Record keeping overview (Reform)

Reporting entities must keep records to comply with their anti-money laundering and counter-terrorism financing (AML/CTF) obligations. Record keeping involves creating full and accurate records along with securely storing and managing them.

This guidance will help you understand: 

  • when to make a record
  • what to record
  • how long to keep the record.

Why record keeping is important

Keeping records helps you comply with the law and shows us you’re fulfilling your AML/CTF obligations. 

Additionally, if your business is misused for money laundering, terrorism financing and proliferation financing (we refer to these as ML/TF), your records may help us and other authorities investigate.

Proper record keeping involves:

  • creating accurate and complete records
  • keeping records for a specific period, usually 7 years.

Records can include:

  • contracts and agreements
  • relevant details of identification documents
  • emails and other correspondence
  • senior manager approvals
  • audio and video files
  • reports
  • transaction details
  • meeting minutes
  • logs and databases
  • software code.

The types of records you keep depend on how your business operates and the services it provides. For example, a casino might keep surveillance footage as a record for suspicious matter reports. However, this wouldn’t be common practice for an accountant.

You can meet your record keeping obligations by making or keeping records yourself or using an external provider.

Learn more about using outsourcing to help meet your AML/CTF obligations

Records you must keep

This section refers to the Act sections 107, 108, 111, 114 and 116.

The AML/CTF records you must keep are:

  • AML/CTF program records
  • customer due diligence (CDD) records
  • transaction records related to a designated service.

‘Reasonably necessary’ or ‘sufficient’ records

You must keep records that are: 

  • reasonably necessary to show you’re meeting your CDD and AML/CTF program obligations
  • sufficient to reconstruct individual transactions. 

This allows you to use your professional judgement to decide what records you need to demonstrate compliance. 

We provide examples of: 

  • records that are reasonably necessary in the sections on AML/CTF program records and CDD records
  • sufficient records in transaction records.

Storage

Records may be:

  • hard copy or electronic
  • stored at your premises or offsite. 

We expect you to keep records in their original format or the format you usually use. This will help show how you’re meeting your AML/CTF obligations. For example, you would keep an Excel document as a spreadsheet file, rather than converting it to PDF or another file type that may change the document’s structure or usability.

Sensitive records

We expect you to store sensitive records securely, and limit access to authorised staff. This may include records such as details of customer identification and suspicious matter reports. 

If you don’t store records securely, you’re more likely to be non-compliant with your obligations to avoid tipping off.

Learn more about the tipping-off offence.

Record keeping and privacy

All reporting entities must comply with the Privacy Act 1988. Even if you’re a small business, you have obligations under the Privacy Act because you’re a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act).

For help understanding your obligations under the Privacy Act, contact the Office of the Australian Information Commissioner.

Records of your AML/CTF program

This section refers to the Act section 116(1).

You must make and keep records that are reasonably necessary to show you’re compliant with your obligations under Part 1A of the Act.

Part 1A covers the AML/CTF program obligations, including:

  • ML/TF risk assessment
  • policies
  • responsibilities of governing bodies
  • AML/CTF compliance officers
  • program documentation and approvals.

Example: ML/TF risk assessment compliance 

Section 26E of the Act requires reporting entities to have an up-to-date ML/TF risk assessment before providing designated services.

You may demonstrate compliance by making sure your ML/TF risk assessment contains: 

  • approval dates
  • approving senior manager details
  • version history.

Demonstrating compliance through records

This section refers to the Act sections 26C, 26D, 26F, 26H and 51B and the Rules Part 5.

Below are examples of records that may show you’re meeting your AML/CTF program record keeping obligations. These are suggestions, and not an exhaustive list.

Obligation, followed by the records that may demonstrate compliance:
Enrol with us and register if required
  • enrolment confirmation message
  • completed AUSTRAC Business Profile Form
  • completed AUSTRAC Registration Form (if applicable)
  • registration approval (if applicable)
  • any related correspondence
Conduct an ML/TF risk assessment
  • current, documented risk assessment
  • previous versions within the past 7 years
  • records of senior manager approval and notification to the governing body
  • record of the steps taken to conduct, review and update the risk assessment
Develop and maintain an AML/CTF program tailored to your business
  • current program, including version history
  • records of senior manager approval and notification to the governing body
  • emails or meeting minutes showing consultation during program development
Review and update your AML/CTF program
  • review schedule showing when the program was reviewed and why
  • updated versions of the program, showing version control
  • meeting minutes documenting discussions on the effectiveness of the program, which may include input from the AML/CTF compliance officer, senior manager and other relevant staff
  • records showing when and how ML/TF risk has been reviewed and by whom
  • documented quality assurance testing that shows the program is operating effectively
  • records of control testing that show how controls are managing and mitigating your ML/TF risk
Conduct personnel due diligence
  • background checks and results
  • records of promotion or role change
  • suitability reassessment documents or approval records
  • job descriptions, training completion logs or register, qualifications and internal assessment results
Establish ongoing AML/CTF personnel training
  • AML/CTF training content and materials, including training that reflects the AML/CTF program policies and procedures
  • training schedules or plans, such as annual or periodic training calendars detailing topics, dates and target staff
  • register of training attendance, results and completion and action taken in response to non-attendance
Review and update AML/CTF program in response to AUSTRAC communications and mandatory triggers
  • AUSTRAC communications received
  • records of decision making and outcomes
  • documentation of identified changes (for example, business operations, products, services or customer base)
  • records of ML/TF risk assessment and outcomes
Conduct independent evaluations
  • engagement letters or audit plans that detail what the independent evaluation will cover
  • independent evaluation reports
  • records of considerations or actions taken in response

Governance and oversight obligations

This section refers to the Act section 26F and the Rules section 5–7.

Obligation, followed by the records that may demonstrate compliance:
Appoint an AML/CTF compliance officer
  • policy or role description that clearly defines the responsibilities of your AML/CTF compliance officer
  • records confirming appointment
  • evidence of how you assessed the person to be fit and proper for the role
  • evidence of training, along with skills and knowledge as required under personnel due diligence obligations
  • confirmation of AML/CTF compliance officer appointment through AUSTRAC Online
Review and, if required, update AML/CTF policies in response to changes to ML/TF risk assessment
  • AML/CTF policies review schedule
  • records of updates or version history
  • approvals by senior manager
  • records of how staff are made aware of relevant AML/CTF policy changes
Inform the governing body of ML/TF risks (if the reporting entity isn’t an individual). Make sure it receives reports from the compliance officer at least once every 12 months
  • briefings provided to the governing body
  • annual or more frequent internal AML/CTF compliance reports
  • meeting agendas and minutes, including records of discussion on AML/CTF compliance and any decisions and actions taken
Designate a senior manager or managers responsible for approving AML/CTF policies and ML/TF risk assessments (if the reporting entity isn’t an individual)
  • policy or role descriptions clearly outlining the role and responsibilities of senior managers
  • records of appointment
  • evidence of AML/CTF training, along with skills and knowledge as required under personnel due diligence obligations
  • procedures for senior manager approvals of the AML/CTF program and the provision of a designated service to high ML/TF risk customers

Reporting obligations

This section refers to the Act Part 3 and the Rules section 5–12.

Obligation, followed by the records that may demonstrate compliance:
Report certain transactions and suspicious activities to us
  • internal reporting logs or registers showing date, type and reference number of reports made to us
  • copies of records and documents that support reports submitted to us 
Establish processes to identify, review and determine if there are reasonable grounds to submit an SMR to us
  • written SMR procedures that detail decision making processes
  • internal escalation records, case files or audit trails that demonstrate determination of whether a suspicion exists as soon as practicable, and compliance with SMR reporting deadlines (including when a matter was first identified, and when a suspicion was formed)
  • meeting notes, emails or internal system notes showing review outcomes and rationale of decisions
  • AML/CTF training materials and attendance records related to SMR processes

Language requirement obligation

This section refers to the Act section 116(1).

AML/CTF program records must be in English or in a format easily accessed and translated into English.

Retention period obligation

This section refers to the Act section 116(3).

You must keep records related to your AML/CTF program from the time the record is made until 7 years after the record is no longer relevant to demonstrate compliance with your obligations under Part 1A.

You’ll need to use your professional judgement to decide when a record is no longer relevant to demonstrate compliance (the 7-year retention period begins from this point).

Customer due diligence records

This section refers to the Act section 111.

When you provide, or propose to provide, a designated service, you must make and keep records of your CDD. This includes:

You must make and keep records that are reasonably necessary to demonstrate compliance with your CDD obligations. This means your records must clearly show:

  • what customer information you collected
  • steps you took to verify the information collected, or to make sure the information was verified by a third party
  • analysis, identification or assessment of ML/TF risk, or decision making, that explains why the level of CDD was applied. 

Records of CDD carried out by a third party

This section refers to the Act sections 37B, 111, 114 and 114A.

You may choose to enter into a CDD arrangement with a third-party reporting entity (or foreign equivalent). 

If you choose to rely on CDD they have carried out, you must complete assessments of whether the third party is properly carrying out this process. You must record these results and keep them for 7 years after the record is prepared. The record must be prepared within 10 business days after completing the assessment.

You must keep a record of the CDD arrangement, as it will outline the scope, timelines and responsibilities. This agreement also serves as a record under Part 1A (AML/CTF program) of the Act. 

You must keep these records in line with the retention periods for CDD records.

Practical considerations

This section refers to the Explanatory Memorandum paragraphs 271 and 937.

For the purposes of section 111 of the Act, you only need to keep records of information that’s relevant to the CDD process. 

If you collect new customer information during the business relationship and conduct ongoing CDD, you must also keep previous CDD records. This is required if it is reasonably necessary to demonstrate compliance with your obligations.

Under the Act, you aren’t required to make copies of identification documents provided as part of CDD. Instead, you must keep records of what you did to identify the customer and what information they provided. 

For example, if the customer presents a passport, you must record the passport details used to verify their identity rather than making a copy. However, you may have a legal responsibility to copy these documents outside the Act.

Showing compliance through records

This section refers to the Act sections 111, 114 and 114A.

Below are examples of records that may show you’re meeting your CDD record-keeping obligations. These are suggestions, and not an exhaustive list.

Obligation, followed by the records that may demonstrate compliance:
Perform CDD, including initial, ongoing, simplified and enhanced CDD
  • a policy detailing when and how you’ll perform CDD
  • procedures for CDD, including initial, ongoing, simplified and enhanced CDD
  • outcomes of identity verification for customers, such as results from the document verification service (DVS)
  • internal forms or system logs showing updates to customer information or profiles
  • emails, call notes or signed declarations from the customer confirming changes to their details
  • updated customer ML/TF risk ratings, including scoring or rationale for changes
  • approvals or comments from compliance staff related to changes to customer risk classification
  • register of enhanced CDD conducted, including trigger, review, measures taken and approvals
  • high-risk customer register with onboarding approval
Keep records of assessments and of CDD procedures performed by third parties (if applicable)
  • records of CDD procedures conducted through third party agreement
  • records of periodic assessments of third party under a CDD arrangement and any findings or decisions
  • contract or agreement with the third party, outlining scope, timelines and responsibilities (this can also be kept as a record under Part 1A)

Language requirements

This section refers to the Act section 111(2).

CDD records must be in English or in a format easily accessed and translated into English.

Retention period

This section refers to the Act section 111(2).

You must keep your CDD records for 7 years from when either the:

  • provision of an occasional transaction is complete
  • business relationship ends.

For example, if you conduct CDD as part of an ongoing business relationship starting 7 February 2027 and ending 5 April 2029, you must keep the record until 4 April 2036. This is 7 years after the business relationship ends.

An occasional transaction refers to a transaction that isn’t part of an ongoing business relationship (such as a one-off purchase of property). For example, if you complete an occasional transaction on 4 September 2027, you must keep the record until 3 September 2034.

Transaction records

This section refers to the Act section 107(1).

You must make and keep transaction records for each designated service. 

These records must include enough details and supporting documents to fully and accurately reconstruct the transaction.

This detail may include records of:

  • date and time the transaction was completed
  • amount and currency or details of the virtual assets or property involved
  • customer information, such as name, account number or other identifiers
  • recipient information, if applicable
  • transaction type, such as deposit, withdrawal, purchase and transfer
  • unique transaction identifier, if applicable
  • payment method, such as cash, credit card, bank transfer and virtual assets
  • receipts, invoices, contracts or agreements, or related documents that provide context.

Customer-provided transaction records

This section refers to the Act section 108.

If a customer gives you any transaction documents while you’re providing them a designated service, you must keep these documents as a record.

This may include:

  • signed contracts or agreements
  • order forms
  • payment instructions.

Retention period

This section refers to the Act sections 107 and 108(2).

You must keep general transaction records for 7 years from the day the record is created. 

You must keep customer-provided transaction records for 7 years from the day you were given the document.

Repealed Financial Transaction Reports Act

You may have additional record keeping obligations for transactions that occurred before 7 January 2025 if you’re a:

  • solicitor
  • business that buys and sells traveller’s cheques
  • motor vehicle dealer who acts as an insurance provider or intermediary
  • online remitter that doesn’t provide designated services at or through a permanent establishment in Australia.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 17 Oct 2025
Page ID: 1298
