Seven Years, Three Days: AML/CTF Records You Can Prove

Seven Years, Three Days: AML/CTF Records You Can Prove

AUSTRAC’s AML/CTF reforms are accelerating toward 2026, and record-keeping has become a live risk for advice practices, licensees, and other professional services. If you can’t produce complete evidence within days—not weeks—you face onboarding delays, remediation costs, audit pain, and potential civil penalties. Here’s how to turn record-keeping from a liability into a business advantage.

1) The Situation: New Compliance Obligations Meet Operational Risk

This is a regulatory update and emerging risk. Under the AML/CTF Act and Rules, you must keep customer identification (including beneficial ownership), transaction, program and reporting records for seven years. ASIC/Corporations Act expectations commonly require seven years for advice records too. AUSTRAC’s program reforms are progressing, with significant changes flagged for 2026, meaning scrutiny will only increase.

2) A Relatable Scenario: Remote Trust Onboarding, Missing Pieces

An adviser onboards a trust remotely. The KYC tool verifies IDs—but the file lacks a clear beneficial ownership map, there’s no saved sanctions/PEP screening outcome, and the AML/CTF program version relied on isn’t recorded. Months later, AUSTRAC queries the client. The team can’t retrieve complete evidence quickly, sparking remediation, re-KYC across the book, and operational strain during peak advice periods.

3) The Rule of Seven: What You Must Be Able to Produce

Think “seven years, ready on request.” You must retain and retrieve:

• CDD/Beneficial ownership evidence (trust deeds, company extracts, control/benefit maps).
• Sanctions/PEP screening results with timestamps and source (tool name, list versions).
• Transaction and engagement records that link advice provided to client activity.
• Program evidence: the AML/CTF program version, procedures, and the date relied upon.
• Reporting records including SMR-related notes (recorded without tipping off the client).

Also note: many businesses over $3m turnover must comply with the Australian Privacy Principles (APPs). Store records securely, limit access, and align your retention/destruction schedule to both AML/CTF and privacy obligations. Law practices and financial advisers face comparable retention expectations and ethical duties.

4) The Three-Day Retrieval Test

AUSTRAC or your auditor won’t wait. Can your firm deliver in three business days?

1. Find the full CDD pack and beneficial ownership map for any complex client.
2. Produce sanctions/PEP screening outcomes with date/time and list version.
3. Show transaction/engagement records that connect activities to advice.
4. Provide evidence of the AML/CTF program version/procedure relied on at the time.
5. Retrieve SMR-related notes (where applicable) recorded without tipping-off language.

If any item is missing or scattered, your risk exposure is rising.

5) This Week’s Action: Run a 5-File Targeted Check

Pick five complex or higher-risk clients (e.g., trusts, layered company structures, offshore links). In 72 hours, confirm you can retrieve:

• CDD and beneficial ownership evidence (including diagrams that show control and benefit).
• Sanctions/PEP screening outcomes with timestamps and the screening tool used.
• Transaction/engagement history, including advice records, saved communications, and approvals.
• SMR-related notes (if any), kept in a restricted area to avoid tipping-off.
• The AML/CTF program version and relevant procedures relied on at onboarding/periodic review.

Document gaps immediately and update your retention schedule and procedures the same week.

6) Build the System: Single Source of Truth over Scattered Evidence

Centralise the File

• Create a single client record where KYC, ownership maps, screening PDFs, and program version references live together.
• Use consistent naming conventions (e.g., YYYY-MM-DD_Sanctions-PEP_[ToolName]_ClientName.pdf).

Make Remote Work Repeatable

• Write step-by-step playbooks so remote staff follow the same collection and saving steps.
• Embed mandatory fields (program version, screening date, list version) in your workflow.

Control Versions

• Store the AML/CTF program with version numbers and an “effective date” banner.
• Link each client event (onboarding/review) to the program version used.

Culture Cue

Document your business or get out. If it isn’t written, it didn’t happen.

Train for retrieval drills quarterly. Measure time-to-evidence as a key risk indicator.

7) Strategic Payoff: Speed, Trust, and Audit Readiness

• Faster onboarding: clear ownership maps avoid escalations and “back and forth.”
• Lower audit stress: documented program versions and timestamped screenings reduce contention.
• Continuity: when staff change, a single source of truth preserves context and compliance.
• Regulatory confidence: consistent seven-year retention, available on request, shows maturity.

As reforms land (from late March 2026 with key obligations crystallising through mid-2026), firms that can prove compliance in days—not weeks—win.

8) 30-Day Plan: From Risk to Routine

1. Week 1: Run the 5-file check; log gaps; fix urgent misses (save screening results, build ownership maps).
2. Week 2: Update your retention schedule; standardise file structure and naming; lock down access per APPs.
3. Week 3: Version-control your AML/CTF program; embed “program version” fields into onboarding forms and CRMs.
4. Week 4: Train your team; simulate a three-day regulator request; track time-to-evidence and refine.

Make “retrieve in three days” your operational standard. Your future self—and your next audit—will thank you.

Related Links:

• AUSTRAC: Core Record-Keeping Guidance
• FAAA: AML/CTF Hub for Financial Advisers
• AUSTRAC: AML/CTF Program Reform – Record-Keeping

Recent Posts: