Indicators of suspicious activity for non-bank lenders and financiers

On this page

• Customer identification and behaviour
• Money laundering
• Tax crimes, fraud and scams
• Terrorism, national security and international crime
• Suspicious matter reporting
• Related pages

Customer identification and behaviour

Customer identification indicators

A customer:

• who’s identification document cannot be authenticated
• provides identification information that is false, misleading, vague, or cannot be verified
• refuses or is reluctant to provide identification information or documents 
• has inconsistencies in information across different identification documents
• has sources of wealth or sources of funds that are unexplained and/or inconsistent with their profile
• is overly secretive about their source of wealth or funds or has difficulty providing evidence of their source of wealth or funds 
• appears to be known to law enforcement or associates with criminals, based on open source information

Customer behaviour indicators

A customer:

• makes an unusual enquiry to staff about whether they report to government authorities. For example, AUSTRAC, the Australian Taxation Office or law enforcement agencies
• requests that their transaction is not reported to AUSTRAC 
• appears nervous, overly defensive when asked questions, evasive, or leaves without the service being provided. For example, they don’t want to proceed if they have to provide ID 
• and/or their activity is the subject of law enforcement enquiries 
• appears nervous, overly defensive, or evasive when questioned
• appears to be directed by a third party, or makes a transaction in a branch while accompanied, overseen or directed by third party

Money laundering

Money laundering indicators

A customer:

• has unusual transaction patterns or frequency of transactions. For example, multiple payers make loan repayments, or payments are sent to and/or received from foreign jurisdictions to which the customer does not have an obvious link (for example, no known family, friends or business relationships) 
• applies for loans and/or makes early loan payouts or large value loan repayments that are inconsistent with their profile, or with no reason provided
• makes rapid transactions in and out of offset or loan accounts 
• transfers goods or funds internationally without a clear reason 
• has incoming payments that are inconsistent with their profile 
• makes large value deposits into their account over a short period 
• uses cash repayment options excessively or unexpectedly, inconsistent with their profile. For example, an individual customer changes from direct debit to frequent small cash repayments, or a small business customer changes from electronic payments to large cash repayments
• makes regular or frequent structured cash payments 
• makes or receives rapid transfers to or from third parties 
• receives deposits from unknown parties, foreign jurisdictions, different domestic locations, or via cheques in the name of unrelated parties 

Actions and controls 

• Implement transaction monitoring rules, which identify changes in customer transaction patterns and/or activities that may be inconsistent with a customer’s risk profile
• Review the customer’s know your customer (KYC) information and conduct screening on a regular and ongoing basis
• Establish and verify customer business relationships and source of funds or wealth
• Conduct enhanced customer due diligence on high risk customers and to query unusual activity 
• Consider refusing to continue providing designated services where the risk is deemed in excess of your business’ established risk appetite 
• Restrict the extent of cash deposits to repay loans.

Tax crimes, fraud and scams

Tax evasion indicators 

A customer:

• is unable to provide sufficient documentation to verify information provided in their applications
• whose business appears to be running at a loss but is potentially concealing cash income 
• provides information on their application that indicates they work full time for cash payments, but they also receive government benefits
• claims to have no or very limited expenditure for living expenses and works cash-in-hand jobs

Actions and controls 

• Apply transaction monitoring rules to customer accounts and transactions that trigger further reviews of unusual activity 
• Undertake credit checks and review loan and financial history
• Collect customer occupation and payslips at on-boarding, then undertake open source checks to understand their occupation’s typical financial profile 
• Request and assess additional information regarding business or asset structures, registration, financial status and links to overseas contacts

Identity and loan fraud indicators 

A customer:

• provides identification and/or loan supporting documents that appear to be falsified. For example the company or employer listed does not exist, unusual or missing letterhead, inconsistent use of fonts etc.
• applies for multiple loans, credit cards, and/or finance products within a short period of time 
• whose first payment defaults 
• has inconsistent or invalid personal details. For example, disconnected mobile numbers or multiple IP addresses 
• Customer immediately transfers funds from a newly-opened account to cryptocurrency exchanges, particularly to peer-to-peer cryptocurrency networks

Other indicators include:

• Multiple customers use common details across numerous applications, e.g. ID numbers, address, phone number, other contact details, IP address, customer photograph, etc. 
• Brokers or third party providers have a significant increase in the number of customer applications

Actions and controls 

• Monitor or prevent the creation of customer profiles with existing customer details. A new customer attempting to do this should be required to visit a branch or third party broker to conduct identity verification. This prevents fraudsters from creating multiple profiles with a single set of identity details. 
• Implement processes to verify customer information. For example, by contacting the customer’s employer or using open source information to verify the legitimacy of the employer. Consider implementing procedures such as:
  • electronic verification of identity documents
  • verification of supporting documents
  • verification of contact details and 
  • video call authentication of the customer. 
• Where customers have been referred via a third party or broker, conduct in-house customer identification and verification processes. 
• Implement appropriate procedures to conduct additional due diligence where unusual broker activity has been identified 
• Implement alerts to detect frequent changes to contact details, blacklisted identification and similarities to previous fraudulent applications.

Welfare fraud indicators

A customer:

• has transactions that are inconsistent with the typical profile of someone receiving government benefits. For example, higher volume and/or higher amount of transactions 
• provides information on the loan application that is inconsistent with the corresponding government benefit income statement. For example, income, marital status, home ownership, rental payments, employment status, or number of dependants, etc. 
• receives government benefits without withdrawing the funds, possibly indicating they may have access to other undeclared sources of income 
• is subject to enquiries from Australian Government departments responsible for social welfare and human services activities 

Actions and controls 

• Request government benefit income statements to support loan applications 
• Conduct transaction monitoring to identify changes in customer transaction patterns. For example, activities that may indicate possible undeclared income or unusual activity 
• Request and assess additional information where account activity is inconsistent with the customer profile, including receipt of welfare support, links to unidentified third parties, or rapid transactions.

Scam indicators

A customer:

• changes their details immediately following loan, credit card, or financing approval. For example, change of residential address, frequent changes to customer phone number 
• has online activity that is inconsistent with their history or profile. For example, rapid change in customer’s geographic location, registration of new devices, deregistration of previous device, deposits or withdrawals in different jurisdictions 
• reports that they are a victim of a scam, or there is a notification of scam activity on the customer’s account, such as from another financial institution.

Actions and controls 

• Conduct re-identification and re-verification to confirm the identity of loan applicants where their activity is inconsistent with the customer profile, or following notification of potential scam activity
• Suspend the business relationship or close accounts related to reported scams 
• Request and assess additional information where account activity is inconsistent with the customer profile. For example, links to unidentified third parties, deposits from unexpected foreign jurisdictions or domestic locations, or use of multiple currencies.

Terrorism, national security and international crime

Terrorism financing indicators

A customer:

• uses loan drawdown facilities for small amounts citing the reason for withdrawal as ‘support payments’ 
• makes donations to small charities linked to extremist ideologies

Open source information:

• indicates a customer is has links to terrorist groups or terrorism activities
• indicates a customer displays extremist ideologies (for example, social, political, environmental etc.)

Actions and controls 

• Conduct searches for open source information on customers, their associates or organisations to determine any associations or affiliations to terrorism. This may include reviewing social media accounts held by the customer 
• Screen customers against the Department of Foreign Affairs and Trade (DFAT) consolidated list for known terrorists and sanctioned entities, the Terrorist Organisations list on the Australian National Security website, or other watch lists available from commercial providers
• Be aware of entities, regions and countries known to be at high-risk of terrorism activities.

Proliferation financing indicators

Proliferation financing is when a person makes available an asset, provides a financial service or conducts a financial transaction that is intended to facilitate the proliferation of weapons of mass destruction, regardless of whether the activity occurs or is attempted. 

All reporting entities must have risk-based systems and controls in their transaction monitoring programs to identify and report suspicious matters. This includes monitoring for suspicions that individuals or businesses are attempting to avoid Australia’s sanctions laws in connection with the provision of a designated service, or a request to provide a service.

A customer:

• is matched through screening against an Australian or international sanctions list 

Corporations:

• sharing directors and management, addresses, emails, phone numbers and financial infrastructure with other entities in their networks 
• obfuscating their identities and activities by: 
• using aliases and transliteration of company names; 
• using subsidiaries or branches; 
• using third-country nationals in corporate ownership structures; or 
• registering in jurisdictions with opaque corporate registers where information on ultimate beneficial ownership is not easily accessible

Actions and controls 

• Screen customers against the DFAT consolidated list for known terrorists and sanctioned entities
• Conduct further identification and verification processes in relation to customers who are corporations, including cross-checking for corporations sharing details with other entities. 

Suspicious matter reporting

If you suspect that a customer or transaction is linked to a crime, you must submit a suspicious matter report (SMR) to AUSTRAC and conduct enhanced customer due diligence in accordance with your AML/CTF program. 

The timeliness of your SMRs is critical to protecting Australians from serious crime, including terrorism. SMRs for terrorism related matters must be lodged within 24 hours of forming the suspicion. All other SMRs must be lodged within three business days after the day on which you form the suspicion. This applies even if you have reported the matter to another law enforcement agency or organisation. 

Where possible, you should collect the following information and include it in SMRs:

• IP addresses with a timestamp of when the interaction or transaction occurred
• Inbound IP source port
• Device identifiers, for example, Media Access Control (MAC) addresses
• International Mobile Equipment Identity (IMEI) number
• Details of system or account compromise, e.g. malware or ransomware.

Related pages

• Your industry
• Suspicious matter reports (SMRs)
• Enhanced customer due diligence (ECDD) program
• Proliferation financing in Australia national risk assessment 2022
• Terrorism financing in Australia national risk assessment 2024
• Money laundering in Australia national risk assessment 2024