Australia has pushed age assurance into the headlines with its Social Media Minimum Age scheme — but it’s hardly the only KYC update that will be important in 2026. AUSTRAC’s AML/CTF reforms and the incoming tranche 2 expansion will bring more businesses into scope and raise the bar for what good KYC in Australia looks like.
For organizations that interact with Australian IDs, customers, assets, or payment flows, the theme for 2026 is evidence: being able to show what you did, why you did it, and how you handled the awkward cases, long after onboarding.
Disclaimer! The content provided in this blog post is for informational purposes only and does not constitute legal advice or a legal opinion.
1. Social media minimum age and age assurance
Australian age verification is one of the main reasons the country’s identity and compliance rules have been in the news recently. Under the new Social Media Minimum Age (SMMA) scheme, covered platforms must take “reasonable steps” to stop kids under 16 from creating or keeping accounts, effective December 10th, 2025. It’s worth noting that SMMA is not a separate KYC law, but rather a minimum-age framework added to Australia’s existing Online Safety Act 2021.
If a platform fails to take reasonable steps, the court can impose civil penalties. Government and regulator materials describe penalties of up to AUD 49.5 million (USD 34.4 million) for the most serious failures.
What the law expects from platforms
According to eSafety, an Australian government infoportal, reasonable steps include, but are not limited to:
Layered user choice in verification methods (not a “government ID only” gate).
Strict separation between age assurance artifacts and other identity datasets.
Deletion behavior that is provable through logs and controls.
Controls against re-registration.
Review paths for disputed decisions.
It’s worth noting that applying the storage patterns seen in AML carries risks: a long-retention AML archive and an age assurance dataset with rapid disposal are fundamentally different.
Current implementation examples
Ever since the news about the law came out, we have seen more and more public cases of appropriate measures taken by various platforms.
For example, TikTok now states that users aged 13–15 will no longer be able to hold or create accounts in Australia. What’s more, existing accounts in that age range will be deactivated, and affected users will be prompted with options such as confirming they are 16 or older or downloading their information.

Elsewhere, Snapchat now lets users verify themselves via a third-party provider using multiple routes, including a bank-based “yes/no” confirmation via ConnectID, a government ID scan, or selfie-based age estimation. However, some experts have raised concerns about how verification prompts could be exploited for scams, and what “on-device” processing could mean in practice.

Snapchat addressing SMMA-related questions on their support website. More info can be found at https://help.snapchat.com/hc/en-us/articles/42550358600084-Account-Restrictions-for-Australia-Users.
Meta has also publicly disclosed that it deactivated 544,052 accounts it believed were held by under-16 users across Instagram, Facebook, and Threads during the first phase of implementation, and described ongoing compliance as a “multi-layered process” that it expected to keep refining.
Finally, age checks are also slowly spreading outside social media. ABC reported that search engines would also need to use age assurance for logged-in users under codes registered by eSafety.
2. Changes in “designated services” for AML/CTF purposes
Australia’s AML regulations can be found in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and related rules. As for regulators, two government bodies matter most in this context:
AUSTRAC is Australia’s AML/CTF financial intelligence unit. It supervises businesses that fall within its scope, collects reports, issues guidance, and can take enforcement action.
Home Affairs leads the reform program and publishes materials that firms use for transition planning.
This year, these two organizations will drive the change in who exactly will see AML/CTF scrutiny, and to what extent.
According to KYC requirements in Australia, if a business provides one or more designated services within the country, it becomes a reporting entity. With that label comes the obligation to meet a range of requirements such as having an AML/CTF program and reporting certain transactions and events to AUSTRAC. Moreover, this label has a direct product consequence: a single brand can end up with different KYC rules depending on which designated service is delivered.
In this context, tranche 2 is the most significant change, because it expands the regime into industries that often do not think of themselves as designated services. AUSTRAC’s tranche 2 fact sheet groups new entrants around areas such as real estate, law, accounting, trust and company service providers, and dealers in precious metals and stones (among others), with obligations starting July 1, 2026.

A detailed tranche 2 timeline published by AUSTRAC. More info can be found at https://www.austrac.gov.au/amlctf-reform.
And although many new entrants already collect customer details for fraud or operational reasons, they may not have built an AUSTRAC-style operational backbone: enrollment, written procedures, escalation paths, and evidence records.
3. Increasing scrutiny from AUSTRAC: Robust KYC required more and more often
AUSTRAC has the power to require an external auditor to review a reporting entity’s AML/CTF controls — and lately it has exercised this power more frequently. When it does (and when something goes wrong), we usually hear about it from the news.
Recent examples that have kept AML/KYC in mainstream business news include:
Entain (Ladbrokes, Neds): AUSTRAC commenced civil penalty proceedings in December 2024, alleging serious and systemic non-compliance.
Mounties (pubs and clubs sector): AUSTRAC launched civil penalty proceedings in July 2025, alleging serious and systemic non-compliance.
SkyCity Adelaide (casino): The Federal Court ordered SkyCity Adelaide to pay a $67 million penalty (plus costs) following AUSTRAC proceedings.

Across cases like these, several weak spots are almost universal among organizations lacking robust KYC systems:
Customer risk ratings stop matching how customers actually behave.
Exceptions and overrides become routine and lightly documented.
Higher-risk customers do not trigger consistent extra steps.
Monitoring outputs do not reliably feed back into customer reviews and refresh decisions.
Lesser, but notable actions
Not every AUSTRAC action is a headline: infringement notices and guidance updates are just as important (and even more common), as they shape what teams must build and how they must communicate.
For example, in September 2025, AUSTRAC issued an infringement notice to Revolut Australia for failing to lodge an international funds transfer instruction (IFTI) report on time.
AUSTRAC has also updated its guidance on “tipping off,” with changes taking effect on March 31, 2025. In plain terms, “tipping off” is disclosing protected information in a way that could prejudice an investigation, including by signaling to a customer that they are under review.
Status labels in admin tools, automated emails, in-app banners, support scripts, and even who can see a “suspicious” flag in a dashboard can accidentally reveal more than intended. Product teams usually handle this the same way they handle other sensitive-risk workflows: strict role-based access, neutral customer messaging templates, careful audit logging, and UI language that avoids implying an investigation is underway.
4. Miscellaneous: Supporting identity verification and privacy guardrails
In this section, we have gathered a few minor yet important updates. They are not the cornerstones of KYC in Australia, but they will definitely show up in implementations and vendor due diligence.
Digital ID as regulated infrastructure
Australia’s Digital ID Act 2024 put digital ID on a clearer legal footing and formalized oversight settings. For KYC teams, the practical takeaway is that digital ID can be a strong option for customers who already use it, but it is still one verification method inside a wider AML file.
Digital ID does not remove the need to capture and maintain the pieces that usually drive audit effort: beneficial ownership, authority to act for business customers, a clear “purpose of relationship” narrative, plus sanctions and PEP screening. It also does not shift accountability away from the reporting entity. Even when a third party performs a step, the regulated business still needs a record that explains what was checked, what method was used, and why that method fits the customer’s risk profile.
DVS and FVS under the Identity Verification Services Rules
Australia also has government services that help validate identity attributes, most often discussed as the Document Verification Service (DVS) and Face Verification Service (FVS). The Identity Verification Services Rules 2024 set the framework for their use and participation.
These services are best treated as evidence inputs: they can strengthen confidence in specific attributes, but they do not make the rest of the customer file go away. Teams still need to decide what a given result means for onboarding and monitoring, and they need defensible handling for cases that do not fit neatly, such as coverage gaps and partial or unexpected responses.
Biometric risk under privacy law: the Bunnings case
Australia’s privacy regulator has shown it is willing to take action where facial recognition is used in ways it views as unlawful. In November 2024, the Office of the Australian Information Commissioner (OAIC) stated that Bunnings Group Limited, an Australian hardware and garden center chain, breached privacy law through its use of facial recognition technology, with findings tied to collection and governance expectations around sensitive biometric data.
The lesson is that face-based steps need a clear, reviewable story that connects purpose, user notice, access, and retention. In practice, teams get fewer surprises later when they need to answer, in plain language: what is collected, why it is collected, who can view it, how long it stays in systems, and how deletion works once the purpose is fulfilled.
How Regula helps companies stay compliant in Australia
Australia’s 2026 compliance changes reward teams that treat identity as a reliable evidence system as opposed to a one-time gate.
SMMA turned age verification in Australia into a regulated system with penalties, formal guidance, and privacy limits that apply to vendors as well as platforms. AML/CTF reform and tranche 2 expand AUSTRAC supervision and push more businesses to document, run, and defend their customer due diligence in a way that stays readable long after onboarding.
For many teams, the practical question is not “Which check do we run?” but “What proof do we keep, and how do we keep it without storing more personal data than we need?” The right solution can provide you with two things at once: high-quality verification signals and evidence outputs that auditors and regulators can read.
This is where Regula IDV Platform can step in: it is an end-to-end framework for identity verification and user lifecycle management with flexible orchestration and configurable workflows that can be adapted to all KYC compliance needs.
It brings together the core capabilities required for robust KYC in Australia, including:
Configurable KYC and onboarding workflows, allowing organizations to adjust in line with evolving regulatory requirements and risk policies.
Automated AML and PEP screening as well as custom watch lists, using trusted global data providers.
Document and biometric verification, backed by one of the industry’s largest databases containing 16,000 templates from 254 countries and territories, along with advanced face matching and liveness detection.
Top-rated age estimation (according to NIST) that produces reliable and citable outcomes.
Structured user data management and audit-ready evidence for ongoing monitoring.
Smooth integration with your existing tech stack via flexible connectors.






