secondary documents. For electronic data, you must use at least two separate data sources to verify customer information. This can include records from credit reporting agencies.
The simplified company verification procedure only applies if you can confirm the company is one of the following:
- a domestic (registered in Australia) company, listed on an Australian stock exchange
- a majority-owned subsidiary of a domestic company listed on an Australian stock exchange
- licensed and regulated by a Commonwealth, state or territory government regulator.
Documents obtained from at least one of the following will confirm this and can be used as verification:
- searching the relevant domestic stock exchange
- a public document issued by the company (such as an annual report)
- searching a relevant Australian Securities and Investments Commission (ASIC) database
- searching the licence or other records of the relevant regulator.
The simplified trust verification procedure only applies if you can confirm the trust is one of the following:
- a managed investment scheme registered by ASIC
- an unregistered managed investment scheme that only has wholesale clients and does not make small scale offerings
- a trust registered with and regulated by a Commonwealth Government regulator
- a government superannuation fund established under legislation.
Confirming that your customer fits one of the above criteria is sufficient verification.
You must have risk-based systems and controls in place to deal with discrepancies you notice while verifying customer information, such as if someone’s name on their passport doesn’t match the name they gave you, or the name of a director provided by a company doesn’t appear on the company search extract. If you notice inconsistencies, you should collect more information from your customer. The procedures you document to deal with this situation must be appropriate for your business or organisation.
If a customer gives you identification documents in a language other than English, you should use an accredited translator to translate them into English, unless you or an employee understand the language used. In that case, you can translate the document/s into English yourself, but you should keep a record for other employees and to show AUSTRAC.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.