Record keeping

Record keeping

Contents

What records must be kept?

Records must be kept of clients' identity, the supporting evidence of verification of identity (in each case including the original and any updated records), the business relationships (Customer due diligence overview) with them (including any non-engagement related documents relating to the client relationship) and details of any occasional transactions (Customer due diligence overview) and details of the monitoring of the relationship.

A business's records system must outline what records are to be kept, the form in which they should be kept and how long they should be kept.

Customer due diligence (CDD) material

A business may keep either a copy of verification material, or references to it. Businesses should consider holding CDD material separately from the client file for each retainer, as it may be needed by different practice groups within the business.

Depending on the size and sophistication of the business's record storage procedures it may wish to:

  • Scan the verification material and hold it electronically
  • Take photocopies of CDD material and hold it in hard copy with a statement that the original has been seen
  • Accept certified copies of CDD material and hold them in hard copy
  • Keep electronic copies or hard copies of the results of any electronic verification checks
  • Record reference details of the CDD material

The option of merely recording reference details may be particularly useful when taking instructions from clients at their home or other locations away from the office. The types of details it would be useful to record include:

  • Any reference numbers on documents or letters
  • Any relevant dates, such as issue, expiry or writing
  • Details of the issuer or writer
  • All identity details recorded on the document

Risk assessment notes

Businesses should consider keeping records of decisions on The risk-based approach concerning the extent of CDD to be undertaken. This does not need to be in significant detail, but merely a note on the CDD file stating the risk level attributed to a file and why it was considered that sufficient CDD information had been obtained.

For example:

'This is a low risk client with no beneficial owners providing medium risk instructions. Standard (Standard due diligence) CDD material was obtained and medium level Monitoring compliance is to occur.'

Such an approach may assist businesses to demonstrate they have applied The risk-based approach in a reasonable and proportionate manner.

Notes taken at the time are better than justifications provided later.

Supporting evidence and records

Businesses must keep all original documents or copies admissible in court proceedings.

Suspicions and disclosures

Businesses should keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings. Such records may include notes of:

  • Ongoing monitoring undertaken and concerns raised by relevant persons and staff
  • Discussions with the MLRO regarding concerns
  • Advice sought and received regarding concerns
  • Why the concerns did not amount to a suspicion and a disclosure was not made
  • Copies of any disclosures made
  • Conversations with SOCA, law enforcement, insurers, supervisory authorities etc regarding disclosures made
  • Decisions not to make a report to SOCA which may be important for MLROs to justify their position to law enforcement

Businesses should ensure records are not inappropriately disclosed to clients or third parties to avoid offences of tipping off and prejudicing an investigation. This may be achieved by maintaining a separate file, either for the client or for the practice area.

Data protection

The Data Protection Act 1998, in principle, allows clients or others to make subject access requests for data held by businesses in the regulated sector and by SOCA. Such requests could cover any disclosures made. However, Section 29 of the Data Protection Act 1998 states that personal data need not be provided where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.

HM Treasury and the Information Commissioner have issued guidance which essentially provides that the Section 29 exception would apply where granting access would amount to tipping off. This may extend to suspicions only reported internally within the firm.

If a business decides the Section 29 exception applies, it should document the steps taken to assess this, to respond to any enquiries by the Information Commissioner.

For how long must records be kept

Broadly, records of a particular transaction, either as an occasional transaction or within a business relationship, must be kept for five years after the date the transaction is completed. All other documents supporting records must be kept for five years after the completion of the business relationship.

Shown below is a summary of record-keeping requirements specified in the 2007 Regulations for CDD and business relationships/occasional transactions:

RecordRetention periodComments

Client identification, including evidence of identity

5 years from end of business relationship

Care should be taken to ensure that records are not destroyed by one department, while another is still within the five year retention period or has undertaken new business with the client. Where a business is engaged with several different activities with a client, it may decide to keep details of customer due diligence within each part of the business so engaged, or to maintain central files, depending on its internal organisation. Evidence of client identity can be held in a variety of forms, e.g., in hard copy or in electronic form in accordance with the document retention policies employed within the business.

Business relationships

5 years from the date when all activities in relation to the business relationship were completed - except that in the case of particular transactions within that business relationship the retention period is 5 years from the date on which the transaction was concluded

Records of business relationships and occasional transactions (i.e., client assignment working papers and related documents) also need to be maintained for 5 years from the end of the relationship or transaction. For particular transactions within a business relationship, the records for the particular transaction need only be retained for 5 years from the completion of that transaction. As businesses will need to maintain records for a wide range of purposes that comply with both legal and professional requirements for retention of documentation, it is unlikely that any special system should be needed - the general document retention systems employed within the business, provided they meet these standards, should be sufficient.

The Reporting Record

It is vital for the control of legal risk that adequate records of internal reports are maintained, usually by the MLRO. These would normally be details of all internal reports made including details of the MLRO's handling of the matter, his requests for further information, assessments of the information received, decisions as to whether to conclude immediately or to wait for further developments or information, whether to make a SAR or not and on what grounds, any advice given to engagement teams as regards continuation of work and any consent requests made.

Details of internal reports submitted as SARs should also be retained. For efficiency, and ease of reference for the MLRO, it is recommended that some form of index of reports is kept and internal reference numbers given. The records may be simple, or sophisticated, depending on the size of the business and the volume of reporting, but all need to contain broadly the same information and be supported by appropriate working papers. These records are important as they may subsequently be required to justify and defend the actions of an individual or MLRO. There is no prescribed form specified for internal reports to an MLRO.

Shown below is guidance in respect of retention of internal reporting procedures and training records for which specific guidance is not given in the 2007 Regulations.

RecordRetention periodComments

Suspicious activities

Not prescribed

Records of internal reports, the MLRO's consideration of them, any subsequent reporting decision and issues connected to consent, production of documents etc. are a vital record as they may form the basis of a defence to accusations of money laundering and related offences. For this reason, it is recommended that such records are retained for at least 5 years after being made and possibly longer, at least whilst the business relationship continues.

Training

Not prescribed

Evidence of assessment of training needs and steps taken to meet such needs should be retained. Businesses should determine a retention period in the light of their normal retention period for training and other internal records, but it is recommended they be kept for at least 5 years in order to demonstrate a continuing compliance with current and previous regulations.