An email arrives from AUSTRAC or the NCA. They're investigating a past client and need all communications related to their onboarding and ongoing monitoring from 2022. Suddenly, your practice manager is scrambling. Key emails are in a former employee’s old mailbox, some are on a shared drive, and others are simply gone. The frantic search quickly reveals the gaps in your firm's email retention, turning a routine request into a compliance nightmare. This isn't just an inconvenience; it's a direct challenge to your firm's adherence to Anti-Money Laundering (AML) regulations, which mandate specific record-keeping for client identification and transaction monitoring, including all relevant email correspondence.
The Real Compliance Requirement for AML
Anti-Money Laundering (AML) legislation in Australia and the UK places strict obligations on professional services firms, including law firms, accounting practices, and financial advisers, to retain client identification and transaction records. These aren't vague guidelines; they are explicit legal mandates with significant penalties for non-compliance.
In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and its associated Rules govern these requirements. Specifically, Section 103 of the AML/CTF Act and Chapter 10 of the AML/CTF Rules require 'reporting entities' to keep records of customer identification procedures, transaction details, and suspicious matter reports. Lawyers and accountants are reporting entities when providing "designated services" like managing client funds, property, or companies. These records, which explicitly include "all correspondence," must be retained for 7 years from the date the transaction occurred or the business relationship ended. Failure to comply can result in substantial civil penalties, including fines up to AUD 2.22 million for individuals and AUD 22.2 million for corporations, as of 2026.
In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) are the primary legislation. Regulation 40 mandates that relevant persons—which include independent legal professionals and accountants—retain records of customer due diligence (CDD) measures and supporting evidence, as well as transaction records. The retention period is 5 years from the date the business relationship ends or the date of the occasional transaction. Non-compliance can lead to severe sanctions, including unlimited fines, imprisonment for up to two years, and reputational damage.
For both jurisdictions, "all correspondence" in this context means any email exchange directly related to client onboarding (Know Your Customer/KYC), risk assessment, source of funds/wealth verification, ongoing monitoring, and any suspicious activity reporting. This includes initial engagement emails, requests for documentation, follow-up queries, and internal discussions about client risk profiles.
What Most Small Firms Actually Do
In the absence of a dedicated compliance team, many small professional services firms rely on ad-hoc methods for email retention. A common approach involves saving critical emails as individual files in shared network drives, often stripping vital metadata in the process. Others might rely on individual staff members to keep "important" emails in their personal inbox folders, or worse, export large batches of emails to PST files once a year. Some mistakenly believe that their cloud email provider (like Microsoft 365 or Google Workspace) automatically provides a compliant archive.
These workarounds are precarious. PST files are notorious for corruption, are difficult to search across the entire firm, and often lack the tamper-evident properties required for compliance. Shared drives can be disorganised, incomplete, and easily manipulated. Relying on individual inboxes means crucial records vanish when an employee leaves, or if their mailbox is deleted. While cloud providers offer some basic retention, it's often not truly immutable, comprehensive, or easily auditable in the way regulators demand. When an AUSTRAC or NCA request arrives, these fragmented approaches inevitably break down, leaving firms unable to produce a complete, verifiable audit trail.
What Good Looks Like for AML Email Archiving
An audit-ready email archive for AML compliance goes far beyond simply saving emails. It's a robust system designed for integrity, completeness, and retrievability, ensuring you can meet regulatory demands without panic. Here's what good looks like:
- Continuous, Automated Capture: Every email, sent and received by all relevant employees, is automatically captured and archived in real-time. There's no reliance on manual saving, forwarding, or individual discretion, eliminating the risk of human error or oversight.
- Tamper-Evident, Immutable Storage: The archive must be WORM (Write Once, Read Many) compliant, meaning once an email is archived, it cannot be altered, deleted, or backdated. This immutability is critical for proving the authenticity and integrity of records to regulators. Audit trails should record every access or attempted modification.
- Full Metadata Preservation: Beyond the email content and attachments, the archive preserves all critical metadata: sender, recipients (To, Cc, Bcc), date and time sent/received, subject line, and unique message ID. This detail is essential for establishing context and authenticity during an investigation.
- Fast, Granular Retrieval: When a regulator asks for emails from a specific client, date range, or containing certain keywords, your system must be able to produce them quickly and accurately. This requires powerful search capabilities that can filter by sender, recipient, subject, date, and content across the entire firm's archive.
- Comprehensive Coverage: A compliant archive includes not just external client communications but also internal emails related to client due diligence, risk assessments, and decision-making processes, as these can be vital evidence in an AML investigation.
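The two properties above that auditors actually test, preserved metadata and tamper evidence, can be illustrated in a few lines. The following is an added example, not code from AutoArchive Mail or any product: it parses a constructed sample message, records the metadata fields listed above, and chains a SHA-256 hash of each raw message into an append-only log so that any later change to a stored message (or to the order of the log) is detectable on verification.

```python
import email
import hashlib
import json
from email import policy

# Constructed sample message for illustration only; not a real client email.
RAW_EML = b"""From: onboarding@example-firm.test
To: Client One <client.one@example.test>
Cc: partner@example-firm.test
Subject: KYC documents requested
Date: Tue, 15 Mar 2022 09:30:00 +1100
Message-ID: <kyc-0001@example-firm.test>

Please send certified copies of your passport and proof of address.
"""

# The metadata a regulator expects to see alongside the content.
METADATA_HEADERS = ("From", "To", "Cc", "Bcc", "Date", "Subject", "Message-ID")
GENESIS = "0" * 64  # hash of the (empty) previous record for the first entry


def extract_metadata(raw: bytes) -> dict:
    """Return the compliance-relevant headers; absent headers become empty strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {h: (str(msg[h]) if msg[h] is not None else "") for h in METADATA_HEADERS}


def archive_record(raw: bytes, prev_hash: str) -> dict:
    """Build one log entry: metadata, content hash, and a hash linking to the previous entry."""
    meta = extract_metadata(raw)
    content_hash = hashlib.sha256(raw).hexdigest()
    canonical = json.dumps({"meta": meta, "content": content_hash, "prev": prev_hash}, sort_keys=True)
    record_hash = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return {"meta": meta, "content_hash": content_hash, "prev_hash": prev_hash, "record_hash": record_hash}


def append(chain: list, raw: bytes) -> dict:
    """Append a message to the chain; each record commits to the one before it."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    chain.append(archive_record(raw, prev))
    return chain[-1]


def verify_chain(chain: list, raw_messages: list) -> bool:
    """Recompute every record from the stored raw messages; any edit or reordering fails."""
    prev = GENESIS
    for rec, raw in zip(chain, raw_messages):
        if rec["prev_hash"] != prev or archive_record(raw, prev)["record_hash"] != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return len(chain) == len(raw_messages)
```

In a real archive the record hashes would be written to WORM storage or periodically anchored (for example, signed and timestamped) so the chain itself cannot be silently rewritten.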
This level of integrity and functionality typically requires a dedicated email archiving solution. Tools like AutoArchive Mail capture emails directly from your mail server before they even hit an inbox, storing them in a secure, immutable, and easily searchable cloud archive. This ensures compliance without burdening your IT team or disrupting your daily workflow. You can start a free trial to see how it works.
The Practical Path Forward
Getting your firm's AML email archiving right doesn't have to be an overwhelming overhaul. Here's a practical, prioritised path:
- Review Your Current Policy (30 minutes): Start by asking: What's our current policy for retaining client-related emails? Who is responsible? For how long? If you don't have one, or it's vague, that's your first flag.
- Assess Your Existing Email Platform's Retention: For Microsoft 365 or Google Workspace users, explore their built-in retention policies (e.g., Microsoft Purview Compliance Portal). While often not fully immutable or easily searchable across an entire firm for audit purposes, configuring basic retention can be a quick win for preventing accidental deletion.
- Identify Critical Gaps: Based on your policy review and platform assessment, pinpoint where your firm is most vulnerable. Are emails from past employees gone? Can you easily find all KYC emails for a client from 2023?
- Consider a Dedicated Archiving Solution: For true AML compliance, especially if you handle high-risk clients or a significant volume of transactions, a dedicated email archiving solution is usually necessary. These systems provide the immutability, comprehensive capture, and advanced search capabilities that built-in cloud email features often lack. Evaluate options that integrate seamlessly with your existing email provider.
- Migrate Historical Data (If Feasible): If you have critical historical emails scattered in PSTs or old mailboxes, plan to migrate them into your chosen archiving solution. This centralises your data and makes it searchable.
- Establish a Retrieval Protocol: Once an archive is in place, document how you will respond to a regulatory request. Practice retrieving specific sets of emails to ensure the process is smooth and efficient.
- Ongoing Training & Review: Regularly remind staff about the importance of email record-keeping and how the archiving system works. Review your policies and systems annually to ensure they remain adequate for evolving regulatory landscapes.
If your firm has under 10 people and very low AML exposure (e.g., no designated services for high-risk clients), a simple, well-documented manual process combined with basic platform retention might be adequate for a short period. However, as soon as client volume or risk increases, or if you want true peace of mind, automated archiving becomes essential. For complex legal or accounting structures, or if you've faced prior compliance challenges, seeking advice from an AML compliance consultant or legal counsel is highly recommended.
Honest Limitation
This article focuses specifically on email archiving for AML compliance in Australia and the UK. It does not cover other critical record-keeping obligations your firm may have, such as physical document retention, call recording requirements, or other industry-specific regulations (e.g., ASIC's general financial advice record-keeping rules for 7 years, or specific state bar trust accounting rules), which also demand careful attention.
Ready to automate your email archiving?
AutoArchive Mail captures every email automatically — incoming and outgoing — with clean filenames and full .MSG preservation. 14-day free trial, no credit card required.