Why record-keeping matters
Accurate and complete record-keeping is essential to demonstrate compliance with your anti-money laundering and counter-terrorism financing (AML/CTF) obligations. It helps show that your business understands its risks, takes them seriously and has appropriate systems in place.
"I’d recommend you adopt the ABC of AML compliance:
Assume nothing.
Believe no one.
Confirm everything.
And I would also offer a D to that, which is:
Document everything."
Michelle Garlick, MLRO, Weightmans / Compli
Your records are often the first thing AUSTRAC or other regulators will look at during an inspection or audit. If you haven’t documented it, you haven’t done it.
How long to keep records
You must keep AML/CTF records for at least seven years. The timeframe for retention depends on the type of record:
- Customer due diligence records must be retained to the end of a seven year period from the date the business relationship ends or the occasional transaction is completed, as per section 111 of the AML/CTF Act.
- Records of procedures carried out by another person and provided to your business must be retained for seven years after the last time you provided a designated service to the customer (section 114).
- Assessments of reliance arrangements must be retained for seven years after the record was prepared (section 114A).
After seven years, records may be securely destroyed unless required for legal or regulatory purposes.
What records to keep
AML/CTF program records
Keep evidence of:
- your AML/CTF program
- updates and reviews of the program
- documented risk assessments and their rationale
- internal controls and procedures
- approvals by senior management
"Every 12 to 18 months, I go back to each business unit with their last risk assessment and ask: is this still accurate? Do we need to change or expand it? Then I record that process. It takes time, but it proves to any regulator that we’ve thought about it, assessed the risks and kept them up to date."
Gary Spalding, AMLCO, Dentons
💡Tip: Save each version of your AML/CTF program with clear version numbers and approval dates to show how your compliance framework has evolved.
Customer due diligence (CDD)
You must keep:
- identity documents or certified copies
- information collected for KYC and beneficial ownership
- records of ML/TF risk assessments
- enhanced due diligence (EDD) actions if applicable
- any reliance arrangements or outsourced KYC processes
- ongoing monitoring records and any red flag reviews
"Record keeping is like the bedrock of good customer due diligence. So save everything that you have used during the client due diligence process, which informs your decisions."
Oscar Fransman, Compliance Analyst, MinterEllisonRuddWatts
💡Tip: Use a standard CDD checklist per client file to ensure consistency and reduce gaps.
Transaction records
You must keep enough information to reconstruct each transaction. This includes:
- date, amount and method of the transaction
- customer-provided transaction documents (original or a copy)
- names of parties involved
- purpose of the transaction
- supporting documentation such as contracts or settlement statements
- internal communications or risk assessments if enhanced checks were triggered
💡Tip: For high-risk matters, consider a transaction register that tracks key steps and review points.
Staff training records
Maintain records that show:
- names of attendees
- dates of training sessions
- training materials used
- completion results or assessments if applicable
💡Tip: Keep a central training register updated quarterly. This is often one of the first things a regulator will ask for.
Audit and review records
You must retain:
- reports from any independent AML/CTF review
- internal audit findings
- action plans and evidence that improvements were implemented
💡Tip: Link any policy or procedure updates to specific review recommendations. This helps demonstrate a responsive and maturing compliance culture.
Secure storage of records
Your AML/CTF records must be stored securely and responsibly. This means:
- records should be protected from unauthorised access, loss or tampering
- only authorised staff should have access
- physical files must be kept in locked storage with restricted access
- digital files must be stored on secure systems with access controls, encryption where necessary and regular backups
- records must be easily retrievable for compliance reviews or audits
💡Tip: Treat your AML/CTF records with the same level of care as sensitive client information. Ensure your document retention policy covers both security and access controls.
Remember, under the Privacy Act 1988, you must also take reasonable steps to protect personal information held in your records.
Where to store records
Acceptable storage options include:
- cloud-based practice management systems
- secure shared drives with restricted access
- AML-specific software platforms
The key is ensuring:
- role-based access controls are in place
- audit trails or version histories are available
- regular backups are performed
Making it work in practice
To stay compliant:
- document your processes in your AML/CTF program
- create templates and checklists for consistency
- train staff regularly and log attendance
- assign someone to be responsible for oversight (e.g. your AMLCO)
- perform spot checks to ensure records are complete
"If you've looked at something online, I would suggest printing it to PDF. Websites change or move on. So if you've used something, save that with your CDD file so that you have a record of how you made your decisions on that client."
Oscar Fransman, Compliance Analyst, MinterEllisonRuddWatts
If you identify a gap or error, document the issue and how you are resolving it. Regulators are more understanding when they see proactive controls and a commitment to improvement.
If it’s a maybe, it’s a yes
If you’re not sure whether to keep a document, keep it. It’s always safer to over-document than to under-record. A strong AML/CTF record-keeping system protects your business and builds credibility with regulators.
Make sure your systems are secure, your staff are trained and your processes are documented. This will set your firm up for success under the AML/CTF regime.
Example AML/CTF record retention policy
Purpose
This policy outlines how [Firm Name] manages, retains and securely disposes of records created or obtained in connection with its AML/CTF obligations.
Scope
Applies to all staff involved in client onboarding, transaction processing, AML/CTF compliance or records management.
Retention periods
| RECORD TYPE | RETAIN FOR 7 YEARS | RETENTION TRIGGER | NOTES |
| AML/CTF program documents | Yes | When no longer relevant | Keep all versions and approvals |
| Risk assessments and reliance arrangements | Yes | When completed | Document basis for reliance or assessment decisions |
| Customer due diligence | Yes | End of relationship or “Completion of occasional transaction | Include KYC documents, beneficial ownership, risk ratings and monitoring notes |
| KYC completed by third party | Yes | Seven years after the last time a designated service was provided to the customer | Retain copy of the third-party record and reliance agreement |
| Transactions | Yes | When record is made | Must be sufficient to reconstruct the transaction |
| Staff training | Yes | When training session held | Maintain central training register with attendee records |
| Audit and reviews | Yes | When report completed | Include follow-up actions and implementation notes |
Storage
- Physical records are stored in locked cabinets or secure file rooms with restricted staff access.
- Digital records are stored on secure systems that meet Australian privacy and security standards. This includes:
- Cloud-based AML/CTF platforms hosted on Australian servers (e.g. AWS in Sydney)
- Practice management or file storage systems with local data residency
- Internal servers with restricted access and regular backups
- All systems must support access control, user activity logging and secure backup processes.
- Access to records is restricted to authorised personnel only.
Disposal
Records are securely destroyed at the end of the required retention period, unless subject to a legal hold or ongoing regulatory inquiry.
Physical records are disposed of via secure shredding or a certified document destruction service based in Australia.
Digital records are:
- Permanently deleted from systems and backups, following a documented deletion process
- Removed from local servers or cloud storage infrastructure, including AML platforms hosted on Australian data centres (e.g. AWS Sydney)
- Disposed of in compliance with relevant data retention and privacy laws
- A log of destroyed records is maintained, noting date, method and authorisation.
Review
This policy is reviewed at least annually or following significant changes in AML/CTF obligations.
About First AML
First AML simplifies the entire anti-money laundering onboarding and compliance process. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
First AML transforms an otherwise complex and manual process into one that is simple, cost-effective, and compliant for businesses. By delivering efficiency and time savings, it protects reputations and enables companies to stay on the right side of history in the face of global threats.
Keen to find out more? Book a demo today!