
Overview

This guide covers FrankieOne’s KYC solution for Australian banking, designed to support AUSTRAC risk-based customer due diligence requirements (current framework aligned with ‘2+2’ expectations, designed to evolve with upcoming AML/CTF reforms in Australia). This use case illustrates how a configurable risk-based onboarding flow can support both current AUSTRAC expectations and the direction of upcoming AML/CTF reforms in Australia.

Summary

Available Workflows

| Workflow | CDD Tier | Purpose | When to Use |
|---|---|---|---|
| AUS-Risk-CDD-Email-Phone | All | Risk-based orchestration | Recommended - Automatically routes based on risk signals |
| AUS-Basic3V-TwoPlusID | Simplified | Streamlined verification | Low-risk customers, established relationships |
| AUS-Advanced1V-IDOnly | Standard | Government ID verification | Medium-risk customers, most new accounts |
| AUS-Advanced3V-TwoPlusID | Enhanced (EDD) | Full enhanced verification | High-risk customers, PEPs, high-value products |

Risk-Based Orchestration: AUS-Risk-CDD-Email-Phone

| Risk Level | CDD Tier | Routed To | Checks Included |
|---|---|---|---|
| Low | Simplified | AUS-Basic3V-TwoPlusID | DVS, dual credit bureau, electoral roll, PEP/sanctions |
| Medium | Standard | AUS-Advanced1V-IDOnly | Government ID verification, PEP/sanctions |
| High | Enhanced (EDD) | AUS-Advanced3V-TwoPlusID | All Standard + biometrics, document authenticity, adverse media |

Quick Implementation Flow

Decision Outcomes

| Outcome | Action |
|---|---|
| PASS | Activate account, send welcome notification |
| REVIEW | Route to compliance queue, inform customer |
| FAIL | Record rejection, send customer-safe message |
PASS/REVIEW/FAIL outcomes can be combined with periodic reviews and ongoing monitoring rules to help customers keep pace with evolving AUSTRAC expectations around ongoing CDD. Next steps:
  • Configure triggers for refresh (e.g., profile changes, new PEP/adverse media hits)
  • Use AML screening and fraud signals to inform ongoing risk rating over the customer lifecycle

Risk-Based CDD Tiers

Under Australia’s AML/CTF reforms, customer due diligence follows a three-tiered model aligned with FATF recommendations. FrankieOne workflows map to each tier:
| CDD Tier | When to Apply | FrankieOne Workflow | Verification Intensity |
|---|---|---|---|
| Simplified CDD | Low-risk customers, standard products, established relationships | AUS-Basic3V-TwoPlusID | Government ID + credit bureau + electoral roll + screening |
| Standard CDD | Medium-risk customers, most new account openings | AUS-Advanced1V-IDOnly | Government ID verification + screening |
| Enhanced CDD (EDD) | High-risk customers, PEPs, high-value products, complex structures | AUS-Advanced3V-TwoPlusID | Full verification + biometrics + document authenticity + adverse media + manual review |
Applying the tiers:
  • Simplified CDD — Appropriate where ML/TF risk is demonstrably low. Reduced verification intensity, but identification still required. Your AML/CTF program defines eligible scenarios.
  • Standard CDD — The baseline for most customer onboarding. Meets current AUSTRAC expectations for identity verification.
  • Enhanced CDD — Required when risk factors are elevated. Includes additional verification steps, deeper screening, and ongoing enhanced monitoring.
Note: The reforms allow reporting entities flexibility in how they apply these tiers based on their risk assessment. FrankieOne’s configurable workflows support all three tiers and can be adjusted as your AML/CTF program evolves.

Workflow Selection Guide

| Customer Type | Product Risk | CDD Tier | Recommended Workflow |
|---|---|---|---|
| Australian citizen, standard account | Low | Simplified | AUS-Risk-CDD-Email-Phone → Basic3V |
| Australian citizen, new relationship | Medium | Standard | AUS-Risk-CDD-Email-Phone → Advanced1V |
| Australian citizen, high-value product | Medium-High | Enhanced | AUS-Risk-CDD-Email-Phone → Advanced3V |
| Temporary resident | Medium | Standard/Enhanced | AUS-Risk-CDD-Email-Phone → Advanced1V or Advanced3V |
| Foreign national, non-resident | High | Enhanced | AUS-Advanced3V-TwoPlusID + manual review |
| PEP or PEP associate | High | Enhanced | AUS-Advanced3V-TwoPlusID + manual review |
| Business/Trust | High | Enhanced | Business verification (KYB) |

Support


Expanded Details

Regulatory Context

Disclaimer: The information in this section is provided for general guidance only and does not constitute legal or compliance advice. Customers must seek independent AML/CTF compliance advice to ensure their implementation meets their specific regulatory obligations. FrankieOne is not responsible for customers’ compliance decisions or outcomes.
AML/CTF Reforms: The Australian Government is implementing significant reforms to the AML/CTF regime. Customers should review the latest guidance and legislative changes to ensure ongoing compliance:

AUSTRAC AML/CTF Act Obligations

Australian banks must comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). FrankieOne’s banking workflows can support these core obligations:
| Obligation | Requirement | How FrankieOne Can Support |
|---|---|---|
| Customer Identification | Collect and verify customer identity before providing designated services | Automated identity verification against government data sources |
| Ongoing Customer Due Diligence | Monitor customers and transactions on an ongoing basis | Re-verification triggers and screening refresh (where configured) |
| AML/CTF Program | Establish and maintain a compliant program | Configurable risk rules aligned to your program |
| Reporting | Submit SMRs, TTRs, and IFTIs as required | Audit trails and exportable verification and audit data |

Customer Identification Requirements

AUSTRAC’s customer identification procedure for individuals involves collecting and verifying specific information before providing a designated service. FrankieOne’s AUS-Basic3V-TwoPlusID workflow is designed to support these requirements. Common Collection Requirements: Common practice is to collect all three of the following. Your AML/CTF program defines specific requirements for your customer type and channel.
| Information | Description | FrankieOne Collection |
|---|---|---|
| Full Name | Customer’s complete legal name | Captured via form input and document OCR |
| Date of Birth | Customer’s DOB | Captured via form input and document OCR |
| Residential Address | Customer’s current residential address (not PO Box) | Captured via form input with address standardisation |
Verification Requirements: Common verification requirements include:
  • Full name - verified against a reliable and independent source
  • Either date of birth OR residential address - verified against a reliable and independent source
Your AML/CTF program defines specific verification requirements based on your risk assessment.
| Requirement | FrankieOne Verification |
|---|---|
| Full Name Verification | Verified against DVS (passport, driver licence, Medicare, visa) and cross-referenced with credit bureau records |
| Date of Birth Verification | Validated via eligible document verification responses (where available) with consistency checks across data sources |
| Residential Address Verification | Verified against electoral roll, credit bureau, and utility records; GNAF standardisation applied |
| Government ID Verification | DVS verification for eligible documents (passport, driver licence, Medicare card, visa); birth certificates and citizenship certificates supported as identity evidence depending on configuration |
Note: FrankieOne’s default workflows verify all three data points (name, DOB, and address) to provide enhanced assurance, though AUSTRAC’s minimum requirement is name plus either DOB or address. Your AML/CTF program should define which verification approach applies based on your risk assessment.

Electronic Verification for Risk-Based Onboarding

FrankieOne supports electronic verification procedures that meet current AUSTRAC customer identification expectations (2+2 style) and can be configured to support the upcoming single, risk-based CDD model. Requirements are defined by your AML/CTF program; customers should validate specific requirements with their compliance advisers. This configuration is designed to adapt as Australian AML/CTF reforms consolidate customer identification into a single, risk-based CDD obligation and refine ongoing monitoring expectations.
| Requirement | FrankieOne Support |
|---|---|
| Multiple independent sources | Supports verification across multiple electronic data sources, depending on configuration |
| Government source | Supports Australian government document verification via DVS |
| Name + additional attribute | Supports verification of name, DOB, and address |
| Reliable and up-to-date data | Uses real-time electronic data sources where available |
Note: Risk-based onboarding requirements depend on your specific AML/CTF program configuration and compliance practices. Customers should seek independent advice to confirm their implementation meets their program requirements.

APRA Prudential Standards

For ADIs (Authorised Deposit-taking Institutions), additional APRA requirements apply:
  • CPS 234 (Information Security): FrankieOne is ISO 27001 certified and data is encrypted at rest and in transit
  • CPS 220 (Risk Management): Configurable risk thresholds align verification intensity to your risk appetite
  • CPS 231 (Outsourcing): FrankieOne provides security, risk, and operational documentation (e.g., ISO 27001, SOC 2 Type II, data residency, and subcontractor disclosures) to support customer outsourcing assessments

Workflow Configuration Details

Primary Workflow: AUS-Basic3V-TwoPlusID

This workflow provides baseline verification suitable for low-to-medium risk customers. Data Sources (example configuration):
| Source Type | Purpose |
|---|---|
| Government document verification (DVS) | Government ID verification |
| Credit bureau (primary) | Identity match |
| Credit bureau (secondary) | Fallback identity match |
| Electoral roll | Address verification |
| Sanctions/PEP lists | AML screening |
Note: Specific data sources and providers depend on your configuration and region. Contact your FrankieOne representative for available options.
Verification Logic (illustrative):
IF government_id_match = TRUE AND credit_bureau_match = TRUE
  AND sanctions_clear = TRUE
  AND pep_level <= configured_threshold
THEN → PASS

IF government_id_match = FALSE OR credit_bureau_match = FALSE
THEN → Step-up to advanced workflow

IF sanctions_hit = TRUE OR pep_level >= configured_threshold
THEN → REVIEW (manual queue)
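
The three illustrative rules above can fire together (a sanctions hit alongside an identity mismatch) and overlap when `pep_level` equals the threshold. The following Python sketch is an added example, not FrankieOne code, showing one way to make the precedence explicit when you implement your own step-up logic. The rule order, the treatment of equality as REVIEW, and the handling of missing results (`None`) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PASS, REVIEW, STEP_UP = "PASS", "REVIEW", "STEP_UP"


@dataclass(frozen=True)
class CheckResults:
    """Inputs named after the page's pseudocode; None means no answer was received."""
    government_id_match: Optional[bool]
    credit_bureau_match: Optional[bool]
    sanctions_hit: Optional[bool]
    pep_level: Optional[int]  # higher value = more exposure, as in the page's comparison


def decide(r: CheckResults, pep_threshold: int) -> Tuple[str, str]:
    """Return (outcome, internal_reason). The rule order is an assumption of this example."""
    # 1. Screening is evaluated first so an identity match can never mask a hit.
    if r.sanctions_hit is None or r.pep_level is None:
        return REVIEW, "screening_incomplete"  # fail closed: never PASS on missing data
    if r.sanctions_hit:
        return REVIEW, "sanctions_hit"
    if r.pep_level >= pep_threshold:  # equality is sent to REVIEW, not PASS
        return REVIEW, "pep_at_or_above_threshold"
    # 2. Identity: both sources must positively confirm; None counts as not confirmed.
    if r.government_id_match is True and r.credit_bureau_match is True:
        return PASS, "all_checks_clear"
    return STEP_UP, "identity_not_confirmed"


# Constructed sample inputs (not real customers); the threshold of 2 is illustrative.
SAMPLES = {
    "clean": CheckResults(True, True, False, 0),
    "pep_on_threshold": CheckResults(True, True, False, 2),
    "bureau_timeout": CheckResults(True, None, False, 0),
    "hit_and_mismatch": CheckResults(False, False, True, 0),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, decide(sample, pep_threshold=2))
```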

Step-Up Workflow: AUS-Advanced3V-TwoPlusID

Triggered when primary verification is inconclusive or risk indicators are elevated. Additional Checks:
| Check | Description | Trigger Condition |
|---|---|---|
| Biometric facial match | Liveness detection and face-to-document matching | Primary verification inconclusive |
| Document authenticity | Tampering and fraud detection | Document quality or consistency issues |
| Adverse media screening | News and media source checks | PEP match or sanctions near-match |
| Enhanced address verification | Additional address data sources | No electoral roll match |
Note: Specific biometric and screening providers depend on your configuration. Contact your FrankieOne representative for available options.

Risk-Based Orchestration: AUS-Risk-CDD-Email-Phone

This risk model implements a risk-based approach to customer due diligence and ongoing monitoring, consistent with AUSTRAC’s expectations and the direction of current AML/CTF reforms in Australia. This orchestration workflow evaluates risk signals at verification start and automatically routes customers to the appropriate verification path. It is a single-call approach that eliminates manual step-up decision logic. Risk Signals Evaluated:
| Signal | Risk Level | Description |
|---|---|---|
| Email age under 30 days | High | Recently created email address |
| Email domain disposable | Critical | Temporary email service detected |
| Phone type = VoIP | Medium | Non-mobile number provided |
| Phone carrier mismatch | Medium | Carrier doesn’t match country |
| IP geolocation mismatch | High | IP country differs from claimed residence |
| Device fingerprint velocity | High | Same device used for multiple applications |
| Session anomalies | Medium | Unusual browser/device patterns |
| Customer risk rating | Variable | Higher ratings drive enhanced due diligence and more frequent reviews |
These risk factors can be tuned as regulatory guidance evolves (for example, where reforms call out higher-risk customer types or jurisdictions). Low Risk Indicators:
  • Email aged 6 months or more
  • Valid mobile phone number matching country
  • IP geolocation matches claimed residence
  • No device velocity concerns
  • Standard product application
High Risk Indicators:
  • Recently created email (under 30 days)
  • Disposable email domain
  • VoIP or invalid phone number
  • IP/residence mismatch
  • Device linked to multiple applications
  • High-value product application
Benefits of Single-Call Orchestration:
  • Simplified integration (one API call)
  • Automatic risk-based routing
  • Consistent risk assessment
  • Reduced development overhead
  • Real-time fraud signal evaluation

Step-Up Workflow Approaches

FrankieOne offers two approaches for implementing risk-based step-up verification. Choose the approach that best fits your integration requirements and desired level of control.
Note: The examples in this section are illustrative and show conceptual patterns. Actual API endpoints, request/response formats, and workflow names may vary. Refer to the FrankieOne API documentation for current implementation details. Workflow availability depends on your plan and configuration.

Option A: Risk-Based Orchestration Workflow (Example: AUS-CDD-Risk)

For streamlined integration, use a risk-based orchestration workflow that automatically adjusts verification intensity based on real-time risk assessment. Availability and configuration of risk-based orchestration workflows depend on your plan and implementation. How it works: A risk-based orchestration workflow evaluates risk signals at the start of verification and automatically selects the appropriate verification path. Risk Factors Evaluated:
| Factor | Low Risk | High Risk |
|---|---|---|
| Product type | Everyday account, basic savings | Home loan, business account, high-limit credit |
| Customer nationality | Australian citizen/PR | Foreign national, high-risk jurisdiction |
| PEP indicators | None | Any PEP level detected |
| Age of customer data | Existing customer, data under 12 months | New customer, no prior relationship |
| Channel | Branch, established digital | New device, VPN detected |
| Transaction profile | Standard patterns | Unusual for demographic |
When to use this approach:
  • You want simplified integration with a single API call
  • You prefer FrankieOne to manage risk-based orchestration
  • Your risk appetite aligns with standard banking risk tiers
  • You want consistent risk assessment across all customers

Option B: Explicit Multi-Workflow Chaining

For maximum control, you can explicitly call two or more workflows in sequence, implementing your own step-up logic based on the results of each workflow. How it works: When to use this approach:
  • You need custom step-up logic based on your specific risk appetite
  • You want to integrate additional business rules between workflow calls
  • You need to call different step-up workflows based on the failure reason
  • You require detailed control over the customer experience at each stage

Comparison: CDD Risk vs Explicit Multi-Workflow

| Aspect | CDD Risk Workflow | Explicit Multi-Workflow |
|---|---|---|
| API calls | 1 (single call) | 2+ (one per workflow) |
| Step-up logic | FrankieOne managed | Your implementation |
| Customisation | Configurable thresholds | Full control |
| Integration complexity | Lower | Higher |
| Risk assessment | Built-in risk engine | Your rules |
| Best for | Standard banking flows | Complex custom logic |

Step-by-Step Implementation

Note: This section describes the conceptual implementation flow. For actual API endpoints, request/response schemas, and code examples, refer to the FrankieOne API Documentation.

Prerequisites

Before implementing, ensure you have:
  • FrankieOne API credentials
  • Webhook endpoint configured and accessible
  • OneSDK embedded in your application (recommended) OR direct API integration
  • Test environment access for sandbox verification

Step 1: Create Individual

Create a customer record with collected personal information:
  • Full name (given, middle, family)
  • Date of birth
  • Residential address
  • Contact details (phone, email)
  • Your internal customer reference
API Reference: See Managing Individuals in the FrankieOne documentation.

Step 2: Upload Identity Documents

Submit government-issued ID for verification. Supported Document Types:
| Document Type | Description |
|---|---|
| Australian Passport | International travel document |
| Driver Licence | State-issued driver licence |
| Medicare Card | Healthcare entitlement card |
| Visa | Immigration document |
| Birth Certificate | Birth registration document |
| Citizenship Certificate | Citizenship evidence |
API Reference: See Document Upload in the FrankieOne documentation.

Step 3: Execute Verification Workflow

Trigger the KYC workflow for the individual. The workflow will:
  • Verify identity against government and commercial data sources
  • Perform PEP and sanctions screening
  • Assess fraud risk signals
  • Return an outcome (PASS, REVIEW, or FAIL)
API Reference: See Executing Workflows in the FrankieOne documentation.

Step 4: Handle Webhook Events

Configure your webhook endpoint to receive verification results asynchronously. Typical Webhook Events:
| Event Type | Description | Recommended Action |
|---|---|---|
| Workflow completed | Verification finished | Process outcome (PASS/REVIEW/FAIL) |
| Workflow failed | System error occurred | Retry or escalate to support |
| Review required | Manual review needed | Route to compliance queue |
| Screening alert | New screening match found | Investigate alert |
| Document rejected | Document validation failed | Request new document from customer |
API Reference: See Webhooks & Notifications in the FrankieOne documentation.

Step 5: Process Decision Outcomes

Handle verification outcomes in your application: PASS Outcome:
  • Update customer KYC status to verified
  • Activate account and enable features
  • Send welcome notification
REVIEW Outcome:
  • Create internal review case with priority and SLA
  • Notify compliance team
  • Update customer status to pending review
  • Inform customer their application is being reviewed
FAIL Outcome:
  • Record rejection with internal reason codes
  • Update application status
  • Send customer-safe rejection notification (without sensitive details)
  • Log for audit purposes

Risk Tier Examples

Tier 1: Low Risk - Auto-Approve

Customer Profile:
  • Australian citizen
  • Valid Australian passport or driver licence
  • Residential address matches electoral roll
  • No PEP or sanctions matches
  • Email and phone pass fraud checks
Example Scenario:
Mary Testone, 32, applies for an everyday transaction account via mobile app. She provides her Victorian driver licence and current address. Government ID verification confirms the licence is valid, credit bureau matches her name and DOB, electoral roll confirms her address. No screening matches. Account activated.

Tier 2: Medium Risk - Enhanced Due Diligence

Customer Profile:
  • Foreign national with Australian visa
  • PEP Level 2 or 3 (family member or close associate)
  • Minor discrepancies in data matching
  • Higher-value product (e.g., home loan, business account)
Example Scenario:
James Testtwo, 45, applies for a business transaction account. He’s a permanent resident originally from Singapore. His father is a former Singaporean government minister (PEP Level 2). Government ID validates his passport, but no electoral roll match (recent address change). System triggers step-up: biometric check passes, no adverse media found, address verified via alternative source. Case routed to compliance for PEP assessment. Compliance approves with enhanced monitoring flag.

Tier 3: High Risk - Manual Review Required

Customer Profile:
  • Sanctions list near-match (similar name, different DOB)
  • Adverse media findings
  • Multiple identity documents with discrepancies
  • High-risk jurisdiction connections
  • Fraud signals detected
Example Scenario:
Robert Testthree, 38, applies for a savings account. Name returns a near-match on sanctions list (different middle name and DOB). Adverse media search finds articles about a fraud investigation involving someone with a similar name. Biometric passes. Case escalated to senior compliance officer. After investigation: sanctions match confirmed as false positive (different person), adverse media relates to different individual. Approved with standard monitoring.

Tier 4: Auto-Reject

Triggers for Automatic Rejection:
| Trigger | Rationale | Customer Communication |
|---|---|---|
| Confirmed sanctions match | Legal prohibition | “Unable to proceed with application” |
| Document confirmed fraudulent | Fraud prevention | “Unable to verify identity” |
| Age verification failed (under 18) | Product eligibility | “Age requirement not met” |
| Duplicate application (fraud pattern) | Fraud prevention | “Application already exists” |
| Deceased indicator | Data integrity | “Unable to verify identity” |
| Device/IP on fraud blocklist | Fraud prevention | “Unable to proceed at this time” |
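
The outcome handling from Step 5, combined with the customer wording in the Tier 4 table above, can be sketched as follows. This is an added Python example, not FrankieOne code: it ignores redelivered webhook events, sends unknown outcomes to review instead of activating the account, and keeps the internal reason code out of the customer message. The event fields (`event_id`, `customer_ref`, `outcome`, `reason_code`), the reason-code names, the fallback message and the welcome/review wording are hypothetical and do not represent the FrankieOne webhook schema.

```python
import logging

log = logging.getLogger("kyc.outcomes")

# Customer wording is taken from the Tier 4 table; the reason-code keys are
# hypothetical internal identifiers invented for this example.
CUSTOMER_SAFE_MESSAGES = {
    "SANCTIONS_CONFIRMED": "Unable to proceed with application",
    "DOCUMENT_FRAUDULENT": "Unable to verify identity",
    "UNDER_18": "Age requirement not met",
    "DUPLICATE_APPLICATION": "Application already exists",
    "DECEASED_INDICATOR": "Unable to verify identity",
    "DEVICE_IP_BLOCKLISTED": "Unable to proceed at this time",
}
FALLBACK_MESSAGE = "Unable to proceed at this time"  # assumption for unmapped codes


class OutcomeProcessor:
    """In-memory stand-in for the account, case and notification systems."""

    def __init__(self):
        self.seen_event_ids = set()
        self.kyc_status = {}    # customer_ref -> status
        self.audit_log = []     # internal only: keeps the real reason code
        self.review_queue = []  # cases waiting for the compliance team
        self.outbox = []        # (customer_ref, text) actually sent to the customer

    def handle(self, event: dict) -> str:
        event_id, ref = event.get("event_id"), event.get("customer_ref")
        if not event_id or not ref:
            raise ValueError("event_id and customer_ref are required")
        if event_id in self.seen_event_ids:
            return "DUPLICATE_IGNORED"  # redelivery must not repeat side effects
        self.seen_event_ids.add(event_id)

        outcome = event.get("outcome")
        reason = event.get("reason_code", "UNSPECIFIED")
        self.audit_log.append({"event_id": event_id, "customer_ref": ref,
                               "outcome": outcome, "reason_code": reason})

        if outcome == "PASS":
            self.kyc_status[ref] = "VERIFIED"
            self.outbox.append((ref, "Welcome, your account is now active."))
        elif outcome == "FAIL":
            self.kyc_status[ref] = "REJECTED"
            # Only the mapped wording leaves the system, never the reason code.
            self.outbox.append((ref, CUSTOMER_SAFE_MESSAGES.get(reason, FALLBACK_MESSAGE)))
        else:
            # REVIEW, plus any value this code does not recognise: never activate.
            if outcome != "REVIEW":
                log.warning("unrecognised outcome %r for %s, routing to review", outcome, ref)
            self.kyc_status[ref] = "PENDING_REVIEW"
            self.review_queue.append(ref)
            self.outbox.append((ref, "Your application is being reviewed."))
        return self.kyc_status[ref]


if __name__ == "__main__":
    p = OutcomeProcessor()
    # Constructed events for illustration only.
    print(p.handle({"event_id": "evt-1", "customer_ref": "cust-A", "outcome": "FAIL",
                    "reason_code": "SANCTIONS_CONFIRMED"}), p.outbox[-1])
```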

Edge Cases and Special Handling

Name Mismatches

| Scenario | Example | Handling |
|---|---|---|
| Married name change | Licence: Sarah Testfive, Passport: Sarah Testsix | Accept with statutory declaration or marriage certificate |
| Transliteration variance | Mikel vs Mikael vs Michael | Fuzzy matching; manual review if below threshold |
| Hyphenated names | Emma-Test vs Emma Test vs EmmaTest | Normalise hyphens and spaces before matching |
| Name order differences | Wei Testseven vs Testseven Wei | Support both Western and Eastern name order conventions |
| Titles and suffixes | Dr. Tom Testeight Jr. vs Tom Testeight | Strip titles/suffixes before matching |
| Accent marks | José Testnine vs Jose Testnine | Normalise diacritics for matching |
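
The handling rules in the table above can be combined into a single pre-matching step. The Python sketch below is an added example, not FrankieOne's matching implementation: it normalises diacritics, hyphens, spaces, titles and suffixes, accepts either name order, and falls back to a fuzzy score, sending anything below the threshold to manual review. The title and suffix lists, the use of `difflib` for scoring and the 0.85 threshold are assumptions of this example.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import List, Tuple

# Assumed, non-exhaustive lists; extend them to suit your customer base.
TITLES = {"dr", "mr", "mrs", "ms", "miss", "prof"}
SUFFIXES = {"jr", "sr", "ii", "iii"}


def name_tokens(raw: str) -> List[str]:
    """Lower-case tokens with diacritics, punctuation, titles and suffixes removed."""
    chars = []
    for ch in unicodedata.normalize("NFKD", raw).casefold():
        if unicodedata.combining(ch):
            continue                      # drop the accent, keep the base letter
        if ch.isalnum():
            chars.append(ch)
        elif ch.isspace() or unicodedata.category(ch) == "Pd":
            chars.append(" ")             # hyphens and dashes act as separators
        # any other punctuation (".", ",", "'") is dropped
    tokens = "".join(chars).split()
    # Strip titles only from the front and suffixes only from the end,
    # and never strip the last remaining token.
    while len(tokens) > 1 and tokens[0] in TITLES:
        tokens.pop(0)
    while len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    return tokens


def compare_names(a: str, b: str, threshold: float = 0.85) -> Tuple[str, str]:
    """Return (decision, reason) where decision is MATCH or REVIEW."""
    ta, tb = name_tokens(a), name_tokens(b)
    if not ta or not tb:
        return "REVIEW", "empty_name"
    if "".join(ta) == "".join(tb):        # also covers "Emma-Test" vs "EmmaTest"
        return "MATCH", "exact_after_normalisation"
    if sorted(ta) == sorted(tb):          # Western vs Eastern name order
        return "MATCH", "token_order_differs"
    score = SequenceMatcher(None, "".join(sorted(ta)), "".join(sorted(tb))).ratio()
    decision = "MATCH" if score >= threshold else "REVIEW"
    return decision, f"fuzzy:{score:.2f}"


if __name__ == "__main__":
    # Name pairs taken from the table above.
    pairs = [
        ("Emma-Test", "EmmaTest"),
        ("Wei Testseven", "Testseven Wei"),
        ("Dr. Tom Testeight Jr.", "Tom Testeight"),
        ("José Testnine", "Jose Testnine"),
        ("Mikel", "Mikael"),
        ("Mikel", "Michael"),
        ("Sarah Testfive", "Sarah Testsix"),
    ]
    for left, right in pairs:
        print(f"{left!r} vs {right!r}: {compare_names(left, right)}")
```

A married-name change such as Testfive to Testsix lands in REVIEW here, which is where the supporting statutory declaration or marriage certificate would be assessed.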

Document Expiry Handling

| Document Type | Expired Acceptance | Grace Period | Conditions |
|---|---|---|---|
| Passport | No | 0 days | Must be current |
| Driver Licence | Conditional | 90 days | If renewal in progress |
| Medicare | Yes | 2 years | For identity only, not entitlement |
| Visa | No | 0 days | Must be current and valid |
| Birth Certificate | Yes | N/A | No expiry |
| Citizenship Certificate | Yes | N/A | No expiry |

Re-verification Triggers

| Trigger | Re-verification Level | Timeframe |
|---|---|---|
| Product upgrade (e.g., basic → premium) | Document refresh | Before activation |
| Dormant account reactivation (over 12 months) | Full re-verification | Before reactivation |
| Significant transaction pattern change | Risk reassessment | Within 7 days |
| Customer-initiated detail change | Verify changed elements | Immediate |
| Screening alert on existing customer | Enhanced due diligence | Within 24 hours |
| Regulatory requirement (periodic review) | Full re-verification | Per risk rating schedule |
| Fraud indicator detected | Full re-verification + fraud checks | Immediate |
Fraud and cyber signals are increasingly relevant to both financial crime risk and broader AML/CTF expectations and can be integrated into your overall ML/TF risk assessment.

Periodic Review Schedule

| Customer Risk Rating | Review Frequency | Scope |
|---|---|---|
| Low | Every 3 years | Screening refresh, address confirmation |
| Medium | Annually | Full identity re-verification |
| High | Every 6 months | Full re-verification + enhanced screening |
| PEP | Every 6 months | Full re-verification + adverse media |

Joint Account Handling

All account holders must be independently verified before account activation.

Minor Accounts (Under 18)

| Account Type | Age Range | Requirements |
|---|---|---|
| Youth saver | 14-17 | Minor KYC + parent/guardian verification |
| Child trust | 0-17 | Parent/guardian KYC only; minor recorded |
| Teen everyday | 16-17 | Minor KYC + parent/guardian consent |

Non-Resident Accounts

| Customer Type | ID Requirements | Additional Checks |
|---|---|---|
| Tourist/Visitor | Foreign passport + visa | Visa validity, travel history |
| Temporary resident | Passport + valid visa | VEVO check, visa conditions |
| Foreign student | Passport + student visa | CoE verification |
| Working holiday | Passport + WHV | VEVO check |

Compliance Reporting

Audit Trail Requirements

FrankieOne maintains comprehensive audit trails for all verification activities.
| Data Category | Retention Period | Purpose |
|---|---|---|
| Verification requests | 7 years | AML/CTF compliance |
| Document images | 7 years | Evidence retention |
| Decision outcomes | 7 years | Audit trail |
| Screening results | 7 years | AML/CTF compliance |
| API request/response logs | 2 years | Technical audit |
| Webhook delivery logs | 90 days | Troubleshooting |

AUSTRAC Reporting Support

FrankieOne provides data exports to support AUSTRAC reporting requirements:
  • Subject details and identification documents
  • Verification history
  • Screening alerts and suspicious indicators
Note: Transaction monitoring and patterns are typically managed by your core banking system, not FrankieOne.

Regulatory Examination Support

FrankieOne can assist with generating examination packages for AUSTRAC or APRA examinations.
| Section | Description |
|---|---|
| Executive Summary | Verification volumes, pass rates, key metrics |
| Policy Documentation | Current workflow configurations and thresholds |
| Screening Summary | PEP/sanctions alerts and resolution outcomes |
| Manual Review Log | All manual decisions with rationale |
| Exception Report | Cases outside normal parameters |
| System Change Log | Configuration changes with approvals |
| Sample Cases | Representative examples from each outcome category |

Troubleshooting

| Issue | Likely Cause | Resolution |
|---|---|---|
| Government ID verification returning “NO_MATCH” | Name/DOB format mismatch | Check date format (YYYY-MM-DD), remove titles from name |
| Biometric check failing repeatedly | Poor image quality | Guide user on lighting, positioning; allow retry |
| Webhook not received | Firewall blocking | Whitelist FrankieOne IPs; check endpoint accessibility |
| High false positive rate on screening | Thresholds too sensitive | Tune matching thresholds; implement exclusion lists |
| Slow response times | Configuration issue | Contact FrankieOne support for optimisation |

Regulatory Context (Australia)

This example is designed for reporting entities operating under Australia’s AML/CTF framework and is aligned to current AUSTRAC guidance. Australian AML/CTF laws are undergoing reform, including a move to a single, risk-based customer due diligence obligation and expanded coverage of additional sectors (tranche 2). FrankieOne does not provide legal or regulatory advice. Reporting entities should obtain their own advice and configure workflows in line with their AML/CTF programs.