For most professional services firms, client intake has always involved collecting some identifying information. A name, an ABN, an email address. But with the expansion of Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework under Tranche 2 reforms, the bar has been raised significantly and know your customer (KYC) procedures are now a formal, compliance-driven obligation for a growing number of professions.

This guide covers what a know your customer procedure involves, who needs one, and how to build a client intake process that meets your compliance obligations without creating unnecessary friction for your clients.

While regulatory specifics vary by jurisdiction, the practical steps are universal and that is what we focus on here.

Note: This article provides general information only and does not constitute legal or compliance advice. Consult a qualified adviser for guidance specific to your practice and obligations.

What Is a Know Your Customer Procedure?

A know your customer (KYC) procedure is a structured process for identifying and verifying the identity of a client before entering into a business relationship, and for understanding the nature of that relationship well enough to assess any associated risk.

In the context of professional services, KYC sits at the heart of AML/CTF compliance. It is the mechanism through which firms demonstrate that they know who they are working with, what those clients do, and whether the engagement presents a money laundering or terrorism financing risk.

KYC is not a one-off form. It is an ongoing obligation: client information must be kept current, risk profiles must be re-evaluated when circumstances change, and records must be maintained for a minimum of seven years.

Who Needs a KYC Procedure?

Historically, AML/CTF obligations applied primarily to financial institutions: banks, credit unions, remittance dealers, and gambling operators.

That has changed significantly in many jurisdictions, including Australia, where the AML/CTF Amendment Act extended obligations to a broad category of designated non-financial businesses and professions (DNFBPs).

Firms now required to implement a formal know your customer procedure include:

  • Accountants and tax agents: when providing services such as managing client funds, company structuring, or buying and selling businesses
  • Lawyers and conveyancers: when involved in real property transactions, trust and company creation, or managing client funds
  • Mortgage brokers and finance brokers: when facilitating credit or lending arrangements
  • Bookkeepers: when providing certain financial management services
  • Real estate agents: when acting in the purchase or sale of real property

If your practice falls into any of these categories, you are likely required to register with your relevant regulatory authority, establish an AML/CTF programme, and implement a compliant KYC procedure.

In Australia, that means enrolling with AUSTRAC. For a detailed breakdown of the Australian obligations, see our guide to Tranche 2 AML/CTF and your client intake process.

Practitioners in other jurisdictions should check with their local financial intelligence unit or regulatory body.

What Does a KYC Procedure Involve?

At its core, a know your customer procedure has three components: identification, verification, and risk assessment. Here is what each involves in practice.

1. Customer Identification

You need to collect information that allows you to identify who you are dealing with. The information required depends on the type of client.

For individual clients:

  • Full legal name
  • Date of birth
  • Residential address
  • Government-issued photo identification (e.g. passport or driver’s licence)

For companies and trusts:

  • Full legal name and ABN / ACN
  • Registered address
  • Nature of the business
  • Beneficial ownership details: who ultimately owns or controls the entity (typically any person holding more than 25% of shares or voting rights)
  • For trusts: a copy of the trust deed and identification of the trustee

2. Identity Verification

Collecting information is only the first step, you also need to verify that the information is genuine. This typically involves checking the identity documents provided against the details collected, and may require electronic verification through services such as the Document Verification Service (DVS) or a certified AUSTRAC-approved provider.

The level of verification required varies with risk: a low-risk domestic individual requires a different level of scrutiny than a trust with offshore beneficiaries or a client in a high-risk industry.

3. Risk Assessment

Once you have identified and verified the client, you must assess the risk they present. A basic risk assessment considers:

  • The nature of the services being provided
  • The client’s industry and source of funds
  • Whether the client is a politically exposed person (PEP) or has connections to jurisdictions with weak AML/CTF frameworks
  • Any red flags identified during onboarding: unusual urgency, reluctance to provide documents, inconsistencies in information

Higher-risk clients require enhanced due diligence (EDD), which involves gathering more information and applying closer scrutiny before and during the engagement.

The Intake Problem: Why KYC Breaks Down in Practice

The know your customer procedure makes sense on paper.

In practice, it often becomes a bottleneck, particularly for smaller professional services firms that lack dedicated compliance staff.

The most common failure points are:

  • Fragmented collection: documents arrive via email, text, post, and in-person, making it difficult to confirm what has been received and what is still outstanding
  • Insecure channels: clients emailing scanned passports and bank statements to a general inbox, creating both a security risk and a records management challenge
  • Inconsistent process: different staff members onboard clients differently, leading to gaps in the compliance record
  • No audit trail: when an AUSTRAC audit occurs, demonstrating that the right information was collected, verified, and recorded requires documentation that many firms simply do not have

A well-designed client intake process addresses all of these and a secure client portal is the most reliable way to implement it consistently across your practice.

Building a KYC-Compliant Customer Intake Process

Here is a practical framework for building a client intake process that supports your know your customer obligations.

Step 1: Define what you need to collect before onboarding starts

Create a standard client intake checklist for each client type: individual, company, trust, SMSF. Every new client engagement should trigger the same structured request, so nothing is missed and the process is defensible if questioned.

Step 2: Send a structured, secure document request

Rather than asking clients to email sensitive documents, send them a structured request through a secure platform. This gives clients a clear list of what is needed, allows them to upload documents safely, and creates a timestamped record that the request was sent and documents were received.

This is what a secure document collection platform like Gatheroo is designed for: structured requests, secure upload, and a complete audit trail – without any documents passing through email.

Step 3: Verify identity against the documents received

Once documents are received, record the verification step, which staff member verified which documents, on which date, using which method. This is the record that proves compliance if you are ever audited.

Step 4: Complete and document the risk assessment

Use a consistent risk assessment template for every new client. Rate the risk level, record the basis for your assessment, and note any enhanced due diligence steps taken for higher-risk clients. Keep this on file alongside the identity documents.

Step 5: Set a review schedule

KYC is not one-and-done. Build a review schedule into your practice management system: trigger a refresh when a client’s circumstances change, when they instruct you on a new type of matter, or at a set interval (typically every one to three years depending on risk level).

What Records Do You Need to Keep?

Under the AML/CTF Act, regulated entities are required to retain KYC records for a minimum of seven years from the end of the business relationship. This includes:

  • All identity documents collected
  • Verification records (who verified what, when, and how)
  • Risk assessments
  • Copies of any transaction records related to the engagement
  • Suspicious matter reports, if any were filed

Records must be stored securely, which, given that they contain highly sensitive personal information, means encrypted storage with access controls. Storing identity documents in an unprotected shared drive or an email inbox does not meet this standard.

Common KYC Mistakes Professional Services Firms Make

  • Collecting documents but not verifying them: having a copy of a passport on file is not the same as having verified it. The verification step must be recorded separately.
  • Treating KYC as a one-off exercise: ongoing monitoring is a legal requirement, not optional.
  • Using email as the document collection channel: email is not a secure or auditable channel for identity documents. It creates risk and generates no reliable compliance record.
  • No risk assessment documentation: if you cannot show you assessed the client’s risk profile and why, the compliance record is incomplete.
  • Assuming it only applies to regulated financial services: the Tranche 2 reforms significantly expand who is covered. If you are uncertain whether your practice is now a reporting entity, seek specific advice.

Frequently Asked Questions

What is the difference between KYC and AML/CTF?

AML/CTF (Anti-Money Laundering and Counter-Terrorism Financing) is the broader regulatory framework. KYC – know your customer – is a specific component of that framework: the process of identifying, verifying, and understanding who you are doing business with. KYC is the foundation; AML/CTF is the full structure built on top of it.

Does every professional services firm need a KYC procedure?

Not every firm, but far more than before the Tranche 2 reforms. Whether you are covered depends on the specific services you provide and the transactions involved. Accountants, lawyers, mortgage brokers, conveyancers, and bookkeepers providing certain services are now likely to be covered. Check with AUSTRAC or a qualified compliance adviser if you are uncertain.

How long does a KYC process take?

With a structured intake process and the right tools, initial KYC for a straightforward individual client can be completed in minutes. The time is mostly spent waiting for clients to submit their documents, which is exactly why making the submission process as simple and secure as possible matters.

Can I collect identity documents via email?

You can, but it is not recommended from either a security or compliance perspective. Email is unencrypted in transit, creates no structured audit trail, and puts sensitive personal information at risk. A secure document collection platform provides a significantly better experience for clients and a far more defensible compliance record for your firm.

What happens if my KYC procedure is inadequate?

AUSTRAC has significant enforcement powers, including civil penalties, enforceable undertakings, and in serious cases, criminal referrals. Beyond regulatory consequences, inadequate KYC records expose your firm to reputational risk and potential liability if a client relationship later proves to involve financial crime.

Get Your Client Intake Right From the Start

A strong know your customer procedure does not have to be complicated but it does have to be consistent. The firms that handle KYC well are the ones that have built it into their standard onboarding process: a structured request, a secure collection channel, a documented verification step, and a risk assessment on file before the first billable hour is recorded.

Gatheroo is built for exactly this kind of structured, secure client intake. Every document request is tracked, every upload is encrypted, and every interaction creates a timestamped audit trail, so when the question is asked, the answer is already on file.

See how Gatheroo fits into your client intake process – no credit card required.