The AML/CTF Act requires reporting entities to retain identification, transaction and program records for seven years. The seven years runs from different dates depending on the record type, which is a frequent source of confusion.
Retention triggers
- Customer ID records — seven years from the end of the customer relationship.
- Transaction records — seven years from the date of the transaction.
- SMR/TTR records — seven years from the date of the report.
- Training records — seven years from the date of the training.
- Program documents — seven years after the program is replaced or the firm ceases to be a reporting entity.
Defensible storage
Records must be retrievable on demand and produced in a form AUSTRAC can read. Cloud storage in your AML platform is fine; an unindexed shared drive is not. Backup is your responsibility — if your provider goes out of business, your retention obligation does not.