This article defines the terms used across BNDRY's product, your day-to-day compliance work, and the Australian AML/CTF regulatory landscape. Use it as a reference when something unfamiliar shows up in a form, an alert, a workspace, or a regulator's request.
Terms are listed alphabetically by their full name. For acronyms, the acronym appears in brackets after the full term — for example, Australian Transaction Reports and Analysis Centre (AUSTRAC) sits under A.
Glossary
| Term | Definition |
|---|---|
| Activity | A record of a compliance process or event linked to an Entity. Activities build the audit history of reviews, checks, document requests, and other actions taken on a customer over time. |
| Adverse Media | News and other public reporting that may affect a customer's risk. Often included in PEP and Sanctions screening. |
| Alert | An item that needs your attention, such as a screening match, an unusual transaction, or a verification failure. Alerts are raised by Policies in response to risk conditions. |
| AML Compliance Officer (AMLCO) | Previously the Money Laundering Reporting Officer, or MLRO. The senior compliance role responsible for the AML/CTF program and for reporting suspicious activity to regulators. Sometimes called the Nominated Officer. |
| Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) | The regulatory regime BNDRY helps you comply with. |
| Application Programming Interface (API) | The way external systems talk to BNDRY programmatically. API requests and responses use JSON. |
| Australian Privacy Principles (APP) | The rules in Australia's Privacy Act 1988 that govern how organisations collect, use, store, and protect personal information. |
| Australian Securities and Investments Commission (ASIC) | Australia's regulator for companies, financial markets, financial services, and consumer credit. |
| Australian Transaction Reports and Analysis Centre (AUSTRAC) | Australia's AML/CTF regulator and financial intelligence unit. |
| Authentication | Confirming who a user is — typically via password, single sign-on, or another identity provider. The "AuthN" half of identity and access management. See also Authorisation, SSO. |
| Authenticator | An app or hardware device that generates a one-time code as a second factor in MFA. Common examples include Google Authenticator, Microsoft Authenticator, Authy, and 1Password. The code typically refreshes every 30 seconds (see TOTP) and is required alongside the password to complete sign-in. |
| Authorisation | Determining what an authenticated user is allowed to do, based on their roles and the resources they're trying to access. The "AuthZ" half of identity and access management. See also RBAC, ReBAC. |
| Automated Decision Making (ADM) | Decisions made by software without meaningful human review — for example, automatically declining a customer based on a risk score. Under the Australian Privacy Act, ADM that significantly affects an individual can trigger additional transparency and review obligations. Worth understanding when configuring Policies that auto-decision customers without staff oversight. |
| Automation | A configured workflow BNDRY runs for you. Automations can be a single check (Task Automation, such as PEP screening) or a multi-step process (Process Automation, such as a full KYC flow). Triggered manually, via the API, or by a Policy. |
| Basic Authentication (Basic Auth) | Username-and-password Authentication — the most basic form. Sufficient for low-risk systems, but for sensitive systems it should always be paired with MFA. See also SSO. |
| Beneficial owner | The person who ultimately benefits from owning a business, even if their ownership is held through other companies. See also UBO. |
| Common Expression Language (CEL) | A lightweight expression language used in BNDRY to define rules — for example, risk-rating rules where each expression returns a numeric value that contributes to the overall risk score. |
| Company | An Entity type representing a business, partnership, non-profit, or any other non-human organisational structure. One of three Entity types alongside Individual and Trust. |
| Compliance Program | Your organisation's documented rules, processes, training, and controls that ensure you meet your legal and regulatory obligations. |
| Custom field | An extra field added to an Entity to capture information specific to your tenant. |
| Customer Due Diligence (CDD) | The standard checks you do when onboarding a customer. |
| Data anonymisation | Removing or transforming Personal information so an individual can no longer be identified, even by combining the data with other available sources. Distinct from de-identification, which can sometimes be reversed. Relevant when retiring records past their Retention period without destroying the underlying business data. |
| Data minimisation | The privacy principle that says you should only collect, use, and retain the Personal information you genuinely need for the purpose. Under the Australian Privacy Principles, collecting more than necessary is itself a compliance risk — not just an inefficiency. |
| Designated Non-Financial Businesses and Professions (DNFBPs) | Sectors such as real estate, casinos, lawyers, accountants, and precious metals dealers that are subject to AML/CTF obligations. |
| Designated Service | A service defined under the AML/CTF Act that brings a business into scope as a Reporting Entity. Examples include providing finance, gambling services, or remitting money. |
| Director(s) | A natural person legally appointed to manage the affairs of a Company. Directors have specific legal duties under the Corporations Act 2001. In BNDRY, a Director is represented as a Relationship between an Individual Entity and the Company Entity they direct. |
| Document | A structured record of an ID document (passport, driver's licence, Medicare card, visa) with typed fields like number, expiry, and issuing authority. Different from a File. |
| Electronic Funds Transfer (EFT) | The electronic movement of money between financial institutions, bank accounts, or individuals. |
| Employee | An Individual Entity who works for your organisation. BNDRY tracks the employment relationship so you can filter Individuals by employee status and manage staff records separately from customer records. |
| Enhanced Customer Due Diligence (ECDD) | Extra checks for higher-risk customers. |
| Entity | A record about a person or a business. Entities are how BNDRY consolidates risk and compliance data about your customers and third parties — every Alert, Activity, Workspace, Document, and File hangs off an Entity. Entities can also link to each other through Relationships (Director of, Shareholder of, and so on). |
| Event | A customer transaction or interaction streamed to BNDRY for real-time monitoring. Events trigger Alerts when monitoring rules detect anomalies. |
| External ID | An identifier from another system (your CRM, your membership system) attached to an Entity. |
| External portal | The customer-facing site BNDRY presents to people invited to a Workspace or filling in an integrated form. Branded with your organisation's logo and Portal theme. |
| Facial Recognition Technology (FRT) | Used in BNDRY's identity verification flows to compare a live selfie or video against the photo on an identity Document, confirming the person presenting the ID is the same person it was issued to. The biometric information and biometric templates FRT relies on are Sensitive information under the Privacy Act. |
| File | An uploaded file (PDF, image, spreadsheet, Word doc) attached to an Entity, a Workspace, or a form. Unstructured. |
| Financial Action Task Force (FATF) | The international body that sets global standards to fight money laundering, terrorist financing, and the financing of weapons proliferation. |
| Financial Intelligence Unit (FIU) | A country's central authority for receiving and analysing financial intelligence. AUSTRAC is Australia's FIU. |
| FinCrime | Shorthand for Financial Crime. The broader category that AML/CTF compliance sits inside. Covers fraud, scams, data theft, account takeovers, and other criminal activity that financial businesses must guard against. |
| Form | A structured way to capture information. Always lives in a Workspace. An instance of a Form template. |
| Form template | A reusable Form definition, written as a FormKit Schema, that can be deployed into multiple Workspaces. The template defines the fields and validation; the Form is the live instance customers fill in. |
| FormKit | The schema-driven form library BNDRY uses to render and validate forms. Drop a FormKit Schema into the BNDRY settings page to make it available as a Form template. |
| Gateway Service Provider (GSP) | An organisation accredited to provide access to Australian government identity verification services (see IDMatch). |
| Government-related identifiers | A specific category of Personal information under the Privacy Act 1988 covering Medicare numbers, Centrelink reference numbers, driver's licence numbers, tax file numbers, and other government-issued identifiers. The Privacy Act places extra restrictions on how Government-related identifiers can be collected, used, disclosed, and adopted as your own identifier. |
| Identity Provider (IdP) | A service that authenticates users and issues identity assertions to applications — Google, Microsoft Entra, Okta, and similar. BNDRY integrates with IdPs to support SSO. See also Authentication. |
| Identity Provider broker (IdP broker) | A service that sits between BNDRY and one or more upstream IdPs, providing a single integration point while supporting multiple authentication sources. Useful when your organisation needs to federate identities from multiple IdPs into a single login experience. |
| Identity Verification (IDV) | The digital process of confirming a person's identity using document scans, biometrics, and database checks. |
| Individual | An Entity type representing a natural person. One of three Entity types alongside Company and Trust. |
| Individual Entity Onboarding | A BNDRY Automation that creates an Individual Entity, runs identity verification and likeness checks, and signals your systems via Webhook when the onboarding completes. |
| International Funds Transfer Instruction (IFTI) | A mandatory report to AUSTRAC for money or property transfers into or out of Australia. Must be lodged within 10 business days. |
| JavaScript Object Notation (JSON) | The standard structured-data format BNDRY uses for FormKit Schemas, Custom field definitions, Webhook payloads, and API requests and responses. |
| Know Your Business (KYB) | The checks you do on a business customer. |
| Know Your Customer (KYC) | The checks you do on an individual customer. |
| Magic link | A secure single-use URL BNDRY generates so a customer can fill in a form without logging in. |
| Multi-Factor Authentication (MFA) | Requiring two or more independent factors to confirm identity. Significantly harder for an attacker to bypass than a password alone. |
| Note | Free-text information attached to an Entity, a Form, or a Workspace. Informal; not part of the audit trail. |
| Office of the Australian Information Commissioner (OAIC) | An independent Australian government agency within the Attorney-General's portfolio. Its primary functions are privacy, freedom of information, and government information policy — handling complaints, conducting investigations, reviewing decisions, and issuing guidance across these areas. |
| Official record holder | A government agency or other authoritative source that holds the original record for an identity document (such as a passport, driver's licence, or Medicare card). BNDRY verifies Documents by checking the details a customer provides against the official record holder via the Australian government's identity verification services. See IDMatch. |
| Ongoing Customer Due Diligence (OCDD) | The continuous monitoring and refresh of customer information throughout the customer relationship. |
| OpenID Connect (OIDC) | A modern Authentication protocol built on top of OAuth 2.0, used by IdPs (Google, Microsoft Entra, Okta, and so on) to issue identity assertions to applications. BNDRY supports OIDC for SSO. |
| Personal information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. The definition is set in section 6(1) of the Australian Privacy Act 1988 and is deliberately broad: it covers far more than just names and contact details. Anything that, alone or combined with other available information, could identify someone is in scope. See also Sensitive information, Government-related identifiers, PII. |
| Personally Identifiable Information (PII) | Common industry shorthand for Personal information. The Australian Privacy Act uses the term "Personal information" rather than "PII"; the two are used interchangeably in practice but the legal definition is the Privacy Act one. |
| Pipelined Relational Query Language (PRQL) | A modern, readable query language that compiles down to SQL. Queries are composed as a series of transformation steps rather than a single nested statement. |
| Policy | A configurable rule that triggers Alerts and Automations in response to defined conditions — screening hits, verification outcomes, Entity changes, or monitoring Events. |
| Politically Exposed Person (PEP) | Someone who holds a prominent public role and may be at higher risk of corruption-related activity. PEPs are classified along two dimensions: Category (where the public role is held) and Tier (seniority of the role). |
| Portal theme | The look and feel of the External portal presented to users viewing your integrated forms or invited to Workspaces. Configurable per tenant (logo, colours, copy). |
| Relationship | A typed link between two Entities. Relationships capture how customers and third parties are connected — directorships, shareholdings, family ties, and so on — which matters for KYB, UBO discovery, and risk analysis. BNDRY supports: |
| Relationship-Based Access Control (ReBAC) | An Authorisation model where permissions follow relationships between objects — for example, "you can edit this Workspace because you're a Collaborator on it". Complements RBAC for finer-grained access decisions. |
| Reporting Entity | A business that provides Designated Services under the AML/CTF Act and therefore has obligations to AUSTRAC. BNDRY customers are typically Reporting Entities. |
| Retention period | How long records must be kept before they can be destroyed or de-identified. Under the AML/CTF Act, Reporting Entities must keep CDD and transaction records for 7 years from the cessation of services. Full copies of identity Documents have never been explicitly required to be retained under the AML/CTF Act — only the record of the verification. The OAIC's updated guidance (13 April 2026) confirms that holding onto identity document copies is now generally prohibited under the Australian Privacy Principles' data minimisation requirement, unless retention is genuinely "reasonably necessary" under the APP test. A 3-year transitional period set by the Department of Home Affairs applies; during it, the OAIC expects Reporting Entities to commit to destroying or de-identifying existing copies of identity documents and to maintain a documented roadmap toward that end state. |
| Risk Assessment | Your organisation's process for identifying, analysing, and evaluating the risks your business faces. A required component of an AML/CTF program. |
| Risk rating | A score or category showing how risky a customer is. |
| Risk rating levels | The configurable bands BNDRY uses to categorise Entities by risk. Each level has a label, a Threshold (the upper limit for that level), and a display colour. A computed score is assigned to the level whose Threshold it falls at or below — so each level only needs one value, and adding a new level doesn't require updating adjacent ranges. |
| Role-Based Access Control (RBAC) | An Authorisation model where permissions are granted by assigning users to roles (Admin, Reader, Writer, and so on) and the roles carry the permissions. BNDRY's platform roles work this way. |
| Roles | The set of BNDRY platform roles that determine what each user can do — Admin, Writer, Reader, Collaborator, Duty Manager, Human Resources (HR), Investigations, and View Only Admin. Each role carries a defined set of permissions. See the permissions matrix for the full breakdown of which role can do what. See also RBAC. |
| Sanctions | Lists of individuals and organisations that financial businesses are prohibited from dealing with. |
| Schema | A formal definition of the structure of a piece of data — what fields it contains, what types they are, and what's required. BNDRY uses Schemas for FormKit Form templates, Custom field definitions, and Webhook payloads. |
| Screening | Checking a customer against PEP, Sanctions, and Adverse Media lists. |
| Screening tag | Another name for Tag, used in the context of configuring screening. The two terms refer to the same thing — a label attached to an Entity — but "Screening tag" emphasises its role in determining which screening lists or services apply. See Tag. |
| Security Assertion Markup Language (SAML) | An older but still widely-used enterprise Authentication protocol that lets an IdP issue identity assertions to applications via XML. BNDRY supports SAML for SSO alongside OIDC. |
| Sensitive information | A specific category of Personal information defined in section 6(1) of the Australian Privacy Act 1988. Includes information about a person's health, racial or ethnic origin, religious or philosophical beliefs, political opinions or affiliations, sexual orientation or practices, criminal record, and union membership — as well as biometric information used for the purpose of automated biometric verification or identification (paragraph (d)) and biometric templates (paragraph (e)). Sensitive information attracts stricter handling requirements than ordinary Personal information. |
| Single Sign-On (SSO) | An Authentication method that lets users sign in to BNDRY using their existing identity provider (Google, Microsoft Entra ID, Okta, and so on) instead of a BNDRY-specific password. |
| Source of Funds (SoF) | Where the money used for a specific transaction comes from — for example, salary income or proceeds from an asset sale. |
| Source of Wealth (SoW) | How a customer's overall wealth was accumulated — for example, through business ownership or inheritance. |
| Structured Query Language (SQL) | The standard language for querying relational databases. See also PRQL. |
| Suspicious Matter Report (SMR) | A regulatory report you file with AUSTRAC about a suspicious transaction or interaction. See also UAR. |
| Tag | A label attached to an Entity to help you group and filter. See also Screening tag. |
| Tenant | Your isolated BNDRY instance. Contains your Entities, Workspaces, Forms, Automations, and data — separate and secure from every other customer. |
| Threshold | The upper-limit (ceiling) value for a Risk rating level. A computed risk score is assigned to the level whose Threshold it falls at or below — so each level only needs one value, and adding a new level doesn't require updating adjacent ranges. See Risk rating levels. |
| Threshold Transaction Report (TTR) | An AUSTRAC report for cash transactions of A$5,000 or more. |
| Time-based One-Time Password (TOTP) | A short numeric code generated by an Authenticator app that refreshes every 30 seconds. The standard mechanism behind app-based MFA. |
| Transaction | A financial or non-financial Event streamed to BNDRY — payments, transfers, gaming machine activity — assessed against monitoring rules and threshold reporting obligations. |
| Transaction Monitoring Program (TMP) | The documented set of rules, thresholds, and processes your organisation uses to monitor transactions for suspicious activity. A required component of your AML/CTF program under the AML/CTF Act. |
| Transaction Monitoring System (TMS) | The system or capability used to surveil customer transactions in near-real-time and detect anomalies that warrant investigation. BNDRY's Events and Policies provide a TMS capability. |
| Trust | An Entity type for legal structures that hold assets on behalf of beneficiaries. One of three Entity types alongside Individual and Company. |
| Ultimate Beneficial Owner (UBO) | The natural person who ultimately owns or controls a company (typically 25% or more ownership). A key concept in KYB. |
| Unusual Activity Report (UAR) | An internal flag raised when something looks off but suspicion hasn't yet been formed. Often precedes an SMR. |
| Webhooks | HTTP callbacks BNDRY sends to your systems when something happens — an Alert is raised, an onboarding completes, a Workspace is submitted. The mechanism for integrating BNDRY with your downstream systems in near-real-time. |
| Workspace | A multi-step process that gathers forms, files, and screening results for a single piece of work. |