Customer identification and due diligence overview
As a reporting entity, you must identify and know your customers.
Your customer identification procedures – know your customer (KYC) procedures – must be documented in Part B of your AML/CTF program. All AML/CTF programs must include a Part B program.
To identify, mitigate and manage money laundering and terrorism financing (ML/TF) risk, you need ongoing customer due diligence processes. This includes developing and documenting an enhanced customer due diligence program and a transaction monitoring program in Part A of your AML/CTF program.
Holders of an Australian Financial Services Licence (AFSL) who arrange for their customers to receive a designated service, and do not provide any other designated services, do not have to have a Part A program.
Customer identification and ongoing customer due diligence processes will help you identify unusual transactions and behaviour, to identify and manage high-risk customers and report suspicious matters when appropriate.
Identifying customers before providing a designated service
- As of 17 June 2021, changes to the AML/CTF Act to explicitly prohibit reporting entities from providing a designated service if customer identification procedures cannot be performed.
You must not provide a designated service to a customer unless applicable customer identification procedures (ACIP) have been carried out.
This obligation applies regardless of whether it involves a one-off transaction or an ongoing business relationship.
Note there are some exceptions to this obligation, for more details see Exceptions to verifying a customer before providing a designated service.
Identifying and verifying customers: Part B of your AML/CTF program
Part B of your written AML/CTF program must document in detail the procedures you use to identify your customers and verify that their information is correct. After using these ‘applicable customer identification procedures’ you must be reasonably satisfied that:
- an individual customer is who they claim to be
- a customer who is not an individual (such as a company, association or trust) is a real entity and you know the details of its beneficial owners.
Applicable customer identification procedures
Applicable customer identification procedures (ACIP) include:
- collecting and verifying customer identification information through know your customer procedures
- identifying and verifying the beneficial owner(s) of a customer
- identifying whether a customer or beneficial owner of a customer is a politically exposed person (PEP)
- getting information on the purpose and intended nature of the business relationship.
Your ACIP must consider, among other things:
- the nature, size and complexity of your business
- the purpose of your business relationship with your customers
- the type of ML/TF risk you might reasonably face
- customer types (including beneficial owners and politically exposed persons)
- customers’ sources of funds and wealth
- control structures of non-individual customers
- types of designated services provided
- how you deliver these services
- the foreign jurisdictions you deal with.
If there is a higher risk associated with a customer, you will need to collect and verify more information to ensure you are reasonably satisfied that your customers are who they claim to be and that you are effectively managing your ML/TF risk.
Your systems and controls must:
- consider the ML/TF risks identified
- include procedures to collect and verify information relating to a customer's agent.
Your staff and, if applicable, your agents, must understand your ACIP and you must monitor and ensure compliance with these procedures.
In most cases, it is a requirement to carry out ACIP before providing a designated service, and the designated service must not be provided if a customer cannot first meet the ACIP requirements. Not carrying out your ACIP due to customers being unhappy or uncooperative puts your business and your community at greater risk and is a breach of your obligations.
Failure to correctly conduct ACIP on customers can significantly impact ongoing identification, mitigation and management of ML/TF risks and introduce risks across all aspects of AML/CTF compliance.
Ongoing customer due diligence procedures: Part A of your AML/CTF program
Part A of your AML/CTF program must include ongoing customer due diligence (OCDD) systems and controls to decide whether additional customer and beneficial owner information should be collected and verified on an ongoing basis.
OCDD includes ensuring the information you have about your customer is up to date, and processes for transaction monitoring and enhanced customer due diligence (ECDD). Enhanced customer due diligence procedures must be applied when there is a high risk of money laundering or terrorism financing.
Systems that carry out OCDD must be able to identify ML/TF risks, and be able to mitigate and manage those risks. For example, when unusual customer behaviour or other triggers are identified, you must conduct ECDD to investigate the risks further, and determine whether additional action is required to mitigate those risks.
Monitoring is not limited to identifying, mitigating or managing the risks posed by individual customers. Ongoing monitoring should also identify patterns of risk across customers and mitigate and manage that risk at a business level.
You must be proactive and monitor your customers throughout your entire relationship with them.
Updates to customer due diligence requirements
If you cannot perform ACIP because you:
- have doubts about the veracity or adequacy of previously obtained documents or information obtained when conducting ACIP or when relying on a reliable third party, or
- suspect on reasonable grounds that the customer is not the person that the customer claims to be, you must consider whether the circumstances are suspicious.
You must take reasonable measures to re-verify the customer’s identity or obtain additional KYC information to identify and verify the customer and ensure that you are satisfied that the customer is who they say they are.
You must have appropriate risk-based systems and controls to determine when to re-verify a customer or obtain additional KYC information as part of keeping your customer information up to date.
If you suspect that documents presented by a customer are fraudulent or stolen, submit an SMR to AUSTRAC.
The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.