Records must be kept of clients' identity, the supporting evidence of verification of identity (in each case including the original and any updated records), the business relationships with them (including any non-engagement related documents relating to the client relationship), details of any occasional transactions (see Customer due diligence overview) and details of the monitoring of the relationship.
A business's records system must outline what records are to be kept, the form in which they should be kept and how long they should be kept.
A business may keep either a copy of verification material, or references to it. Businesses should consider holding CDD material separately from the client file for each retainer, as it may be needed by different practice groups within the business.
Depending on the size and sophistication of the business's record storage procedures it may wish to:
The option of merely recording reference details may be particularly useful when taking instructions from clients at their home or other locations away from the office. The types of details it would be useful to record include:
Businesses should consider keeping records of decisions on the risk-based approach concerning the extent of CDD to be undertaken. This does not need to be in significant detail, but merely a note on the CDD file stating the risk level attributed to a file and why it was considered that sufficient CDD information had been obtained.
For example:
'This is a low risk client with no beneficial owners providing medium risk instructions. Standard (Standard due diligence) CDD material was obtained and medium level Monitoring compliance is to occur.'
Such an approach may assist businesses to demonstrate they have applied the risk-based approach in a reasonable and proportionate manner.
Notes taken at the time are better than justifications provided later.
Businesses must keep all original documents or copies admissible in court proceedings.
Businesses should keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings. Such records may include notes of:
Businesses should ensure records are not inappropriately disclosed to clients or third parties to avoid offences of tipping off and prejudicing an investigation. This may be achieved by maintaining a separate file, either for the client or for the practice area.
The Data Protection Act 1998, in principle, allows clients or others to make subject access requests for data held by businesses in the regulated sector and by SOCA. Such requests could cover any disclosures made. However, Section 29 of the Data Protection Act 1998 states that personal data need not be provided where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
HM Treasury and the Information Commissioner have issued guidance which essentially provides that the Section 29 exception would apply where granting access would amount to tipping off. This may extend to suspicions only reported internally within the firm.
If a business decides the Section 29 exception applies, it should document the steps taken to assess this, to respond to any enquiries by the Information Commissioner.
Broadly, records of a particular transaction, either as an occasional transaction or within a business relationship, must be kept for five years after the date the transaction is completed. All other documents supporting records must be kept for five years after the completion of the business relationship.
Shown below is a summary of record-keeping requirements specified in the 2007 Regulations for CDD and business relationships/occasional transactions:
Record | Retention period | Comments |
---|---|---|
Client identification, including evidence of identity | 5 years from end of business relationship | Care should be taken to ensure that records are not destroyed by one department, while another is still within the five year retention period or has undertaken new business with the client. Where a business is engaged with several different activities with a client, it may decide to keep details of customer due diligence within each part of the business so engaged, or to maintain central files, depending on its internal organisation. Evidence of client identity can be held in a variety of forms, e.g., in hard copy or in electronic form in accordance with the document retention policies employed within the business. |
Business relationships | 5 years from the date when all activities in relation to the business relationship were completed - except that in the case of particular transactions within that business relationship the retention period is 5 years from the date on which the transaction was concluded | Records of business relationships and occasional transactions (i.e., client assignment working papers and related documents) also need to be maintained for 5 years from the end of the relationship or transaction. For particular transactions within a business relationship, the records for the particular transaction need only be retained for 5 years from the completion of that transaction. As businesses will need to maintain records for a wide range of purposes that comply with both legal and professional requirements for retention of documentation, it is unlikely that any special system should be needed - the general document retention systems employed within the business, provided they meet these standards, should be sufficient. |
It is vital for the control of legal risk that adequate records of internal reports are maintained, usually by the MLRO. These would normally be details of all internal reports made including details of the MLRO's handling of the matter, his requests for further information, assessments of the information received, decisions as to whether to conclude immediately or to wait for further developments or information, whether to make a SAR or not and on what grounds, any advice given to engagement teams as regards continuation of work and any consent requests made.
Details of internal reports submitted as SARs should also be retained. For efficiency, and ease of reference for the MLRO, it is recommended that some form of index of reports is kept and internal reference numbers given. The records may be simple, or sophisticated, depending on the size of the business and the volume of reporting, but all need to contain broadly the same information and be supported by appropriate working papers. These records are important as they may subsequently be required to justify and defend the actions of an individual or MLRO. There is no prescribed form specified for internal reports to an MLRO.
Shown below is guidance in respect of retention of internal reporting procedures and training records for which specific guidance is not given in the 2007 Regulations.
Record | Retention period | Comments |
---|---|---|
Suspicious activities | Not prescribed | Records of internal reports, the MLRO's consideration of them, any subsequent reporting decision and issues connected to consent, production of documents etc. are a vital record as they may form the basis of a defence to accusations of money laundering and related offences. For this reason, it is recommended that such records are retained for at least 5 years after being made and possibly longer, at least whilst the business relationship continues. |
Training | Not prescribed | Evidence of assessment of training needs and steps taken to meet such needs should be retained. Businesses should determine a retention period in the light of their normal retention period for training and other internal records, but it is recommended they be kept for at least 5 years in order to demonstrate a continuing compliance with current and previous regulations. |