Know Your Customer (KYC): Guide for Businesses
Written byMatt LeeburnWhat is Know Your Customer (KYC)?
Know Your Customer (KYC) is the set of processes a reporting entity uses to identify and verify the identity of customers, understand their business relationships, and assess the money-laundering and terrorism-financing risk they pose. KYC sits at the core of customer due diligence (CDD) and supports the objectives of the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework by preventing misuse of financial and commercial services for illicit purposes.
KYC is not a single act but an ongoing program: initial identification and verification, a risk assessment that determines the level of monitoring required, and continuous scrutiny of transactions and relationships. Good KYC practices combine documentary evidence, electronic checks and pragmatic "reasonable steps" when dealing with complex ownership structures.
Why KYC matters for your business
KYC protects your business from legal, financial and reputational harm by reducing exposure to fraud, bribery and sanctioned parties; enabling early detection of suspicious activity and timely reporting; demonstrating to regulators that your AML/CTF controls are effective; and preserving customer trust by showing you manage risk responsibly.
Failure to apply adequate KYC can lead to regulatory enforcement, remediation costs, operational disruption, and loss of licence or contracting counterparties. For lenders, payment service providers and merchants, robust KYC is both a risk-management and trust-building tool.
Legal and regulatory framework
KYC obligations arise from the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and associated Rules, together with regulator guidance. The regulator sets expectations on customer identification, verification, record keeping and reporting, and publishes detailed guidance on applying "reasonable steps" and enhanced due diligence.
Key statutory and guidance sources include the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (primary legislative basis) and AUSTRAC guidance on customer identification and verification, reporting and record keeping, and enforcement outcomes.
Reporting categories that closely interact with KYC are Suspicious Matter Reports (SMRs), Threshold Transaction Reports (TTRs), and International Funds Transfer Instructions (IFTIs).
Record retention obligations and evidentiary standards are set out in the legislation and AUSTRAC guidance; adopt a defensible internal policy that meets legislative minimums and preserves an audit trail.
Who must comply (reporting entities)
Reporting entities include a broad range of businesses that provide designated services and thus must implement KYC as part of AML/CTF compliance. Typical examples include banks, credit providers and lenders; remittance and cross-border payment providers; casinos and gaming operators; bullion and precious-metal dealers; dealers in high-value goods and certain professional services; and fintech platforms and digital currency exchanges.
Obligations can vary by sector (for example, higher monitoring thresholds in gaming or remittance). Entities that plan to accept or originate business lending should embed KYC within customer onboarding and ongoing account management.
Core KYC obligations (customer due diligence)
Customer due diligence (CDD) is the operational translation of KYC. Core obligations are:
- Identify the customer: capture full legal name, date of birth, address, ABN/ACN or equivalent, and contact details.
- Verify identity: obtain documents or reliable electronic verification to confirm identity.
- Verify beneficial ownership: identify and verify individuals with ownership or control according to thresholds.
- Understand purpose and expected activity: obtain the customer's stated purpose and expected transaction patterns.
- Risk profiling: assign a risk rating (low/standard/high) based on customer type, services used and geographic or product risk.
- Ongoing monitoring: review transactions and periodic information to detect unusual or suspicious behaviour.
- Escalation and reporting: file SMRs where knowledge or suspicion of illicit activity arises and take steps to freeze or terminate relationships if warranted.
A risk-based approach means higher-risk customers (e.g., trust structures, high-net-value cross-border flows) require enhanced due diligence (EDD) and more frequent review.
Acceptable identity verification methods and documents
Verification must be reliable and proportionate. Use primary photo IDs where possible; supplement with secondary documents or electronic verification for corroboration.
For individuals, accept at least one primary photo ID (passport, driver licence, national ID) plus a secondary corroborator if risk is higher (utility bill, rates notice). For companies, obtain an official registry extract showing company name, ACN/ABN, registered office and officeholders, and verify beneficial owners (shareholders with >25% or otherwise controlling). For trusts, verify the trustee's identity (corporate or individual) and take reasonable steps to identify beneficiaries and settlors as required.
When documentary evidence is not available, document the "reasonable steps" taken (e.g., public registry searches, third-party confirmations). Maintain a complete audit trail.
Electronic KYC and digital identity verification
Electronic KYC (eKYC) uses digital identity services, facial biometrics, document scanning (OCR), and real-time registry checks to speed onboarding and improve reliability. Key considerations include using reputable identity providers that produce a verifiable audit trail (date/time, IP, device, document images, results); combining methods such as document authentication, liveness/bio check, and authoritative database match (e.g., government or licensing databases); retaining copies of scanned documents and provider results for the required retention period; and applying the same risk-based thresholds (eKYC is appropriate for standard-risk customers; high-risk relationships still require enhanced, often manual, checks).
Keep vendor due diligence records (contract, security and privacy assessments, vendor reports) to show you assessed the provider.
Beneficial ownership, trusts and complex structures
Complex ownership structures increase ML/TF risk and require careful handling. Identify ultimate beneficial owners (UBOs) — natural persons who ultimately own or control the customer (common threshold >25% equity or otherwise exercise control). For layered entities, trace ownership to natural persons and document steps taken if ownership is obscured. For trusts, verify the trustee and take reasonable steps to identify beneficiaries, settlors and appointors if they exercise control. Where ownership cannot be established, document and escalate: apply enhanced monitoring, consider refusing the relationship if risk cannot be mitigated.
Practical "reasonable steps" include registry searches, corporate filings, shareholder registers, solicitor confirmations, and third-party attestations. Record results and justifications.
Politically exposed persons (PEPs), sanctions and enhanced due diligence
PEPs and sanctioned parties pose elevated risk and generally trigger enhanced due diligence (EDD). PEPs are individuals with prominent public functions domestically or abroad, their family members and close associates. Screening should be performed at onboarding and periodically. Sanctions screening requires checking customers and counterparties against government and international sanctions lists; block or refuse prohibited transactions.
EDD measures may include senior-level approval to onboard/retain the customer; independent source verification of funds and wealth; more frequent transaction reviews and lower transaction thresholds for alerts; and contractual restrictions and enhanced monitoring technology.
Integrate PEP and sanctions screening into the KYC workflow and document decisions and approvals for EDD outcomes.
Reporting obligations and record keeping
KYC feeds reporting duties. Reporting obligations tied to KYC include Suspicious Matter Reports (SMRs) filed where knowledge or suspicion exists about money laundering, terrorism financing or related predicate offences; Threshold Transaction Reports (TTRs) reporting cash transactions above the legislated threshold; and International Funds Transfer Instructions (IFTIs) reporting cross-border instructions per reporting rules.
Record-keeping minimums require retaining identity and verification records, transaction histories, risk assessments and SMR/TTR/IFTI evidence for the statutory retention period (generally seven years from the end of the relationship or relevant transaction). Preserve original documents or certified copies where required, and retain electronic records with clear audit trails. Protect records with appropriate access controls, encryption, and retention/deletion policies.
Consequences and enforcement — what happens if you fail KYC
Regulatory consequences for poor KYC include investigations, enforcement actions and remedial directions. Common enforcement themes include failing to verify customer identity or to take reasonable steps to identify beneficial owners; weak or absent transaction monitoring and failure to report suspicious matters; and inadequate record-keeping or failure to maintain an audit trail of checks.
Outcomes may include enforceable undertakings, remediation notices, civil penalties, and in serious cases, criminal investigations. When breaches are identified, an effective remediation program (root-cause analysis, staff retraining, system fixes, and retrospective reviews) will be expected.
Practical KYC onboarding checklist (step-by-step)
A concise, front-line checklist for onboarding staff and operations includes the following steps:
- Capture basic customer details (legal name, ABN/ACN, date of birth, address, contact details).
- Select risk profile template based on product, jurisdiction and customer type.
- Request primary verification documents: passport or driver licence for individuals; company extract and director IDs for companies; trust deed and trustee ID for trusts.
- Perform electronic verification (document scan + liveness + registry match) and log provider result.
- Identify and verify beneficial owners (UBOs) using registry searches and shareholder registers.
- Conduct PEP and sanctions screening; document results.
- Complete initial risk assessment and assign monitoring level.
- Approve or escalate higher-risk files to senior compliance or MLRO for EDD.
- Create and store the customer file with all documents, checks, timestamps and staff IDs.
- Set review cadence (e.g., annual for standard risk, 6-monthly for high risk); schedule transaction monitoring alerts.
- If suspicion arises, escalate and consider lodging a SMR promptly. Document the decision path.
Short onboarding flow for front-line staff: Capture → Verify → Screen (PEP/sanctions) → Risk Rate → Approve/Escalate → Monitor → Record.
Provide this checklist as a template in internal SOPs and adapt to your product lines and regulatory obligations.
Common pitfalls and best practice tips
Common pitfalls to avoid include relying on a single limited evidence source (use multi-factor verification instead); treating KYC as a one-off check (implement continuous monitoring); poor documentation of "reasonable steps" when ownership cannot be immediately verified; inadequate vendor due diligence on eKYC providers (maintain vendor risk files); and not aligning KYC controls with transaction monitoring rules (ensure integration).
Best practice tips include keeping a clear audit trail for every decision; using tiered risk templates to standardise responses; training frontline staff regularly on red flags and reporting; maintaining secure, searchable digital storage for records; and integrating KYC with CRM, transaction monitoring systems and sanctions lists to automate screening and audit logging.
FAQ
Which documents are acceptable for individual verification?
Primary photo ID such as a passport, driver licence or national identity card; secondary proof (utility bill, financial statement) can corroborate address. Retain copies or certified electronic images and document the verification method.
How long must I keep KYC records?
Maintain records for the statutory retention period (commonly seven years from the end of the relationship or transaction). Keep electronic audit trails, verification outputs and any SMR/TTR/IFTI files.
When must I file a suspicious matter report?
File an SMR when you know or reasonably suspect the customer's funds are linked to money laundering, terrorism financing or related offences. Report promptly and retain supporting evidence.
What are reasonable steps to identify a beneficial owner?
Registry searches, shareholder registers, solicitor or accountant confirmations, company filings, and requesting certified documents from customers. If ownership remains unclear, escalate under EDD and consider refusal.
Can I use eKYC for high-risk customers?
eKYC is suitable for many customers but high-risk relationships usually require additional verification and manual review. Maintain an audit trail for all eKYC checks.
How often should I re-verify customer identity?
Reverification frequency depends on risk: annual or biennial for standard risk; more frequent for high risk or when indicators (change of ownership, suspicious transactions) arise.
What should I do for PEPs and sanctioned parties?
Apply enhanced due diligence for PEPs (senior approval, source of funds checks) and block or refuse business with sanctioned parties per applicable lists. Document decisions and approvals.
Who should approve high-risk onboarding decisions?
A senior compliance officer or MLRO should approve high-risk onboarding and document the rationale and mitigation measures.
Further reading
For authoritative guidance and regulatory sources:
Key takeaways
Know Your Customer (KYC) is a core AML/CTF compliance obligation that requires businesses to identify, verify and continuously monitor their customers to mitigate money-laundering and terrorism-financing risk. Robust KYC practices—combining primary and secondary identity documents, electronic verification, beneficial ownership checks, and PEP/sanctions screening—protect your business from regulatory enforcement, financial loss and reputational harm. Practical implementation includes a clear onboarding checklist, tiered risk templates, comprehensive record-keeping with audit trails, and regular staff training.
This article is general information only and is not legal, tax or financial advice.