FREQUENTLY ASKED QUESTIONS

VerifyAU Pty Ltd  |  ABN 90 695 310 224

217–219 Flinders St, Adelaide SA 5000

Last updated: 25 May 2026

1. About VerifyAU

1.1 What is VerifyAU?

VerifyAU is an Australian-built, cloud-based compliance platform designed specifically for businesses that are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the “AML/CTF Act”).

It brings every AUSTRAC compliance obligation into one place — your AML/CTF program, risk assessments, customer identity verification, Suspicious Matter Reports, staff training records, and complete audit trail — so your firm can meet its legal obligations without managing a patchwork of spreadsheets, templates, and manual processes.

VerifyAU is hosted in Sydney (AWS ap-southeast-2). All data is stored in Australia.


1.2 Who is VerifyAU built for?

VerifyAU is built for Australian designated services providers under the AML/CTF Act, including:

  • Accounting and tax firms — including public practices, BAS agents, and SMSF providers

  • Financial advisers — including AFSL holders and authorised representatives

  • Conveyancers and property lawyers — including those newly caught by the 2026 AUSTRAC reforms

  • Mortgage brokers and credit providers — ACL holders and credit representatives

  • Trust and company service providers

  • Dealers in precious metals and stones


The platform is designed so that non-lawyers can use it confidently. AUSTRAC’s requirements are translated into plain English workflows.


1.3 How is VerifyAU different from other compliance tools?

Most AML compliance tools in Australia fall into one of three categories: generic global platforms not built for AUSTRAC, static PDF templates with no workflow, or expensive law firm solutions. VerifyAU is none of these.

  • Built for AUSTRAC specifically — not adapted from a UK or US framework. Every obligation, every deadline, every document format mirrors actual AUSTRAC requirements.

  • End-to-end in one platform — most competitors solve one piece (identity checks only, or policy templates only). VerifyAU covers the entire compliance lifecycle.

  • AI-powered policy generation — your AML/CTF program is generated in minutes using AI trained on AUSTRAC’s own guidance, not copied from a generic template.

  • Automated identity verification — DVS, liveness detection, and PEP screening are integrated into client onboarding, with consent logged automatically.

  • 2026-compliant from day one — includes proliferation financing risk factor, unified program format, and independent evaluation deadline requirements built in.

  • Australian data sovereignty — your data is stored in Sydney. It does not leave Australia for storage purposes.


1.4 Does VerifyAU provide legal advice?

No. VerifyAU is a compliance management tool, not a legal advice service. The platform helps you document and manage your obligations — it does not advise you about your specific legal circumstances.

Everything in VerifyAU is built around AUSTRAC’s published guidance, the AML/CTF Act, and the AML/CTF Rules, so the workflows and document formats are grounded in the actual legal requirements. However, we strongly recommend seeking independent legal advice if you are uncertain about your specific obligations.


1.5 Am I still responsible for my firm’s AUSTRAC compliance if I use VerifyAU?

Yes. VerifyAU creates the paper trail, automates the workflows, and keeps your records — but legal responsibility for compliance always rests with your firm and your designated compliance officer. AUSTRAC’s enforcement powers apply to you, not to your software provider.

What VerifyAU does is make it dramatically less likely that your firm will fall short, by surfacing deadlines, recording approvals with timestamps, and ensuring nothing falls through the cracks.


2. What VerifyAU Covers

2.1 What AUSTRAC obligations does VerifyAU cover?

VerifyAU covers every major obligation a reporting entity has under the AML/CTF Act:

  • AML/CTF program — AI-generated, AUSTRAC-format unified program document with formal approval workflow

  • Entity risk assessment — 7-step wizard covering all 6 risk factors including proliferation financing (2026 requirement)

  • Compliance officer designation — designation workflow, fit and proper declaration, and automatic 14-day AUSTRAC notification countdown

  • Customer due diligence (CDD) — full client onboarding with DVS, liveness detection, PEP screening, and risk rating

  • Beneficial ownership — separate due diligence workflow for companies and trusts, including DVS and PEP checks on each beneficial owner

  • Suspicious Matter Reports (SMRs) — 3-day countdown timer, AI-drafted narratives, tipping-off safeguards, and post-lodgement lock

  • Unusual Activity Reports (UARs) — creation, resolution, and audit logging

  • Staff training — 3-tier training records with AUSTRAC e-learning links and 12-month renewal reminders

  • Personnel due diligence (PDD) — checks tracked with 30-day expiry alerts

  • Periodic client reviews — automated overdue alerts and review dashboard

  • Annual compliance report — due date, 30-day email reminder, and submission record

  • Independent evaluation — deadline calculated from your AUSTRAC Account Number (AAN), with 6-month advance reminder

  • 7-year record retention — append-only audit log; records cannot be deleted from compliance tables

  • Records export for AUSTRAC — all five record categories exportable as CSV from Settings


2.2 Does VerifyAU cover the 2026 AUSTRAC changes?

Yes. VerifyAU was built and launched in 2026 with the updated requirements incorporated from day one:

  • Proliferation financing (PF) — the new mandatory 6th risk factor is built into the risk assessment wizard as Step 6, with a DFAT sanctions link included

  • Unified AML/CTF program format — the old Part A / Part B structure has been replaced with a single unified program, and VerifyAU generates in this new format

  • Independent evaluation deadlines — calculated automatically from the last two digits of your AAN (2029 or 2030 deadline)

  • Expanded designated services — the platform supports conveyancers, real estate professionals, and other newly designated services from the 2024–2026 reforms


2.3 How does the AML/CTF program builder work?

You answer a series of questions about your firm — your industry, designated services, customer types, delivery channels, and geographic exposure. VerifyAU uses artificial intelligence to generate a complete, AUSTRAC-format AML/CTF program tailored to your answers.

The generated program follows the 2026 unified format, includes all required sections (risk assessment methodology, CDD procedures, staff training, compliance officer obligations, record keeping, reporting obligations, and proliferation financing), and can be formally approved by your Admin (Senior Manager) with name and timestamp recorded in the system.

The program downloads as a PDF and approval status resets automatically when a new version is generated, ensuring you always have a current, approved document on record.

Most firms complete their initial AML/CTF program in under an afternoon.


2.4 How does identity verification work?

VerifyAU integrates with One Click Services (OCS), an Australian provider with direct access to the federal government’s Document Verification Service (DVS) Hub. When you onboard a client, VerifyAU handles:

  • DVS checks — Australian driver’s licences, passports, and Medicare cards verified against government records in real time

  • Liveness detection — a short facial scan via the client’s phone or webcam confirms the person presenting documents is the same person in the photo

  • PEP and sanctions screening — checks against Politically Exposed Person and sanctions databases


Your client receives an invitation link by email and completes verification on their own device — no app download required. You see the result immediately on their profile. DVS consent is captured and logged before any check runs.


2.5 How does the Suspicious Matter Report (SMR) workflow work?

SMRs must be lodged with AUSTRAC within 3 business days of forming a suspicion (24 hours for terrorism-related matters). Missing this deadline is a serious breach. VerifyAU’s SMR workflow is built around this:

  • Countdown timer starts the moment an SMR is created — turns amber at 24 hours remaining, red if overdue

  • AI drafts the narrative text in AUSTRAC’s required format for your review and editing

  • Tipping-off warning displayed prominently on every SMR page — it is a criminal offence to disclose an SMR to the subject

  • Confirmation checkbox required before creating or updating any SMR

  • SMR access restricted to Admin (Senior Manager) and Compliance Officer roles only

  • SMRs cannot be deleted after lodgement — the record is permanent

  • All SMR activity captured in the full audit log


2.6 Does VerifyAU handle beneficial ownership for companies and trusts?

Yes. When a client is identified as a company or trust, VerifyAU automatically triggers a separate beneficial ownership section. For each beneficial owner, the platform collects name, date of birth, address, and relationship to the entity, then runs DVS and PEP screening on each owner individually. All records are stored in a dedicated beneficial owners table linked to the client record, satisfying AUSTRAC’s enhanced CDD requirements for complex client structures.


3. Getting Started

3.1 Is there a free trial?

Signing up for VerifyAU is free — there is no subscription fee to create your account and explore the platform. You can set up your firm profile, designate your compliance officer, and begin your risk assessment at no cost.

Identity verification checks (DVS, liveness detection, and PEP screening) consume credits, which are purchased as needed. There is no minimum spend and no lock-in contract.


3.2 How long does it take to get set up?

Most firms complete their initial setup in a single afternoon. The guided setup checklist walks you through every step in order:

  • Firm profile and AUSTRAC enrolment details — approximately 10 minutes

  • Compliance officer designation and fit and proper declaration — approximately 5 minutes

  • Entity risk assessment (7-step wizard) — approximately 20 to 40 minutes

  • AML/CTF program generation and approval — approximately 15 to 20 minutes

  • Inviting and onboarding your first clients — approximately 5 minutes per client


You do not need to complete everything in one session. The platform saves your progress at every step.


3.3 Do I need to already be enrolled with AUSTRAC?

No. You can start using VerifyAU before completing your AUSTRAC enrolment. The platform will display a prompt linking directly to the AUSTRAC website to complete enrolment, and will track your enrolment status once your AUSTRAC Account Number (AAN) is entered.

If you are not yet enrolled and you provide designated services, you should enrol as soon as possible — failure to enrol is a civil penalty offence.


3.4 Can I invite my staff to the platform?

Yes. You can invite any number of staff members to your firm’s account. Each staff member is assigned a role that controls what they can see and do:

  • Admin (Senior Manager) — full access including billing, settings, and all compliance functions

  • Compliance Officer — access to SMRs, client records, risk assessments, and compliance functions (not billing)

  • AML Staff — access to client onboarding and day-to-day compliance tasks

  • Read Only — view-only access to records


All staff sign in with their own credentials. Your firm’s data is completely isolated from other firms on the platform.


4. Pricing and Credits

4.1 How does pricing work?

VerifyAU uses a credit-based pricing model. Creating an account and using the platform’s compliance management features — AML program builder, risk assessment, SMR workflow, training records, and so on — is free.

Credits are consumed when you run identity verification checks on your clients: Document Verification Service (DVS) checks, liveness detection checks, and PEP and sanctions screening checks.

You purchase credits in advance via Stripe and top up as needed. There is no monthly subscription fee, no lock-in contract, and no minimum spend.


4.2 What happens if a verification check fails?

This depends on why the check failed:

  • Technical failure — if a check fails due to a platform or provider error and we were not charged by One Click Services for that check, the credits consumed are automatically returned to your account balance.

  • Identity not verified — if a check runs successfully but the person’s identity cannot be verified (a legitimate non-match result), credits are consumed because the check was performed correctly. No refund applies in this case.


4.3 Can I get a refund on unused credits?

Yes. You may request a refund of your unused credit balance within 14 days of purchase by sending a written request to support@verifyau.com.au. Refunds are processed to your original payment method within 10 business days.

Refund requests made more than 14 days after the purchase date are not accepted, except where required by the Australian Consumer Law. Unused credits do not expire while your account is active.


4.4 What is auto-recharge?

Auto-recharge automatically purchases a set amount of credits when your balance falls below a threshold you choose. This ensures you never run out of credits mid-workflow when onboarding a client. You can enable, disable, or adjust auto-recharge settings at any time from the Billing section of your account settings.


5. Data, Privacy and Security

5.1 Where is my data stored?

All data is stored in Australia. VerifyAU’s database is hosted on Supabase in the ap-southeast-2 region (Sydney, NSW). Your compliance records do not leave Australian shores for storage purposes.

Our application is delivered via Vercel (US-based infrastructure), but all data is processed and stored in Sydney. Some third-party services we use — including Stripe for payments and Resend for email delivery — operate from the United States. Our Privacy Policy contains a full list of sub-processors.


5.2 Is my data isolated from other firms?

Yes, completely. VerifyAU enforces strict data isolation at the database level using Supabase Row Level Security (RLS). No user can access another firm’s data, even if they know the record ID. Attempting to access another firm’s client record by modifying a URL is blocked at the database layer. VerifyAU staff do not have routine access to your compliance records.


5.3 What happens to my data if I cancel my account?

When you close your account, your access to the platform ends immediately. However, your compliance data is retained for 7 years from the date of the last compliance activity recorded in your account.

This is a legal requirement, not a commercial decision. The AML/CTF Act requires reporting entities to retain records for a minimum of 7 years. During the retention period, your data is held securely and is not used for any commercial purpose. At the end of the 7-year period, all data is permanently and securely deleted.

You can request a full CSV export of your records at any time before closing your account by emailing support@verifyau.com.au.


5.4 Is biometric data (liveness scans) stored?

Liveness checks are performed by One Click Services (OCS), an Australian identity verification provider. The facial scan is processed by OCS to compare the live image against the identity document photo.

VerifyAU stores the result of the liveness check (pass/fail, date, and reference) — not the raw biometric image itself. OCS handles and retains the biometric data under their own privacy obligations. See our Privacy Policy for full details.


5.5 How is the platform secured?

VerifyAU is built with security as a core requirement:

  • Encrypted in transit — all data is transmitted over TLS

  • Database-level access control — Row Level Security enforced in Supabase; access cannot be bypassed at the application layer

  • Two-factor authentication (2FA) — TOTP authenticator app 2FA available on all accounts; strongly recommended for Admin and Compliance Officer roles

  • Role-based permissions — staff can only see and do what their role permits

  • Append-only audit log — every material action is logged and cannot be deleted or altered

  • Immutable compliance records — SMR logs, training records, and client verification histories cannot be hard-deleted


5.6 Does VerifyAU comply with the Australian Privacy Act?

Yes. VerifyAU Pty Ltd (ABN 90 695 310 224) handles personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).

Our full Privacy Policy is available at verifyau.com.au/privacy-policy. It covers what information we collect, how we use it, who we share it with, how long we keep it, and how you can access or correct your information. Privacy enquiries can be directed to support@verifyau.com.au. Unresolved complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.


6. Using the Platform

6.1 Can I export my records for an AUSTRAC audit?

Yes. From the Settings section of your account, you can export all five categories of records that AUSTRAC may request during an audit:

  • Client records

  • Verification history (DVS, liveness, and PEP results)

  • SMR log

  • Staff training records

  • Full audit log


All exports are provided as CSV files. The audit log is append-only and captures every material action taken in your account, including who performed each action and when.


6.2 Does VerifyAU send compliance deadline reminders?

Yes. Automated email reminders are sent for every time-sensitive compliance obligation:

  • 14-day AUSTRAC notification countdown from compliance officer designation — turns red at day 14

  • SMR 3-day deadline countdown — amber at 24 hours remaining, red when overdue

  • Annual compliance report — 30-day advance email reminder to your compliance officer

  • Independent evaluation deadline — 6-month advance reminder

  • Staff training renewal — 12-month renewal reminders for Tier 2 and Tier 3 trained staff

  • PDD expiry — 30-day advance alerts for expiring personnel due diligence checks

  • Periodic client reviews — automated overdue alerts when client reviews fall due


6.3 What sign-in options are available?

VerifyAU supports three sign-in methods: email and password with optional TOTP two-factor authentication; Google OAuth; and Magic Link (passwordless sign-in via a secure email link). Two-factor authentication is strongly recommended for all Admin and Compliance Officer accounts.


6.4 Is there an uptime guarantee?

The platform is provided on an “as available” basis. We do not currently offer a formal Service Level Agreement with guaranteed uptime percentages. We use enterprise-grade infrastructure (Supabase and Vercel) and monitor the platform continuously. Scheduled maintenance is communicated in advance where possible.


6.5 How do I get support?

The platform includes a built-in Help Centre covering all major features in plain English, accessible from the top bar of any page inside the app. For additional assistance:


We aim to respond to all enquiries within one business day.


7. Contact Us

For questions about this FAQ or about VerifyAU generally, please contact:


VerifyAU Pty Ltd

217–219 Flinders St, Adelaide SA 5000

ABN 90 695 310 224

Email: support@verifyau.com.au

Website: verifyau.com.au