Customer identification: Know your customer (KYC)
As a reporting entity you must apply customer identification procedures to all your customers. Part B of your AML/CTF program is solely focused on these ‘know your customer’ (KYC) procedures.
You must document the customer identification procedures you use for different types of customers. The procedures you use must be based on the level of money laundering/terrorism financing risk that different customers pose.
You must check a customer’s identity by collecting and verifying information before providing any designated services to them. You must identify both individual customers (people) and non-individual customers (such as companies, associations or trusts).
After checking a customer’s identity you must be satisfied that:
- an individual customer is who they claim to be
- a customer who is not an individual is a real entity (a business or organisation that actually exists) and you know the details of its beneficial owners.
KYC and being familiar with your customers’ typical financial transactions makes you aware of any unusual or suspicious activity and reduces the risk of your business or organisation being exploited for money laundering or terrorism financing purposes.
Part B of your AML/CTF program must include:
- how you collect and verify KYC information
- how you collect and verify information about the beneficial owners of your customers
- how you identify customers who are politically exposed persons (PEPs) or who have beneficial owners who are PEPs
- how you respond to discrepancies you find when verifying information you have collected
- the risk-based systems and controls you use to work out whether you need to collect and/or verify further customer information
- how you collect and verify information about agents acting for a customer, including details of the risk-based systems you use to do this.
The identity information you must collect and verify depends on the type of customer and the level of ML/TF risk posed by the customer.
For individual customers, this information includes, as a minimum requirement, their full name as well as either their residential address or date of birth. There are procedures for identifying customers who do not have conventional forms of identification in rare circumstances.
For customers who aren’t individuals, you must collect information so that you are reasonably satisfied the customer actually exists. For example, if the customer is a company in Australia you must collect and verify information including the full name of the company, whether it is registered with the Australian Securities & Investments Commission (ASIC) as a public or proprietary company, and its Australian Company Number (ACN) or Australian Registered Body Number (ARBN).
Information about a customer can be verified using reliable and independent documents or reliable and independent electronic data or a mix of both.
You must complete most of your applicable customer identification procedures before you provide any designated services to the customer. This applies to both one-off transactions and ongoing business relationships.
The required timeframe for identifying the beneficial owner of a customer and whether the customer or beneficial owner is a politically exposed person is different. You must do this either before you provide the designated service or as soon as possible afterwards.
You may use ‘safe harbour’ procedures to verify your customer’s identity if they are an individual and you have assessed their money laundering and terrorism financing risk as medium or low. These checks are less stringent than those required for high risk customers. You must still verify their full name, and, depending on which you collected, either their date of birth or residential address.
You can use either reliable and independent documents or electronic data to verify the identity of your medium or low risk customer.
For documents, you must use original or certified copies of primary or secondary documents. For electronic data, you must use at least two separate data sources to verify customer information. This can include records from credit reporting agencies.
The simplified company verification procedure only applies if you can confirm the company is one of the following:
- a domestic (registered in Australia) company, listed on an Australian stock exchange
- a majority-owned subsidiary of a domestic company listed on an Australian stock exchange
- licensed and regulated by a Commonwealth, state or territory government regulator.
Documents obtained from at least one of the following will confirm this and can be used as verification:
- searching the relevant domestic stock exchange
- a public document issued by the company (such as an annual report)
- searching a relevant Australian Securities and Investments Commission (ASIC) database
- searching the licence or other records of the relevant regulator.
The simplified trust verification procedure only applies if you can confirm the trust is one of the following:
- a managed investment scheme registered by ASIC
- an unregistered managed investment scheme that only has wholesale clients and does not make small scale offerings
- a trust registered with and regulated by an Commonwealth Government regulator
- a government superannuation fund established under legislation.
Confirming that your customer fits one of the above criteria is sufficient verification.
You must have risk-based systems and controls in place to deal with discrepancies you notice while verifying customer information, such as if someone’s name on their passport doesn’t match the name they gave you, or the name of a director provided by a company doesn’t appear on the company search extract. If you notice inconsistencies, you should collect more information from your customer. The procedures you document to deal with this situation must be appropriate for your business or organisation.
If a customer gives you identification documents in a language other than English, you should use an accredited translator to translate them into English, unless you or an employee understand the language used. In that case, you can translate the document/s into English yourself, but you should keep a record for other employees and to show AUSTRAC.
The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.