AML Identity Verification in Australia: What's Changing Now
AML identity verification in Australia is changing. Here's what replaces the old model.
AML identity verification in Australia is at an inflection point. Most compliance and product teams haven't fully registered it yet, but three things are converging at the same time, and the window to get ahead of them is shorter than it looks.
Digital credential infrastructure is already live and in millions of pockets. The AML/CTF Amendment Act 2024 has replaced prescriptive safe harbour rules with a risk-based model that places real responsibility on regulated entities. And AI KYC fraud has reached the point where legacy document-based checks are no longer a reliable control. Australia's AML identity verification landscape is more advanced than most markets appreciate. But that advantage only materialises if your organisation is built to use it.
None of these would be enough on its own. Together, they create a forcing function that compliance, product, and risk teams can't ignore.
We brought together a panel of digital identity experts to work through what this convergence means in practice: where the technology actually stands, what the regulatory shift requires, and what organisations should be doing right now. What follows is what they told us.
The panel
Tash Hanson, strategic advisor in digital identity and former trust assurance lead at the NSW Department of Customer Service; Andy Bernstone, Identity Solutions Lead at Daon; Dion Gilchrist, Senior Product Manager at MATTR; and Vanessa Fierens, Product Lead at FrankieOne.
Why AI KYC fraud is making the document-based model obsolete
Start with the basic problem. The AML identity verification model that most regulated entities still rely on was designed for in-person, lower-volume environments. It has never translated cleanly to digital at scale, and the gap is getting wider.
|
“Document-based identity checks were never designed for the world we're operating in today. They were built for in-person, lower-volume environments. The model doesn't translate well to digital at scale.” Tash Hanson, Strategic Advisor, Digital Identity |
The friction is obvious to anyone who has actually been through a digital onboarding flow. Photograph your licence. Upload a selfie. Do it again at the next institution. For customers, the experience is exhausting. For businesses, it converts poorly and produces results that are increasingly unreliable.
|
“By far the biggest dropout percentage is at that ID capture screen. People don't carry physical ID. The lighting is bad. The ID is damaged. They get frustrated and drop out.” Andy Bernstone, Identity Solutions Lead, Daon |
For any organisation where KYC onboarding sits on the customer acquisition path, that dropout is a measurable cost. But the operational problem is no longer the deepest one.
AI-generated documents have reached the point where they defeat visual inspection and basic OCR. The confidence that document-based checks once provided has eroded significantly. Vanessa Fierens, Product Lead at FrankieOne, put it plainly:
|
“If you're running off older biometric tech where you can actually upload an image, you really need to be using more modern biometric capability with liveness. It's just way too easy and too commoditised to fabricate these days with AI.” Vanessa Fierens, Product Lead, FrankieOne |
The risk of staying document-only is no longer just operational. It's a growing fraud exposure.
Why Australia's digital identity infrastructure is further ahead than you think
Most compliance and product teams don't fully appreciate how far digital identity verification in Australia has come. The infrastructure layer that underpins the next generation of KYC isn't theoretical. It's live, at scale, and accelerating.
NSW launched its digital driver's licence in 2019. More than 4.5 million licence holders now use it through the Service NSW app, representing around 65% of the state's drivers. Victoria launched its digital driver's licence in May 2024 and hit 1.8 million users within the first year. Queensland's
ISO-compliant mobile driver's licence has passed 1.2 million users.
That's more than seven million Australians across three states already carrying a verifiable digital credential in their pocket. Tash Hanson, who was deeply involved in NSW's digital identity program, sees the broader significance:
|
“Australia actually is in a unique position to potentially have the largest MDL rollout globally.” Tash Hanson |
The standards have been agreed on. The adoption is real. What's still catching up is the regulatory guidance that gives organisations confidence to accept verifiable credentials inside their AML identity verification and KYC workflows. That guidance is coming. The question is whether your architecture will be ready to use it when it does.
How the AML/CTF reforms are redefining AML onboarding
The AML/CTF Amendment Act 2024 received Royal Assent on 10 December 2024. For current reporting entities, the new customer due diligence framework took effect on 31 March 2026. For Tranche 2 entities (lawyers, accountants, real estate agents, and around 100,000 other newly regulated businesses), obligations commence 1 July 2026.
The change at the heart of the reforms is a shift from prescriptive rules to a risk-based, outcomes-focused model. Under the previous safe harbour provisions, the standard approach was to capture specific data points and verify them against two reliable and independent databases. That approach is gone.
|
“Previously it was very prescriptive. Capture these data points, verify them against two reliable and independent databases. With the reforms, there's now more onus on the regulated entity to assess the level of risk and build their identity verification rules around that.” Andy Bernstone, Identity Solutions Lead, Daon |
In practice, this means AML onboarding can no longer follow a single fixed path. Organisations now have both the autonomy and the obligation to match verification intensity to customer risk. Low-risk customers move through a lighter flow. Medium and high-risk customers, particularly new-to-platform customers with no prior relationship, face stronger controls: biometrics, document intelligence, layered data checks.
Fierens describes how that tiering works in practice:
|
“It really should be that risk-based approach with layers of checks. Brand new customers probably do need to go down the medium to high-risk flow, because that's going to be your anchor of trust. But if they're existing customers you onboarded two or four years ago, you could send those down a lower-risk path with lower friction.” Vanessa Fierens, Product Lead, FrankieOne |
Customer risk rating is no longer a static compliance exercise. It's a dynamic input to your verification flow. The organisations that treat it that way will build onboarding that is both more defensible and more efficient.
Digital credentials break the trade-off between trust and friction
The strongest argument for digital credentials and mobile driver's licence-based KYC isn't the technology. It's what the technology makes possible for your pass rates and fraud exposure simultaneously.
Dion Gilchrist explained the technical foundation that makes this work:
|
“When a relying party requests credential data, you specify exactly what you need. The wallet bundles that token together, and it's still signed by the issuer. Once you verify that, you know if it's been tampered with.” Dion Gilchrist, Senior Product Manager, MATTER |
A cryptographically signed credential, bound to the holder's device and verified against the issuer's signature, is a fundamentally different class of evidence than a photographed ID card. The OCR can't be wrong because there's no OCR. The document can't be fabricated because the issuer's signature would fail. The holder can't be someone else because the credential is device-bound.
The practical implication, based on FrankieOne's data across client deployments, is significant. Safe harbour flows achieve pass rates of 80 to 90 percent. That sounds good. But Fierens notes what that number doesn't show:
|
“Great pass rate, but you could also be letting through a high proportion of fraudsters. Tighten the controls with biometrics, and the pass rate drops 10 to 15 percent, but your fraud rate drops with it.” Vanessa Fierens, Product Lead, FrankieOne |
Digital credentials change this equation. Higher assurance without the friction that drives dropout. In a regulatory environment that now requires you to calibrate verification intensity to risk, that's not a marginal improvement. It's a structural one.
FrankieOne clients who move to layered verification with modern biometrics see 15%+ uplift in pass rates alongside a 53% reduction in fraud losses. The two outcomes are not in tension. Done right, they move together.
Where to start with AML onboarding: a practical approach
The panel's practical advice on AML onboarding was consistent: don't wait for the full ecosystem to mature before you move, but don't try to rebuild everything at once either.
Fierens' starting point is the pain audit:
|
“The realistic first step isn't to rip out your KYC and rebuild it. Start by looking at the pain points in your flow and the places where fraudsters are getting in. If you're in the onboarding team and you haven't spoken with the fraud team, go speak with the fraud team.” Vanessa Fierens, Product Lead, FrankieOne |
The highest-impact early use cases for stronger AML identity verification are onboarding, step-up verification for high-value transactions, and account recovery. These are the moments where assurance level has the most direct effect on both fraud prevention and AML KYC compliance.
Bernstone added a useful discipline test for teams evaluating whether to invest:
|
“You need to establish that there's actually value before investing time and effort. Signs that it is valuable would be high dropout at the ID capture step, high rates of fraud, or a lot of abandoned carts at checkout. If you haven't got those signs, challenge yourself about whether this is a route you want to go down.” Andy Bernstone, Identity Solutions Lead, Daon |
And Gilchrist on the scope of the first step:
|
“All you need is one use case. It doesn't have to be across the board. It will exist alongside existing mechanisms. It's not replacing what you have, it's enhancing it.” Dion Gilchrist, Senior Product Manager, MATTER |
The ROI window is 12 months to three years. Plan accordingly. This is not a short-term project.
The timeline: early adoption in 2026, wide acceptance by 2028
Where does this leave the market right now? Tash Hanson's read is the most direct answer available:
|
“2026 is the year of early adoption, but only if the regulators move first. Widespread acceptance, probably 2027 to 2028.” Tash Hanson |
In Hanson's view, the organisations that move in the next 12 months will be meaningfully better positioned when the wider market catches up. The technology is proven. The regulatory direction for KYC in Australia is clear. The adoption is real. The window for building ahead of the curve is now.
If you want to understand how digital credentials fit into your AML identity verification architecture, that's exactly where we start. Watch the full panel conversation for the complete discussion, or talk to our team about your specific AML onboarding setup.
Frequently asked questions
What is risk-based KYC?
Risk-based KYC is an approach to customer due diligence where verification intensity is matched to the actual risk a customer presents, rather than applying a single standard process to everyone. Under Australia's AML/CTF Amendment Act 2024, regulated entities are now required to assess the money laundering and terrorism financing risk of each customer before providing a designated service, and to apply controls proportionate to that risk. Low-risk customers move through lighter verification flows. High-risk customers, including new-to-platform customers with no prior relationship, face stronger controls: biometrics, layered data checks, and enhanced due diligence. The shift from the previous prescriptive safe harbour model to this risk-based approach gives organisations more flexibility, but also more responsibility to get the calibration right.
Can I use a digital driver's licence for AML identity verification in Australia?
Digital driver's licences are accepted as a valid form of identification across NSW, Victoria, and Queensland, and are increasingly being used in identity verification workflows. Whether they satisfy AML/CTF customer due diligence requirements depends on the specific verification context and how the credential is presented and verified. A cryptographically signed mobile driver's licence, verified against the issuer's signature in real time, provides a higher assurance level than a photographed physical document. Regulatory guidance on the formal acceptance of verifiable credentials within KYC workflows is still developing. The consensus from practitioners is that 2026 will see early adoption in compliant flows, with wider acceptance by 2027 to 2028 as guidance matures. Organisations should prepare their verification architecture now so they can act when the guidance arrives.
When do the new AUSTRAC customer due diligence requirements take effect?
The AML/CTF Amendment Act 2024 received Royal Assent on 10 December 2024. For current reporting entities (banks, fintechs, payment services, and others already regulated under the AML/CTF Act), the new customer due diligence framework took effect on 31 March 2026. For Tranche 2 entities, including lawyers, accountants, real estate agents, dealers in precious metals and stones, and trust and company service providers, enrolment opens 31 March 2026 and full obligations commence 1 July 2026. The reforms shift the focus from a prescriptive checklist model to a risk-based, outcomes-oriented approach, requiring organisations to identify and assess ML/TF risk at the start of every customer relationship. For the latest guidance, refer to AUSTRAC's AML/CTF Reform page at austrac.gov.au.
Watch the full conversation
Want to map how digital identity fits your AML compliance workflow?
Book a 30-minute session with our team. Book a demo
.png)
