Customer identification and verification

As a reporting entity, you must identify and know your customers.

Your customer identification procedures – know your customer (KYC) procedures – must be documented in Part B of your AML/CTF program. All AML/CTF programs must include a Part B program.

To identify, mitigate and manage money laundering and terrorism financing (ML/TF) risk, you need ongoing customer due diligence processes. This includes developing and documenting an enhanced customer due diligence program and a transaction monitoring program in Part A of your AML/CTF program.

Holders of an Australian Financial Services Licence (AFSL) who arrange for their customers to receive a designated service, and do not provide any other designated services, do not have to have a Part A program.

Customer identification and ongoing customer due diligence processes will help you identify unusual transactions and behaviour, to identify and manage high-risk customers and report suspicious matters when appropriate.

Identifying customers before providing a designated service

  • As of 17 June 2021, changes to the AML/CTF Act to explicitly prohibit reporting entities from providing a designated service if customer identification procedures cannot be performed.

You must not provide a designated service to a customer unless applicable customer identification procedures (ACIP) have been carried out.

This obligation applies regardless of whether it involves a one-off transaction or an ongoing business relationship.

Note there are some exceptions to this obligation, for more details see Exceptions to verifying a customer before providing a designated service.

Identifying and verifying customers: Part B of your AML/CTF program

Part B of your written AML/CTF program must document in detail the procedures you use to identify your customers and verify that their information is correct. After using these ‘applicable customer identification procedures’ you must be reasonably satisfied that:

  • an individual customer is who they claim to be
  • a customer who is not an individual (such as a company, association or trust) is a real entity and you know the details of its beneficial owners.

Applicable customer identification procedures

Applicable customer identification procedures (ACIP) include:

Your ACIP must consider, among other things:

  • the nature, size and complexity of your business
  • the purpose of your business relationship with your customers
  • the type of ML/TF risk you might reasonably face
  • customer types (including beneficial owners and politically exposed persons)
  • customers’ sources of funds and wealth
  • control structures of non-individual customers
  • types of designated services provided
  • how you deliver these services
  • the foreign jurisdictions you deal with.

If there is a higher risk associated with a customer, you will need to collect and verify more information to ensure you are reasonably satisfied that your customers are who they claim to be and that you are effectively managing your ML/TF risk.

Your systems and controls must:

  • consider the ML/TF risks identified
  • include procedures to collect and verify information relating to a customer's agent.

Your staff and, if applicable, your agents, must understand your ACIP and you must monitor and ensure compliance with these procedures.

In most cases, it is a requirement to carry out ACIP before providing a designated service, and the designated service must not be provided if a customer cannot first meet the ACIP requirements. Not carrying out your ACIP due to customers being unhappy or uncooperative puts your business and your community at greater risk and is a breach of your obligations.

Failure to correctly conduct ACIP on customers can significantly impact ongoing identification, mitigation and management of ML/TF risks and introduce risks across all aspects of AML/CTF compliance.

SmallBank is a small mutual bank. One of three directors of ShopCo, a small retail business, attends a branch of SmallBank and applies to open an account for the company.

As part of its ACIP, SmallBank asks ShopCo to provide identification relating to the company, which ShopCo provides. The SmallBank staff member verifies the information and enters it into SmallBank’s system, however accidentally misses one of the three directors, Jane Director.

The minimum ACIP information required for a proprietary company includes the names of each director.

Alerts are triggered and SmallBank carries out enhanced customer due diligence

Six months later, the account triggers an alert in SmallBank’s transaction monitoring program as a result of a spike in cash transactions into ShopCo’s business account. SmallBank reviews the alert, however determines that it is not suspicious. However, the account is flagged for enhanced monitoring of future activities.

Meanwhile, SmallBank’s transaction monitoring program triggers another red flag for similar activity on a personal account held by Jane Director. Jane Director’s account was previously flagged by SmallBank as a result of suspicious transactions and links to a local organised crime group.

SmallBank takes further action and corrects its records

SmallBank undertakes a review  and as a result forms a suspicion, undertakes enhanced customer due diligence (ECDD) and reports a suspicious matter report (SMR) to AUSTRAC. At this stage, however, SmallBank is not aware of the links between ShopCo and Jane Director.

Over the next three months, the cash transactions into ShopCo’s business account increase in size and frequency, triggering new alerts on SmallBank’s transaction monitoring program. SmallBank deems this to be suspicious, undertakes ECDD and provides an SMR to AUSTRAC.  ECDD includes verifying the information collected when the account was opened, revealing the link with Jane Director.

SmallBank corrects its records on ShopCo, which links the two accounts and triggers more alerts on both accounts as well as SMRs and further ECDD.

The impact of carrying out ACIP incorrectly

SmallBank’s error at the account opening stage allowed ShopCo to use SmallBank for suspected illegal activities, resulting in a failure to provide AUSTRAC and law enforcement valuable intelligence. After finding the error, SmallBank introduced a secondary assurance process for new customers to ensure that they are appropriately managing and mitigating their ML/TF risk. SmallBank also engaged a third party to undertake a review of its customer records to determine whether any other similar errors had occurred.

Ongoing customer due diligence procedures: Part A of your AML/CTF program

Part A of your AML/CTF program must include ongoing customer due diligence (OCDD) systems and controls to decide whether additional customer and beneficial owner information should be collected and verified on an ongoing basis.

OCDD includes ensuring the information you have about your customer is up to date, and processes for transaction monitoring and enhanced customer due diligence (ECDD). Enhanced customer due diligence procedures must be applied when there is a high risk of money laundering or terrorism financing.

Systems that carry out OCDD must be able to identify ML/TF risks, and be able to mitigate and manage those risks. For example, when unusual customer behaviour or other triggers are identified, you must conduct ECDD to investigate the risks further, and determine whether additional action is required to mitigate those risks.

Monitoring is not limited to identifying, mitigating or managing the risks posed by individual customers. Ongoing monitoring should also identify patterns of risk across customers and mitigate and manage that risk at a business level.

You must be proactive and monitor your customers throughout your entire relationship with them. 

Updates to customer due diligence requirements

If you cannot perform ACIP because you:

  • have doubts about the veracity or adequacy of previously obtained documents or information obtained when conducting ACIP or when relying on a reliable third party, or  
  • suspect on reasonable grounds that the customer is not the person that the customer claims to be, you must consider whether the circumstances are suspicious.

You must take reasonable measures to re-verify the customer’s identity or obtain additional KYC information to identify and verify the customer and ensure that you are satisfied that the customer is who they say they are.

You must have appropriate risk-based systems and controls to determine when to re-verify a customer or obtain additional KYC information as part of keeping your customer information up to date.

If you suspect that documents presented by a customer are fraudulent or stolen, submit an SMR to AUSTRAC.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 17 Jan 2024
Page ID: 23

Was this page helpful?

Was this page helpful?
Please note that feedback you provide here will be used only for the purpose of improving our website. If you have a specific question about your AML/CTF obligations, please contact us.