Chapter 8 - AML/CTF record-keeping obligations



Introduction

This chapter guides reporting entities through their record-keeping obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).



Background

What is record keeping?

Record keeping is retaining and securely storing (physically or electronically) certain records a reporting entity creates or obtains while doing business. The purpose for retaining records is to:

  • enable a reporting entity to meet its legal obligations under the AML/CTF Act
  • enable a reporting entity to manage its risks of being misused for money laundering and terrorism financing
  • assist AUSTRAC and its partner agencies in investigating criminal activities. Reporting entity records are an essential component of the audit trail required to investigate money laundering, terrorism financing and other criminal activities.

Who do record-keeping obligations apply to?

All reporting entities have a range of record-keeping obligations under the AML/CTF Act.

A reporting entity's obligations depend on the type of designated service it provides. For example, different obligations apply if an entity provides remittance services, is part of a designated business group (DBG), or is involved in correspondent banking relationships.

What types of records must be kept?

Part 10 of the AML/CTF Act outlines the types of records reporting entities must retain, which includes records of or about:

  • transaction records
  • electronic funds transfers
  • customer identification procedures
  • AML/CTF programs
  • due diligence assessments of correspondent banking relationships.

Remittance service providers are also required to retain certain records about their registration on AUSTRAC's Remittance Sector Register.



Categories of records that must be kept

Transaction records

What transaction records must a reporting entity keep in relation to providing a designated service?

If a reporting entity creates a transaction record that relates to providing a designated service to a customer, the entity must retain the transaction record (or a copy or extract of the record) for seven years after making the record (Part 10, Division 2 of the AML/CTF Act).

The same seven-year requirement applies if a customer (or an agent of the customer) provides a reporting entity with a document that relates to the provision or prospective provision of a designated service to that customer.

A 'record' only exists in order to capture the 'information' relating to the provision of the designated service to a customer. The record of this information can be in any form, whether hard copy or electronic and may be stored in any manner by a reporting entity, whether on-site or offsite. The records must be stored in a retrievable and auditable manner.

What type of transaction information does not need to be retained by a reporting entity?

Reporting entities do not need to retain the following information:

  • customer-specific documents (such as account statements), correspondence and publicly available statements, forms and documents that a reporting entity routinely provides to its customers (such as disclosure statements, financial or investment analysis or summary reports and product or service information) that replicate information retained as a record by the reporting entity
  • general correspondence with customers, including but not limited to, promotional materials and general correspondence relating to fees, service charges, interest rate changes, terms and conditions, technology changes or legislative changes that are not specific to a particular customer
  • overdrawn notices and accompanying correspondence
  • information provided to a customer on the methods for delivering a designated service
  • correspondence or similar documents a reporting entity provides to a customer that relate to product or service enquiries or comments from customers (such as customer experience records or requests for information on a product)
  • records of interviews or conversations with customers (such as recordings of phone conversations where instructions are received from the customer) unless the information contained in such interviews or conversations relates to a reporting obligation under the AML/CTF Act.

What are the record-keeping obligations relating to electronic funds transfer instructions?

Electronic funds transfer instructions (EFTIs) occur when reporting entities undertake an international funds transfer that involves two or more institutions.

EFTIs can be either:

  • a multiple-institution person-to-person electronic funds transfer instruction; or
  • a multiple-institution same-person electronic funds transfer instruction.

This type of international transaction involves a funds transfer chain comprising:

  • the ordering institution
  • any person interposed between the ordering institution and the beneficiary institution
  • the beneficiary institution.

The interposed person must keep a record or copy of the 'required transfer information' (as defined in section 70 of the AML/CTF Act) when:

  • the transfer instruction is passed on by an interposed person at or through a permanent establishment of that person in Australia
  • the beneficiary institution makes available the transferred money at or through that institution's permanent establishment in Australia
  • some or all of the required transfer information is passed on to the interposed person by another entity in the funds transfer chain
  • the transfer instruction is accepted by the ordering institution at or through that institution's permanent establishment in a foreign country
  • the transfer instruction is passed on to the interposed person by a permanent establishment of the ordering institution, or of another person, in a foreign country.

Records, or copies of records, must be kept for seven years after the transfer instruction was passed on to the interposed person.



Records of identification procedures

What are the record-keeping requirements for records of customer identification procedures?

Under Part 10, Division 3 of the AML/CTF Act, a reporting entity conducting a customer identification procedure must:

  • make a record of the procedure
  • make a record of the information obtained in carrying out the procedure.

Records of customer identification procedures must be kept for the life of the customer relationship and for seven years after the reporting entity ceases to provide designated services to the customer.

If a reporting entity provides two designated services to a customer, the seven-year retention period does not begin until the entity has ceased providing the final of the two designated services.

Is a copy of a customer identification procedure considered a record?

Yes. Making a copy of a document as part of a customer identification procedure is one way a reporting entity can make a record of the information contained in that document.

Does the retention period for customer identification procedure records change when customer information is updated?

The information contained in customer identification procedure records should remain unchanged for the life of the business relationship, plus seven years.

If a reporting entity collects new customer information about a customer, for example as part of its enhanced customer due diligence procedures, this does not affect the obligation to retain the records of the original customer identification procedure. That is, the original customer information records must be retained for an additional seven years after the reporting entity ceases to provide the designated service to the customer.

Does a reporting entity need to retain customer information that is updated but is not verified by the reporting entity?

If a reporting entity updates customer information, but does not verify the information using reliable and independent documentation or electronic data, then such records do not need to be retained.

Confirming new telephone numbers or addresses, or requesting customers confirm their details, without verifying that information does not constitute a customer identification procedure and is therefore not subject to the record-keeping requirements under the AML/CTF Act.

Records relating to customer identification procedures deemed to have been carried out by a reporting entity

Part 10, Division 3 of the AML/CTF Act allows for obtaining copies of records of identification procedures deemed to have been carried out by a reporting entity, where:

  • a reporting entity carried out the customer identification procedure regarding a customer to which it provided, or proposed to provide, a designated service
  • the reporting entity made a record of the procedure or information obtained in carrying out the procedure
  • the customer becomes a customer of another (second) reporting entity
  • the second reporting entity requests (in writing) a copy of the record from the first reporting entity, to be given within five business days of the request (with which the first reporting entity must comply).

The second reporting entity must then retain the copy of the record for seven years after ceasing to provide any designated services to the customer.

Under Chapter 7 of the AML/CTF Rules, these provisions only apply to 'licensed financial advisers' within the meaning of item 54 of table 1 in section 6 of the AML/CTF Act and 'designated business groups'.

Records relating to requests for verification information from a credit reporting agency

Reporting entities are able to request information from credit reporting agencies for the purposes of verifying customer identification information about an individual.

Both the reporting entity and the credit reporting agency are required to retain information about these requests.

Reporting entities

Reporting entities that make verification requests to credit reporting agencies about an individual must retain the following information:

  • the name of the credit reporting agency to which the request was made
  • the personal information about the individual provided to the credit reporting agency
  • the assessment (if any) the credit reporting agency provided about the individual.

Records of the customer identification procedure must be kept for the life of the customer relationship and for seven years after the reporting entity ceases to provide designated services to the customer.

Credit reporting agencies

Credit reporting agencies that receive a verification request for an individual must retain the following information for seven years after receiving the request:

  • the name of the reporting entity that made the request
  • the date the request was made
  • the personal information about the individual provided to the credit reporting agency
  • the date the credit reporting agency provided an assessment (if any) about the individual.

Privacy

Reporting entities must also comply with their obligations under Part IIIA of the Privacy Act 1988 when retaining credit reporting records of individuals. The AML/CTF Act requires reporting entities to retain records for seven years after ceasing to provide a designated service - this is longer than the maximum period permitted under the Privacy Act for retaining these types of records (generally five years). This means that after the maximum retention period permitted under the Privacy Act has expired, reporting entities must retain the records only to fulfil the record-keeping requirements of the AML/CTF Act and for no other purpose.

Further information

AUSTRAC Guidance Note 11/02 - Verification of identity: The use and disclosure of personal information by reporting entities and credit reporting agencies for the purposes of verifying an individual's identity - natural persons (e-verification).

For further information about what records a reporting entity or Designated Business Group needs to keep if it uses the Document Verification Service (DVS) as part of its identification procedures please go to the DVS and individual customer and beneficial owner identification page.



Authorised deposit-taking accounts

What are the record-keeping requirements for authorised deposit-taking institutions (ADIs) transferring accounts between two ADIs?

Transferring open accounts

Under section 109 of the AML/CTF Act, when a reporting entity that is an authorised deposit-taking institution (ADI) transfers an open account to another ADI, the ADI transferring the account must give the ADI receiving the account the relevant transaction record documents. This must occur within 120 calendar days, beginning 30 calendar days before transferring the account.

The ADI receiving the transaction record documents must retain the originals or copies of the documents for seven years after receiving the documents, if it receives the documents within 120 calendar days.

Transferring closed accounts

Under section 110 of the AML/CTF Act, when transferring a closed account between two ADIs, the ADI transferring the closed account may give the original and copies of a document ('second document') about the account to the ADI receiving the account if:

  • a document about that account was previously transferred to the same recipient ADI when the account was open
  • the ADI receiving the second document must possess the document to fulfil its own record-keeping obligations under the AML/CTF Act
  • both ADIs agree in writing that the second document should be given within the 120 calendar days allowed for in giving the previous document.

Sections 107 and 108 of the AML/CTF Act do not apply to an ADI transferring the original or second document to another ADI, if the ADI transferring the document does so within the 120-day period.

The ADI that receives the original or copy of the second document within the 120-day period must retain the second document (or a copy) for seven years after receiving it.

These record-keeping requirements ensure that at least one ADI retains copies of the account records, without requiring both to retain the records for seven years.



AML/CTF programs

What are the record-keeping requirements for AML/CTF programs?

A reporting entity must retain:

  • a record, or a copy of a record, of the reporting entity adopting its AML/CTF program (for example, the Minutes of the Board of Directors approving the adoption of the AML/CTF program), and
  • the program, or a copy of the program, which has been adopted by the reporting entity.

A record of adopting the program, which should specify the date the reporting entity adopted the program, must be kept from the date the record was prepared until seven years after the day the AML/CTF program ceases to be in force.

The program itself must be retained from the date the program is adopted until seven years after the day the AML/CTF program ceases to be in force.

When an AML/CTF program is varied, the reporting entity must retain the variation, or a copy of the variation, from the time the AML/CTF program is varied until seven years after the varied AML/CTF program ceases to be in force.

See Chapter 6 - AML/CTF programs for more information about developing an AML/CTF program.



Correspondent banking

What are the record-keeping requirements for due diligence assessments of correspondent banking relationships?

Financial institutions must retain a record, or a copy of a record, of a due diligence assessment of a correspondent banking relationship for seven years after the record was created.

Under Part 8 of the AML/CTF Act, financial institutions must undertake due diligence assessments concerning their correspondent banking relationships, where warranted by the institution's risk assessment of the relationship's vulnerability to money laundering or terrorism financing.



Remittance registration

What are the record-keeping requirements for remittance registration?

Businesses providing remittance services (under items 31, 32 or 32A, table 1, section 6 of the AML/CTF Act) must apply for registration with AUSTRAC by providing the AUSTRAC CEO with information about their suitability for registration.

Chapter 56 of the AML/CTF Rules prescribes the information to be included to register as a remittance network provider, a remittance affiliate of the remittance network provider, or an independent remittance dealer.

A registration applicant must obtain and retain a copy (original or certified) of all national police certificates (or foreign equivalent) for key personnel. All certificates (or foreign equivalent) must be issued within six months before the remitter applies for registration (or 12 months for affiliates of remittance network providers). Remitters must also keep information about their remittance business and business structure (that is, the management structure and information on related entities).

A list of the information a remitter must retain is outlined in Part B, Schedules 1, 2 and/or 3, Chapter 56, AML/CTF Rules.

See Chapter 5 - Remitter registration requirements for information about remitter registration.



Retention periods for records under the AML/CTF Act - Summary

The period a record must be kept depends on the type of record.

Type of record | Period of retention
Transaction records | Seven years after making the record
Records about EFTIs | Seven years after the transfer instruction was passed on to the person
Records of identification procedures | For the life of the customer relationship and for seven years after the reporting entity ceases to provide all designated services to the customer
Verification information - credit reporting agencies | Seven years after the request was received by the credit reporting agency
Verification information - reporting entities | For the life of the customer relationship and for seven years after the reporting entity ceases to provide all designated services to the customer
Records of customer identification procedures carried out by a second reporting entity - where the first reporting entity gives a copy of the record to a second reporting entity | For the life of the customer relationship and for seven years after the second reporting entity ceases to provide all designated services to the customer
Records relating to open accounts transferred between ADIs | Seven years after the reporting entity receives the document/record
Records relating to closed ADI accounts | Seven years after the giving of the second document
Records of the adoption of an AML/CTF program; and a copy of an AML/CTF program | From the date the AML/CTF program was adopted until seven years after the program ceases to be in force
Records about due diligence assessments of correspondent banking relationships | For seven years after making the record
Remittance registration records | Until the remitter's registration with AUSTRAC ceases



What record-keeping obligations apply to a reporting entity who is a member of a DBG?

When a reporting entity is a member of a designated business group (DBG), any member can perform the record-keeping obligations on behalf of that reporting entity. This allows entities to make joint arrangements to fulfil their record-keeping obligations. For example, one entity within a DBG may provide a storage and retrieval service for a number of other entities within that DBG that share a client base. Similarly, an entity within a DBG can fulfil the record-keeping requirements for customer identification procedures on behalf of another member.

However, the record-keeping obligation remains with the reporting entity for which the record-keeping obligation arose.



General exemptions for record-keeping obligations

Subsection 118(5) of the AML/CTF Act exempts reporting entities from record-keeping requirements where the designated service is provided at or through a permanent establishment of the reporting entity in a foreign country.

This applies to all records except those relevant to:

  • transferred ADI records or records of closed ADI accounts
  • electronic funds transfers
  • AML/CTF programs
  • due diligence assessments of correspondent banking relationships.



Modified record-keeping requirements for certain gambling services

Chapter 10 of the AML/CTF Rules modifies the record-keeping requirements for certain gambling services.

Casinos

Casinos are exempt from the AML/CTF Act requirements to maintain records of designated services and transaction information for the following services:

  • receiving or accepting a bet placed or made by a customer
  • placing or making a bet on behalf of a customer
  • accepting a customer into a game of chance or skill for money or other value (except where the game is played on a gaming machine at an eligible gaming machine venue)
  • paying out winnings of a bet only with gaming chips or tokens.

Oncourse bookmakers and TABs

Oncourse bookmakers and TABs are exempt from the AML/CTF Act requirements to maintain records of designated services and transaction information for the following services:

  • receiving or accepting a bet placed or made by a customer
  • placing or making a bet on behalf of a customer
  • accepting a customer into a game of chance or skill for money or other value (except where the game is played on a gaming machine at an eligible gaming machine venue).

Gaming machines

Chapter 52 of the AML/CTF Rules exempts reporting entities which have an entitlement to operate no more than 15 gaming machines and that provide the following designated services described at table 3, section 6 of the AML/CTF Act:

  • in the capacity of controller of an eligible gaming machine venue, allowing a person to play a game on a gaming machine located at the venue (item 5)
  • accepting entry of a person into a game for money or value, or a game of chance and/or skill (item 6)
  • paying out winnings, or awarding a prize, in respect of a game for money or value, or a game of chance and/or skill (item 9)
  • paying out winnings, or awarding a prize in the capacity of controller of an eligible gaming machine venue (as agent of the owner or lessee of the gaming machine) in respect of a game played on a gaming machine located at the venue (item 10).

These entities are exempt from retaining records of or about:

  • designated services
  • transferred and closed ADI accounts
  • identification procedures
  • electronic funds transfer instructions
  • AML/CTF programs
  • due diligence assessments of correspondent banking relationships.



Record keeping and privacy

Reporting entities must comply with the Privacy Act 1988 when conducting activities to comply with the AML/CTF Act (such as record keeping). Some entities that would otherwise be exempt from the Privacy Act have obligations under the Privacy Act because they are a reporting entity under the AML/CTF Act. For example, most small business operators are exempt from the Privacy Act. However, subsection 6E(1A) of the Privacy Act requires a small business operator that is also a reporting entity under the AML/CTF Act to comply with the Privacy Act.

The Office of the Australian Information Commissioner provides guidance material to help organisations understand their obligations under the Privacy Act.


Last modified: 20/08/2015 15:41