
Record-keeping requirements under AML/CTF law

Learn about your record-keeping requirements under the new AML/CTF laws

Under the AML/CTF Act, you must keep records of your compliance checks for 7 years — and Workflow stores all of them automatically.

What records you must keep

The law requires you to retain four categories of records:

  • Customer Due Diligence (CDD) records — the identity verification you conducted, including copies of the documents used

  • Transaction records — details of the designated service you provided (e.g., the property sale or legal matter)

  • Risk assessment results — the completed risk assessment for each client and transaction, including the score and outcome

  • Identity verification results — the outcome of the verification check, including any PEP or adverse media flags and your response to them

Workflow creates and stores all of these automatically as part of each case.

How long you need to keep them

You must retain records for 7 years from the date the business relationship ends — not from when the check was done.

This distinction matters. If you verify a client in 2026 and they remain a client (through repeat transactions) until 2030, your 7-year clock starts in 2030 — meaning you must retain those records until 2037.

In practice, this means records for active clients are subject to an ongoing retention obligation. Workflow does not automatically delete records, so your data remains accessible for as long as you need it.

How Workflow helps you meet this obligation

Workflow's case workspace captures all required records in one place:

  • Identity verification results are saved automatically when a check is completed — including the outcome, document scans, and any notes on a pass or fail

  • Risk assessment results are saved to the case the moment you submit them

  • Documents (such as source of funds or source of wealth documentation) are stored in the Documents tab of each case

  • The case history and audit trail log every action taken on a case, including who did what and when

You do not need to manually export or file anything. Workflow's built-in structure is designed to satisfy AUSTRAC's record-keeping requirements.

What happens at audit time

When your auditor reviews your records, they can log in directly to Workflow and access case history, risk assessment results, verification reports, and uploaded documents. The audit trail in each case shows a timestamped log of every action.

You do not need to prepare separate spreadsheets or printed files. Your Workflow account is the record. Simply invite the auditor from your Settings > Team member page by adding their email.

If a client's business relationship is unclear

If you're unsure whether a business relationship has ended, treat it as ongoing and maintain the record. When in doubt, retain.


This article provides general information only and is not legal advice.
