Seven-Year Proof: Make Your AML/CTF Records Audit-Ready
With AML/CTF reforms advancing and AUSTRAC sharpening supervision, advice firms can’t rely on tax-era retention habits. Here’s how one small firm rewired its record-keeping to meet 7-year AML/CTF obligations—and how you can do the same, fast.
1) The Monday Letter: A Wake-Up Call
“We’re increasing our supervision focus.” That line from an AUSTRAC communication jolted our advisory team. Our tax settings were tidy, but AML/CTF? Not so much. We had five-year habits, seven-year obligations, and customer due diligence (CDD) scattered across email, CRM, and shared drives. The risk wasn’t intent—it was retrieval.
“Document your business or get out.” The mantra landed. If we couldn’t prove CDD, monitoring, and program decisions quickly, we didn’t truly have them.
2) The Real Problem: Not Risk—Records
The gap was operational: fragmented systems, unclear owners, and no single source of truth. Remote staff couldn’t follow inconsistent instructions. When CDD files span ID checks, beneficial ownership diagrams, verification snapshots, and enhanced customer due diligence (ECDD) notes, “search everywhere” isn’t a strategy.
- Fragmentation: CRM notes, emails, ID PDFs, and spreadsheets lived in silos.
- Ambiguity: No one knew who owned each record type or the retention trigger.
- Latency: Producing a complete CDD file took days—unacceptable under scrutiny.
Lesson:
Compliance isn’t only “do the right thing.” It’s “prove it quickly.” That requires documented systems, role clarity, and retrieval muscle.
3) What to Keep for 7 Years
The four pillars of AML/CTF records
- Customer due diligence (CDD): Identification and verification data, beneficial ownership, screening results (e.g., PEP/sanctions), source-of-funds/source-of-wealth rationale, risk rating, and who verified what, when, and how.
- Transaction records: Nature, date, amount, counterparties, channels/accounts, and relevant instructions.
- Ongoing monitoring and ECDD decisions: Alerts reviewed, escalations, ECDD triggers and outcomes, rationale, and approvals.
- AML/CTF program and governance: Part A/Part B programs, ML/TF risk assessment, training logs, independent review/assurance, Board/owner approvals, and policy change history.
Retention rules you can act on
- Hold for at least 7 years. This often exceeds tax record settings.
- Retention triggers: CDD and identification records—7 years from when the business relationship ends; transaction records—7 years from the transaction date; program/governance—7 years from creation/last update or as required by your policy.
- Purpose alignment: Keep records so they assist financial crime investigations and demonstrate compliance, consistent with the AML/CTF regime.
4) Map Owners and Triggers (Your Actionable Blueprint)
We created a simple mapping that turned confusion into accountability.
Do this on one page:
- Record type: CDD, transactions, monitoring/ECDD, program/governance.
- System of record: CRM, KYC tool, DMS, core ledger, case management.
- Named owner: e.g., Head of Compliance (CDD), Operations Lead (transactions).
- Retention trigger: e.g., CDD = 7 years after relationship ends; transactions = 7 years from transaction date.
- Access path: Exact folder/library path or saved search query to retrieve full files.
- Privacy check: Apply Australian Privacy Principles (APPs) and controls for secure storage and defensible deletion at end-of-retention.
Example snippet
- CDD files: System = KYC module; Owner = Compliance; Trigger = 7 years post-relationship; Retrieval = “ClientID > CDD > Final Pack”.
- Transactions: System = Core ledger; Owner = Ops; Trigger = 7 years from transaction; Retrieval = Saved report filter + export template.
5) Build the Single Source of Truth
We didn’t rip and replace. We declared a system of record for each record type and integrated the other tools around it.
Design choices that worked
- One destination per record type: CRM/KYC for CDD, ledger for transactions, DMS for program/governance.
- Immutable audit trail: Versioning + read-only “final CDD pack” PDF snapshots after verification.
- Indexing: Naming conventions (ClientID_Date_RecordType) and mandatory metadata (owner, trigger, end-of-relationship date).
- Remote-ready SOPs: Click-by-click procedures with screenshots, published in a single-source-of-truth wiki that everyone follows.
Why documenting systems is crucial
- Consistency for remote teams—no heroics required.
- Faster onboarding and fewer errors.
- Clear accountability and simpler audits.
6) The Retrieval Drill: Pass in 60 Minutes
We ran a monthly “CDD drill.” The rule: produce the complete CDD file—including beneficial ownership, verification data, and monitoring/ECDD notes—within 60 minutes of request.
How we practiced
- Random client selection by Compliance.
- Use only documented SOPs to retrieve records from the declared systems of record.
- Assemble a single PDF pack with an index page.
- Peer review against a checklist.
Within two months we cut retrieval time from days to under 45 minutes, with 0 missing elements in spot checks. The main challenge—proving compliance quickly—was resolved.
7) Outcomes: Fewer Gaps, More Confidence
- Audit-ready: Complete files on request, consistent with AUSTRAC expectations.
- Coverage: 100% of new clients have verified beneficial ownership recorded and retrievable.
- Governance: Board-approved AML/CTF program and risk assessment version-controlled for 7 years.
- Remote workers follow instructions: SOPs reduce variance and rework.
- Privacy-by-design: Retain only what’s required; apply APPs and delete at end-of-retention.
Ops Lead: “We finally have one place to look.” Compliance: “And one way to prove it.”
8) Your 30-Day Action Plan
- Days 1–5: List the four record pillars. For each, name the system-of-record and owner.
- Days 6–10: Set retention triggers (7 years from transaction or relationship end). Update policies and your AML/CTF program.
- Days 11–15: Document SOPs with screenshots; publish to a single wiki. Train remote staff.
- Days 16–20: Tag records with metadata (owner, trigger, end-of-relationship date). Enable versioning.
- Days 21–25: Run a CDD retrieval drill. Fix gaps immediately.
- Days 26–30: Schedule monthly drills; add independent review; monitor KPIs (retrieval time, completeness).
Keep it simple, consistent, and provable. If you can retrieve a complete CDD file on demand, you’re future-proofing your firm for reforms and supervision.