AUSTRAC Is Looking: Fix Your AML/CTF Records Without Hoarding IDs
Record-keeping is under sharper scrutiny as AUSTRAC steps up assurance and clients expect stronger privacy. For financial advisers who are reporting entities, weak customer due diligence (CDD) evidence and poor retention risk costly remediation, enforcement, and AFSL findings. Here’s how to turn that risk into an operational advantage.
1) The situation: regulatory pressure meets privacy expectations
Type of situation: New compliance obligations and an emerging privacy/operational risk. AUSTRAC’s assurance focus is rising, while clients question why firms still keep copies of IDs. The gap between what AUSTRAC expects you to document and what you actually store is where exposure lives.
Bottom line: If it’s not recorded, it didn’t happen—and if it’s over-retained, it’s a privacy liability.
- AUSTRAC expects timely, accurate, and retrievable records for CDD and transactions.
- OAIC and the Privacy Act (APPs) expect data minimisation and secure deletion.
- AFS licensees must ensure advisers follow approved AML/CTF procedures and forms.
2) The cautionary tale: onboarding a family trust
Where small gaps become big problems
Your team onboards a family trust. You sight IDs, store licence photos, but don’t fully capture beneficial owners/controllers. Months later, AUSTRAC asks for evidence. You can’t produce a dated record of the customer identification procedure, how you determined beneficial owners, or that CDD was completed before the designated service. Meanwhile, you’re holding unnecessary ID images—an APPs risk.
- Consequence: scrambled remediation, potential enforcement interest, and adverse AFSL findings.
- Client impact: awkward re-requests for documents and loss of trust.
3) What AUSTRAC expects you to retain
‘Show your work’ without hoarding personal data
- CDD records (min. 7 years): date/time of checks, who verified, sources used, verification outcomes, and how beneficial owners/controllers were determined.
- Transactions/services (min. 7 years): nature, amount, date, and links to the customer profile and risk rating.
- Program governance: your AML/CTF program version in force at the time, risk assessments, training logs, and quality assurance findings.
- Important: The AML/CTF Act does not require you to keep scanned or photocopied IDs for record-keeping purposes. Prefer recording verification outcomes over storing ID images.
Financial advisers should confirm licensee policy and the use of FAAA/FSC forms to document the record of verification procedure.
4) Design a lean evidence trail (without ID copies)
Make your ‘record of verification procedure’ bulletproof
- Standardise forms: Use a single source of truth template that captures: individuals verified, beneficial owners/controllers, sources (e.g., registry extracts), method (electronic/manual), result, and verifier details.
- Date-and-who stamps: Auto-capture timestamps and staff IDs. Lock entries after review.
- Beneficial ownership logic: Record the decision path (ownership thresholds, control tests, trustee/appointor roles) and evidence relied upon.
- Pre-service attestation: Require a checkbox: “CDD completed before designated service commenced.”
- Link to risk rating: Tie CDD outcomes to the customer risk score and ECDD triggers.
- Retention and deletion: Set 7-year retention on CDD/transactions; set shorter, documented deletion timers for any temporary ID images where policy allows; record destruction events.
5) Privacy by design: minimise, restrict, delete
- Minimise: Store verification outcomes, not ID scans, unless your licensee policy compels otherwise—then justify and time-limit.
- Access control: Restrict CDD records to need-to-know roles; enable audit logs.
- Secure deletion: Automate deletion workflows; evidence the deletion with logs.
- Data-loss prevention: Block downloads of ID images to personal devices; watermark any necessary temporary copies.
- Breach readiness: Maintain an incident playbook aligned to OAIC notifiable data breach requirements.
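The evidence-trail and privacy-by-design points in sections 4 and 5 are easier to reason about as a data model. The following is an added Python example, not code from the article or from any regulator or licensee: a minimal record-of-verification store that keeps verification outcomes rather than ID images, auto-stamps verifier and time, locks the record after review, hash-chains entries so a later edit is detectable (an implementation choice of this example, not a regulatory requirement), and computes the 7-year retention date and a deletion deadline for any temporary ID image. The 14-day image limit, the customer and staff identifiers, and the sample family-trust onboarding are all constructed for illustration.

```python
# Added example, not code from the article: a lean record-of-verification store
# that keeps outcomes (not ID images), auto-stamps who/when, locks after review,
# hash-chains entries so later edits are detectable, and computes deletion dates.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

RETENTION_YEARS = 7        # CDD/transaction retention period from the article
TEMP_IMAGE_TTL_DAYS = 14   # assumed policy value for any temporary ID image
SAMPLE_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
SAMPLE_SERVICE_START = SAMPLE_T0 + timedelta(hours=1)          # constructed service start

@dataclass
class Entry:
    subject: str         # person or entity verified
    role: str            # "trustee", "beneficial_owner", "individual", ...
    method: str          # "electronic" or "manual"
    sources: list        # what was relied on, e.g. ["trust deed"]; never an image
    outcome: str         # "verified" or "not_verified"
    decision_path: str   # how beneficial ownership/control was determined
    verifier_id: str = ""
    recorded_at: str = ""
    prev_hash: str = ""
    hash: str = ""

@dataclass
class CDDRecord:
    customer_id: str
    entries: list = field(default_factory=list)
    locked_by: str = ""
    locked_at: str = ""
    destruction_log: list = field(default_factory=list)

def _iso(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).isoformat()

def _entry_hash(entry: Entry) -> str:
    payload = {k: v for k, v in vars(entry).items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def add_entry(rec: CDDRecord, entry: Entry, verifier_id: str, now: datetime) -> Entry:
    """Stamp verifier and time, chain to the previous entry, refuse writes after lock."""
    if rec.locked_by:
        raise PermissionError("record locked after review; open a new record instead")
    entry.verifier_id, entry.recorded_at = verifier_id, _iso(now)
    entry.prev_hash = rec.entries[-1].hash if rec.entries else ""
    entry.hash = _entry_hash(entry)
    rec.entries.append(entry)
    return entry

def verify_chain(rec: CDDRecord) -> bool:
    """True if no entry was altered or removed since it was written."""
    prev = ""
    for e in rec.entries:
        if e.prev_hash != prev or _entry_hash(e) != e.hash:
            return False
        prev = e.hash
    return True

def lock_after_review(rec: CDDRecord, reviewer_id: str, now: datetime) -> None:
    rec.locked_by, rec.locked_at = reviewer_id, _iso(now)

def cdd_completed_before_service(rec: CDDRecord, service_start: datetime) -> bool:
    """Pre-service attestation: every entry verified and recorded before the service began."""
    return bool(rec.entries) and all(
        e.outcome == "verified" and datetime.fromisoformat(e.recorded_at) <= service_start
        for e in rec.entries)

def retention_expiry(rec: CDDRecord) -> datetime:
    """Earliest date the CDD record may be destroyed: 7 years after the last entry."""
    last = max(datetime.fromisoformat(e.recorded_at) for e in rec.entries)
    try:
        return last.replace(year=last.year + RETENTION_YEARS)
    except ValueError:                      # 29 February, target year not a leap year
        return last.replace(year=last.year + RETENTION_YEARS, day=28)

def temp_image_delete_after(stored_at: datetime) -> datetime:
    """Deletion deadline for a temporary ID image kept under a licensee exception."""
    return stored_at + timedelta(days=TEMP_IMAGE_TTL_DAYS)

def log_destruction(rec: CDDRecord, artefact: str, actor: str, now: datetime) -> dict:
    """Evidence the deletion itself; the event stays with the customer record."""
    event = {"artefact": artefact, "actor": actor, "destroyed_at": _iso(now)}
    rec.destruction_log.append(event)
    return event

def sample_record() -> CDDRecord:
    """Constructed family-trust onboarding: trustee, beneficial owner, image deletion, review lock."""
    rec = CDDRecord("CUST-0001")
    add_entry(rec, Entry("Smith Family Trust", "trustee", "manual", ["trust deed"], "verified",
                         "deed names trustee and appointor"), "adv-17", SAMPLE_T0)
    add_entry(rec, Entry("J Smith", "beneficial_owner", "electronic", ["electronic match"],
                         "verified", "appointor can remove the trustee (control test)"), "adv-17",
              SAMPLE_T0 + timedelta(minutes=5))
    log_destruction(rec, "temporary licence image", "adv-17", temp_image_delete_after(SAMPLE_T0))
    lock_after_review(rec, "qa-03", SAMPLE_T0 + timedelta(days=1))
    return rec
```

The design choice worth noting is that nothing in the record is an image: `sources` names what was relied on and `decision_path` captures the beneficial-ownership reasoning, which is what an AUSTRAC request asks you to produce. The destruction log lives alongside the CDD entries so the deletion of a temporary image is itself evidenced, and `cdd_completed_before_service` turns the "CDD before designated service" checkbox into a check that can be run across every file during the monthly spot-check.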
6) Make it operational: single source of truth for remote teams
Document your business or get out
Remote and hybrid teams need crisp, version-controlled instructions to execute CDD consistently. Create a single source of truth for policies, forms, and checklists so every adviser follows the same playbook.
- Document control: numbered versions, change logs, owner/approver fields, and review dates.
- Runtime guidance: embed micro-instructions and examples in the form itself.
- Quality loop: monthly spot-checks of files against the AUSTRAC record-keeping checklist; feed findings into retraining.
7) Strategy: turn audit-readiness into a trust advantage
Clients and licensees reward firms that run tight systems. Make audit-readiness visible: publish your privacy-by-design stance, confirm CDD-before-service adherence, and highlight that you retain evidence for 7 years without unnecessary ID images.
- Metrics that matter: CDD completion before service (%), files with named beneficial owners (%), record of verification procedure (RVP) form completeness score, records retrieved within 48 hours, and deletion success rate.
- Training: scenario-based drills for complex structures (trusts, companies with layered ownership).
8) Your 7-day action plan
- Map records to AUSTRAC’s checklist: identify gaps in CDD, transactions, governance.
- Fix the forms: ensure your RVP captures beneficial ownership logic and outcomes.
- Set retention + deletion: 7 years for CDD/transactions; shorter timers for any temporary ID images; log destruction.
- Align with licensee: confirm AML/CTF policy, the use of FAAA/FSC forms, and approval to avoid storing ID scans where possible.
- Secure the vault: tighten access, enable audit logs, and test retrieval time.
- Run a file hygiene sprint: remediate past onboardings (start with high-risk clients and trusts).
- Train the team: 30-minute refresher on beneficial ownership and RVP completion.
- Schedule monthly QA: put the checklist on the calendar and keep it there.
