Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business takes payments, moves money, deals with high-value goods, or helps customers set up accounts (especially online), you’ve probably heard the acronyms AML and KYC thrown around.
They can feel like “big bank rules” that don’t apply to smaller businesses - until a payment provider asks you to verify your customer, a marketplace suspends your account, or you’re told you may need to enrol with AUSTRAC.
This 2026 update breaks down what Australia’s anti-money laundering and counter-terrorism financing framework means in practice, when it applies to your business, and how to set up sensible processes without overcomplicating things.
What Do AML And KYC Mean In Australia (And Why Do They Matter)?
AML stands for Anti-Money Laundering. In Australia, AML obligations sit inside the broader AML/CTF framework, which includes Counter-Terrorism Financing.
KYC stands for Know Your Customer. It’s one of the key practical steps businesses take to reduce the risk of money laundering - by verifying who they’re dealing with and (where appropriate) understanding the purpose and nature of the relationship.
Even if you’re not directly regulated by AML/CTF laws, AML and KYC often show up because:
- banks, payment processors, and platforms apply KYC rules to you as their customer;
- investors and partners expect you to have basic risk controls;
- privacy and cyber obligations mean you need to be careful about how you collect and store identity information.
In other words: AML/KYC is both a legal compliance issue (for certain businesses) and an operational reality (for many more).
The Core Idea: Risk Management, Not Box-Ticking
Australia’s AML/CTF system is built around risk-based compliance. That means your processes should be proportionate to the risk your business actually faces.
A small online marketplace with low-value transactions won’t look the same as a remittance provider moving funds across borders - and it shouldn’t.
Who Needs To Comply With AML/CTF Laws In 2026?
Australia’s AML/CTF obligations mainly apply to businesses that provide certain regulated services called designated services (under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006).
If you provide a designated service, you may need to:
- enrol and/or register with AUSTRAC;
- adopt and maintain an AML/CTF program;
- carry out customer identification and verification (KYC);
- monitor transactions and lodge certain reports (for example, suspicious matter reporting);
- keep records for specific periods.
Common Examples Of AML-Regulated Businesses
While the exact scope depends on what you do and how you do it, AML/CTF laws commonly apply (in some form) to areas such as:
- Financial services (including some payment, remittance, and lending activities)
- Digital currency exchange and certain crypto-related services
- Gambling services
- Cross-border money movement and international funds transfer instructions
If your business model touches money movement, stored value, third-party payments, or international transfers, it’s worth getting advice early. The earlier you map your compliance position, the less painful it is to fix later.
What About “Tranche 2” Reforms In 2026?
You may have heard discussion about expanding Australia’s AML/CTF regime (often referred to as “Tranche 2”) to professions and sectors such as lawyers, accountants, real estate professionals, and trust and company service providers.
That expansion was legislated in the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, with obligations for the newly captured sectors scheduled to commence on 1 July 2026. The detail (exemptions, AUSTRAC’s rules and guidance, transitional arrangements) can still move, so the practical takeaway for 2026 is this: if you operate in one of those sectors, build a “compliance-ready” workflow now - especially around identity checks, record-keeping, and staff training - and check AUSTRAC’s current guidance for the exact scope and timing that applies to you.
What Are The Practical KYC Steps Most Businesses Need In 2026?
KYC can range from a basic identity check through to an ongoing customer due diligence program.
Even where you’re not strictly a designated service provider, you may still need KYC-style processes because banks and payment providers require them, or because your risk profile makes it sensible.
Step 1: Confirm Who Your Customer Is
At a minimum, you usually want to capture:
- full name (or entity name)
- date of birth (for individuals, where appropriate)
- address (residential or registered office)
- contact details
- ABN/ACN (for businesses)
If you’re dealing with a company, you may also need to understand who ultimately owns or controls it (often called the beneficial owner concept).
Step 2: Verify Identity Using Reasonable Methods
Verification methods depend on your industry and risk level, but could include:
- electronic verification checks (where available)
- document verification (for example, driver’s licence or passport)
- verification of business registration details
- additional checks for higher-risk customers (for example, politically exposed persons screening)
If you’re collecting identification documents, you should be careful about privacy compliance and data security. Collecting ID “just in case” can create unnecessary risk if you don’t have strong handling processes.
For businesses that store copies of licences or ID documents, it’s worth aligning your processes with privacy expectations around collection, storage, and access controls - including the practical guidance discussed in collecting and storing drivers licence photos.
Step 3: Understand The Purpose Of The Relationship (Where It Matters)
KYC isn’t only about confirming identity. It can also include understanding:
- why the customer is using your service
- the expected transaction size and frequency
- who is providing funds (in higher risk scenarios)
This step becomes more important when your business handles larger transactions, cross-border payments, third-party payments, or unusual payment patterns.
Step 4: Monitor Transactions And Update Customer Details
In many AML programs, ongoing customer due diligence (often shortened to OCDD) is the part that matters most: verification at onboarding is a snapshot, and a customer’s risk picture changes over time.
That might mean:
- monitoring for unusual transaction patterns
- re-verifying customers after certain triggers (for example, change of ownership, change of bank account, large transaction)
- keeping your customer data up to date
The goal isn’t to annoy legitimate customers. It’s to be able to spot red flags early and respond in a consistent way.
How Do AML/KYC Rules Intersect With Privacy And Data Security?
One of the biggest mistakes we see is businesses treating AML/KYC as a standalone checklist - without thinking through the privacy and cybersecurity impact.
When you collect identity information, you are often collecting personal information (and in some situations, sensitive information). That triggers obligations around transparency, safe storage, limited access, and proper disposal.
Collect Only What You Need (And Tell People Why)
If you’re requesting identity documents or running verification checks, you should be upfront about what you’re collecting and why. In many cases, this is handled through a Privacy Collection Notice presented at the point of collection.
From a practical perspective, your customer experience is better when you explain:
- what information you need
- why you need it (for example, fraud prevention, payment provider requirements, AML compliance)
- who you might share it with (for example, verification providers)
- how long you keep it for
Store KYC Information Safely
KYC data is high-value to attackers: a name, date of birth, address and a scanned ID document are enough to open accounts or take out credit in someone else’s name. If it’s exposed, it can lead to identity theft and serious reputational damage - even if you were collecting it for legitimate compliance reasons.
Basic safeguards often include:
- restricting staff access (role-based permissions)
- encrypting files at rest and in transit
- logging access to KYC records
- using reputable providers for identity verification and secure storage
- having a retention and deletion process
If you accept card payments or store payment details (even via a third-party system), you’ll also want to be careful about what you store, where, and how - especially if your KYC process collects billing and payment information alongside identity details. The compliance expectations here (including PCI DSS where card data is involved) overlap with the issues covered in storing credit card details.
Have The Right Public-Facing Privacy Documents
Many businesses need a clear Privacy Policy that explains how they collect, use, store, and disclose personal information - including where KYC processes form part of onboarding.
This is especially important if you’re operating online, onboarding customers remotely, or using third-party verification tools.
Retention: Don’t Keep KYC Data Forever
AML/CTF rules set minimum retention periods for certain records (generally seven years for customer identification and transaction records). Privacy principles push the other way: don’t keep personal information longer than necessary for the purpose you collected it.
The best approach is usually to define a retention schedule that is linked to your actual obligations and risk profile (and then follow it consistently). If your business is affected by industry-specific retention expectations, it’s also worth understanding the broader landscape, including issues raised in data retention requirements.
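The safeguards listed above (role-based access, access logging, a retention and deletion process) and the retention point in this section fit together in a few dozen lines. The following is an added example written for this article, not Sprintlaw’s code: the role names, the seven-year and two-year periods, and the sample customers are assumptions. It shows role-gated reads where every attempt is logged against a pseudonym rather than the customer ID, and a purge job whose clock starts only when a relationship ends and whose period depends on why the record is held.

```python
"""KYC record handling: role-gated reads, an access log, and a retention
schedule tied to the actual basis for holding each record. Added example, not
Sprintlaw's code: the role matrix, the retention periods and the sample records
are assumptions for illustration. Encryption at rest is left to the storage
layer or a vetted crypto library (the stdlib has no AES), so only the access
control, logging and retention logic is shown."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed retention floor per basis, counted from the end of the relationship.
# "aml" models a statutory minimum; "provider" models a shorter contractual
# requirement from a bank or payment processor with no AML obligation behind it.
RETENTION = {"aml": timedelta(days=7 * 365), "provider": timedelta(days=2 * 365)}

# Assumed role matrix: each role sees only what its job needs; the document
# number is compliance-only.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support": {"full_name"},
    "onboarding": {"full_name", "dob", "address", "id_doc_type"},
    "compliance": {"full_name", "dob", "address", "id_doc_type", "id_doc_number"},
}


class PermissionDenied(Exception):
    pass


@dataclass
class KycRecord:
    customer_id: str
    basis: str                                  # key into RETENTION
    fields: Dict[str, str]
    relationship_ended: Optional[date] = None   # None while the customer is active


class KycStore:
    def __init__(self, today: date):
        self.today = today
        self._records: Dict[str, KycRecord] = {}
        self.access_log: List[dict] = []

    def put(self, rec: KycRecord) -> None:
        self._records[rec.customer_id] = rec

    def has(self, customer_id: str) -> bool:
        return customer_id in self._records

    def _log(self, actor, role, customer_id, what, granted) -> None:
        # Key the log on a pseudonym so it is not a second copy of the identity data.
        subject = hashlib.sha256(customer_id.encode()).hexdigest()[:16]
        self.access_log.append({"date": self.today, "actor": actor, "role": role,
                                "subject": subject, "what": what, "granted": granted})

    def read(self, actor: str, role: str, customer_id: str, wanted: Set[str]):
        """Return only the fields the role may see. Every attempt is logged,
        denied ones included: those are the entries worth reviewing."""
        denied = set(wanted) - ROLE_FIELDS.get(role, set())
        self._log(actor, role, customer_id, sorted(wanted), granted=not denied)
        if denied:
            raise PermissionDenied(f"{role} may not read {sorted(denied)}")
        rec = self._records[customer_id]
        return {f: rec.fields[f] for f in wanted if f in rec.fields}

    def end_relationship(self, customer_id: str, when: date) -> None:
        self._records[customer_id].relationship_ended = when

    def purge_due(self, actor: str = "retention-job") -> List[str]:
        """Delete records whose retention period has run. Active customers are
        never purged; the clock only starts when the relationship ends."""
        due = sorted(cid for cid, r in self._records.items()
                     if r.relationship_ended is not None
                     and self.today >= r.relationship_ended + RETENTION[r.basis])
        for cid in due:
            self._log(actor, "system", cid, "purge", granted=True)
            del self._records[cid]
        return due


def build_sample_store() -> KycStore:
    """Constructed sample data, not real customers."""
    store = KycStore(today=date(2026, 7, 1))
    store.put(KycRecord("C1", "aml", {"full_name": "Jane Example", "dob": "1990-01-01",
                                      "address": "1 Sample St", "id_doc_type": "passport",
                                      "id_doc_number": "PA0000000"}))
    store.put(KycRecord("C2", "aml", {"full_name": "Sam Example"}))
    store.put(KycRecord("C3", "provider", {"full_name": "Kim Example"}))
    store.put(KycRecord("C4", "aml", {"full_name": "Ari Example"}))
    store.end_relationship("C1", date(2019, 6, 1))  # 7-year floor has run by July 2026
    store.end_relationship("C2", date(2025, 1, 1))  # still inside the 7-year floor
    store.end_relationship("C3", date(2024, 3, 1))  # 2-year provider period has run
    return store                                     # C4 is still active: never purged
```

Two design points are worth copying even if the rest changes: the access log records denied attempts as well as successful ones (a support agent repeatedly asking for ID numbers is exactly what a review should surface), and the purge job reads the retention period off the record’s own basis rather than applying one blanket period, which is how you satisfy an AML floor for some records without over-retaining the rest.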
What Legal Documents And Policies Help You Implement AML/KYC Properly?
AML/KYC compliance isn’t only about what you do - it’s also about whether you can prove you do it consistently. That’s where clear documentation is your best friend.
The right documents depend on your business model and whether you’re a designated service provider, but these are common building blocks.
AML/CTF Program (If You’re Regulated)
If you provide designated services, you may need a written AML/CTF program that sets out how you manage risk and meet reporting and compliance requirements.
This typically covers:
- your risk assessment (products, customers, delivery channels, countries)
- customer due diligence procedures (KYC checks)
- transaction monitoring
- reporting and escalation pathways
- training and oversight
- record keeping
KYC/Onboarding Policy (Even If You’re Not Regulated)
Many businesses benefit from a simple internal policy setting out:
- when you verify a customer
- what documents or checks you accept
- who approves exceptions
- what “red flags” staff must escalate
- how you document checks
This is particularly helpful when you’re growing, hiring staff, or outsourcing parts of customer onboarding.
Staff Training And Workplace Policies
AML/KYC breaks down most often at the staff level - not because people don’t care, but because they’re rushed, unsure what to do, or afraid of upsetting a customer.
Training is much easier when you have clear role expectations and documented processes. If you’re employing staff who handle onboarding or payments, it’s also a good idea to ensure your employment paperwork supports compliance requirements (including confidentiality and process adherence) through a tailored Employment Contract.
Payment And Refund Terms (To Reduce Fraud Risk)
Fraud prevention and AML controls often overlap with your customer payment processes - for example, how you handle chargebacks, refunds, third-party payments, or unusual payment methods.
If you’re taking payments via direct debit, set expectations clearly and make sure the setup is compliant with Australian requirements. This often ties into direct debit laws and the rules of your financial institution or payment processor.
Common AML/KYC Triggers And Red Flags For Australian Businesses
You don’t need to treat every customer as suspicious. But you do need a practical way to identify when something looks “off” so you can pause, ask questions, and (if required) escalate internally.
Common red flags can include:
- Unusual payment behaviour (for example, several payments kept just under a reporting or review threshold - a pattern known as structuring - or frequent payment reversals)
- Mismatch between customer identity and behaviour (for example, identity says one thing, business activity suggests another)
- Third-party payments (especially where the payer is unrelated and the explanation is vague)
- Unusual urgency (for example, customer pushes for speed and resists standard checks)
- Complex ownership structures without a clear commercial explanation
- Cross-border factors that don’t match the customer’s profile or stated purpose
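Step 4 above says to monitor for unusual patterns, and this list says what to look for. As an added example (not Sprintlaw’s code, and not a rule set prescribed by AUSTRAC; the threshold, the seven-day window, the reversal ratio and the sample ledger are all assumptions), here are the payment-pattern red flags - structuring, frequent reversals, third-party payers and cross-border mismatch - implemented as rules run over a constructed ledger, with the hits collected per customer so the escalation step sees the whole picture rather than one alert at a time.

```python
"""Rule-based transaction monitoring for the red flags listed above. Added
example, not Sprintlaw's code and not a rule set prescribed by AUSTRAC: the
thresholds, window, reversal ratio and sample ledger are assumptions for
illustration and should be set from your own risk assessment."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    payer_id: str      # who actually paid; normally equal to customer_id
    amount: float      # positive = payment received, negative = reversal/refund
    ts: datetime
    country: str       # payer's country (ISO 3166-1 alpha-2)

# Assumed rule parameters (illustrative, not regulatory values).
THRESHOLD = 10_000.0        # the review threshold payments are kept "just under"
NEAR_BAND = 0.10            # 90% up to (but excluding) 100% of THRESHOLD
STRUCTURING_MIN_COUNT = 3   # near-threshold payments needed inside one window
WINDOW = timedelta(days=7)  # rolling window for the structuring rule
REVERSAL_RATIO = 0.30       # reversals / payments above this is "frequent"
MIN_PAYMENTS_FOR_RATIO = 5  # do not judge a ratio on a handful of payments

def flag_structuring(txns):
    """Customers with STRUCTURING_MIN_COUNT near-threshold payments in any WINDOW."""
    stamps = defaultdict(list)
    for t in txns:
        if THRESHOLD * (1 - NEAR_BAND) <= t.amount < THRESHOLD:
            stamps[t.customer_id].append(t.ts)
    flagged = set()
    for cust, times in stamps.items():
        times.sort()
        start = 0  # sliding window: the same amounts spread over months do not trip it
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                flagged.add(cust)
                break
    return flagged

def flag_frequent_reversals(txns):
    payments, reversals = defaultdict(int), defaultdict(int)
    for t in txns:
        if t.amount > 0:
            payments[t.customer_id] += 1
        elif t.amount < 0:
            reversals[t.customer_id] += 1
    return {c for c, n in payments.items()
            if n >= MIN_PAYMENTS_FOR_RATIO and reversals[c] / n > REVERSAL_RATIO}

def flag_payer_mismatch(txns, profile_country):
    """{txn_id: reasons} for payments by someone other than the customer of record,
    or from a country other than the one the customer gave at onboarding."""
    hits = defaultdict(list)
    for t in txns:
        if t.amount <= 0:
            continue
        if t.payer_id != t.customer_id:
            hits[t.txn_id].append("third_party_payer")
        if t.country != profile_country.get(t.customer_id, t.country):
            hits[t.txn_id].append("country_mismatch")
    return dict(hits)

def run_rules(txns, profile_country):
    """One report per customer, so escalation sees the whole picture; a hit is a
    prompt to pause and ask questions, not a verdict."""
    report = defaultdict(list)
    for c in flag_structuring(txns):
        report[c].append("structuring")
    for c in flag_frequent_reversals(txns):
        report[c].append("frequent_reversals")
    by_id = {t.txn_id: t for t in txns}
    for tid, reasons in flag_payer_mismatch(txns, profile_country).items():
        report[by_id[tid].customer_id] += [f"{r}:{tid}" for r in reasons]
    return {c: sorted(hits) for c, hits in report.items()}

# Constructed sample ledger (not real data).
T0, D = datetime(2026, 3, 2, 9, 0), timedelta(days=1)
SAMPLE_TXNS = [
    Txn("T1", "C1", "C1", 9_500.0, T0, "AU"),           # C1: three payments just
    Txn("T2", "C1", "C1", 9_800.0, T0 + 2 * D, "AU"),   # under the threshold in
    Txn("T3", "C1", "C1", 9_900.0, T0 + 5 * D, "AU"),   # five days: structuring
    Txn("T4", "C5", "C5", 9_500.0, T0, "AU"),           # C5: same amounts ten days
    Txn("T5", "C5", "C5", 9_800.0, T0 + 10 * D, "AU"),  # apart, outside the window,
    Txn("T6", "C5", "C5", 9_900.0, T0 + 20 * D, "AU"),  # so not flagged
    Txn("T10", "C3", "P9", 2_500.0, T0 + D, "NZ"),      # C3: unrelated payer, abroad
]
# C2: six small payments and three reversals (reversal ratio 0.5)
SAMPLE_TXNS += [Txn(f"T2{i}", "C2", "C2", 500.0, T0 + i * D, "AU") for i in range(6)]
SAMPLE_TXNS += [Txn(f"R2{i}", "C2", "C2", -500.0, T0 + i * D, "AU") for i in range(3)]
SAMPLE_PROFILE = {"C1": "AU", "C2": "AU", "C3": "AU", "C5": "AU"}
```

On the sample ledger, `run_rules` flags C1 for structuring, C2 for frequent reversals and C3 for both a third-party payer and a country mismatch on the same transaction, while C5 (the same near-threshold amounts spread over three weeks) is left alone. That last case is the point of the rolling window: a fixed “three payments ever” rule would generate complaints from legitimate customers and train staff to ignore alerts. Treat each hit as the trigger for the escalation steps in the next section, and revisit the parameters whenever your customer mix or payment channels change.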
What Should You Do If You Spot A Red Flag?
A good approach is to have a simple internal escalation process. For example:
- pause the transaction or onboarding step (if appropriate)
- ask clarifying questions and request supporting documents if needed
- record what happened and what you checked
- escalate to a manager or compliance lead
- get legal advice if you’re unsure about your obligations
The important part is consistency. If you only apply checks sometimes, you create both compliance risk and customer complaints risk.
Design Your Process For Your Customer Experience
If your process feels random or overly intrusive, customers will abandon onboarding - even if they’re legitimate.
We often recommend:
- telling customers early that identity checks may be required
- keeping checks proportionate (don’t request a passport if a lower-risk method is enough)
- using secure, reputable verification methods
- setting clear timeframes and explaining what happens next
This protects your business while still keeping onboarding smooth.
Key Takeaways
- AML/CTF laws in Australia apply mainly to businesses providing designated services, but KYC expectations can affect many businesses through banks, payment processors, and fraud risk controls.
- Good KYC is risk-based: confirm who your customer is, verify identity using reasonable methods, understand the relationship where needed, and monitor for unusual activity.
- Privacy and AML/KYC must work together - if you collect identity information, use a clear Privacy Collection Notice, store data securely, and only keep it as long as you need to.
- Written policies, staff training, and well-designed onboarding and payment processes make compliance easier and reduce the chance of inconsistent decisions.
- Red flags don’t mean “guilty” - they mean you should pause, document what you’ve checked, and escalate internally so you can make consistent decisions.
- If your business model involves payments, stored value, cross-border transactions, crypto, or onboarding customers at scale, getting advice early can save you major rework later.
If you’d like a consultation on AML/KYC requirements for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.