With Australia's AML/CTF reform taking effect on 31 March 2026, understanding the customer due diligence requirements for organisational entities has become more critical than ever. It's important to recognise that AUSTRAC's published guidelines on Customer Due Diligence are considerably more detailed than the AML/CTF Rules themselves, and in some cases extend the requirements beyond what is explicitly stated in the Rules. These guidelines represent AUSTRAC's interpretation of how reporting entities should apply the AML/CTF Act and its associated Rules in practice.
That said, whilst AUSTRAC's interpretations are highly influential for compliance purposes, they do not carry the force of law. Australian courts remain the ultimate authority when interpreting legislation and determining whether any provisions of the AML/CTF Act have been contravened, meaning that in any legal dispute, it is the judicial interpretation that prevails over regulatory guidance.
In light of this regulatory landscape, bronID has adopted a conservative approach to compliance. We incorporated both the explicit requirements set out in the AML/CTF Rules and AUSTRAC's published interpretations of the CDD procedures. This dual-layered approach ensures that bronID's compliance framework not only meets the minimum legal requirements but also aligns with the regulator's expectations, thereby minimising regulatory risk for bronID clients.
This guide breaks down the practical steps reporting entities must take to establish the identity, ownership, and control of business customers across all entity types, providing a comprehensive framework for meeting the spirit of the new CDD requirements. bronID has tailored its KYB procedures in accordance with the guidance outlined below.
Why Know Your Business (KYB) Matters
Know Your Business procedures form the cornerstone of effective anti-money laundering and counter-terrorism financing controls. While many are familiar with Know Your Customer (KYC) requirements for individuals, KYB addresses the unique challenges that corporate structures and legal arrangements present.
AUSTRAC's National Money Laundering Risk Assessment 2024 rated both legal structures and bodies corporate as high money-laundering risks, noting they are persistently exploited by criminals to store and move large volumes of criminal proceeds, including offshore. Trusts received a similar assessment, with their poor transparency identified as a key national vulnerability to criminal exploitation.
The reason is straightforward: organisational entities can disguise the individuals who ultimately control and benefit from them. Money launderers exploit this opacity to place, layer, and integrate the proceeds of crime while concealing their illicit origins.
KYB procedures counter this threat by requiring reporting entities to look through the corporate veil and establish two critical elements:
Entity Verification: Confirming that the organisation exists as a legal entity and establishing its fundamental identity characteristics. This includes verifying the organisation's legal name, registration details, principal place of business, and the legal instruments that govern its operations.
Ultimate Beneficial Owner (UBO) Verification: Identifying and verifying the individuals who ultimately own or control the entity. This is the most critical aspect of KYB, as it reveals who truly stands behind the corporate structure. Beneficial owners may include shareholders, partners, trustees, settlors, appointors, protectors, directors, and others who exercise control over the entity.
The legislation requires reporting entities to establish these matters on reasonable grounds before providing designated services. This means you must collect sufficient Know Your Customer information and, in most cases, verify that information using reliable and independent data sources.
Importantly, just because certain entity types are rated as nationally high risk does not automatically mean every customer of that type will be high risk for your business. You must assess each customer's money laundering and terrorism financing risk based on their specific circumstances, including the complexity of their structure and their ability to disguise beneficial ownership.
CDD Procedures by Entity Type
The specific information you must collect and verify varies depending on the type of organisational entity. The tables below provide a comprehensive overview of requirements for each entity type under the reformed AML/CTF regime.
• Sole Trader
• Australian Company
• Registered Foreign Company
• Unregistered Foreign Company
• Partnership
• Incorporated Association
• Unincorporated Association
• Registered Co-operative
• Trust
• Government Body
Additional Requirements (All Entity Types)
The following must also be established for ALL entity types:
Note: Items marked with "Yes" for verification may be subject to simplified verification procedures or may only require verification under certain circumstances based on the customer's ML/TF risk rating and whether enhanced CDD applies.
When Beneficial Owners Don't Need to Be Verified: Understanding the Exemptions
One of the most significant practical aspects of the CDD requirements is recognising that certain categories of organisational customers don't require beneficial ownership verification at all. This isn't about simplified verification—it's a complete exemption from the obligation to identify and verify beneficial owners. Understanding when these exemptions apply can substantially streamline your onboarding processes for qualifying customers.
The Rationale Behind Beneficial Owner Exemptions
The requirement to identify beneficial owners exists because organisational structures can obscure the individuals who ultimately control and benefit from an entity. However, some types of organisations are already subject to such extensive regulatory oversight, transparency requirements, or public accountability that the money laundering and terrorism financing risks are inherently mitigated. In these cases, requiring reporting entities to duplicate what regulators or public disclosure regimes already ensure would be redundant and inefficient.
The legislation therefore carves out specific exemptions where you'll be taken to have established the identity of beneficial owners without needing to identify or verify them. Importantly, when these exemptions apply, you're also taken to have established whether any beneficial owner is a politically exposed person or designated for targeted financial sanctions—though you must still conduct PEP and sanctions checks on the entity itself and any representatives or other relevant persons.
Low Risk Customers: The Primary Exemption Category
The most broadly applicable exemption applies when your customer is low ML/TF risk, enhanced CDD doesn't apply to them, and you're satisfied on reasonable grounds that the customer is, or is controlled by, any of the following three entity types:
Government Bodies: This includes the government of a country or part of a country, such as federal, state, territory, or local governments, as well as agencies and authorities of such governments. The rationale is straightforward: government bodies are subject to extensive public accountability, political oversight, and transparency requirements. Their operations, funding, and activities are matters of public record and scrutiny.
For example, if your customer is the Commonwealth Department of Defence, a state health department, or a city council, and you've assessed them as low ML/TF risk, you don't need to identify or verify beneficial owners. The individuals with governance responsibility (ministers, department heads, councillors) are already subject to public disclosure regimes and democratic accountability mechanisms that far exceed what beneficial ownership verification would achieve.
Entities Subject to Regulatory Oversight: This category encompasses entities registered or licensed by prudential, insurance, or investor protection regulators. The key requirement is that the entity must be subject to regulatory oversight through registration or licensing requirements that ensure the regulator knows who owns and controls the entity.
This exemption captures a wide range of financial services and regulated entities. Examples include banks and authorised deposit-taking institutions regulated by the Australian Prudential Regulation Authority, insurers and superannuation funds subject to APRA oversight, Australian Financial Services licensees and Australian Credit licensees regulated by ASIC, registered auditors and liquidators overseen by ASIC, and self-managed super fund auditors registered with ASIC.
The underlying principle is that these regulators already conduct extensive due diligence on ownership and control as part of their licensing and ongoing supervision. APRA, for instance, requires financial institutions to notify them of any change in control or significant ownership. ASIC conducts fit and proper person assessments on responsible managers of licensed entities. These regulatory frameworks ensure transparency of ownership and control, making additional beneficial ownership verification redundant.
Strata and Community Title Corporations: The third category covers corporations or associations of homeowners in strata title or community title schemes. These are the bodies corporate that manage apartment buildings, townhouse complexes, and other shared property developments. The exemption recognises that these entities exist purely to manage common property on behalf of the unit owners, who are publicly identifiable through land title records. There's no capacity to obscure beneficial ownership because the "owners" of the strata corporation are simply the registered proprietors of the units, which is already a matter of public record on the land titles register.
How to Establish the Exemption Applies
To rely on this exemption, you must first establish on reasonable grounds that your customer falls into one of the three qualifying categories. This means collecting and verifying information that demonstrates the customer's status.
For government bodies, you would collect information from the customer's representative about whether they are a government body, and verify this using reliable and independent data such as searches of government directories, the Department of Finance list of Commonwealth entities and companies, official government websites with .gov.au domains, or legislation establishing the agency or body.
For regulated entities, you should collect information from the customer's representative about the regulator they're registered or licensed with, the capacity in which they're registered or licensed, and any unique licensing or registration number. You may also determine this from information you've already collected about the nature of the customer's business. For instance, if during your collection of nature and purpose information you established that the customer is a bank, you know they must be licensed by APRA. You can then verify this information by checking registration details on the relevant regulator's website, such as APRA's website for banking, insurance, and superannuation entities, or ASIC's professional services registers for financial services licensees, credit licensees, registered auditors, and liquidators.
For strata and community title schemes, you would collect information confirming the customer is a body corporate or association established under strata or community title legislation, and verify this using the customer's constitution or by-laws, strata plan documentation, or searches of land title records showing the strata or community title scheme.
Control by a Qualifying Entity: The Extended Application
The exemption doesn't only apply when your customer is directly a government body, regulated entity, or strata corporation. It also applies when your customer is controlled by one of these qualifying entities. This significantly extends the exemption's practical application.
For example, if your customer is a trust and the trustee is a bank (a regulated entity subject to APRA oversight), the trust may qualify for the beneficial owner exemption if it's low risk and the bank's control over the trust is established. Similarly, if your customer is a subsidiary company that's wholly owned by a government department, and you've established that government control, the exemption may apply.
To establish control, you'll need to apply the beneficial ownership and control rules, which generally look at ownership of more than fifty percent of shares or units, or the capacity to determine decisions about financial and operating policies. The key is demonstrating that a qualifying entity has this level of control over your customer.
Publicly Listed Companies: The Transparency Exemption
A separate and distinct exemption applies to publicly listed companies that are subject to public disclosure requirements ensuring transparency regarding beneficial ownership. This exemption is not conditional on the customer being low risk—it applies regardless of the risk rating, though you must still determine the customer's risk and may need to apply enhanced CDD for other reasons.
The classic example is a company listed on the Australian Securities Exchange. ASX listing rules require extensive continuous disclosure obligations, including substantial shareholder notices when someone acquires more than five percent of the company, disclosure of directors' interests, and change of director notices. These public disclosure requirements ensure that beneficial ownership is transparent and available to the market and regulators.
The exemption can also apply to foreign companies listed on overseas exchanges, provided those exchanges have comparable public disclosure requirements that ensure transparency of beneficial ownership. Major stock exchanges in developed markets typically meet this standard, but you should verify that the specific exchange imposes transparency requirements equivalent to those on the ASX.
Importantly, when this exemption applies, you're also not required to identify the individual who is the CEO or equivalent of the customer. For most customers where you can't identify beneficial owners, you must fall back to identifying the most senior executive. But for publicly listed companies with transparent beneficial ownership, even this fallback isn't necessary.
What You Still Must Verify
It's critical to understand that these exemptions are limited to beneficial owner identification and verification only. Even when an exemption applies, you must still complete all other aspects of CDD:
You must establish the identity of the entity itself by collecting and verifying the organisation's name, registration details, address, and other identity particulars. You must identify and verify any representatives who engage with you in relation to designated services. You must conduct PEP and sanctions screening on the entity itself and all representatives. You must collect information about the nature and purpose of the business relationship and verify it if required. You must assess the customer's ML/TF risk and apply enhanced CDD measures if required for other reasons beyond beneficial ownership.
The exemptions eliminate only the requirement to identify and verify the individuals who ultimately own or control the entity. All other CDD obligations remain in full force.
Practical Application and Documentation
When you determine that a beneficial owner exemption applies, document your reasoning clearly. Your records should show which exemption category the customer falls into, the information you collected to establish this, how you verified the qualifying status, and your assessment that the customer is low risk where that's a condition of the exemption.
For example, your CDD file for a bank customer might include a note such as: "Customer is Westpac Banking Corporation, AFSL 233714, an authorised deposit-taking institution regulated by APRA. Verified through APRA register. Customer assessed as low ML/TF risk. Beneficial owner exemption applies under Rules section 6-18 as customer is subject to regulatory oversight through APRA licensing. No beneficial owner identification or verification required."
This documentation demonstrates your compliance with the exemption requirements and provides an audit trail showing you've established the customer's qualifying status on reasonable grounds.
The Exemption's Limitations: When It Doesn't Apply
Several important limitations constrain when these exemptions can be used:
The low-risk exemption only applies to low-risk customers where enhanced CDD doesn't apply. If you've assessed the customer as medium or high risk, or if enhanced CDD is triggered for any reason, you must identify and verify beneficial owners regardless of whether the customer is a government body, regulated entity, or strata corporation. Similarly, if you have reasonable grounds to doubt the information provided about the customer's status as a qualifying entity, you cannot rely on the exemption.
The exemptions also don't apply to the customer's representatives or persons receiving services on the customer's behalf. You must still verify the identity of individuals who act for the customer, even though you don't need to verify beneficial owners. If a government department employee engages with you to open an account for the department, you still need to verify that employee's identity and authority to act, even though you don't need to identify beneficial owners of the government department.
Finally, remember that these are exemptions from beneficial owner verification, not exemptions from ongoing due diligence. You must continue to monitor the business relationship for unusual or suspicious activity, and you must reassess whether the exemption continues to apply if circumstances change. If a regulated entity loses its licence, the exemption no longer applies. If you reassess a customer from low risk to high risk, beneficial owner identification becomes required.
Strategic Value of Understanding Exemptions
Understanding when beneficial owner exemptions apply provides significant strategic value for your AML/CTF program. For customer segments dominated by government bodies, financial institutions, or listed companies, you can design streamlined onboarding processes that focus verification efforts on identity, representatives, and PEP/sanctions screening rather than conducting time-consuming beneficial ownership analysis.
However, the exemptions require careful application. You cannot simply assume every bank or government agency qualifies—you must actually collect the information and verify the qualifying status. And you must maintain the assessment that enhanced CDD doesn't apply and the customer remains low risk. The exemptions are a privilege earned through proper risk assessment and verification, not a blanket pass on beneficial ownership due diligence.
Simplified Verification
One of the most significant practical aspects of the CDD regime is the concept of simplified verification. This recognises that not all matters require the same level of verification rigour and allows reporting entities to adopt a risk-based approach without compromising compliance.
Which Matters Can Be Simplified?
Simplified verification can apply to three specific matters:
Identity of persons acting on behalf of the customer: This includes any representative of the organisation who engages with you in relation to designated services, such as employees, agents, or corporate officers.
Identity of persons receiving services on the customer's behalf: In limited circumstances where the organisation is receiving services for another party (most commonly relevant for life insurance policies).
Identity of beneficial owners: The individuals who ultimately own or control the entity.
When Does Simplified Verification Apply?
All four of the following conditions must be satisfied simultaneously:
You've identified the customer's ML/TF risk based on KYC information reasonably available to you before starting to provide the service. This means you've conducted your initial risk assessment and assigned a risk rating.
The customer's ML/TF risk is low according to your assessment, and enhanced CDD doesn't apply to them. Medium or high-risk customers cannot benefit from simplified verification.
You've collected appropriate KYC information about the matter that corresponds to the customer's ML/TF risk level. You still need to collect the information, even if you don't verify it.
You have no reasonable grounds to doubt the adequacy or veracity of the KYC information you've collected. If something doesn't add up or raises concerns, simplified verification is not appropriate.
What Simplified Verification Means in Practice
When simplified verification applies, you're taken to have established the relevant matter without needing to verify the information you've collected using independent and reliable data. This significantly streamlines the onboarding process for low-risk customers.
For example, if you're onboarding a low-risk Australian company and the individual representing them is an employee, you would still collect information about that employee's identity and authority to act. However, under simplified verification, you wouldn't need to verify this information through independent means such as checking employee confirmation letters or other documentation, provided all four conditions above are satisfied.
It's crucial to understand that simplified verification is not the same as not collecting information at all. You must still gather the required KYC information through your customer onboarding processes. The simplification relates only to the verification step, reducing the need for independent data sources to corroborate what you've been told.
Important Limitations
Simplified verification never applies to:
• The identity of the entity itself (this must always be verified)
• The nature and purpose of the business relationship (verification requirements depend on other factors)
• PEP checks and sanctions screening (these must always be conducted)
• Any situation where enhanced CDD applies
• Medium or high-risk customers
Additionally, even when simplified verification would otherwise apply, you must still verify information if you have doubts about what you've been provided. Your professional judgment and your obligation to establish matters on reasonable grounds take precedence over administrative simplifications.
Final notes: A Risk-Based Approach to Organisational Due Diligence
The reformed AML/CTF legislation establishes comprehensive customer due diligence requirements for organisational entities that balance thoroughness with risk-based flexibility. By requiring reporting entities to establish identity, beneficial ownership, representative authority, nature of business, and PEP/sanctions status, the framework ensures transparency while recognising that not every customer presents the same risk.
The key to successful implementation is understanding when simplified verification applies, when full verification is required, and when enhanced measures become necessary. The tables provided in this guide offer a clear roadmap for each entity type, but remember that these represent baseline requirements—you must always consider the specific risk profile of each customer and collect additional information as appropriate.
As you prepare for the March 2026 implementation date, focus on building robust onboarding processes that collect complete information from the outset, establish clear verification procedures using reliable and independent data sources, document your decision-making and risk assessments thoroughly, and implement effective ongoing monitoring to detect changes in customer circumstances.
