The current landscape
Australia took large strides last week to become a world leader in Know Your Customer (KYC) requirements for Anti-Money Laundering (AML) checks. On Friday 29th November, the new AML Bill passed both houses of the Commonwealth Parliament.
The signing into law by the Governor-General is a formality, and then the AML Bill will be officially law.
This amendment to the existing AML laws is timed to ensure that Australia is well prepared for the upcoming Financial Action Task Force (FATF) review of Australian AML practices in 2026. FATF is a global watchdog that sets and monitors international standards to combat money laundering, terrorist financing, and threats to the integrity of the financial system.
Key changes in the law
The AML Law makes a lot of changes to existing AML practices, and this article will focus on just two of them:
- Widening of the entities with AML responsibilities, known as “Tranche 2”; and
- A new “reasonable ground” requirement for KYC checks.
Extension to Tranche 2: A wider net
Most of the focus has been on the widening of the entities that have to perform AML checks on their customers. The list now includes lawyers, accountants, real estate agents, and dealers in precious stones, among others. There will be plenty of interest to see if, and how, the thousands of small businesses caught by their new obligations will comply.
There are many who point out that in Germany and Singapore, it took a very long time for regulators to enforce AML requirements on these sectors. With FATF due to inspect Australia in 2026, the pressure will be on the regulators to actually enforce the law.
But this is not the most interesting aspect of the law, though it will have a large impact on those businesses now caught.
The game-changing “reasonable grounds” requirement
The most interesting thing is that there is a new “reasonable grounds” standard on the KYC part of the AML checks. This is brand new.
Previously, the law said that entities simply had to collect various details about the individual, and AUSTRAC gave guidance on the risk-based approach entities should take. Now the law itself has introduced a standard of KYC verification that must be met.
Why electronic data checks no longer cut it
The “reasonable grounds” test will herald the end of over-reliance on electronic data checks for KYC purposes. It will no longer be possible to rely only on electronic data checks; biometrics or in-person checks will be necessary instead.
This is because of an unholy combination: (a) millions of Australians’ stolen data is available online; and (b) readily available generative AI tools and websites are being used to create very good deepfake documents and selfies. Together, these mean that it is now straightforward for a fraudster to defeat electronic data checks.
All a fraudster needs to do is create a deepfake document (for around $10 on the regular web) with stolen data. This will pass review by a manual reviewer, no matter how well-trained, and pass electronic data checks (since the data is real, though stolen—unless the victim has reported the data theft to the right authorities).
At IDVerse, we have seen a 30x increase in deepfake attacks since the end of 2022, and the growth continues to be exponential. Deepfakes are in the toolbox of every fraudster. This is why it is not “reasonable grounds” to rely on electronic data checks with a manual review of the document the data is taken from. It is just too easy for fraudsters to get past the electronic data checks.
We understand that some rules will be published before Christmas that will sit beneath the amended law. It will be fascinating to see what guidance is given around the “reasonable grounds” criteria.
Practical steps for compliance
Reporting entities need to understand the fraud landscape and look at the tools available to them to combat most, if not all, fraudsters. Fortunately, it is still possible to detect deepfake documents using an AI-trained automated fraud detection system, even if the fraud is too good for a manual reviewer.
When buying a document fraud analysis tool, make sure that:
- It does not fall back to manual reviewers for the hard-to-detect fraud (AI can detect AI fraud);
- The supplier updates its algorithms regularly (daily preferably) to respond to the latest fraud attacks;
- Electronic data checks still have their place: checks to the issuing authority are best, which in Australia means a DVS check; and
- The face is biometrically matched to a selfie video that is protected by robust liveness detection. (Again, best practice is to use an AI-trained automated system.)
Looking ahead, the forthcoming rules will be crucial for interpreting these new requirements. Whatever they contain, one thing is clear: the days of relying on simple electronic data checks for compliance are numbered, and reporting entities need to start preparing now.
Stay tuned for updates as we analyse the rules when they’re published before Christmas.
About the post:
Images and videos are generative AI-created. Prompt: A futuristic cyberpunk politician presenting an unfurled scroll to a crowd of people. Tools: Midjourney, Luma.
About the author:
Peter Violaris is Global DPO and Head of Legal APAC for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 7 years and before that worked for London law firms.