From 1 July 2026, the firms newly covered by the AML/CTF regime have to do something many of them have never done formally before: confirm that a client is who they say they are, and keep a record of how they did it. This is customer due diligence, and identity verification sits right at the heart of it. The question this post answers is a practical one. When a new client walks in, or signs up online, how do you actually verify their identity in a way the regime accepts?
What you are trying to establish
Before the method, the goal. For most individual clients you need to be satisfied, on reasonable grounds, of a small set of basics: their full name, their date of birth, and their residential address. The standard is that you verify these against reliable and independent information, and that the depth of what you do is appropriate to the money laundering and terrorism financing risk the client presents. A low-risk client you have known for years, sitting across the desk, is not the same as a first-time remote client moving large sums, and the regime expects your verification to reflect that difference. (What a risk-based program actually requires)
Two ways to verify
There are two broad routes, and you can use either or both.
The first is documents. You sight a reliable, independent identity document, an original or a certified copy, such as a passport or a driver's licence, and confirm it shows the details you need. Done in person this is straightforward. Done remotely it is harder, because a photo of a document is easy to fake, which is why a remote document check is usually paired with a check that the person presenting it is its genuine holder.
The second is electronic data verification. Instead of relying on the document image alone, you match the client's details against reliable, independent electronic sources and confirm they line up with authoritative records. This is fast, it leaves a clean record, and it often means you do not need to store copies of sensitive documents at all.
Where the DVS fits
In Australia the backbone of electronic verification is the Document Verification Service, the DVS. The DVS is a government system that checks whether the details on an identity document, the name, date of birth and document number, match the records held by the agency that issued it. It returns a secure yes or no match and does not build a central store of your client's data. Because it checks against the issuing agency itself, the original and most authoritative source, it is the method the market treats as the benchmark for reliable and independent verification.
A small firm does not connect to the DVS directly. You reach it through an approved gateway service provider, which relays your check to the DVS and returns the result, usually in well under a second and on a simple per-check basis. The document types covered include the driver's licence, passport, Medicare card, visa and several others, and the electoral roll can be used to confirm a residential address.
A selfie is a layer, not a substitute
You will also hear about biometric checks, a selfie matched to the photo on a document, with a liveness test to defeat a held-up photo or a deepfake. This is genuinely valuable, especially for remote onboarding, but it answers a different question. A biometric check confirms that the person in front of the camera is the genuine holder of the document. It does not, on its own, confirm that the identity is real against an authoritative source. The strongest approach treats the two as layers: an electronic data or DVS check to confirm the identity is genuine, and a biometric check to bind it to the living person in front of you.
Match the method to the risk
None of this is a single mandatory recipe. The reformed regime is risk-based, which means you choose verification appropriate to the client and the service. For many everyday, lower-risk clients a sound electronic verification, or a properly sighted document, will be enough. Where the risk is higher, a politically exposed person, an opaque ownership structure, a high-value cash transaction, you are expected to do more, and that is enhanced due diligence. (How the program runs day to day) The method follows the risk, not the other way around.
Keep the record
Whatever route you take, the obligation does not end at the moment of verification. You have to be able to show, later, who you verified, how, and when. That record is what turns a private judgement into demonstrable compliance, and it is the first thing an AUSTRAC reviewer, or your own future self, will look for. Keep the result of each check and the basis for it, for seven years.
Where AML Mate fits
Verifying a client should be one clean step in onboarding, not a separate chore with its own logins and filing. AML Mate builds identity verification into the client record: you capture the person, run the check, and the result, the date, and the basis are stored against that client automatically, alongside their risk rating, beneficial owners, PEP and sanctions screening, and the rest of their file. Not sure which of your services are even in scope? The free compliance check tells you in two minutes, with no login. Then start a 14-day free trial, cancel anytime, and turn identity verification from a 1 July worry into a thirty-second habit.