AML/CTF Record-Keeping Requirements: What to Keep and for How Long

9 min read · General information, not legal advice · Updated 2026-06-12

You are the compliance lead at a real estate agency, a law or conveyancing practice, an accounting firm, a trust and company service provider, or a precious metals and stones business, and you have just realised that doing the work is only half the job. The other half is being able to prove you did it. From 1 July 2026, when tranche 2 obligations commence, you will need records that show your AML/CTF program is real and that you actually follow it, not just that it exists on paper.

The decision in front of you is concrete: what do you keep, where do you keep it, and for how long, so that if AUSTRAC asks you can produce a clean, organised file rather than scrambling through inboxes and shared drives. This is general information only, not legal advice, and your exact obligations depend on the specific designated services you provide. Always confirm against AUSTRAC guidance and, where needed, a qualified adviser.

What AML/CTF record-keeping actually means

Record-keeping is one of the core obligations of a reporting entity under Australia's AML/CTF regime, administered by AUSTRAC. In plain terms, it is the requirement to retain enough evidence to show that you met your other obligations: that you identified and verified customers, applied your AML/CTF program, monitored transactions, and reported when you should have.

It helps to think about records in two layers:

• Customer and transaction records — the evidence created as you serve customers, such as identity information, what you relied on to verify it, and the transactions you handled.
• Program and governance records — the evidence that your AML/CTF program itself was developed, approved, reviewed, and followed, including your ML/TF risk assessment, your policies and procedures, training, and reporting decisions.

The first layer proves you knew your customer. The second layer proves you ran a genuine compliance system. A regulator looking at audit-readiness wants to see both, and wants to see that they connect: a customer file should trace back to the procedure that produced it.

Who and what this applies to

Tranche 2 refers to the reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extend Australia's AML/CTF regime to new sectors, the so-called tranche 2 entities. The new obligations are due to commence on 1 July 2026.

The newly captured sectors are:

• Real estate professionals involved in buying and selling property.
• Dealers in precious metals and precious stones.
• Certain professional service providers, including lawyers, conveyancers, accountants, and trust and company service providers.

The nuance that decides your scope: these obligations apply when you provide specified designated services, not simply because of your job title. That distinction matters for record-keeping because the records you must keep attach to the designated services you provide. Your first task is to map which of your activities are designated services, because that tells you which customers, transactions, and decisions generate records you need to retain. Because the boundaries are set in the rules, treat the detail here as a starting point and confirm scope as the AUSTRAC rules are finalised.

What records to keep

Build your filing around the obligations the records are meant to evidence. A practical way to organise it is by category:

• Customer identification and verification (CDD/KYC) records. The identity information you collected, the reliable and independent sources you relied on to verify it, beneficial owner details, and the date you carried out each step.
• Risk-rating records. The risk rating you assigned to each customer and the factors behind it, plus any re-rating when circumstances changed.
• Transaction records. Details of the designated services and transactions you provided, sufficient to reconstruct what happened.
• Ongoing monitoring records. Evidence that you monitored the relationship, including any alerts you reviewed and how you resolved them.
• Reporting records. Copies of suspicious matter reports (SMRs) and threshold transaction reports (TTRs) for physical currency of AUD 10,000 or more, plus the reasoning behind a decision to report or not report a matter.
• AML/CTF program records. The program itself, your documented ML/TF risk assessment, your policies, procedures, systems and controls, and version history showing what changed and when.
• Governance records. Evidence the program was approved by the appropriate level of management, the appointment of your AML/CTF compliance officer (AMLCO), and any board or senior oversight.
• Training records. Who was trained, on what, and when.
• Independent review records. Any review of your program and how you acted on the findings.

A useful test for each category: if AUSTRAC asked you to demonstrate this obligation tomorrow, could you produce the evidence quickly and explain it? If not, that is a gap to close before 1 July 2026.

How long to keep records

The general rule is that AML/CTF records must be kept for seven years. As a working default, retain customer, transaction, reporting, and program records for at least seven years.

The practical questions are usually about when the clock starts, and that depends on the type of record:

• For customer identity and verification records, the retention period typically runs from the end of the customer relationship rather than from when you onboarded them.
• For transaction records, the period typically runs from when the transaction or service was completed.
• For program and governance records, keep them while the program is in force and for the retention period after a version is superseded, so you can show what your program said at any given time.

Because the precise start points and any category-specific timing are set in the rules, confirm the exact retention triggers as the AUSTRAC rules are finalised. The safe operating posture is simple: do not destroy AML/CTF records on a hunch. Set a retention schedule, default to seven years, and only dispose of records once you have confirmed the period has genuinely run.

Building an audit-ready system

Audit-readiness is less about volume and more about retrievability. A pile of records you cannot find on request is, in practice, almost as bad as no records at all. As the compliance lead, design for the moment someone asks "show me."

• Make records findable. Use a consistent structure so any customer file, transaction, or report can be located quickly by name, date, or reference.
• Keep records legible and intact. Stored records should be readable and complete for the full retention period, including any verification evidence.
• Protect and back up. Records should be secure against loss, tampering, and unauthorised access, with backups so a single failure does not wipe your history.
• Show the decision, not just the outcome. For reporting and risk-rating, record the reasoning. "We decided not to report" is far stronger when the file shows why.
• Link records to the program. A customer file should map back to the procedure that produced it, so an auditor can see your program is actually being followed.
• Version your program. Keep dated versions of your AML/CTF program and risk assessment so you can show what was in force at any point in time.

Non-compliance with record-keeping can attract significant civil and criminal penalties, so treat your records as the proof layer of your whole program, not as an afterthought.

Common record-keeping mistakes

If you are setting up record-keeping for the first time, these are the traps worth heading off early:

• Keeping the outcome but not the evidence. Noting that a customer was verified, without retaining what you actually relied on, leaves you unable to prove it later.
• No retention schedule. Without a documented schedule, records get deleted too early or kept inconsistently, and nobody knows the rule.
• Scattered storage. Records spread across personal inboxes, individual laptops, and ad hoc folders are not retrievable on request.
• Forgetting the program-side records. Many first-timers file customer records well but neglect evidence of program approval, training, reviews, and version history.
• Not recording reporting decisions. A decision not to lodge an SMR with no recorded reasoning is hard to defend.
• Destroying records too soon. Cleaning up storage without checking the seven-year clock is a self-inflicted compliance failure.
• Treating it as a one-off setup. Record-keeping is a continuous habit; it only works if it runs every time you serve a customer.

How record-keeping fits your wider obligations

Record-keeping is not a standalone task. If you are a reporting entity, it sits inside the set of obligations you build once and run continuously:

• Enrol with AUSTRAC via AUSTRAC Online.
• Develop and maintain an AML/CTF program, covering governance, a documented ML/TF risk assessment, and your policies, procedures, systems and controls.
• Conduct customer due diligence (CDD/KYC), including ongoing CDD and transaction monitoring.
• Report suspicious matters (SMRs) and threshold transactions involving physical currency of AUD 10,000 or more (TTRs).
• Keep records, generally for seven years (the subject of this guide).
• Appoint an AML/CTF compliance officer (AMLCO) to own the program.

Every one of those obligations produces records, and your record-keeping is what proves you met them. One practical note: an audit-ready template kit, with a retention schedule, a records register, a verification evidence checklist, and dated program and risk-assessment templates, can save a first-time compliance lead a lot of blank-page time. It gives you a defensible structure to tailor rather than inventing the filing model from scratch. Whatever you adopt, make sure it reflects your own designated services and risk assessment, because a template is a head start, not a substitute for running the system every day.