AMLG11700 - Guidance for all sectors: Record Keeping
17. Record Keeping
You must retain records concerning customer identification and transactions as evidence of the work you have undertaken in complying with your obligations under the Regulations, as well as for use as evidence in any investigation conducted by HMRC.
Where you have an appointed representative, use agents, or delegate responsibility for your record keeping to a third party in any way, it is important to remember that it is ultimately your responsibility to comply with your record keeping obligations and you must therefore ensure that any such third party keeps your records in accordance with those obligations.
What are your record keeping obligations?
Your business has specific record keeping obligations as set out in Regulation 40 under which you must keep the following records:
- Copies of any documents and information obtained by you to satisfy the customer due diligence requirements, including EDD and SDD.
- Sufficient supporting records (consisting of the original documents or copies) in respect of a transaction (whether or not the transaction is an occasional transaction) which is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.
How long must you retain these records?
Records of identification evidence and supporting documentation to reconstruct the transaction must be kept for a period of five years after the business relationship with the customer has ended, or the transaction is complete in the case of an occasional transaction.
Upon the expiry of the five-year period, you must delete any personal data unless:
- You are required to retain records containing personal data by, or under, any enactment, or for the purposes of any court proceedings; or
- You have reasonable grounds for believing that records containing the personal data need to be retained for the purpose of legal proceedings; or
- The data subject has given consent to the retention of that data.
Groups, branches and subsidiary undertakings
Where documents verifying the identity of a customer are held in one part of a group, they do not need to be held in duplicate form in another. The records do, however, need to be accessible to the nominated officer, compliance officer and where they may be called upon by HMRC to produce them.
When an introducing branch or subsidiary undertaking ceases to trade or have a business relationship with a customer, as long as the customer’s relationship with other group members continues, particular care needs to be taken to retain, or hand over, the appropriate customer records. Similar arrangements need to be made if a company holding relevant records ceases to be part of the group. This will also be an issue if the record keeping has been delegated to a third party.
Businesses involved in mergers, take-overs or internal reorganisations
Businesses involved in mergers, take-overs or internal reorganisations need to ensure that when changing computer systems and physical storage arrangements, the records keeping obligations are still complied with.
You should ensure you are able to retrieve required records without undue delay.
Records held outside of the UK
Where records are held outside the UK, it is the responsibility of the UK business to ensure that the records meet UK requirements and are readily available when HMRC require them to be produced.
Additional record keeping requirements
As well as your record keeping obligations in relation to customer identification, and transactions, the regulations require you to keep various other records which have been set out in this guidance including records of the following:
- Your risk assessment (see AMLG1800).
- Your policies, controls and procedures, and any changes to those PCPs together with steps taken to communicate them throughout your business (see AMLG1900). Actions taken under the internal and external reporting requirements
- The measures you have taken to comply with your training obligations and the training that you have provided (see AMLG11030).
Records of internal and external reporting
You should make and retain:
- Records of actions taken under the internal and external reporting requirements; and
- When the nominated officer has considered information or other material concerning possible money laundering, but has not made a report to the NCA, a record of the other material that was considered.
In addition, copies of any SARs made to the NCA should be retained. Records of all internal and external reports should be retained for at least five years from the date the report was made.
Your records in relation to compliance monitoring should include:
- Reports by the nominated officer or compliance officer to senior management; and
- Records of consideration of those reports and of any action taken as a consequence.