Record Keeping Requirements Under Tranche 2

Why Record Keeping Matters

Record keeping isn't just paperwork — it's one of the pillars of your AML/CTF compliance. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act), Tranche 2 reporting entities must maintain comprehensive records of their compliance activities, customer interactions, and reporting obligations.

For accountants newly captured by Tranche 2, this is one of the most operationally significant obligations. You likely already have strong record-keeping habits for tax and audit purposes, but AML/CTF record keeping has its own specific requirements that go beyond your existing practices.

What Records Must You Keep?

The Act requires Tranche 2 entities to retain records across several categories:

1. Customer Identification and Verification Records

• Customer identification procedures (CIP) performed for each client
• Identity verification documents collected (or references to documents sighted)
• Beneficial ownership information and the steps taken to identify beneficial owners
• PEP and sanctions screening results, including the date screened and data sources used
• Enhanced CDD (ECDD) records where higher risk was identified
• Ongoing CDD — any updates to client information or re-verification

2. Transaction Records

• Details of designated services provided to each client
• The nature and date of each transaction or service
• For threshold transactions: the amount, parties, and method of payment
• International funds transfer instructions (IFTIs) if applicable

3. AML/CTF Program Records

• Your current AML/CTF program (Part A and Part B)
• All previous versions of the program, with dates of changes
• Enterprise-wide risk assessment (EWRA) and any updates
• Board or senior management approvals for the program

4. Reporting Records

• Copies of all suspicious matter reports (SMRs) submitted to AUSTRAC
• Copies of threshold transaction reports (TTRs)
• Any IFTI reports
• Internal records of matters considered but not reported (with reasoning)

5. Training Records

• Who was trained and when
• What training was provided (content, module, or course reference)
• Assessment results or completion records
• Refresher training schedule and compliance

6. Compliance Officer Records

• Nomination of the AML/CTF compliance officer
• Compliance officer reports and reviews
• Independent review reports (if applicable)

How Long Must Records Be Retained?

The general retention period under the Act is 7 years. However, the starting point for the 7-year clock depends on the record type:

Record Destruction: When and How

After the retention period expires, you're not required to destroy records — but if you choose to, you must do so securely. Key rules:

• Check for legal holds first. If any record is subject to litigation, a regulatory investigation, or an AUSTRAC examination, it must not be destroyed regardless of its age.
• Maintain a destruction register. Log what was destroyed, when, by whom, and the method of destruction.
• Use secure methods. Paper records should be cross-cut shredded or securely incinerated. Digital records should be permanently deleted with verification.
• Approval gate. Record destruction should require sign-off from the compliance officer or a senior manager.

Building a Compliant Record-Keeping System

Here's a practical approach for a small to mid-size accounting practice:

Step 1: Audit Your Current Records

Map what you already collect and where it lives. Most accounting practices have client identification documents in their practice management software, but may not have formal CDD records, screening results, or training logs.

Step 2: Identify the Gaps

Compare your current records against the categories above. Common gaps for accounting practices include:

• No formal CDD process (you have IDs on file but no structured verification record)
• No PEP/sanctions screening records
• No beneficial ownership documentation beyond what's needed for tax
• No training records specific to AML/CTF
• No SMR decision records (matters considered but not reported)

Step 3: Choose Your System

You have three options:

1. Manual (spreadsheets + folders). Workable for very small practices (1-3 staff) but difficult to scale and audit.
2. Integrated practice management. Some practice management tools are adding AML modules, but coverage is often incomplete.
3. Dedicated compliance software. Purpose-built tools like ComplyAU handle the full record-keeping lifecycle — collection, retention, audit trails, legal holds, and secure destruction — with built-in 7-year retention and immutable audit logs.

Step 4: Implement Audit Trails

AUSTRAC expects you to demonstrate not just that you kept the records, but when they were created, who created them, and that they haven't been tampered with. An immutable audit trail — where entries can't be edited or deleted after creation — is the gold standard.

Step 5: Test Your System

Before 1 July 2026, run a mock AUSTRAC examination. Can you produce:

• A complete CDD file for any client within 24 hours?
• Your current AML/CTF program and all previous versions?
• Training records for all staff?
• A complete audit trail for any compliance action?

If the answer to any of these is no, you have work to do before commencement.