Seven Years, Seven Minutes: Win AML/CTF Record-Keeping
Small financial advice firms are under sharper AUSTRAC scrutiny. Treat AML/CTF record‑keeping not just as compliance, but as an operations discipline: aim to retrieve the right evidence in minutes, not days.
1) What’s Changing—and Why It Matters
This is a regulatory compliance update with real operational risk. Under the AML/CTF Act, AUSTRAC expects you to retain and retrieve customer identification, beneficial ownership, ongoing due diligence, transaction, and suspicious matter records—generally for seven years. The bigger risk isn’t only penalties—it’s the productivity drain, client frustration, and remediation effort when you can’t evidence who, what, when, and why.
2) The Painful Reality: The Family Trust File That Ate Your Week
Common story: you onboard a family trust. IDs are buried in email, trustee minutes live in a client portal, and the ML/TF risk assessment sits in a spreadsheet. An AUSTRAC query requests verification steps and beneficial owner evidence across three years. Your team spends days reconciling versions, can’t clearly show the rationale for ongoing monitoring, and you wear overtime costs, a remediation direction, and a strained client relationship.
- Operational drag: scattered records and unclear version history.
- Regulatory exposure: incomplete or unverifiable evidence trail.
- Reputational damage: delays erode client confidence in your controls.
3) Know the Rules: What to Keep (and What Not to Copy)
Build your controls around the record classes AUSTRAC expects—and be deliberate about privacy:
- Customer identification (CDD) and verification: evidence of how you verified identity, including data sources, reference numbers, and who did the check.
- Beneficial ownership: structure charts, trustee/appointor details, minutes or deeds that establish control.
- Ongoing due diligence: risk assessments, monitoring triggers, review notes, and decisions.
- Transactions: records sufficient to reconstruct the transaction (amount, date, parties, purpose).
- Suspicious matter assessments: rationale to file or not file a report.
- AML/CTF Program (written): how you identify, mitigate, and manage ML/TF risk, including procedures and roles; keep versions and review logs.
Retention clock: keep AML/CTF records for at least seven years; keep customer identification records for seven years after you stop providing the designated service. ASIC also requires AFS licensees to keep personal advice records for at least seven years. Where possible, record verification details rather than storing full ID copies (e.g., driver’s licence number reference and source), unless your risk‑based program or other law requires copies.
4) Step 1 — Map Retention to Record Classes
- Inventory where records live: email, DMS, CRM, portals, spreadsheets, wet‑ink files.
- Define the event that starts the clock: onboarding, transaction, or cessation of designated service.
- Set the seven‑year rule per class: apply to CDD, UBO, ongoing due diligence, transactions, and SMR decisions.
- Assign an owner and SLA: retrieval target of under 7–10 minutes for a complex file.
- Choose a single source of truth: one controlled repository, with other systems holding references, not primary records.
5) Step 2 — Centralise and Standardise So Remote Teams Can Execute
Document your business so any staff member—on‑site or remote—can follow it the same way every time.
- Folder template: pre‑build CDD, UBO, ODD, Transactions, and SMR subfolders per client/entity.
- Naming convention: e.g., YYYY‑MM‑DD_RecordClass_DocumentType_Version_Uploader.
- Metadata: client/entity, beneficial owners, verification method, review date, and risk rating.
- Access controls: principle of least privilege; log every view/edit for audit.
- Intake discipline: ban “records in inbox”; capture to DMS at creation with mandatory fields.
- Privacy by design: prefer verification extracts over full ID images unless justified by your risk‑based procedures.
6) Step 3 — Run a Retrieval Drill and Prove the “Why”
Practice like you’ll be audited tomorrow—your aim is decisionable evidence, fast.
- Pick a complex file: e.g., family trust with multiple controllers.
- Time‑box to seven minutes: retrieve CDD trail, UBO proof, monitoring notes, and a sample transaction set.
- Show reasoning: include notes explaining risk rating, ongoing monitoring frequency, and any SMR decision.
- Build an audit pack: auto‑export a single PDF/zip with index, timestamps, and version history.
- Log gaps and fix: update your AML/CTF Program, procedures, and training within a week.
7) Strategy Shift: Documentation Is an Operating System
“Document your business or get out.” Clear, current procedures turn compliance into speed and confidence.
- Change management: version‑controlled SOPs; brief authorised representatives; capture attestations.
- Culture: measure “time‑to‑evidence” as a core KPI.
- Client experience: faster, transparent responses reduce friction and build trust.
- Resilience: when people move on, your single source of truth stays.
8) Next Best Action: Your 60‑Minute Plan This Week
- Read AUSTRAC’s implementation expectations and your industry guidance.
- Draft a one‑page retention matrix mapped to AML/CTF record classes and the seven‑year rule.
- Implement a client folder template, naming convention, and mandatory metadata in your DMS.
- Run a retrieval drill on one complex client end‑to‑end; record your time‑to‑evidence.
- Update your written AML/CTF Program, including roles, review dates, and exceptions handling.
- Brief your team and authorised representatives; assign file owners and schedule periodic reviews.



