
KYC Identity Verification Guide for Australian Businesses

Know Your Customer (KYC) is the cornerstone of AML/CTF compliance. This guide covers every aspect of identity verification under Australian law — from legal requirements through to practical verification methods and what IntelliCompli automates.

Last updated: March 2026 | 20 min read | Australian law

What is KYC and why it matters

Know Your Customer (KYC) is the process of verifying that a customer is who they claim to be before entering into a business relationship or providing a service. In the AML/CTF context, KYC is the foundational control that prevents criminals from using false identities to access financial services and launder money.

Under the AML/CTF Act 2006, KYC is referred to as “customer identification and verification” and forms Part B of every reporting entity's AML/CTF program. The obligation is not merely to collect identity information — it is to verify that information against a reliable, independent source. Self-certification by a customer is not sufficient verification.

KYC applies at the start of a customer relationship (“onboarding KYC”), when a customer conducts a significant transaction, when circumstances change materially, and on a periodic basis under ongoing customer due diligence requirements.

3 steps: Collect, verify, and record — the three steps of compliant KYC

7 years: Minimum record retention for all KYC documentation under the AML/CTF Act

< 60s: Typical time to complete electronic KYC with document + biometric verification

KYC requirements under Australian law

The legal basis for KYC in Australia is found in Part 2 of the AML/CTF Act 2006 and the detailed requirements set out in the AML/CTF Rules 2007 (Chapters 4 and 5). The Rules specify the information that must be collected and the verification methods that are acceptable.

The AML/CTF Rules adopt a “safe harbour” approach — there are prescribed methods that, if followed correctly, provide certainty of compliance. Reporting entities may also use other methods provided they are satisfied the customer's identity has been reliably established. The 2024 amendments modernise these requirements to better accommodate digital and biometric verification.

Core KYC requirements for individuals

Collect

Full legal name
Date of birth
Residential address
For higher-risk: source of funds

Verify using

One primary photographic ID (e.g., passport, driver's licence)
Or: one primary non-photo ID plus one secondary ID
Or: electronic verification (DVS, credit bureau)
For EDD: additional documents + source of funds evidence

Core KYC requirements for businesses

Collect

Registered business name and trading name
ABN or ACN
Registered address
Nature of business
Names of directors and beneficial owners

Verify using

ASIC company search or ABR lookup
Constitutional documents (trust deed, partnership agreement)
Individual KYC on each director and beneficial owner
For higher risk: financial statements, bank references

Types of identity verification

Australian law recognises three primary methods for verifying identity. Each has advantages and limitations. Most modern KYC programs combine methods for the best balance of security and customer experience.

Document verification

The customer presents one or more government-issued identity documents which are sighted and recorded by the reporting entity. This can be in-person or via remote document upload with OCR scanning.

Examples

Australian passport
Australian driver's licence
Medicare card (as secondary document)
Foreign passport with visa
Australian birth certificate
Citizenship certificate

Advantages

Widely accepted, works for all customer types, familiar to customers.

Limitations

Risk of forged or altered documents, labour-intensive for manual review.

Biometric verification

The customer completes a selfie or liveness check that is matched against the photo on their identity document or a government database. Biometric verification significantly reduces the risk of identity fraud.

Examples

Passive liveness detection (no action required)
Active liveness (follow-the-dot, head movement)
Selfie-to-document face match
Face match against government ID database
3D depth analysis for deepfake detection

Advantages

High fraud prevention, fast for customers, audit-ready evidence.

Limitations

Some customers may be uncomfortable; requires mobile device or webcam.

Electronic verification

The customer's identity is verified against authoritative government and commercial data sources without requiring physical documents. In Australia, this includes the Document Verification Service (DVS) and services accredited under the Trusted Digital Identity Framework (TDIF).

Examples

Document Verification Service (DVS) — matches document data against issuer records
Trusted Digital Identity Framework (TDIF) — Australia's national digital identity framework
Credit bureau identity checks (Equifax, Experian, illion)
ATO tax file number verification
Medicare number verification
Electoral roll cross-referencing

Advantages

Fast, scalable, tamper-proof audit trail, low friction for customers.

Limitations

Requires integration with data sources; not all foreign documents are covered.

Verifying individuals vs businesses: KYC vs KYB

The term KYC is commonly used for individual customer verification. Business verification — confirming the legitimacy and ownership of corporate entities — is often called Know Your Business (KYB). Both are required under the AML/CTF Act.

KYC — Individuals

For individual customers, KYC focuses on confirming that the person is who they claim to be. The key risk is identity fraud — using stolen or fabricated identities to open accounts.

Collect: name, DOB, address
Verify: government-issued ID or electronic sources
Check: sanctions lists, PEP databases
For EDD: source of funds, source of wealth
Biometric: liveness + face match for high-risk

KYB — Businesses

For business customers, KYB involves verifying the entity's legal existence, understanding its ownership structure, and identifying the natural persons who ultimately control it — the beneficial owners.

Collect: ABN/ACN, registered name, address
Verify: ASIC records, ABR search
Identify: directors, secretaries, beneficial owners
KYC on each beneficial owner (25%+ stake)
For trusts: verify trustee, settlor, beneficiaries

Beneficial ownership identification

A beneficial owner is any natural person who ultimately owns or controls 25% or more of a business entity, or who otherwise exercises effective control over the entity. Identifying beneficial owners is one of the most critical — and most commonly overlooked — elements of KYB.

For complex corporate structures, you must “look through” the chain of ownership until you reach natural persons at every significant ownership level. If a 40% shareholder is itself a company, you must identify the beneficial owners of that company. For trusts, you must identify the trustee(s), settlor, protector, and all named or identifiable beneficiaries.

Companies

Shareholders with 25%+ voting rights or equity. Ultimate holding company shareholders. Directors with veto rights.

Trusts

Trustee(s), settlor, protector or appointer, and all identifiable beneficiaries. Beneficiary classes must be identified.

Partnerships

All general partners. Limited partners with 25%+ economic interest. Managing partners with control rights.

How IntelliCompli handles KYC

IntelliCompli integrates Stripe Identity for automated document and biometric verification alongside manual KYC workflows for cases where automation is not appropriate.

Stripe Identity — automated KYC

IntelliCompli uses Stripe Identity for automated document verification and biometric liveness checks. Customers complete the verification flow in under 60 seconds on any device.

Document OCR — extracts data from driving licences and passports
Biometric liveness — passive or active selfie liveness check
Face match — photo on document vs selfie
Document authenticity — detects forgery and alteration
Supports 33 countries and 10,000+ document types
Complete audit trail with timestamped evidence

Manual KYC workflow

For customers where automated verification is not appropriate — such as elderly customers, international visitors, or customers with unusual documents — IntelliCompli provides a structured manual KYC workflow.

Guided document collection with required field prompts
Document upload and secure storage
Reviewer assignment with approval workflow
Outcome recording with compliance notes
Escalation to enhanced due diligence
7-year tamper-evident record retention

Cost comparison and options

The cost of KYC varies significantly depending on the method and volume. Here is a guide to the typical cost profile of each approach.

Method | Cost per verification | Speed | Best for
Manual in-person | $15–$50 (staff time) | 5–15 min | In-branch, high-value customers
Document upload (manual review) | $5–$20 (staff time) | 1–24 hours | SMEs, low volume
Electronic (DVS/credit bureau) | $0.50–$3.00 | Seconds | High volume, Australian customers
Automated doc + biometric (Stripe) | $1.50–$5.00 | Under 60 sec | Remote onboarding, international customers

Fallback for verification failures

Where automated verification fails (e.g., blurry document, liveness check failed, international document not supported), IntelliCompli automatically falls back to a guided manual verification workflow. This ensures no customer is blocked from onboarding solely due to technical limitations.

KYC record keeping obligations

Under Part 10 of the AML/CTF Act, reporting entities must retain all KYC records for a minimum of 7 years from the date the record was made or the customer relationship ended. This includes copies of all identity documents, electronic verification results, and biometric evidence.

Records must be stored in a retrievable form. AUSTRAC can request access to KYC records as part of a compliance assessment or law enforcement referral. Inability to produce records promptly is itself a contravention of the Act.

What to retain

Copies of all identity documents (where collected)
Electronic verification results and source used
Biometric evidence (liveness results, face match scores)
Risk rating and the basis for the rating
Name of the staff member who completed verification
Date and method of verification
Any supporting notes or escalation records

How to store records

Secure, access-controlled digital storage
Tamper-evident audit logging for all access and changes
Encryption at rest and in transit
Regular backup with tested recovery procedures
Automated retention policy — records not deleted before 7 years
Searchable and retrievable within 24 hours of AUSTRAC request
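
One way to implement the tamper-evident audit logging and automated retention controls listed above, as an added example that is not IntelliCompli's code. The event fields, function names and the rule of counting seven years from the later of the two dates are assumptions made for illustration.

```python
import hashlib
import json
from datetime import date

RETENTION_YEARS = 7   # minimum retention period stated in the guide
GENESIS = "0" * 64    # previous-hash value for the first entry

def _digest(prev_hash, event):
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_event(log, event):
    """Append an access/change event, chained to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return log[-1]["hash"]

def first_broken_entry(log, anchored_head=None):
    """Index of the first entry that fails verification, or None if intact.

    anchored_head is the last hash as stored outside the log; without it,
    truncating or wholly rewriting the log would go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

def may_delete(today, record_made, relationship_ended=None):
    """Retention guard. Assumption: count from the later date, and never
    delete while the customer relationship is still open."""
    if relationship_ended is None:
        return False
    start = max(record_made, relationship_ended)
    try:
        limit = start.replace(year=start.year + RETENTION_YEARS)
    except ValueError:  # 29 Feb start, target year is not a leap year
        limit = date(start.year + RETENTION_YEARS, 3, 1)
    return today >= limit

def sample_log():
    """Constructed sample events, not real data."""
    log = []
    for who, action in [("reviewer-a", "verify"), ("reviewer-b", "view"), ("admin-c", "export")]:
        append_event(log, {"record": "kyc-0001", "staff": who, "action": action})
    return log
```

The chain only proves integrity if the latest hash is kept somewhere the log's own administrators cannot rewrite, such as a separate system or write-once storage.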

Disclaimer: This content is provided for general informational purposes only and does not constitute legal, financial, or professional compliance advice. While we endeavour to keep this information accurate and up to date, legislation and regulatory guidance change frequently. You should seek independent legal or compliance advice specific to your circumstances before acting on any information in this guide. See our Privacy Policy for how we handle your data.
