Compliance reporting

Your compliance reporting requirements

If your organisation uses the identity verification services (IVS), you must complete compliance reporting each year. Not doing so may result in your access to the IVS being suspended or terminated.

The Identity Verification Services Act 2023 (IVS Act) sets out your legal obligations. These include:

  • self-auditing your use of the DVS each year
  • reporting each year on the compliance or non-compliance of your IVS use.

As an IVS user, you have an agreement with us, the Attorney-General’s Department. You need this participation agreement to access the IVS. It contains obligations you must meet to access the IVS, including your compliance reporting requirements.

Compliance reporting ensures your organisation has implemented the necessary technical, privacy and security safeguards to sufficiently protect individuals’ personal information when verifying their identity.

Even if you access the IVS through a gateway service provider, you must complete compliance reporting each year.

How the process works

Your self-audit involves reviewing your use of the IVS to ensure it complies with:

Your self-audit must cover the reporting period we advise.

Following your self-audit, you must complete and submit a compliance statement by the due date.

Submitting a completed compliance statement by the due date is one of the requirements of your participation agreement. If you do not meet the requirements of your agreement, we may need to suspend or terminate your access to the IVS.

Visit IVS compliance reporting for more details on the compliance reporting process.

Completing a compliance statement

If you have signed a participation agreement, you must complete a compliance statement – even if you haven’t used the IVS in the last 12 months.

You must:

  • complete all sections of the compliance statement, even if your access to and use of the IVS is through a gateway service provider
  • complete and submit the compliance statement by the due date requested
  • complete one compliance statement for each participation agreement that your organisation has signed.

Visit Completing a business user compliance statement for details.

Addressing non-compliance

You must notify us if you identify any non-compliance with your participation agreement, the IVS Rules 2024 or the relevant access policy.

Non-compliance does not mean we will automatically suspend or terminate your access to the IVS. You will need to address and remediate any non-compliance within the timeframe we provide.

Visit Audit and compliance remediation process for details.

Got questions?

If you have questions about your compliance reporting requirements, please email us at ivscompliancereporting@ag.gov.au.