Skip to main content
  • 9. Record Keeping

    • 9.1 Obligations and Timeframe for the Retention and Availability of Records

      (AML-CFT Law Articles 16.1(a),(f); AML-CFT Decision Articles 7.2, 24, 36, 37.3)

      FIs are obliged to maintain detailed records, documents, data and statistics for all transactions, all records obtained through CDD measures, account files and business correspondence, and results of any analysis undertaken, as well as a variety of record types and documents associated with their ML/FT risk assessment and mitigation measures, as specified in the relevant provisions of the AML-CFT Decision (see Section 9.2, Required Record Types). FIs are required to maintain the records in an organized fashion so as to permit data analysis and the tracking of financial transactions, and to make the records available to the Competent Authorities immediately upon request. They should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. All CDD information and transaction records should be available swiftly to Competent Authorities upon appropriate authority.

      The statutory retention period for all records is at least five (5) years, depending on the circumstances, from the date of the most recent of any of the following events:

      Termination of the Business Relationship or the closing of a customer’s account with the FI;
       
      Completion of an occasional transaction (in respect of a customer with whom no Business Relationship is established);
       
      Completion of an inspection of the records by the Supervisory Authorities;
       
      The issue date of a final judgment by the competent judicial authorities;
       
      Liquidation, dissolution, or other form of termination of a legal person or arrangement.
       

      Without prejudice to the above, FIs should note that it is the prerogative of the Competent Authorities to require the retention of the records of any FI, whether data, statistics, or records pertaining to a specific customer or transaction or to general categories of customers or transactions which they deemed to be of interest, for a longer period of time at their own discretion.

      In order to fulfil their record-keeping obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Examples of the factors which FIs should give consideration to when formulating the relevant policies, procedures and controls, include but are not limited to:

      Organisational roles and responsibilities in regard to the ML/TF business risk assessment, implementation, review and updating of AML/CFT policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
       
      Organisational roles and responsibilities in relation to record-keeping (including logging, cataloguing and organisation, archiving, handling and transferring of records and documents, as well as of the destruction of expired records) of CDD information and transactions;
       
      Physical and cyber security, and the protection of active and archived data and records from unauthorised access;
       
      Appropriate audit and quality assurance testing policies.
       
    • 9.2 Required Record Types

      (AML-CFT Law Articles 16.1(a),(b),(f); AML-CFT Decision Articles 7.2, 24)

      The AML-CFT Law and AML-CFT Decision oblige FIs to retain several types of records, which can be classified broadly into the following categories:

      Transaction Records. This category relates to operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature.
       
      CDD Records. This category relates to records, documents, and information about customers, their due diligence, and the investigation and analysis of their activities, and can be further divided into sub-categories such as records pertaining to:
       
      -Customer Information, including account files and business correspondence, and results of any analysis undertaken
      -Company Information
      -Reliance on Third Parties to Undertake CDD
      -Ongoing Monitoring of Business Relationships
      -Suspicious Transaction Reports (STRs)
       

      Additional guidance related to these record types is provided in the following sub-sections.

      • 9.2.1 Transactions

        (AML-CFT Law Articles 16.1(f); AML-CFT Decision Articles 24.1-3, 28.1-2, 29.4)

        FIs are obliged to retain the operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature, and irrespective of the type of customer and whether or not a Business Relationship is maintained, for a minimum period of five (5) years. Some examples of the type of records, documents and information which must be retained include but are not limited to:

        Customer credit or debit advices, and transaction orders or applications (including those for cash deposits or withdrawals, currency exchange transactions);
         
        Credit-related documentation, including loan or guarantee applications, agreements, amendments and supporting documents, disbursement or repayment records, collateral pledges, letter of credit documentation, promissory notes;
         
        Deal tickets, trade blotters and ledgers, settlement and dividend payment records related to foreign exchange, securities dealing or investing transactions;
         
        Escrow or fiduciary account transaction records;
         
        Insurance policy premiums, pay-outs, and related transaction records and documents;
         
        Money transfer records, including book transfers orders, and domestic and cross-border wire transfer orders, and their related originator and beneficiary records;
         
        Statistics and analytical data related to customers’ financial transactions, including their monetary values, volumes, currencies, interest rates, and other information.
         

        In addition to the above, FIs should compile notes on any particularly large or unusual transactions, and keep these notes as part of their records. In particular, FIs licensed by the Central Bank must examine the background and purpose of all complex, unusual large transactions and all unusual patterns of transactions, which have no apparent economic or lawful purpose, and document their findings in writing. This includes transactions that are not considered necessary to be reported as suspicious. These findings must be maintained for inspection by the Central Bank for a period of at least five years.

      • 9.2.2 Customer Information

        (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 24.2-4, 27.7, 28.1-2, 29.4, 37.1-3)

        FIs are required to retain all customer records and documents obtained through the performance of CDD measures in relation to Business Relationships, including customers, Beneficial Owners, beneficiaries, or other controlling persons. Examples of such records include but are not limited to:

        Customer account information and files;
         
        Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls);
         
        Copies of personal identification documents, CDD (including EDD and SDD) forms, profiles and supporting documentation, and results of due diligence background searches, queries and investigations;
         
        Customer risk assessment and classification records.
         
      • 9.2.3 Company Information

        (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 8.1(b), 9.1, 34-36)

        The AML-CFT Decision provides that the administrators, liquidators, or any other stakeholders involved in the dissolution of a company are obliged to retain the records, documents and information specified in the relevant articles for a minimum period of five (5) years from the date of its dissolution, liquidation or termination. These records pertain to corporate documents as well as to information on Beneficial Owners, legal shareholders, and senior managers. Such records include but are not limited to documents and information concerning:

        Company formation, registration, deregistration, liquidation, dissolution or expiry, including documents such as share registers, memoranda and articles of association, deeds of settlement and foundation charters, or similar documents, along with any amendments to them (whether the organisation is for-profit or not-for-profit);
         
        Changes to company information, such as name, registered address, legal representatives and corporate officers (directors, company secretary), or legal form;
         
        Identification and identity verification documents related to Beneficial Owners, shareholders, nominee shareholders, directors and senior management officers and, in the case of Legal Arrangements, settlors or founders, protectors, beneficiaries, trustees or executors, governing council or committee members, or similar controlling persons.
         

        In order to fulfil their statutory record-keeping obligations in this regard, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records when they dissolve or liquidate companies in which they hold a controlling interest. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation (see Section 9.1, Obligations and Timeframe for the Retention and Availability of Records for additional guidance concerning policies, procedures, controls and statutory retention periods related to record-keeping and data protection).

      • 9.2.4 Reliance on Third Parties to Undertake CDD

        (AML-CFT Law Article 16.1(b); AML-CFT Decision Articles 24.2-4, 19.1(b)-2(a))

        FIs that rely on third parties, whether unaffiliated or members of their own financial groups, are obliged to ensure that copies of all the necessary documents collected through the performance of CDD measures can be obtained upon request and without delay, and that the third parties adhere to the record-keeping provisions of the AML-CFT Decision. See Section 9.2.2, Customer Information above for examples of such records.

        In order to fulfil their statutory obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the assessment, monitoring, and testing of third parties’ record-retention frameworks. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Some of the factors to which FIs should give consideration when formulating relevant policies, procedures and controls include but are not limited to:

        Organisational roles and responsibilities in regard to the assessment, monitoring and testing of the third party’s policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
         
        Organisational roles and responsibilities for the implementation of service-level agreements with third parties governing the provision of record-keeping services;
         
        Operational procedures related to request and transfer of records and documents, as well as their physical and cyber security, and the protection of active and archived data and records from unauthorised access;
         
        Appropriate audit and quality assurance testing policies related to the monitoring and testing of the third-party’s record-retention framework.
         
      • 9.2.5 Ongoing Monitoring of Business Relationships

        (AML-CFT Law Article 16.1(b),(f); AML-CFT Decision Article 24.2-4)

        FIs are required to retain all customer records and documents obtained through the ongoing monitoring of Business Relationships. Examples of such records include but are not limited to:

        Transaction review, analysis, and investigation files, with their related correspondence;
         
        Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls) related to those transactions or their analysis and investigation;
         
        CDD records, documents, profiles or information gathered in the course of reviewing, analysing or investigating transactions, as well as transaction-related supporting documentation, including the results of background searches on customers, Beneficial Owners, beneficiaries, controlling persons, or counterparties to transactions;
         
        Transaction handling decisions, including approval or rejection records, together with related analysis and correspondence.
         
      • 9.2.6 Suspicious Transaction Reports (STRs)

        (AML-CFT Law Article 16.1(f); AML-CFT Decision Articles 24.2-4)

        FIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed. Such records relate to both internal STRs and those filed with the FIU, and include but are not limited to:

        Suspicious transaction indicator alert records, logs, investigations, recommendations and decision records, and all related correspondence;
         
        Competent authority request for information, correspondent bank requests for assistance, and their related investigation files and correspondence;
         
        CDD and Business Relationship monitoring records, documents and information obtained in the course of analysing or investigating potentially suspicious transactions, and all internal or external correspondence or communication records associated with them;
         
        STRs (internal and external), logs, and statistics, together with their related analysis, recommendations and decision records, and all related correspondence;
         
        Notes concerning feedback provided by the FIU with respect to reported STRs, as well as notes or records pertaining to any other actions taken by, or required by, the FIU.