Record Keeping

Record keeping is not just a regulatory requirement; it is the foundation of a defensible AML framework.

AIA expects firms to demonstrate that AML procedures are being followed. Records provide the audit trail needed to show:

  • Risk assessments were conducted
  • CDD and EDD checks were completed
  • Suspicious activity was identified and reported
  • Ongoing monitoring is in place

Without proper documentation, firms cannot prove compliance, even if procedures were followed.

In cases of suspected money laundering, law enforcement agencies may request access to client records. Accurate documentation helps:

  • Trace the source and flow of funds
  • Identify beneficial owners and control structures
  • Understand the rationale behind transactions

This can be vital in supporting criminal investigations or defending your firm’s actions.

Maintaining records allows firms to:

  • Track changes in client risk profiles
  • Identify patterns that may indicate financial crime
  • Escalate concerns appropriately

It also helps protect the firm from inadvertently facilitating illicit activity.

Under MLR 2017, firms must retain:

  • Identity verification documents
  • Risk assessments
  • Transaction records
  • Suspicious activity reports

These must be kept for at least five years after the end of the business relationship or the date of the transaction.

To meet AML obligations effectively:

  • Use secure digital systems to store and manage records
  • Ensure records are complete, accurate, and up to date
  • Implement access controls to protect sensitive data
  • Train staff on documentation standards and retention policies
  • Regularly review records to ensure ongoing compliance

Your records relating to AML may be inspected during your AIA Monitoring Visit.

Records relating to CDD, the business relationship and occasional transactions must be kept for five years from the end of the client relationship.

All records related to an occasional transaction must be retained for five years after the date of the transaction.

Unless there is a basis for retaining records beyond this period, they must be destroyed.

The 2017 Regulations do not specify the medium in which records should be kept, but they must be readily retrievable.

No retention period is officially specified for records relating to:

  • internal reports;
  • the MLRO’s consideration of internal reports;
  • any subsequent reporting decisions;
  • issues connected to consent, production of documents and similar matters;
  • suspicious activity reports and consent requests sent to the NCA, or its responses.

Since these records can form the basis of a defence against accusations of MLTF and related offences, businesses may decide that five years is a suitable retention period for them.

Businesses must be aware of the interaction between MLTF laws and regulations and the requirements of the Data Protection Regime. The Data Protection Regime requires that personal information be subject to appropriate security measures and retained for no longer than necessary for the purpose for which it was originally acquired.

Businesses must demonstrate their compliance with regulations that place a legal obligation on them to make sure that certain of their relevant employees and agents are (a) aware of the law relating to MLTF, and (b) trained regularly in how to recognise and deal with transactions and other events which may be related to MLTF.

These records should show the training that was given, the dates on which it was given, which individuals received the training and the results from any assessments.

Records related to internal and external SARs of suspicious activity are not part of the working papers relating to client assignments. They should be stored separately and securely as a safeguard against tipping off and inadvertent disclosure to someone making routine use of client working papers.

A business may arrange for another organisation to perform some of its AML-related activities, such as CDD or training. In that case, it must also ensure that the other party’s record keeping procedures are good enough to demonstrate compliance with the MLTF obligations, or else it must obtain and store copies of the records for itself. It must also consider how it would obtain its records from the other party should they be needed, as well as what would happen to them if the other party ceased trading.

Under Regulation 40 of the 2017 Regulations, once the specified expiration deadlines have passed, the business must delete any personal data unless:

  • the business is required to retain it under statutory obligation, or
  • the business is required to retain it for legal proceedings, or
  • the data subject has consented to the retention and the consent has been given in accordance with the GDPR.
