Reviewing and updating customers’ ML/TF risk and KYC information (Reform)
Learn about your ongoing customer due diligence (CDD) obligations on reviewing and updating:
- your customer’s money laundering, terrorism financing and proliferation financing risk (we refer to these as ML/TF risk)
- know your customer (KYC) information relating to a customer.
This section refers to the Act sections 26F and 30.
If you have a business relationship with a customer, you must both:
- review and, if appropriate, update your identification and assessment of the customer’s ML/TF risk
- periodically review and, if appropriate, update and reverify KYC information relating to the customer.
Your customer’s ML/TF risk profile and KYC information may change over time.
To make sure you’re appropriately identifying and responding to this, your anti-money laundering and counter-terrorism financing (AML/CTF) policies must set out how:
- often you’ll review and update different kinds of customers’ KYC information, including the behaviour and triggers that prompt further checks
- you’ll make sure you’re applying appropriate measures if there’s a change to their ML/TF risk.
We expect your AML/CTF policies to describe how you’ll identify changes in a customer’s circumstances and KYC information that may impact their ML/TF risk.
If you don’t do this, you may not be able to show that you can appropriately manage and mitigate your customer’s ML/TF risks on an ongoing basis.
When you must review and update the customer’s ML/TF risk
This section refers to the Act section 30.
You must review and, where appropriate, update your assessment of the customer’s ML/TF risk if there’s a change to any of the following:
- your business’ ML/TF risk assessment which could impact how you identify and assess customers’ ML/TF risk
- the type of customer, such as becoming a politically exposed person or changing their corporate structure or beneficial owners
- the kinds of designated services you’re providing or are asked to provide
- the channels you use to deliver designated services to the customer, such as the involvement of an agent, or changing to online service delivery
- the countries you deal with when providing designated services to the customer.
You must do this if your customer is involved in unusual transactions or behaviour that may give rise to a suspicious matter report (SMR) obligation.
Example: Identifying that a customer has become a politically exposed person (PEP)
Company Y periodically checks their customers for any changes to PEP status. When conducting an open source check on one of their customers, a staff member identifies a potential match to a new domestic PEP.
The compliance officer confirms the match and updates the customer’s ML/TF risk rating in accordance with their ML/TF risk assessment.
Company Y applies measures to manage and mitigate the updated ML/TF risk, including more frequent reviews of their KYC information and more intensive transaction monitoring.
When you must review and update KYC information
This section refers to the Act sections 26F and 30 and the Rules section 5–2.
You must review, and where appropriate, update and reverify, your customer’s KYC information at a frequency appropriate to their ML/TF risk.
You must also review, and if appropriate, update and reverify KYC information in certain circumstances, including if any of the following occur:
- you have doubts about whether the information previously collected is adequate or true
- the customer, their beneficial owner, or a person on whose behalf the customer is receiving a designated service becomes a foreign PEP
- the customer, their beneficial owner, or a person on whose behalf the customer is receiving a designated service becomes a domestic or international organisation PEP, and their ML/TF risk is high.
Your AML/CTF policies must also set out additional circumstances where you’ll collect, or collect and verify, additional KYC information in relation to a customer, including details about their source of funds and source of wealth.
Triggers could include if:
- your customer seeks a new designated service or product that has a higher ML/TF risk
- there’s a sudden and unexplained increase in transaction volumes
- you become aware of changes to their corporate structure or beneficial owners
- there are sudden or recurring changes within a customer’s business model
- you become aware of potential changes to their KYC information, for example, during interactions with your customer
- there’s a change to the way you deliver services to the customer, for example, the involvement of an agent, or changing to online service delivery
- there’s a change to the countries you deal with when providing designated services to the customer.
How to review, reverify and update the customer’s ML/TF risk and KYC information
We expect your AML/CTF policies to set out how you’ll review, update and reverify your customers’ ML/TF risk and KYC information in a way that’s appropriate to the customer’s risk.
For example, this may include:
- asking customers to confirm or update information when you have face-to-face or telephone contact
- using your business app to alert customers they need to confirm or update their information
- identifying how frequently you’ll review different kinds of customers’ KYC information
- processes to request and verify information following changes to your customer’s ownership structures, beneficial owners or persons acting on their behalf
- processes to confirm source of funds and source of wealth, where appropriate.
The way that you update KYC information relating to the customer, and the frequency with which you do so, must be appropriate to their ML/TF risk.
For example, you don’t need to collect and reverify information relating to an individual customer’s identity if the verification data, such as an identity document, has expired. This doesn’t change the customer’s identity or their ML/TF risk.
Learn more about collecting and verifying KYC information.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.