Every identity check, every screening result, every piece of CDD evidence — in one audit-ready place.
The AML/CTF Act requires you to create and retain records of all CDD and verification activities. It is not enough to check a client's identity — you must be able to prove you checked it, what you found, and when you did it. AUSTRAC's compliance expectation is that you can produce this evidence on demand during an audit or investigation.
The records you must retain include:
7-year retention requirement. Under section 106 of the AML/CTF Act, all CDD and transaction records must be retained for a minimum of 7 years from the date the record was made or the date the business relationship ended — whichever is later.
Records are the backbone of any AML/CTF enforcement action. When AUSTRAC or the Australian Federal Police investigates a money laundering matter, they will request documentation from every professional who touched the client or transaction. Without records, you cannot demonstrate you fulfilled your obligations — and the default assumption is that you didn't.
Beyond enforcement, records serve a practical intelligence purpose. AUSTRAC uses aggregated data from reporting entities across the financial system to detect patterns of criminal behaviour. Your records, if requested, contribute to that picture.
PEP and sanctions screening is ongoing, not once-off. A client who was low-risk when onboarded can become a PEP or appear on a sanctions list years later. AUSTRAC expects you to have a process for periodic re-screening — and evidence that you ran it.
During an AUSTRAC audit, the burden is on you to demonstrate compliance. If you cannot produce records of your CDD and screening activities, AUSTRAC will treat that as evidence of non-compliance — not as an oversight.
Failure to keep required records is itself a breach of the AML/CTF Act, carrying penalties of up to $4.4 million per breach for individuals. If AUSTRAC finds a pattern of missing records across your client base, each missing record is a separate breach.
Beyond regulatory penalties, missing records create professional liability exposure. If a client later becomes the subject of a money laundering investigation and you cannot show you conducted proper due diligence, you may face action from your professional body and potential civil claims.
The 7-year retention requirement also means that deleting or losing records — even accidentally — is a compliance failure. Cloud storage, email folders and paper files are not adequate substitutes for a structured document register.
Because SimpleAML stores data locally in your browser, your evidence register never leaves your device. You retain full control of your records and are solely responsible for backing them up — which is why the export function is a core part of the app, not an afterthought.
Start documenting your CDD evidence properly. No account needed — open SimpleAML in your browser right now.