Learning objectives

By the end of this module, you will: 

• Understand what regulators expect to see in your records, 

• How to document decisions rather than just outcomes, 

• How good recordkeeping supports audits, reviews, and regulatory inquiries. 

This module is designed to give you clarity on why your documentation should tell a clear and consistent story.

Introduction: Why records matter

Record keeping is how regulators understand what you did and why. Even strong AML controls can appear weak if they lack clear documentation.

This module focuses on creating records that explain decision-making, so you don’t make the mistake of producing paperwork just because. 

Good records protect your business by providing evidence of thoughtful, consistent action.

Section 1: What regulators expect to see

Regulators do not expect perfect documentation. They expect records that allow them to reconstruct key decisions. Again, the key is to show regulators thoughtful, consistent action.

At a minimum, regulators look for records that show:

• How customers were identified and assessed.

• How risks were evaluated and updated.

• How unusual activity was reviewed and resolved.

• How escalation and reporting decisions were made.

These records should also be easy to locate and consistent across cases. For a deeper look at the specific types of data points, from verification logs to correspondence, that constitute a 'complete' record, see this overview of AML record-keeping requirements.

Pause and reflect.

Think about how decisions are recorded today.

Would someone unfamiliar with the case understand why a decision was made?
If you reviewed the record in six months, would the reasoning still be clear?

Section 2: Documenting decisions, not just outcomes

One of the most common weaknesses regulators identify is documentation that records what happened without explaining why. Effective records explain the reasoning behind decisions. 

For example, if a case was reviewed and no report was filed, the record should explain exactly what led to that conclusion. 

Documentation should reflect the information available at the time the decision was made, not hindsight. Regulators assess judgment based on what you knew when you made the decision, not on what you know now.

Section 3: Record retention and accessibility

AML records must be retained for defined periods that vary by jurisdiction but generally follow a minimum standard of 5 years after the end of a business relationship or the completion of a transaction. The most accurate source is always the regulator in your country (e.g., FinCEN in the US, AUSTRAC in Australia, FCA in the UK, etc.).

Beyond retention, accessibility matters.

Records should be stored securely, protected from unauthorized access, and retrievable when needed. Disorganized or incomplete records undermine confidence in the AML program. Clear ownership of record management, on the other hand, helps ensure consistency and accountability. 

It all adds up, and the more you can prove that AML is a serious and central part of your daily activities, the more regulators will see you as a compliant organization when the time comes to verify your records. 

Section 4: Preparing for audits and regulator questions

Audits and regulatory reviews often focus on patterns rather than individual cases. Reviewers look for consistency across decisions and alignment with documented policies.

Strong audit readiness means being able to explain how your AML framework operates in practice and to demonstrate that records support that explanation.

Well-maintained records reduce the burden of audits and increase confidence in your controls.

Learning checkpoint: What good looks like after step 8

At the end of this module, you should be able to:

• Explain what records regulators expect to see.

• Show how decisions are documented and supported.

• Demonstrate consistent record retention and access controls.

• Confidently respond to audit or regulator questions using documentation.

If your records clearly explain how and why decisions were made, you are meeting regulatory expectations at this stage.

Preparing for step 9

In the next module, you will focus on training, ownership, and accountability to ensure AML responsibilities are clearly understood across the organization.

Further reading & resources:

• The record keeping guide

• The 9 essential AML data types

• The biggest AML fines in 2025