
💼 FAQ: Customer Due Diligence for Individuals

For Australian Law Firms – Let's clarify the compliant steps to verify an individual customer from July 1, 2026.

Written by Jordan
Updated over 3 weeks ago

🧠 Background

On March 27, 2025, during the ACAMS-AUSTRAC webinar, Realaml CEO Jordan Leroy McCown asked:

“In New Zealand, remote KYC requires both electronic confirmation of identity information and ensuring the person being onboarded can be matched to that identity — often through biometric or similar mechanisms. Given AUSTRAC’s Tranche 2 guidance is still evolving, why is there no reference to a mechanism for linking the person to the claimed identity, such as biometrics?”

AUSTRAC’s Ashlea McKenzie (Acting Director, Rules Reform) responded:

“...Under the Act, where the customer is an individual, there is a requirement to take steps to establish that the customer is the person the customer claims to be...

So there is an explicit requirement, for individuals only, and that's in the Act...”


This requirement is reiterated by AUSTRAC and the Attorney-General’s Department:


What does this mean for Australian law firms?

You must go beyond simply collecting identity documents or verifying identity information.

To meet your customer due diligence obligations, law firms must:

✅ Verify that the identity exists and is valid, and
✅ Take steps to confirm that the person presenting the ID is the person to whom it belongs.


❓Does this apply only to remote clients?

No.
This requirement applies to all individual customers, regardless of whether the onboarding is remote or face-to-face.

However, the method of verification should reflect:

🔹 The customer’s money laundering or terrorism financing (ML/TF) risk, and
🔹 The channel of engagement (e.g., remote vs. in-person).


✅ Table of Compliant Methods

These methods meet the requirement to confirm an individual is who they claim to be because they:

  • Verify the identity, and

  • Link the person to that identity.

| Method | Verifies the ID? | Links person to ID? | Why it meets the requirement |
| --- | --- | --- | --- |
| Biometric liveness & facial matching (selfie + ID) | ✅ Yes | ✅ Yes | ID is authenticated; facial match confirms the person is alive and matches the ID |
| In-person face-to-ID sighting | ✅ Yes | ✅ Yes | Staff inspect the ID and confirm the photo matches |
| Secure video call with ID shown | ✅ Yes | ✅ Yes | Staff verify ID details and confirm match in real-time |
| Selfie upload + EIV match | ✅ Yes | ✅ Yes | Electronic ID verification + biometric facial match |
| Certified ID & third-party attestation | ✅ Yes | ✅ Yes | Referee certifies identity; must be recent and documented |
| Hybrid: EIV + live call/email/video | ✅ Yes | ✅ Yes | EIV confirms ID; verbal/video interaction links it to the person |


❌ Table of Non-Compliant or Insufficient Methods

These methods may confirm that an identity exists but do not prove who is using it — meaning they fail to meet the requirement to link the person to the claimed identity.

| Method | Why it’s not sufficient |
| --- | --- |
| EIV alone (no selfie/liveness) | Doesn’t link the person to the ID |
| Stored photo ID (no face check) | No way to know who submitted it |
| Document authentication only | Doesn’t confirm presenter |
| “We know them” / prior relationship | Does not constitute identity verification |


🤖 Is biometric verification required?

Not explicitly — but functionally yes, in many remote onboarding scenarios.

Without biometrics or another mechanism for linking the person to their ID, it is difficult for law firms to be satisfied that an individual customer is who they claim to be.


👤 What if the person is already known to us?

That’s not enough.

Even if you have a prior relationship with the client, you must still complete identity verification in accordance with the Act — unless an explicit exemption applies.


⏳ Can law firms delay verification?

No — not under normal circumstances.

From 1 July 2026, under Section 28(1) of the AML/CTF Act, Australian law firms that are captured as reporting entities must verify a customer’s identity before providing any designated service under Tranche 2 (e.g., conveyancing, forming companies, managing client funds — subject to final rules).

Some industries may seek exemptions (e.g., auction-day real estate buyers), but no such exemption currently applies to legal practitioners.

If AUSTRAC introduces any exemptions in the future, law firms must:

  • Clearly document the exemption in their AML/CTF Program, and

  • Complete verification as soon as practicable, with no suspicion arising during the delay.


⚖️ What happens if we don’t comply?

  • Section 28(1) is a civil penalty provision, so failing to comply with it can attract a civil penalty

  • Each unverified onboarding can count as a separate breach

  • Your firm must document your customer due diligence (CDD) approach and justification within your AML/CTF Program


🔹 AUSTRAC Resources


This FAQ is based on available guidance as of March 2025. Obligations may be updated as AUSTRAC finalises the Tranche 2 AML/CTF Rules.
