Australia is rolling out the largest AML/CTF reform in almost two decades. The new AML/CTF Act amendments and the new AML/CTF Rules introduce a modernised, risk-based framework for customer due diligence (CDD) and identity verification (IDV).

These reforms implement long-awaited Tranche 2 regulation, bringing lawyers, accountants and real estate agents into scope. They also tighten obligations for current reporting entities (banks, remitters, fintechs, casinos, etc.).

Aside from many updates within the new amendments and the AML/CTF Rules, one of the most important changes that affects all reporting entities is the way they perform identity verification and customer due diligence, which has been reshaped under the new AML/CTF Rules.

AUSTRAC has confirmed it will release industry guidance in October 2025 and update its Easy Reference Guide to provide clarity on IDV across all entity types.

When does it take effect?

Tranche 1 (existing reporting entities): New CDD/IDV rules apply from 31 March 2026.
Tranche 2 (new sectors): AML/CTF obligations begin 1 July 2026, with enrolment opening 31 March 2026.

Identity Verification and Customer Due Dilligence: old Chapter 4 Rules vs. new Part 6 Rules

Under the old Chapter 4 Rules, IDV was prescriptive: fixed document checklists, safe harbours, and exemptions. Each entity type had its own detailed section (e.g. individuals, companies, trusts, partnerships, associations, government bodies).

The new Part 6 Rules shift to an outcomes-based, risk-driven model. Some entity types are batched together — for example, bodies corporate, partnerships, and unincorporated associations are all dealt with under one section. This simplifies the structure but places more responsibility on reporting entities to apply the rules appropriately across different customer types.

Key changes include:

Expanded scope of collection: must capture aliases, governance powers, director IDs (DINs), and trust controllers (settlor, appointor, guardian, protector).
Verification tightened: explicitly requires collection and verification of more roles, including appointors, protectors, guardians, and settlors, and also introduces a formal fallback procedure — if beneficial owners cannot be identified, the reporting entity must collect and verify the CEO (or equivalent).
Enhanced CDD (ECDD): mandatory in certain cases (PEPs, unusual services, virtual asset services involving cash) with explicit Source of Wealth/Funds requirements.
Simplified CDD: clearer criteria for low-risk customers, but still requires sufficient KYC to establish identity.

Side-by-Side Table: What’s Collected, Verified, and How

Side-by-Side Table: What’s Collected, Verified, and How
Entity Type	Chapter 4 (current) – What to Collect	Chapter 4 – What to Verify & Methods	Part 6 (from 1 April 2026) – What to Collect	Part 6 – What to Verify & Methods
Individuals	Full name Date of birth Residential address	Verify full name + (DOB or address) Methods: reliable documents (passport, licence, utility bills), reliable electronic sources or safe harbour with ≥2 electronic sources/documents	Full name Business names (if sole trader) Other known names/aliases Unique identifier Principal business address Nature of business	Take “reasonable steps” to verify identity using reliable & independent sources proportionate to risk
Companies	Registered name Registered & principal address ACN/ARBN Type (public/private) Director names (proprietary)	Verify existence via ASIC/registries Methods: company extract, regulator data, disclosure certificate	Name Business/other names Unique ID Addresses Evidence of existence Governance powers Names + DINs of executives	Verify existence, governance and beneficial owners (BOs) If BOs can’t be identified → verify CEO
Trusts	Name, type, country of establishment Settlor (unless <$10k, deceased, exempt) Trustee info Beneficiaries or class	Verify trust name, trustee(s), settlor (unless exempt) Methods: trust deed, disclosure certificate	Name, type, aliases, unique ID Address Evidence of existence Governance powers & decision makers Trustees, beneficiaries/classes Settlor, appointor, guardian, protector	Verify trustees, beneficiaries, BOs, settlor & other controllers using reliable/independent data
Partnerships	Partnership name Business name Country Names & addresses of all partners; full KYC for one partner	Verify partnership name via agreement/docs Verify one partner’s identity	Grouped in Part 6 under “body corporate, partnership or unincorporated association” Name Business/other names Unique ID Addresses Evidence of existence Governance powers & individuals (DINs)	Verify governance, BOs If BOs not identifiable → verify CEO equivalent
Associations / Co-ops	Name Principal office address Incorporation/registration number Governing committee names	Verify name + registration number via regulator docs, constitution or rules	Grouped in Part 6 under “body corporate, partnership or unincorporated association” Same collection requirements as above	Verify existence + governance individuals BO fallback = CEO equivalent
Government Bodies	Name Principal operations address Whether Commonwealth, State, Territory or foreign + jurisdiction	Verify via reliable & independent documents/electronic data	Name Other names Establishing country/part Unique ID Address Evidence of existence Names of governance/executive decision makers	Verify existence + governance individuals using reliable & independent data

‍

What’s Next

October 2025: AUSTRAC to release core industry guidance and update its Easy Reference Guide.
March–July 2026: new regime enforced for Tranche 1, then Tranche 2.
Ongoing: businesses must align policies, systems, and forms to new risk-based verification.

‍

How bronID Helps You Navigate the New IDV/CDD Rules

Starting January 2026, bronID will roll out a suite of upgrades to make compliance with the new AML/CTF Rules simple and low-touch for our customers:

New API v5: a major release that not only supports the expanded data fields and verification logic required under Part 6, but also delivers significant performance improvements and a much simpler integration process. With one API endpoint format, customers will be able to cover all entity types across all countries bronID supports — reducing technical complexity and speeding up deployments.
Whitelabel forms flow & embedded flow: updated to capture aliases, governance roles, DINs, and trust controllers in line with the new framework.
Portal procedures updated: all IDV/CDD procedures will be refreshed inside the Portal, ensuring consistency and transparency.

Procedural Manuals for Every Customer

Every bronID customer or prospective customer will receive a dedicated ID Verification Procedural Manual. This manual will provide:

The exact procedures for each entity type (individuals, companies, trusts, partnerships, associations, government bodies).
What information must be collected and verified.
How bronID executes verification, step by step.

All verification work will be carried out on the bronID side, requiring very little operational overhead from compliance teams.

Data Collection and Compliance

There may be small adjustments to data collection to align with the updated AML/CTF Rules and AUSTRAC’s upcoming October 2025 guidance on IDV. bronID will seamlessly integrate these changes into its systems.

Testing and Production Rollout

Early 2026: updates available in the test environment, giving customers ample time to switch ahead of enforcement.

March 2026: updates released to the production environment.

With these enhancements, bronID customers will be able to transition effortlessly to the new IDV/CDD requirements and remain fully compliant, without adding operational burden.