Australia's AML/CTF reform landscape shifted significantly on 31 March 2026, when the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2024 and the AML/CTF Rules 2025 came into effect. These reforms represent the most substantial overhaul of Australia's AML/CTF framework in nearly two decades, and bronID has updated its identity verification (IDV) procedures accordingly.
This article explains the changes bronID is making to its individual and organisational verification procedures, the different procedure sets now available to our clients, and what you need to do - or not do - to remain compliant.
The Regulatory Context: Reform, Transitional Rules, and Interpretation
The new AML/CTF Rules 2025 introduced updated Customer Due Diligence (CDD) obligations, expanded the scope of regulated entities to include Tranche 2 gatekeepers (lawyers, accountants, real estate agents and others), and brought significant changes to how beneficial ownership and UBO verification must be conducted.
At the same time, the government acknowledged the scale of change facing existing reporting entities. In January 2026, the Department of Home Affairs and AUSTRAC announced transitional rules providing a three-year grace period - from 31 March 2026 to 30 March 2029 - for existing Tranche 1 entities to transition their initial customer due diligence processes to the new Section 28 CDD framework. Crucially, entities must choose one approach and apply it consistently: they cannot mix and match old ACIP procedures with new CDD obligations.
Regardless of which path a reporting entity takes for initial CDD, ongoing customer due diligence under Section 30 becomes mandatory for all entities from 31 March 2026 without any transitional relief.
Important: While the transitional rules offer flexibility, ongoing CDD obligations under Section 30 apply to all entities from 31 March 2026 with no grace period. Make sure your monitoring and review processes are updated.
AUSTRAC Interpretive Guidance vs. the Rules Themselves
One important nuance that every reporting entity - and every provider like bronID - must navigate is that the AML/CTF Rules 2025 and AUSTRAC's interpretive guidance are not the same thing. AUSTRAC's published guidance is often more prescriptive and onerous than the literal text of the Rules. Different reporting entities, legal advisors, and compliance professionals may reach different reasonable conclusions about what the Rules require in specific circumstances.
bronID has designed its verification procedures to accommodate this spectrum. The default bronID procedures are calibrated to closely align with the AML/CTF Rules and the AUSTRAC's guidance. However, our IDV Rules framework allows clients to configure their procedures to reflect their own AML/CTF Program's interpretation, within reasonable bounds, where that interpretation differs. This flexibility is managed through the IDV Rules configuration available in the bronID Portal.
Individual Verification: Two Procedures
For the verification of individuals - whether as direct customers or as Ultimate Beneficial Owners (UBOs) in a KYB context - bronID offers two distinct verification procedures. The applicable procedure will depend on your configuration and client requirements.
1. Electronic Verification (data-based procedure - currently known as Safe Harbour) relies on matching personal information against two independent data sources - typically government and commercial databases. It is a faster, lower-friction process well suited to digital onboarding at scale.
2. eDocument KYC requires the individual to provide government-issued identity documents (such as a passport or driver licence), complete a liveness check, and pass a biometric comparison against the photo document. This approach more closely aligns with AUSTRAC's expectations under the reformed framework and produces a stronger evidentiary record of identity.
For the Tranche 2 KYB procedures (V3, described below), eDocument KYC is the default method used to verify UBOs. This reflects both AUSTRAC's guidance under the reformed CDD obligations and the higher risk profile generally associated with beneficial ownership verification in complex entity structures.
KYB Procedures: Three Versions, Two Active from 31 March 2026
bronID's Know Your Business (KYB) verification procedures are structured around three versions, reflecting the pre-reform baseline and the two pathways available from 31 March 2026.
V2 - Transitional Procedures (for clients adopting transitional rules)
V2 procedures apply to existing bronID clients who elect to use the transitional rules and continue with the existing ACIP-based approach to initial CDD during the grace period. These procedures introduce only minor differences from the V1 baseline, and the primary purpose is to bring existing procedures into alignment with the structure and terminology of the reformed framework - smoothing the eventual transition to V3.
Importantly, no system upgrade is required for V2. Existing clients can continue using their current bronID integration and the V2 procedures will be applied automatically. There is no disruption to existing onboarding workflows.
V3 - Tranche 2 Procedures (full reformed CDD)
V3 procedures reflect bronID's full implementation of the reformed AML/CTF Rules 2025 CDD obligations. This version introduces expanded data collection requirements for all entity types - most notably the collection of information about the nature of the entity's commercial activities - and applies eDocument KYC as the default method for UBO verification.
V3 also introduces changes to specific entity types. For example, trust verification under V3 requires all trustees to be identified and verified (not just one as under V1), reflecting the updated regulatory expectations for trust structures.
Transitioning to V3 requires an upgrade to bronID's API v5 and adoption of the new KYB Whitelabel Forms. Clients should contact bronID to discuss their migration timeline.
Summary: If you use transitional rules and want to continue with minimal changes, V2 requires no upgrade. If you are ready to fully transition to the reformed framework, V3 requires API v5 and the new forms. Either way, ongoing CDD obligations under Section 30 apply from 31 March 2026 regardless of which path you choose.
What Changes by Entity Type
The table below summarises the material differences across all three procedure versions. V1 vs V2 differences are minor; V1 vs V3 differences are more extensive.
V1 vs V2: What Actually Changes
The V2 transitional procedures are designed to be as close to V1 as possible, requiring no system changes from existing clients. Across nearly all entity types, the verification process is unchanged between V1 and V2. There is one material exception:
The rationale for this change is alignment with the reformed regulatory framework's expectations around trust structures, where all persons exercising trustee authority are considered relevant to the ML/TF risk assessment. This adjustment also brings V2 into alignment with V3 on this specific point, simplifying the eventual transition.
All other parameters - entity existence verification, director/officer collection, UBO identification and verification, address collection, unique identifiers, and document requirements - remain the same between V1 and V2.
V1/V2 vs V3: What Changes in the Tranche 2 Procedures
V3 introduces more substantive changes, primarily in two areas: (1) the addition of nature of entity as a required data point across all entity types, and (2) the application of eDocument KYC as the default UBO verification method. Additional entity-specific changes are noted below.
Across all entity types under V3, UBO verification defaults to eDocument KYC rather than electronic Safe Harbour. This is the most significant operational change for clients transitioning to V3, as it requires UBOs to complete a document upload and liveness/biometric check rather than a data-only match.
Flexibility Through IDV Rules Configuration
bronID recognises that reporting entities operating under the same rules may legitimately reach different interpretations of their obligations - particularly where AUSTRAC's interpretive guidance goes beyond what the Rules themselves strictly require.
To accommodate this, the bronID IDV Rules allow clients to configure key aspects of their verification procedures within the Portal. This includes adjusting the individual verification method (Electronic Verification vs. eDocument KYC), modifying how specific entity types are processed, and managing other parameters that reflect differences in AML/CTF Program design across client organisations.
This means that two bronID clients in similar sectors may run meaningfully different verification procedures - both compliant with the Rules as reasonably interpreted under their respective AML/CTF Programs. bronID's role is to execute those procedures accurately and consistently, not to impose a single interpretation on all clients.
Next Steps for bronID Clients
If you are an existing client using API v4 or earlier:
- You will be transitioned to V2 procedures from 31 March 2026. No action is required on your part.
- V2 procedures involve only minor changes from V1 and will not disrupt your existing workflows.
If you want to transition to V3 ( Tranche 2 compliance):
- Contact bronID to discuss your API v5 migration timeline.
- Plan for updated KYB Whitelabel Forms and expanded data collection fields.
- UBO verification will default to eDocument KYC under V3; ensure your customer communications reflect this.
If you want to customise your verification procedures:
- Review the IDV Rules configuration available in the bronID Portal.
- Speak with bronID's compliance team to ensure any customisations are consistent with your AML/CTF Program.
Need help? Contact bronID at support@bronid.com to discuss your transition plan, API v5 integration, or IDV Rules configuration. Our compliance team is available to assist with alignment between your AML/CTF Program and your bronID verification procedures.
This article is provided for informational purposes only and does not constitute legal advice. The AML/CTF rules and associated obligations are subject to ongoing regulatory development. Reporting entities should consult with their legal and compliance advisors when making decisions about their AML/CTF obligations. Information is current as of March 2026.
