Skip to content

Record-keeping — 7 years of what, exactly

The seven record categories you must retain for seven years under the AML/CTF Act, the format requirements, and where most agencies fail.

In short

Seven categories of records, retained for seven years, in a form AUSTRAC can audit on demand. CDD records run seven years from the end of the customer relationship. The Privacy Act effectively keeps the data in Australia.

Record-keeping is where most agencies will fail their first AUSTRAC inspection. The obligation sounds simple — keep records for seven years — but the scope is broad and the format requirements are demanding.

What must be kept.

  1. CDD records — identification documents, verification evidence, source-of-funds and source-of-wealth records, beneficial-ownership tracing, PEP and sanctions screening results, ECDD approvals
  2. Transaction records — every designated service provided, including parties, dates, amounts, and the nature of the service
  3. Programme documentation — every version of the AML/CTF programme, board or principal approvals, risk assessments, policy updates
  4. Training records — who was trained, on what, when, with assessment results
  5. SMR and TTR records — every report filed, the evidence behind it, and the internal decision trail
  6. Internal escalation records — suspicious matters considered and not reported, with reasons
  7. Independent evaluation records — each evaluation report and the remediation plan that followed

Retention periods. Seven years from the end of the customer relationship for CDD records. Seven years from the date of the transaction for transaction records. Seven years from the date the record stopped being relevant for programme, training, and evaluation records. The retention period is fixed by ss 107, 108, 111, 114 and 116 of the AML/CTF Act 2006 (Cth) and cannot be shortened.

Format requirements. Records must be:

  • Retrievable within a reasonable time on AUSTRAC request — practically, days, not weeks
  • Admissible as evidence — originals or certified copies with metadata preserved
  • Tamper-evident — alterations after the fact must be detectable
  • Within Australia in practice — APP 8 of the Privacy Act 1988 (Cth) restricts cross-border transfer of personal information

Paper records are permitted but become unmanageable fast. Most agencies will operate digitally, which raises questions about the integrity of the storage system. Append-only or write-once-read-many (WORM) storage is the conservative position.

Where agencies fall down.

  • Records scattered across email, conveyancing software, the CRM, and personal drives — no single retrievable archive
  • Identity documents kept in transient form: phone photos, attachments deleted after settlement
  • No version history on the programme or the risk assessment
  • Training records limited to "we ran a session" with no attendance or assessment evidence
  • SMR decisions undocumented, including the decisions not to file

What to do next. Audit your current records against the seven categories above, identify the gaps, and consolidate into a single retrievable archive before 1 July 2026. Decide your retention platform before you start generating volume — retrofitting WORM storage after the fact is harder than starting clean.

Frequently asked questions

When does the seven-year clock start for a buyer's CDD pack?
From the end of the customer relationship — usually settlement. Not from the date the documents were collected.
Can records be kept entirely in the cloud?
Yes, provided they are retrievable, admissible, and tamper-evident, and the storage location respects Privacy Act APP 8 on cross-border transfer.
Are paper records acceptable?
Permitted but impractical at volume. Most agencies will operate digitally with append-only or write-once storage for compliance records.
Does this apply to SMRs we decided not to file?
Yes. Document the matter considered, the analysis, and the decision not to file. The decision trail is what defends the call.

Sources

  1. AML/CTF Act 2006 (Cth) ss 107, 108, 111, 114, 116
  2. AML/CTF Rules 2025
  3. Privacy Act 1988 (Cth) APP 8

This is general guidance for Australian real estate professionals. It does not constitute legal advice. Consult a qualified AML/CTF practitioner before relying on it for your agency.