In 2022, Bank Negara Malaysia awarded digital bank licences to five applicants: GXBank, Boost Bank, AEON Bank (backed by RHB), KAF Digital, and Zicht. None of these institutions have a branch network. None of them can sit a customer across a desk and photocopy a MyKad. For them, remote identity verification is not a product feature — it is the only way they can onboard a customer at all.

That is why BNM's eKYC framework matters. The question for compliance officers and product teams at these institutions — and at the e-money issuers, remittance operators, and licensed payment service providers that operate under the same rules is not whether to implement eKYC. It is whether the implementation will satisfy BNM when examiners review session logs during an AML/CFT examination.

This guide covers what BNM's eKYC framework requires, where institutions most commonly fall short, and what the rules mean in practice for tiered account access.

The Regulatory Scope of BNM's eKYC Framework

BNM's eKYC Policy Document was first issued in June 2020 and updated in February 2023. It applies to a wide range of supervised institutions:

• Licensed banks and Islamic banks
• Development financial institutions
• E-money issuers operating under the Financial Services Act 2013 — including large operators such as Touch 'n Go eWallet, GrabPay, and Boost
• Money service businesses
• Payment Services Operators (PSOs) licensed under the Payment Systems Act 2003

The policy document sets one overriding standard: eKYC must achieve the same level of identity assurance as face-to-face verification. That standard is not aspirational. It is the benchmark against which BNM examiners assess whether a remote onboarding programme is compliant.

For a deeper grounding in what KYC requires before getting into the eKYC-specific rules, the KYC compliance framework guide covers the foundational requirements.

The Four BNM-Accepted eKYC Methods

BNM's eKYC Policy Document specifies four accepted verification methods. Institutions must implement at least one; many implement two or more to accommodate different customer segments and device capabilities.

Method 1 — Biometric Facial Matching with Document Verification

The customer submits a selfie and an image of their MyKad or passport. The institution's system runs facial recognition to match the selfie against the document photo. Liveness detection is mandatory — passive or active — to prevent spoofing via static photographs, recorded video, or 3D masks.

This is the most widely deployed method among Malaysian digital banks and e-money issuers. It works on any smartphone with a front-facing camera and does not require the customer to be on a live call or to own a device with NFC capability.

Method 2 — Live Video Call Verification

A trained officer conducts a live video interaction with the customer and verifies the customer's face against their identity document in real time. The officer must be trained to BNM's specified standards, and the session must be recorded and retained.

This method provides strong identity assurance but introduces operational cost and throughput constraints. Some institutions use it as a fallback for customers whose biometric verification does not clear automated thresholds.

Method 3 — MyKad NFC Chip Reading

The customer uses their smartphone's NFC reader to read the chip embedded in their MyKad directly. The chip contains the holder's biometric data and personal information, and the read is cryptographically authenticated. BNM considers this the highest assurance eKYC method available under Malaysian national infrastructure.

The constraint is device compatibility: not all smartphones have NFC readers, and the feature must be enabled. Adoption among mass-market customers remains lower than biometric methods as a result.

Method 4 — Government Database Verification

The institution cross-checks customer-provided information against government databases — specifically, JPJ (Jabatan Pengangkutan Jalan, road transport) and JPN (Jabatan Pendaftaran Negara, national registration). If the data matches, the identity is considered verified.

BNM treats this as the lowest-assurance method. Critically, it does not involve any biometric confirmation that the person submitting the data is the same person as the registered identity. BNM restricts Method 4 to lower-risk product tiers, and institutions that apply it to accounts exceeding those tier limits will face examination findings.

Liveness Detection: What BNM Expects

BNM's requirement for liveness detection in biometric methods is explicit in the February 2023 update to the eKYC Policy Document. The requirement exists because static facial matching alone — matching a selfie against a document photo — can be defeated by holding a photograph in front of the camera.

BNM expects institutions to document the accuracy performance of their liveness detection system. The specific thresholds the policy document references are:

• False Acceptance Rate (FAR): below 0.1% — meaning the system incorrectly accepts a spoof attempt in fewer than 1 in 1,000 cases
• False Rejection Rate (FRR): below 10% — meaning genuine customers are incorrectly rejected in fewer than 10 in 100 cases

These are not defaults — they are floors. Institutions must document their actual FAR and FRR in their eKYC programme documentation and must periodically validate those figures, particularly after model updates or changes to the verification vendor.

Third-party eKYC vendors must be on BNM's approved list. An institution using a vendor not on that list — even a globally recognised biometric vendor — does not have a compliant eKYC programme regardless of the vendor's technical capabilities.

Account Tiers and Transaction Limits

BNM applies a risk-based framework that links account access limits to the assurance level of the eKYC method used to open the account. This is not optional configuration — these are regulatory caps.

Tier 1 — Method 4 (Database Verification Only)

• Maximum account balance: MYR 5,000
• Maximum daily transfer limit: MYR 1,000

Tier 2 — Methods 1, 2, or 3 (Biometric Verification)

• E-money accounts: maximum balance of MYR 50,000
• Licensed bank accounts: no regulatory cap on balance (subject to the institution's own risk limits)

If a customer whose account was opened via Method 4 wants to move into Tier 2, they must complete an additional verification step using a biometric method. That upgrade process must be documented and the records retained — the same as any primary onboarding session.

This tiering structure means product decisions about account limits are also compliance decisions. A digital bank that launches a savings product with a MYR 10,000 minimum deposit and relies on Method 4 for onboarding has a compliance problem, not just a product design problem.

Record-Keeping: What Must Be Retained and for How Long

BNM requires that all eKYC sessions be recorded and retained for a minimum of 6 years. The records must include:

• Raw images or video from the verification session
• Facial match confidence scores
• Liveness detection scores
• Verification timestamps
• The outcome of the verification (approved, rejected, referred for manual review)

During AML/CFT examinations, BNM examiners review eKYC session logs. An institution that can demonstrate a successful biometric match but cannot produce the underlying scores and timestamps for that session does not have compliant records. This is a documentation failure, not a technical one and it is one of the more common findings in Malaysian eKYC examinations.

eKYC Within the Broader AML/CFT Programme

A compliant eKYC onboarding process does not discharge an institution's AML/CFT obligations for the full customer lifecycle. BNM's AML/CFT Policy Document — separate from the eKYC Policy Document — requires institutions to apply risk-based customer due diligence (CDD) continuously.

Two areas where this creates friction in eKYC-based operations:

High-risk customers require Enhanced Due Diligence (EDD) that eKYC cannot complete. A customer who is a Politically Exposed Person (PEP), operates in a high-risk jurisdiction, or presents unusual transaction patterns requires EDD. Source of funds verification for these customers cannot be completed through biometric verification alone. Institutions must have documented rules specifying when an eKYC-onboarded customer triggers the EDD workflow — and those rules must be reviewed and enforced in practice, not just documented.

Dormant account reactivation is a re-verification trigger. BNM expects institutions to treat the reactivation of an account dormant for 12 months or more as an event requiring re-verification. This is a common gap: many institutions have onboarding eKYC workflows but no corresponding re-verification process for dormant accounts coming back to active status.

For institutions that have deployed transaction monitoring alongside their eKYC programme, integrating eKYC assurance levels into monitoring rule calibration is good practice — a Tier 1 account that begins transacting at Tier 2 volumes is exactly the kind of pattern that should generate an alert. The transaction monitoring software buyer's guide covers what to look for in a system capable of handling this kind of integrated logic.

Common Implementation Gaps

Based on BNM examination findings and the February 2023 policy document guidance, four gaps appear most frequently in Malaysian eKYC programmes:

1. Using Method 4 for accounts that exceed Tier 1 limits. This is the most consequential gap. If an account opened via database verification reaches a balance above MYR 5,000 or a daily transfer above MYR 1,000, the institution is operating outside the regulatory framework. The fix requires either enforcing hard caps at the product level or requiring biometric re-verification before account limits expand.

2. No liveness detection documentation. An institution that has deployed biometric eKYC but cannot demonstrate to BNM that it tested for spoofing — with documented FAR/FRR figures — does not have a defensible eKYC programme. The technology alone is not enough; the validation and documentation must exist.

3. Third-party eKYC vendor not on BNM's approved list. BNM maintains an approved vendor list for a reason. An institution that integrated a non-listed vendor, even one with strong global credentials, needs to remediate — either by migrating to an approved vendor or by engaging BNM directly on the approval process before continuing to use that vendor for compliant onboarding.

4. No re-verification trigger for dormant account reactivation. Institutions that built their eKYC programme around the onboarding workflow and never implemented re-verification logic for dormant accounts have a gap that BNM examiners will find. This requires both a policy update and a system-level trigger.

What Good eKYC Compliance Looks Like

A compliant eKYC programme in Malaysia has five elements that work together:

1. At least one BNM-accepted verification method, implemented with a BNM-approved vendor and validated to the required FAR/FRR thresholds
2. Hard account tier limits enforced at the product level, with a documented upgrade path that triggers biometric re-verification for Tier 1 accounts requesting higher access
3. Complete session records — images, scores, timestamps, and outcomes — retained for the full 6-year period
4. EDD triggers documented and enforced for high-risk customer categories, including PEPs and high-risk jurisdiction connections
5. Re-verification workflows for dormant accounts reactivating after 12 months of inactivity

Meeting all five is not a one-time project. BNM expects periodic validation of vendor performance, regular review of threshold calibration, and documented sign-off from a named senior officer on the state of the eKYC programme.

For Malaysian institutions building or reviewing their eKYC programme, Tookitaki's AML compliance platform combines eKYC verification with transaction monitoring and ongoing risk assessment in a single integrated environment — designed for the requirements BNM examiners actually check. Book a demo to see how it works in a Malaysian digital bank or e-money context, or read our KYC framework overview for a broader view of where eKYC sits within the full compliance programme.

The profits looked real. The numbers kept climbing. And that was exactly the trap.

The Scam That Looked Legit — Until It Wasn’t

She watched her investment grow to NT$250 million.

The numbers were right there on the screen.

So she did what most people would do, she invested more.

The victim, a retired teacher in Taipei, wasn’t chasing speculation. She was responding to what looked like proof.

According to a report by Taipei Times, this was part of a broader scam uncovered by authorities in Taiwan — one that used a fake investment app to simulate profits and systematically extract funds from victims.

The platform showed consistent gains.
At one point, balances appeared to reach NT$250 million.

It felt credible.
It felt earned.

So the investments continued — through bank transfers, and in some cases, through cash and even gold payments.

By the time the illusion broke, the numbers had disappeared.

Because they were never real.

Inside the Illusion: How the Fake Investment App Worked

What makes this case stand out is not just the deception, but the way it was engineered.

This was not a simple scam.
It was a controlled financial experience designed to build belief over time.

1. Entry Through Trust

Victims were introduced through intermediaries, referrals, or online channels. The opportunity appeared exclusive, structured, and credible.

2. A Convincing Interface

The app mirrored legitimate investment platforms — dashboards, performance charts, transaction histories. Everything a real investor would expect.

3. Fabricated Gains

After initial deposits, the app began showing steady returns. Not unrealistic at first — just enough to build confidence.

Then the numbers accelerated.

At its peak, some victims saw balances of NT$250 million.

4. The Reinforcement Loop

Each increase in displayed profit triggered the same response:

“This is working.”

And that belief led to more capital.

5. Expanding Payment Channels

To sustain the operation and reduce traceability, victims were asked to invest through:

• Bank transfers
• Cash payments
• Gold and other physical assets

This fragmented the financial trail and pushed parts of it outside the system.

6. Exit Denied

When withdrawals were attempted, friction appeared — delays, additional charges, or silence.

The platform remained convincing.
But it was never connected to real markets.

Why This Scam Is a Step Ahead

This is where the model shifts.

Fraud is no longer just about convincing someone to invest.
It is about showing them that they already made money.

That changes the psychology completely.

• Victims are not acting on promises
• They are reacting to perceived success

The app becomes the source of truth.This is not just deception. It is engineered belief, reinforced through design.

For financial institutions, this creates a deeper challenge.

Because the transaction itself may appear completely rational —
even prudent — when viewed in isolation.

Following the Money: A Fragmented Financial Trail

From an AML perspective, scams like this are designed to leave behind incomplete visibility.

Likely patterns include:

• Repeated deposits into accounts linked to the network
• Gradual increase in transaction size as confidence builds
• Use of multiple beneficiary accounts to distribute funds
• Rapid movement of funds across accounts
• Partial diversion into cash and gold, breaking traceability
• Behaviour inconsistent with customer financial profiles

What makes detection difficult is not just the layering.

It is the fact that part of the activity is deliberately moved outside the financial system.

Red Flags Financial Institutions Should Watch

Transaction-Level Indicators

• Incremental increase in investment amounts over short periods
• Transfers to newly introduced or previously unseen beneficiaries
• High-value transactions inconsistent with past behaviour
• Rapid outbound movement of funds after receipt
• Fragmented transfers across multiple accounts

Behavioural Indicators

• Customers referencing unusually high or guaranteed returns
• Strong conviction in an investment without verifiable backing
• Repeated fund transfers driven by urgency or perceived gains
• Resistance to questioning or intervention

Channel & Activity Indicators

• Use of unregulated or unfamiliar investment applications
• Transactions initiated based on external instructions
• Movement between digital transfers and physical asset payments
• Indicators of coordinated activity across unrelated accounts

The Real Challenge: When the Illusion Lives Outside the System

This is where traditional detection models begin to struggle.

Financial institutions can analyse:

• Transactions
• Account behaviour
• Historical patterns

But in this case, the most important factor, the fake app displaying fabricated gains — exists entirely outside their field of view.

By the time a transaction is processed:

• The customer is already convinced
• The action appears legitimate
• The risk signal is delayed

And detection becomes reactive.

Where Technology Must Evolve

To address scams like this, financial institutions need to move beyond static rules.

Detection must focus on:

• Behavioural context, not just transaction data
• Progressive signals, not one-off alerts
• Network-level intelligence, not isolated accounts
• Real-time monitoring, not post-event analysis

This is where platforms like Tookitaki’s FinCense make a difference.

By combining:

• Scenario-driven detection built from real-world scams
• AI-powered behavioural analytics
• Cross-entity monitoring to uncover hidden connections
• Real-time alerting and intervention

…institutions can begin to detect early-stage risk, not just final outcomes.

From Fabricated Gains to Real Losses

For the retired teacher in Taipei, the app told a simple story.

It showed growth.
It showed profit.
It showed certainty.

But none of it was real.

Because in scams like this, the system does not fail first.

Belief does.

And by the time the transaction looks suspicious,
it is already too late.

You've read the AML/CTF Act. You've reviewed the AUSTRAC guidance notes. You know what KYC is. What you're less certain about is what AUSTRAC's CDD rules actually require in practice — specifically what "ongoing monitoring" means operationally, and whether your current programme would hold up under examination scrutiny.

That gap between understanding the concept and knowing what "compliant" looks like in an AUSTRAC context is precisely where most examination findings originate.

This guide covers the specific obligations under Australian law: the identification requirements, the three CDD tiers, what ongoing monitoring actually demands of your team, and what AUSTRAC examiners consistently find wrong. For a definition of KYC and its foundational elements, see our KYC guide. This article focuses on what those principles look like under Australian law.

AUSTRAC's KYC Legal Framework

KYC obligations for Australian reporting entities flow from three primary sources. Using the right citations matters when you are writing policies, responding to AUSTRAC inquiries, or preparing for examination.

The AML/CTF Act 2006, Part 2 establishes the core customer due diligence obligations. It requires reporting entities to collect and verify customer identity before providing a designated service, and to conduct ongoing customer due diligence throughout the relationship.

The AML/CTF Rules, made under section 229 of the Act, contain the operational requirements. Part 4 sets out the customer identification procedures — the specific information to collect, the acceptable verification methods, and the document retention obligations. Part 7 covers ongoing customer due diligence, including the circumstances that trigger a review of existing customer information.

AUSTRAC's Guidance Note: Customer Identification and Verification (2023) provides AUSTRAC's interpretation of how the rules apply in practice. It is not law, but AUSTRAC examiners treat it as the standard they expect to see reflected in institution procedures. Where a compliance programme diverges from the guidance note without documented rationale, that divergence will require explanation.

Step 1: What AUSTRAC's Customer Identification Rules Require

Under Part 4 of the AML/CTF Rules, identification requirements differ depending on whether the customer is an individual or a legal entity.

Individual Customers

For individual customers, your programme must collect:

• Full legal name
• Date of birth
• Residential address

Verification for individuals can be completed by one of two methods. The first is document-based verification: a current government-issued photo ID — an Australian passport, a foreign passport, or a current Australian driver's licence. The second is electronic verification, which allows an institution to verify identity against government and commercial databases without requiring a physical document. AUSTRAC's 2023 guidance note confirms that electronic verification satisfies the requirement under Part 4, subject to the provider meeting the reliability standards set out in the guidance.

Corporate and Entity Customers

For companies, the identification requirements extend beyond the entity itself. Under Part 4, you must collect:

• Australian Business Number (ABN) or Australian Company Number (ACN)
• Registered address
• Principal place of business

You must also identify and verify ultimate beneficial owners (UBOs): individuals who own or control 25% or more of the entity, directly or indirectly. This threshold is set out in the AML/CTF Rules and mirrors the FATF standard. For entities with complex ownership structures — layered trusts, offshore holding companies — the tracing obligation runs to the natural person at the end of the chain, not just to the first corporate layer.

Document Retention

Part 4 requires all identification records to be retained for seven years from the date the business relationship ends or the transaction is completed. This applies to both the information collected and the verification outcome.

The Three CDD Tiers: AUSTRAC's Risk-Based Approach

AUSTRAC's AML/CTF framework is explicitly risk-based. The AML/CTF Act and Rules do not prescribe a single set of procedures for all customers — they require procedures calibrated to the risk the customer presents. In practice, this means three tiers.

Simplified CDD

Simplified CDD applies to customers who present demonstrably low money laundering and terrorism financing risk. The AML/CTF Rules identify specific categories where simplified procedures are permitted: listed companies on a recognised exchange, government bodies, and regulated financial institutions.

For these customers, full verification is still required. What changes is the scope and intensity of ongoing monitoring — institutions may apply reduced monitoring frequency and lighter risk-rating review schedules. The key requirement is that the basis for applying simplified CDD is documented in your risk assessment. AUSTRAC examiners do not accept "it's a listed company" as a sufficient standalone rationale. They expect to see it connected to a documented assessment of the specific risk factors.

Standard CDD

Standard CDD is the default for retail customers — individuals and small businesses who do not fall into a simplified or elevated risk category. It requires:

• Full identification and verification in line with Part 4
• A risk assessment at onboarding, documented in the customer file
• Ongoing monitoring proportionate to the risk rating assigned

The risk assessment does not need to be elaborate for a standard-risk customer, but it needs to exist. AUSTRAC examinations consistently find that standard CDD procedures are applied as a collection exercise — gather the documents, tick the boxes — without any documented risk assessment. That is an examination finding waiting to happen.

Enhanced Due Diligence (EDD)

EDD is required for customers who present heightened money laundering or terrorism financing risk. The AML/CTF Rules and AUSTRAC's guidance identify specific categories — see the next section — but the list is not exhaustive. Your AML/CTF programme must define your own EDD triggers based on your business model and customer base.

EDD requirements include:

• Verification of source of funds and source of wealth — not just collecting a declaration, but taking reasonable steps to corroborate it
• Senior management approval for onboarding or continuing a relationship with an EDD customer. This requirement is not a formality; AUSTRAC expects the approving officer to have reviewed the risk assessment, not merely signed it
• Enhanced ongoing monitoring — higher frequency of transaction review, more frequent risk-rating reviews, and documented rationale for each review outcome

High-Risk Customer Categories AUSTRAC Specifically Flags

AUSTRAC's guidance identifies several customer types that require EDD as a matter of policy, regardless of other risk factors.

Politically Exposed Persons (PEPs) — both domestic and foreign — are a mandatory EDD category. The AML/CTF Rules adopt the FATF definition: individuals who hold or have held prominent public functions, and their immediate family members and close associates. Note that domestic PEPs are in scope. An Australian federal minister or senior judicial officer requires the same EDD treatment as a foreign head of state.

Customers from FATF grey-listed or black-listed jurisdictions — countries subject to FATF's enhanced monitoring or countermeasures — require EDD. The applicable list changes as FATF updates its public statements. Your programme needs a documented process for updating the list and re-assessing affected customers when it changes.

Cash-intensive businesses — gaming venues, car dealers, cash-based retailers — present elevated money laundering risk and require EDD regardless of their ownership structure or trading history.

Non-face-to-face onboarded customers — where there has been no in-person identity verification — require additional verification steps to compensate for the elevated identity fraud risk. Electronic verification through a robust provider can satisfy this, but the file should document the method used and why it was considered sufficient.

Trust structures and shell companies — particularly those with nominee directors, bearer shares, or complex layered ownership — require full UBO tracing and documented assessment of why the structure exists. AUSTRAC's 2023 guidance note specifically calls out trusts as an area where UBO identification has been inadequate in practice.

Ongoing Monitoring: What AUSTRAC Actually Requires

Ongoing customer due diligence under Part 7 of the AML/CTF Rules has two distinct components, and examination findings show institutions frequently confuse them.

Transaction Monitoring

Your monitoring must be calibrated to each customer's risk profile and stated purpose of account. A remittance customer who stated they send money home monthly should be assessed against that baseline. Transactions that diverge from it — large inbound transfers, payments to unrelated third parties, rapid cycling of funds — require investigation.

The obligation here is not simply to run a transaction monitoring system. It is to ensure the system's parameters reflect what you know about the customer. AUSTRAC examiners ask: when did you last update this customer's risk profile, and are your monitoring rules still calibrated to it?

For AUSTRAC's specific transaction monitoring obligations and how to build a programme that meets them, see our AUSTRAC transaction monitoring requirements guide.

Re-KYC Triggers

Part 7 requires institutions to keep customer information current. AUSTRAC's guidance identifies specific events that should trigger a review of existing customer information:

• Material change in customer circumstances — change of beneficial ownership, change of business activity, change of registered address
• Risk rating review — when a periodic review results in a change to the customer's risk rating
• Dormant account reactivation — where an account that has been inactive for an extended period is reactivated
• Periodic review for high-risk customers — EDD customers require scheduled re-KYC regardless of whether a trigger event has occurred. AUSTRAC's guidance suggests annual review as a minimum for high-risk customers, though institutions should set intervals based on their own risk assessment

The examination question AUSTRAC asks on ongoing monitoring is pointed: does your customer's risk assessment reflect who they are today, or who they were when they first onboarded? If the answer is the latter for a significant proportion of your customer book, that is a programme-level finding.

Tranche 2: What the AML/CTF Amendment Act 2024 Means for Banks

The AML/CTF Amendment Act 2024 — often called Tranche 2 — extended AML/CTF obligations to lawyers, accountants, real estate agents, and dealers in precious metals and stones. These entities became reporting entities in 2025, with full compliance required by 2026.

For banks and financial institutions already under AUSTRAC supervision, Tranche 2 creates two practical consequences.

First, PEP screening pressure increases. Newly regulated sectors are now required to identify PEPs in their customer bases. PEPs who were previously managing their financial affairs through unregulated advisers — legal firms, accounting practices — are now being identified and reported. Banks should expect an increase in STR activity related to existing customers who are now PEPs of record in other regulated sectors.

Second, documentation standards for high-risk corporate customers rise. A bank customer who is a large corporate connected to Tranche 2 entities — a property developer using a law firm and an accountant — now operates in a broader regulatory environment. Banks should review their EDD procedures for such customers to confirm that source of wealth verification accounts for the full range of the customer's business relationships, not just the bank relationship in isolation.

Common AUSTRAC Examination Findings on KYC/CDD

AUSTRAC's published enforcement actions and examination feedback reveal four findings that appear repeatedly.

Outdated customer information. Long-standing customers — those onboarded five or more years ago — frequently have no re-KYC on file. The identification records collected at onboarding are accurate for the person who walked in then. Whether they are accurate for the customer today has not been assessed. This is a programme design failure, not a one-off oversight.

Inadequate UBO identification for corporate customers. The 25% threshold is understood. The practical problem is tracing it. Institutions often stop at the first corporate layer and accept a director's declaration that no individual holds a 25%+ interest. AUSTRAC expects institutions to take reasonable steps to corroborate that declaration — corporate registry searches, publicly available ownership information, cross-referencing against disclosed group structures.

Inconsistent EDD for PEPs. PEP procedures that look robust on paper frequently break down in application. The common failure is not identifying PEPs at all — it is applying EDD to foreign PEPs but not domestic PEPs, or applying EDD at onboarding but not at periodic review, or documenting source of wealth declarations without any corroboration step.

No documented rationale for risk tier assignment. Institutions that assign customers to standard or simplified CDD tiers without documented rationale are exposed. If an examiner picks up a file and asks "why was this customer not flagged for EDD?", the answer needs to be in the file. "We assessed the risk at onboarding" is not an answer. The documented risk factors, the conclusion, and the sign-off from the responsible officer need to be there.

Building a Programme That Holds Up Under Examination

The gap between a technically compliant KYC programme and one that holds up under AUSTRAC examination is documentation and process. The legal requirements are specific. The examination question is whether your procedures implement them consistently, and whether your files show that they did.

For compliance officers building or reviewing their CDD programme, two resources cover the adjacent obligations in detail: the AUSTRAC transaction monitoring requirements guide covers the monitoring obligations that flow from CDD risk ratings, and the transaction monitoring software buyers guide covers the technology decisions that determine whether monitoring is operationally viable at scale.

If you want to assess whether your current KYC and CDD programme meets AUSTRAC's requirements in practice book a demo with Tookitaki to see how our FinCense platform helps Australian financial institutions build risk-based CDD programmes that operate at scale without sacrificing documentation quality.