
Risk-Based KYC: Bowling without the bumpers

Mar 25, 2025

For years, clear rules, box-ticking procedures, and safe harbour provisions made customer due diligence feel manageable—even comfortable. We believed prescription kept us safe. As we prepare for the new reforms, that comfort is quickly fading—replaced by a more fluid, ambiguous, and potentially riskier landscape.

This is the future that sophisticated entities asked for: fewer rules, greater flexibility, and the freedom to move at the speed of emerging technology. But with the reforms fast approaching, we have to ask—do we still prefer the devil we know, or are we ready to bowl without the bumpers?

The Comfort (and Illusion) of Prescription

Back when electronic verification first emerged, it seemed like a compliance shortcut. Two reliable data sources, a yes/no result from your provider, a ticked box on your checklist. Job done. And if you followed the letter of the law—like the safe harbour mechanism in Chapter 4 of the AML/CTF Rules—you could claim peace of mind.

But here’s the uncomfortable truth: while safe harbour might have given you comfort at the time, it didn’t really give you coverage.

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 aims to modernise customer due diligence (CDD) obligations, yet many organisations are still clinging to outdated frameworks that no longer reflect how the world operates.

And that’s a problem. Safe harbour was designed for a different time—one when identities were static, documents were king, and “reliable and independent” data was easy to define.

Today, it’s not.

The move away from prescription here is no accident. These changes are consistent with the Attorney-General’s stated policy intent: to move the industry away from a check-box approach, set outcomes-focused obligations, and require reporting entities to take a genuinely risk-based approach to their AML/CTF programs. This shift is not just regulatory housekeeping—it represents a fundamental reorientation of how AML/CTF compliance is expected to work in practice.

The Cracks in Safe Harbour

Safe harbour is narrow by design. It was introduced before the Document Verification Service (DVS) was mainstream, and it was only ever intended to provide a prescriptive path for verifying low- to medium-risk customers. Yet many reporting entities continue to stretch it beyond that narrow intent, assuming it offers broad protection.

It doesn’t.

The caveats are everywhere:

  • High-risk customers are excluded—yet those are exactly the ones regulators zero in on when things go wrong.
  • Reliability and independence are subjective—most reporting entities would struggle to explain how their external electronic verification solutions satisfy Part 4.10.2 requirements.
  • Documentation often fails the test—was it an original document sighted, and if so, do you have a copy? If it was a certified copy, who certified it? Were they in fact a valid certifier? Did anyone confirm the certification? Is the document current? If you can’t answer with certainty, you may not be compliant.
  • Direct contact may be required—but confirming KYC information collected about a customer by independently initiating contact as set out in Rule 4.10.2(4) is often missing from AML/CTF Programs and ignored in practice.
  • And then there’s the terminology trap. What’s the difference between “name” and “full name”? One part of the Rules requires “full name,” while another refers only to “name.” Inconsistent language leads to inconsistent practice, and that is fertile ground for regulatory risk, especially given the operational constraints on verifying a full name through electronic verification, including the DVS.

From Prescription to Outcomes—Ready or Not

For years, many reporting entities pushed for a shift from prescriptive rules to a genuinely risk-based approach. And now, it’s happening:

  • Safe harbour will be removed;
  • CDD must be appropriate to the ML/TF risk; and
  • There will be a focus on collecting and verifying information that aligns with a customer’s risk profile—without a defined list of steps or safe routes to follow.

It’s the flexibility many larger entities wanted—but it comes at a cost: accountability for the outcomes.

Without the ‘bumpers’ of prescription, it’s up to each reporting entity to determine:

  • What is appropriate?
  • What is reliable?
  • What is independent?

And most critically: Will your decisions stand up to scrutiny when AUSTRAC comes knocking?

Larger, more mature entities may take this shift in stride, but for smaller firms and new Tranche 2 entrants, building this capability will take time and the support of advisers.

Technology Outpacing the Rulebook

Verification technology continues to evolve rapidly—AI-powered matching, biometrics, and real-time monitoring are now common, and tomorrow’s tools will be smarter still. But the regulatory framework hasn’t kept pace. Many reporting entities are still navigating rules written in an era of PDFs and static identity data, while the real world has become dynamic, probabilistic, and increasingly shaped by algorithms that few fully understand—or control.

It’s no longer enough to rely on a vendor’s “black box.” If you can’t articulate how your verification process works, what it’s based on, and whether it meets the required standards, then you’re exposed.

And with a fully risk-based model on the horizon, this disconnect will only become more pronounced. As new requirements emerge—such as place of birth verification—the gap between regulatory expectations and what’s operationally realistic is widening.

The Place of Birth Problem

Among the many shifts the draft reforms introduce, one stands out for its head-scratching complexity: place of birth verification.

Reporting entities may soon be required to collect and verify an individual’s date and place of birth when providing account-based or value transfer services in Australia. But there’s a problem—most electronic data sources don’t capture this information, and its actual value in mitigating ML/TF risk remains debatable.

Although this measure was introduced to address FATF Recommendation 16, that Recommendation outlines several options for originator information in wire transfers, not just place of birth: the originator’s address, national identity number, customer identification number, or date and place of birth.

The Amending Act itself only provided the rule-making power, but the consultation draft of the Rules suggests that AUSTRAC is leaning toward a specific approach—requiring place of birth verification. This direction may reflect a desire for uniformity, but it could create unnecessary friction for both businesses and customers, especially in the absence of widely available electronic sources.

External solution providers may eventually help close the gap—but in the meantime, reporting entities could find themselves reverting to document-based verification for place of birth.

That could mean slower onboarding, greater friction for customers, and increased operational burden across already stretched compliance teams.

If adopted as drafted, the short-term cost of alignment with FATF may well be a step backward in practicality and progress.

So… Do We Prefer the Devil We Know?

As we prepare to leave behind prescribed CDD and enter predominantly risk-based waters, reporting entities are in uncharted territory. The rules will be less clear. The safety nets will be gone. And the responsibility for the outcomes will rest squarely on your shoulders.

The freedom to design your own controls sounds great—until something goes wrong.

  • Will you be able to demonstrate that your CDD processes achieve the intended risk mitigation outcomes?
  • Will you be able to clearly justify your decisions on when to apply enhanced customer due diligence (ECDD)?

So, is this the future we wanted? Perhaps. But if we do miss the perceived certainty of prescription, we must remember it was only ever an illusion.

Risk-based KYC means you’re bowling without the bumpers. It’s no longer about playing it safe—it’s about proving you can hit the pins without veering into the gutters.

At Platinum AML, we believe it’s time to rethink what “compliance” means in this new world. Not as a checkbox exercise, or a passive reaction to rules—but as a proactive, risk-driven discipline that stays one step ahead.

Because in 2026, it won’t be enough to follow the rules. You’ll need to defend how and why you built them.