With Tranche 2 approaching, most conversations are focused on enrolment deadlines, AML programs, and customer due diligence procedures. But very few accountants are asking the question that actually keeps them up at night:
"Where am I supposed to store all these passports, licences, trust deeds, and company documents?"
AML compliance doesn't just mean paperwork. It means your firm is now responsible for handling the most sensitive identity documents your clients own. And that creates a data custodianship responsibility that most accounting practices have never had to think about before.
AML/CTF law requires you to record what you verified and retain those records for at least seven years. It does not require you to centralise client identity documents on a third-party cloud platform. Best practice is to store documents within your firm's existing secure systems — and use SimpleAML to maintain the compliance register of what was checked, when, and by whom.
You Are Now a Custodian of Identity Data
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, you must collect identification information and retain records of your verification process for at least seven years. That means maintaining records relating to:
- Passports and driver licences — type, number, country of issue, verification outcome
- Trust deeds and company constitutions — sighted, reviewed, and confirmed
- Beneficial ownership structures — who controls the entity and how
- Proof of address and source of funds
- Sanctions and PEP screening results — provider, date, outcome, reference ID
This is not ordinary client data. This is identity-grade data. If it is mishandled, lost, or breached, the consequences extend well beyond a compliance issue — into Privacy Act liability and serious reputational harm to your practice.
The law requires records of verification — not copies of documents. AUSTRAC requires you to record that you sighted a passport, verified the details, and screened the individual. It does not require you to retain a scanned copy of the passport itself. Understanding this distinction matters when choosing how to structure your CDD process.
The Mistake Many Firms Are About to Make
Many AML software platforms are built as cloud document vaults. They encourage firms to upload CDD documents directly into their servers — passports, licences, deeds, company extracts — all centralised in one place for convenience.
This sounds practical. Until you think about what it actually means.
Uploading identity documents to a cloud document vault means:
- Client identity documents on third-party servers
- Outside your firm's direct control
- Centralised target attractive to attackers
- Dependent on vendor's security practices
- Privacy Act implications for offshore storage
- Data loss risk if vendor changes or closes
Keeping identity documents in your firm's own systems means:
- Documents stay within your firm's environment
- You control access and retention
- Fits within your existing security policies
- No new third-party data exposure
- Compliance register separate from document storage
- 7-year retention under your own governance
The question every firm should ask before adopting any AML platform is simple: "Where will my clients' passports and licences actually live?" If the answer is a server you don't control, that is a risk worth examining carefully.
Best Practice for AML Identity Record-Keeping
Good AML practice is not about uploading everything into a new system. It is about having a clear, documented process that separates two distinct functions:
The register — a record of what was verified, when, by whom, and with what outcome. This is what AUSTRAC will ask to see in an audit. It proves your firm conducted CDD properly.
The cabinet — your firm's secure document storage, where underlying evidence is held if required. This stays in your environment — SharePoint, a practice server, a document management system — accessible only to authorised staff.
- Verify identity documents in person or via an approved electronic method
- Record the verification outcome — ID type, number, date verified, staff member, result
- Screen individuals against sanctions and PEP databases — record provider, date, result, reference ID
- Store any underlying document copies in your firm's own secure systems
- Restrict access to CDD records to authorised AML staff only
- Maintain records for a minimum of seven years from the end of the client relationship
Why SimpleAML Is Designed Differently
SimpleAML was built specifically for accounting firms who were uncomfortable with the idea of uploading client identity documents into external platforms. The design decision was deliberate: SimpleAML stores compliance records locally in your browser, meaning nothing is transmitted to SimpleAML servers.
That means:
- No client data is held on SimpleAML's servers — ever
- Your compliance register stays on the device where you use it
- You decide where your firm's document copies are stored
- SimpleAML records the CDD process — not the documents themselves
What SimpleAML records: the ID type and number sighted, verification date and outcome, screening provider and result, the staff member who conducted the check, and the next review date. What SimpleAML does not store: scanned copies of passports, licences, or any identity document. Those stay where they belong — in your firm's systems.
One Important Thing to Understand About Local Storage
Local browser storage is not a document vault, and it is worth being clear about what that means in practice.
Because SimpleAML stores data locally in your browser, the security of your compliance records is directly tied to the security of the device and browser you use. This means:
- If you clear your browser data, your SimpleAML records will be lost — use the built-in backup function regularly
- If another person has access to your device and browser, they may be able to access your SimpleAML data
- Records are device-specific — they will not automatically appear on another computer
- SimpleAML cannot recover your data if it is lost — you are responsible for maintaining backups
Use the Account Backup feature. SimpleAML includes a built-in export function that saves your entire compliance register as a JSON file. Download a backup regularly and store it in your firm's document management system alongside your other AML records. Treat it the same way you treat any seven-year retention obligation.
Local storage means SimpleAML never sees your data. But it also means your firm is responsible for protecting it. Use it on a secured, access-controlled device, keep regular backups, and restrict browser access to authorised staff — the same discipline you would apply to any sensitive client file.
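The following JavaScript is an added illustration, not SimpleAML's own code, of the register-versus-cabinet split laid out in the record-keeping steps above and of the local-storage caveats in this section. A register entry carries only the fields the article lists (ID type and number, dates, staff member, outcomes, screening reference, and a pointer to where the firm holds the evidence); anything that looks like document content is rejected; the register persists in browser localStorage; a JSON backup can be exported and re-imported on another device; and the seven-year retention date is computed from the end of the client relationship. The storage key, the field names, the sample record values and the in-memory fallback used when no localStorage exists are all assumptions made for this example.

```javascript
// Added example, not SimpleAML's code: a "register, not cabinet" compliance
// register kept in browser storage, with JSON backup export and import.
// Assumptions: the storage key, the field names, and a Map-backed shim used
// when localStorage does not exist (so the file also runs under Node).

const REGISTER_KEY = "cdd-register";  // assumed storage key
const RETENTION_YEARS = 7;            // AML/CTF Act minimum retention period
const MAX_FIELD_LENGTH = 200;         // names and ID numbers are short; scans are not

// Storage adapter: real localStorage in a browser, otherwise an in-memory shim.
const memoryStore = new Map();
const storage = typeof globalThis.localStorage !== "undefined"
  ? globalThis.localStorage
  : {
      getItem: (k) => (memoryStore.has(k) ? memoryStore.get(k) : null),
      setItem: (k, v) => { memoryStore.set(k, String(v)); },
      removeItem: (k) => { memoryStore.delete(k); },
    };

// The only fields an entry may carry: what was verified, when, by whom, with
// what outcome, and where the firm keeps the evidence. There is deliberately
// no field for a scan or file, so the register cannot quietly become the cabinet.
const ALLOWED_FIELDS = new Set([
  "clientName", "idType", "idNumber", "countryOfIssue",
  "verifiedOn", "verifiedBy", "verificationOutcome",
  "screeningProvider", "screenedOn", "screeningResult", "screeningReference",
  "nextReviewOn", "documentLocation",
]);
const REQUIRED_FIELDS = ["idType", "idNumber", "verifiedOn", "verifiedBy", "verificationOutcome"];

function loadRegister() {
  const raw = storage.getItem(REGISTER_KEY);
  return raw === null ? [] : JSON.parse(raw);
}

function saveRegister(records) {
  storage.setItem(REGISTER_KEY, JSON.stringify(records));
}

// Validate and append one verification record; returns the new register size.
// Unknown keys, non-string values and oversized values (the signature of a
// base64-encoded document image) are rejected rather than silently stored.
function recordVerification(record) {
  for (const [key, value] of Object.entries(record)) {
    if (!ALLOWED_FIELDS.has(key)) throw new Error(`field not permitted in register: ${key}`);
    if (typeof value !== "string") throw new Error(`field must be a string: ${key}`);
    if (value.length > MAX_FIELD_LENGTH) throw new Error(`value too long for a register entry: ${key}`);
  }
  for (const key of REQUIRED_FIELDS) {
    if (!record[key]) throw new Error(`missing required field: ${key}`);
  }
  const records = loadRegister();
  records.push({ ...record });
  saveRegister(records);
  return records.length;
}

// Serialise the whole register as a JSON backup. Records are device-specific
// and vanish when browser data is cleared, so this file is the copy that
// survives; it still contains identity numbers and belongs in the firm's
// access-controlled document system, not in a downloads folder.
function exportBackup() {
  return JSON.stringify({ exportedAt: new Date().toISOString(), records: loadRegister() }, null, 2);
}

// Restore a backup on this device (e.g. a new computer); returns records restored.
function importBackup(json) {
  const parsed = JSON.parse(json);
  if (!Array.isArray(parsed.records)) throw new Error("backup has no records array");
  saveRegister(parsed.records);
  return parsed.records.length;
}

// Earliest date a record may be destroyed: seven years from the end of the
// client relationship, not from the verification date. A 29 February end
// date rolls forward to 1 March in the non-leap target year.
function retainUntil(relationshipEndedOn) {
  const d = new Date(relationshipEndedOn + "T00:00:00Z");
  d.setUTCFullYear(d.getUTCFullYear() + RETENTION_YEARS);
  return d.toISOString().slice(0, 10);
}

// Constructed sample entry with fictitious values, showing the intended shape.
const SAMPLE_RECORD = {
  clientName: "Example Pty Ltd (director)",
  idType: "passport",
  idNumber: "PA0000000",
  countryOfIssue: "AU",
  verifiedOn: "2026-07-01",
  verifiedBy: "staff-initials",
  verificationOutcome: "verified in person",
  screeningProvider: "example screening service",
  screenedOn: "2026-07-01",
  screeningResult: "no match",
  screeningReference: "REF-EXAMPLE-1",
  nextReviewOn: "2027-07-01",
  documentLocation: "DMS://Clients/Example/CDD",  // pointer to the cabinet, not the file
};
```

Run it in a browser console to use real localStorage, or under Node, where the in-memory shim takes over. The rejection of long or non-string values is the practical safeguard behind the article's point: once a passport scan lands in browser storage, the register has become an unprotected cabinet on a device that anyone with access to the browser profile can read, which is exactly the exposure the backup-and-restrict-access advice above is meant to avoid.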
You Keep the Documents. SimpleAML Keeps the Evidence.
This is the core design principle behind SimpleAML, and it reflects how AUSTRAC actually thinks about CDD record-keeping.
AUSTRAC wants to see that your firm has a documented, repeatable process for identifying clients and screening them for risk. It wants a clear audit trail — who was checked, when, by whom, with what result. It does not require that all underlying identity documents live in a centralised external system.
SimpleAML gives you that audit trail. Your existing document systems give you the cabinet. Together, they give you a complete, defensible CDD record without creating new data security risks in the process.
Before You Choose Any AML Platform
As Tranche 2 rolls out, many firms will adopt AML tools without asking the right questions about where their client data will actually end up. The convenience of cloud document storage is real — but so is the risk of centralising your clients' most sensitive identity information outside your control.
Before choosing any system, ask:
- Where will my clients' identity documents be stored — on whose servers?
- What happens to my data if this vendor closes or is acquired?
- Does this platform comply with the Australian Privacy Act for offshore data storage?
- Am I required to upload document copies, or just record the verification outcome?
- Can I export my compliance records in a format I control?
AML compliance should strengthen your firm's data governance — not create new exposure. The right tool fits within your existing security posture, not around it.
SimpleAML — the register, not the cabinet
SimpleAML records your CDD process locally in your browser. Nothing is uploaded to our servers. Your documents stay in your firm's systems. Your compliance register stays under your control. Free, no account required.