Caltury

The 12 records AUSTRAC actually wants you to keep (and for how long)

8 min readUpdated 19 May 2026By Ben Horne

Seven years sounds simple. The detail is which twelve record classes you actually have to keep, when each clock starts, and why hard-deletion is the single most common path to under-retention. This guide is the reference for every Tranche 2 reporting entity. It applies to real estate agencies, conveyancers, accountants, law firms, TCSPs, and dealers in precious metals and stones.

In this guide
  1. 01The headline: 7 years, varying starts
  2. 02The 12 record classes
  3. 03When each clock starts
  4. 04Why soft-delete, not hard-delete
  5. 05Format and accessibility
  6. 06Common questions

The headline: 7 years, varying starts

AUSTRAC’s headline retention rule is seven years. That is the floor under chapter 11 of the AML/CTF Rules and reinforced in sections 107 and 114 of the AML/CTF Act. The number itself is not the trap. The trap is that the seven-year clock starts from different events depending on the record class. Get the start date wrong and you can be technically compliant today but under-retained when AUSTRAC asks in 2033.

Two examples to make the trap concrete:

  • You onboard a customer on 1 July 2026, run CDD, settle a transaction in August 2026, then never see them again. If you treat the retention clock as starting at intake, you can dispose of their identity record in July 2033. If you treat it correctly — starting at end-of-relationship — you cannot dispose until the relationship is formally closed plus 7 years. The 7-year clock typically runs from the date you actively close the file, not the date of the last transaction.
  • You revise your AML/CTF Program in 2027 to add a new sanctions screening process. The 2026 version of the Program must be retained until 2034 (the date it was superseded plus 7 years), not until 2033 (the date it was originally written plus 7 years). Practices that overwrite the Program every year rather than versioning it lose the audit trail AUSTRAC may need.

The 12 record classes

AUSTRAC does not publish a numbered “12 records” list, but the obligations across the Act and Rules collapse into twelve distinct record classes a reporting entity has to keep. This is the reference list. Each row is the record, what it actually contains, when its clock starts, and the section of the Act or Rules that captures it.

Customer identification records

The verified identity data captured at CDD: name, date of birth, address, ID-document references, beneficial owners for non-natural persons.

Clock startsEnd of the customer relationship (last designated service provided).ReferenceAML/CTF Act s.107; Rules ch.10.

Transaction records

Each designated-service transaction: parties, amount, date, type of designated service, currency, account references.

Clock startsDate of the transaction.ReferenceAML/CTF Act s.107.

AML/CTF Program (Part A and Part B), every version

The current Program plus every superseded version. The audit trail of how risk management has evolved in the practice.

Clock startsDate the version was superseded.ReferenceAML/CTF Act s.114.

Risk assessment versions

The ML/TF risk assessment, plus every revised version. Including the dated approval by the governing body.

Clock startsDate the version was superseded.ReferenceRules ch.8.5.

Annual independent review reports

The reviewer's report, the reviewer's identity and qualifications, the management response, any remediation actions.

Clock startsDate the review was completed.ReferenceRules ch.8.6.

Suspicious Matter Report (SMR) records

Each lodged SMR plus the underlying suspicion trigger, supporting evidence, and the audit trail of who decided to lodge.

Clock startsDate the SMR was lodged with AUSTRAC.ReferenceAML/CTF Act s.107.

Threshold Transaction Report (TTR) records

Each lodged TTR plus the underlying cash transaction records.

Clock startsDate the TTR was lodged.ReferenceAML/CTF Act s.107.

International Funds Transfer Instruction (IFTI) records

Each lodged IFTI plus the underlying transfer instruction documentation.

Clock startsDate the IFTI was lodged.ReferenceAML/CTF Act s.107.

Sanctions and PEP screening records

Each screening run: customer record, screening date, source lists used, match results, decision taken (cleared, escalated to EDD, SMR).

Clock startsDate of the screening.ReferenceRules ch.4.3 implied by ongoing CDD requirements.

Training records

For every staff member exposed to designated services: training completed, dates, module content, assessment outcomes.

Clock startsLater of training completion or end of staff member's tenure.ReferenceRules ch.9.

Beneficial ownership records

For corporate, trust and partnership customers: the beneficial-owner chain captured at CDD, supporting evidence, refresh dates.

Clock startsEnd of the customer relationship (treated as part of the customer identity record).ReferenceRules ch.4.12 and s.107.

Source-of-funds and source-of-wealth records

For higher-risk customers and large transactions: documented evidence of where the money originated, including supporting paperwork (bank statements, sale contracts, payslips).

Clock startsDate of the underlying transaction or relationship close.ReferenceRules ch.15 (EDD requirements).

When each clock starts

The clock-start rule groups into three patterns:

Pattern A

Starts at end of customer relationship

Customer identification records and beneficial ownership records. The reasoning is that AUSTRAC may need to re-investigate a customer years after the last transaction if a suspicious matter is later surfaced. The relationship has to be formally closed (marked archived, file closed) before the clock starts.

Pattern B

Starts at date of the event

Transaction records, SMR records, TTR records, IFTI records, sanctions screening records. Each is anchored to the date the event happened. A 2027 transaction is retained until 2034 regardless of whether the customer relationship continues or not.

Pattern C

Starts when the version is superseded

AML/CTF Program versions and risk assessment versions. These are versioned documents; each version is retained from the date the next version replaced it. Practices that treat the Program as a single live document overwritten in place lose every previous version’s audit trail.

Why soft-delete, not hard-delete

The single most common path to under-retention is hard-deleting a customer record when the practice “moves on” from a client. A few situations where this routinely happens:

  • Client requests data deletion under the Privacy Act / APP 12. Reporting entities are allowed to retain records to meet a legal obligation despite a deletion request. The right answer is to retain plus inform the client; the wrong answer is to delete and then have nothing to show AUSTRAC.
  • Staff member leaves the practice and clears their inbox / dropbox / filing cabinet. Operational records lost without anyone realising for months.
  • Practice management software is migrated to a new vendor and the export does not include the AML evidence layer. Files appear to migrate; the audit trail does not.
  • Customer never closed but inactive for years. Practice marks them dormant in the CRM and the CRM purges dormant records after 2 years. Identity records gone before the 7-year clock could ever start.

The safer default for a Tranche 2 practice: every record class above is soft-deleted (marked archived, removed from active views, but persisted in the database) rather than hard-deleted. The retention obligation is then automatically met because the row is never destroyed; only the operational visibility is hidden. After 7 years from the relevant clock start, the record can be flagged for review and removed consciously, not as a side effect of a process change.

Format and accessibility

AUSTRAC does not prescribe a single record format. The Act only requires that records are kept in a way that they can be retrieved when AUSTRAC asks. In practice that means three things:

  • Retrievable within a reasonable timeframe. Records on a backup tape in storage offsite that take three weeks to recover are not really retrievable. Records in a live system that can be queried within hours are.
  • Readable by AUSTRAC, not just by your practice. PDF or CSV exports of the underlying data work fine. Proprietary file formats specific to a software vendor that no longer exists in 2033 do not.
  • Tamper-evident enough to be probative. Records that have been edited without an audit trail are weaker evidence than records held in an append-only system where every change is timestamped. AUSTRAC does not require cryptographic chains today, but they prefer evidence of integrity over evidence that has been overwritten.

The practical question: if AUSTRAC asks for a customer’s complete identity record, transaction history, sanctions screening history and the AML/CTF Program version in force when their last transaction happened, how long would it take your practice to produce that? Under a day is good. Under a week is acceptable. More than that is a sign the record system needs work.

Common questions

Can I keep paper records or do they have to be electronic?

Either. The Act is technology-neutral. Paper records that can be physically produced when AUSTRAC asks satisfy the obligation. The practical reality for most small practices is that electronic records are easier to search, retrieve and demonstrate completeness on. Hybrid approaches work; pure paper at scale is operationally painful.

What if I outsource record-keeping to a third party (a cloud vendor, a managed-service provider)?

The retention obligation stays with the reporting entity. You can outsource the operational storage to a cloud vendor or managed-service provider, but if they go out of business and lose your records, AUSTRAC pursues you, not them. Mitigation: keep a documented data-export path so you can recover the records if a vendor relationship ends, and confirm the vendor is not jurisdictionally hostile to AUSTRAC requests.

Do I keep records when a customer cancels onboarding before completing CDD?

Yes, in most cases. If you started a designated service and ran any CDD steps, those records (the partial verification, the screening result, the reason the customer abandoned) are part of the retention obligation. The relationship is short, but the obligation attaches. Soft-archive rather than delete.

What about a customer who fails CDD and is refused service?

The records of the failed CDD are retained the same way as records of a completed CDD. The fact that you ran the check and declined to proceed is itself part of the audit trail AUSTRAC may want to see, especially if the same person later appears as a customer of a different reporting entity.

Can my law society or industry body audit see the AML records?

Generally no, unless your governing body has a specific statutory power covering AML/CTF supervision (which most do not — that sits with AUSTRAC). Law-society trust account auditors look at trust account records under state legislation. AUSTRAC examiners look at AML/CTF records under the Commonwealth Act. Different scope, different access rights.

What records does Caltury actually retain on my behalf?

All 12 classes above, automatically. Customer identity, transaction history, AML/CTF Program versions, risk assessment versions, annual review reports, SMR/TTR/IFTI records, sanctions and PEP screening history, training records, beneficial ownership chains, source-of-funds documentation. Append-only audit log on the storage layer. Soft-delete on customer archival so the retention clock continues to run from the correct start date.

About the author

Caltury is AML/CTF software for independent Australian practices entering Tranche 2. Founded by Ben Horne (ex-ADF, sole trader, ABN 49 452 393 782, Australian-based). Sydney hosted on Supabase and Vercel. Async written support, no calls or demos. The readiness assessment is the right next step if this guide was useful and you want it applied to your specific practice.

Vertical-specific guidesBuyer FAQSecurity posture

This guide is general information about Australian AML/CTF record-keeping obligations. It is not legal advice. AUSTRAC has not reviewed this content. For situations specific to your practice consult an Australian-qualified lawyer or AML/CTF adviser. Section and chapter references are to the AML/CTF Act 2006 and the AML/CTF Rules as in force at the time of writing.

Free download

Not ready to start? Get the free Tranche 2 checklist.

The 40-point checklist covering AUSTRAC enrolment, your AML/CTF Program, KYC, sanctions screening, record-keeping and staff training. We email you the link plus a few short, useful follow-ups on getting ready before 1 July 2026. Unsubscribe in one click.

Ready to find your gaps?

12 questions, one number, real list.

Free. No signup. Shareable URL. The output is a score and a per-obligation diagnostic so you know exactly what to close before 1 July 2026.

More guides