Most firms approach record keeping with a simple instinct: keep everything, forever, just in case. For AML/CTF, that instinct is now wrong, and acting on it can put you on the wrong side of two different laws at once.
Since the AML/CTF rules were amended, the record-keeping obligation and the privacy obligation pull in opposite directions on one specific thing: copies of your clients' identity documents. Getting this right is not hard, but it does require unlearning the "hoard it all" habit.
The rule that changed
The old approach was to scan a client's driver licence or passport, file the image, and hold it for the retention period. Under the amended AML/CTF Act (the narrowing of the section 111 record-keeping obligation, which applies to Tranche 2 firms from 1 July 2026), you are no longer required to retain a copy of the identification document itself.
What you are required to keep is the record of the information you relied on and the verification you carried out: the client's name, date of birth and address, the document type and number, the fact that you verified it, how, and when. The photocopy or scan of the licence is not part of that requirement.
That single change has a sharp consequence. If the AML/CTF Act does not require you to hold the document image, then Australian Privacy Principle 11.2 steps in and says the opposite: you must destroy or de-identify personal information once you no longer need it. An identity document scan you are keeping "just in case", with no legal basis to hold it, is not a safe archive. It is a privacy exposure sitting in your files, and identity documents are exactly the kind of data that turns a small breach into a serious one.
What you must keep for seven years
Retention has not gone away. For each client you provide a designated service to, you still keep, for seven years, the records that show you met your obligations:
- The identity information you collected and verified: name, date of birth, residential address, the document type and number, and the outcome of verification (verified, could not be confirmed, and by what method).
- Your customer due diligence records: the risk you assessed for the client, the basis for it, and any enhanced due diligence you carried out.
- Your transaction records for the designated services provided.
- Your AML/CTF program and any changes to it, plus governance records like your compliance officer appointment.
- Staff training records and any independent review or audit results.
Seven years runs from when the record was made or the business relationship ended, whichever is later. The point of these records is that if AUSTRAC ever asks, you can show what you did and why. None of that requires the raw document image.
What you should now destroy
Once identity is verified and the verification record is captured, the document image has done its job. Holding it longer is retaining personal information you have no obligation to keep, which APP 11.2 asks you to dispose of.
In practice that means:
- Scans and photocopies of driver licences, passports and other identity documents collected purely to verify identity, once the verification outcome is recorded, should be securely destroyed or de-identified rather than archived indefinitely.
- Selfies or images from an electronic verification step sit with your verification provider under their terms; you should not be building your own separate library of them.
There is a transition allowance. Identity documents collected before the changes took effect can be handled under the previous rules, and AUSTRAC expects reasonable steps proportionate to your size rather than an overnight purge. But the direction is clear, and a documented destruction process is now part of doing this properly.
The distinction that keeps you safe
The line to hold onto is this: keep the record of the check, not the raw material of the check.
The information you extracted and the verification you performed is your evidence, and it is what the seven-year rule protects. The document image is the source you verified against, and once you have recorded the outcome, keeping it is a liability rather than a protection. Firms that treat "we kept a copy of everything" as diligence are, under the amended rules, quietly accumulating the opposite.
Making it a process, not a habit
The safe version of this is not a judgment call made client by client. It is a standing part of your program: verify identity, record the details and the outcome, and have a defined point at which the document image is destroyed or de-identified. Written down, applied consistently, and logged, so that both your AML/CTF file and your privacy position are defensible at the same time.
AML Mate is built around this distinction. When you verify a client, the identity details and the verification outcome are captured as the record you keep for seven years, which is what the AML/CTF Act actually asks for. And when you use electronic identity verification, the document images and selfie stay with the verification provider rather than landing in your own files, so the check is done without you starting a private library of licences and passports. Compliance and privacy should not be in tension in your filing, and with the record separated from the raw document, they are not.
