Customer Onboarding Policy

Payvel Pty Ltd · ACN: 27673904599

Last Updated: 02 March 2026

1. Policy Statement and Purpose

Payvel Pty Ltd is fully committed to the principle of 'Know Your Customer' (KYC) as a fundamental and non-negotiable cornerstone of its AML/CTF Program. A thorough understanding of who our customers are, and the ML/TF risks they may pose, is essential to preventing the misuse of our services for criminal purposes.

The purpose of this policy is to establish the official framework and procedures for:

  • Identifying and verifying the identity of all customers before providing any designated services.
  • Identifying the ultimate beneficial owners of non-individual customers.
  • Assessing the potential money laundering and terrorism financing (ML/TF) risk associated with each customer relationship.
  • Applying appropriate levels of due diligence that are proportionate to the assessed risk.

This policy is designed to ensure full compliance with the customer due diligence obligations stipulated in the AML/CTF Act 2006 and the detailed procedural requirements of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules).

2. Scope and Application

This policy applies to all prospective customers of Payvel Pty Ltd seeking to use any of its 'designated services' as defined under the AML/CTF Act. It covers all methods and channels through which customers are onboarded, including but not limited to face-to-face interactions, online applications, and relationships initiated through third-party agents or intermediaries.

3. The Risk-Based Approach to Customer Onboarding

The foundation of Payvel Pty Ltd's customer onboarding process is a risk-based approach. This means that the scope, intensity, and frequency of due diligence measures applied to a customer are directly proportional to the ML/TF risk that the customer is assessed to present. This approach allows compliance resources to be focused most effectively on areas of higher risk, in line with global best practice.

Payvel Pty Ltd's enterprise-wide ML/TF Risk Assessment identifies and rates the inherent risks associated with various factors, including:

  • Customer Types: e.g., individuals, companies, trusts, non-residents.
  • Jurisdictions: The countries customers are from or transact with.
  • Products and Services: The specific designated services being used.
  • Delivery Channels: How services are accessed (e.g., online vs. in-person).

Based on these factors, each customer is assigned a Customer Risk Rating (e.g., Low, Medium, High) during the onboarding process. This rating is the primary determinant of the specific identification, verification, and ongoing monitoring procedures that will be applied throughout the customer relationship.

4. Governance and Responsibilities

Clear roles and responsibilities are essential for the consistent and effective execution of this policy.

4.1 Senior Management

Senior Management is responsible for:

  • Formally approving the risk-based approach and the overall framework of this policy.
  • Ensuring the customer onboarding function is adequately resourced with skilled personnel and appropriate technology.

4.2 AML/CTF Compliance Officer

The AML/CTF Compliance Officer is responsible for:

  • The design, implementation, and ongoing maintenance of the procedures detailed in this policy.
  • Providing expert guidance and training to staff on KYC requirements.
  • Acting as the final escalation point for high-risk or complex customer onboarding cases.
  • Reviewing and approving the onboarding of all high-risk customers.

4.3 Front-line Staff / Onboarding Team

All staff involved in the customer onboarding process are responsible for:

  • Diligently executing the procedures outlined in this policy.
  • Accurately collecting and verifying customer information and documentation.
  • Correctly assessing the initial customer risk rating based on established criteria.
  • Promptly escalating any red flags, discrepancies, or potentially high-risk customers to the AML/CTF Compliance Officer.

5. Customer Identification Program (CIP)

The Customer Identification Program (CIP) details the mandatory procedures for identifying and verifying all customers.

5.1 Prohibition Before Identification

It is the strict policy of Payvel Pty Ltd that no designated service will be provided to a customer if the applicable customer identification procedure, as detailed in this section, cannot be satisfactorily completed. This is a direct requirement of the AML/CTF Act.

5.2 Minimum Information Collection Requirements

The baseline information that MUST be collected for different customer types is specified in the AML/CTF Rules. This information forms the basis of the KYC record. The specific requirements are detailed in the subsequent sections.

5.3 Verification Standards: Reliable and Independent Sources

All verification of customer information must be conducted using "reliable and independent" documentation, electronic data, or a combination of both.

Reliable and Independent Documentation: Includes current, original government-issued identification documents or certified copies thereof. Passports that have expired within the last two years are also acceptable.

Reliable and Independent Electronic Data:Includes data from reputable sources that are accurate, secure, and comprehensive. The Australian Government's Document Verification Service (DVS) is an approved electronic source for verifying certain identity documents. Any third-party digital identity provider used must be subject to a formal due diligence process to ensure their methods are robust, secure, and appropriate for the ML/TF risk, thereby mitigating risks such as synthetic identity fraud or deepfakes.

5.4 Identification Procedures for Individuals & Sole Traders

Collect: For an individual customer, the following must be collected:

  • Full name (including all given names and family name).
  • Full residential address.
  • Date of birth.

Verify: The following must be verified using reliable and independent sources:

  • The customer's full name, AND
  • EITHER their date of birth OR their residential address.

(Refer to Appendix B for a detailed matrix of acceptable documents).

5.5 Identification Procedures for Companies (Domestic & Foreign)

Collect: For a corporate customer, the following must be collected:

  • Full name of the company as registered.
  • Australian Company Number (ACN) for domestic companies or Australian Registered Body Number (ARBN) for registered foreign companies.
  • Full address of the registered office and principal place of business.
  • Registration status (e.g., public or proprietary).
  • For proprietary companies, the full names of all directors.

Verify:The collected information must be verified against a reliable and independent source, such as a search of the Australian Securities & Investments Commission (ASIC) database or an equivalent foreign corporate registry.

5.6 Identification Procedures for Trusts

Collect: For a trust, the following must be collected:

  • Full name of the trust.
  • Full name of every trustee.
  • The Australian Business Number (ABN) of the trust, if one has been issued.

Verify: The existence, type, and controlling structure of the trust must be verified by obtaining and reviewing a certified copy or certified extract of the governing trust deed.

5.7 Identification of Beneficial Owners

For all non-individual customers (e.g., companies, trusts, partnerships), it is mandatory to look through the legal structure to identify the natural persons who ultimately own or control it.

Definition:A 'beneficial owner' is defined as any individual who ultimately owns or controls, directly or indirectly, 25% or more of the customer, or who otherwise exercises effective control over the customer.

Procedure: Payvel Pty Ltd must take reasonable measures to identify all individuals who meet this definition. This involves obtaining and reviewing ownership charts, trust deeds, partnership agreements, or other relevant constitutional documents.

Collection and Verification: Once identified, the following information must be collected for each beneficial owner:

  • Full name.
  • EITHER their full residential address OR their date of birth.

This information must then be verified using the same standards as for an individual customer.

5.8 Identification of Politically Exposed Persons (PEPs)

Individuals who hold prominent public positions can pose a higher risk of being involved in corruption or money laundering.

Definition: A Politically Exposed Person (PEP) is an individual who holds a prominent public position in a government body or international organization, in Australia or overseas. Immediate family members and close associates of such individuals are also considered PEPs.

Procedure: As part of the onboarding process, Payvel Pty Ltd must take reasonable steps to determine whether a customer or any of their beneficial owners is a PEP. This will be achieved through a combination of:

  • Direct questioning of the customer (e.g., via a declaration on the application form).
  • Screening names against reputable third-party PEP databases.
  • Reviewing publicly available information where appropriate.

6. Due Diligence Procedures

The Customer Risk Rating assigned during onboarding dictates the level of due diligence to be performed.

6.1 Simplified Due Diligence ('Safe Harbour') for Low-Risk Customers

For individual customers who have been assessed as presenting a low or medium ML/TF risk, streamlined 'safe harbour' verification procedures may be applied as permitted by the AML/CTF Rules. These procedures allow for verification based on a reduced set of documentation. The specific combinations of documents are detailed in Appendix B.

6.2 Standard Due Diligence for Medium-Risk Customers

This is the default level of due diligence applied to the majority of customers. It requires the full and satisfactory completion of all procedures outlined in the Customer Identification Program (Section 5.0).

6.3 Enhanced Customer Due Diligence (ECDD) for High-Risk Customers

ECDD involves a higher level of scrutiny and must be applied in all high-risk situations. The quality of information gathered during this process is paramount, as it establishes the baseline for the intensive ongoing monitoring that high-risk customers require. An incomplete or inaccurate profile at this stage will severely compromise the effectiveness of downstream transaction monitoring systems, potentially leading to a failure to detect genuinely suspicious activity.

Triggers for ECDD

ECDD is mandatory when:

  • A customer is assessed as high-risk based on the initial risk assessment.
  • The customer or a beneficial owner is identified as a foreign PEP.
  • A transaction involves a party from a prescribed foreign country as designated by Australian law.
  • A suspicion is formed about the customer in relation to money laundering or terrorism financing at any stage.

ECDD Measures

When ECDD is triggered, in addition to standard due diligence, one or more of the following measures must be undertaken:

  • Obtain Additional Information:Collect and verify additional information about the customer's identity or business.
  • Establish Source of Wealth and Funds:Take reasonable measures to understand and, where appropriate, corroborate the customer's and/or beneficial owner's source of wealth (the origin of their total net worth) and the source of funds for the proposed transactions.
  • Clarify Purpose of Relationship: Obtain more detailed information regarding the intended nature and purpose of the business relationship.
  • Senior Management Approval: Obtain approval from a senior managing official (e.g., the AML/CTF Compliance Officer or CEO) before establishing or continuing the business relationship.

7. Handling of Discrepancies and Refusal of Service

Discrepancies: Any discrepancy identified during the verification process (e.g., a difference in name or address between an application form and an identity document) must be investigated and satisfactorily resolved before the onboarding can proceed.

Refusal of Service: If a customer is unable or unwilling to provide the required KYC information and documentation, or if discrepancies cannot be resolved to the satisfaction of Payvel Pty Ltd, the onboarding process must be terminated. No services will be provided to the customer.

Suspicious Matter Reporting: The circumstances surrounding a refusal to provide information or the provision of potentially fraudulent documents must be assessed to determine if they give rise to a suspicion of ML/TF. If so, a Suspicious Matter Report (SMR) must be submitted to AUSTRAC.

8. Record Keeping

Compliance with record-keeping obligations is mandatory.

  • All information, data, and documents collected and verified as part of the customer onboarding process must be retained.
  • Records of the customer risk assessment, any ECDD measures undertaken, and senior management approvals must also be kept.
  • All records must be retained for a period of seven years following the date the business relationship with the customer is terminated.

9. Policy Review and Assurance

To ensure ongoing effectiveness and compliance, this policy will be subject to regular review.

  • The AML/CTF Compliance Officer will review this Customer Onboarding Policy at least annually, or more frequently if required by changes to legislation, regulation, or the business's risk profile.
  • The operational effectiveness of the procedures and controls outlined in this policy will be assessed as part of the regular independent review of Payvel Pty Ltd's overall AML/CTF Program, as required by Part A of the program.

10. Appendix B: Customer Identification & Verification Document Matrix

See Part A of the AML/CTF program, annexure A. This matrix is a practical guide for staff to ensure consistent application of identification and verification procedures. It is not exhaustive and any queries should be directed to the AML/CTF Compliance Officer.

Acceptable Document Lists

Primary Photographic Identification:

  • Australian Driver's Licence (current)
  • Australian Passport (current or expired within the last 2 years)
  • Australian Proof of Age Card (current)
  • Foreign Passport (current)
  • Foreign National Identity Card (current)

Primary Non-Photographic Identification:

  • Australian Birth Certificate or Birth Extract
  • Australian Citizenship Certificate
  • Centrelink Pensioner Concession Card, Health Care Card, or Seniors Health Card (current)
  • Foreign Birth Certificate

Secondary Identification:

  • Notice issued by the Australian Taxation Office (ATO) within the last 12 months showing name and residential address.
  • Notice issued by a local government body or utilities provider (e.g., council rates, electricity, water bill) within the last 3 months showing name and residential address.
  • Notice from the Commonwealth or a State/Territory government showing provision of financial benefits within the last 12 months.