New Record Retention Periods under Art. 77 AMLR

New Record Retention Periods under Art. 77 AMLR

Regulation (EU) 2024/1624 (AMLR) introduces, for the first time, a fully harmonised and directly applicable EU framework for AML record retention.

Article 77 AMLR replaces divergent national rules on AML documentation with a single, binding standard governing:

  • which AML records must be retained,
  • in what form they must be kept,
  • how long they may be retained, and
  • when personal data must be deleted.

For obliged entities, Article 77 AMLR is a cornerstone provision at the intersection of AML compliance, supervisory auditability, and data-protection law.

From national AML/CFT retention rules to EU-wide harmonisation

Under previous AML directives, record-retention obligations were implemented through national legislation. As a result, retention periods, deletion practices and archival concepts differed significantly across Member States.

Article 77 AMLR eliminates this fragmentation.

It establishes:

  • a uniform 5-year retention period,
  • harmonised starting points for that period,
  • strictly limited extensions, and
  • an explicit obligation to delete personal data once the AML retention purpose expires.

AML/CFT record retention is no longer shaped by national discretion but by directly applicable EU law.

What must be retained under Article 77 AMLR

Article 77(1) AMLR sets out an exhaustive list of documents and information subject to AML retention obligations.

Customer Due Diligence documents

Obliged entities must retain copies of the documents and information obtained in the performance of customer due diligence pursuant to Chapter III AMLR, including:

  • identification and verification data,
  • beneficial ownership information,
  • information obtained through electronic identification means.

This obligation applies to all customer categories covered by Chapter III AMLR.

Records of suspicion assessments

Article 77(1)(b) AMLR explicitly requires retention of:

  • records of assessments undertaken pursuant to Article 69(2),
  • the information and circumstances considered,
  • the results of those assessments,
  • and copies of suspicious transaction reports, if any.

Crucially, this applies whether or not the assessment results in a suspicious transaction report being made to the FIU.

Internal AML assessments that do not lead to reporting are therefore fully subject to retention and supervisory review.

Transaction records and supporting evidence

Obliged entities must retain:

  • supporting evidence and records of transactions,
  • consisting of original documents or copies,
  • provided they are admissible in judicial proceedings under the applicable national law.

The retention obligation is tied to legal admissibility, not merely operational convenience.

Information-sharing records

Where obliged entities participate in information-sharing partnerships pursuant to Chapter VI AMLR, they must retain:

  • copies of documents and information obtained through those partnerships, and
  • records of all instances of information sharing.

This ensures traceability and supervisory transparency of cooperative AML arrangements.

No redaction of AML records

Article 77(1) AMLR imposes a strict integrity requirement:

Documents, information and records kept pursuant to this Article shall not be redacted.

AML/CFT records must therefore remain complete and unaltered throughout the retention period.

Retaining references instead of copies: a limited derogation

Article 77(2) AMLR allows a derogation from the copy-retention rule.

Obliged entities may retain references to information instead of copies, provided that:

  • the information can be provided immediately to competent authorities, and
  • the information cannot be modified or altered.

Where this derogation is used, obliged entities must define in their internal procedures drawn up pursuant to Article 9 AMLR:

  • the categories of information for which references are retained,
  • and the procedures for retrieving the information upon request.

The reference model is therefore conditional, documented and auditable.

5-year retention period and mandatory deletion

Article 77(3) AMLR establishes a uniform 5-year retention period, commencing on the earliest of:

  • termination of the business relationship,
  • carrying out of an occasional transaction,
  • refusal to enter into a business relationship, or
  • refusal to carry out an occasional transaction.

Upon expiry of this five-year period, obliged entities shall delete personal data, without prejudice to retention obligations under other Union legal acts or national law that comply with Regulation (EU) 2016/679 (GDPR).

Indefinite AML/CFT data retention is not permitted under AMLR.

Extensions of the retention period: strictly limited

Competent authorities may require further retention of AML/CFT information on a case-by-case basis, but only where necessary for the prevention, detection, investigation or prosecution of money laundering or terrorist financing.

Any such extension:

  • must be individually justified, and
  • must not exceed 5 additional years.

General or blanket extensions are incompatible with Article 77 AMLR.

Special rule for pending proceedings as of 10 July 2027

Article 77(4) AMLR introduces a transitional rule for ongoing legal proceedings.

Where, on 10 July 2027, legal proceedings relating to suspected money laundering or terrorist financing are pending, and an obliged entity holds relevant information or documents, that entity may retain such information for a period of five years from 10 July 2027.

Member States may allow or require retention for a further 5 years, provided that:

  • necessity and proportionality are established, and
  • national criminal law on evidence applicable to ongoing proceedings is respected.

Why does this matter in practice?

Article 77 AMLR transforms AML/CFT record retention into a time-bound, purpose-limited and supervisory-testable obligation.

Obliged entities must now be able to demonstrate:

  • why AML/CFT data is retained,
  • when the retention period starts and ends,
  • when deletion occurs,
  • and on what legal basis any extension applies.

Record-keeping under AMLR is no longer passive archiving. It is an active data-lifecycle control obligation, central to both AML compliance and data-protection accountability.

Key takeaway

Article 77 AMLR establishes a clear, harmonised EU framework for AML/CFT record retention.

For obliged entities, compliance means:

  • retaining exactly what the AMLR requires,
  • for exactly as long as permitted,
  • and deleting personal data when the AML purpose ends.

This makes AML/CFT record retention legally precise, audit-ready and enforceable across the EU.

Leave a Reply

Your email address will not be published. Required fields are marked *