Record keeping checklist (Reform)

This checklist promotes good record-keeping practice and supports reporting entities in meeting their AML/CTF obligations. This is a guide and not an exhaustive list.

On this page

Have a record keeping policy

Your record keeping policy should:

  • clearly identify what records you must keep to meet your AML/CTF obligations
  • specify the format and systems to be used for storing records
  • detail how long each type of record must be kept
  • assign responsibility for maintaining, reviewing and securely storing records
  • include procedures for protecting records from unauthorised access, loss or tampering
  • outline how you’ll make records available for regulatory review or audit, if required.

Implement a system or process for record keeping

Your record-keeping process should:

  • designate a specific role, or team, responsible for record keeping
  • provide training about the system and process for other staff
  • have a policy about record keeping including which records are kept, how they are secured and who is responsible
  • store records to make them easily retrievable particularly if records include text and chat messages across multiple apps and smartphones.

Make and keep records that show compliance with AML/CTF obligations

Your business should be able to:

  • develop and maintain an AML/CTF program
  • perform CDD (including initial, ongoing, simplified and enhanced CDD)
  • keep all transaction records related to a designated service, including customer-provided transaction records.

Keep records in English, or in a format that can be easily translated into English

Your business must be able to quickly access and translate its records into English if needed.

Keep all relevant records for 7 years

Your business should:

  • have a policy ensuring all AML/CTF records are kept for at least 7 years or as required by the Act
  • keep customer due diligence records for at least 7 years from the date the business relationship ends
  • keep transaction records for at least 7 years from the date the transaction was completed
  • make sure there’s adequate storage for long-term record retention, both physically and electronically.

Secure sensitive records

Your business should:

  • have a policy for storing sensitive records, including CDD and suspicious matter reports
  • limit sensitive records access to authorised personnel
  • implement electronic records security measures such as encryption, password protection or restricted access
  • securely store paper records in locked cabinets or restricted-access areas
  • avoid security risks by printing unnecessary copies
  • dispose of records securely.

Back up electronic records

Your business should:

  • regularly back up AML/CTF records to a secure, offsite location or encrypted cloud storage
  • ensure backup systems protect data from tampering or unauthorised access
  • have a data recovery plan for data loss or cyber incidents.

 

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 17 Oct 2025
Page ID: 1299

Was this page helpful?

Please note that feedback you provide here will be used only for the purpose of improving our website. If you have a specific question about your AML/CTF obligations, please contact us.