Definition
Record-keeping refers to the obligation to store and maintain records relating to customer identification, transactions, and compliance processes. In the UK, regulated businesses must retain these records for a set period — typically five years from the end of a business relationship or the date of a transaction — under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.
Why it matters
Proper record-keeping enables regulators, law enforcement, and the business itself to:
- Verify that due diligence procedures were followed.
- Trace transactions in the event of an investigation.
- Identify suspicious patterns or connections.
Failure to keep adequate records can result in regulatory fines, reputational damage, and difficulty defending against allegations of non-compliance.
How record-keeping works in AML/CTF compliance
- Customer identification – Keep copies of documents and information used to verify identity.
- Beneficial ownership – Store details of ultimate beneficial owners and related verification evidence.
- Transaction records – Maintain data on the nature, value, date, and parties to each transaction.
- Compliance activity – Document customer due diligence (CDD), enhanced due diligence (EDD), sanctions screening, and any suspicious activity reports (SARs).
- Retention period – Keep records for the legally required period (five years in most UK cases), then securely destroy them unless required for ongoing investigations.
Examples and use cases
- Bank – Retaining identity documents and transaction logs for all account holders.
- Law firm – Keeping client matter files, CDD evidence, and payment records for the retention period.
- High-value dealer – Maintaining sales records and AML checks for qualifying transactions.
- Payment provider – Archiving transaction data and fraud prevention records.
Mini-FAQ
Q: Can records be stored electronically?
A: Yes, as long as they are secure, retrievable, and meet regulatory standards for integrity and accessibility.
Q: Do I need customer consent to retain AML records?
A: No. AML record-keeping is a legal requirement and overrides certain data protection provisions, though retention periods must still be observed.