Record keeping

What records must be kept?

Records must be kept of clients' identity, the supporting evidence of verification of identity (in each case including the original and any updated records), the business relationships with them (see Customer due diligence overview), including any non-engagement related documents relating to the client relationship, details of any occasional transactions (see Customer due diligence overview) and details of the monitoring of the relationship.

A business's records system must outline what records are to be kept, the form in which they should be kept and how long they should be kept.

Customer due diligence (CDD) material

A business may keep either a copy of verification material, or references to it. Businesses should consider holding CDD material separately from the client file for each retainer, as it may be needed by different practice groups within the business.

Depending on the size and sophistication of the business's record storage procedures it may wish to:

  • Scan the verification material and hold it electronically
  • Take photocopies of CDD material and hold it in hard copy with a statement that the original has been seen
  • Accept certified copies of CDD material and hold them in hard copy
  • Keep electronic copies or hard copies of the results of any electronic verification checks
  • Record reference details of the CDD material

The option of merely recording reference details may be particularly useful when taking instructions from clients at their home or other locations away from the office. The types of details it would be useful to record include:

  • Any reference numbers on documents or letters
  • Any relevant dates, such as issue, expiry or writing
  • Details of the issuer or writer
  • All identity details recorded on the document

Risk assessment notes

Businesses should consider keeping records of decisions on the risk-based approach concerning the extent of CDD to be undertaken. This does not need to be in significant detail, but merely a note on the CDD file stating the risk level attributed to a file and why it was considered that sufficient CDD information had been obtained.

For example:

'This is a low risk client with no beneficial owners providing medium risk instructions. Standard CDD material (see Standard due diligence) was obtained and medium level monitoring compliance is to occur.'

Such an approach may assist businesses to demonstrate they have applied the risk-based approach in a reasonable and proportionate manner.

Notes taken at the time are better than justifications provided later.

Supporting evidence and records

Businesses must keep all original documents or copies admissible in court proceedings.

Suspicions and disclosures

Businesses should keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings. Such records may include notes of:

  • Ongoing monitoring undertaken and concerns raised by relevant persons and staff
  • Discussions with the MLRO regarding concerns
  • Advice sought and received regarding concerns
  • Why the concerns did not amount to a suspicion and a disclosure was not made
  • Copies of any disclosures made
  • Conversations with SOCA, law enforcement, insurers, supervisory authorities etc regarding disclosures made
  • Decisions not to make a report to SOCA which may be important for MLROs to justify their position to law enforcement

Businesses should ensure records are not inappropriately disclosed to clients or third parties to avoid offences of tipping off and prejudicing an investigation. This may be achieved by maintaining a separate file, either for the client or for the practice area.

Data protection

The Data Protection Act 1998, in principle, allows clients or others to make subject access requests for data held by businesses in the regulated sector and by SOCA. Such requests could cover any disclosures made. However, Section 29 of the Data Protection Act 1998 states that personal data need not be provided where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.

HM Treasury and the Information Commissioner have issued guidance which essentially provides that the Section 29 exception would apply where granting access would amount to tipping off. This may extend to suspicions only reported internally within the firm.

If a business decides the Section 29 exception applies, it should document the steps taken to assess this, so that it can respond to any enquiries by the Information Commissioner.

For how long must records be kept?

Broadly, records of a particular transaction, either as an occasional transaction or within a business relationship, must be kept for five years after the date the transaction is completed. All other documents supporting records must be kept for five years after the completion of the business relationship.

Shown below is a summary of record-keeping requirements specified in the 2007 Regulations for CDD and business relationships/occasional transactions:

Record: Client identification, including evidence of identity

Retention period: 5 years from end of business relationship

Comments: Care should be taken to ensure that records are not destroyed by one department, while another is still within the five year retention period or has undertaken new business with the client. Where a business is engaged with several different activities with a client, it may decide to keep details of customer due diligence within each part of the business so engaged, or to maintain central files, depending on its internal organisation. Evidence of client identity can be held in a variety of forms, e.g., in hard copy or in electronic form in accordance with the document retention policies employed within the business.

Record: Business relationships

Retention period: 5 years from the date when all activities in relation to the business relationship were completed - except that in the case of particular transactions within that business relationship the retention period is 5 years from the date on which the transaction was concluded

Comments: Records of business relationships and occasional transactions (i.e., client assignment working papers and related documents) also need to be maintained for 5 years from the end of the relationship or transaction. For particular transactions within a business relationship, the records for the particular transaction need only be retained for 5 years from the completion of that transaction. As businesses will need to maintain records for a wide range of purposes that comply with both legal and professional requirements for retention of documentation, it is unlikely that any special system should be needed - the general document retention systems employed within the business, provided they meet these standards, should be sufficient.

The Reporting Record

It is vital for the control of legal risk that adequate records of internal reports are maintained, usually by the MLRO. These would normally be details of all internal reports made including details of the MLRO's handling of the matter, his requests for further information, assessments of the information received, decisions as to whether to conclude immediately or to wait for further developments or information, whether to make a SAR or not and on what grounds, any advice given to engagement teams as regards continuation of work and any consent requests made.

Details of internal reports submitted as SARs should also be retained. For efficiency, and ease of reference for the MLRO, it is recommended that some form of index of reports is kept and internal reference numbers given. The records may be simple, or sophisticated, depending on the size of the business and the volume of reporting, but all need to contain broadly the same information and be supported by appropriate working papers. These records are important as they may subsequently be required to justify and defend the actions of an individual or MLRO. There is no prescribed form specified for internal reports to an MLRO.

Shown below is guidance in respect of retention of internal reporting procedures and training records for which specific guidance is not given in the 2007 Regulations.

Record: Suspicious activities

Retention period: Not prescribed

Comments: Records of internal reports, the MLRO's consideration of them, any subsequent reporting decision and issues connected to consent, production of documents etc. are a vital record as they may form the basis of a defence to accusations of money laundering and related offences. For this reason, it is recommended that such records are retained for at least 5 years after being made and possibly longer, at least whilst the business relationship continues.

Record: Training records

Retention period: Not prescribed

Comments: Evidence of assessment of training needs and steps taken to meet such needs should be retained. Businesses should determine a retention period in the light of their normal retention period for training and other internal records, but it is recommended they be kept for at least 5 years in order to demonstrate a continuing compliance with current and previous regulations.

Copyright © 2024 Epoq Group Ltd. All trademarks acknowledged, all rights reserved

This website is operated by Epoq Legal Ltd, registered in England and Wales, company number 3707955, whose registered office is at 2 Imperial Place, Maxwell Road, Borehamwood, Hertfordshire, WD6 1JN. Epoq Legal Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 645296).
