KYC Information

In the Australian financial landscape, KYC Information is the first line of defense against money laundering, terrorism financing, and proliferation financing. As we enter 2026, the regulatory environment has undergone its most significant transformation in decades.

With the full implementation of Tranche 2 reforms, the obligation to “Know Your Customer” now extends far beyond banks to include lawyers, accountants, and real estate agents.

For compliance officers and business owners, understanding exactly what KYC information must be collected and how it must be verified is no longer optional; it is a statutory mandate enforced by AUSTRAC.

What Is KYC Information Under Australia’s AML/CTF Law?

KYC (Know Your Customer) refers to the process of collecting and verifying identifying information about a client. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, KYC is the foundational component of Customer Due Diligence (CDD).

The primary purpose of KYC information is to ensure that a business is reasonably satisfied that a customer is who they claim to be. This transparency prevents criminals from using anonymous accounts or shell companies to move illicit funds.

Within your AML/CFT Program, KYC procedures reside in Part B, which outlines the specific systems and controls your business uses to identify and verify every customer before providing a designated service.

KYC Information vs KYC Process – What Is the Difference?

Many businesses use the terms KYC information and KYC process interchangeably. They are related, but they are not the same thing.

KYC information is the actual data you collect and use to identify a customer and assess their money laundering and terrorism financing (ML/TF) risk. According to AUSTRAC, KYC information includes both:

• Information obtained from the customer
• Information obtained from other reliable sources

This can include identity details, ownership structure, control information, business activity, and risk indicators.

The KYC process, on the other hand, refers to the procedures documented in your AML/CTF program (particularly Part B). It explains:

• How you collect customer information
• How you verify that information
• How you assess risk
• How you document decisions
• When you escalate or apply enhanced due diligence

In simple terms:

• KYC information = the data
• KYC process = the system you use to collect and assess that data

Your compliance program must clearly describe both. Having information without a documented process is not enough. And having a process without proper evidence is equally risky.

What KYC information Must Be Collected in Australia?

The specific data points you must collect depend on whether the customer is an individual, a company, or a trust.

For Individuals

At a minimum, you must collect:

• Full name
• Date of birth AND/OR Residential address

For Companies and Trusts

You must verify the legal existence of the entity and its structure, including:

• Full name of the entity and its ACN/ARBN.
• Registered office address and principal place of business.
• Beneficial Ownership: You must identify any individual who ultimately owns or controls 25% or more of the entity.
• PEP Screening: Determining if the customer or beneficial owner is a Politically Exposed Person (PEP).

KYC Information and Customer Due Diligence (CDD) Obligations

KYC is not a “one-off” event at onboarding. Under the 2026 AUSTRAC Rules, CDD is a continuous cycle:

• Initial CDD: Completed before providing any designated service. This involves collecting KYC information and verifying it against reliable and independent sources (such as the Document Verification Service (DVS)).
• Ongoing Customer Due Diligence (OCDD): You must monitor the customer relationship to ensure their transactions align with their known risk profile. If a customer’s circumstances change such as a sudden change in beneficial ownership you must update and re-verify their KYC information.
• Enhanced Customer Due Diligence (ECDD): Required when a customer is high-risk, a foreign PEP, or when a suspicious matter arises. This involves deeper dives into the Source of Wealth (SoW) and Source of Funds (SoF).

KYC Information Requirements

The Tranche 2 reforms have brought a new wave of “gatekeeper” industries into the regulatory net. As of July 1, 2026, the following sectors must implement full KYC and CDD procedures:

• Lawyers and Conveyancers
• Accountants
• Real Estate Agents
• Trust and Company Service Providers

For these professionals, client onboarding can no longer rely on a simple handshake or an unverified business card. Real estate agents, for example, must now verify the identity of both buyers and sellers in property transactions.

For firms previously unregulated, Tranche 2 readiness advisory is essential to transition from informal “client files” to AUSTRAC-compliant digital identity verification systems.

Common Mistakes When Collecting KYC Information

Even seasoned reporting entities often stumble on the following:

• Expired Documents: Accepting a driver’s licence that has expired (Note: AUSTRAC allows passports expired within the last 2 years, but most other IDs must be current).
• Unverified Beneficial Owners: Identifying the company but failing to “look through” to the actual humans who control the shares.
• Manual Errors: Relying on physical photocopies that are illegible or not properly certified.
• Static KYC: Failing to refresh data during the OCDD process, leading to “stale” records that no longer reflect the client’s risk.

Record-Keeping Obligations for KYC Information

In the eyes of AUSTRAC, “if it isn’t documented, it didn’t happen.”

• Retention Period: You must keep all KYC and verification records for the entire duration of the customer relationship and for seven years after the relationship ends.
• Format: Records must be stored securely (digital or physical) and be “readily accessible” for an AUSTRAC inspection.
• Audit Trail: You must be able to demonstrate exactly what steps you took to verify the information and who approved the onboarding.

How to Strengthen KYC Information Controls

To ensure your business remains compliant and avoids the multi-million dollar penalties recently handed down by AUSTRAC, you should:

• Implement Digital IDV: Use automated Identity Verification (IDV) tools to match documents against government databases in real-time.
• Conduct Regular Audits: Schedule an independent AML review to identify gaps in your KYC files.
• Upskill Your Team: Ensure front-line staff understand the difference between a “Standard” and “Enhanced” KYC check through specialized training.

How “Tranche Two Consultants” Can Help

As specialized AML Consultants, we understand that for many businesses, the shift to the 2026 KYC standards is a major operational hurdle. Tranche Two Consultants helps you simplify compliance so you can focus on your core business.

Our services include:

• Custom KYC Policy Drafting: Tailored procedures that fit your specific client types.
• Beneficial Ownership Mapping: Expert assistance in untangling complex trust and corporate structures.
• Digital Onboarding Integration: Recommending and setting up the right KYC technology for your firm.
• Ongoing Compliance Support: Acting as your external AML desk to manage high-risk escalations.