All reporting entities must keep records to comply with their AML/CTF obligations. Record-keeping involves creating full and accurate records and storing and managing them.

Motor vehicle dealers (who are insurers or who act as insurance intermediaries) and solicitors also have record-keeping obligations to comply with the Financial Transactions Reports Act 1988.

The records you must keep and how long you need to retain them depend on the type of designated services you provide and the nature of your business activities.

Generally you will have to keep records of or about:

  • transactions
  • customer identification procedures
  • your AML/CTF program.

There are additional record-keeping requirements for remittance service providers and digital currency exchange providers.

You must store these records securely, in a format that allows them to be retrieved and audited. They can be:

  • hard copy or electronic
  • stored at your premises or offsite.

Keeping records helps you comply with the law and shows AUSTRAC that you are fulfilling your AML/CTF obligations. It also helps you manage the risks of your business or organisation being exploited for money laundering or terrorism financing. If your business or organisation is misused for criminal purposes, your records may help us and other authorities investigate.

You need to keep records of transactions (transaction records) if they relate to providing a designated service to a customer. You must keep all transaction records that you create.

If a customer (or their agent) gives you any documents relating to designated services you are providing or intend to provide, you must keep those documents as a record.

For AML/CTF purposes, you do not have to keep certain transaction records, including:

  • customer-specific documents (such as account statements)
  • general customer correspondence
  • publicly available statements
  • forms and documents you routinely give customers (such as disclosure statements or financial summary reports)
  • notices of overdrawn accounts
  • information you give customers about how you will deliver a designated service
  • correspondence with customers or any documents you give them in response to their questions about your products or services
  • records of interviews or conversations with customers, unless the information in the interview or conversation relates to another reporting obligation you have under the AML/CTF Act.

There are special rules for transaction record-keeping for authorised deposit-taking institutions (ADIs) transferring accounts.

You must keep transaction records for seven years.

You may have to keep a record of information about international electronic funds transfer instructions (EFTIs). An EFTI is an instruction to transfer funds electronically between financial institutions. The transfer may be from one person to another, or between different accounts held by the same person.

International EFTIs involve an instruction to transfer funds that is sent:

Sometimes for international EFTIs, there is a chain with one or more intermediary institutions between the ordering institution and the beneficiary institution.

If you are an intermediary institution, you must keep a record of ‘required transfer information’, which is either ‘complete payer information’ or ‘tracing information’, if:

  • the transfer is to be passed on by your permanent establishment in Australia
  • the transferred money will be made available at or through the permanent establishment of the beneficiary institution in Australia
  • all or some of the required transfer information was passed on to you by any other institution in the chain
  • the transfer instruction was accepted by the ordering institution at or through its permanent establishment in a foreign country
  • the transfer instruction was passed on to you by a permanent establishment of the ordering institution, or of another entity, in a foreign country.

You must keep records about these EFTIs for seven years.

When you carry out a customer identification procedure (KYC) you must make and keep a record of:

  • what you did to identify the customer
  • the identifying information they presented.

You don’t have to copy documents (for example, you can record details of a driver’s licence or passport rather than photocopying them). However, if you do take copies, they become records you must keep.

If you collect new customer information about a customer, you must still keep the original customer identification procedure records.

If you don’t verify updated customer information you don’t need to keep a copy of it because it’s not a customer identification procedure. For example, if a customer tells you their new residential address and you don’t verify these new details as part of the customer identity verification procedure, you don’t need to keep a record.

You must keep customer identification procedure records for the duration of your relationship with the customer, and for an additional seven years after you stop providing any designated services to them.

Records relating to using the Document Verification Service

If you use the Document Verification Service (DVS) as part of your applicable customer identification procedures, you must keep a record of the results. This could include printing, saving, scanning or making a file note of the results of your search.

Records relating to using credit reporting agencies

If you ask a credit reporting agency to verify a customer’s identification information, you must record:

  • the name of the credit reporting agency
  • the personal information you gave the credit reporting agency about the customer
  • the assessment (if any) the credit reporting agency gave you about the customer.

Credit reporting agencies that receive a request to verify customer identification must record:

  • the date the request was made
  • the name of the reporting entity that made the request
  • the personal information it received about the customer
  • the date it provided an assessment (if any) of the customer.

Both the reporting entity and the credit reporting agency must keep these records for seven years after making or receiving the request.

Requesting copies of another entity’s customer identification records

In some circumstances, you can ask for copies of customer identification records from a licensed financial adviser, or another member of your designated business group (DBG), if their customer becomes your customer.

The copy is a valid record that you must then keep for seven years after you stop providing all designated services to the customer.

Privacy requirements and customer records

Under the AML/CTF Act, you must keep customer identification records for seven years after you’ve stopped providing any designated services to them. The record-keeping requirements under the AML/CTF Act do not override the credit reporting provisions in the Privacy Act. This means that if you keep records for longer than the five years permitted by the Privacy Act, you can only use the records for purposes related to meeting your record-keeping requirements under the AML/CTF Act.

You must create and retain records relating to your AML/CTF program. This includes records of:

  • the date you adopted the program (such as board minutes approving the program)
  • who approved the adoption of the program
  • the program itself
  • any changes to the program.

You must keep these records for seven years after the day the program ends and is no longer used. When you change a part of your program, you must retain records about the program for seven years after the change no longer has effect. For example, if your program was implemented in 2010, and paragraph 10 of your program was changed in 2013, you must keep a record of the original paragraph 10 until 2020.

All remittance service providers and digital currency exchange providers must keep records of their registration details and information about their business. This includes:

  • an original or certified copy of a national police certificate or equivalent for all key personnel (this also applies to new key personnel)
  • details of the business structure, including the management structure and any related entities.

You must keep these records until you are no longer registered with AUSTRAC.

Financial institutions must retain a record, or a copy of a record, of a due diligence assessment of a correspondent banking relationship.

Financial institutions must undertake due diligence assessments of their correspondent banking relationships if they believe there is a risk of money laundering or terrorism financing.

The record must be kept for seven years after the record was made.

In some circumstances, reporting entities:

  • are exempt from record-keeping obligations
  • can allow other entities to keep their records
  • can have their obligations modified.

Exemptions for designated services provided in a foreign country

You are exempt from some of the record-keeping requirements for designated services you provide at or through a permanent establishment in a foreign country.

The only records you must keep are those about:

  • transferred ADI records or records of closed ADI accounts
  • electronic funds transfers
  • AML/CTF programs
  • due diligence assessments of correspondent banking relationships.

Joint arrangements for designated business group and corporate group members

Members of designated business groups (DBGs) or corporate groups can arrange to jointly fulfil their record-keeping obligations. Any member of the group can keep records on behalf of other members.

For example, another member of the group may provide a storage and retrieval service for you. Or, you may fulfil the record-keeping requirements for customer identification procedures for other members of your group.

The legal obligation for record-keeping remains with the member providing the designated service, despite any agreement made within the group. You can get another member to act on your behalf but you can’t transfer your legal obligations.

All reporting entities must comply with the Privacy Act. Reporting entities that would otherwise be exempt, such as small businesses, have obligations under the Privacy Act because they are a reporting entity under the AML/CTF Act. Contact the Office of the Australian Information Commissioner for help to understand your obligations under the Privacy Act.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 15 Jan 2024
Page ID: 39
