Anti-money laundering documentation required: what Australian businesses need
As AML/CTF obligations expand under Tranche 2, one area that’s often underestimated is documentation. Many businesses focus on processes (things like how to onboard clients, verify identity, assess risk), but overlook the importance of recording those actions properly. Under the AML/CTF framework, documentation is how you demonstrate that your business is compliant.
So what exactly are the AML documentation requirements? Let’s look at what records do you need to keep and how they should be managed.
What documentation is required to stay AML compliant?
At a high level, AML documentation refers to the records your business must keep to show how it identifies, manages and monitors money laundering and terrorism financing risk. When people ask what is AML documentation, the answer is simple - it’s the evidence that your AML/CTF program exists, and how it’s being followed.
It covers your end-to-end AML compliance lifecycle, including:
- Customer Due Diligence records
- Risk assessments
- AML/CTF program documents (including superseded programs)
- Transaction monitoring and file notes
- Reporting records (such as Suspicious Matter Reports)
- Staff training records
Without this documentation, even the best-run processes can’t be demonstrated.
Why is this documentation required under Australian law?
Under the AML/CTF Act and Rules, reporting entities must be able to show that they have taken reasonable steps to meet their obligations. AUSTRAC does not expect Tranche 2 businesses to be perfect from day one, but they do place a very strong emphasis on record-keeping because it allows the regulators to:
- Verify that customer due diligence has been conducted
- Assess whether risk has been properly identified and managed
- Confirm that reporting obligations have been met
- Review how decisions were made
Importantly, most AML records must be retained for at least seven years. This means you need to consider how your AML documentation evidences your compliance well into the future.
What businesses need to keep AML documentation?
Any business that is classified as a reporting entity under the AML/CTF framework must maintain AML documentation. This includes industries already captured under Tranche 1, as well as those coming into scope under Tranche 2, such as:
- Real estate agencies
- Conveyancing firms
- Law practices
- Accounting and tax advisory firms
- Trust and company service providers
- Dealers in precious metals and stones
Even if AML-related services form only part of your business, if you provide a designated service, these documentation requirements apply to any client to whom you provide that service(s).
Core AML documents that every business must have
To meet AML documentation requirements, businesses need to maintain a combination of policy documents, operational records and evidence of actions taken.
Risk Assessment
Your risk assessment documents the types of money laundering and terrorism financing risks your business may face. For each of those risks, it looks at your business’s appetite for those risks and how you propose to manage them. This forms the basis for all other compliance decisions.
AML/CTF Program
Your AML/CTF program is the foundation of your compliance framework and is based on your Risk Assessment. Your program needs to outline how your business identifies, mitigates and manages risk, together with customer identification and verification procedures. This document must be tailored to your business and regularly reviewed.
Customer Due Diligence (CDD) Records
These are often referred to as AML KYC (Know Your Customer) documents. CDD records include:
- Details of identity documents (e.g. passport, driver’s licence)
- Verification records and any enquiries made
- Beneficial ownership information
- Records of how identity was verified
These documents demonstrate that you know who your customer is — a core requirement under AML/CTF laws. It is important to note though, that in accordance with the Privacy Guidance issued by the Office of the Australian Information Commissioner, businesses should not retain copies of full ID documents. The AML/CTF rules only you to document what customer information you collected and the steps you took to verify the information collected.
Ongoing Monitoring and File Notes
AML compliance doesn’t stop at onboarding. Businesses must monitor clients and transactions over time and document any changes in risk (as they apply to the individual client and the business as a whole) and unusual activity. Decisions made in response to those changes should also be recorded. File notes are particularly important here, as they show how your team interpreted and responded to information.
Reporting Records (e.g. SMRs)
If your business identifies suspicious activity, you may be required to lodge a Suspicious Matter Report (SMR). You must retain copies of any reports submitted, together with their supporting documentation. You should also retain records of how and why the decision to report (or not to report) was made. This all forms part of your audit trail which may be requested by AUSTRAC.
Staff Training Records
AML/CTF compliance requires that all of your staff should be trained appropriately. You must maintain records showing:
- who has completed training
- when it was completed
- what content was covered
Training should be tailored to your staff members’ particular roles, and to your business (in line with your risk assessment).
Who is responsible for maintaining AML documentation?
While certain tasks in your AML compliance can be delegated, the overarching responsibility cannot. The reporting entity is ultimately responsible for ensuring that AML documentation is accurate, complete and easily accessible/retrievable.
In practice, this responsibility sits with the Board/Senior Management and the Compliance Officer.
Even if you use software, consultants or outsourcing providers, your business remains accountable for maintaining proper records. This is a consistent theme across all AML/CTF obligations: support can be outsourced, but responsibility stays with you.
How to safely store your AML documentation
Maintaining documentation is only part of the requirement. You also need to store it in a way that is secure, yet accessible. AML documentation must be retained for at least seven years. This applies to things like:
- Customer identification records
- Transaction records
- AML program documentation
- Reporting records
These AML records should be easily retrievable by you in the event that AUSTRAC requests it. If documentation is scattered across emails, folders and systems, it becomes difficult to demonstrate compliance (even if the work has been done).
Data security and privacy considerations
AML documentation often includes sensitive personal information. Businesses must consider how data is stored, who has access to it and how it is protected. It’s also important to consider how your storage approach aligns with applicable privacy requirements, including where data is stored and whether it is held locally in Australia or offshore.
While the specifics will vary depending on your setup, this is not an area that can be overlooked.
Frequently Asked Questions
What is AML documentation?
AML documentation refers to the records a business keeps to demonstrate compliance with AML/CTF obligations. This includes customer due diligence records, risk assessments & AML programs, monitoring records, reporting documentation and staff training records.
What AML documents are required for compliance?
Common AML documents include your AML/CTF program, risk assessment, customer due diligence records (KYC/KYB documents), transaction monitoring notes, Suspicious Matter Reports and other reporting and staff training records.
How long must AML documentation be kept?
Most AML documentation must be retained for at least seven years under AML/CTF requirements.
Who is responsible for AML documentation?
The reporting entity is responsible for maintaining AML documentation, typically overseen by the Board and Compliance Officers (even if external providers are used).
How should AML documentation be stored?
AML documentation should be stored securely, be easily accessible for audit or review, and align with privacy requirements, including considerations around data storage location and access controls.
Understanding your AML documentation requirements
The real challenge here for most businesses isn’t knowing what documents are required. It’s managing them consistently over time. Structure and the right system makes a big difference here. Instead of relying on manual processes, easyAML helps businesses centralise their AML documents, link them to their risk assessment and workflows, and maintain a clear audit trail across their entire compliance program.
You can get started for free, with no lock-in contracts, no credit card required and no commitments.
Get started now at https://easyaml.com/get-started/