1. What Is KYC and Why Does It Matter?
KYC, or Know Your Customer, refers to the process a business uses to verify the identity of its customers and understand who it is doing business with. For money transfer businesses, this means confirming that a customer is who they claim to be before facilitating any transaction on their behalf. KYC is not just a regulatory box-ticking exercise. Its primary purpose is to prevent financial crime — specifically money laundering and the financing of terrorism — by ensuring that businesses cannot be used as vehicles for moving illicit funds. In Australia, the obligation to implement KYC procedures flows directly from the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006, which is administered by AUSTRAC (Australian Transaction Reports and Analysis Centre). If your business provides remittance services, you are a reporting entity under this legislation and are legally required to have a compliant KYC program in place.
💡 Key Takeaway: Failing to perform adequate KYC checks is one of the most common reasons AUSTRAC takes enforcement action against remittance businesses. Even well-intentioned businesses can face penalties if their procedures are incomplete or poorly documented.
2. Understanding Customer Due Diligence (CDD)
Customer Due Diligence is the broader set of processes that includes — but goes beyond — identity verification. While KYC is about confirming who your customer is, CDD is about understanding why they are using your service, what their financial activity looks like, and whether that activity is consistent with what you would expect from a customer in their circumstances.
The Three Tiers of CDD
| CDD Level | When It Applies | Key Actions |
|---|---|---|
| Standard CDD | All customers by default | Verify identity, understand purpose of relationship |
| Simplified CDD | Low-risk customers or transactions | Reduced verification where risk is demonstrably low |
| Enhanced Due Diligence (EDD) | High-risk customers or unusual transactions | Deeper verification, source of funds, senior sign-off |
3. The AUSTRAC Framework and AML/CTF Obligations
AUSTRAC is Australia’s primary financial intelligence and regulatory body for anti-money laundering and counter-terrorism financing. All businesses that provide remittance services and facilitate international transfers must be registered on AUSTRAC’s Remittance Sector Register before they can lawfully operate. Under the AML/CTF Act, registered remittance businesses are required to:
- Develop and maintain a written AML/CTF Program
- Perform customer identification and verification procedures (KYC)
- Conduct ongoing customer due diligence
- Submit transaction reports to AUSTRAC (including threshold transaction reports and suspicious matter reports)
- Keep records for at least seven years
- Train staff on their compliance obligations
⚠️ Important: Operating a remittance business without being registered with AUSTRAC is a criminal offence under the AML/CTF Act. If you are unsure about your registration status or obligations, seek professional guidance before you begin trading. You can learn more about the serious risks of operating without proper authorisation.
4. Step-by-Step KYC Process for Remittance Businesses
Here is how a compliant KYC process typically works for a money transfer business in Australia:
Step 1 — Customer Identification
Before providing any service, you must collect identifying information from your customer. For an individual, this typically includes their full legal name, date of birth, and residential address. For a business customer, you need the entity’s legal name, ABN or ACN, and registered address.
Step 2 — Identity Verification
Collecting information is not enough — you must verify it. This is usually done by checking the customer’s details against a reliable, independent source. Acceptable verification methods under AUSTRAC guidelines include:
- Document-based verification (e.g., a certified copy of a passport or driver’s licence)
- Electronic verification through a recognised identity verification service
- A combination of both approaches (often required for higher-risk customers)
Step 3 — Understanding the Customer Relationship
You must understand the nature and purpose of the customer’s relationship with your business. Why are they sending money? To whom? How frequently? This contextual understanding helps you assess whether future transactions are consistent with what you would expect — and flag anything that seems out of place.
Step 4 — Politically Exposed Person (PEP) Screening
Your KYC process must include checks to identify whether a customer is a Politically Exposed Person — someone who holds, or has held, a prominent public function. PEPs present a higher risk of corruption and require enhanced due diligence. This screening should also extend to close associates and family members of PEPs.
Step 5 — Sanctions Screening
Every customer must be screened against relevant sanctions lists — including those maintained by the Australian Government and international bodies such as the United Nations. If a customer appears on a sanctions list, you must not proceed with the transaction and may have reporting obligations.
5. Customer Risk Levels and Enhanced Due Diligence
Not every customer poses the same level of risk. A well-designed KYC and CDD program must include a risk-based approach — meaning the depth of your checks should be proportionate to the risk the customer or transaction presents.
Factors that typically elevate a customer’s risk profile include:
- Sending funds to or from high-risk jurisdictions (countries identified by FATF as having strategic deficiencies)
- Transactions that are unusually large or structurally complex
- Customers who are reluctant to provide identification or explanation for their activities
- PEP status or close association with a PEP
- Inconsistencies between the customer’s stated purpose and their actual transaction behaviour
Where a customer is assessed as high-risk, you must apply Enhanced Due Diligence. This involves more rigorous identity verification, obtaining evidence of the source of funds, seeking senior management approval before establishing or continuing the relationship, and more frequent ongoing monitoring.
Understanding how to calibrate your risk approach is one of the areas where many businesses struggle. A detailed review of how remittance operators can avoid common compliance errors can help you build a more robust internal framework from the outset.
6. Ongoing Monitoring and Record-Keeping
KYC is not a one-time event that happens when a customer first signs up. Your obligations continue throughout the entire customer relationship. This is what AUSTRAC calls ongoing customer due diligence.
What Ongoing Monitoring Involves
Ongoing monitoring means regularly reviewing your customers’ transaction patterns and updating their KYC information when it changes. For example:
- If a customer suddenly starts sending much larger amounts than they previously did, that should trigger a review.
- If a customer’s circumstances change — for instance, they become a PEP — your records should reflect that and your approach should adjust accordingly.
- If a customer’s identification documents expire or their address changes, those records should be updated.
Record-Keeping Requirements
Under the AML/CTF Act, you are required to retain all KYC and transaction records for a minimum of seven years. These records must be stored in a way that allows them to be retrieved and provided to AUSTRAC upon request. Digital records are acceptable, provided they are secure and backed up appropriately.
📁 Pro Tip: Invest in a compliance management system early. Trying to reconstruct seven years of customer records manually is not just time-consuming — in the event of a regulatory review, disorganised records can be almost as damaging as having no records at all.
7. Common KYC Mistakes and How to Avoid Them
Even businesses with good intentions can fall short when it comes to KYC compliance. Here are the most common pitfalls and how to sidestep them:
- Using a generic AML/CTF program. Templates can be a starting point, but your program must be tailored to your specific business model, customer base, and risk profile. AUSTRAC expects to see evidence that you have genuinely assessed your risks.
- Failing to re-verify customers. Customer information changes. If you verified a customer’s identity five years ago and have not updated those records since, you may not be compliant today.
- Ignoring low-value transactions. Financial criminals often use a technique called “structuring” — breaking up large transactions into smaller ones to avoid detection. Your monitoring systems need to be able to detect patterns, not just individual transaction values.
- Poor staff training. Your compliance program is only as effective as the people implementing it. Regular, documented training for all relevant staff is a regulatory requirement — not an optional extra.
- Not filing suspicious matter reports. If you identify a suspicious transaction, you are legally obligated to file a Suspicious Matter Report (SMR) with AUSTRAC. Failing to do so — even if the transaction ultimately turns out to be legitimate — is a breach of your obligations.
Frequently Asked Questions
KYC (Know Your Customer) is the identity verification component of your compliance obligations — confirming who your customer is. Customer Due Diligence (CDD) is broader and includes understanding why customers use your service, assessing their risk level, and monitoring their activity over time. KYC sits within the CDD framework.
Yes. Any business registered with AUSTRAC as a remittance provider — whether as an independent dealer, network provider, or affiliate — is legally required to perform KYC checks on its customers as part of its AML/CTF obligations.
Common documents include an Australian passport, driver’s licence, Medicare card, or foreign passport. For electronic verification, AUSTRAC-approved identity verification services are acceptable. The documents used should be current, original (or certified copies), and sufficient to confirm the customer’s full name, date of birth, and residential address.
Enhanced Due Diligence (EDD) is a deeper level of customer verification applied to higher-risk customers or transactions. It is required when a customer is a Politically Exposed Person, when transactions involve high-risk countries, or when a customer’s behaviour raises concerns. EDD typically involves verifying the source of funds and obtaining senior management approval.
Under the AML/CTF Act, you must retain all customer identification, verification, and transaction records for a minimum of seven years. These records must be accessible and able to be provided to AUSTRAC upon request.
AUSTRAC has a range of enforcement powers, including issuing infringement notices, imposing civil penalties, accepting enforceable undertakings, and referring matters for criminal prosecution. Penalties can be substantial — in some cases running into tens of millions of dollars. Non-compliance can also result in suspension or cancellation of your registration.
Yes, and many businesses do. There are a number of AUSTRAC-compliant electronic identity verification services available in Australia. However, technology is a tool — not a substitute for having a sound compliance framework, trained staff, and well-documented policies and procedures. You remain responsible for the adequacy of your KYC program regardless of the tools you use.
Yes, if their circumstances change or if your ongoing monitoring identifies a change in their risk profile. You should also conduct periodic reviews of your customer base — particularly for long-standing customers who were onboarded before your current KYC procedures were in place. Any gaps in verification should be remediated promptly.



