Record keeping is not filing scans in a folder.
I say that because it is the obligation I most often see treated as an afterthought, and it is the one AUSTRAC looks at first. When a regulator turns up, the opening question is not how good your program reads. It is show me. Show me the customer checks. Show me why you rated this client low risk. Show me the decision you made when something looked off. If you cannot produce that, then as far as the regulator is concerned, you did not do it.
That is the whole idea, and it is worth sitting with for a second. A program you cannot evidence is a program that, on the record, was never run.
So the question is not really whether you are keeping records. Everyone keeps something. The question is whether the records you keep would let someone reconstruct what you did and why, years later, quickly, and in a form they can read.
Keeping everything is the old instinct. It is not the rule.
Here is the part that trips people up, because the common advice is out of date.
You might have heard that you need to keep a copy of every customer’s ID. Under the rule as it now stands, you do not. Since the reforms, the record keeping obligation has been narrowed. You keep what is reasonably necessary to demonstrate that you met your obligations, and that can be as little as the outcome of the verification and a record of how you carried it out.
And keeping more than that is not the safe option I think people assume it is. Hold a pile of photo ID you do not need and you have created a privacy exposure, not a compliance buffer. The reform pulled AML record keeping back into line with privacy law rather than letting it override privacy law the way it used to. So the skill now is keeping the right records, not the most records.
Since 31 March 2026, keeping more is not safer. Section 111 has been narrowed: keep what is reasonably necessary to demonstrate compliance, not copies of everything. Over-retention is now a privacy exposure, not a compliance buffer.
What you actually have to keep
Four categories cover most firms.
The four record categories that cover most firms. The reasoning behind a decision is itself a record.
Your customer due diligence records: who the customer is, what you collected, how you verified them, the risk rating you gave them and the reasoning behind it. The exact contents of a good CDD record are their own topic, and I have set them out in what customer due diligence requires. For record keeping, the point is that you keep enough to show the check was done properly.
Your transaction records: the designated services you provided, and the records that go with them.
Your AML/CTF program itself: the document, the versions, when each version was adopted and approved, and what changed. The AML/CTF program is the thing the records are meant to prove you operated.
And your decisions, with their basis. This is the one firms skip. A decision with no recorded reason is, for evidentiary purposes, close to no decision at all. If you assessed someone’s ML/TF risk, write down the assessment. If you decided not to escalate something, record why. The reasoning is the record.
It is always 7 years. The catch is when the 7 years starts.
The retention period is not the hard part. Almost everything is 7 years.
What people get wrong is the start date, because it is different for different records. The table below is the version I would pin above the desk.
| Record type | When the 7 years starts |
| --- | --- |
| Customer due diligence records | 7 years after the business relationship ends, or the occasional transaction is completed |
| Transaction records | 7 years after the transaction is completed |
| AML/CTF program records | 7 years after the record stops being relevant to demonstrating compliance, which is a judgment you make |
| Reliance assessment records | 7 years after the assessment record is prepared, and the record is due within 10 business days of the assessment |
Retention is always 7 years. The start date is what changes by record type.
A reliance arrangement is worth one extra note. If you rely on another reporting entity’s customer checks, you have to assess whether they are doing it properly, prepare that assessment within 10 business days, and then keep it for 7 years from when you prepared it. People forget the 10-day clock.
The test is whether you can produce it
A record you cannot find is not much better than a record you never made. So the obligation is not only about retention. It is about retrievability.
A few things AUSTRAC expects, and that I would build in from the start. Keep records in the format you made them. A spreadsheet stays a spreadsheet, not a flattened PDF that loses the formulas and the structure. Store anything sensitive securely, and limit who can open it, because customer identification records and anything touching a suspicious matter are exactly the records you do not want leaking. And be able to pull a record quickly and, if asked, translate it into English.
The records that relate to suspicious matter reports sit inside record keeping too, but the reporting itself, and the tipping-off trap that comes with it, is its own subject. I have covered that in how suspicious matter reporting and tipping off work.
If you are setting this up: write a short record keeping policy. What you keep, where it lives, how it is secured, who is responsible, and when records get destroyed. Then keep records in their original format, and resist the urge to hoard. The goal is a clean, retrievable chain that proves the work, held for the right 7 years, and nothing you do not need.
The regulatory detail
The record keeping obligation and what changed
Source: Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), Part 10 (Record-Keeping Requirements). Since 31 March 2026, section 111 has been narrowed: a reporting entity must keep records reasonably necessary to demonstrate compliance with its customer due diligence obligations, rather than copies of all documents collected. The records that demonstrate compliance include the type and contents of data collected, and records of the analysis or assessment of ML/TF risk and the decisions made. AUSTRAC record-keeping guidance refers to Act sections 107, 108, 111, 114, 114A and 116.
Retention periods
The retention period is 7 years; the start point depends on the record type. Customer due diligence records: 7 years after the business relationship ends, or after the occasional transaction is completed (s111). Transaction records: 7 years after the transaction is completed (s107). AML/CTF program records: kept from when the record is made until 7 years after it stops being relevant to demonstrating compliance, which is a matter for the entity’s professional judgment (Part 1A). Reliance assessment records: prepared within 10 business days of completing the assessment, and kept for 7 years after the record is prepared (s114A). After the relevant 7-year period, records may be securely destroyed unless needed for another legal or regulatory purpose.
Format, storage and retrieval
Records are expected to be kept in their original or usual format, so that structure and usability are preserved. Sensitive records, including customer identification records and records relating to suspicious matters, must be stored securely with access limited to authorised staff. An entity must be able to retrieve records promptly and translate them into English on request.
Interaction with privacy law
Part 10 does not override the Privacy Act 1988 (Cth) (s105). Following the reforms, AML/CTF record keeping no longer pre-empts privacy obligations as it once did, so personal information held for AML/CTF purposes should be limited to what is reasonably necessary, consistent with Australian Privacy Principle 3.
Commencement
The reformed record-keeping obligations commence on 31 March 2026 for existing reporting entities, and apply to Tranche 2 reporting entities from 1 July 2026, when their AML/CTF obligations begin.
FATF context
Record keeping reflects the international standards set by the Financial Action Task Force (FATF Recommendation 11), which requires reporting entities to maintain records for at least 5 years. Australia applies a 7-year period.
Frequently asked questions
How long do I have to keep AML/CTF records?
7 years. The period is consistent, but the start date depends on the record: customer due diligence records run 7 years from when the business relationship ends, transaction records 7 years from when the transaction is completed, and program records 7 years from when the record stops being relevant to demonstrating compliance.
What records do I actually have to keep?
Records of your customer due diligence, your transactions, your AML/CTF program and its versions, and your decisions together with the reasons for them. The unifying test is whether the records are reasonably necessary to demonstrate that you met your obligations.
Do I have to keep copies of my customers’ photo ID?
Not necessarily. Since 31 March 2026, section 111 has been narrowed: you keep what is reasonably necessary to demonstrate compliance, which can be the outcome of the verification and a record of how it was carried out, rather than full copies of identity documents. Keeping more than you need can create a privacy exposure.
Can I store records in the cloud or use an external provider?
Yes. You can meet your record keeping obligations yourself or through an external provider, but you remain responsible for the records, their security and their retrievability.
What format do records need to be in?
Their original or usual format, kept so the structure and usability are preserved, stored securely, and retrievable promptly. If asked, you must be able to translate a record into English.
When can I destroy old records?
Once the relevant 7-year retention period has run from the correct start point, unless the records are needed for another legal or regulatory purpose. Good practice is to log what was destroyed, when, how and on whose authority.
Homepedia builds HP-KYC to capture customer due diligence records and hold them, retrievable, for the full retention period.
Sources
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), Part 10 (Record-Keeping Requirements)
- AUSTRAC, Record keeping overview (Reform guidance, s111 and retention)
- AUSTRAC, Record keeping checklist
- OAIC, Privacy guidance for reporting entities under the AML/CTF Act
- Home Affairs, Overview of the AML/CTF Amendment Act
- FATF, Recommendation 11 (Record keeping)
This article is general information, not legal advice. Verify the obligations and retention periods against current AUSTRAC and legislation sources for your own circumstances.
