Identity Verification Toolkit for Tranche 2 Entities
In this article, we will explore the critical role of Identity Verification (IDV) in AML/CFT/CPF compliance. Financial crimes have an adverse impact on the economy and society at large. Governments across the globe have implemented AML/CFT/CPF laws and regulations to curb the menace of financial crimes like money laundering, terrorist financing, and proliferation financing. Know Your Customer (KYC) processes play a huge role in preventing and detecting financial crimes. One of the important aspects of KYC processes is to perform customer ID Verification.
What is ID Verification
ID Verification, also known as Identity Verification, is a regulatory obligation where a Reporting Entity identifies and verify the authenticity of the ID Documents provided by the individual customers as well as non-individual customers (such as companies, associates, trust, etc.). This verification helps Reporting Entities in Australia to establish the true identity of their clients before providing designated services to them, thereby reducing the risk of being exploited for illegal financial activities.
Regulatory Requirements for ID Verification
IDV is a regulatory obligation for all the Reporting Entities in Australia under the following legislations:
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- Anti-Money Laundering and Counter-Terrorism Financing Rules 2007
- Associated regulations, etc.
The proposed reform, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, introduces the requirement of the ID Verification for Tranche 2 Entities which will come into effect from July, 2026.
Role of in Tranche 2 Entity’s AML/CTF Framework
Knowing a customer’s profile gives insight into who a customer is and what the nature of their business is. Having knowledge of the customer and their business helps in detecting irregular activities or behavior. A business can monitor customer transactions and activities and detect abnormal or unusual transactions. It also helps in knowing the risks associated with customers.
Each customer is different and has different types of risks associated with them. For example, a PEP poses a higher risk than a non-PEP individual. In the same way, a customer from high jurisdictional risk poses more risk than a customer from low jurisdictional risk. Therefore, it is important to understand the customer for the right risk assessment.
Below are some of the key roles that IDV performs in mitigating ML/TF risk:
Reduction in Financial Crimes
Identity verification helps in the reduction of financial crimes. As Reporting Entities are required to perform Identity Verification procedures before entering into a business transaction, it discourages criminals from placing their illicit money into the legitimate economy and thereby reduces financial crimes and their adverse effects on the economy and society at large.
Enhanced Trust and Reputation
Businesses that are compliant with the ID verification procedures know who they are dealing with and can take a risk-based approach when performing their Customer Due Diligence (CDD) Procedures. If there is a slight suspicion as to the legitimacy of the ID Documents provided, more detailed KYC procedures can be applied. A compliant business creates an environment of trust among other businesses and thereby earns a reputation and a positive brand image.
Improved Regulatory Compliance
Identity Verification procedures ensure compliance with the regulatory requirements. If a Reporting Entity is consistently doing IDV before customer onboarding then if any suspicion arises with respect to Money Laundering, Terrorist Financing, or Proliferation Financing, it can be reported to the Australian Transaction Reports and Analysis Centre (AUSTRAC) within a reasonable time.
Streamlined Customer Onboarding Procedures
Identity Verification ensures uniform business-wide customer onboarding procedures. This results in proper Customer Due Diligence and risk assessment. The appropriate level of due diligence is carried out depending on the risks associated with the customer.
Steps for Identity Verification by Reporting Entities
All the Reporting Entities, including Tranche 2 entities, must continuously maintain and updating Applicable Customer Identification Procedures (ACIP) as part of a thorough and risk-sensitive approach to Customer Due Diligence:
Identifying the Timeframe
- Reporting Entities are expected to complete customer identification procedures prior to delivering any designated service. This obligation applies regardless of whether the interaction involves a single transaction or forms part of an ongoing business arrangement.
- In relation to beneficial ownership and Politically Exposed Person (PEP) status, the timing requirements are slightly more flexible. While it is preferable to determine these aspects before the designated service is provided or shortly thereafter, provided it is completed as soon as practicable within a risk-based framework.
Collecting and Verifying Customer’s ID Documents
Tranche II Reporting Entities must obtain reliable Identification Documents or data and verify their authenticity to confirm the customer’s identity. When verifying a customer’s identity, Reporting Entities must be relying on documents that are both trustworthy and independent. The reliable and independent documents in Australia include:
A. For Individuals
1. Primary Photographic Identification Documents: These are official documents that include a photograph of the individual and are generally issued by a government authority. Acceptable examples include:
- Driver’s licence (physical or digital)
- Australian passport
- Australian-issued proof of age card
- Passport issued by a foreign government or the United Nations
- International travel document from a recognised authority
- National identity card issued by a foreign government or the United Nations.
2. Primary Non-Photographic Identification Documents: Where a photograph is not available, the following original documents can be used to verify identity:
- Australian birth certificate or
- Australian citizenship certificate
- Foreign birth or citizenship certificate
- Concession card issued by the Australian government (such as a pensioner card, healthcare card, or seniors health care card).
3. Secondary Identification Documents: These documents provide supporting information and must include the customer’s name and residential address. Acceptable examples are:
- Letter or notice from a government agency (e.g., the ATO or Centrelink) issued within the past 12 months
- Utility bill or local council rates notice issued within the last 3 months (e.g., electricity, gas, or water bill)
- For minors under 18:
- Letter from a school principal issued within the last 3 months, showing the student’s name, residential address, and attendance details
- Student identification card, if available.
Note: All documents used must be current. However, an Australian or foreign passport can be accepted if it has expired within the last two years.
B. For Legal Entities
- Certificate of incorporation of a company from ASIC (Australian Securities and Investment Commission) and/or an annual statement including the amendments submitted to ASIC
- Trust deed
- Partnership agreement
- Constitution and/or certificate of incorporation for an incorporated association
- Constitution of a registered cooperative.
Identifying Beneficial Ownership
When the customer is a legal entity, the Reporting Entity must be:
- Identifying the individuals who own 25% ownership or control the entity.
- Verifying their identity using reliable and independent documents.
- Understanding the ownership and control structure.
Performing Screening for Politically Exposed Persons (PEPs)
- Tranche 2 Reporting Entities should determine if the customer or their beneficial owners are PEPs, which may elevate the risk profile.
- Enhanced Due Diligence (EDD) is required if the individual is a PEP, due to elevated ML/TF risk.
Understanding the Business Relationship
- Tranche 2 Reporting Entities should gather information on why the customer is engaging with their services.
- Understanding the expected nature, purpose, and duration of the relationship.
Addressing Risk Based Factors
IDV Procedures of a Reporting Entity must be developed with regard to the specific risks relevant to their operations. Key factors to address include:
- The size, scope, and complexity of the business activities
- The nature and purpose of the customer relationship
- The level and type of money laundering or terrorism financing (ML/TF) risks involved
- Types of customers and their profiles, including their ownership and control structures
- The sources of customer funds and wealth
- The method of delivery of your services (face-to-face, digital, third-party, etc.)
- The jurisdictions involved, especially where foreign exposure increases risk
Different Types of Customer Verification Procedures for Reporting Entities
Identity Verification Procedures vary based on the type of customer and their assessed level of Money Laundering (ML) and Terrorism Financing (TF) risk. Below is a breakdown of the customer verification approaches for individuals, companies, and trusts, particularly under simplified or ‘safe harbour’ provisions:
1. ‘Safe Harbour’ Verification Procedure
Reporting Entities may apply ‘safe harbour’ procedures when verifying the identity of individuals assessed as posing medium or low ML/TF risk. These procedures are less rigorous than those required for high-risk individuals but still mandate the collection and verification of key identifiers such as:
- Full name, and
- Either the date of birth or residential address.
Verification can be carried out using:
- Reliable and independent documentation (originals or certified copies of primary or secondary identification documents), or
- Electronic data sources, ensuring at least two independent and credible sources are used (e.g., databases from credit reporting agencies).
2. Simplified Verification Procedures
Reporting Entities may apply simplified verification procedures in low-risk cases:
For Companies: Verification is simplified if the company is:
- Listed on an Australian stock exchange
- A majority-owned subsidiary of a listed company
- Licensed and regulated by a Commonwealth, State, or Territory authority
In these cases, Reporting Entity can verify through Stock exchange listings, Australian Securities and Investments Commission (ASIC) records, annual reports, or regulator databases.
For Trusts: Simplified checks apply if the trust is:
- A registered managed investment scheme
- An unregistered scheme for wholesale clients only
- Supervised by a Commonwealth regulator
- A government superannuation fund
Methods of Performing Identity Verification or Tranche 2 Entities
Verification of identity can be done in different ways, such as digital verification using biometrics or identity verification using identity cards. Following are multiple methods that Reporting Entities may adopt to verify the identity of individuals as well as entities:
Biometric Verification
Using technology to scan fingerprints, eye scans, and facial recognition and compare them against the central database provides more security, and this method is more reliable. It is difficult to fake this verification.
Document Verification
For individuals, verification typically includes checking official documents such as For companies, Australian Business Number (ABN) registration details or Australian Securities and Investments Commission (ASIC) records can be used.
Reporting Entities should verify the authenticity of customer ID Documents through both online and offline methods, which include:
- ID Confirmation: Validate the document with issuing authorities such as the Department of Home Affairs (for Australian passports). ID Documents that are using electronic data can verify the data through Document Verification Service (DVS) which is a secure online system managed by the Department of Home Affairs.
- ID Validation: Assess the genuineness of the document to detect any signs of forgery or tampering.
- ID Number Match: Verify the document’s issue date and validity period to ensure the ID document is current and accurate.
Knowledge-Based Authentication (KBA)
Reporting Entities may enhance identity assurance by asking personalized security questions that only the genuine individual can answer. This method will add an extra layer of protection to fight against ML/TF risk.
Online verification with Biometrics and AI
Reporting Entities can authenticate IDs in real-time by prompting customers to upload selfies which is then matched against the image in their Identity Document using facial recognition and artificial intelligence.
Two-Factor Authentication (2FA)
Reporting Entities should use multi-layer security by adding a layer of security and asking users to confirm their identity through a second method like a code or One Time Password (OTP) sent to their phone or email along with the password.
Device Verification
Reporting Entities may assess the legitimacy of ID documents and the device used by the customer during onboarding or transactions to detect fraud and ensure security.
Challenges in IDV Process for Reporting Entities
Despite the clear regulatory requirements, Reporting Entities often face several challenges in effective implementation of the ID Verification process such as:
Uneven Jurisdictional Requirements
IDV systems face significant complexity when deployed across multiple jurisdictions. Each country may have distinct Know Your Customer (KYC) regulations, resulting in inconsistent record-keeping standards and verification requirements.
Data Privacy and Security Compliance
A major hurdle for IDV solutions is navigating stringent data privacy laws and biometric data regulations. Gaining valid consent and managing sensitive biometric information such as facial recognition or fingerprint data must be done in full compliance with regional laws (e.g., GDPR, Australia’s Privacy Act, 1988). Any misstep could lead to legal penalties and loss of user trust.
Exploitation Through Deepfakes and Cyber Threats
The remote nature of IDV particularly in digital onboarding exposes systems to sophisticated threats. Deepfake technology may be used to impersonate individuals, bypassing facial verification tools. Additionally, malware infections, phishing, and cyberattacks targeting IDV databases pose persistent risks to data integrity and authenticity.
Lack of System Integration
Not all IDV tools are designed for easy integration into a company’s existing infrastructure. This lack of interoperability can disrupt the onboarding workflow and lead to inefficiencies, as organisations are forced to manually bridge gaps between legacy systems and modern IDV platforms.
Resistance from High-Risk Customer Segments
Despite advanced IDV technologies, challenges persist in verifying high-risk customers such as Politically Exposed Persons (PEPs) or Ultimate Beneficial Owners (UBOs) with complex corporate ownership structures. These individuals may delay or withhold critical information, hindering timely completion of the IDV process and increasing exposure to compliance risk.
Best Practices for ID Verification
To meet global compliance expectations and reduce exposure to financial crime, Tranche two Entities should adopt the following best practices for implementing a robust IDV process:
Adopt a Risk-Based Approach
Reporting Entities must apply Identity Verification measures proportionate to the level of risk posed by each customer or transaction. A standardised approach for all customers fails to account for varying levels of money laundering risks. Therefore, a risk-based strategy should be incorporated by Reporting Entities which includes classifying customers into risk categories (low, medium, high) and adjusting verification procedures based on risk (e.g., enhanced due diligence for high-risk profiles).
Define Comprehensive IDV Policies and Procedures
Internal AML/CFT policies must clearly define the types of Identity Documents that are acceptable, and how these documents are verified. It should categorically define the steps that are required to handle non-face-to-face onboarding and remote verifications.
Incorporate Ongoing Monitoring
Identity verification is not a one-time task. Businesses must establish processes for monitoring for changes in customer information and Re-verifying Identities during periodic reviews or when risk profiles change.
Ensure Staff Competency Through Training
Reporting Tranche II entities should ensure that their employees who are responsible for conducting IDV such as KYC analysts, and Compliance Officers must be trained to detect forged or fraudulent document and identify red flags such as inconsistent information, false addresses, or outdated IDs.
Leverage Technology and Automation
Digital solutions are key to improving the speed, accuracy, and reliability of IDV. Reporting Tranche II entities should include tools such as facial recognition, biometric checks, and OCR, API-based integration with government databases and watchlists, etc. Automated verification reduces human error and speeds up onboarding while ensuring full audit trails.
Technologies Powering Identity Verification Software for Tranche 2 Entities
Identity verification software enables Reporting Entities to efficiently capture customer data and perform its verification against the relevant databases. It helps the Reporting Entities to overcome the challenges associated with the manual methods and provides an efficient, timesaving, less error-prone, systematic, and accurate way to perform the IDV of their clients. By automating the process, IDV software ensures a streamlined, accurate, and compliant approach to verifying customer identities, thereby enhancing regulatory adherence and customer onboarding experience.
Artificial Intelligence and Machine Learning
Artificial intelligence and machine learning are central to modern IDV systems. It helps analyze ID documents by identifying patterns, attributes, and potential anomalies. It will flag the documents if they appear to be forged.
Optical Character Recognition
Optical Character Recognition (OCR) helps in extracting data from documents, thereby saving time and ensuring a faster turnaround. It also minimizes manual data entry errors, improving operational efficiency.
Blockchain Technology
Blockchain provides an enhanced layer of security as it provides a temper-proof ID verification. It makes the entire process auditable, traceable, and verifiable.
Biometric Verification
Biometric IDV tools helps the Reporting Entities to verify customer identity by different methods such as facial recognition, fingerprint scanning, and iris detection, offer robust security and accuracy.
Electronic Know Your Customer (eKYC)
eKYC eliminates the need for physical documents by enabling digital Identity Verification using government-backed databases and secure APIs. It allows customers to complete KYC processes remotely, offering a faster, paperless, and cost-effective method of compliance, especially in digital banking and fintech platforms.
These advanced technologies collectively ensure that Identity Verification software remains an essential component of an effective AML/CTF compliance framework, improving risk management while enhancing user experience and regulatory compliance.
Let IDV Concerns Disappear in Your Rearview Mirror!
Verifying customer identity gives more knowledge about the customer and their business. Correct risk rating and due diligence can be done if the identification process is right. When doing Identity Verification, a business gains access to customers’ personal information. It is important to protect customer information from data breaches and fraud. Thus, a Reporting Tranche 2 Entity should identify the customer by having the right identification and verification program and protect customer data by having the right data management and protection tools.
About the Author
Jyoti Maheshwari
CAMS, ACA
Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.
