KYC Compliance for Mortgage Brokers: Your AUSTRAC Obligations Explained

Mortgage brokers in Australia operate at the intersection of consumer finance and regulatory compliance. As reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), mortgage brokers have had KYC (Know Your Customer) obligations for years. However, the regulatory landscape continues to evolve, with AUSTRAC increasing its supervisory focus on the broking sector and the broader Tranche 2 reforms raising the bar for all reporting entities. This guide explains your AUSTRAC obligations in full, with practical guidance on building and maintaining a compliant KYC program.

What Are the AUSTRAC KYC Requirements for Mortgage Brokers?

Mortgage brokers are classified as reporting entities under the AML/CTF Act because they provide designated services related to lending and financial arrangements. As a reporting entity, you must comply with AUSTRAC's customer due diligence requirements, which are collectively known as KYC (Know Your Customer) obligations.

Your core KYC obligations include:

Customer identification: Collecting sufficient information to establish the identity of each customer before you provide a designated service
Customer verification: Verifying the customer's identity using reliable and independent documentation or electronic data sources
Beneficial owner identification: Identifying and taking reasonable steps to verify the identity of any beneficial owners of entity clients (companies, trusts, partnerships)
Ongoing customer due diligence: Keeping customer information current and monitoring the business relationship for unusual or suspicious activity
Record keeping: Retaining all identification, verification, and transaction records for a minimum of seven years
Suspicious matter reporting: Filing suspicious matter reports (SMRs) with AUSTRAC when you form a suspicion on reasonable grounds that a transaction or matter may be related to money laundering, terrorism financing, or other serious criminal offences
AML/CTF program: Maintaining a documented AML/CTF program covering both Part A (customer due diligence and internal controls) and Part B (employee training)

These obligations apply to all mortgage brokers, whether you operate as a sole trader, a small brokerage, or part of a larger aggregator network. The size of your business may influence the scale and complexity of your compliance program, but the core obligations do not change.

How Does the 2+2 Identification Standard Apply to Mortgage Brokers?

The 2+2 standard is the minimum identification requirement under the AML/CTF Rules for verifying the identity of individual customers. It requires you to verify at least two identifying attributes (such as full name and date of birth) from at least two different reliable and independent data sources.

In practice, this means collecting at least two forms of identification from different categories and verifying them against the issuing agency's records.

What Counts as a Reliable Data Source?

For electronic verification, a reliable data source is one that is accurate, current, and independent. The primary electronic data sources used in Australia are those accessible through the Document Verification Service (DVS), which connects to government issuing agencies including state transport departments, the Department of Foreign Affairs and Trade, and Services Australia.

For document-based verification, a reliable data source is the original government-issued document itself. You must sight the original document, confirm it appears genuine, and record the relevant details.

Common 2+2 Document Combinations for Mortgage Brokers

The most common document combinations used by mortgage brokers to satisfy the 2+2 standard include:

Driver licence + passport: Verifies full name, date of birth, and photograph from two independent government agencies
Driver licence + Medicare card: Verifies full name and date of birth from two sources, with the driver licence providing a photograph
Passport + birth certificate: Verifies full name and date of birth from two sources, useful for customers who do not hold a driver licence
Driver licence + citizenship certificate: Appropriate for naturalised Australian citizens

For electronic verification through Australian Identity Solutions, you simply enter the document details into our platform. DVS checks them against the issuing agency's records in seconds, and the result is logged automatically.

Entity Verification

When your customer is a company, trust, partnership, or other legal entity, you must also:

Verify the entity's existence through an independent source (e.g., ASIC company search, trust deed review, ABN lookup)
Identify and verify the identity of the beneficial owners (individuals who own 25 percent or more, or exercise effective control)
Identify and verify the identity of the person authorised to instruct you on behalf of the entity
For trusts, identify the trustee, settlor, appointor (if any), and beneficiaries or classes of beneficiaries

What Must Be Included in a Mortgage Broker's AML/CTF Program?

Every mortgage broker must have a documented AML/CTF program that is tailored to their business. The program must be in writing, be approved by a senior member of the business (or the business owner for sole traders), and be reviewed and updated regularly to ensure it remains current and effective.

Part A: Customer Identification and Risk Management

Your Part A program must cover:

Customer identification procedures: Detailed steps for how your business will collect and verify customer identity information, including the documents accepted, the verification methods used (electronic or manual), and the procedures for different customer types (individuals, companies, trusts).

Risk assessment methodology: How you assess the money laundering and terrorism financing risks associated with your customer base, the services you provide, and the channels through which you deliver them. Your risk assessment should consider factors including customer geography, transaction types and values, source of funds, and any industry-specific risk indicators.

Enhanced due diligence triggers: The circumstances in which your standard verification process is insufficient and enhanced measures are required. Common triggers include high-risk countries, complex ownership structures, unusual transaction patterns, customers who are politically exposed persons (PEPs), and situations where source of funds cannot be readily established.

Ongoing customer due diligence procedures: How you will keep customer information current, monitor for changes in risk profile, and detect potentially suspicious activity throughout the business relationship.

Record-keeping policies: How you will store, secure, and manage compliance records to meet the seven-year retention requirement.

Reporting procedures: Internal processes for identifying, escalating, and filing suspicious matter reports with AUSTRAC, including the role of the AML/CTF compliance officer.

Part B: Employee Training

Your Part B program must ensure that all employees who provide designated services or who may identify suspicious matters receive adequate training. The training must cover:

Your AML/CTF obligations under the Act and Rules
Your business's specific AML/CTF program and procedures
How to identify suspicious behaviour and transaction patterns
How to report concerns internally
The consequences of non-compliance, both for the business and for individuals

Training must be provided to new employees before they commence providing designated services, and ongoing training must be delivered at regular intervals (AUSTRAC recommends at least annually) and whenever there are material changes to your program.

For sole traders and small brokerages, Part B may be relatively simple, but it must still be documented. Even if you are a one-person operation, you should document that you have completed relevant AML/CTF training and maintain records of this.

What Does Ongoing Customer Due Diligence Look Like for Brokers?

KYC is not a one-time event. AUSTRAC requires mortgage brokers to conduct ongoing customer due diligence (CDD) throughout the duration of the business relationship. This means your obligations extend beyond the initial loan application and settlement process.

Ongoing CDD for mortgage brokers includes:

Keeping customer information current: If you become aware that a customer's details have changed (such as a change of name, address, or contact information), update your records accordingly. If you provide ongoing services to the customer (such as refinancing or additional borrowing), re-verify their identity if the existing verification is outdated or if you have concerns about its accuracy.

Transaction monitoring: Monitor the transactions and interactions you have with customers for unusual patterns. For mortgage brokers, this might include applications with inconsistent information, unusually rapid refinancing, customers seeking to settle in unusual ways, or instructions that do not align with the customer's stated circumstances.

Reassessing risk: Periodically reassess the risk profile of your customer base. If a customer's circumstances change materially, or if new information comes to light that affects the risk assessment, apply enhanced due diligence as appropriate.

Detecting suspicious matters: Remain alert to indicators of potential money laundering or terrorism financing. Suspicious matter indicators relevant to mortgage brokers include:

Applications where the source of deposit funds is unclear or inconsistent with the customer's stated income
Customers who are unusually insistent on particular settlement arrangements
Third parties providing funds for deposits or repayments without a clear legitimate reason
Complex loan structures that appear designed to obscure the true source of funds
Customers who are reluctant to provide identification or provide inconsistent information
Transactions involving properties in high-risk locations or with values that appear inconsistent with the property's characteristics

If you form a suspicion on reasonable grounds, you must file a suspicious matter report (SMR) with AUSTRAC within the prescribed timeframes. You must not disclose to the customer that an SMR has been filed (this is known as the "tipping off" prohibition).

Why Is Seven-Year Record Retention Critical?

Under the AML/CTF Act, mortgage brokers must retain all relevant records for a minimum of seven years. This includes:

Customer identification records: The documents collected, verification results, and any additional due diligence information
Transaction records: Details of the designated services provided, including loan applications, correspondence, and settlement information
AML/CTF program documentation: Your current and previous AML/CTF programs, risk assessments, and any amendments
Training records: Evidence that employees have received AML/CTF training, including dates, content covered, and attendance
Suspicious matter reports: Copies of any SMRs filed, along with supporting documentation and internal investigation notes

The seven-year period begins from the date the relevant record was created or the relevant transaction was completed. For customer identification records, the seven-year period runs from the date the business relationship with the customer ends.

Proper record keeping is not just a compliance box to tick. It is your primary evidence of compliance if AUSTRAC conducts an examination or investigation of your business. Incomplete or poorly maintained records are one of the most common findings in AUSTRAC compliance examinations and can lead to enforcement action in their own right.

Australian Identity Solutions automatically retains all verification records with full audit trails, timestamps, and document details for the required retention period. Records are stored securely in Australian data centres and can be retrieved instantly for compliance reviews or AUSTRAC examinations.

How Do Aggregator and Franchise Models Affect Compliance?

Many mortgage brokers operate under aggregator or franchise arrangements. While aggregators may provide compliance resources, templates, and guidance, the legal obligation to comply with the AML/CTF Act rests with the reporting entity, which is typically the individual broker or the brokerage company.

Key considerations for brokers in aggregator networks:

Responsibility is not delegated: Even if your aggregator provides an AML/CTF program template, you are responsible for ensuring the program is tailored to your specific business, implemented in practice, and kept up to date
Technology access: Some aggregators provide access to identity verification tools through their platforms. Confirm whether these tools meet the DVS-connected, 2+2 verification standard required by AUSTRAC
Training: Aggregator-provided training can contribute to your Part B program, but you should confirm it covers all required topics and is delivered at appropriate intervals
Record keeping: Ensure you have access to and control over your compliance records, even if they are stored on the aggregator's systems. If you leave the aggregator, you need to retain access to records for the seven-year period

If your aggregator does not provide adequate compliance support, or if you want to supplement their offering with more robust identity verification capabilities, Australian Identity Solutions offers standalone DVS verification that can be used independently of or alongside aggregator systems.

What Penalties Do Mortgage Brokers Face?

AUSTRAC has a range of enforcement tools for non-compliant reporting entities, and mortgage brokers are not exempt from scrutiny. The penalties framework is consistent with that described in our Tranche 2 guide, with maximum civil penalties of up to AUD 28.2 million per contravention for corporations and AUD 5.64 million for individuals.

In practice, AUSTRAC's enforcement approach for smaller reporting entities tends to focus on:

Education and engagement: AUSTRAC conducts sector-specific outreach programs and publishes guidance to help reporting entities understand their obligations
Compliance assessments: AUSTRAC may conduct desktop or on-site examinations to assess your compliance. The outcomes can range from informal recommendations to formal remedial directions
Infringement notices: For specific, less serious breaches, AUSTRAC can issue infringement notices carrying penalties of thousands of dollars
Remedial directions: AUSTRAC can direct you to take specific steps to bring your business into compliance, at your own expense
Civil penalty proceedings: For serious or systemic non-compliance, AUSTRAC can pursue civil penalties through the Federal Court

The cost of compliance is a fraction of the cost of enforcement. Investing in a robust KYC program and reliable verification technology is the most effective risk mitigation strategy available to mortgage brokers.

How Can Australian Identity Solutions Help Mortgage Brokers?

Australian Identity Solutions provides a streamlined identity verification platform designed for the specific needs of Australian mortgage brokers.

Our platform enables you to:

Verify customer identities in seconds using DVS-connected electronic verification of driver licences, passports, Medicare cards, and other government-issued documents
Meet the 2+2 standard consistently with guided verification workflows that ensure all required checks are completed
Verify entity clients and beneficial owners through structured workflows covering companies, trusts, partnerships, and other legal structures
Maintain compliant records automatically with seven-year retention, secure Australian hosting, and instant retrieval for audits and AUSTRAC examinations
Integrate with your existing systems through our API, or use our simple web-based dashboard for manual verifications
Scale as your business grows with pay-per-verification pricing and no lock-in contracts. Check our pricing page for current rates

Whether you are a sole trader broker or part of a larger aggregator network, AIS provides the verification capability you need to meet your AUSTRAC obligations without adding complexity to your client experience.

Key Takeaways

Mortgage brokers are reporting entities under the AML/CTF Act with comprehensive KYC obligations including customer identification, verification, ongoing due diligence, and suspicious matter reporting
The 2+2 identification standard requires verifying at least two identifying attributes from two independent, reliable data sources, most effectively done through DVS-connected electronic verification
Your AML/CTF program must include Part A (customer identification, risk assessment, ongoing CDD, record keeping, reporting) and Part B (employee training), documented, approved, and regularly reviewed
Ongoing customer due diligence is mandatory, including keeping customer information current, monitoring for unusual activity, and filing suspicious matter reports when warranted
All compliance records must be retained for at least seven years, including identification records, transaction records, program documentation, training records, and SMR files
Operating under an aggregator does not transfer your compliance obligations; you remain responsible for ensuring your AML/CTF program is tailored, implemented, and maintained
Penalties for non-compliance are significant, ranging from infringement notices to civil penalties of millions of dollars, plus the reputational damage of enforcement action
Electronic identity verification through Australian Identity Solutions provides the fastest, most accurate, and most cost-effective way for mortgage brokers to meet their AUSTRAC KYC obligations

Compliance is not optional, but it does not have to be onerous. With the right processes and technology in place, KYC becomes a natural part of your client engagement workflow that protects your business, your clients, and the integrity of the financial system. Get started with Australian Identity Solutions today.

What Are the AUSTRAC KYC Requirements for Mortgage Brokers?

Your core KYC obligations include:

Customer identification: Collecting sufficient information to establish the identity of each customer before you provide a designated service
Customer verification: Verifying the customer's identity using reliable and independent documentation or electronic data sources
Beneficial owner identification: Identifying and taking reasonable steps to verify the identity of any beneficial owners of entity clients (companies, trusts, partnerships)
Ongoing customer due diligence: Keeping customer information current and monitoring the business relationship for unusual or suspicious activity
Record keeping: Retaining all identification, verification, and transaction records for a minimum of seven years
Suspicious matter reporting: Filing suspicious matter reports (SMRs) with AUSTRAC when you form a suspicion on reasonable grounds that a transaction or matter may be related to money laundering, terrorism financing, or other serious criminal offences
AML/CTF program: Maintaining a documented AML/CTF program covering both Part A (customer due diligence and internal controls) and Part B (employee training)

How Does the 2+2 Identification Standard Apply to Mortgage Brokers?

In practice, this means collecting at least two forms of identification from different categories and verifying them against the issuing agency's records.

What Counts as a Reliable Data Source?

Common 2+2 Document Combinations for Mortgage Brokers

The most common document combinations used by mortgage brokers to satisfy the 2+2 standard include:

Driver licence + passport: Verifies full name, date of birth, and photograph from two independent government agencies
Driver licence + Medicare card: Verifies full name and date of birth from two sources, with the driver licence providing a photograph
Passport + birth certificate: Verifies full name and date of birth from two sources, useful for customers who do not hold a driver licence
Driver licence + citizenship certificate: Appropriate for naturalised Australian citizens

Entity Verification

When your customer is a company, trust, partnership, or other legal entity, you must also:

Verify the entity's existence through an independent source (e.g., ASIC company search, trust deed review, ABN lookup)
Identify and verify the identity of the beneficial owners (individuals who own 25 percent or more, or exercise effective control)
Identify and verify the identity of the person authorised to instruct you on behalf of the entity
For trusts, identify the trustee, settlor, appointor (if any), and beneficiaries or classes of beneficiaries

What Must Be Included in a Mortgage Broker's AML/CTF Program?

Part A: Customer Identification and Risk Management

Your Part A program must cover:

Record-keeping policies: How you will store, secure, and manage compliance records to meet the seven-year retention requirement.

Reporting procedures: Internal processes for identifying, escalating, and filing suspicious matter reports with AUSTRAC, including the role of the AML/CTF compliance officer.

Part B: Employee Training

Your Part B program must ensure that all employees who provide designated services or who may identify suspicious matters receive adequate training. The training must cover:

Your AML/CTF obligations under the Act and Rules
Your business's specific AML/CTF program and procedures
How to identify suspicious behaviour and transaction patterns
How to report concerns internally
The consequences of non-compliance, both for the business and for individuals

What Does Ongoing Customer Due Diligence Look Like for Brokers?

Ongoing CDD for mortgage brokers includes:

Detecting suspicious matters: Remain alert to indicators of potential money laundering or terrorism financing. Suspicious matter indicators relevant to mortgage brokers include:

Applications where the source of deposit funds is unclear or inconsistent with the customer's stated income
Customers who are unusually insistent on particular settlement arrangements
Third parties providing funds for deposits or repayments without a clear legitimate reason
Complex loan structures that appear designed to obscure the true source of funds
Customers who are reluctant to provide identification or provide inconsistent information
Transactions involving properties in high-risk locations or with values that appear inconsistent with the property's characteristics

Why Is Seven-Year Record Retention Critical?

Under the AML/CTF Act, mortgage brokers must retain all relevant records for a minimum of seven years. This includes:

Customer identification records: The documents collected, verification results, and any additional due diligence information
Transaction records: Details of the designated services provided, including loan applications, correspondence, and settlement information
AML/CTF program documentation: Your current and previous AML/CTF programs, risk assessments, and any amendments
Training records: Evidence that employees have received AML/CTF training, including dates, content covered, and attendance
Suspicious matter reports: Copies of any SMRs filed, along with supporting documentation and internal investigation notes

How Do Aggregator and Franchise Models Affect Compliance?

Key considerations for brokers in aggregator networks:

Responsibility is not delegated: Even if your aggregator provides an AML/CTF program template, you are responsible for ensuring the program is tailored to your specific business, implemented in practice, and kept up to date
Technology access: Some aggregators provide access to identity verification tools through their platforms. Confirm whether these tools meet the DVS-connected, 2+2 verification standard required by AUSTRAC
Training: Aggregator-provided training can contribute to your Part B program, but you should confirm it covers all required topics and is delivered at appropriate intervals
Record keeping: Ensure you have access to and control over your compliance records, even if they are stored on the aggregator's systems. If you leave the aggregator, you need to retain access to records for the seven-year period

What Penalties Do Mortgage Brokers Face?

In practice, AUSTRAC's enforcement approach for smaller reporting entities tends to focus on:

Education and engagement: AUSTRAC conducts sector-specific outreach programs and publishes guidance to help reporting entities understand their obligations
Compliance assessments: AUSTRAC may conduct desktop or on-site examinations to assess your compliance. The outcomes can range from informal recommendations to formal remedial directions
Infringement notices: For specific, less serious breaches, AUSTRAC can issue infringement notices carrying penalties of thousands of dollars
Remedial directions: AUSTRAC can direct you to take specific steps to bring your business into compliance, at your own expense
Civil penalty proceedings: For serious or systemic non-compliance, AUSTRAC can pursue civil penalties through the Federal Court

How Can Australian Identity Solutions Help Mortgage Brokers?

Australian Identity Solutions provides a streamlined identity verification platform designed for the specific needs of Australian mortgage brokers.

Our platform enables you to:

Verify customer identities in seconds using DVS-connected electronic verification of driver licences, passports, Medicare cards, and other government-issued documents
Meet the 2+2 standard consistently with guided verification workflows that ensure all required checks are completed
Verify entity clients and beneficial owners through structured workflows covering companies, trusts, partnerships, and other legal structures
Maintain compliant records automatically with seven-year retention, secure Australian hosting, and instant retrieval for audits and AUSTRAC examinations
Integrate with your existing systems through our API, or use our simple web-based dashboard for manual verifications
Scale as your business grows with pay-per-verification pricing and no lock-in contracts. Check our pricing page for current rates

Key Takeaways

Mortgage brokers are reporting entities under the AML/CTF Act with comprehensive KYC obligations including customer identification, verification, ongoing due diligence, and suspicious matter reporting
The 2+2 identification standard requires verifying at least two identifying attributes from two independent, reliable data sources, most effectively done through DVS-connected electronic verification
Your AML/CTF program must include Part A (customer identification, risk assessment, ongoing CDD, record keeping, reporting) and Part B (employee training), documented, approved, and regularly reviewed
Ongoing customer due diligence is mandatory, including keeping customer information current, monitoring for unusual activity, and filing suspicious matter reports when warranted
All compliance records must be retained for at least seven years, including identification records, transaction records, program documentation, training records, and SMR files
Operating under an aggregator does not transfer your compliance obligations; you remain responsible for ensuring your AML/CTF program is tailored, implemented, and maintained
Penalties for non-compliance are significant, ranging from infringement notices to civil penalties of millions of dollars, plus the reputational damage of enforcement action
Electronic identity verification through Australian Identity Solutions provides the fastest, most accurate, and most cost-effective way for mortgage brokers to meet their AUSTRAC KYC obligations

KYC Compliance for Mortgage Brokers: Your AUSTRAC Obligations Explained

What Are the AUSTRAC KYC Requirements for Mortgage Brokers?

How Does the 2+2 Identification Standard Apply to Mortgage Brokers?

What Counts as a Reliable Data Source?

Common 2+2 Document Combinations for Mortgage Brokers

Entity Verification

What Must Be Included in a Mortgage Broker's AML/CTF Program?

Part A: Customer Identification and Risk Management

Part B: Employee Training

What Does Ongoing Customer Due Diligence Look Like for Brokers?

Why Is Seven-Year Record Retention Critical?

How Do Aggregator and Franchise Models Affect Compliance?

What Penalties Do Mortgage Brokers Face?

How Can Australian Identity Solutions Help Mortgage Brokers?

Key Takeaways

Ready to verify your first customer?

KYC Compliance for Mortgage Brokers: Your AUSTRAC Obligations Explained

What Are the AUSTRAC KYC Requirements for Mortgage Brokers?

How Does the 2+2 Identification Standard Apply to Mortgage Brokers?

What Counts as a Reliable Data Source?

Common 2+2 Document Combinations for Mortgage Brokers

Entity Verification

What Must Be Included in a Mortgage Broker's AML/CTF Program?

Part A: Customer Identification and Risk Management

Part B: Employee Training

What Does Ongoing Customer Due Diligence Look Like for Brokers?

Why Is Seven-Year Record Retention Critical?

How Do Aggregator and Franchise Models Affect Compliance?

What Penalties Do Mortgage Brokers Face?

How Can Australian Identity Solutions Help Mortgage Brokers?

Key Takeaways

Ready to verify your first customer?