Digital ID in Australia: What It Means for KYC (2026)

Digital ID in Australia: why now is the time to get ahead of it

Seven million Australians are already carrying a government-issued digital credential on their phone. As of today, the AML/CTF Amendment Act 2024 reforms are live for existing reporting entities and the organisations that have been building for this are already pulling ahead.

That gap is only going to widen. Most compliance and risk teams have spent the last six months focused on getting through the reforms themselves. Digital ID is the next wave, and right now almost no one in the market is building for it. The organisations that move in the next six to twelve months will onboard faster, lose less to fraud, and spend less time defending their verification model to a regulator.

Here’s what’s actually changed, what it means for your onboarding stack, and why the difference between “compliant” and “competitive” starts now.

Why document-only verification is running out of road

Most onboarding stacks were built around a simple model: capture a document, run it through OCR, check it against a database. That model assumed a fake document looked different from a real one. In 2026, that assumption doesn’t hold.

AUSTRAC flagged this directly in its May 2026 risk snapshot update: criminals are increasingly using AI to fabricate identities and forge documents as part of their money laundering toolkit. These aren’t crude fakes. AI-generated payslips, bank statements and identity documents now carry correct formatting, plausible employer details and internally consistent data. The tools to produce them are consumer-grade, not restricted to sophisticated operations.

The question worth asking isn’t “is this document real or fake?” It’s “was this document actually issued by the entity it claims to be from, or generated to look like it was?” Answering that takes forensic-level controls, not a visual scan. If your onboarding flow hasn’t adapted to ask it, your pass rates are telling you less than you think.

What the AML/CTF Amendment Act 2024 demands from regulated entities

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 received Royal Assent on 10 December 2024. The new customer due diligence framework took effect for existing reporting entities on 31 March 2026, with the reforms now extending to a broader range of sectors from 1 July 2026.

The substance of the change matters more than the dates. The old model was prescriptive: verify two specific data points against two reliable, independent sources, and you were covered. That model is gone. What replaces it is a risk-based framework that puts the judgement, and the responsibility, squarely on you.

Low-risk customers can move through a lighter flow. Higher-risk customers, particularly anyone new to your platform with no prior relationship, need stronger controls: biometrics, layered data checks, enhanced due diligence. Customer risk is no longer something you assess once at onboarding and file away. It’s a live input that should be shaping the verification flow in real time.

That shift is exactly where Digital ID becomes relevant, because it changes what “strong verification” can look like without adding friction.

How Australia's digital driver's licence rollout changes the picture

While the regulatory model has shifted, so has the infrastructure available to respond to it. And Australia is further ahead here than most compliance teams realise.

NSW launched its digital driver’s licence in 2019. As of 2024, more than 4.5 million licence holders, around 65% of the state’s drivers, were using it through the Service NSW app. Victoria launched in May 2024 and passed 1.8 million users within its first year. Queensland’s mobile driver’s licence has passed 1.2 million users and is the first in the country built to the ISO/IEC 18013-5 standard for mobile driving licences. NSW and South Australia launched before that standard was published, so they’re not yet aligned to it, though work is underway across jurisdictions to converge.

Add it up and you get more than seven million Australians, across three states, already carrying a verifiable digital credential as of 2025/26. That’s not a pilot. That’s a meaningful share of your customer base.

A cryptographically signed mobile driver’s licence is a fundamentally different class of evidence than a photo of a plastic card. There’s no OCR to get wrong. The credential can’t be fabricated without the issuer’s cryptographic signature failing. And because it’s device-bound, the person holding the phone is much more likely to be the person the credential belongs to.

We brought together a panel of digital identity experts - including Tash Hanson, former trust assurance lead at the NSW Department of Customer Service, to work through what this infrastructure shift means in practice. Watch the full discussion here.

Biometric verification already works. Here’s the proof.

Lumi, an Australian business lender, gives you a live answer to a question every CRO asks before tightening controls: does this slow down good customers? Read the full Lumi case study for the complete breakdown, but the headline numbers are worth sitting with.

Lumi consolidated its KYC and KYB processes and introduced biometric verification through FrankieOne. Within the first 90 days, that change identified and prevented approximately $400,000 in potential fraud losses. Annual operational savings landed at $45,000 or more, driven by a shift away from manually reviewing every application toward exception-based handling of genuinely high-risk cases. Lumi also became the first business lender in its category to introduce biometric verification, a differentiation that translated directly into broker and customer trust.

That’s what biometric verification delivers today: a live selfie checked against the document the customer presents, run through a commercial biometric provider via FrankieOne’s platform. It’s a meaningful step up from document-only checks, and Lumi’s numbers show it doesn’t cost you conversion to get there.

What’s coming next: government-grade biometric assurance

There’s a second layer of assurance on the horizon that goes further than anything available to regulated entities today: the Facial Verification Service.

Right now, the FVS operates within government. It matches a live facial image against the photo the relevant government agency holds on file - not the document the customer hands you, but the actual government record. As at mid-2024, the Australian Taxation Office was the only organisation using it. Regulated entities cannot access it yet.

The legal framework for private sector participation already exists. The Identity Verification Services Act 2023 sets out how access works: through formal participation agreements that carry strict privacy, security and oversight requirements. What the legislation doesn’t yet specify is when private sector access opens. That timeline is subject to ongoing government implementation work, and no confirmed date has been published.

What is clear is what private sector FVS access would mean when it arrives. A commercial biometric check confirms the person matches their document. The FVS would confirm the person matches the government’s own record. That’s a different order of assurance - one that closes a gap no document-based control can close on its own. The organisations with flexible verification infrastructure, built to take in new identity sources without a rebuild, will be the ones who can act on it quickly. The ones wired to document capture will be rebuilding while their competitors are already live.

Building an onboarding stack that’s ready for what’s next

None of this works if your onboarding stack can only do one thing well. A risk-based compliance model, by definition, needs to route different customers through different checks: lighter for low risk, layered for high risk, and able to take in new identity sources as they become available without a rebuild every time the landscape shifts.

A fixed, single-path flow built around document capture can’t do that. Neither can a stack of point solutions that don’t share data or a common decision point. What you need is the ability to bring in digital credentials alongside traditional documents, apply biometric checks where the risk profile calls for it, factor in device and behavioural signals, and produce an audit trail that holds up when AUSTRAC asks you to show your working.

2026 is the year of early adoption on digital credentials. According to Tash Hanson, strategic advisor in digital identity and former trust assurance lead at the NSW Department of Customer Service, widespread acceptance is likely 2027 to 2028 as regulatory guidance matures. The window to build ahead of that curve is now.

What to do now the risk-based framework is live

  1. Map your current verification flow against risk tiers. If every customer goes through the same checks regardless of risk profile, that’s the first gap to close.
  2. Check whether your onboarding stack can accept a digital driver’s licence. If the answer is no, you’re already behind a meaningful share of your customer base.
  3. Confirm your audit trail captures the reasoning behind each verification decision, not just the outcome. Outcomes-focused regulation means showing your reasoning, not just your results.
  4. Talk to your engineering or platform team about whether adding a new identity source requires a rebuild or a configuration change. That answer tells you how exposed you are to the next shift.

In our experience working with FrankieOne customers like Lumi, the organisations that treat identity verification as adaptable infrastructure, rather than a fixed checklist, absorb these changes at a fraction of the cost and disruption of those still treating it as a one-time build.

Frequently asked questions

Is a digital driver’s licence valid for AML/CTF identity verification in Australia?

Yes, in the states where it’s issued. A digital driver’s licence is a government-issued credential and can be used to meet identity verification requirements under the AML/CTF Act, subject to your AML/CTF program’s documented verification methods and current AUSTRAC guidance. Confirm your program explicitly covers digital credentials as an accepted identity source.

What’s the difference between the Document Verification Service and the Facial Verification Service?

The Document Verification Service (DVS) checks whether the biographic details on an identity document match the original government record. It’s available to regulated entities today. The Facial Verification Service (FVS) goes further, matching a live facial image against the government’s own photo record rather than the document the customer presents. It currently operates within government agencies only, with a legal framework in place for future private sector participation under the Identity Verification Services Act 2023.

How does the risk-based AML/CTF framework change identity verification requirements?

Under the previous prescriptive model, verifying two data points against two independent sources was sufficient. The risk-based framework removes that and requires verification intensity to match customer risk. Low-risk customers move through lighter flows. Higher-risk customers require stronger controls, including biometrics and enhanced due diligence. Your AML/CTF program needs to document how you determine risk tiers and map them to verification flows.

Will every Australian state have a digital driver’s licence?

Most are heading that way. NSW, Victoria and Queensland already have one live. The Northern Territory and Tasmania have both committed to launching one in 2026. Western Australia is the remaining gap among the most populous states.

Where to go from here

Digital ID isn’t a future regulatory wave you can plan for later. The risk-based framework is live, digital credentials are in the hands of millions of your customers, and the organisations building flexible verification infrastructure now will be the ones ready to move when private sector access to the Facial Verification Service arrives.

The risk-based framework is live. Watch our Digital ID expert panel to hear how practitioners are building for it, or talk to our team about your specific setup