ECSH63620 - Regulation 40 - Record-keeping


Category Heading
Description
The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/40
What it means
A relevant person/business must keep copies of all the documents used to undertake CDD, including transaction paperwork, for at least five years.
This also applies to a relevant person/business who undertakes CDD on behalf of another relevant person/business. 
Purpose
To enable the business to demonstrate that they have been conducting CDD correctly.
Time Line
This was also a requirement under MLR2007 (regulation 19).
What to establish
40(2) The records kept must include:
* (a) the documents obtained to satisfy the CDD requirements of regulations 28, 29, 30A, 33, 34, 35, 36 & 37
* (b) supporting documents in respect of the transaction that brought about the need for CDD
40(3) The records should be kept for five years from the date:
* (a) the transaction is completed for an occasional transaction
* (i) a business relationship ends - transaction records
* (ii) a business relationship ends - CDD records
40(6) CDD undertaken by another person is still subject to 40(3)
40(7) Records of CDD undertaken by another person must be made available, by that person, upon request

How to test compliance and evidence to obtain
View historic CDD records and cross-reference them to transactions. Note the timing of checks, i.e. before completion of the transaction.
Data protection laws are not an excuse not to keep records.
If kept electronically, are the CDD records legible, especially for repeat customers?
Check that records kept are as stated in PCPs.
Scenario:
A UK TCSP advises that it forms companies for lots of “off the street” clients and once it has completed the company formation it does not have any further business relationship with that client. The TCSP disposes of all CDD it had obtained from its one-off client, 1 year and a day after the transaction took place. This is in breach of Regulation 40(1) in reference to Regulation 40(3) as the TCSP should have kept the records for at least 5 years after the forming of the company for its one-off client.
Best Practice
Sector specific information:
AMP
Commercial and personal confidentiality are an important feature of the art market, therefore some resistance to view records may be encountered.
ASP
Commercial and personal confidentiality are important to ASPs and therefore some resistance to view client lists/records may be encountered. The excuse of 'breaching GDPR' can be countered by reference to Reg 72(2).
EAB
When carrying out your intervention, if the records are not available, always check if the records could be held elsewhere. If records are not held, always ask why they are not available.
LAB
As per EAB above.
HVD
Due diligence may be limited to an exchange of standard business documentation or "due diligence pack". These will usually be emailed to new customers/suppliers and will contain copies of Certificate of Incorporation, VAT registration certificate and any other regime specific approvals (or the equivalent in another country).
Normal commercial documentation will support the transaction and should provide a full audit trail from order to payment, including invoices, storage/transportation documents, through to banking.
Records are retained for 6 years for tax purposes and therefore the retention period is likely to be adhered to.
MSB
Copies of CDD records obtained may be kept online via the "transmission portal".
TCSP
Commercial and personal confidentiality are important to TCSPs and therefore some resistance to view client lists/records may be encountered. The excuse of 'breaching GDPR' can be countered by reference to Reg 72(2).
Further Reading
Chapter 7 of CCAB AML Guidance 2020
Part 1, chapter 8 of JMLSG Guidance
Part II, section 7 of the BAMF AML guidance
Gov.UK Guidance - Money Laundering Regulations - Your Responsibilities
Chapter 6 of EAB Guidance
Chapter 6 of HVD Guidance
Chapter 7 of MSB Guidance
Regulation 18 Risk assessment by relevant persons
Regulation 19 Policies, controls and procedures
Regulation 27 Customer due diligence
Regulation 28 Customer due diligence measures
Regulation 30A Requirement to report discrepancies in registers
Regulation 33 Obligation to apply enhanced customer due diligence
Regulation 34 Enhanced customer due diligence: credit institutions, financial institutions and corresponding relationships
Regulation 35 Enhanced customer due diligence: politically exposed persons
Regulation 36 Politically exposed persons: other duties
Regulation 37 Application of simplified customer due diligence
Regulation 39 Reliance
Regulation 72 Provision of information and warrants: safeguards

FAQs
Can businesses cite Data Protection laws as a reason not to produce the required records?
Data protection laws are not an excuse not to keep and produce records.