7-Year Record Keeping: What AML/CTF Records You Must Retain

Record keeping is one of the foundational obligations under Australia's AML/CTF regime. The rules are straightforward but unforgiving: you must retain specific compliance records for a minimum of seven years. Failure to do so is a contravention of the Act and can result in civil penalties, enforcement action, and significant difficulties if AUSTRAC comes knocking.

Why Seven Years?

The seven-year retention period reflects the reality that money laundering investigations often unfold over extended timeframes. Criminal proceeds may be layered through multiple transactions over several years before detection. Law enforcement and AUSTRAC need access to historical records to trace the flow of funds, identify participants, and build cases.

Seven years is the minimum. There is no prohibition on keeping records longer, and in some circumstances — such as ongoing investigations or unresolved suspicious matters — you may be required to retain records beyond this period.

What Records Must You Keep?

The AML/CTF Act and AUSTRAC Rules specify several categories of records that reporting entities must retain.

1. Customer Identification Records

Every document and piece of information collected during the customer due diligence process must be retained, including:

Copies of identity documents (passports, driver's licences, Medicare cards)
ASIC extracts, company searches, and trust deed extracts
Beneficial ownership records and ownership structure diagrams
Electronic verification results (if you use digital identity verification)
Any additional documents collected during enhanced due diligence
File notes recording the CDD process, including any issues encountered

Retention period: Seven years from the date the record was made, or seven years after the end of the client relationship — whichever is later.

2. Transaction Records

For every designated service you provide, you must retain records of the transaction. For Tranche 2 businesses, this includes:

Details of the designated service provided (e.g., property transfer, trust establishment, company formation)
The date and nature of the transaction
The amount and currency of any funds involved
The parties to the transaction
Settlement statements and payment records
Correspondence related to the transaction

Retention period: Seven years from the date the transaction was carried out.

3. Suspicious Matter Reports

Every SMR lodged with AUSTRAC must be retained, along with:

The completed SMR form
Supporting documentation and file notes
Internal escalation records (how the suspicion was identified and reported within your business)
Any correspondence with AUSTRAC about the report

Important: SMR records must be stored separately from the general client file and access must be restricted to authorised personnel. This protects against accidental tipping off.

Retention period: Seven years from the date the report was made.

4. AML/CTF Program Documents

Your AML/CTF program — including Part A and Part B — and all related documents must be retained:

Current and all previous versions of your AML/CTF program
Risk assessment documents (initial and all subsequent updates)
Annual review reports
Board or management committee minutes where AML/CTF matters were discussed
Correspondence with AUSTRAC (enrolment records, compliance assessment responses)

Retention period: Seven years from the date the document was created or superseded.

5. Training Records

Evidence that your staff have been trained in AML/CTF obligations must be kept:

Training attendance records or completion certificates
Training materials and content (including versions used at different times)
Records of when each employee was trained and by whom
Evidence of refresher training

Retention period: Seven years from the date of the training session.

6. Ongoing Monitoring Records

Records of your ongoing CDD and monitoring activities, including:

Periodic client review records
Updated risk assessments for individual clients
Records of triggers that prompted re-verification (e.g., change of ownership structure)
Transaction monitoring alerts and their resolution

Retention period: Seven years from the date the record was made.

Storage Requirements

The AML/CTF Act does not prescribe a specific format for record storage, but records must be:

Accessible: You must be able to retrieve records promptly if requested by AUSTRAC or law enforcement. "Promptly" is generally interpreted as within a few business days.
Legible: Records must be readable. Scanned documents should be clear and complete. Electronic records must be in a format that can be opened and reviewed.
Secure: Records containing personal information must be stored in compliance with the Privacy Act. Access should be limited to authorised personnel. Sensitive records (particularly SMRs) require additional access controls.
Complete: Partial records are treated as missing records. If you collected a copy of a passport during CDD, the full copy must be retained — not just a note that you saw it.

Digital vs Physical Storage

Both digital and physical storage are acceptable. However, digital storage is strongly recommended for practical reasons:

Easier to search and retrieve
Less susceptible to physical damage (fire, flood)
Can be backed up and replicated
More practical for meeting the seven-year retention obligation

If you use digital storage, ensure your systems are backed up regularly and that backups are stored in a separate location. Cloud-based storage is acceptable provided the data remains accessible from Australia and complies with privacy requirements.

Preparing for an AUSTRAC Audit

When AUSTRAC conducts a compliance assessment, record keeping is one of the first areas they examine. Prepare by:

Conducting a self-assessment. Review your records against the categories above. Identify any gaps.
Indexing your records. Ensure you can locate specific client CDD files, transaction records, and SMRs quickly.
Testing retrieval. Practice pulling records for a sample of clients. If it takes hours to locate a file, your system needs improvement.
Checking retention dates. Confirm that no records have been prematurely destroyed.
Reviewing access controls. Ensure that SMR records are restricted and that only authorised staff can access sensitive compliance files.

Centralise Your Records with ComplyReady

Managing seven years of compliance records across spreadsheets, email folders, and filing cabinets is a recipe for gaps. ComplyReady stores all your CDD records, training logs, risk assessments, and program documents in a single, searchable, audit-ready platform with built-in retention management.

Start your free trial and never worry about missing records again.

Why Seven Years?

What Records Must You Keep?

The AML/CTF Act and AUSTRAC Rules specify several categories of records that reporting entities must retain.

1. Customer Identification Records

Every document and piece of information collected during the customer due diligence process must be retained, including:

Copies of identity documents (passports, driver's licences, Medicare cards)
ASIC extracts, company searches, and trust deed extracts
Beneficial ownership records and ownership structure diagrams
Electronic verification results (if you use digital identity verification)
Any additional documents collected during enhanced due diligence
File notes recording the CDD process, including any issues encountered

Retention period: Seven years from the date the record was made, or seven years after the end of the client relationship — whichever is later.

2. Transaction Records

For every designated service you provide, you must retain records of the transaction. For Tranche 2 businesses, this includes:

Details of the designated service provided (e.g., property transfer, trust establishment, company formation)
The date and nature of the transaction
The amount and currency of any funds involved
The parties to the transaction
Settlement statements and payment records
Correspondence related to the transaction

Retention period: Seven years from the date the transaction was carried out.

3. Suspicious Matter Reports

Every SMR lodged with AUSTRAC must be retained, along with:

The completed SMR form
Supporting documentation and file notes
Internal escalation records (how the suspicion was identified and reported within your business)
Any correspondence with AUSTRAC about the report

Important: SMR records must be stored separately from the general client file and access must be restricted to authorised personnel. This protects against accidental tipping off.

Retention period: Seven years from the date the report was made.

4. AML/CTF Program Documents

Your AML/CTF program — including Part A and Part B — and all related documents must be retained:

Current and all previous versions of your AML/CTF program
Risk assessment documents (initial and all subsequent updates)
Annual review reports
Board or management committee minutes where AML/CTF matters were discussed
Correspondence with AUSTRAC (enrolment records, compliance assessment responses)

Retention period: Seven years from the date the document was created or superseded.

5. Training Records

Evidence that your staff have been trained in AML/CTF obligations must be kept:

Training attendance records or completion certificates
Training materials and content (including versions used at different times)
Records of when each employee was trained and by whom
Evidence of refresher training

Retention period: Seven years from the date of the training session.

6. Ongoing Monitoring Records

Records of your ongoing CDD and monitoring activities, including:

Periodic client review records
Updated risk assessments for individual clients
Records of triggers that prompted re-verification (e.g., change of ownership structure)
Transaction monitoring alerts and their resolution

Retention period: Seven years from the date the record was made.

Storage Requirements

The AML/CTF Act does not prescribe a specific format for record storage, but records must be:

Accessible: You must be able to retrieve records promptly if requested by AUSTRAC or law enforcement. "Promptly" is generally interpreted as within a few business days.
Legible: Records must be readable. Scanned documents should be clear and complete. Electronic records must be in a format that can be opened and reviewed.
Secure: Records containing personal information must be stored in compliance with the Privacy Act. Access should be limited to authorised personnel. Sensitive records (particularly SMRs) require additional access controls.
Complete: Partial records are treated as missing records. If you collected a copy of a passport during CDD, the full copy must be retained — not just a note that you saw it.

Digital vs Physical Storage

Both digital and physical storage are acceptable. However, digital storage is strongly recommended for practical reasons:

Easier to search and retrieve
Less susceptible to physical damage (fire, flood)
Can be backed up and replicated
More practical for meeting the seven-year retention obligation

Preparing for an AUSTRAC Audit

When AUSTRAC conducts a compliance assessment, record keeping is one of the first areas they examine. Prepare by:

Conducting a self-assessment. Review your records against the categories above. Identify any gaps.
Indexing your records. Ensure you can locate specific client CDD files, transaction records, and SMRs quickly.
Testing retrieval. Practice pulling records for a sample of clients. If it takes hours to locate a file, your system needs improvement.
Checking retention dates. Confirm that no records have been prematurely destroyed.
Reviewing access controls. Ensure that SMR records are restricted and that only authorised staff can access sensitive compliance files.

Centralise Your Records with ComplyReady

Start your free trial and never worry about missing records again.

7-Year Record Keeping: What AML/CTF Records You Must Retain

Why Seven Years?

What Records Must You Keep?

1. Customer Identification Records

2. Transaction Records

3. Suspicious Matter Reports

4. AML/CTF Program Documents

5. Training Records

6. Ongoing Monitoring Records

Storage Requirements

Digital vs Physical Storage

Preparing for an AUSTRAC Audit

Centralise Your Records with ComplyReady

Ready to get AML/CTF compliant?

7-Year Record Keeping: What AML/CTF Records You Must Retain

Why Seven Years?

What Records Must You Keep?

1. Customer Identification Records

2. Transaction Records

3. Suspicious Matter Reports

4. AML/CTF Program Documents

5. Training Records

6. Ongoing Monitoring Records

Storage Requirements

Digital vs Physical Storage

Preparing for an AUSTRAC Audit

Centralise Your Records with ComplyReady

Ready to get AML/CTF compliant?