How To Meet AML Record Keeping Requirements Under The AML/CTF Act

When auditors or regulators come calling, they aren’t looking for intentions or well-worded policies. They’re looking for clear, traceable records that show your AML/CTF policies don’t just exist on paper but are executed correctly.

While it may feel like a bureaucratic chore, a robust, defensible body of AML record keeping evidence will provide the audit shield you need to help protect your business from unwanted regulatory action.

Keep reading to find out what you must record under the AML/CTF Act, how to record it properly, how long to keep it, and how to build a smart destruction policy.

Your AML record keeping evidence checklist

All reporting entities must keep comprehensive records to comply with the AML/CTF Act. The records you keep should be guided by your AML compliance program, and fall broadly into three categories.

1. Customer due diligence

As the cornerstone of AML activity, it’s no surprise that a large portion of your record keeping will involve the information you collected when conducting customer due diligence. This includes what you did to identify your customer, and the identifying information you collected.

  • Identity and verification: Record details of your customer, any beneficial owner, any person acting on behalf of your client, and trustees. Show how you identified and verified them. Include any copies taken of identification documents.
  • Source of wealth/source of funds: Ensure you record what procedures you followed to verify source of funds (SoF) and/or source of wealth (SoW). This may include proof of income, or proof of monetary gift received.
  • Risk assessments: Document initial risk ratings applied to customers and the rationale behind ratings.
  • Enhanced CDD: Record any additional checks, monitoring outputs, and decisions made if you need to carry out enhanced CDD on a customer.
  • Ongoing monitoring: Include any decisions, alerts, or documented reviews performed as part of ongoing monitoring.
  • Suspicious activities: Include details of any red flags raised, what procedures you followed when suspicions were raised, and keep copies of any suspicious matter reports (SMRs) submitted.

Doing this will not only help provide the required evidence at audit time to show your procedures are operating effectively, but also provide a valuable record of your relationship with your client and whether it has changed over time.

2. Transaction records

AUSTRAC states you need to keep records of transactions if they relate to providing a designated service to a customer.

These records must be sufficient to allow a transaction to be readily reconstructed by an auditor at any time, and include:

  • Transaction details: Document details of transactions, including amounts, currency, dates, parties involved, and channels used, such as deposits, wire transfers, or cash.
  • Threshold transaction reports: Keep copies of reports submitted and all internal records supporting the decision to submit (or not submit) a report.
  • International funds transfer instructions (IFTIs): Ensure detailed records for any international electronic funds transfer are kept for the required period.

If you are an intermediary institution, you must keep a record of ‘required transfer information’, which is either ‘complete payer information’ or ‘tracing information’, if:

  • The transfer is forwarded by your permanent establishment in Australia.
  • The money will be made available to the beneficiary through the beneficiary institution’s Australian office.
  • You received all or part of the required transfer information from another institution in the payment chain.
  • The ordering institution accepted the transfer instruction through one of its overseas offices.
  • The transfer instruction was passed on to you by a permanent establishment of the ordering institution, or of another entity, in a foreign country.

3. Compliance program and training

Every reporting entity is required to have a documented AML/CTF compliance program. This program should clearly set out the policies, procedures and controls you rely on to meet your AML obligations. Just as importantly, your record keeping needs to show that this framework is more than a paper exercise.

  • Program documentation: Retain all historical and current versions of the compliance program and risk assessment.
  • Governance approvals: Record who approved the adoption of the program, and who has reviewed and managed the ongoing maintenance of the program.
  • Audit and review: Keep records of all independent AML/CTF audits, including the resulting audit report, your remediation plan (if required), and proof that any corrective actions were implemented.
  • Staff training: Log details of all training. Include who was trained, the date training occurred, and training topic.

How to store records

Keeping records is only part of the compliance story. To fully meet your obligations, you also need to make sure those records are stored properly and can be easily retrieved when required.

Accessibility
You need to be able to show that records can be quickly accessed and provided to regulators or auditors when requested.

  • Centralisation: Keeping records spread across multiple systems creates unnecessary complexity. Using AML software to centralise your document management will make it far easier to store, access, and retrieve records when you need them.

Privacy and security
All reporting entities must comply with the Privacy Act 1988, and in addition your company may have its own rules around confidentiality that you need to follow.

  • Access: Sensitive records, such as personal customer information and SMRs, do not need to be accessed by everybody. Implement access controls and store SMRs separately from general client information to prevent accidental ‘tipping off’.
  • Exit strategy: Both physical and electronic records must be disposed of securely after the designated period, unless subject to legal or regulatory inspection. Use a secure destruction service or ensure permanent deletion from electronic sources.

Timeframes
How long you need to keep records depends on the type of designated service you provide, and the nature of your business activities.

  • Transactions: You must keep transaction records for seven years from the date the transaction was made.
  • Customers: Records relating to your customer relationship, i.e. identification procedures, must be retained for seven years after the relationship ends.
  • Compliance program: You must keep AML/CTF program records for seven years after the program is no longer in use. If you update any part of the program, you must keep records of the previous version for seven years after that change stops applying.

From paperwork to protection

While record keeping can feel like a chore, it is a non-negotiable AML obligation. By adopting a robust AML record keeping process, you will shift from scrambling for documents during an audit or crisis to providing comprehensive and defensible evidence at a moment’s notice.

If you’re unsure whether your current record keeping approach would stand up to regulatory scrutiny, a simple review of your systems and processes can help identify gaps before they become issues. Talk to our team and see how they can help.

Nicolas Charles, Head of Operations and Finance
About the author

Nick has nearly 10 years of background in financial services. During his time in retail finance and banking, he was directly involved in the application of AML verification and compliance, which gave him valuable skills for his current role as Head of Operations and Finance at tic company.
