Record keeping — 7 years of what, exactly
What records you must keep, for how long, and in what form.
Record-keeping is where most agencies will fail their first AUSTRAC inspection. The obligation looks simple — keep records for seven years — but the scope is broad and the format requirements are exacting.
What must be kept.
- Customer due diligence records — identification documents, verification evidence, source-of-funds and source-of-wealth records, beneficial-ownership tracing, PEP and sanctions screening results, ECDD approvals.
- Transaction records — every designated service provided, including parties, dates, amounts, and the nature of the service.
- Programme documentation — every version of your AML/CTF programme, board approvals, risk assessments, policy updates.
- Training records — who was trained, on what, when, and the assessment results.
- SMR and TTR records — every report filed, the underlying evidence, and the internal decision-making trail.
- Internal escalation records — suspicious matters considered and not reported, and the reasons.
- Independent review records — every review report and remediation plan.
Retention period. Seven years from the end of the customer relationship for CDD records, seven years from the date of the transaction for transaction records, and seven years from the date of creation for programme, training, and review records. The period is fixed by the AML/CTF Act 2006 (Cth) and cannot be shortened.
Format. Records must be:
- Retrievable within a reasonable time on AUSTRAC request (in practice, days, not weeks)
- Admissible as evidence (originals or certified copies; metadata preserved)
- Tamper-evident — changes after the fact must be detectable
- Australian-resident in practical terms — APP 8 of the Privacy Act 1988 (Cth) restricts cross-border transfer of personal information
Paper records are permitted but rapidly become unmanageable. Most agencies will operate digitally, which raises questions about the integrity of the storage system. Cloud storage with append-only or write-once-read-many (WORM) characteristics is the conservative position.
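One way to get the tamper-evident property described above, shown as an added example (not part of the original page or of any product it refers to): a hash-chained manifest over the archived files, with the latest head hash copied to WORM storage. The function names, file names, sample contents and the `anchored_head` parameter are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first entry

def _digest(body):
    # Canonical JSON so identical metadata always hashes identically
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(ledger, category, name, content, recorded):
    """Add a manifest entry chained to the previous one; return the new head hash."""
    entry = {"seq": len(ledger), "category": category, "name": name,
             "recorded": recorded, "sha256": hashlib.sha256(content).hexdigest(),
             "prev": ledger[-1]["entry_hash"] if ledger else GENESIS}
    entry["entry_hash"] = _digest(entry)
    ledger.append(entry)
    return entry["entry_hash"]

def verify(ledger, store, anchored_head):
    """Return (seq, problem) findings; an empty list means nothing changed."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev:
            findings.append((i, "chain broken"))
        if _digest(body) != entry["entry_hash"]:
            findings.append((i, "metadata altered"))
        content = store.get(entry["name"])
        if content is None:
            findings.append((i, "file missing"))
        elif hashlib.sha256(content).hexdigest() != entry["sha256"]:
            findings.append((i, "file altered"))
        prev = entry["entry_hash"]
    # A rewritten or truncated ledger is still internally consistent, so the head
    # must also match a copy held where the archive administrator cannot write.
    if prev != anchored_head:
        findings.append((len(ledger) - 1, "head mismatch"))
    return findings

def build_sample():
    """Constructed sample archive: file names and contents are made up."""
    store = {"cdd/passport.pdf": b"scan-bytes-1",
             "txn/contract-0001.json": b'{"amount": 850000}',
             "smr/decision-0001.txt": b"considered, not reported"}
    ledger, head = [], GENESIS
    for name, content in store.items():
        head = append_record(ledger, name.split("/")[0], name, content, "2026-07-01")
    return ledger, store, head
```

Running `verify` on a schedule against the anchored head turns a silent edit, deletion or back-dated entry into a finding tied to a specific record.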
Where agencies fall down.
- Records scattered across email, conveyancing software, the CRM, and personal drives — no single retrievable archive
- Identity documents kept in transient form (photos on phones, attachments deleted after settlement)
- No version history on the programme or risk assessment
- Training records limited to "we ran a session" with no attendance or assessment evidence
- SMR decisions undocumented — including the decisions not to file
Every transaction your agency closes generates a CDD pack, a transaction record, and audit-trail metadata that must be retained for seven years and produced on demand in an AUSTRAC-auditable format.
What to do next: Audit your current records against the seven categories above, identify gaps, and consolidate into a single retrievable archive before 1 July 2026.