Onboarding KYC Was the Old Standard. Ongoing Verification Is the New One.
The amended AML/CTF Rules require ongoing customer due diligence, not just onboarding KYC. Here is what changed, what it means for your business, and what "ongoing" actually looks like in practice.
What actually changed
For years, Australian businesses treated identity verification as an onboarding event. Check the ID. Run the DVS query. File the records. Move on. The amended rules change that expectation in three areas.
Ongoing customer due diligence
The previous framework allowed businesses to verify identity at onboarding and rely on that indefinitely. The amended rules require ongoing monitoring and re-verification based on risk. This extends to beneficial ownership, source of funds, and the legitimacy of the business relationship itself.
Beneficial ownership transparency
Businesses must now identify and verify the beneficial owners of legal entities they deal with. This means looking through trust structures, corporate chains, and nominee arrangements to find the humans who ultimately own or control the entity.
Enhanced record-keeping
All verification activities, risk assessments, and due diligence decisions must be documented and retained for seven years. The emphasis is on demonstrating a process, not just holding records. If AUSTRAC asks how you verified a payment, "we checked their ID three years ago" is not an answer.
Why this matters beyond compliance
The regulatory shift did not happen in a vacuum. It happened because onboarding-only verification demonstrably fails to prevent fraud.
$2.03 billion was lost to payment scams in Australia in 2024. Payment redirection fraud, where an attacker changes bank account details to divert legitimate payments, accounted for $152.6 million of that. Year-on-year growth: 66%.
The pattern is consistent: the fraud happens months or years after onboarding, at the point money moves. An employee's bank details are changed via a compromised email. A supplier's account is substituted with a fraudulent one. An investor's redemption is redirected to an account the attacker controls.
None of these attacks are caught by onboarding KYC. By definition, onboarding verification happened before the fraud was even attempted.
What "ongoing" looks like in practice
The rule says "ongoing due diligence." It does not prescribe exactly how. That is intentional. AUSTRAC expects businesses to design processes appropriate to their risk profile. But the practical implications are clear.
At the point of payment
Before every significant payment, verify that the destination bank account still belongs to the intended recipient. If the account details have changed since the last verification, re-verify before the payment is processed. This is the single highest-impact control a business can implement.
On a triggered basis
When a customer changes their bank details, address, business structure, or authorised signatories, treat it as a re-verification event. Do not just file the change request. Confirm the legitimacy of the change through an independent channel.
On a periodic basis
For ongoing business relationships, schedule re-verification at intervals proportionate to risk. A low-risk domestic supplier with a five-year relationship might warrant annual re-checks. A new international counterparty might warrant quarterly.
On a risk-signal basis
Monitor for signals that something has changed: ABN deregistration, director changes, PEP screening hits, sanctions list matches, unusual payment patterns. Any signal should trigger a review and potential re-verification.
The audit trail problem
Here is where many businesses get stuck: even if they are doing ongoing verification informally, they cannot prove it.
Phone calls to confirm bank details are not logged in a searchable system. Email confirmations sit in individual inboxes. Manual checks are not time-stamped or linked to specific transactions. When AUSTRAC or an auditor asks "show me your ongoing due diligence for this customer," the answer is "we called them," which is not an answer at all.
The amended rules do not just require ongoing due diligence. They require evidence of ongoing due diligence. A process that cannot be audited is a process that does not exist in the eyes of the regulator.
The Scams Prevention Framework adds pressure
The Scams Prevention Framework, passed in February 2025 and effective July 2026, creates additional obligations for businesses in the payment chain. Banks are directly captured first, but the framework is designed for expansion. Payment platforms, financial intermediaries, and other entities in the payment flow are expected to be designated in subsequent tranches.
The framework's core principle: businesses that facilitate payments have a duty to prevent scams. That duty includes verifying that payments are going where they are supposed to go, not just at the start of the relationship, but every time money moves.
For businesses that are also AUSTRAC reporting entities, the two frameworks compound. AML/CTF rules require ongoing due diligence on customers. The Scams Prevention Framework requires due diligence on payment destinations. Together, they create a regulatory expectation that verification is continuous, not a one-time event.
The gap between policy and practice
Most Australian businesses have updated their AML/CTF policies to reference ongoing due diligence. Fewer have updated their actual processes. That gap is where fraud happens, and increasingly, where regulatory enforcement happens too.
What the policy says
"We conduct ongoing customer due diligence based on risk." The policy is updated. The board has signed off. The compliance team is satisfied. On paper, the business meets the new requirements.
What actually happens
Identity is verified at onboarding. Bank detail changes are accepted via email. Nobody re-checks the bank account before payment. AUSTRAC's enforcement actions consistently target this disconnect between documented policies and actual practices.
What the transition looks like
Businesses moving from onboarding-only verification to ongoing due diligence typically go through three phases. Each phase builds on the last, and each produces the audit trail that the amended rules require.
Payment-event verification
The highest-impact change is also the simplest. Before every payment, verify that the bank account on file still belongs to the intended recipient. If it has changed, hold the payment until the change is confirmed through an authenticated channel. This single control addresses the majority of payment redirection fraud.
Change-event verification
Treat every change to customer details (bank accounts, addresses, authorised signatories, business structure) as a re-verification trigger. Replace manual, email-based change processes with authenticated digital flows that create an auditable record.
Continuous monitoring
Implement ongoing monitoring for risk signals: ABN status changes, PEP and sanctions screening, unusual payment patterns, director changes. Automate alerts so that high-risk changes trigger immediate re-verification without manual intervention.
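As an added illustration (not ezyshield's code), a minimal payment-release gate in Python that implements the first two phases and the audit trail they are meant to produce: a payment is held when the destination account differs from the last independently verified record or when the risk-based review interval has lapsed, and every verification and decision is written as a time-stamped entry tied to the payee and payment id. The class names, the review-interval field and the audit entry layout are my assumptions; dates and account numbers used with it are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

@dataclass
class VerifiedPayee:
    bsb: str
    account: str
    verified_at: datetime
    channel: str               # independent channel used, e.g. "callback"
    review_interval_days: int  # risk-based re-verification interval

@dataclass
class PaymentGate:
    payees: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only evidence trail

    @staticmethod
    def _fingerprint(bsb, account):
        # Log a hash so the trail does not carry raw account numbers.
        return hashlib.sha256(f"{bsb}:{account}".encode()).hexdigest()[:16]

    def _log(self, event, payee_id, bsb, account, when, **extra):
        self.audit_log.append({"event": event, "payee_id": payee_id,
                               "account_fp": self._fingerprint(bsb, account),
                               "at": when.isoformat(), **extra})

    def record_verification(self, payee_id, bsb, account, channel,
                            review_interval_days, when):
        # Called only after the details were confirmed via an independent channel.
        at = datetime.fromisoformat(when)
        self.payees[payee_id] = VerifiedPayee(bsb, account, at, channel,
                                              review_interval_days)
        self._log("VERIFIED", payee_id, bsb, account, at, channel=channel)

    def release(self, payment_id, payee_id, bsb, account, now):
        # Returns "RELEASE" or "HOLD"; the decision and reason are logged either way.
        at = datetime.fromisoformat(now)
        rec = self.payees.get(payee_id)
        if rec is None:
            outcome, reason = "HOLD", "no verified account on file"
        elif (rec.bsb, rec.account) != (bsb, account):
            outcome, reason = "HOLD", "destination differs from last verified account"
        elif at - rec.verified_at > timedelta(days=rec.review_interval_days):
            outcome, reason = "HOLD", "periodic re-verification overdue"
        else:
            outcome, reason = "RELEASE", f"matches account verified via {rec.channel}"
        self._log("PAYMENT_DECISION", payee_id, bsb, account, at,
                  payment_id=payment_id, outcome=outcome, reason=reason)
        return outcome
```

A held payment stays held until `record_verification` is called again with the new details, which is the point at which the change-event check has actually been done.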