Australia’s major banks did not voluntarily embark on large-scale customer identity remediation. They were pushed. Regulatory tightening around KYC and AML reframed customer data quality from an operational concern into a compliance risk. In doing so, it exposed how much institutional confidence had been placed in identity records that were never truly verified. The banks aren’t now just fixing UX. They are protecting their licence to operate. Think about that for a second.

While the public narrative centres on financial crime, terrorism financing, and systemic integrity, something more structural is occurring beneath the surface. Compliance is quietly converting identity data into hardened economic infrastructure. Data that survives sustained regulatory scrutiny becomes economically different. It can be relied upon and automated against and shared internally without qualification. And it reduces the cost and risk of every downstream decision that depends on it.

And today that matters beyond compliance. Verified identity is not just a regulatory obligation. It is a prerequisite for automation at scale. Without trustworthy records, delegated work collapses back into manual oversight. But with them, institutions can safely transition toward machine-assisted and agentic operating models.

In a recent discussion with one of the Big Four banks, I was told they are actively validating more than 1.3 million unique customer records. Not enriching them. Not optimising them. Simply validating. Addresses. Employment status. Proof of identity. Duplicate CRNs. Parallel identifiers created across legacy systems. Records that were considered “good enough” for years, but are no longer defensible.

These are institutions with deep technology budgets, mature analytics capability, and decades of digital transformation behind them. They have invested heavily. They have modernised repeatedly. Yet even here, identity foundations required remediation at scale.

So, if that is the position of Australia’s most heavily regulated, best-funded data environments, what does that imply for everyone else? Well, a great deal.

Let me make this far less abstract using my own personal experience.

Over several months my bank sent repeated requests for updated KYC information (primed by their own regulatory deadlines). I delayed. I was busy, and yes, slightly stubborn. But I was also hesitant because I knew the friction that was coming. I couldn’t remember my CRN. Password? Yes. PIN? Yes. Account numbers? Naturally. I’ve been a customer for decades. But the CRN, that single identifier, isn’t something someone needs on a day to day basis.

I tried and failed to recover it online. The website process instructed me to '“Please call this number.” Urgh. I opted to book an online appointment at the local branch, as much to transfer the inconvenience back to the organisation that had created it.

A bank employee then sat with me for roughly twenty minutes to satisfy compliance obligations. The interaction began with a simple question: “Why are you here?” Anyone who has spent time around agentic AI will recognise immediately this. It was textbook intent capture. The autonomous systems we are talking about today will be able to ask that question, instantly classify the request, and route the workflow without ever needing a chair. Instead, the process unfolded manually.

I explained that I was unsure of my CRN. I then provided basic identifying information. Then produced my passport. It was taken away and photocopied. I have submitted digital passport scans for foreign visa applications for years. Entire governments verify identity at national scale using digital processes. Here, a human inspected the document and made a copy.

I then signed a paper form. I updated my details, speaking while he typed. He retrieved my CRN and handed it to me. He then triggered a one-time password so I could re-enter and verify the same information inside my banking app. I typed it all again. Job done.

We can all agree that nothing in that interaction required complex human judgement. It was structured, sequential and deterministic. It was, in effect, an agentic workflow executed by people because the underlying identity data and orchestration layer were not sufficiently trusted to run autonomously1.

Now multiply that experience nationwide. If one million customers require similar service, and each interaction consumes twenty minutes, that equates to twenty million minutes. For a single institution. More than 330,000 hours. Roughly 160 full-time staff years. That’s the hidden cost of identity fragility.

Regulation can force the clean-up. But it is data inconsistency and orchestration immaturity that determine how painful that clean-up becomes. The regulatory stick is not creating the problem. It is exposing decades of accumulated identity drift. The institutions that complete this remediation properly will not simply satisfy compliance. They will harden their operating core and in doing so, unlock nonlinear gains. Because once verified identity is embedded at platform level, every workflow that depends on it becomes safer to automate, every delegated decision requires less oversight and every downstream interaction inherits trust.

The remediation cost, though significant, is incurred once. But the leverage compounds everywhere. Verified identity is not incremental improvement. It is an enabling condition for automation, delegation, and machine-scale trust.

If that is what identity remediation unlocks in banking, it is worth asking what the equivalent looks like in local government. Across Australia, the council Name and Address Register (NAR) underpins almost everything. Rates and property systems. Planning applications. Waste services. Animal registrations. Libraries. Customer request management. Infringements. Community services. It is the quiet spine of council operations. Yet in many councils, the NAR, or more accurately, the multiple NARs, sit in quiet disrepair.

Duplicate ratepayers. Historic land titles still attached to prior owners. Household members fragmented across systems. CRM records that do not reconcile with property data. Decades of manual overrides. Inconsistent address formats across applications. None of these are edge cases. They are structural artefacts of systems built for billing and statutory record-keeping, not for orchestration.

And yet there is increasing pressure for councils to now deliver seamless portals and real-time service coordination, better automate their workflows, and, if you don’t mind, now adopt AI-enabled assistance. Many voices in the sector speak confidently about digital experience yet far less about whether the identity spine beneath that experience is coherent, trusted, and platform-ready.

Whereas banks are being forced to confront identity integrity through regulatory mandate. Councils are not, which I think raises a harder question. In the absence of sector-wide enforcement, does identity remediation simply fall down the priority list? In my own experience, compliance budgets are approved quickly. Foundational data hygiene projects rarely are.

This matters more than ever now because Agentic AI and platform orchestration are not limited by intelligence. They are limited by data confidence. So without a validated citizen and property spine, automation just scales inconsistency. An AI assistant trained on duplicated identities does not fix the duplication. It accelerates the confusion and drives the customer into the front counter. A portal layered over fragmented records does not create seamless experience. It just masks fragmentation behind a digital façade.

And it’s not that it is not possible to achieve better right-sized outcomes. And the ambition for better citizen experience is definitely real. And the technology exists. And the sector talks confidently about transformation. But the NAR remains an unresolved architectural dependency. And this is where the uncomfortable truth sits.

Council CIOs and IT Managers cannot solve this alone. They can propose remediation programs. They can modernise systems. They can integrate platforms. But identity remediation at sector scale is not an IT project. It is a governance mandate.

Banks are not just cleaning millions of records because their CIOs and CTOs were ambitious, though of course many are. They are cleaning them because regulators made identity integrity a board-level risk. So until the civic identity spine is treated as a governance and risk issue, and not merely a system hygiene task, progress will remain incremental. So how do we move this forward?

If we want faster digital progress in local government, we need to reframe the Name and Address Register as critical infrastructure. Not IT. Not a back-office dataset. Not a legacy inconvenience. Critical civic infrastructure.

Councils understand assets better than almost any tier of government. They manage roads, bridges, stormwater systems, community buildings, parks and fleets through disciplined asset management frameworks. They track condition, depreciation, lifecycle risk and renewal schedules. They allocate capital to prevent failure. They plan decades ahead. Local government is, at its core, an asset portfolio manager. Now imagine if that same legislative discipline were applied to civic identity data.

It’s not such a bold step. Councils exist through state legislation. In most jurisdictions, asset management planning is mandated. They are required to demonstrate lifecycle planning, risk mitigation, renewal forecasting and financial sustainability across their physical asset base. The governance machinery already exists.

Imagine a state-level directive requiring councils to validate, reconcile and standardise their Name and Address Register over a defined period. Standardised address formats. Duplicate detection and remediation. Cross-system identity reconciliation. Clear ownership. Auditability. Executive reporting on data integrity metrics. Not as an IT uplift. As mandated asset stewardship.

It would not be glamorous. It would not generate headlines the way KYC has in banking (though it probably should). But it would create the conditions under which digital ambition could safely operate.

State governments already exercise oversight of councils in matters of financial sustainability and infrastructure risk. Extending that discipline to digital identity would not be radical. It would simply recognise that the civic identity spine now underpins service delivery as materially as roads and stormwater. The sector does not need another transformation slogan. It just needs the Name and Address Register treated with the same seriousness as a bridge.

Achieve that, and its even possible to see a little further down the orad. Across Australia, there is frequent discussion about councils sharing the cost of technology platforms. Shared ERP environments. Shared CRM. Regional system consolidation. The logic is understandable. Pooling investment appears efficient. Buying the same system sounds rational. And in principle, it is not a bad idea. But it is incomplete because systems do not create capability. Data does.

Two councils running the same platform with inconsistent, duplicated and poorly reconciled Name and Address Registers will not achieve interoperability. They will share infrastructure, but not integrity. The argument to “buy the same system” is easier to grasp. It is concrete. It can be tendered. It can be budgeted. It produces visible alignment.

But shared data discipline is harder. It requires governance alignment, common standards, reconciliation effort and executive mandate. It does not generate ribbon-cutting moments. But in practice, the capability of any shared system is determined by the quality of the data flowing through it.

A shared platform built on fragmented identity registers simply aggregates fragmentation at scale. If we are serious about shared technology services, then the logical precursor is shared identity integrity. Otherwise we are optimising the container while ignoring its contents.

What will not go away is the fact that, as citizens, we will constantly demand better digital engagement with our local authorities. Every new generation will expect faster responses. Better portals (and agents!). Coordinated services. Those experiences are built on identity integrity.

“Our” banks know that regulatory pressure accelerates the strengthening of that foundation. Our local governments probably do too and should not wait for a similar stick.

If councils are serious about AI, orchestration and modern digital experience, the transition must be led from the top, framed not as digital uplift, but as governance and risk management. Banking was compelled by KYC. Not because it was technologically elegant, but because it was institutionally undeniable. Boards understood it. Audit committees tracked it. Executives funded it.

Local government needs its own forcing function. One that reframes the Name and Address Register as critical civic infrastructure. And one that translates identity integrity into the language of risk and stewardship that non-technical leaders already understand, much as KYC did in banking.

Without that shift, digital ambition will roam the streets of an LGA near you. Visible, energetic, and politically attractive. All while the identity infrastructure it relies on remains untreated.