Entities regulated under Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) compliance are mandated to maintain records of documents related to their AML/CFT/CPF compliance obligations. Record-keeping is the process of creating, collecting, and maintaining accurate records and storing them in a way that they are easily accessible, retrievable, and verifiable.
The AML/CFT/CPF regulatory regime of various countries lists the specific documents that must be maintained as part of the entities’ record-keeping requirements.
This blog is the ultimate guide to AML/CFT/CPF record-keeping, answering various questions about record-keeping, including what records to maintain, time period, and other requirements.
Legal and Regulatory Framework
The Financial Action Task Force (FATF) is a global ML/TF and PF watchdog and AML/CFT/CPF standards-setter. FATF’s 40 Recommendations provide a comprehensive AML/CFT/CPF framework that aims to help countries effectively mitigate Money Laundering, Terrorism Financing, and Proliferation Financing (ML/TF and PF) through effective AML/CFT/CPF laws and regulations.
Recommendation No. 11 discusses record-keeping as an essential component of AML/CFT/CPF compliance. It states that the required records should be maintained for at least five years to enable entities to comply with the information requests of competent AML/CFT/CPF regulatory authorities. This helps regulatory authorities to reconstruct transactions for investigation or prosecution purposes.
This Recommendation has been adopted by countries all over the world. To illustrate, the following table lists some countries, their AML/CFT/CPF laws, and the time period for record-keeping in these countries.
Legal and Regulatory Framework Across the Globe for AML Record-Keeping
|
Country
|
Regulation
|
Time Period for Maintenance of Records
|
Australia |
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 |
7 Years |
India |
Prevention of Money-Laundering Act, 2002 and Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 |
5 Years |
Nigeria |
Money Laundering (Prevention and Prohibition) Act, 2022 and Economic and Financial Crimes Commission (Anti-Money Laundering Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction for Designated Non-Financial Businesses and Professions, and Other Related Matters) Regulations, 2024 |
5 Years |
Singapore |
Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, Terrorism (Suppression of Financing Act 2002) and other AML/CFT/CPF laws for specific sectors |
5 Years |
United Arab Emirates (UAE) |
Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations |
5 Years |
United Kingdom (UK) |
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 |
5 Years |
Types of Records to Maintain
FATF’s Recommendation No. 11 suggests that the following documents should be maintained as part of the AML/CFT/CPF record-keeping compliance obligation:
- Records on transactions, both domestic and international
- All documents obtained during the Customer Due Diligence (CDD) process, such as official identification documents
- Account files
- Business correspondence
- Results of any analysis undertaken (for example, analysis of unusual or large transactions)
FATF recommends that these documents should be maintained for at least five years, after the end of the business relationship with the customer, or after an occasional transaction has ended.
Based on this, the following countries have provided that the following documents should be maintained as part of the record-keeping obligation under AML/CFT/CPF laws of that country:
AML Records to be Maintained Across Various Countries
|
Country |
Types of Records to Be Maintained |
Australia |
- Transactions records
- Customer Identification Procedures or KYC, what was done to identify the customer and customer information, records related to requesting information from Document Verification Services, Credit Reporting Agencies, licensed financial advisors, other members of the entity’s Designated Business Group, etc.
- AML/CTF Program, including the date of adoption of the program, approval of the program, any changes to the program
- International Electronic Funds Transfer Instructions
- For Remittance Service Providers and Digital Currency Exchange Service Providers: Registration details, details of national police certification for all key personnel, details of business and management structure, etc.
- For Financial Institutions: Records of due diligence assessments of a correspondent banking relationship.
|
India |
- Records of transactions, including:
- Cash transactions above INR 10 lakhs
- Series of connected cash transactions totalling, individually valued below INR 10 lakhs, taking place within a month, with monthly aggregate being more than INR 10 lakhs
- Receipts by Non-Profit Organisations of value more than INR 10 lakhs
- Cash transactions where counterfeit currency has been used
- Suspicious transactions
- Credits and debits from non-monetary accounts
- Money transfer or remittance to third-party beneficiaries
- Cross-border wire transactions above INR 5 lakhs
- Purchase and sale of immovable property above INR 50 lakh
- KYC documents, including account files and business correspondence relating to the client.
|
Nigeria |
- Transaction records, both domestic and international, including the risk profile of customer or Beneficial Owner, nature and date of the transaction, type and amount of currency involved, official documents collected, business correspondence, analysis of documents, etc.
- KYC records.
- Customer Due Diligence (CDD) related records including name, address, National Identification Number
- Ongoing Due Diligence
- Risk assessments
- Risk management systems, procedures, and additional CDD measures for domestic and foreign Politically Exposed Persons (PEP)
|
Singapore |
- Documents and information related to the CDD process
- Details of transactions
- Copy of Suspicious Transaction Report (STR)
- Copy of Cash Transaction Report (CTR).
|
UAE |
- Financial transaction records and all its related documents, data, and statistics for both local and international transactions
- Records and documents obtained through the CDD process, including:
- Customer Information
- Ongoing monitoring
- Account files
- Business correspondence
- Copies of personal identification documents
- Suspicious Transaction Reports
- Results of any analysis performed, such as Customer Risk Assessment
|
UK |
- Copy of documents and information collected during the CDD process
- Sufficient supporting records of transactions
- Internal and external suspicion reports
- Money Laundering Reporting Officer (MLRO) annual report and other reports
- Information that was received, or collected, but not acted upon
- Training, including the effectiveness of training
- Compliance monitoring
|
Addressing Various Record-Keeping Concerns
While implementing record-keeping procedures as a part of their AML/CFT/CPF program, entities may encounter the following concerns in terms of data management:
- Manually Organising and Storing Records: The vast volume of documents that need to be maintained may be difficult to organise and store efficiently. There may be issues such as lack of space for the files, files being stored in a haphazard manner, corruption of files leading to data loss, files of the same customer scattered across different folders related to different compliance tasks, etc. These challenges make the documents difficult to retrieve and search when required which can be resolved through relying on case management and cloud-based record-keeping solutions.
- Physical Records Versus Digital Records: Storing records physically can lead to their challenges. Physically maintaining records is riddled with issues, such as physical storage space limitations, damage due to natural hazards such as flood or fire, difficulty in maintaining the physical security of the files, etc. These limitations can be countered through digital storage.
- Privacy Concerns: Maintaining customers’ privacy is also an obligation entities need to observe. Entities must implement strict data privacy policies to ensure that their record-keeping policies align with the data privacy regulatory regimes.
- Security Concerns: In an increasingly digital environment, security breaches have become a rising concern. Security breaches of customer data can lead to unauthorised access to sensitive and private information, opening the company to regulatory penalties. Even with physical data maintenance, the lack of security can cause reputational damage and regulatory fines and penalties. It is important that the regulated entity deploys a proper security system to address the security concerns.
- Uneven Retention Period: Various countries have different record-keeping durations prescribed in their AML laws; regulated entities need to come up with record-keeping policies that address this issue.
Best Practices in AML Record-Keeping
In this section, the best practices for AML/CFT/CPF record-keeping have been discussed. Implementing these best practices ensures that the required documents are systematically and securely maintained.
- Carve out Record-Keeping Policy and Procedures: Record-keeping should be established as part of the AML/CFT/CPF compliance program of the entity. The entity should detail the following in its AML/CFT/CPF policies and procedures:
- Types of documents that need to be maintained
- Form in which the documents are to be kept
- Time period for maintenance
- Data security and privacy policies
- Coordinating with AML/CFT/CPF regulators.
- Assign Roles and Responsibilities Around Record-Keeping: Clearly defining and assigning roles and responsibilities ensures that designated staff tasked with maintaining records understand their obligations and can perform their role efficiently without confusion or delays.
- Centralised Data Management: Centralised data management resolves the concerns regarding organisation and efficient storage of records. This allows for all relevant information to be readily available for retrieval, and reduces the risk of data silos, or information being scattered across various platforms.
- Implement AML software: AML software enhances record-keeping through the optimisation of record-keeping tasks. It automates the record-keeping process, provides self-upload functionalities for customers, stores the related documents in relevant folders, organises information in an easy to navigate manner, and streamlines the data retrieval process. It also provides data security and cloud storage functionalities.
- Staff Training on Record-Keeping: Staff training should be conducted to ensure that all relevant staff understand the importance of proper record-keeping. Staff training on record-keeping should cover the following:
- Types of records that need to be kept
- Procedures for documenting the records
- Form in which the documents need to be maintained
- Data security measures to protect sensitive information.
- Ensure Data Security and Privacy: Implementing robust data security and privacy practices is necessary to avoid data breaches and leakage. Entities should implement stringent data access and security protocols, adopt efficient anti-virus, malware protection, and anti-phishing software, conduct regular vulnerability assessments to understand loopholes in data security systems, etc.
- Regular Audits and Review: Record-keeping policies, procedures, systems, software, etc., should be regularly audited and assessed to ensure that any vulnerabilities are promptly identified and dealt with.
Challenges in AML Record-Keeping
After understanding the concerns associated with data management and best practices to address those concerns, this section discusses the challenges associated with implementing AML/CFT/CPF record-keeping policies and procedures. These challenges include the following:
- Integrating Record-Keeping Practices with other AML/CFT/CPF Compliance Processes: One of the key challenges is ensuring that record-keeping practices are seamlessly integrated with other AML/CFT/CPF compliance processes such as CDD, transaction monitoring, regulatory reporting, etc. Effective integration is important to maintain a comprehensive record of AML/CFT/CPF compliance tasks.
- Storage Concerns: Due to limitations in storage capacity, there may be challenges related to scalability when the entity expands.
- Variations in Regulatory Requirements: Different jurisdictions have varying AML/CFT/CPF record-keeping requirements, which may be challenging for entities operating across multiple jurisdictions.
- Compliance with Evolving AML/CFT/CPF Laws and Regulations: Regulatory requirements for AML/CFT/CPF record-keeping evolve to combat emerging ML/TF and PF threats. Keeping up with AML/CFT/CPF regulatory changes and amendments can be challenging.
- Data Quality, Integrity, and Accuracy: Ensuring the accuracy and integrity of documents is important for AML/CFT/CPF compliance. Inaccurate or incomplete records can lead to regulatory penalties and reputational damage.
- Coordination and Collaboration Issues: Implementation of effective AML/CFT/CPF record-keeping policies requires coordination and collaboration between multiple departments and staff such as front facing staff, AML/CFT/CPF compliance department, senior management, etc. Without communication, records may be inadequately, incomplete, or not updated on time.
These challenges can be effectively addressed through AML record-keeping software solutions.
How AML Software Can Help in Fulfilling Record-Keeping Obligations
The concerns and challenges discussed in this blog can be alleviated through the adoption of effective and comprehensive AML software solutions. AML software optimises record-keeping practices through the following functionalities:
- Enhanced Data Management: AML record-keeping software provides centralised data management capabilities, which ensures that all relevant information, documents, records, information, reports, etc., are organised in a systematic manner.
- Customisable and Scalable: AML record-keeping software is customisable and scalable and can be tailored according to the needs of the entity. The flexible nature of AML record-keeping software helps it align with the evolving business processes of the entity.
- Importing, Automatic Storage, and Scanning Functionalities: AML record-keeping software is added with the functionality of being able to automatically import records from various sources such as transaction logs, CDD data, e-mails, chats, etc. It also provides automatic storage solutions, ensuring that all records are in the right place according to its category. Scanning functionality helps users in capturing and uploading records and documents given to them in physical format, digitising the records with ease.
- Intelligent Classification of Records: AML record-keeping software can automatically categorise documents based on pre-defined criteria, which can be changed through its settings. This helps organise records better.
- Constructive Collaboration and Cooperation: AML record-keeping software allows collaboration among departments, staff, and management of the entity. It provides a shared platform where staff assigned with different AML/CFT/CPF compliance tasks can work together, share date, and coordinate efficiently.
- Smart Integration with other AML/CFT/CPF Compliance Systems: AML record-keeping software integrates with other AML/CFT/CPF compliance systems such as CDD, transaction monitoring, regulatory reporting, name screening, etc. This integration ensures that all records of all AML/CFT/CPF compliance tasks are maintained, leaving no gaps.
- Cloud Storage Capabilities: Solving the issue of storage space, AML record-keeping software is integrated with secure cloud storage systems. This ensures that the storage space is scalable and data is accessible from multiple locations. This also helps keep a back-up of data, ensuring that it is not lost due to damage, or corruption.
- Easy Search and Retrieval: AML record-keeping software optimises the searching and retrieval of documents. Users can easily locate the required files based on the search criteria they enter, reducing overall time spent on combing through data, and improving efficiency.
- Assistance in Auditing Process: AML record-keeping software helps create audit trails. Audit trails are useful to ensure detailed records for future independent AML/CFT/CPF independent audits, which is a statutory requirement in many countries.
- Seamless Workflows: AML record-keeping software helps users create their own workflows based on what works for them. This helps ensure that the steps involved in the record-keeping process are uniform across the entity. From uploading the document to its authentication, workflows ensure a smooth record-keeping process, reducing human errors.
- Stringent Data Security Protocols: AML record-keeping software is equipped with stringent data security protocols to ensure that sensitive customer data is protected. It has access control features, allowing administrators to grant specific permissions to users based on their role. It also has features such as data encryption and other security measures to safeguard the information from breaches or unauthorised access.
- Robust Data Privacy Policies: AML record-keeping software incorporates strong privacy policies that govern how customer information is collected, stored, and shared. It ensures that personal data is stored and processed in accordance with privacy laws the entity is required to observe.
Key Takeaways on AML Record-Keeping
Record-keeping helps entities comply with their AML/CFT/CPF obligations and effectively collaborate with the AML/CFT/CPF regulator during their investigation of ML/TF and PF risks. It protects entities from financial crimes by ensuring an audit trail for later review and investigation of risks.